diff --git a/Config/Language/en.ps1 b/Config/Language/en.ps1 index a68b01a9..bd5b5750 100644 --- a/Config/Language/en.ps1 +++ b/Config/Language/en.ps1 @@ -77,7 +77,7 @@ $4625 = @{ TimelineDetect = "Yes"; } $4627 = @{ - EventTitle = 'Group membership information'; + EventTitle = 'Group membership information'; } $4634 = @{ EventTitle = 'Logoff'; @@ -97,11 +97,11 @@ $4672 = @{ } $4673 = @{ - EventTitle = 'A privileged service was called'; + EventTitle = 'A privileged service was called'; } $4674 = @{ - EventTitle = 'An operation was attempted on a privileged object'; + EventTitle = 'An operation was attempted on a privileged object'; } $4688 = @{ 
@@ -349,24 +349,28 @@ $Create_LogonTimeline_NoLogoffEvent = "No logoff event" $Create_LogonTimeline_Total_Logon_Event_Records = "Total logon event records: " $Create_LogonTimeline_Data_Reduction = "Log event data reduction: " $Create_LogonTimeline_Total_Filtered_Logons = "Total filtered logons: " -$Create_LogonTimeline_Type0 = "Type 0 System Logons (System runtime):" -$Create_LogonTimeline_Type2 = "Type 2 Interactive Logons (Ex: Console logon, VNC) (Dangerous: Credentials in memory):" -$Create_LogonTimeline_Type3 = "Type 3 Network Logons (Ex: SMB Share, net command, rpcclient, psexec, winrm):" -$Create_LogonTimeline_Type4 = "Type 4 Batch Logons (Ex: Scheduled Tasks):" -$Create_LogonTimeline_Type5 = "Type 5 Service Logons:" -$Create_LogonTimeline_Type7 = "Type 7 Screen Unlock (and RDP reconnect) Logons:" -$Create_LogonTimeline_Type8 = "Type 8 NetworkCleartext Logons (Ex: IIS Basic Auth)(Dangerous: plaintext password used for authentication):" -$Create_LogonTimeline_Type9 = "Type 9 NewCredentials Logons (Ex: runas /netonly command)(Dangerous: Credentials in memory):" +$Create_LogonTimeline_Type0 = "Type 0 System Logons (System runtime):" +$Create_LogonTimeline_Type2 = "Type 2 Interactive Logons (Ex: Console logon, VNC) (Dangerous: Credentials in memory):" +$Create_LogonTimeline_Type3 = "Type 3 Network Logons (Ex: SMB Share, net command, rpcclient, psexec, winrm):" +$Create_LogonTimeline_Type4 = "Type 4 Batch Logons (Ex: Scheduled Tasks):" +$Create_LogonTimeline_Type5 = "Type 5 Service Logons:" +$Create_LogonTimeline_Type7 = "Type 7 Screen Unlock (and RDP reconnect) Logons:" +$Create_LogonTimeline_Type8 = "Type 8 NetworkCleartext Logons (Ex: IIS Basic Auth)(Dangerous: plaintext password used for authentication):" +$Create_LogonTimeline_Type9 = "Type 9 NewCredentials Logons (Ex: runas /netonly command)(Dangerous: Credentials in memory):" $Create_LogonTimeline_Type10 = "Type 10 RemoteInteractive Logons (Ex: RDP) (Dangerous: Credentials in memory):" 
$Create_LogonTimeline_Type11 = "Type 11 CachedInteractive/Cached Credentials Logons (Ex: Cannot connect to DC for authentication):" $Create_LogonTimeline_Type12 = "Type 12 CachedRemoteInteractive (Ex: RDP with cached credentials, Microsoft Live Accounts):" $Create_LogonTimeline_Type13 = "Type 13 CachedUnlocked Logons (Ex: Unlock or RDP reconnect without authenticated to DC):" $Create_LogonTimeline_TypeOther = "Other Type Logons:" $Create_LogonTimeline_localComputer = "LOCAL" +$Detect_ProcessingDetectionMessage = "Processing rule-base detection...`n" $Create_LogonTimeline_LoadingEVTX = "Loading event logs." $Create_LogonTimeline_PleaseWait = "Please be patient." $Create_LogonTimeline_AnalyzingLogs = "Analyzing logs..." +$Info_Noload_SIGMAMODULE = "Info:Load of SIGMA Detection Rule is canceled by User Input." +$Info_GetEventNoMatch = "Info:No events were found that match in Get-WinEvent." +$Warn_GetEvent = "Warning:Get-WinEvent error record skip." $Warn_DC_LiveAnalysis = "Warning: You probably should not be doing live analysis on a Domain Controller. Please copy log files offline for analysis." $Error_InCompatible_LiveAnalysisAndLogFile = "Error: You cannot specify -LiveAnalysis and -LogFile (or -LogDirectory) at the same time" $Error_InCompatible_LogDirAndFile = "Error:You cannot specify -LogDirectory and -LogFile at the same time" 
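Review bot: The new `$Warn_GetEvent`, `$Info_GetEventNoMatch` and `$Info_Noload_SIGMAMODULE` strings drop the space after the colon and read awkwardly, unlike the neighbouring `$Warn_DC_LiveAnalysis = "Warning: ..."` in the same hunk, and these are user-facing messages. Suggest `$Warn_GetEvent = "Warning: Get-WinEvent reported errors; the affected event records were skipped."` and `$Info_Noload_SIGMAMODULE = "Info: Loading of the SIGMA detection rules was cancelled by the user."`. The Type0 to Type9 lines in this hunk appear to change only whitespace.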
@@ -375,6 +379,16 @@ $Error_NeedAdministratorPriv = "Error: You need to be running Powershell as Admi $Error_NoSaveOutputWithCSV = "Error: You need to specify -SaveOutput" $Error_NoNeedSaveOutputWithGUI = "Error: You cannot output to GUI with the -SaveOutput parameter" $Error_InCompatible_NoLiveAnalysisOrLogFileSpecified = "Error: You need to specify -LiveAnalysis or -LogFile" +$Error_ExecutionPolicy_Bypassed = "ERROR:To use SIGMA Detection Rule, You need change exection policy to bypass. Please execution ""Set-ExectionPolicy bypass -scope Process""" + +#Remote live analysis +$remoteAnalysis_getComputername = "Please enter a remote machine name (IP address or Hostname) " +$remoteAnalysis_getCredential = "Please enter the remote computer credential." +$Error_remoteAnalysis_InvalidExecutionPolicy = "Error: ExecutionPolicy must be ""RemoteSigned""." +$Error_remoteAnalysis_UnregisteredComputername = "Error: you need to registered this remote computer in trustedhosts." +$Error_remoteAnalysis_FailedTestWSMan = "Error: Failed to run Test-WSMan." +$Warn_remoteAnalysis_Stopped_WinRMservice = "Warning: WinRM service on the remote computer may be stopped." +$Warn_remoteAnalysis_wrongRemoteComputerInfo = "Warning: Either ComputerName or Credentials, or both, are wrong." $Error_NoEventsFound = "Error: No events found!" $Error_ThisFunctionDoesNotSupportOutputGUI = "Error: This function does not support -OutputGUI" $Error_ThisFunctionDoesNotSupportOutputCSV = "Error: This function does not support -OutputCSV" @@ -488,9 +502,9 @@ $Show_Contributors1 = @" $Show_Contributors2 = "Contributors: -oginoPmP - Developer -DustInDark - Localization, Japanese Translations -Tsubokku - Japanese Translations +ogino(GitHub:@oginoPmP) - Developer +DustInDark(GitHub:@hitenkoku) - Localization, Japanese Translations +Tsubokku(twitter: @ytsuboi0322) - Japanese Translations 秀真(Hotsuma) - Calligraphy Please contribute to this project for fame and glory! 
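Review bot: `$Error_ExecutionPolicy_Bypassed` tells the user to run `Set-ExectionPolicy`, which is not a cmdlet name, so anyone pasting it gets a CommandNotFound error; the string should read `Please run ""Set-ExecutionPolicy Bypass -Scope Process""` (and "exection"/"execution" earlier in the same sentence need the same fix). Keeping the `-Scope Process` qualifier in the corrected text matters, since this message is the one place users are told which policy to set and the qualifier confines the relaxed policy to the current session rather than the machine. The Japanese file in this commit never defines this key; its hunk @@ -373 adds `$Confirm_DefConfirm_ExecutionPolicy_Bypassed` instead, so whichever name the caller reads will be undefined in one of the two languages. `$Error_remoteAnalysis_UnregisteredComputername` should read `"Error: you need to register this remote computer in TrustedHosts."`.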
@@ -517,6 +531,9 @@ function Show-Help { Write-Host " -LogDirectory (Warning: not fully implemented.)" -NoNewline -ForegroundColor Green Write-Host " : Analyze offline .evtx files" + Write-Host " -RemoteLiveAnalysis" -NoNewline -ForegroundColor Green + Write-Host " : Creates a timeline based on the remote host's log" + Write-Host Write-Host "Analysis Type (Specify one):" @@ -550,6 +567,10 @@ function Show-Help { Write-Host " -IsDC" -NoNewline -ForegroundColor Green Write-Host " : Specify if the logs are from a DC" + Write-Host " -UseDetectRule (Default: preset-rule='0')" -NoNewline -ForegroundColor Green + Write-Host ":Specify detected event output on Rule Base" + Write-Host " preset-rule| 0:None 1: DeepBlueCLI 2:SIGMA all:all-preset" + Write-Host Write-Host "Output Types (Default: Standard Output):" diff --git a/Config/Language/ja.ps1 b/Config/Language/ja.ps1 index 47be1cd6..83b446f2 100644 --- a/Config/Language/ja.ps1 +++ b/Config/Language/ja.ps1 @@ -32,6 +32,8 @@ $Create_SecurityEventIDStatistics_Event = "イベント" $Create_SecurityEventIDStatistics_TimelineOutput = "タイムライン出力" $Create_SecurityEventIDStatistics_Comment = "コメント" +$Detect_ProcessingDetectionMessage = "ルールベースでの検知中です。`n" + $1100 = @{ EventTitle = 'イベントログサービスがシャットダウンした'; Comment = 'Good for finding signs of anti-forensics but most likely false positives when the system shuts down.'; @@ -84,7 +86,7 @@ $4625 = @{ TimelineDetect = "Yes"; } $4627 = @{ - EventTitle = 'グループメンバーシップ情報'; + EventTitle = 'グループメンバーシップ情報'; } $4634 = @{ @@ -106,10 +108,10 @@ $4672 = @{ TimelineDetect = "Yes"; } $4673 = @{ - EventTitle = '特権のあるサービスが呼び出された'; + EventTitle = '特権のあるサービスが呼び出された'; } $4674 = @{ - EventTitle = '特権のあるオブジェクトに対して操作が行われた'; + EventTitle = '特権のあるオブジェクトに対して操作が行われた'; } $4688 = @{ EventTitle = '新しいプロセスが起動された'; 
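Review bot: In the @@ -550 hunk the `-UseDetectRule` description `Write-Host ":Specify detected event output on Rule Base"` lacks the leading `" : "` that every other option line in Show-Help uses, so this entry will be misaligned in the help output; suggest `Write-Host " : Output the events that match the selected rule set"`. The following `preset-rule| 0:None 1: DeepBlueCLI 2:SIGMA all:all-preset` line mixes spacing styles the same way (`0:None` vs `1: DeepBlueCLI`). Show-Help starts and ends outside these hunks.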
@@ -373,6 +375,11 @@ $Create_LogonTimeline_LoadingEVTX = "イベントログをロードしていま $Create_LogonTimeline_PleaseWait = "少々お待ち下さい。" $Create_LogonTimeline_AnalyzingLogs = "ログを解析しています。" +$Confirm_DefConfirm_ExecutionPolicy_Bypassed = "確認:SIGMAの検知ルールを利用するために、PowerShellのExectionPolicyをBypassに設定する必要があります。実行しますか?" +$Confirm_DefConfirm_DefenderRealTimeScan_enderRealTimeScan_Disabled = "" +$Info_Noload_SIGMAMODULE = "情報:SIGMAの検知ルールの読み込みがユーザによってキャンセルされました。" +$Info_GetEventNoMatch = "情報:Get-WinEventで調査対象に合致するイベントレコードはありませんでした。" +$Warn_GetEvent = "注意:Get-WinEventでエラーが発生しました。エラーが発生したイベントレコードは読み込まれません。" $Warn_DC_LiveAnalysis = "注意:ドメインコントローラーでライブ調査をしない方が良いです。ログをオフラインにコピーしてから解析して下さい。" $Error_InCompatible_LiveAnalysisAndLogFile = "エラー:「-LiveAnalysis」 と「-LogFile」「-LogDirectory」を同時に指定できません。" $Error_InCompatible_LogDirAndFile = "エラー:「-LogDirectory」 と「-LogFile」を同時に指定できません。" @@ -385,6 +392,15 @@ $Error_NoEventsFound = "エラー: イベントがない!" $Error_ThisFunctionDoesNotSupportOutputGUI = "エラー: この機能は-OutputGUIに対応していない。" $Error_ThisFunctionDoesNotSupportOutputCSV = "エラー: この機能は-OutputCSVに対応していない。" +#Remote live analysis +$remoteAnalysis_getComputername = "リモートコンピュータのマシン名(IPアドレス or ホスト名)を入力してください " +$remoteAnalysis_getCredential = "リモートコンピュータの認証情報を入力してください。" +$Error_remoteAnalysis_InvalidExecutionPolicy = "エラー: ExecutionPolicyは「RemoteSigned」である必要があります。" +$Error_remoteAnalysis_UnregisteredComputername = "エラー: リモートコンピュータのマシン名をtrustedhostsに登録する必要があります。" +$Error_remoteAnalysis_FailedTestWSMan = "エラー: Test-WSManの実行が失敗しました。リモートコンピュータへの接続ができません。" +$Warn_remoteAnalysis_Stopped_WinRMservice = "注意: リモートコンピュータ上のWinRMサービスが停止している可能性があります。" +$Warn_remoteAnalysis_wrongRemoteComputerInfo = "注意: 間違ったマシン名または認証情報が入力された可能性があります。" + #function Show-Contributors $Show_Contributors1 = @" 
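Review bot: `$Confirm_DefConfirm_DefenderRealTimeScan_enderRealTimeScan_Disabled = ""` defines an empty string under a name that looks corrupted (the `_enderRealTimeScan` fragment repeats the tail of the preceding word), and no other file in this commit defines a counterpart; any prompt that reads it would show no text. Either drop the line or give it the intended name and text, and add the same key to en.ps1 so both language files expose the same variables.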
@@ -496,9 +512,9 @@ $Show_Contributors1 = @" $Show_Contributors2 = "コントリビューター: -oginoPmP - 開発 -DustInDark - ローカライゼーション、和訳 -つぼっく - 和訳 +ogino(GitHub:@oginoPmP) - 開発 +DustInDark(GitHub:@hitenkoku) - ローカライゼーション、和訳 +つぼっく(twitter: @ytsuboi0322) - 和訳 秀真(ほつま) - アート コントリビュータを募集しています! @@ -522,6 +538,9 @@ function Show-Help { Write-Host " -LogDirectory <ログファイルのディレクトリのパス> (未完成)" -NoNewline -ForegroundColor Green Write-Host " : 複数のオフラインの.evtxファイルを解析する" + Write-Host " -RemoteLiveAnalysis" -NoNewline -ForegroundColor Green + Write-Host " : リモートマシンのログでタイムラインを作成する" + Write-Host Write-Host "解析タイプを一つ指定して下さい:" @@ -555,6 +574,11 @@ function Show-Help { Write-Host " -IsDC" -NoNewline -ForegroundColor Green Write-Host " : ドメインコントローラーのログの場合は指定して下さい" + Write-Host " -UseDetectRule (Default:preset rule='0')" -NoNewline -ForegroundColor Green + Write-Host ":検知ルールに該当するイベントの出力を行う" + Write-Host " preset rule| 0:None 1: DeepBlueCLI 2:SIGMA all:all-preset" + + Write-Host Write-Host "出力方法(デフォルト:標準出力):" diff --git a/Config/regexes.txt b/Config/regexes.txt new file mode 100644 index 00000000..42c76b32 --- /dev/null +++ b/Config/regexes.txt 
@@ -0,0 +1,27 @@
+# DeepBlueCLI command regex CSV file
+# Include only regex CSV entries or comments beginning with "#"
+#
+# Format: Match type, regex, output string
+# Match types:
+# 0: Image Path - regex
+# 1: Service Name - regex
+#
+Type,regex,string
+0,^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$,Metasploit-style cmd with pipe (possible use of Meterpreter 'getsystem')
+0,^%SYSTEMROOT%\\[a-zA-Z]{8}\.exe$,Metasploit-style %SYSTEMROOT% image path (possible use of Metasploit 'Native upload' exploit payload)
+0,powershell.*FromBase64String.*IO.Compression.GzipStream,Metasploit-style base64 encoded/compressed PowerShell function (possible use of Metasploit PowerShell exploit payload)
+0,DownloadString\(.http,Download via Net.WebClient DownloadString
+0,mimikatz,Command referencing Mimikatz
+0,Invoke-Mimikatz.ps,PowerSploit Invoke-Mimikatz.ps1
+0,PowerSploit.*ps1,Use of PowerSploit
+0,User-Agent,User-Agent set via command line
+0,[a-zA-Z0-9/+=]{500},500+ consecutive Base64 characters
+0,powershell.exe.*Hidden.*Enc,Base64 encoded and hidden PowerShell command
+# Generic csc.exe alert, comment out if experiencing false positives
+0,\\csc\.exe,Use of C Sharp compiler csc.exe
+0,\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline,PSAttack-style command via csc.exe
+# Generic cvtres.exe alert, comment out if experiencing false positives
+0,\\cvtres\.exe.*,Resource File To COFF Object Conversion Utility cvtres.exe
+0,\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp,PSAttack-style command via cvtres.exe
+1,^[a-zA-Z]{22}$,Metasploit-style service name: 22 characters, [A-Za-z]
+1,^[a-zA-Z]{16}$,Metasploit-style service name: 16 characters, [A-Za-z]
diff --git a/Config/util.ps1 b/Config/util.ps1
new file mode 100644
index 00000000..d6ac8580
--- /dev/null
+++ b/Config/util.ps1
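Review bot: The last two rows put a comma inside the third column (`..., 22 characters, [A-Za-z]`) while the header declares only `Type,regex,string`, so `ConvertFrom-Csv` in util.ps1 splits them into four fields and the `[A-Za-z]` part is presumably dropped from the reported string; worth confirming on the PowerShell version in use. Quote the field, `"Metasploit-style service name: 22 characters, [A-Za-z]"`, or drop the comma. The header comment could also state that patterns are applied with `-Match`, which is case-insensitive by default, so rule authors do not add `(?i)` or case-folded duplicates.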
@@ -0,0 +1,278 @@ +<# + +.DESCRIPTION +WELA utils funciton + + +.LINK +https://github.com/yamatosecurity +#> + +# Yamato Event Analyzer (YEA) Security event timeline generator +# Zach Mathis, Yamatosecurity founder +# Twitter: @yamatosecurity +# https://yamatosecurity.connpass.com/ +# +# Inspired by Eric Conrad's DeepBlueCLI (https://github.com/sans-blue-team/DeepBlueCLI) +# Much help from the Windows Event Log Analysis Cheatsheets by Steve Anson (https://www.forwarddefense.com/en/article/references-pdf) +# and event log info from www.ultimatewindowssecurity.com + + +#Functions: +function Get-WinEventWithFilter { + param( + $WinEventFilter, + $RemoteComputerInfo + ) + $logs = $null + + if ( $RemoteComputerInfo.RemoteLiveAnalysis -eq $true ) { + $logs = Get-WinEvent -ComputerName $RemoteComputerInfo.Computername -Credential $RemoteComputerInfo.Credential -FilterHashtable $WinEventFilter -Oldest -ErrorAction SilentlyContinue + } + else { + $logs = Get-WinEvent -FilterHashtable $WinEventFilter -Oldest -ErrorAction SilentlyContinue + } + + if ($LASTEXITCODE -ne 0) { + if ($logs) { + Write-Host $Warn_GetEvent -ForegroundColor Black -BackgroundColor Yellow + } + else { + Write-Host $Info_GetEventNoMatch -ForegroundColor Green + } + } + return $logs +} + +function Show-Contributors { + Write-Host + Write-Host $Show_Contributors1 -ForegroundColor Red + Write-Host $Show_Contributors2 -ForegroundColor Cyan + Write-Host +} + +Function Format-FileSize { + Param ([int]$size) + If ($size -gt 1TB) { [string]::Format("{0:0.00} TB", $size / 1TB) } + ElseIf ($size -gt 1GB) { [string]::Format("{0:0.00} GB", $size / 1GB) } + ElseIf ($size -gt 1MB) { [string]::Format("{0:0.00} MB", $size / 1MB) } + ElseIf ($size -gt 1KB) { [string]::Format("{0:0.00} kB", $size / 1KB) } + ElseIf ($size -gt 0) { [string]::Format("{0:0.00} B", $size) } + Else { "" } +} + +function Check-Administrator { + $user = [Security.Principal.WindowsIdentity]::GetCurrent(); + (New-Object 
Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) +} + + +# following check function in DeepBlueCLI. + +$minlength = 1000 # Minimum length of command line to alert +# Load cmd match regexes from csv file, ignore comments +$regexes = Get-Content ".\Config\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv +# Load cmd whitelist regexes from csv file, ignore comments +$whitelist = Get-Content ".\Config\whitelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv + +# Custom reporting object: +function Create-Obj { + param($event, $logname) + if ($event) { + $obj = [PSCustomObject]@{ + Date = $event.TimeCreated + Log = $logname + EventID = $event.id + Message = $event.message + Results = "" + Command = "" + Decoded = "" + } + } + else { + $obj = [PSCustomObject]@{ + Date = "" + Log = $logname + EventID = "" + Message = "" + Results = "" + Command = "" + Decoded = "" + } + } + return $obj +} + +function Check-Command() { + + Param( + $EventID, + $commandline, + $creator, + $servicecmd = 0, + $obj + ) + + $text = "" + $base64 = "" + # Check to see if command is whitelisted + foreach ($entry in $whitelist) { + if ($commandline -Match $entry.regex) { + # Command is whitelisted, return nothing + return + } + } + if ($commandline.length -gt $minlength) { + $text += "Long Command Line: greater than $minlength bytes`n" + } + $text += (Check-Obfu $commandline) + $text += (Check-Regex $commandline 0) + $text += (Check-Creator $commandline $creator) + # Check for base64 encoded function, decode and print if found + # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks + if ($commandline -Match "\-enc.*[A-Za-z0-9/+=]{100}") { + $base64 = $commandline -Replace "^.* \-Enc(odedCommand)? 
", "" + } + ElseIf ($commandline -Match ":FromBase64String\(") { + $base64 = $commandline -Replace "^.*:FromBase64String\(\'*", "" + $base64 = $base64 -Replace "\'.*$", "" + } + if ($base64) { + if ($commandline -Match "Compression.GzipStream.*Decompress") { + # Metasploit-style compressed and base64-encoded function. Uncompress it. + $decoded = New-Object IO.MemoryStream(, [Convert]::FromBase64String($base64)) + $uncompressed = (New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded, [IO.Compression.CompressionMode]::Decompress))), [Text.Encoding]::ASCII)).ReadToEnd() + $obj.Decoded = $uncompressed + $text += "Base64-encoded and compressed function`n" + } + else { + $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) + $obj.Decoded = $decoded + $text += "Base64-encoded function`n" + $text += (Check-Obfu $decoded) + $text += (Check-Regex $decoded 0) + } + } + if ($text) { + if ($servicecmd) { + $obj.Message = "Suspicious Service Command" + $obj.Results = "Service name: $servicename`n" + } + Else { + $obj.Message = "Suspicious Command Line" + } + $obj.Command = $commandline + $obj.Results += $text + $obj.EventID = $EventID + return $obj; + } + return $null; +} + + +function Check-Regex($string, $type) { + $regextext = "" # Local variable for return output + foreach ($regex in $regexes) { + if ($regex.Type -eq $type) { + # Type is 0 for Commands, 1 for services. Set in regexes.csv + if ($string -Match $regex.regex) { + $regextext += $regex.String + "`n" + } + } + } + #if ($regextext){ + # $regextext = $regextext.Substring(0,$regextext.Length-1) # Remove final newline. + #} + return $regextext +} + +function Check-Obfu($string) { + # Check for special characters in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 + # + $obfutext = "" # Local variable for return output + if (!$string) { + return $null + } + $minpercent = .65 + $maxbinary = .50 + $lowercasestring = $string.ToLower() + $length = $lowercasestring.length + $noalphastring = $lowercasestring -replace "[a-z0-9/\;:|.]" + $nobinarystring = $lowercasestring -replace "[01]" # To catch binary encoding + # Calculate the percent alphanumeric/common symbols + if ($length -gt 0) { + $percent = (($length - $noalphastring.length) / $length) + # Adjust minpercent for very short commands, to avoid triggering short warnings + if (($length / 100) -lt $minpercent) { + $minpercent = ($length / 100) + } + if ($percent -lt $minpercent) { + $percent = "{0:P0}" -f $percent # Convert to a percent + $obfutext += "Possible command obfuscation: only $percent alphanumeric and common symbols`n" + } + # Calculate the percent of binary characters + $percent = (($nobinarystring.length - $length / $length) / $length) + $binarypercent = 1 - $percent + if ($binarypercent -gt $maxbinary) { + #$binarypercent = 1-$percent + $binarypercent = "{0:P0}" -f $binarypercent # Convert to a percent + $obfutext += "Possible command obfuscation: $binarypercent zeroes and ones (possible numeric or binary encoding)`n" + } + } + return $obfutext +} + +function Check-Creator($command, $creator) { + $creatortext = "" # Local variable for return output + if ($creator) { + if ($command -Match "powershell") { + if ($creator -Match "PSEXESVC") { + $creatortext += "PowerShell launched via PsExec: $creator`n" + } + ElseIf ($creator -Match "WmiPrvSE") { + $creatortext += "PowerShell launched via WMI: $creator`n" + } + } + } + return $creatortext +} + +function Remove-Spaces($string) { + # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe + # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe + $string = $string.trim() 
-Replace "\s+:", ":" + return $string +} + +function Get-RemoteComputerInfo { + $Computername = Read-Host $remoteAnalysis_getComputername + $trustedhosts = Get-Item WSMan:\localhost\client\trustedhosts + + If ($Computername -contains $trustedhosts.Value -or $trustedhosts.Value -eq "*") { + $creds = Get-Credential -Message $remoteAnalysis_getCredential + $Test = Test-WSMan -ComputerName $Computername -Credential $creds -Authentication Negotiate + + If ( $Test -eq $NULL ) { + Write-Host "" + write-host $Error_remoteAnalysis_FailedTestWSMan -ForegroundColor White -BackgroundColor Red + write-host $Warn_remoteAnalysis_Stopped_WinRMservice -ForegroundColor Black -BackgroundColor Yellow + write-host $Warn_remoteAnalysis_wrongRemoteComputerInfo -ForegroundColor Black -BackgroundColor Yellow + Write-Host "" + Exit + } + + $RemoteComputerInfo = @{ + "RemoteLiveAnalysis" = $True; + "Computername" = $Computername; + "Credential" = $creds + } + return $RemoteComputerInfo + } + + else { + Write-Host "" + Write-Host $Error_remoteAnalysis_UnregisteredComputername -ForegroundColor White -BackgroundColor Red + Write-Host "" + Exit + } +} \ No newline at end of file diff --git a/Config/whitelist.txt b/Config/whitelist.txt new file mode 100644 index 00000000..67e76166 --- /dev/null +++ b/Config/whitelist.txt @@ -0,0 +1,9 @@ +# DeepBlueCLI command ignore list +# Currently: one entry (regex) per line +# Read as a CSV file for future growth (may want to add options to each entry) +# +# Include only regex CSV entries, or comments beginning with "#" +# +regex +^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe" +^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe" diff --git a/Rules/SIGMA/RuleTemplate.template_ps1 b/Rules/SIGMA/RuleTemplate.template_ps1 new file mode 100644 index 00000000..3252c981 --- /dev/null +++ b/Rules/SIGMA/RuleTemplate.template_ps1 
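Review bot: `Get-WinEventWithFilter` tests `$LASTEXITCODE -ne 0` to decide whether Get-WinEvent failed, but `$LASTEXITCODE` is set only by native executables, so a cmdlet error under `-ErrorAction SilentlyContinue` leaves it untouched and the `$Warn_GetEvent`/`$Info_GetEventNoMatch` branch fires based on whatever the last external program returned; capture the error instead by adding `-ErrorVariable getEventErr` to both Get-WinEvent calls and testing `if ($getEventErr) {`. In `Get-RemoteComputerInfo`, `$Computername -contains $trustedhosts.Value` compares the single name against the whole TrustedHosts string, so a host listed alongside others is rejected unless the value is `*`; use `(($trustedhosts.Value -split ',').Trim()) -contains $Computername`. The script-level `$regexes`/`$whitelist` are read from `".\Config\regexes.txt"` relative to the current directory, so running WELA from any other directory silently yields empty lists and `Check-Command` checks nothing; `Join-Path $PSScriptRoot 'regexes.txt'` (the Config directory when this file is dot-sourced) avoids that. `Check-Command` also interpolates `$servicename`, which is never defined in this file, and `Format-FileSize` declares `[int]$size`, which overflows for inputs above 2 GB.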
@@ -0,0 +1,27 @@
+
+
+function Add-Rule {
+ $ruleName = "!filename!";
+ $detectedMessage = "!detection!"
+
+ $detectRule = {
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+ $results = @();
+ $results += $event !firstpipe!;
+ foreach ($result in $results) {
+ if ($result.Count -ne 0) {
+ Write-Host
+ Write-Host "Detected! RuleName:$ruleName";
+ Write-Host $result
+ Write-Host $detectedMessage;
+ }
+ }
+
+ };
+ Search-DetectableEvents $args[0];
+ };
+ $Global:ruleStack.Add($ruleName, $detectRule);
+}
\ No newline at end of file
diff --git a/Rules/SIGMA/builtin/win_GPO_scheduledtasks.ps1 b/Rules/SIGMA/builtin/win_GPO_scheduledtasks.ps1
new file mode 100644
index 00000000..c6ef0015
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_GPO_scheduledtasks.ps1
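Review bot: The template reads `$ruleName` and `$detectedMessage` inside `$detectRule`, but both are assigned in `Add-Rule`'s scope, not inside the scriptblock; PowerShell scriptblocks do not capture their defining scope, so when the rule runner later invokes the block those names resolve in the caller's scope and `Detected! RuleName:` is presumably printed with an empty name unless the caller happens to define them (the generated builtin rules avoid this by re-assigning both inside `Search-DetectableEvents`). Either move the two assignments into `Search-DetectableEvents` as the builtin rules do, or build the block with `}.GetNewClosure()`. The template also calls `$Global:ruleStack.Add(...)` unguarded, whereas every builtin rule first checks `if (! $ruleStack[$ruleName])`, so a rule imported twice would throw a duplicate-key exception here. It invokes `Search-DetectableEvents $args[0]` while the builtins use `. Search-DetectableEvents $args`; the two hand different shapes to `$event`, so one should be aligned with the other.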
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\SYSVOL" -and $_.message -match "RelativeTargetName.*.*ScheduledTasks.xml" -and ($_.message -match "Accesses.*.*WriteData.*" -or $_.message -match "Accesses.*.*%%4417.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_GPO_scheduledtasks"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_GPO_scheduledtasks"; + $detectedMessage = "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale"; + $result = $event | where { ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\SYSVOL" -and $_.message -match "RelativeTargetName.*.*ScheduledTasks.xml" -and ($_.message -match "Accesses.*.*WriteData.*" -or $_.message -match "Accesses.*.*%%4417.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_account_backdoor_dcsync_rights.ps1 b/Rules/SIGMA/builtin/win_account_backdoor_dcsync_rights.ps1 new file mode 100644 index 00000000..7705b531 --- /dev/null +++ b/Rules/SIGMA/builtin/win_account_backdoor_dcsync_rights.ps1 
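Review bot: The filter matches `$_.message` against EventData field names (`ShareName`, `RelativeTargetName`, `Accesses`), but if `$event` is what the first-line comment shows, objects from `Get-WinEvent`, then `Message` is the rendered, localized text in which those fields appear as `Share Name:`, `Relative Target Name:` and so on, so the regexes would not match on an English system and not at all on a Japanese one; worth confirming what the rule runner actually passes in. Matching on `$_.ToXml()` or on `$_.Properties` by index would make the rule locale-independent, and the same concern applies to every builtin rule in this commit (dcsync_rights, account_discovery, writedac_access, replication_non_machine_account, user_enumeration, admin_rdp_login, admin_share_access). Minor: `Accesses.*.*WriteData.*` has a redundant `.*.*`, and `$result -and $result.Count -ne 0` is already implied by `$result`.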
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Security | where {($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*ntSecurityDescriptor" -and ($_.message -match "AttributeValue.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "AttributeValue.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "AttributeValue.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_account_backdoor_dcsync_rights"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_account_backdoor_dcsync_rights"; + $detectedMessage = "backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using PowerviewAdd-DomainObjectAcl DCSync"; + $result = $event | where { ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*ntSecurityDescriptor" -and ($_.message -match "AttributeValue.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "AttributeValue.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "AttributeValue.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_account_discovery.ps1 b/Rules/SIGMA/builtin/win_account_discovery.ps1 new file mode 100644 index 00000000..25941f72 --- /dev/null +++ b/Rules/SIGMA/builtin/win_account_discovery.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Security | where {(($_.ID -eq "4661" -and ($_.message -match "SAM_USER" -or $_.message -match "SAM_GROUP")) -and (($_.message -match "ObjectName.*.*-512" -or $_.message -match "ObjectName.*.*-502" -or $_.message -match "ObjectName.*.*-500" -or $_.message -match "ObjectName.*.*-505" -or $_.message -match "ObjectName.*.*-519" -or $_.message -match "ObjectName.*.*-520" -or $_.message -match "ObjectName.*.*-544" -or $_.message -match "ObjectName.*.*-551" -or $_.message -match "ObjectName.*.*-555") -or ($_.message -match "ObjectName.*.*admin.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_account_discovery"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_account_discovery"; + $detectedMessage = "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs"; + $result = $event | where { (($_.ID -eq "4661" -and ($_.message -match "SAM_USER" -or $_.message -match "SAM_GROUP")) -and (($_.message -match "ObjectName.*.*-512" -or $_.message -match "ObjectName.*.*-502" -or $_.message -match "ObjectName.*.*-500" -or $_.message -match "ObjectName.*.*-505" -or $_.message -match "ObjectName.*.*-519" -or $_.message -match "ObjectName.*.*-520" -or $_.message -match "ObjectName.*.*-544" -or $_.message -match "ObjectName.*.*-551" -or $_.message -match "ObjectName.*.*-555") -or ($_.message -match "ObjectName.*.*admin.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
diff --git a/Rules/SIGMA/builtin/win_ad_object_writedac_access.ps1 b/Rules/SIGMA/builtin/win_ad_object_writedac_access.ps1 new file mode 100644 index 00000000..8f73065d --- /dev/null +++ b/Rules/SIGMA/builtin/win_ad_object_writedac_access.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Security | where {($_.ID -eq "4662" -and $_.message -match "ObjectServer.*DS" -and $_.message -match "AccessMask.*0x40000" -and ($_.message -match "19195a5b-6da0-11d0-afd3-00c04fd930c9" -or $_.message -match "domainDNS")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_ad_object_writedac_access"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_ad_object_writedac_access"; + $detectedMessage = "Detects WRITE_DAC access to a domain object"; + $result = $event | where { ($_.ID -eq "4662" -and $_.message -match "ObjectServer.*DS" -and $_.message -match "AccessMask.*0x40000" -and ($_.message -match "19195a5b-6da0-11d0-afd3-00c04fd930c9" -or $_.message -match "domainDNS")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_ad_replication_non_machine_account.ps1 b/Rules/SIGMA/builtin/win_ad_replication_non_machine_account.ps1 new file mode 100644 index 00000000..df5cfd04 --- /dev/null +++ b/Rules/SIGMA/builtin/win_ad_replication_non_machine_account.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Security | where {(($_.ID -eq "4662" -and $_.message -match "AccessMask.*0x100" -and ($_.message -match "Properties.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) -and -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_ad_replication_non_machine_account"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_ad_replication_non_machine_account"; + $detectedMessage = "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials."; + $result = $event | where { (($_.ID -eq "4662" -and $_.message -match "AccessMask.*0x100" -and ($_.message -match "Properties.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) -and -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_ad_user_enumeration.ps1 b/Rules/SIGMA/builtin/win_ad_user_enumeration.ps1 new file mode 100644 index 00000000..87ece1a0 --- /dev/null +++ b/Rules/SIGMA/builtin/win_ad_user_enumeration.ps1 
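Review bot: `"SubjectUserName.*.*$"` is meant to exclude machine accounts, whose names end in a literal `$`, but in a regex an unescaped `$` is the end-of-string anchor, so this pattern matches any message containing `SubjectUserName`; the `-not (...)` clause therefore excludes every event and the rule can never fire. Escape it: `$_.message -match 'SubjectUserName.*\$'` (single quotes also keep PowerShell from treating the `$` as interpolation). The same unescaped `$` appears in win_ad_user_enumeration.ps1 and in win_admin_share_access.ps1, where `ShareName.*Admin$` should be `Admin\$` to match the ADMIN$ share name.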
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Security | where {(($_.ID -eq "4662" -and ($_.message -match "ObjectType.*.*bf967aba-0de6-11d0-a285-00aa003049e2.*")) -and -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_ad_user_enumeration"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_ad_user_enumeration"; + $detectedMessage = "Detects access to a domain user from a non-machine account"; + $result = $event | where { (($_.ID -eq "4662" -and ($_.message -match "ObjectType.*.*bf967aba-0de6-11d0-a285-00aa003049e2.*")) -and -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_admin_rdp_login.ps1 b/Rules/SIGMA/builtin/win_admin_rdp_login.ps1 new file mode 100644 index 00000000..90d03f9b --- /dev/null +++ b/Rules/SIGMA/builtin/win_admin_rdp_login.ps1 
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and $_.message -match "AuthenticationPackageName.*Negotiate" -and $_.message -match "TargetUserName.*Admin.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_admin_rdp_login";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_admin_rdp_login";
+ $detectedMessage = "Detect remote login by Administrator user (depending on internal pattern).";
+ $result = $event | where { ($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and $_.message -match "AuthenticationPackageName.*Negotiate" -and $_.message -match "TargetUserName.*Admin.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_admin_share_access.ps1 b/Rules/SIGMA/builtin/win_admin_share_access.ps1
new file mode 100644
index 00000000..407b05e0
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_admin_share_access.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "5140" -and $_.message -match "ShareName.*Admin$") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_admin_share_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_admin_share_access";
+ $detectedMessage = "Detects access to $ADMIN share";
+ $result = $event | where { (($_.ID -eq "5140" -and $_.message -match "ShareName.*Admin$") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_alert_active_directory_user_control.ps1 b/Rules/SIGMA/builtin/win_alert_active_directory_user_control.ps1
new file mode 100644
index 00000000..74e09918
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_alert_active_directory_user_control.ps1
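Review bot: `$detectedMessage = "Detects access to $ADMIN share"` is a double-quoted string, so `$ADMIN` is expanded as a variable (normally undefined) and the alert text the analyst sees reads "Detects access to  share"; single quotes keep the share name literal, `$detectedMessage = 'Detects access to $ADMIN share';`. The filter has the related flaw that in `"ShareName.*Admin$"` the unescaped `$` is the end-of-input anchor rather than the share name's trailing character, so the clause only matches when the share name is on the message's last line; `$_.message -match "ShareName.*Admin\$"` tests what the rule describes.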
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4704" -and ($_.message -match ".*SeEnableDelegationPrivilege.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_alert_active_directory_user_control";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_alert_active_directory_user_control";
+ $detectedMessage = "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.";
+ $result = $event | where { ($_.ID -eq "4704" -and ($_.message -match ".*SeEnableDelegationPrivilege.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_alert_ad_user_backdoors.ps1 b/Rules/SIGMA/builtin/win_alert_ad_user_backdoors.ps1
new file mode 100644
index 00000000..024b5c52
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_alert_ad_user_backdoors.ps1
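Review bot: The leading and trailing `.*` in `".*SeEnableDelegationPrivilege.*"` are no-ops, because `-match` already finds the pattern anywhere in the string; `$_.message -match "SeEnableDelegationPrivilege"` reads the same and avoids the needless backtracking of a leading `.*` on a multi-line message. The same wrapper is used throughout win_alert_enable_weak_encryption, win_alert_mimikatz_keywords and win_av_relevant_match. Separately, `if(! $ruleStack[$ruleName]) {` omits the space after `if` that the sibling rule files use (`if (! $ruleStack[$ruleName]) {`), so the files are not formatted consistently.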
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(((((($_.ID -eq "4738" -and -not ($_.message -match "AllowedToDelegateTo.*-")) -and -not (-not AllowedToDelegateTo="*")) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToDelegateTo")) -or ($_.ID -eq "5136" -and $_.message -match "ObjectClass.*user" -and $_.message -match "AttributeLDAPDisplayName.*servicePrincipalName")) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToActOnBehalfOfOtherIdentity"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_alert_ad_user_backdoors";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_alert_ad_user_backdoors";
+ $detectedMessage = "Detects scenarios where one can control another users or computers account without having to use their credentials.";
+ $result = $event | where { (((((($_.ID -eq "4738" -and -not ($_.message -match "AllowedToDelegateTo.*-")) ) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToDelegateTo")) -or ($_.ID -eq "5136" -and $_.message -match "ObjectClass.*user" -and $_.message -match "AttributeLDAPDisplayName.*servicePrincipalName")) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToActOnBehalfOfOtherIdentity"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
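Review bot: The 4738 branch `-not ($_.message -match "AllowedToDelegateTo.*-")` drops any record whose AllowedToDelegateTo line contains a hyphen anywhere (a delegation target such as a hyphenated host name would be excluded), not only the bare `-` placeholder that means no delegation target is set; `-not ($_.message -match "(?m)^AllowedToDelegateTo:\s*-\s*$")` limits the exclusion to the placeholder. The stray `)) )` left where the comment's `-not (-not AllowedToDelegateTo="*")` clause stood suggests that second condition was dropped rather than translated, so if it was meant to cover "field absent" it is now unimplemented. How the field label is spelled in `$event.message` (XML name vs. rendered "Allowed To Delegate To:") is not visible here and should be confirmed against a real 4738 record.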
diff --git a/Rules/SIGMA/builtin/win_alert_enable_weak_encryption.ps1 b/Rules/SIGMA/builtin/win_alert_enable_weak_encryption.ps1
new file mode 100644
index 00000000..279fa233
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_alert_enable_weak_encryption.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4738" -and ($_.message -match ".*DES.*" -or $_.message -match ".*Preauth.*" -or $_.message -match ".*Encrypted.*") -and ($_.message -match ".*Enabled.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_alert_enable_weak_encryption";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_alert_enable_weak_encryption";
+ $detectedMessage = "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.";
+ $result = $event | where { ($_.ID -eq "4738" -and ($_.message -match ".*DES.*" -or $_.message -match ".*Preauth.*" -or $_.message -match ".*Encrypted.*") -and ($_.message -match ".*Enabled.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_alert_lsass_access.ps1 b/Rules/SIGMA/builtin/win_alert_lsass_access.ps1
new file mode 100644
index 00000000..00ff2538
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_alert_lsass_access.ps1
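Review bot: The keyword tests and the `".*Enabled.*"` test each scan the whole message independently, so a 4738 record in which a DES/Preauth/Encrypted flag is reported as Disabled still fires as long as any other flag on another line reads Enabled, which contradicts the description "weak encryption is enabled". Keeping the state on the same line as the flag preserves the intent: `$_.message -match "(DES|Preauth|Encrypted)[^\r\n]*Enabled"`. Note also that `-match` is case-insensitive, so `DES` will match the letters "des" inside any other word in the record; `\bDES\b` or `-cmatch` narrows it. I cannot confirm from this hunk how the User Account Control flags are rendered in `$event.message`, so the line-based form should be checked against a real record.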
@@ -0,0 +1,32 @@
+# Get-WinEvent | where {($_.ID -eq "1121" -and $_.message -match "Path.*.*\lsass.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_alert_lsass_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_alert_lsass_access";
+ $detectedMessage = "Detects Access to LSASS Process";
+ $result = $event | where { ($_.ID -eq "1121" -and $_.message -match "Path.*.*\\lsass.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMesssage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_alert_mimikatz_keywords.ps1 b/Rules/SIGMA/builtin/win_alert_mimikatz_keywords.ps1
new file mode 100644
index 00000000..c3b04acd
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_alert_mimikatz_keywords.ps1
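Review bot: `Write-Output $detectedMesssage;` spells the variable with three s's, so it reads an undefined variable and the rule description is never printed with the hit (under `Set-StrictMode` it would throw instead); the line should be `Write-Output $detectedMessage;`. The same typo is in win_alert_mimikatz_keywords. Minor: in `"Path.*.*\\lsass.exe"` the dot before `exe` is unescaped and the doubled `.*.*` is redundant; `"Path.*\\lsass\.exe"` is the precise form.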
@@ -0,0 +1,32 @@
+# Get-WinEvent | where {($_.message -match ".*mimikatz.*" -or $_.message -match ".*mimilib.*" -or $_.message -match ".*<3 eo.oe.*" -or $_.message -match ".*eo.oe.kiwi.*" -or $_.message -match ".*privilege::debug.*" -or $_.message -match ".*sekurlsa::logonpasswords.*" -or $_.message -match ".*lsadump::sam.*" -or $_.message -match ".*mimidrv.sys.*" -or $_.message -match ".* p::d .*" -or $_.message -match ".* s::l .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_alert_mimikatz_keywords";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_alert_mimikatz_keywords";
+ $detectedMessage = "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)";
+ $result = $event | where { ($_.message -match ".*mimikatz.*" -or $_.message -match ".*mimilib.*" -or $_.message -match ".*<3 eo.oe.*" -or $_.message -match ".*eo.oe.kiwi.*" -or $_.message -match ".*privilege::debug.*" -or $_.message -match ".*sekurlsa::logonpasswords.*" -or $_.message -match ".*lsadump::sam.*" -or $_.message -match ".*mimidrv.sys.*" -or $_.message -match ".* p::d .*" -or $_.message -match ".* s::l .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMesssage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_alert_ruler.ps1 b/Rules/SIGMA/builtin/win_alert_ruler.ps1
new file mode 100644
index 00000000..bc801665
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_alert_ruler.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(((($_.ID -eq "4776") -and $_.message -match "Workstation.*RULER") -or (($_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "WorkstationName.*RULER"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_alert_ruler";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_alert_ruler";
+ $detectedMessage = "This events that are generated when using the hacktool Ruler by Sensepost";
+ $result = $event | where { (((($_.ID -eq "4776") -and $_.message -match "Workstation.*RULER") -or (($_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "WorkstationName.*RULER"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_applocker_file_was_not_allowed_to_run.ps1 b/Rules/SIGMA/builtin/win_applocker_file_was_not_allowed_to_run.ps1
new file mode 100644
index 00000000..3aaf5f9b
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_applocker_file_was_not_allowed_to_run.ps1
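Review bot: The analyst-facing description `"This events that are generated when using the hacktool Ruler by Sensepost"` is not a sentence and does not say what the rule does; `$detectedMessage = "Detects events generated when the Ruler tool by Sensepost is used";` matches the "Detects …" wording the other rule files use. The 4776 clause `"Workstation.*RULER"` and the 4624/4625 clause `"WorkstationName.*RULER"` use two different labels for what is presumably the same field, so one of them may not match the message form the project produces; worth confirming against a real record of each ID.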
@@ -0,0 +1,31 @@
+# Get-WinEvent | where {(($_.message -match "Microsoft-Windows-AppLocker/MSI and Script" -or $_.message -match "Microsoft-Windows-AppLocker/EXE and DLL" -or $_.message -match "Microsoft-Windows-AppLocker/Packaged app-Deployment" -or $_.message -match "Microsoft-Windows-AppLocker/Packaged app-Execution") -and ($_.ID -eq "8004" -or $_.ID -eq "8007")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_applocker_file_was_not_allowed_to_run";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_applocker_file_was_not_allowed_to_run";
+ $detectedMessage = "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.";
+ $result = $event | where { (($_.message -match "Microsoft-Windows-AppLocker/MSI and Script" -or $_.message -match "Microsoft-Windows-AppLocker/EXE and DLL" -or $_.message -match "Microsoft-Windows-AppLocker/Packaged app-Deployment" -or $_.message -match "Microsoft-Windows-AppLocker/Packaged app-Execution") -and ($_.ID -eq "8004" -or $_.ID -eq "8007")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_apt_carbonpaper_turla.ps1 b/Rules/SIGMA/builtin/win_apt_carbonpaper_turla.ps1
new file mode 100644
index 00000000..32bc68e0
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_apt_carbonpaper_turla.ps1
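Review bot: The four `$_.message -match "Microsoft-Windows-AppLocker/…"` tests look for the channel name inside the event text, but that name identifies the log the record came from and is not part of an AppLocker 8004/8007 message, so I expect this clause to be false for every record and the rule never to fire. The channel is a property of the record itself; `$_.LogName -like "Microsoft-Windows-AppLocker/*" -and ($_.ID -eq "8004" -or $_.ID -eq "8007")` tests it directly when `$event` holds Get-WinEvent records, and if the project wraps events in its own object the equivalent field should be used. The description string "Detect run not allowed files … You need configure applocker and log collect" would also read better as "Detects files that AppLocker did not allow to run; AppLocker and log collection must be configured to receive these events."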
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and ($_.message -match "srservice" -or $_.message -match "ipvpn" -or $_.message -match "hkmsvc")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_carbonpaper_turla";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_carbonpaper_turla";
+ $detectedMessage = "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET";
+ $result = $event | where { ($_.ID -eq "7045" -and ($_.message -match "srservice" -or $_.message -match "ipvpn" -or $_.message -match "hkmsvc")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_apt_stonedrill.ps1 b/Rules/SIGMA/builtin/win_apt_stonedrill.ps1
new file mode 100644
index 00000000..3517c0b5
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_apt_stonedrill.ps1
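Review bot: `$_.message -match "srservice"`, `"ipvpn"` and `"hkmsvc"` are unanchored, case-insensitive substring tests over the whole 7045 record, so they also fire on a service whose file path or display name merely contains one of those strings, while the referenced rule is about the service name. The sibling files win_apt_stonedrill and win_apt_turla_service_png scope the same kind of test with a `ServiceName.*` prefix; `$_.message -match "ServiceName.*\b(srservice|ipvpn|hkmsvc)\b"` follows that convention and collapses the three clauses into one. Whether the label in `$event.message` is `ServiceName` or the rendered "Service Name:" is not visible in this hunk and applies equally to those two sibling files.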
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*NtsSrv" -and $_.Service File Name -eq "* LocalService") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_stonedrill";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_stonedrill";
+ $detectedMessage = "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky";
+ $result = $event | where { ($_.ID -eq "7045" -and $_.message -match "ServiceName.*NtsSrv" -and $_.message -Like "* LocalService") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_apt_turla_service_png.ps1 b/Rules/SIGMA/builtin/win_apt_turla_service_png.ps1
new file mode 100644
index 00000000..fdcc8cca
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_apt_turla_service_png.ps1
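Review bot: `$_.message -Like "* LocalService"` has no trailing wildcard, so it is only true when the entire message ends with " LocalService"; a 7045 record carries further lines after the service file name (type, start type, account), so this clause is effectively never satisfied and the rule cannot fire. The intent is an ends-with test on the Service File Name field, which a line-scoped regex expresses: `$_.message -match "(?m)^Service File Name:.* LocalService\s*$"` (adjust the label to whatever `$event.message` actually carries; the first clause in this same expression uses `ServiceName` without a space, so the two labels should at least agree). The reference query in the first comment line, `$_.Service File Name -eq "* LocalService"`, is not valid PowerShell and cannot be pasted as-is; the same invalid form is in the comment of win_cobaltstrike_service_installs.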
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*WerFaultSvc") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_turla_service_png";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_turla_service_png";
+ $detectedMessage = "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018";
+ $result = $event | where { ($_.ID -eq "7045" -and $_.message -match "ServiceName.*WerFaultSvc") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_arbitrary_shell_execution_via_settingcontent.ps1 b/Rules/SIGMA/builtin/win_arbitrary_shell_execution_via_settingcontent.ps1
new file mode 100644
index 00000000..31218255
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_arbitrary_shell_execution_via_settingcontent.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.message -match "CommandLine.*.*.SettingContent-ms.*" -and -not (($_.message -match "FilePath.*.*immersivecontrolpanel.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_arbitrary_shell_execution_via_settingcontent";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_arbitrary_shell_execution_via_settingcontent";
+ $detectedMessage = "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create ""shortcuts"" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.";
+ $result = $event | where { ($_.message -match "CommandLine.*.*.SettingContent-ms.*" -and -not (($_.message -match "FilePath.*.*immersivecontrolpanel.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_atsvc_task.ps1 b/Rules/SIGMA/builtin/win_atsvc_task.ps1
new file mode 100644
index 00000000..33770251
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_atsvc_task.ps1
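Review bot: In `"CommandLine.*.*.SettingContent-ms.*"` the dot before `SettingContent-ms` is an unescaped regex metacharacter that matches any character, and the doubled `.*.*` plus the trailing `.*` are redundant, so the pattern is looser than the file-extension check it stands for; `$_.message -match "CommandLine.*\.SettingContent-ms"` says exactly that. The filter has no event-ID clause, so it relies on `CommandLine` appearing only in process-creation records of whatever `$event` holds; that assumption is not visible here. The description string is background on the file type and never says what is detected; prefixing it with "Detects a process launched from a .SettingContent-ms file." would align it with the other rules.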
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\IPC$" -and $_.message -match "RelativeTargetName.*atsvc" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_atsvc_task";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_atsvc_task";
+ $detectedMessage = "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe";
+ $result = $event | where { ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*atsvc" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_audit_cve.ps1 b/Rules/SIGMA/builtin/win_audit_cve.ps1
new file mode 100644
index 00000000..e5ae65b9
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_audit_cve.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Application | where {($_.message -match "Source.*Microsoft-Windows-Audit-CVE") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_audit_cve";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_audit_cve";
+ $detectedMessage = "Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)";
+ $result = $event | where { ($_.message -match "Source.*Microsoft-Windows-Audit-CVE") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_av_relevant_match.ps1 b/Rules/SIGMA/builtin/win_av_relevant_match.ps1
new file mode 100644
index 00000000..1bcfd624
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_av_relevant_match.ps1
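Review bot: `$_.message -match "Source.*Microsoft-Windows-Audit-CVE"` expects the event's source to be spelled out inside the message body, but the provider is metadata on the record rather than message text, so with Get-WinEvent records this clause would not match and the rule would stay silent. The record exposes it directly: `$_.ProviderName -eq "Microsoft-Windows-Audit-CVE"`. If `$event` is a project-specific object that folds the provider into `message`, the current line is fine, but that is not visible from this hunk.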
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Application | where {(($_.message -match ".*HTool-.*" -or $_.message -match ".*Hacktool.*" -or $_.message -match ".*ASP/Backdoor.*" -or $_.message -match ".*JSP/Backdoor.*" -or $_.message -match ".*PHP/Backdoor.*" -or $_.message -match ".*Backdoor.ASP.*" -or $_.message -match ".*Backdoor.JSP.*" -or $_.message -match ".*Backdoor.PHP.*" -or $_.message -match ".*Webshell.*" -or $_.message -match ".*Portscan.*" -or $_.message -match ".*Mimikatz.*" -or $_.message -match ".*WinCred.*" -or $_.message -match ".*PlugX.*" -or $_.message -match ".*Korplug.*" -or $_.message -match ".*Pwdump.*" -or $_.message -match ".*Chopper.*" -or $_.message -match ".*WmiExec.*" -or $_.message -match ".*Xscan.*" -or $_.message -match ".*Clearlog.*" -or $_.message -match ".*ASPXSpy.*") -and -not (($_.message -match ".*Keygen.*" -or $_.message -match ".*Crack.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_av_relevant_match";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_av_relevant_match";
+ $detectedMessage = "This detection method points out highly relevant Antivirus events";
+ $result = $event | where { (($_.message -match ".*HTool-.*" -or $_.message -match ".*Hacktool.*" -or $_.message -match ".*ASP/Backdoor.*" -or $_.message -match ".*JSP/Backdoor.*" -or $_.message -match ".*PHP/Backdoor.*" -or $_.message -match ".*Backdoor.ASP.*" -or $_.message -match ".*Backdoor.JSP.*" -or $_.message -match ".*Backdoor.PHP.*" -or $_.message -match ".*Webshell.*" -or $_.message -match ".*Portscan.*" -or $_.message -match ".*Mimikatz.*" -or $_.message -match ".*WinCred.*" -or $_.message -match ".*PlugX.*" -or $_.message -match ".*Korplug.*" -or $_.message -match ".*Pwdump.*" -or $_.message -match ".*Chopper.*" -or $_.message -match ".*WmiExec.*" -or $_.message -match ".*Xscan.*" -or $_.message -match ".*Clearlog.*" -or $_.message -match 
".*ASPXSpy.*") -and -not (($_.message -match ".*Keygen.*" -or $_.message -match ".*Crack.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_camera_microphone_access.ps1 b/Rules/SIGMA/builtin/win_camera_microphone_access.ps1
new file mode 100644
index 00000000..5dfefbfc
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_camera_microphone_access.ps1
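Review bot: Twenty separate `$_.message -match ".*X.*"` clauses joined with `-or` re-scan the whole message up to twenty times per record and make the keyword list hard to review or extend; a single alternation does the same work in one pass, `$_.message -match "HTool-|Hacktool|ASP/Backdoor|JSP/Backdoor|PHP/Backdoor|Backdoor\.ASP|Backdoor\.JSP|Backdoor\.PHP|Webshell|Portscan|Mimikatz|WinCred|PlugX|Korplug|Pwdump|Chopper|WmiExec|Xscan|Clearlog|ASPXSpy"` with `-not ($_.message -match "Keygen|Crack")` for the exclusion. That form also escapes the dots in `Backdoor.ASP` and friends, which the current patterns leave as wildcards, and drops the `.*` wrappers that an unanchored `-match` does not need. The filter has no provider or ID restriction, so every Application-log record is keyword-scanned; if the antivirus product's provider name is known to the project, restricting on it first would cut false positives from unrelated text such as user-supplied names.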
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4657" -or $_.ID -eq "4656" -or $_.ID -eq "4663") -and ($_.message -match "ObjectName.*.*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged.*" -or $_.message -match "ObjectName.*.*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_camera_microphone_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_camera_microphone_access";
+ $detectedMessage = "Potential adversaries accessing the microphone and webcam in an endpoint.";
+ $result = $event | where { (($_.ID -eq "4657" -or $_.ID -eq "4656" -or $_.ID -eq "4663") -and ($_.message -match "ObjectName.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged.*" -or $_.message -match "ObjectName.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_cobaltstrike_service_installs.ps1 b/Rules/SIGMA/builtin/win_cobaltstrike_service_installs.ps1
new file mode 100644
index 00000000..1644745c
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_cobaltstrike_service_installs.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and (($_.Service File Name -eq "*ADMIN$*" -and $_.Service File Name -eq "*.exe*") -or ($_.Service File Name -eq "*%COMSPEC%*" -and $_.Service File Name -eq "*start*" -and $_.Service File Name -eq "*powershell*") -or ($_.Service File Name -eq "*powershell -nop -w hidden -encodedcommand*") -or ($_.Service File Name -eq "*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*" -or $_.message -match "Service File Name.*.*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT.*" -or $_.message -match "Service File Name.*.*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_cobaltstrike_service_installs";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_cobaltstrike_service_installs";
+ $detectedMessage = "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement";
+ $result = $event | where { ($_.ID -eq "7045" -and (($_.message -like "*ADMIN$*" -and $_.message -like "*.exe*") -or ($_.message -like "*%COMSPEC%*" -and $_.message -like "*start*" -and $_.message -like "*powershell*") -or ($_.message -like "*powershell -nop -w hidden -encodedcommand*") -or ($_.message -Like "*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*" -or $_.message -match "Service File Name.*.*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT.*" -or $_.message -match "Service File Name.*.*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ 
Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_dce_rpc_smb_spoolss_named_pipe.ps1 b/Rules/SIGMA/builtin/win_dce_rpc_smb_spoolss_named_pipe.ps1
new file mode 100644
index 00000000..22b5f123
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_dce_rpc_smb_spoolss_named_pipe.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\IPC$" -and $_.message -match "RelativeTargetName.*spoolss") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_dce_rpc_smb_spoolss_named_pipe";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_dce_rpc_smb_spoolss_named_pipe";
+ $detectedMessage = "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. ";
+ $result = $event | where { ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*spoolss") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_dcom_iertutil_dll_hijack.ps1 b/Rules/SIGMA/builtin/win_dcom_iertutil_dll_hijack.ps1
new file mode 100644
index 00000000..3ec4dfd7
--- /dev/null
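Review bot: The `-like` tests in the cobaltstrike filter run against the entire 7045 record rather than the Service File Name field, so `"*.exe*"`, `"*start*"` and `"*powershell*"` are satisfied by text anywhere in the message (a rendered 7045 record normally contains a "Service Start Type" line, which alone makes `"*start*"` true for every record, leaving only `%COMSPEC%` and `powershell` as the effective test); the last three alternatives already use `"Service File Name.*…"`, so the hunk mixes two scopes for one field. Extracting the field line once and applying the wildcard tests to it keeps each alternative meaning what the referenced rule says; the label should be adjusted to whatever `$event.message` carries, which this hunk does not show. `-Like` in the fourth alternative is also capitalised differently from the `-like` beside it.

```powershell
# … unchanged: $ruleName / $detectedMessage assignments …
$result = $event | where {
    $serviceFile = [regex]::Match($_.message, 'Service File Name:\s*([^\r\n]*)').Groups[1].Value;
    ($_.ID -eq "7045" -and (($serviceFile -like '*ADMIN$*' -and $serviceFile -like '*.exe*') -or ($serviceFile -like '*%COMSPEC%*' -and $serviceFile -like '*start*' -and $serviceFile -like '*powershell*') -or ($serviceFile -like '*powershell -nop -w hidden -encodedcommand*') -or ($serviceFile -like '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*' -or $serviceFile -like '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*' -or $serviceFile -like '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*')))
} | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
# … unchanged: result output …
```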
+++ b/Rules/SIGMA/builtin/win_dcom_iertutil_dll_hijack.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "RelativeTargetName.*.*\Internet Explorer\iertutil.dll") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_dcom_iertutil_dll_hijack";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_dcom_iertutil_dll_hijack";
+ $detectedMessage = "Detects a threat actor creating a file named `iertutil.dll` in the `C:Program FilesInternet Explorer` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.";
+ $result = $event | where { (($_.ID -eq "5145" -and $_.message -match "RelativeTargetName.*.*\\Internet Explorer\\iertutil.dll") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_dcsync.ps1 b/Rules/SIGMA/builtin/win_dcsync.ps1
new file mode 100644
index 00000000..c8bef8c4
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_dcsync.ps1
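Review bot: The description string uses backticks as markdown quotes inside a double-quoted PowerShell string, where the backtick is the escape character, so they are silently dropped at runtime, and the path has already lost its backslashes (`C:Program FilesInternet Explorer`), so the analyst sees a mangled location. A single-quoted literal with the path restored fixes both: `$detectedMessage = 'Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer directory over the network for a DCOM InternetExplorer DLL Hijack scenario.';`. Minor: in `"RelativeTargetName.*.*\\Internet Explorer\\iertutil.dll"` the dot in `iertutil.dll` is an unescaped wildcard (`iertutil\.dll`).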
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(((($_.ID -eq "4662" -and ($_.message -match "Properties.*.*Replicating Directory Changes All.*" -or $_.message -match "Properties.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*")) -and -not ($_.message -match "SubjectDomainName.*Window Manager")) -and -not (($_.message -match "SubjectUserName.*NT AUTHORITY.*" -or $_.message -match "SubjectUserName.*MSOL_.*"))) -and -not (($_.message -match "SubjectUserName.*.*$"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_dcsync";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_dcsync";
+ $detectedMessage = "Detects Mimikatz DC sync security events";
+ $result = $event | where { (((($_.ID -eq "4662" -and ($_.message -match "Properties.*.*Replicating Directory Changes All.*" -or $_.message -match "Properties.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*")) -and -not ($_.message -match "SubjectDomainName.*Window Manager")) -and -not (($_.message -match "SubjectUserName.*NT AUTHORITY.*" -or $_.message -match "SubjectUserName.*MSOL_.*"))) -and -not (($_.message -match "SubjectUserName.*.*$"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_disable_event_logging.ps1 b/Rules/SIGMA/builtin/win_disable_event_logging.ps1
new file mode 100644
index 00000000..8119f010
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_disable_event_logging.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4719" -and ($_.message -match "AuditPolicyChanges.*.*%%8448.*" -or $_.message -match "AuditPolicyChanges.*.*%%8450.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_disable_event_logging";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_disable_event_logging";
+ $detectedMessage = "Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off ""Local Group Policy Object Processing"" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as ""gpedit.msc"". Please note, that disabling ""Local Group Policy Object Processing"" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.";
+ $result = $event | where { ($_.ID -eq "4719" -and ($_.message -match "AuditPolicyChanges.*.*%%8448.*" -or $_.message -match "AuditPolicyChanges.*.*%%8450.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_dpapi_domain_backupkey_extraction.ps1 b/Rules/SIGMA/builtin/win_dpapi_domain_backupkey_extraction.ps1
new file mode 100644
index 00000000..f2ff3e1f
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_dpapi_domain_backupkey_extraction.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4662" -and $_.message -match "ObjectType.*SecretObject" -and $_.message -match "AccessMask.*0x2" -and $_.message -match "ObjectName.*BCKUPKEY") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_dpapi_domain_backupkey_extraction";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_dpapi_domain_backupkey_extraction";
+ $detectedMessage = "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers";
+ $result = $event | where { ($_.ID -eq "4662" -and $_.message -match "ObjectType.*SecretObject" -and $_.message -match "AccessMask.*0x2" -and $_.message -match "ObjectName.*BCKUPKEY") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_dpapi_domain_masterkey_backup_attempt.ps1 b/Rules/SIGMA/builtin/win_dpapi_domain_masterkey_backup_attempt.ps1
new file mode 100644
index 00000000..68e79b9c
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_dpapi_domain_masterkey_backup_attempt.ps1
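Review bot: `$_.message -match "AccessMask.*0x2"` on the `$result` line is an unbounded substring match, so it also accepts masks such as 0x20 or 0x20019 that merely begin with 0x2, widening the rule well beyond the single access-mask value its description implies; closing the value with a boundary, `$_.message -match "AccessMask.*0x2\b"`, keeps it to 0x2. The same loose prefix match is used for `AccessMask.*0x3` in win_exploit_cve_2021_1675_printspooler_Security and, more seriously, for `NewValue.*0` in win_etw_modification, which is satisfied by any New Value line containing a zero digit anywhere after the label.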
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4692") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_dpapi_domain_masterkey_backup_attempt";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_dpapi_domain_masterkey_backup_attempt";
+ $detectedMessage = "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.";
+ $result = $event | where { ($_.ID -eq "4692") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_etw_modification.ps1 b/Rules/SIGMA/builtin/win_etw_modification.ps1
new file mode 100644
index 00000000..855f9be2
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_etw_modification.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4657" -and $_.message -match "ObjectName.*.*\SOFTWARE\Microsoft\.NETFramework" -and $_.message -match "ObjectValueName.*ETWEnabled" -and $_.message -match "NewValue.*0") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_etw_modification";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_etw_modification";
+ $detectedMessage = "Potential adversaries stopping ETW providers recording loaded .NET assemblies.";
+ $result = $event | where { ($_.ID -eq "4657" -and $_.message -match "ObjectName.*.*\\SOFTWARE\\Microsoft\\.NETFramework" -and $_.message -match "ObjectValueName.*ETWEnabled" -and $_.message -match "NewValue.*0") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_exploit_cve_2021_1675_printspooler.ps1 b/Rules/SIGMA/builtin/win_exploit_cve_2021_1675_printspooler.ps1
new file mode 100644
index 00000000..7975dca4
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_exploit_cve_2021_1675_printspooler.ps1
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-PrintService/Admin | where {(((($_.ID -eq "808" -or $_.ID -eq "4909") -and ($_.message -match "0x45A" -or $_.message -match "0x7e")) -or ($_.message -match "The print spooler failed to load a plug-in module" -or $_.message -match "MyExploit.dll" -or $_.message -match "evil.dll" -or $_.message -match "ddCube.dll" -or $_.message -match "ev.dll" -or $_.message -match "ev2.dll" -or $_.message -match "main64.dll" -or $_.message -match "mimilib.dll" -or $_.message -match "mimispool.dll"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_exploit_cve_2021_1675_printspooler";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_exploit_cve_2021_1675_printspooler";
+ $detectedMessage = "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675"
+ $result = $event | where { (((($_.ID -eq "808" -or $_.ID -eq "4909") -and ($_.message -match "0x45A" -or $_.message -match "0x7e")) -or ($_.message -match "The print spooler failed to load a plug-in module" -or $_.message -match "MyExploit.dll" -or $_.message -match "evil.dll" -or $_.message -match "ddCube.dll" -or $_.message -match "
+ev.dll" -or $_.message -match "ev2.dll" -or $_.message -match "main64.dll" -or $_.message -match "mimilib.dll" -or $_.message -match "mimispool.dll"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
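Review bot: The `$result` assignment in this hunk is broken across two file lines inside the `"ev.dll"` pattern (`-match "` ends one line and `ev.dll" -or …` starts the next — that extra line is why this hunk is 33 lines where the sibling rules are 32), so the literal becomes `"<newline>ev.dll"` and that term can no longer match a plain `ev.dll` substring while the rest of the expression still parses, hiding the mistake. Rejoin it on one line as `$_.message -match "ev.dll"`. The `$detectedMessage` assignment just above is also missing its trailing `;` — harmless in PowerShell, but inconsistent with every other rule in this commit.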
diff --git a/Rules/SIGMA/builtin/win_exploit_cve_2021_1675_printspooler_Security.ps1 b/Rules/SIGMA/builtin/win_exploit_cve_2021_1675_printspooler_Security.ps1
new file mode 100644
index 00000000..8d285fbe
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_exploit_cve_2021_1675_printspooler_Security.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\IPC$" -and $_.message -match "RelativeTargetName.*spoolss" -and $_.message -match "AccessMask.*0x3" -and $_.message -match "ObjectType.*File") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_exploit_cve_2021_1675_printspooler_Security";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_exploit_cve_2021_1675_printspooler_Security";
+ $detectedMessage = "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527";
+ $result = $event | where { ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*spoolss" -and $_.message -match "AccessMask.*0x3" -and $_.message -match "ObjectType.*File") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_exploit_cve_2021_1675_printspooler_operational.ps1 b/Rules/SIGMA/builtin/win_exploit_cve_2021_1675_printspooler_operational.ps1
new file mode 100644
index 00000000..a7ce7cc9
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_exploit_cve_2021_1675_printspooler_operational.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PrintService/Operational | where {($_.ID -eq "316" -and ($_.message -match "UNIDRV.DLL, kernelbase.dll, " -or $_.message -match " 123 " -or $_.message -match " 1234 " -or $_.message -match "mimispool")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_exploit_cve_2021_1675_printspooler_operational";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_exploit_cve_2021_1675_printspooler_operational";
+ $detectedMessage = "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675";
+ $result = $event | where { ($_.ID -eq "316" -and ($_.message -match "UNIDRV.DLL, kernelbase.dll, " -or $_.message -match " 123 " -or $_.message -match " 1234 " -or $_.message -match "mimispool")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_external_device.ps1 b/Rules/SIGMA/builtin/win_external_device.ps1
new file mode 100644
index 00000000..4351d4e3
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_external_device.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(((($_.ID -eq "6416") -and $_.message -match "ClassName.*DiskDrive") -or $_.message -match "DeviceDescription.*USB Mass Storage Device")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_external_device";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_external_device";
+ $detectedMessage = "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later";
+ $result = $event | where { (((($_.ID -eq "6416") -and $_.message -match "ClassName.*DiskDrive") -or $_.message -match "DeviceDescription.*USB Mass Storage Device")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_global_catalog_enumeration.ps1 b/Rules/SIGMA/builtin/win_global_catalog_enumeration.ps1
new file mode 100644
index 00000000..757c8bfa
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_global_catalog_enumeration.ps1
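Review bot: The `-or` on the `$result` line sits outside the event-ID check — `(($_.ID -eq "6416") -and … DiskDrive) -or … USB Mass Storage Device` — so any record in the batch whose message mentions "USB Mass Storage Device" fires regardless of its ID, even though `$detectedMessage` describes the rule as EventID 6416. If the intent is 6416 with either property, the filter should read `$_.ID -eq "6416" -and ($_.message -match "ClassName.*DiskDrive" -or $_.message -match "DeviceDescription.*USB Mass Storage Device")`.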
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5156" -and ($_.message -match "3268" -or $_.message -match "3269")) } | group-object SourceAddress | where { $_.count -gt 2000 } | select name,count | sort -desc
+
+function Add-Rule {
+
+ $ruleName = "win_global_catalog_enumeration";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_global_catalog_enumeration";
+ $detectedMessage = "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.";
+ $result = $event | where { ($_.ID -eq "5156" -and ($_.message -match "3268" -or $_.message -match "3269")) } | group-object SourceAddress | where { $_.count -gt 2000 } | select name, count | sort -desc;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_hack_smbexec.ps1 b/Rules/SIGMA/builtin/win_hack_smbexec.ps1
new file mode 100644
index 00000000..741f928d
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_hack_smbexec.ps1
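Review bot: `group-object SourceAddress` on the `$result` line groups on a property that the EventLogRecord objects returned by Get-WinEvent do not expose (the source address lives in the event's XML/message), so every matching 5156 record lands in a single group with an empty Name and the `-gt 2000` threshold is applied to the whole batch rather than per client; unless `$event` is pre-parsed, extract the address into a calculated group key first, e.g. `group-object { if ($_.message -match 'SourceAddress[:\s]+(\S+)') { $Matches[1] } }`, adjusting the label to however `message` is actually populated. `-match "3268"` / `"3269"` also match those digits anywhere in the text (PIDs, other ports, addresses), not just the destination port, so binding them to the port field would cut noise.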
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*BTOBTO" -and $_.Service File Name -eq "*\execute.bat") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_hack_smbexec";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_hack_smbexec";
+ $detectedMessage = "Detects the use of smbexec.py tool by detecting a specific service installation";
+ $result = $event | where { ($_.ID -eq "7045" -and $_.message -match "ServiceName.*BTOBTO" -and $_.message -Like "*\\execute.bat") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_hidden_user_creation.ps1 b/Rules/SIGMA/builtin/win_hidden_user_creation.ps1
new file mode 100644
index 00000000..54034fec
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_hidden_user_creation.ps1
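Review bot: `$_.message -Like "*\\execute.bat"` on the `$result` line is a wildcard comparison, where `\` is not an escape character, so it looks for two literal backslashes and, lacking a trailing `*`, requires the entire message to end with that text; since further fields follow the service file name in the 7045 message, the term never matches and this rule cannot fire. Use the same regex form as the neighbouring clause, `$_.message -match "\\execute\.bat"`, or at minimum `-Like "*\execute.bat*"`.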
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4720" -and $_.message -match "TargetUserName.*.*$") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_hidden_user_creation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_hidden_user_creation";
+ $detectedMessage = "Detects the creation of a local hidden user account which should not happen for event ID 4720.";
+ $result = $event | where { ($_.ID -eq "4720" -and $_.message -match "TargetUserName.*.*$") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_hybridconnectionmgr_svc_installation.ps1 b/Rules/SIGMA/builtin/win_hybridconnectionmgr_svc_installation.ps1
new file mode 100644
index 00000000..52a9f05f
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_hybridconnectionmgr_svc_installation.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4697") -and $_.message -match "ServiceName.*HybridConnectionManager" -and $_.Service File Name -eq "*HybridConnectionManager*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_hybridconnectionmgr_svc_installation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_hybridconnectionmgr_svc_installation";
+ $detectedMessage = "Rule to detect the Hybrid Connection Manager service installation.";
+ $result = $event | where { (($_.ID -eq "4697") -and $_.message -match "ServiceName.*HybridConnectionManager" -and $_.message -Like "*HybridConnectionManager*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_hybridconnectionmgr_svc_running.ps1 b/Rules/SIGMA/builtin/win_hybridconnectionmgr_svc_running.ps1
new file mode 100644
index 00000000..e2e524af
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_hybridconnectionmgr_svc_running.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent | where {(($_.ID -eq "40300" -or $_.ID -eq "40301" -or $_.ID -eq "40302") -and ($_.message -match ".*HybridConnection.*" -or $_.message -match ".*sb://.*" -or $_.message -match ".*servicebus.windows.net.*" -or $_.message -match ".*HybridConnectionManage.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_hybridconnectionmgr_svc_running";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_hybridconnectionmgr_svc_running";
+ $detectedMessage = "Rule to detect the Hybrid Connection Manager service running on an endpoint.";
+ $result = $event | where { (($_.ID -eq "40300" -or $_.ID -eq "40301" -or $_.ID -eq "40302") -and ($_.message -match ".*HybridConnection.*" -or $_.message -match ".*sb://.*" -or $_.message -match ".*servicebus.windows.net.*" -or $_.message -match ".*HybridConnectionManage.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_impacket_psexec.ps1 b/Rules/SIGMA/builtin/win_impacket_psexec.ps1
new file mode 100644
index 00000000..87ff70bb
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_impacket_psexec.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\IPC$" -and ($_.message -match "RelativeTargetName.*.*RemCom_stdint.*" -or $_.message -match "RelativeTargetName.*.*RemCom_stdoutt.*" -or $_.message -match "RelativeTargetName.*.*RemCom_stderrt.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_impacket_psexec";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_impacket_psexec";
+ $detectedMessage = "Detects execution of Impacket's psexec.py.";
+ $result = $event | where { ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and ($_.message -match "RelativeTargetName.*.*RemCom_stdint.*" -or $_.message -match "RelativeTargetName.*.*RemCom_stdoutt.*" -or $_.message -match "RelativeTargetName.*.*RemCom_stderrt.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_impacket_secretdump.ps1 b/Rules/SIGMA/builtin/win_impacket_secretdump.ps1
new file mode 100644
index 00000000..20e8a685
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_impacket_secretdump.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\ADMIN$" -and $_.message -match "RelativeTargetName.*.*SYSTEM32\.*" -and $_.message -match "RelativeTargetName.*.*.tmp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_impacket_secretdump";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_impacket_secretdump";
+ $detectedMessage = "Detect AD credential dumping using impacket secretdump HKTL";
+ $result = $event | where { ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\ADMIN$" -and $_.message -match "RelativeTargetName.*.*SYSTEM32\\.*" -and $_.message -match "RelativeTargetName.*.*.tmp.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_iso_mount.ps1 b/Rules/SIGMA/builtin/win_iso_mount.ps1
new file mode 100644
index 00000000..615b209e
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_iso_mount.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4663" -and $_.message -match "ObjectServer.*Security" -and $_.message -match "ObjectType.*File" -and $_.message -match "ObjectName.*\Device\CdRom.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_iso_mount";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_iso_mount";
+ $detectedMessage = "Detects the mount of ISO images on an endpoint";
+ $result = $event | where { ($_.ID -eq "4663" -and $_.message -match "ObjectServer.*Security" -and $_.message -match "ObjectType.*File" -and $_.message -match "ObjectName.*\\Device\\CdRom.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_lm_namedpipe.ps1 b/Rules/SIGMA/builtin/win_lm_namedpipe.ps1
new file mode 100644
index 00000000..4348163e
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_lm_namedpipe.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\IPC$") -and -not ($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\IPC$" -and ($_.message -match "atsvc" -or $_.message -match "samr" -or $_.message -match "lsarpc" -or $_.message -match "winreg" -or $_.message -match "netlogon" -or $_.message -match "srvsvc" -or $_.message -match "protected_storage" -or $_.message -match "wkssvc" -or $_.message -match "browser" -or $_.message -match "netdfs" -or $_.message -match "svcctl" -or $_.message -match "spoolss" -or $_.message -match "ntsvcs" -or $_.message -match "LSM_API_service" -or $_.message -match "HydraLsPipe" -or $_.message -match "TermSrv_API_service" -or $_.message -match "MsFteWds"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_lm_namedpipe";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_lm_namedpipe";
+ $detectedMessage = "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes";
+ $result = $event | where { (($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$") -and -not ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and ($_.message -match "atsvc" -or $_.message -match "samr" -or $_.message -match "lsarpc" -or $_.message -match "winreg" -or $_.message -match "netlogon" -or $_.message -match "srvsvc" -or $_.message -match "protected_storage" -or $_.message -match "wkssvc" -or $_.message -match "browser" -or $_.message -match "netdfs" -or $_.message -match "svcctl" -or $_.message -match "spoolss" -or $_.message -match "ntsvcs" -or $_.message -match "LSM_API_service" -or $_.message -match "HydraLsPipe" -or $_.message -match "TermSrv_API_service" -or $_.message -match "MsFteWds"))) } | select TimeCreated, Id, RecordId, ProcessId,
MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_lsass_access_non_system_account.ps1 b/Rules/SIGMA/builtin/win_lsass_access_non_system_account.ps1
new file mode 100644
index 00000000..0619ec7b
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_lsass_access_non_system_account.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(((($_.ID -eq "4663" -or $_.ID -eq "4656") -and ($_.message -match "0x40" -or $_.message -match "0x1400" -or $_.message -match "0x1000" -or $_.message -match "0x100000" -or $_.message -match "0x1410" -or $_.message -match "0x1010" -or $_.message -match "0x1438" -or $_.message -match "0x143a" -or $_.message -match "0x1418" -or $_.message -match "0x1f0fff" -or $_.message -match "0x1f1fff" -or $_.message -match "0x1f2fff" -or $_.message -match "0x1f3fff" -or $_.message -match "40" -or $_.message -match "1400" -or $_.message -match "1000" -or $_.message -match "100000" -or $_.message -match "1410" -or $_.message -match "1010" -or $_.message -match "1438" -or $_.message -match "143a" -or $_.message -match "1418" -or $_.message -match "1f0fff" -or $_.message -match "1f1fff" -or $_.message -match "1f2fff" -or $_.message -match "1f3fff") -and $_.message -match "ObjectType.*Process" -and $_.message -match "ObjectName.*.*\lsass.exe") -and -not ($_.message -match "SubjectUserName.*.*$")) -and -not ($_.message -match "ProcessName.*C:\Program Files.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_lsass_access_non_system_account";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_lsass_access_non_system_account";
+ $detectedMessage = "Detects potential mimikatz-like tools accessing LSASS from non system account";
+ $result = $event | where { (((($_.ID -eq "4663" -or $_.ID -eq "4656") -and ($_.message -match "0x40" -or $_.message -match "0x1400" -or $_.message -match "0x1000" -or $_.message -match "0x100000" -or $_.message -match "0x1410" -or $_.message -match "0x1010" -or $_.message -match "0x1438" -or $_.message -match "0x143a" -or $_.message -match "0x1418" -or $_.message -match "0x1f0fff" -or $_.message -match "0x1f1fff" -or $_.message -match "0x1f2fff" -or $_.message -match "0x1f3fff" -or $_.message
-match "40" -or $_.message -match "1400" -or $_.message -match "1000" -or $_.message -match "100000" -or $_.message -match "1410" -or $_.message -match "1010" -or $_.message -match "1438" -or $_.message -match "143a" -or $_.message -match "1418" -or $_.message -match "1f0fff" -or $_.message -match "1f1fff" -or $_.message -match "1f2fff" -or $_.message -match "1f3fff") -and $_.message -match "ObjectType.*Process" -and $_.message -match "ObjectName.*.*\\lsass.exe") -and -not ($_.message -match "SubjectUserName.*.*$")) -and -not ($_.message -match "ProcessName.*C:\\Program Files.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_mal_creddumper.ps1 b/Rules/SIGMA/builtin/win_mal_creddumper.ps1
new file mode 100644
index 00000000..06f03b0b
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_mal_creddumper.ps1
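Review bot: The second half of the access-mask alternation on the `$result` line (`-match "40"`, `"1400"`, `"1000"`, `"100000"` … `"1f3fff"`) carries no field prefix and no `0x`, so `"40"` alone is satisfied by any record containing those two digits anywhere in its text (timestamps, PIDs, SIDs), which makes the whole `-or` group almost always true and leaves only the `ObjectType.*Process` and `lsass.exe` terms doing real filtering. Anchor the values to the mask field with boundaries, e.g. `$_.message -match "AccessMask.*\b0x40\b"`, and drop the bare-decimal variants unless the source rule genuinely needs them. The hunk begins on the previous line.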
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName System | where {((($_.message -match "ServiceName.*.*fgexec.*" -or $_.message -match "ServiceName.*.*wceservice.*" -or $_.message -match "ServiceName.*.*wce service.*" -or $_.message -match "ServiceName.*.*pwdump.*" -or $_.message -match "ServiceName.*.*gsecdump.*" -or $_.message -match "ServiceName.*.*cachedump.*" -or $_.message -match "ServiceName.*.*mimikatz.*" -or $_.message -match "ServiceName.*.*mimidrv.*") -or ($_.message -match "ImagePath.*.*fgexec.*" -or $_.message -match "ImagePath.*.*dumpsvc.*" -or $_.message -match "ImagePath.*.*cachedump.*" -or $_.message -match "ImagePath.*.*mimidrv.*" -or $_.message -match "ImagePath.*.*gsecdump.*" -or $_.message -match "ImagePath.*.*servpw.*" -or $_.message -match "ImagePath.*.*pwdump.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "6") -and (($_.message -match "ServiceName.*.*fgexec.*" -or $_.message -match "ServiceName.*.*wceservice.*" -or $_.message -match "ServiceName.*.*wce service.*" -or $_.message -match "ServiceName.*.*pwdump.*" -or $_.message -match "ServiceName.*.*gsecdump.*" -or $_.message -match "ServiceName.*.*cachedump.*" -or $_.message -match "ServiceName.*.*mimikatz.*" -or $_.message -match "ServiceName.*.*mimidrv.*") -or ($_.message -match "ImagePath.*.*fgexec.*" -or $_.message -match "ImagePath.*.*dumpsvc.*" -or $_.message -match "ImagePath.*.*cachedump.*" -or $_.message -match "ImagePath.*.*mimidrv.*" -or $_.message -match "ImagePath.*.*gsecdump.*" -or $_.message -match "ImagePath.*.*servpw.*" -or $_.message -match "ImagePath.*.*pwdump.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Security | where {((($_.message -match "ServiceName.*.*fgexec.*" -or $_.message -match "ServiceName.*.*wceservice.*" -or $_.message -match "ServiceName.*.*wce service.*" -or $_.message -match "ServiceName.*.*pwdump.*" -or 
$_.message -match "ServiceName.*.*gsecdump.*" -or $_.message -match "ServiceName.*.*cachedump.*" -or $_.message -match "ServiceName.*.*mimikatz.*" -or $_.message -match "ServiceName.*.*mimidrv.*") -or ($_.message -match "ImagePath.*.*fgexec.*" -or $_.message -match "ImagePath.*.*dumpsvc.*" -or $_.message -match "ImagePath.*.*cachedump.*" -or $_.message -match "ImagePath.*.*mimidrv.*" -or $_.message -match "ImagePath.*.*gsecdump.*" -or $_.message -match "ImagePath.*.*servpw.*" -or $_.message -match "ImagePath.*.*pwdump.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_mal_creddumper"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ((($_.message -match "ServiceName.*.*fgexec.*" -or $_.message -match "ServiceName.*.*wceservice.*" -or $_.message -match "ServiceName.*.*wce service.*" -or $_.message -match "ServiceName.*.*pwdump.*" -or $_.message -match "ServiceName.*.*gsecdump.*" -or $_.message -match "ServiceName.*.*cachedump.*" -or $_.message -match "ServiceName.*.*mimikatz.*" -or $_.message -match "ServiceName.*.*mimidrv.*") -or ($_.message -match "ImagePath.*.*fgexec.*" -or $_.message -match "ImagePath.*.*dumpsvc.*" -or $_.message -match "ImagePath.*.*cachedump.*" -or $_.message -match "ImagePath.*.*mimidrv.*" -or $_.message -match "ImagePath.*.*gsecdump.*" -or $_.message -match "ImagePath.*.*servpw.*" -or $_.message -match "ImagePath.*.*pwdump.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { (($_.ID -eq "6") -and (($_.message -match "ServiceName.*.*fgexec.*" -or $_.message -match "ServiceName.*.*wceservice.*" -or $_.message -match "ServiceName.*.*wce service.*" -or $_.message -match "ServiceName.*.*pwdump.*" -or $_.message -match "ServiceName.*.*gsecdump.*" -or $_.message -match "ServiceName.*.*cachedump.*" -or 
$_.message -match "ServiceName.*.*mimikatz.*" -or $_.message -match "ServiceName.*.*mimidrv.*") -or ($_.message -match "ImagePath.*.*fgexec.*" -or $_.message -match "ImagePath.*.*dumpsvc.*" -or $_.message -match "ImagePath.*.*cachedump.*" -or $_.message -match "ImagePath.*.*mimidrv.*" -or $_.message -match "ImagePath.*.*gsecdump.*" -or $_.message -match "ImagePath.*.*servpw.*" -or $_.message -match "ImagePath.*.*pwdump.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ((($_.message -match "ServiceName.*.*fgexec.*" -or $_.message -match "ServiceName.*.*wceservice.*" -or $_.message -match "ServiceName.*.*wce service.*" -or $_.message -match "ServiceName.*.*pwdump.*" -or $_.message -match "ServiceName.*.*gsecdump.*" -or $_.message -match "ServiceName.*.*cachedump.*" -or $_.message -match "ServiceName.*.*mimikatz.*" -or $_.message -match "ServiceName.*.*mimidrv.*") -or ($_.message -match "ImagePath.*.*fgexec.*" -or $_.message -match "ImagePath.*.*dumpsvc.*" -or $_.message -match "ImagePath.*.*cachedump.*" -or $_.message -match "ImagePath.*.*mimidrv.*" -or $_.message -match "ImagePath.*.*gsecdump.*" -or $_.message -match "ImagePath.*.*servpw.*" -or $_.message -match "ImagePath.*.*pwdump.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_mal_service_installs.ps1 b/Rules/SIGMA/builtin/win_mal_service_installs.ps1 new file mode 100644 index 00000000..64fba5c2 --- /dev/null 
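Review bot: `$ruleName` and `$detectedMessage` are never assigned inside this Search-DetectableEvents, unlike the sibling rules in this commit (win_moriya_rootkit, win_net_ntlm_downgrade, win_powershell_script_installed_as_service), which set both before the queries. Because `$detectRule` is dot-sourced at scan time, the `Detected! RuleName:$ruleName` line resolves `$ruleName` from whatever the caller's scope holds at that moment — plausibly the last rule that was dot-sourced — and `$detectedMessage` prints empty or stale, so a hit can be attributed to the wrong rule. Add `$ruleName = "win_mal_creddumper";` and `$detectedMessage = "<rule description placeholder>";` at the top of the function; the same omission is in win_mal_service_installs and win_meterpreter_or_cobaltstrike_getsystem_service_installation. Also, the first and third queries here carry no event-ID filter and are otherwise identical, so if `$event` holds events from more than one log the same record is printed twice; win_meterpreter_or_cobaltstrike_getsystem_service_installation has the same duplicate pair.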
+++ b/Rules/SIGMA/builtin/win_mal_service_installs.ps1 @@ -0,0 +1,37 @@ +# Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and ($_.Service File Name -eq "*\\PAExec*" -or $_.message -match "ServiceName.*mssecsvc2.0" -or $_.Service File Name -eq "*net user*" -or $_.message -match "ServiceName.*Java(TM) Virtual Machine Support Service")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Security | where {($_.ID -eq "4697" -and $_.message -match "ServiceName.*javamtsup") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_mal_service_installs"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ($_.ID -eq "7045" -and ($_.message -match "\\PAExec*" -or $_.message -match "ServiceName.*mssecsvc2.0" -or $_.message -match "net user*" -or $_.message -match "ServiceName.*Java(TM) Virtual Machine Support Service")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp) + $tmp = $event | where { ($_.ID -eq "4697" -and $_.message -match "ServiceName.*javamtsup") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp) + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_mal_wceaux_dll.ps1 b/Rules/SIGMA/builtin/win_mal_wceaux_dll.ps1 new file mode 100644 index 00000000..f2440666 --- /dev/null +++ b/Rules/SIGMA/builtin/win_mal_wceaux_dll.ps1 
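Review bot: The wildcard-to-regex conversion in the 7045 query is wrong for three of its four patterns: `-match "net user*"` is the regex `net use` followed by zero or more `r`, so it fires on every `net use` command line, `-match "\\PAExec*"` likewise only requires `\PAExe`, and `-match "ServiceName.*Java(TM) Virtual Machine Support Service"` treats `(TM)` as a capture group, so it can never match the literal `Java(TM)` text the comment line shows. The intended contains-matches are `$_.message -match "net user"`, `$_.message -match "\\PAExec"` and `$_.message -match "ServiceName.*Java\(TM\) Virtual Machine Support Service"`. Also the two `[void]$results.Add($tmp)` statements drop the terminating `;` that every other statement in these files carries.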
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -or $_.ID -eq "4658" -or $_.ID -eq "4660" -or $_.ID -eq "4663") -and $_.message -match "ObjectName.*.*\wceaux.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_mal_wceaux_dll"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_mal_wceaux_dll"; + $detectedMessage = "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host"; + $result = $event | where { (($_.ID -eq "4656" -or $_.ID -eq "4658" -or $_.ID -eq "4660" -or $_.ID -eq "4663") -and $_.message -match "ObjectName.*.*\\wceaux.dll") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.ps1 b/Rules/SIGMA/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.ps1 new file mode 100644 index 00000000..bb8a2d2c --- /dev/null +++ b/Rules/SIGMA/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.ps1 
@@ -0,0 +1,41 @@ +# Get-WinEvent -LogName System | where {((($_.Service File Name -eq "*cmd*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*%COMSPEC%*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*cmd.exe*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*rundll32*" -and $_.Service File Name -eq "*.dll,a*" -and $_.Service File Name -eq "*/p:*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "6") -and (($_.Service File Name -eq "*cmd*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*%COMSPEC%*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*cmd.exe*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*rundll32*" -and $_.Service File Name -eq "*.dll,a*" -and $_.Service File Name -eq "*/p:*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Security | where {((($_.Service File Name -eq "*cmd*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*%COMSPEC%*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*cmd.exe*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File 
Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*rundll32*" -and $_.Service File Name -eq "*.dll,a*" -and $_.Service File Name -eq "*/p:*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + + +function Add-Rule { + + $ruleName = "win_meterpreter_or_cobaltstrike_getsystem_service_installation"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ((($_.Message -Like "*cmd*" -and $_.Message -Like "*/c*" -and $_.Message -Like "*echo*" -and $_.Message -Like "*\\pipe\\*") -or ($_.Message -Like "*%COMSPEC%*" -and $_.Message -Like "*/c*" -and $_.Message -Like "*echo*" -and $_.Message -Like "*\\pipe\\*") -or ($_.Message -Like "*cmd.exe*" -and $_.Message -Like "*/c*" -and $_.Message -Like "*echo*" -and $_.Message -Like "*\\pipe\\*") -or ($_.Message -Like "*rundll32*" -and $_.Message -Like "*.dll,a*" -and $_.Message -Like "*/p:*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { (($_.ID -eq "6") -and (($_.Message -Like "*cmd*" -and $_.Message -Like "*/c*" -and $_.Message -Like "*echo*" -and $_.Message -Like "*\\pipe\\*") -or ($_.Message -Like "*%COMSPEC%*" -and $_.Message -Like "*/c*" -and $_.Message -Like "*echo*" -and $_.Message -Like "*\\pipe\\*") -or ($_.Message -Like "*cmd.exe*" -and $_.Message -Like "*/c*" -and $_.Message -Like "*echo*" -and $_.Message -Like "*\\pipe\\*") -or ($_.Message -Like "*rundll32*" -and $_.Message -Like "*.dll,a*" -and $_.Message -Like "*/p:*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ((($_.Message -Like "*cmd*" -and $_.Message -Like "*/c*" -and $_.Message -Like "*echo*" -and $_.Message -Like "*\\pipe\\*") -or ($_.Message -Like "*%COMSPEC%*" -and $_.Message -Like "*/c*" -and $_.Message -Like "*echo*" -and $_.Message -Like "*\\pipe\\*") -or ($_.Message -Like 
"*cmd.exe*" -and $_.Message -Like "*/c*" -and $_.Message -Like "*echo*" -and $_.Message -Like "*\\pipe\\*") -or ($_.Message -Like "*rundll32*" -and $_.Message -Like "*.dll,a*" -and $_.Message -Like "*/p:*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_mmc20_lateral_movement.ps1 b/Rules/SIGMA/builtin/win_mmc20_lateral_movement.ps1 new file mode 100644 index 00000000..63444436 --- /dev/null +++ b/Rules/SIGMA/builtin/win_mmc20_lateral_movement.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\svchost.exe" -and $_.message -match "Image.*.*\mmc.exe" -and $_.message -match "CommandLine.*.*-Embedding.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_mmc20_lateral_movement"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_mmc20_lateral_movement"; + $detectedMessage = "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of ""-Embedding"" as a child of svchost.exe"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\svchost.exe" -and $_.message -match "Image.*.*\\mmc.exe" -and $_.message -match "CommandLine.*.*-Embedding.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_moriya_rootkit.ps1 b/Rules/SIGMA/builtin/win_moriya_rootkit.ps1 new file mode 100644 index 00000000..05a16e57 --- /dev/null +++ b/Rules/SIGMA/builtin/win_moriya_rootkit.ps1 
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*ZzNetSvc") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*C:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_moriya_rootkit"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_moriya_rootkit"; + $detectedMessage = "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report" + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ($_.ID -eq "7045" -and $_.message -match "ServiceName.*ZzNetSvc") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*C:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_net_ntlm_downgrade.ps1 b/Rules/SIGMA/builtin/win_net_ntlm_downgrade.ps1 new file mode 100644 index 00000000..27a4d41c --- /dev/null +++ b/Rules/SIGMA/builtin/win_net_ntlm_downgrade.ps1 
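Review bot: The `$detectedMessage = "Detects the use of Moriya rootkit …"` assignment is the one statement in this file without a terminating `;`, which every other line in these generated files carries; PowerShell accepts it, but the inconsistency suggests the template emitted this line differently and makes the rule files harder to diff against each other. The same line lacks the `;` in win_net_ntlm_downgrade and win_powershell_script_installed_as_service. Separately, the unescaped `.` in `MoriyaStreamWatchmen.sys` matches any character; `MoriyaStreamWatchmen\.sys` is the tighter form.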
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*SYSTEM\\.*" -and $_.message -match "TargetObject.*.*ControlSet.*" -and $_.message -match "TargetObject.*.*\\Control\\Lsa.*" -and ($_.message -match "TargetObject.*.*\\lmcompatibilitylevel" -or $_.message -match "TargetObject.*.*\\NtlmMinClientSec" -or $_.message -match "TargetObject.*.*\\RestrictSendingNTLMTraffic")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Security | where {($_.ID -eq "4657" -and $_.message -match "ObjectName.*.*\\REGISTRY\\MACHINE\\SYSTEM.*" -and $_.message -match "ObjectName.*.*ControlSet.*" -and $_.message -match "ObjectName.*.*\\Control\\Lsa.*" -and ($_.message -match "LmCompatibilityLevel" -or $_.message -match "NtlmMinClientSec" -or $_.message -match "RestrictSendingNTLMTraffic")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_net_ntlm_downgrade"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_net_ntlm_downgrade"; + $detectedMessage = "Detects NetNTLM downgrade attack" + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*SYSTEM\\.*" -and $_.message -match "TargetObject.*.*ControlSet.*" -and $_.message -match "TargetObject.*.*\\Control\\Lsa.*" -and ($_.message -match "TargetObject.*.*\\lmcompatibilitylevel" -or $_.message -match "TargetObject.*.*\\NtlmMinClientSec" -or $_.message -match "TargetObject.*.*\\RestrictSendingNTLMTraffic")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "4657" -and $_.message -match "ObjectName.*.*\\REGISTRY\\MACHINE\\SYSTEM.*" -and $_.message -match 
"ObjectName.*.*ControlSet.*" -and $_.message -match "ObjectName.*.*\\Control\\Lsa.*" -and ($_.message -match "LmCompatibilityLevel" -or $_.message -match "NtlmMinClientSec" -or $_.message -match "RestrictSendingNTLMTraffic")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_net_use_admin_share.ps1 b/Rules/SIGMA/builtin/win_net_use_admin_share.ps1 new file mode 100644 index 00000000..6cea7a29 --- /dev/null +++ b/Rules/SIGMA/builtin/win_net_use_admin_share.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\net.exe" -or $_.message -match "Image.*.*\net1.exe") -and $_.message -match "CommandLine.*.* use .*" -and $_.message -match "CommandLine.*.*\.*\.*$.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_net_use_admin_share"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_net_use_admin_share"; + $detectedMessage = "Detects when an admin share is mounted using net.exe"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.* use .*" -and $_.message -match "CommandLine.*.*\\.*\\.*$.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_new_or_renamed_user_account_with_dollar_sign.ps1 b/Rules/SIGMA/builtin/win_new_or_renamed_user_account_with_dollar_sign.ps1 new file mode 100644 index 00000000..937ff717 --- /dev/null +++ b/Rules/SIGMA/builtin/win_new_or_renamed_user_account_with_dollar_sign.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Security | where {(($_.ID -eq "4720" -or $_.ID -eq "4781") -and $_.message -match "SamAccountName.*.*$.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_new_or_renamed_user_account_with_dollar_sign"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_new_or_renamed_user_account_with_dollar_sign"; + $detectedMessage = "Detects possible bypass EDR and SIEM via abnormal user account name."; + $result = $event | where { (($_.ID -eq "4720" -or $_.ID -eq "4781") -and $_.message -match "SamAccountName.*.*$.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_not_allowed_rdp_access.ps1 b/Rules/SIGMA/builtin/win_not_allowed_rdp_access.ps1 new file mode 100644 index 00000000..e3318055 --- /dev/null +++ b/Rules/SIGMA/builtin/win_not_allowed_rdp_access.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Security | where {($_.ID -eq "4825") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_not_allowed_rdp_access"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_not_allowed_rdp_access"; + $detectedMessage = "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop."; + $result = $event | where { ($_.ID -eq "4825") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_ntfs_vuln_exploit.ps1 b/Rules/SIGMA/builtin/win_ntfs_vuln_exploit.ps1 new file mode 100644 index 00000000..2fe1b06d --- /dev/null +++ b/Rules/SIGMA/builtin/win_ntfs_vuln_exploit.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName System | where {($_.ID -eq "55" -and $_.message -match "Origin.*File System Driver" -and $_.message -match "Description.*.*contains a corrupted file record.*" -and $_.message -match "Description.*.*The name of the file is "\".*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_ntfs_vuln_exploit"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_ntfs_vuln_exploit"; + $detectedMessage = "This the exploitation of a NTFS vulnerability as reported without many details via Twitter"; + $result = $event | where { ($_.ID -eq "55" -and $_.message -match "Origin.*File System Driver" -and $_.message -match "Description.*.*contains a corrupted file record.*" -and $_.message -match "Description.*.*The name of the file is ""\\"".*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_overpass_the_hash.ps1 b/Rules/SIGMA/builtin/win_overpass_the_hash.ps1 new file mode 100644 index 00000000..9cac9eb5 --- /dev/null +++ b/Rules/SIGMA/builtin/win_overpass_the_hash.ps1 
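Review bot: The banner text `$detectedMessage = "This the exploitation of a NTFS vulnerability as reported without many details via Twitter"` is missing its verb and does not say what is detected, unlike the `Detects …` phrasing the other rules use; suggest `$detectedMessage = "Detects exploitation of an NTFS vulnerability (System event 55, corrupted file record) as reported without many details via Twitter";`. Note also that the quoting in `""\\"".*` yields the regex `"\\"` — a quote, one backslash, a quote — while the comment line above shows `"\"`; worth confirming against a captured event 55 which form the rendered text actually contains.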
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*9" -and $_.message -match "LogonProcessName.*seclogo" -and $_.message -match "AuthenticationPackageName.*Negotiate") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_overpass_the_hash"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_overpass_the_hash"; + $detectedMessage = "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module."; + $result = $event | where { ($_.ID -eq "4624" -and $_.message -match "LogonType.*9" -and $_.message -match "LogonProcessName.*seclogo" -and $_.message -match "AuthenticationPackageName.*Negotiate") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_pass_the_hash.ps1 b/Rules/SIGMA/builtin/win_pass_the_hash.ps1 new file mode 100644 index 00000000..3d2a0248 --- /dev/null +++ b/Rules/SIGMA/builtin/win_pass_the_hash.ps1 
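Review bot: Every term in this query compares EVTX field names (`LogonType`, `LogonProcessName`, `AuthenticationPackageName`) against `$_.message`, which for a Security 4624 read with Get-WinEvent is the rendered text, where those values appear under labels such as `Logon Type:` and `Logon Process:` rather than the XML element names; unless the harness builds `Message` from the event XML, `-match "LogonProcessName.*seclogo"` cannot match and the rule never fires — confirm against a captured 4624 before relying on it. If `$_.message` is the rendered text, the terms need the label wording, e.g. `'Logon Type:\s*9\b'`, `'Logon Process:\s*seclogo'`, `'Authentication Package:\s*Negotiate'`, and `LogonType.*9` should in any case be anchored as a whole value so a `9` elsewhere on the line does not satisfy it. The same field-name-versus-rendered-message concern applies to the other rules in this commit that match on `SubjectUserName`, `ObjectName`, `WorkstationName` and similar names.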
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Security | where {(($_.message -match "LogonType.*3" -and $_.message -match "LogonProcessName.*NtLmSsp" -and $_.message -match "WorkstationName.*%Workstations%" -and $_.message -match "ComputerName.*%Workstations%" -and ($_.ID -eq "4624" -or $_.ID -eq "4625")) -and -not ($_.message -match "AccountName.*ANONYMOUS LOGON")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_pass_the_hash"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_pass_the_hash"; + $detectedMessage = "Detects the attack technique pass the hash which is used to move laterally inside the network"; + $result = $event | where { (($_.message -match "LogonType.*3" -and $_.message -match "LogonProcessName.*NtLmSsp" -and $_.message -match "WorkstationName.*%Workstations%" -and $_.message -match "ComputerName.*%Workstations%" -and ($_.ID -eq "4624" -or $_.ID -eq "4625")) -and -not ($_.message -match "AccountName.*ANONYMOUS LOGON")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_pass_the_hash_2.ps1 b/Rules/SIGMA/builtin/win_pass_the_hash_2.ps1 new file mode 100644 index 00000000..0dbeb9f0 --- /dev/null +++ b/Rules/SIGMA/builtin/win_pass_the_hash_2.ps1 
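Review bot: `WorkstationName.*%Workstations%` and `ComputerName.*%Workstations%` still carry the Sigma placeholder `%Workstations%` as literal text, so the rule only fires if a message literally contains `%Workstations%` — in practice never — until the placeholder is replaced with the site's workstation names; the same is true of `TargetUserName.*%DC-MACHINE-NAME%` in win_privesc_cve_2020_1472. At minimum flag it in the file, `# %Workstations% is a site-specific placeholder; replace with an alternation of workstation host names before use`, or better read the list from a config variable and build the alternation, e.g. `-match "WorkstationName.*($(($workstations | ForEach-Object { [regex]::Escape($_) }) -join '|'))"` (constructed example). Note the `ComputerName` test is joined with `-and`, so the logging host must also be in the list, which restricts the rule to logons recorded on workstations — presumably intended, but worth stating in the comment.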
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Security | where {(($_.ID -eq "4624" -and (($_.message -match "SubjectUserSid.*S-1-0-0" -and $_.message -match "LogonType.*3" -and $_.message -match "LogonProcessName.*NtLmSsp" -and $_.message -match "KeyLength.*0") -or ($_.message -match "LogonType.*9" -and $_.message -match "LogonProcessName.*seclogo"))) -and -not ($_.message -match "AccountName.*ANONYMOUS LOGON")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_pass_the_hash_2"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_pass_the_hash_2"; + $detectedMessage = "Detects the attack technique pass the hash which is used to move laterally inside the network"; + $result = $event | where { (($_.ID -eq "4624" -and (($_.message -match "SubjectUserSid.*S-1-0-0" -and $_.message -match "LogonType.*3" -and $_.message -match "LogonProcessName.*NtLmSsp" -and $_.message -match "KeyLength.*0") -or ($_.message -match "LogonType.*9" -and $_.message -match "LogonProcessName.*seclogo"))) -and -not ($_.message -match "AccountName.*ANONYMOUS LOGON")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_possible_dc_shadow.ps1 b/Rules/SIGMA/builtin/win_possible_dc_shadow.ps1 new file mode 100644 index 00000000..012ebbcc --- /dev/null +++ b/Rules/SIGMA/builtin/win_possible_dc_shadow.ps1 
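Review bot: The second branch of this query, `LogonType.*9 -and LogonProcessName.*seclogo`, is implied by win_overpass_the_hash's whole condition (4624, LogonType 9, seclogo, Negotiate), so every overpass-the-hash hit is also printed here under a second rule name; if that is not intended, drop the seclogo branch or note in a comment that the overlap is deliberate. `KeyLength.*0` and `LogonType.*3` are also unanchored — `.*` runs to the end of the line — so a `0` or `3` anywhere after the label satisfies them; `KeyLength\D+0\b` and `LogonType\D+3\b` pin the digit to the value.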
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Security | where {((($_.ID -eq "4742" -and $_.message -match "ServicePrincipalNames.*.*GC/.*") -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*servicePrincipalName" -and $_.message -match "AttributeValue.*GC/.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_possible_dc_shadow"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_possible_dc_shadow"; + $detectedMessage = "Detects DCShadow via create new SPN"; + $result = $event | where { ((($_.ID -eq "4742" -and $_.message -match "ServicePrincipalNames.*.*GC/.*") -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*servicePrincipalName" -and $_.message -match "AttributeValue.*GC/.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_powershell_script_installed_as_service.ps1 b/Rules/SIGMA/builtin/win_powershell_script_installed_as_service.ps1 new file mode 100644 index 00000000..d32019d7 --- /dev/null +++ b/Rules/SIGMA/builtin/win_powershell_script_installed_as_service.ps1 
@@ -0,0 +1,46 @@
+# Get-WinEvent -LogName System | where { ($_.ID -eq "7045" -and ($_.Service File Name -eq "*powershell*" -or $_.message -match "Service File Name.*.*pwsh.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "6" -and ($_.Service File Name -eq "*powershell*" -or $_.message -match "Service File Name.*.*pwsh.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Security | where { ($_.ID -eq "4697" -and ($_.Service File Name -eq "*powershell*" -or $_.message -match "Service File Name.*.*pwsh.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_script_installed_as_service";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_script_installed_as_service";
+ $detectedMessage = "Detects powershell script installed as a Service"
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "7045" -and ($_.message -match "powershell*" -or $_.message -match "Service File Name.*.*pwsh.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ $tmp = $event | where { ($_.ID -eq "6" -and ($_.message -match "powershell*" -or $_.message -match "Service File Name.*.*pwsh.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ $tmp = $event | where { ($_.ID -eq "4697" -and ($_.message -match "powershell*" -or $_.message -match "Service File Name.*.*pwsh.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_privesc_cve_2020_1472.ps1 b/Rules/SIGMA/builtin/win_privesc_cve_2020_1472.ps1
new file mode 100644
index 00000000..81169835
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_privesc_cve_2020_1472.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4742" -and $_.message -match "SubjectUserName.*ANONYMOUS LOGON" -and $_.message -match "TargetUserName.*%DC-MACHINE-NAME%") -and -not ($_.message -match "PasswordLastSet.*-")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_privesc_cve_2020_1472";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_privesc_cve_2020_1472";
+ $detectedMessage = "Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)";
+ $result = $event | where { (($_.ID -eq "4742" -and $_.message -match "SubjectUserName.*ANONYMOUS LOGON" -and $_.message -match "TargetUserName.*%DC-MACHINE-NAME%") -and -not ($_.message -match "PasswordLastSet.*-")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_protected_storage_service_access.ps1 b/Rules/SIGMA/builtin/win_protected_storage_service_access.ps1
new file mode 100644
index 00000000..89352733
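Review bot: The pattern `"powershell*"` in the three `$tmp` filters is a wildcard that was never converted to a regex: as a regex it means `powershel` followed by zero or more `l`, and it is tested against the whole message rather than the Service File Name line, so any 7045/4697/6 message that mentions powershell anywhere fires. The header comments still carry the unconverted `$_.Service File Name -eq "*powershell*"`, which is not valid PowerShell either. Suggest `$_.message -match "Service File Name.*powershell"` in all three places, mirroring the `pwsh` alternative next to it. Separately, `$_.ID -eq "6"` is not scoped to the Sysmon channel, so an event ID 6 from any provider present in `$event` is tested; `$_.ID -eq "1"` in the later win_root_certificate_installed and win_software_discovery hunks has the same exposure unless `$event` is already per-channel, which the code does not show.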
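Review bot: `TargetUserName.*%DC-MACHINE-NAME%` in the `$result` filter is an unreplaced Sigma placeholder, so the rule cannot match a real 4742 record unless the message literally contains that token; it has to be substituted with the domain controller computer account (placeholder: `TargetUserName.*<DC-HOSTNAME>\$`) or exposed as a configurable value, and the unconverted form should not ship silently. The exclusion `PasswordLastSet.*-` also matches any date rendered with hyphens, so on a host whose locale prints ISO-style dates every event is dropped; the Sigma filter `PasswordLastSet: '-'` means the bare dash, i.e. `$_.message -match '(?m)PasswordLastSet:?\s*-\s*$'`. Field names are assumed from the first-line comment and should be checked against a rendered event.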
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_protected_storage_service_access.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*.*IPC.*" -and $_.message -match "RelativeTargetName.*protected_storage") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_protected_storage_service_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_protected_storage_service_access";
+ $detectedMessage = "Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers";
+ $result = $event | where { ($_.ID -eq "5145" -and $_.message -match "ShareName.*.*IPC.*" -and $_.message -match "RelativeTargetName.*protected_storage") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_quarkspwdump_clearing_hive_access_history.ps1 b/Rules/SIGMA/builtin/win_quarkspwdump_clearing_hive_access_history.ps1
new file mode 100644
index 00000000..bf6f81de
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_quarkspwdump_clearing_hive_access_history.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName System | where {($_.ID -eq "16" -and $_.message -match "HiveName.*.*\AppData\Local\Temp\SAM.*" -and $_.message -match "HiveName.*.*.dmp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_quarkspwdump_clearing_hive_access_history";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_quarkspwdump_clearing_hive_access_history";
+ $detectedMessage = "Detects QuarksPwDump clearing access history in hive";
+ $result = $event | where { ($_.ID -eq "16" -and $_.message -match "HiveName.*.*\\AppData\\Local\\Temp\\SAM.*" -and $_.message -match "HiveName.*.*.dmp") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_rare_schtasks_creations.ps1 b/Rules/SIGMA/builtin/win_rare_schtasks_creations.ps1
new file mode 100644
index 00000000..d92cc9b0
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_rare_schtasks_creations.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4698") } | group-object TaskName | where { $_.count -lt 5 } | select name,count | sort -desc
+
+function Add-Rule {
+
+ $ruleName = "win_rare_schtasks_creations";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rare_schtasks_creations";
+ $detectedMessage = "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code";
+ $result = $event | where { ($_.ID -eq "4698") } | group-object TaskName | where { $_.count -lt 5 } | select name, count | sort -desc;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_rare_service_installs.ps1 b/Rules/SIGMA/builtin/win_rare_service_installs.ps1
new file mode 100644
index 00000000..26618951
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_rare_service_installs.ps1
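Review bot: `group-object TaskName` in the `$result` pipeline depends on the objects in `$event` exposing a `TaskName` property; a raw `Get-WinEvent` record has none (the task name is only inside `Message`/`Properties`), and as far as I can tell Group-Object then puts every 4698 event into a single unnamed group, so the rule fires whenever fewer than five such events are present and never otherwise. If `$event` is an enriched object this is fine, but nothing in the hunk shows that; otherwise the task name has to be extracted from the message before grouping. Also `sort -desc` is given no property, so the `name, count` rows are not ordered by count — `sort count -desc` is presumably what was meant. The next hunk, win_rare_service_installs, has the same shape with `group-object ServiceFileName`.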
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName System | where {($_.ID -eq "7045") } | group-object ServiceFileName | where { $_.count -lt 5 } | select name,count | sort -desc
+
+function Add-Rule {
+
+ $ruleName = "win_rare_service_installs";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rare_service_installs";
+ $detectedMessage = "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services";
+ $result = $event | where { ($_.ID -eq "7045") } | group-object ServiceFileName | where { $_.count -lt 5 } | select name, count | sort -desc;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_rdp_bluekeep_poc_scanner.ps1 b/Rules/SIGMA/builtin/win_rdp_bluekeep_poc_scanner.ps1
new file mode 100644
index 00000000..13add54d
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_rdp_bluekeep_poc_scanner.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4625" -and $_.message -match "AccountName.*AAAAAAA") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_rdp_bluekeep_poc_scanner";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rdp_bluekeep_poc_scanner";
+ $detectedMessage = "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep";
+ $result = $event | where { ($_.ID -eq "4625" -and $_.message -match "AccountName.*AAAAAAA") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_rdp_localhost_login.ps1 b/Rules/SIGMA/builtin/win_rdp_localhost_login.ps1
new file mode 100644
index 00000000..34be45d1
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_rdp_localhost_login.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and ($_.message -match "::1" -or $_.message -match "127.0.0.1")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_rdp_localhost_login";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rdp_localhost_login";
+ $detectedMessage = "RDP login with localhost source address may be a tunnelled login";
+ $result = $event | where { ($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and ($_.message -match "::1" -or $_.message -match "127.0.0.1")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_rdp_potential_cve-2019-0708.ps1 b/Rules/SIGMA/builtin/win_rdp_potential_cve-2019-0708.ps1
new file mode 100644
index 00000000..609a49c0
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_rdp_potential_cve-2019-0708.ps1
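Review bot: `$_.message -match "::1"` in the `$result` filter is a bare substring test, so any IPv6 address that contains `::1` (`fe80::1…`, `2001:db8::10`) satisfies it, `"127.0.0.1"` has unescaped dots, and neither term is tied to the source-address line, so a 4624 whose workstation name or other field happens to contain the text also passes. Anchor both to the field and the exact token, e.g. `$_.message -match '(?m)(IpAddress|Source Network Address):\s*(127\.0\.0\.1|::1)\s*$'`, with the field name checked against how `$event` renders the message. The win_rdp_reverse_tunnel hunk two files later has the same `"::1"` test plus `"DestAddress.*127..*"`, where the unescaped `127..*` also matches `1270…`.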
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName System | where {(($_.ID -eq "56" -or $_.ID -eq "50") -and $_.message -match "Source.*TermDD") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_rdp_potential_cve-2019-0708";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rdp_potential_cve-2019-0708";
+ $detectedMessage = "Detect suspicious error on protocol RDP, potential CVE-2019-0708";
+ $result = $event | where { (($_.ID -eq "56" -or $_.ID -eq "50") -and $_.message -match "Source.*TermDD") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_rdp_reverse_tunnel.ps1 b/Rules/SIGMA/builtin/win_rdp_reverse_tunnel.ps1
new file mode 100644
index 00000000..5432f95e
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_rdp_reverse_tunnel.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5156" -and (($_.message -match "SourcePort.*3389" -and ($_.message -match "DestAddress.*127..*" -or $_.message -match "::1")) -or ($_.message -match "DestPort.*3389" -and ($_.message -match "SourceAddress.*127..*" -or $_.message -match "::1")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_rdp_reverse_tunnel";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rdp_reverse_tunnel";
+ $detectedMessage = "Detects svchost hosting RDP termsvcs communicating with the loopback address";
+ $result = $event | where { ($_.ID -eq "5156" -and (($_.message -match "SourcePort.*3389" -and ($_.message -match "DestAddress.*127..*" -or $_.message -match "::1")) -or ($_.message -match "DestPort.*3389" -and ($_.message -match "SourceAddress.*127..*" -or $_.message -match "::1")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_register_new_logon_process_by_rubeus.ps1 b/Rules/SIGMA/builtin/win_register_new_logon_process_by_rubeus.ps1
new file mode 100644
index 00000000..7fa72574
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_register_new_logon_process_by_rubeus.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4611" -and $_.message -match "LogonProcessName.*User32LogonProcesss") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_register_new_logon_process_by_rubeus";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_register_new_logon_process_by_rubeus";
+ $detectedMessage = "Detects potential use of Rubeus via registered new trusted logon process";
+ $result = $event | where { ($_.ID -eq "4611" -and $_.message -match "LogonProcessName.*User32LogonProcesss") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_remote_powershell_session.ps1 b/Rules/SIGMA/builtin/win_remote_powershell_session.ps1
new file mode 100644
index 00000000..06973887
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_remote_powershell_session.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5156" -and ($_.message -match "5985" -or $_.message -match "5986") -and $_.message -match "LayerRTID.*44") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_remote_powershell_session";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_remote_powershell_session";
+ $detectedMessage = "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986";
+ $result = $event | where { ($_.ID -eq "5156" -and ($_.message -match "5985" -or $_.message -match "5986") -and $_.message -match "LayerRTID.*44") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($null -ne $result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_remote_registry_management_using_reg_utility.ps1 b/Rules/SIGMA/builtin/win_remote_registry_management_using_reg_utility.ps1
new file mode 100644
index 00000000..ba88bb2a
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_remote_registry_management_using_reg_utility.ps1
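Review bot: `$_.message -match "5985"` and `"5986"` in the `$result` filter are substring tests over the whole message, so a 5156 record whose process ID, source port or any other field merely contains those digits (59850, 15986, a PID of 5985) is reported as a WinRM session; the Sigma source ties the ports to the destination port. `$_.message -match '(?m)DestPort:?\s*598[56]\s*$'` narrows it, with the field name to be confirmed against how `$event` renders the message. Minor consistency point: this hunk tests `$null -ne $result` where every sibling rule in the batch tests `$result`; both behave the same for an array, so pick one form for all generated files.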
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "RelativeTargetName.*.*\winreg.*") -and -not ($_.message -match "IpAddress.*%Admins_Workstations%")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_remote_registry_management_using_reg_utility";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_remote_registry_management_using_reg_utility";
+ $detectedMessage = "Remote registry management using REG utility from non-admin workstation";
+ $result = $event | where { (($_.ID -eq "5145" -and $_.message -match "RelativeTargetName.*.*\\winreg.*") -and -not ($_.message -match "IpAddress.*%Admins_Workstations%")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_root_certificate_installed.ps1 b/Rules/SIGMA/builtin/win_root_certificate_installed.ps1
new file mode 100644
index 00000000..d4661ca6
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_root_certificate_installed.ps1
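Review bot: The exclusion `-not ($_.message -match "IpAddress.*%Admins_Workstations%")` in the `$result` filter still carries the Sigma placeholder, so it never matches and the `-not` term is always true; the rule reports every 5145 access to `\winreg` regardless of source, which is noisier than the message "from non-admin workstation" promises. Either substitute the placeholder with the admin-workstation address pattern (constructed example: `"IpAddress.*10\.0\.5\."`) or remove the dead clause and adjust `$detectedMessage`. The same unsubstituted placeholder appears in win_privesc_cve_2020_1472 earlier in this commit, where it sits in the positive filter and stops that rule from matching at all.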
@@ -0,0 +1,40 @@
+#Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Cert:\\LocalMachine\\Root.*" -and ($_.message -match "ScriptBlockText.*.*Move-Item.*" -or $_.message -match "ScriptBlockText.*.*Import-Certificate.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+#Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*root.*" -and (($_.message -match "Image.*.*\\certutil.exe" -and $_.message -match "CommandLine.*.*-addstore.*") -or ($_.message -match "Image.*.*\\CertMgr.exe" -and $_.message -match "CommandLine.*.*/add.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_root_certificate_installed";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_root_certificate_installed";
+ $detectedMessage = "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers."
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Cert:\\LocalMachine\\Root.*" -and ($_.message -match "ScriptBlockText.*.*Move-Item.*" -or $_.message -match "ScriptBlockText.*.*Import-Certificate.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*root.*" -and (($_.message -match "Image.*.*\\certutil.exe" -and $_.message -match "CommandLine.*.*-addstore.*") -or ($_.message -match "Image.*.*\\CertMgr.exe" -and $_.message -match "CommandLine.*.*/add.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_sam_registry_hive_handle_request.ps1 b/Rules/SIGMA/builtin/win_sam_registry_hive_handle_request.ps1
new file mode 100644
index 00000000..24b7bc4e
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_sam_registry_hive_handle_request.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4656" -and $_.message -match "ObjectType.*Key" -and $_.message -match "ObjectName.*.*\SAM") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_sam_registry_hive_handle_request";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_sam_registry_hive_handle_request";
+ $detectedMessage = "Detects handles requested to SAM registry hive";
+ $result = $event | where { ($_.ID -eq "4656" -and $_.message -match "ObjectType.*Key" -and $_.message -match "ObjectName.*.*\\SAM") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_scheduled_task_deletion.ps1 b/Rules/SIGMA/builtin/win_scheduled_task_deletion.ps1
new file mode 100644
index 00000000..bfd2e7a1
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_scheduled_task_deletion.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4699") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_scheduled_task_deletion";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_scheduled_task_deletion";
+ $detectedMessage = "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. TASKNAME";
+ $result = $event | where { ($_.ID -eq "4699") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_scm_database_handle_failure.ps1 b/Rules/SIGMA/builtin/win_scm_database_handle_failure.ps1
new file mode 100644
index 00000000..0126aaef
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_scm_database_handle_failure.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -and $_.message -match "ObjectType.*SC_MANAGER OBJECT" -and $_.message -match "ObjectName.*servicesactive" -and $_.message -match "Keywords.*Audit Failure") -and -not ($_.message -match "SubjectLogonId.*0x3e4")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_scm_database_handle_failure";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_scm_database_handle_failure";
+ $detectedMessage = "Detects non-system users failing to get a handle of the SCM database.";
+ $result = $event | where { (($_.ID -eq "4656" -and $_.message -match "ObjectType.*SC_MANAGER OBJECT" -and $_.message -match "ObjectName.*servicesactive" -and $_.message -match "Keywords.*Audit Failure") -and -not ($_.message -match "SubjectLogonId.*0x3e4")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_scm_database_privileged_operation.ps1 b/Rules/SIGMA/builtin/win_scm_database_privileged_operation.ps1
new file mode 100644
index 00000000..d66ce0d3
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_scm_database_privileged_operation.ps1
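Review bot: `$_.message -match "Keywords.*Audit Failure"` in the `$result` filter assumes the keyword text is embedded in `Message`; for a record coming straight from `Get-WinEvent` the keywords are carried in the `KeywordsDisplayNames` property and the message body does not contain the word `Keywords`, so the clause would never match and the rule would be silent. If `$event` is a raw record, `$_.KeywordsDisplayNames -contains "Audit Failure"` is the check; if it is a pre-rendered object whose `message` includes the keywords, a one-line comment saying so would save the next reader the same question. `SubjectLogonId.*0x3e4` is also a prefix test that matches `0x3e45…`; `SubjectLogonId:?\s*0x3e4\b` is stricter, and the same clause reappears in the next hunk, win_scm_database_privileged_operation.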
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4674" -and $_.message -match "ObjectType.*SC_MANAGER OBJECT" -and $_.message -match "ObjectName.*servicesactive" -and $_.message -match "PrivilegeList.*SeTakeOwnershipPrivilege") -and -not ($_.message -match "SubjectLogonId.*0x3e4")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_scm_database_privileged_operation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_scm_database_privileged_operation";
+ $detectedMessage = "Detects non-system users performing privileged operation os the SCM database";
+ $result = $event | where { (($_.ID -eq "4674" -and $_.message -match "ObjectType.*SC_MANAGER OBJECT" -and $_.message -match "ObjectName.*servicesactive" -and $_.message -match "PrivilegeList.*SeTakeOwnershipPrivilege") -and -not ($_.message -match "SubjectLogonId.*0x3e4")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_scrcons_remote_wmi_scripteventconsumer.ps1 b/Rules/SIGMA/builtin/win_scrcons_remote_wmi_scripteventconsumer.ps1
new file mode 100644
index 00000000..d4ee67e4
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_scrcons_remote_wmi_scripteventconsumer.ps1
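Review bot: The user-facing `$detectedMessage` reads `performing privileged operation os the SCM database`; `os` should be `on`, i.e. `$detectedMessage = "Detects non-system users performing privileged operations on the SCM database";`. The rest of the hunk mirrors the preceding SCM handle-failure rule, including the unanchored `SubjectLogonId.*0x3e4` exclusion discussed there.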
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4624" -and $_.message -match "LogonType.*3" -and $_.message -match "ProcessName.*.*scrcons.exe") -and -not ($_.message -match "TargetLogonId.*0x3e7")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_scrcons_remote_wmi_scripteventconsumer";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_scrcons_remote_wmi_scripteventconsumer";
+ $detectedMessage = "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network";
+ $result = $event | where { (($_.ID -eq "4624" -and $_.message -match "LogonType.*3" -and $_.message -match "ProcessName.*.*scrcons.exe") -and -not ($_.message -match "TargetLogonId.*0x3e7")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_set_oabvirtualdirectory_externalurl.ps1 b/Rules/SIGMA/builtin/win_set_oabvirtualdirectory_externalurl.ps1
new file mode 100644
index 00000000..9c4f428f
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_set_oabvirtualdirectory_externalurl.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName MSExchange Management | where {($_.message -match ".*Set-OabVirtualDirectory.*" -and $_.message -match ".*ExternalUrl.*" -and $_.message -match ".*Page_Load.*" -and $_.message -match ".*script.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_set_oabvirtualdirectory_externalurl";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_set_oabvirtualdirectory_externalurl";
+ $detectedMessage = "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script";
+ $result = $event | where { ($_.message -match ".*Set-OabVirtualDirectory.*" -and $_.message -match ".*ExternalUrl.*" -and $_.message -match ".*Page_Load.*" -and $_.message -match ".*script.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_smb_file_creation_admin_shares.ps1 b/Rules/SIGMA/builtin/win_smb_file_creation_admin_shares.ps1
new file mode 100644
index 00000000..dabb1417
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_smb_file_creation_admin_shares.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "ShareName.*.*C$" -and $_.message -match "AccessMask.*0x2") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_smb_file_creation_admin_shares";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_smb_file_creation_admin_shares";
+ $detectedMessage = "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).";
+ $result = $event | where { (($_.ID -eq "5145" -and $_.message -match "ShareName.*.*C$" -and $_.message -match "AccessMask.*0x2") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_software_discovery.ps1 b/Rules/SIGMA/builtin/win_software_discovery.ps1
new file mode 100644
index 00000000..7fcc2bb4
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_software_discovery.ps1
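Review bot: Both `$` characters in the `$result` filter reach the .NET regex engine as end-of-input anchors, not literals (PowerShell leaves `$"` alone, so the string is `ShareName.*.*C$`), which means neither clause tests for the `$` character the Sigma source is about: `ShareName.*.*C$` only matches when the Share Name line is the final line of the message and ends in `C`, and `SubjectUserName.*.*$` only matches when that line is the last one, independent of whether the account is a machine account. In practice the share test never matches a multi-line 5145 message and the rule is silent. Escape the literals and anchor per line, e.g. `$_.message -match 'ShareName.*C\$'` and `-not ($_.message -match '(?m)SubjectUserName:?\s*\S+\$\s*$')`, using single quotes so PowerShell interpolation is not a question.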
@@ -0,0 +1,41 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*get-itemProperty.*" -and $_.message -match "ScriptBlockText.*.*\\software\\.*" -and $_.message -match "ScriptBlockText.*.*select-object.*" -and $_.message -match "ScriptBlockText.*.*format-table.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and $_.message -match "CommandLine.*.*query.*" -and $_.message -match "CommandLine.*.*\\software\\.*" -and $_.message -match "CommandLine.*.*/v.*" -and $_.message -match "CommandLine.*.*svcversion.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_software_discovery";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_software_discovery";
+ $detectedMessage = "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable."
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*get-itemProperty.*" -and $_.message -match "ScriptBlockText.*.*\\software\\.*" -and $_.message -match "ScriptBlockText.*.*select-object.*" -and $_.message -match "ScriptBlockText.*.*format-table.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and $_.message -match "CommandLine.*.*query.*" -and $_.message -match "CommandLine.*.*\\software\\.*" -and $_.message -match "CommandLine.*.*/v.*" -and $_.message -match "CommandLine.*.*svcversion.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_add_domain_trust.ps1 b/Rules/SIGMA/builtin/win_susp_add_domain_trust.ps1
new file mode 100644
index 00000000..4279e785
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_add_domain_trust.ps1
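Review bot: The `$detectedMessage` assignment and the second `$tmp = …` statement drop the trailing `;` that every other statement in this function carries; harmless in PowerShell, but inconsistent with the single-query siblings, and the same slip appears in win_susp_athremotefxvgpudisablementcommand (`$detectedMessage`) and win_susp_eventlog_cleared (`Write-Output ""`). `[void]$results.Add($tmp)` also stores `$null` in the list whenever a sub-query matches nothing and relies on the `if ($result -and …)` guard inside the loop to skip it; a comment such as `# $tmp is $null when a sub-query matched nothing; the guard in the loop skips it` would make that explicit for the next editor.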
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4706") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_add_domain_trust";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_add_domain_trust";
+ $detectedMessage = "Addition of domains is seldom and should be verified for legitimacy.";
+ $result = $event | where { ($_.ID -eq "4706") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_add_sid_history.ps1 b/Rules/SIGMA/builtin/win_susp_add_sid_history.ps1
new file mode 100644
index 00000000..a647e702
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_add_sid_history.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {((($_.ID -eq "4765" -or $_.ID -eq "4766") -or (($_.ID -eq "4738" -and -not (($_.message -match "-" -or $_.message -match "%%1793"))) -and -not (-not SidHistory="*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_add_sid_history";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_add_sid_history";
+ $detectedMessage = "An attacker can use the SID history attribute to gain additional privileges.";
+ $result = $event | where { ((($_.ID -eq "4765" -or $_.ID -eq "4766") -or (($_.ID -eq "4738" -and -not (($_.message -match "-" -or $_.message -match "%%1793"))) -and -not (-not $_.message -match "SidHistory.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_athremotefxvgpudisablementcommand.ps1 b/Rules/SIGMA/builtin/win_susp_athremotefxvgpudisablementcommand.ps1
new file mode 100644
index 00000000..3431c09f
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_athremotefxvgpudisablementcommand.ps1
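Review bot: `-not (-not $_.message -match "SidHistory.*")` does not negate the match: unary `-not` binds to `$_.message` before `-match` is applied, so the inner expression compares `$false` against the pattern and the whole clause comes out `$true` for every event (the commented query line still shows the SIGMA source as `SidHistory="*"`, which the translation did not carry over). The neighbouring `$_.message -match "-"` also matches a hyphen anywhere in the rendered message, not a `-` value of the SidHistory field, so the 4738 branch is likely excluded for almost every record. A closer rendering would be `$_.message -match "SidHistory" -and -not ($_.message -match "SidHistory:?\s*(-|%%1793)")` (constructed; confirm against the rendered 4738 text).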
@@ -0,0 +1,45 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Invoke-ATHRemoteFXvGPUDisablementCommand .*" -and ($_.message -match "CommandLine.*.*-ModuleName .*" -or $_.message -match "CommandLine.*.*-ModulePath .*" -or $_.message -match "CommandLine.*.*-ScriptBlock .*" -or $_.message -match "CommandLine.*.*-RemoteFXvGPUDisablementFilePath.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Windows PowerShell | where { ($_.message -match "HostApplication.*.*Invoke-ATHRemoteFXvGPUDisablementCommand .*" -and ($_.message -match "HostApplication.*.*-ModuleName .*" -or $_.message -match "HostApplication.*.*-ModulePath .*" -or $_.message -match "HostApplication.*.*-ScriptBlock .*" -or $_.message -match "HostApplication.*.*-RemoteFXvGPUDisablementFilePath.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where { ($_.message -match "ContextInfo.*.*Invoke-ATHRemoteFXvGPUDisablementCommand .*" -and ($_.message -match "ContextInfo.*.*-ModuleName .*" -or $_.message -match "ContextInfo.*.*-ModulePath .*" -or $_.message -match "ContextInfo.*.*-ScriptBlock .*" -or $_.message -match "ContextInfo.*.*-RemoteFXvGPUDisablementFilePath.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_athremotefxvgpudisablementcommand";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_athremotefxvgpudisablementcommand";
+ $detectedMessage = "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339)."
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Invoke-ATHRemoteFXvGPUDisablementCommand .*" -and ($_.message -match "CommandLine.*.*-ModuleName .*" -or $_.message -match "CommandLine.*.*-ModulePath .*" -or $_.message -match "CommandLine.*.*-ScriptBlock .*" -or $_.message -match "CommandLine.*.*-RemoteFXvGPUDisablementFilePath.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ $tmp = $event | where { ($_.message -match "HostApplication.*.*Invoke-ATHRemoteFXvGPUDisablementCommand .*" -and ($_.message -match "HostApplication.*.*-ModuleName .*" -or $_.message -match "HostApplication.*.*-ModulePath .*" -or $_.message -match "HostApplication.*.*-ScriptBlock .*" -or $_.message -match "HostApplication.*.*-RemoteFXvGPUDisablementFilePath.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ $tmp = $event | where { ($_.message -match "ContextInfo.*.*Invoke-ATHRemoteFXvGPUDisablementCommand .*" -and ($_.message -match "ContextInfo.*.*-ModuleName .*" -or $_.message -match "ContextInfo.*.*-ModulePath .*" -or $_.message -match "ContextInfo.*.*-ScriptBlock .*" -or $_.message -match "ContextInfo.*.*-RemoteFXvGPUDisablementFilePath.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_backup_delete.ps1 b/Rules/SIGMA/builtin/win_susp_backup_delete.ps1
new file mode 100644
index 00000000..1fc27c56
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_backup_delete.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Application | where {($_.ID -eq "524" -and $_.message -match "Source.*Microsoft-Windows-Backup") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_backup_delete";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_backup_delete";
+ $detectedMessage = "Detects backup catalog deletions";
+ $result = $event | where { ($_.ID -eq "524" -and $_.message -match "Source.*Microsoft-Windows-Backup") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_codeintegrity_check_failure.ps1 b/Rules/SIGMA/builtin/win_susp_codeintegrity_check_failure.ps1
new file mode 100644
index 00000000..01702dec
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_codeintegrity_check_failure.ps1
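Review bot: `$_.message -match "Source.*Microsoft-Windows-Backup"` assumes the provider name is part of the rendered message text; for `Get-WinEvent` records the provider is exposed as the `ProviderName` property, and if it is absent from `Message` (which is likely for a rendered description) this rule never fires on a genuine event 524. `$_.ProviderName -eq "Microsoft-Windows-Backup"` is the direct check and cannot be fooled by the string appearing elsewhere in the text. The same `Source.*` pattern is used in win_susp_dhcp_config, win_susp_dhcp_config_failed and the System-log branch of win_susp_eventlog_cleared.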
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "5038" -or $_.ID -eq "6281")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_codeintegrity_check_failure";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_codeintegrity_check_failure";
+ $detectedMessage = "Code integrity failures may indicate tampered executables.";
+ $result = $event | where { (($_.ID -eq "5038" -or $_.ID -eq "6281")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_dhcp_config.ps1 b/Rules/SIGMA/builtin/win_susp_dhcp_config.ps1
new file mode 100644
index 00000000..401d2f31
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_dhcp_config.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName System | where {($_.ID -eq "1033" -and $_.message -match "Source.*Microsoft-Windows-DHCP-Server") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_dhcp_config";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_dhcp_config";
+ $detectedMessage = "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded";
+ $result = $event | where { ($_.ID -eq "1033" -and $_.message -match "Source.*Microsoft-Windows-DHCP-Server") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_dhcp_config_failed.ps1 b/Rules/SIGMA/builtin/win_susp_dhcp_config_failed.ps1
new file mode 100644
index 00000000..a7f732f1
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_dhcp_config_failed.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName System | where {(($_.ID -eq "1031" -or $_.ID -eq "1032" -or $_.ID -eq "1034") -and $_.message -match "Source.*Microsoft-Windows-DHCP-Server") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_dhcp_config_failed";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_dhcp_config_failed";
+ $detectedMessage = "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded";
+ $result = $event | where { (($_.ID -eq "1031" -or $_.ID -eq "1032" -or $_.ID -eq "1034") -and $_.message -match "Source.*Microsoft-Windows-DHCP-Server") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_dns_config.ps1 b/Rules/SIGMA/builtin/win_susp_dns_config.ps1
new file mode 100644
index 00000000..557b9bbc
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_dns_config.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent | where {($_.ID -eq "150" -or $_.ID -eq "770") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_dns_config";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_dns_config";
+ $detectedMessage = "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded";
+ $result = $event | where { ($_.ID -eq "150" -or $_.ID -eq "770") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_dsrm_password_change.ps1 b/Rules/SIGMA/builtin/win_susp_dsrm_password_change.ps1
new file mode 100644
index 00000000..1b11d4fb
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_dsrm_password_change.ps1
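Review bot: The filter accepts any event with ID 150 or 770 regardless of log or provider (the commented query line also runs `Get-WinEvent` with no `-LogName`), and IDs this small are reused by many providers, so the rule will fire on unrelated logs whenever the loader feeds it more than the DNS Server log. Adding a provider gate next to the ID test, such as `$_.ProviderName -like "*DNS-Server*"` (constructed; confirm the exact provider name on a DNS server), keeps it scoped to the DLL-load failure the `$detectedMessage` describes.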
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4794") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_dsrm_password_change";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_dsrm_password_change";
+ $detectedMessage = "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.";
+ $result = $event | where { ($_.ID -eq "4794") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_eventlog_cleared.ps1 b/Rules/SIGMA/builtin/win_susp_eventlog_cleared.ps1
new file mode 100644
index 00000000..4cc3d231
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_eventlog_cleared.ps1
@@ -0,0 +1,41 @@
+# Get-WinEvent -LogName Security | where { (($_.ID -eq "517" -or $_.ID -eq "1102")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName System | where { ($_.ID -eq "104" -and $_.message -match "Source.*Microsoft-Windows-Eventlog") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_eventlog_cleared";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_eventlog_cleared";
+ $detectedMessage = "One of the Windows Eventlogs has been cleared. e.g. caused by ""wevtutil cl"" command execution"
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { (($_.ID -eq "517" -or $_.ID -eq "1102")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ $tmp = $event | where { ($_.ID -eq "104" -and $_.message -match "Source.*Microsoft-Windows-Eventlog") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output ""
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output ""
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_guest_logon.ps1 b/Rules/SIGMA/builtin/win_susp_failed_guest_logon.ps1
new file mode 100644
index 00000000..1434492b
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_guest_logon.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-SmbClient/Security | where {($_.ID -eq "31017" -and $_.message -match "Description.*.*Rejected an insecure guest logon.*" -and $_.message -match "UserName.*" -and $_.message -match "ServerName.*\1.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_guest_logon";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_guest_logon";
+ $detectedMessage = "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service";
+ $result = $event | where { ($_.ID -eq "31017" -and $_.message -match "Description.*.*Rejected an insecure guest logon.*" -and $_.message -match "UserName.*" -and $_.message -match "ServerName.*\\1.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_logon_reasons.ps1 b/Rules/SIGMA/builtin/win_susp_failed_logon_reasons.ps1
new file mode 100644
index 00000000..3c378272
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_logon_reasons.ps1
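Review bot: `$detectedMessage` describes PrintNightmare (CVE-2021-1675) and the Spooler service, but the filter matches SMB client event 31017 with "Rejected an insecure guest logon", so every hit prints an explanation copied from an unrelated rule and will mislead whoever triages the output. Replace it with text that matches the filter, e.g. `$detectedMessage = "Detects an insecure guest logon rejected by the SMB client (event 31017)";`. The `-match "UserName.*"` term is also satisfied by any message containing the field name and adds no constraint.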
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4625" -or $_.ID -eq "4776") -and ($_.message -match "0xC0000072" -or $_.message -match "0xC000006F" -or $_.message -match "0xC0000070" -or $_.message -match "0xC0000413" -or $_.message -match "0xC000018C" -or $_.message -match "0xC000015B")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_logon_reasons";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_logon_reasons";
+ $detectedMessage = "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow";
+ $result = $event | where { (($_.ID -eq "4625" -or $_.ID -eq "4776") -and ($_.message -match "0xC0000072" -or $_.message -match "0xC000006F" -or $_.message -match "0xC0000070" -or $_.message -match "0xC0000413" -or $_.message -match "0xC000018C" -or $_.message -match "0xC000015B")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_logon_source.ps1 b/Rules/SIGMA/builtin/win_susp_failed_logon_source.ps1
new file mode 100644
index 00000000..6a07b505
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_logon_source.ps1
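Review bot: `$detectedMessage` ends mid-sentence ("…that have been disabled or somehow"), so every detection prints a truncated explanation. Either finish the sentence or cut it at a complete clause, e.g. `$detectedMessage = "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with disabled or restricted accounts";`. A short comment listing what each of the six status codes means would also help a responder read the output without looking them up.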
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4625" -and -not ((($_.message -match "IpAddress.*.*-.*" -or ($_.message -match "IpAddress.*10..*" -or $_.message -match "IpAddress.*192.168..*" -or $_.message -match "IpAddress.*172.16..*" -or $_.message -match "IpAddress.*172.17..*" -or $_.message -match "IpAddress.*172.18..*" -or $_.message -match "IpAddress.*172.19..*" -or $_.message -match "IpAddress.*172.20..*" -or $_.message -match "IpAddress.*172.21..*" -or $_.message -match "IpAddress.*172.22..*" -or $_.message -match "IpAddress.*172.23..*" -or $_.message -match "IpAddress.*172.24..*" -or $_.message -match "IpAddress.*172.25..*" -or $_.message -match "IpAddress.*172.26..*" -or $_.message -match "IpAddress.*172.27..*" -or $_.message -match "IpAddress.*172.28..*" -or $_.message -match "IpAddress.*172.29..*" -or $_.message -match "IpAddress.*172.30..*" -or $_.message -match "IpAddress.*172.31..*" -or $_.message -match "IpAddress.*127..*" -or $_.message -match "IpAddress.*169.254..*") -or $_.message -match "IpAddress.*::1" -or ($_.message -match "IpAddress.*fe80::.*" -or $_.message -match "IpAddress.*fc00::.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_logon_source";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_logon_source";
+ $detectedMessage = "A login from a public IP can indicate a misconfigured firewall or network boundary.";
+ $result = $event | where { ($_.ID -eq "4625" -and -not ((($_.message -match "IpAddress.*.*-.*" -or ($_.message -match "IpAddress.*10..*" -or $_.message -match "IpAddress.*192.168..*" -or $_.message -match "IpAddress.*172.16..*" -or $_.message -match "IpAddress.*172.17..*" -or $_.message -match "IpAddress.*172.18..*" -or $_.message -match "IpAddress.*172.19..*" -or $_.message -match "IpAddress.*172.20..*" -or $_.message -match "IpAddress.*172.21..*" -or $_.message -match "IpAddress.*172.22..*" -or $_.message -match "IpAddress.*172.23..*" -or $_.message -match "IpAddress.*172.24..*" -or $_.message -match "IpAddress.*172.25..*" -or $_.message -match "IpAddress.*172.26..*" -or $_.message -match "IpAddress.*172.27..*" -or $_.message -match "IpAddress.*172.28..*" -or $_.message -match "IpAddress.*172.29..*" -or $_.message -match "IpAddress.*172.30..*" -or $_.message -match "IpAddress.*172.31..*" -or $_.message -match "IpAddress.*127..*" -or $_.message -match "IpAddress.*169.254..*") -or $_.message -match "IpAddress.*::1" -or ($_.message -match "IpAddress.*fe80::.*" -or $_.message -match "IpAddress.*fc00::.*"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_logons_explicit_credentials.ps1 b/Rules/SIGMA/builtin/win_susp_failed_logons_explicit_credentials.ps1
new file mode 100644
index 00000000..3b7d9661
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_logons_explicit_credentials.ps1
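Review bot: The private-range exclusions inside the `-not (…)` clause are looser than intended: `"IpAddress.*10..*"` only needs the digits `10` followed by any character somewhere after the text `IpAddress`, because the leading `.*` spans the rest of the message and the dots are unescaped, so a public source such as `203.0.113.10` or a later field value containing `10` is silently treated as private and never reported. Anchor each prefix to the field value and escape the dots, e.g. `"IpAddress:\s*10\."` and `"IpAddress:\s*192\.168\."` (constructed; adjust to the rendered layout of the field). The `$_.message -match "IpAddress.*.*-.*"` term likewise matches any hyphen after the field name, which probably excludes nearly every 4625 message since `-` is the placeholder for empty fields in that event's text.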
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4648") } | select ComputerName, Account_Name | group ComputerName | foreach { [PSCustomObject]@{'ComputerName'=$_.name;'Count'=($_.group.Account_Name | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_logons_explicit_credentials";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_logons_explicit_credentials";
+ $detectedMessage = "Detects a source user failing to authenticate with multiple users using explicit credentials on a host.";
+ $result = $event | where { ($_.ID -eq "4648") } | select ComputerName, Account_Name | group ComputerName | foreach { [PSCustomObject]@{'ComputerName' = $_.name; 'Count' = ($_.group.Account_Name | sort -u).count } } | sort count -desc | where { $_.count -gt 10 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_logons_single_process.ps1 b/Rules/SIGMA/builtin/win_susp_failed_logons_single_process.ps1
new file mode 100644
index 00000000..131a0b13
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_logons_single_process.ps1
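Review bot: `select ComputerName, Account_Name` reads properties that `Get-WinEvent` records do not expose (the record carries `MachineName` and the rendered `Message`; named event fields live only in the XML), so unless the loader pre-flattens event data under these names, which is not visible here, both columns come back empty, `group ComputerName` yields a single group and the `-gt 10` threshold is never reached. The same property-based grouping is used in win_susp_failed_logons_single_process (`ProcessName`, `TargetUserName`), win_susp_failed_logons_single_source (`WorkstationName`) and the three win_susp_failed_logons_single_source_kerberos files (`IpAddress`). If the fields are needed, extract them per record from `([xml]$_.ToXml())` before grouping, or document the pre-flattening contract in a comment at the top of each file.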
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4625" -and $_.message -match "LogonType.*2") -and -not ($_.message -match "ProcessName.*-")) } | select ProcessName, TargetUserName | group ProcessName | foreach { [PSCustomObject]@{'ProcessName'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_logons_single_process";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_logons_single_process";
+ $detectedMessage = "Detects failed logins with multiple accounts from a single process on the system.";
+ $result = $event | where { (($_.ID -eq "4625" -and $_.message -match "LogonType.*2") -and -not ($_.message -match "ProcessName.*-")) } | select ProcessName, TargetUserName | group ProcessName | foreach { [PSCustomObject]@{'ProcessName' = $_.name; 'Count' = ($_.group.TargetUserName | sort -u).count } } | sort count -desc | where { $_.count -gt 10 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_logons_single_source.ps1 b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source.ps1
new file mode 100644
index 00000000..04da3e4e
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "529" -or $_.ID -eq "4625") -and $_.message -match "TargetUserName.*.*" -and $_.message -match "WorkstationName.*.*") } | select WorkstationName, TargetUserName | group WorkstationName | foreach { [PSCustomObject]@{'WorkstationName'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 3 }
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_logons_single_source";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_logons_single_source";
+ $detectedMessage = "Detects suspicious failed logins with different user accounts from a single source system";
+ $result = $event | where { (($_.ID -eq "529" -or $_.ID -eq "4625") -and $_.message -match "TargetUserName.*.*" -and $_.message -match "WorkstationName.*.*") } | select WorkstationName, TargetUserName | group WorkstationName | foreach { [PSCustomObject]@{'WorkstationName' = $_.name; 'Count' = ($_.group.TargetUserName | sort -u).count } } | sort count -desc | where { $_.count -gt 3 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_kerberos.ps1 b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_kerberos.ps1
new file mode 100644
index 00000000..304d70bf
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_kerberos.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4771" -and $_.message -match "Status.*0x18") -and -not ($_.message -match "TargetUserName.*.*$")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_logons_single_source_kerberos";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_logons_single_source_kerberos";
+ $detectedMessage = "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.";
+ $result = $event | where { (($_.ID -eq "4771" -and $_.message -match "Status.*0x18") -and -not ($_.message -match "TargetUserName.*.*$")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress' = $_.name; 'Count' = ($_.group.TargetUserName | sort -u).count } } | sort count -desc | where { $_.count -gt 10 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_kerberos2.ps1 b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_kerberos2.ps1
new file mode 100644
index 00000000..12be9a62
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_kerberos2.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4768" -and $_.message -match "Status.*0x12") -and -not ($_.message -match "TargetUserName.*.*$")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_logons_single_source_kerberos2";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_logons_single_source_kerberos2";
+ $detectedMessage = "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.";
+ $result = $event | where { (($_.ID -eq "4768" -and $_.message -match "Status.*0x12") -and -not ($_.message -match "TargetUserName.*.*$")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress' = $_.name; 'Count' = ($_.group.TargetUserName | sort -u).count } } | sort count -desc | where { $_.count -gt 10 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_kerberos3.ps1 b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_kerberos3.ps1
new file mode 100644
index 00000000..ac79a9f9
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_kerberos3.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4768" -and $_.message -match "Status.*0x6") -and -not ($_.message -match "TargetUserName.*.*$")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_logons_single_source_kerberos3";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_logons_single_source_kerberos3";
+ $detectedMessage = "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.";
+ $result = $event | where { (($_.ID -eq "4768" -and $_.message -match "Status.*0x6") -and -not ($_.message -match "TargetUserName.*.*$")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress' = $_.name; 'Count' = ($_.group.TargetUserName | sort -u).count } } | sort count -desc | where { $_.count -gt 10 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_ntlm.ps1 b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_ntlm.ps1
new file mode 100644
index 00000000..d386a1d9
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_ntlm.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4776" -and $_.message -match "Status.*.*0xC000006A") -and -not ($_.message -match "TargetUserName.*.*$")) } | select Workstation, TargetUserName | group Workstation | foreach { [PSCustomObject]@{'Workstation'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_logons_single_source_ntlm";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_logons_single_source_ntlm";
+ $detectedMessage = "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.";
+ $result = $event | where { (($_.ID -eq "4776" -and $_.message -match "Status.*.*0xC000006A") -and -not ($_.message -match "TargetUserName.*.*$")) } | select Workstation, TargetUserName | group Workstation | foreach { [PSCustomObject]@{'Workstation' = $_.name; 'Count' = ($_.group.TargetUserName | sort -u).count } } | sort count -desc | where { $_.count -gt 10 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
\ No newline at end of file
diff --git a/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_ntlm2.ps1 b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_ntlm2.ps1
new file mode 100644
index 00000000..2acb7305
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_logons_single_source_ntlm2.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4776" -and $_.message -match "Status.*.*0xC0000064") -and -not ($_.message -match "TargetUserName.*.*$")) } | select Workstation, TargetUserName | group Workstation | foreach { [PSCustomObject]@{'Workstation'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_logons_single_source_ntlm2";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_logons_single_source_ntlm2";
+ $detectedMessage = "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.";
+ $result = $event | where { (($_.ID -eq "4776" -and $_.message -match "Status.*.*0xC0000064") -and -not ($_.message -match "TargetUserName.*.*$")) } | select Workstation, TargetUserName | group Workstation | foreach { [PSCustomObject]@{'Workstation' = $_.name; 'Count' = ($_.group.TargetUserName | sort -u).count } } | sort count -desc | where { $_.count -gt 10 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_failed_remote_logons_single_source.ps1 b/Rules/SIGMA/builtin/win_susp_failed_remote_logons_single_source.ps1
new file mode 100644
index 00000000..225ec09b
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_failed_remote_logons_single_source.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4625" -and $_.message -match "LogonType.*3") -and -not ($_.message -match "IpAddress.*-")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
+
+function Add-Rule {
+
+ $ruleName = "win_susp_failed_remote_logons_single_source";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_failed_remote_logons_single_source";
+ $detectedMessage = "Detects a source system failing to authenticate against a remote host with multiple users.";
+ $result = $event | where { (($_.ID -eq "4625" -and $_.message -match "LogonType.*3") -and -not ($_.message -match "IpAddress.*-")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress' = $_.name; 'Count' = ($_.group.TargetUserName | sort -u).count } } | sort count -desc | where { $_.count -gt 10 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_interactive_logons.ps1 b/Rules/SIGMA/builtin/win_susp_interactive_logons.ps1
new file mode 100644
index 00000000..4a970833
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_interactive_logons.ps1
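Review bot: `$_.message -match "LogonType.*3"` is not bound to the value: `.*` lets any later `3` on that line satisfy it, so logon type 13 matches as well as 3; `'LogonType\D*3\b'` pins the term to the type field. The same looseness affects `LogonType.*2` in win_susp_interactive_logons, which also accepts type 12. The exclusion `-not ($_.message -match "IpAddress.*-")` likewise drops an event on any hyphen after the field name rather than on a value of exactly "-"; `'IpAddress\W*-(?!\S)'` expresses the placeholder value itself. Both assume a `Label: value` layout in the searched text, so confirm against the event format the loader produces.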
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {((($_.ID -eq "528" -or $_.ID -eq "529" -or $_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "LogonType.*2" -and ($_.message -match "%ServerSystems%" -or $_.message -match "%DomainControllers%")) -and -not ($_.message -match "LogonProcessName.*Advapi" -and $_.message -match "ComputerName.*%Workstations%")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_interactive_logons";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_interactive_logons";
+ $detectedMessage = "Detects interactive console logons to Server Systems";
+ $result = $event | where { ((($_.ID -eq "528" -or $_.ID -eq "529" -or $_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "LogonType.*2" -and ($_.message -match "%ServerSystems%" -or $_.message -match "%DomainControllers%")) -and -not ($_.message -match "LogonProcessName.*Advapi" -and $_.message -match "ComputerName.*%Workstations%")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_kerberos_manipulation.ps1 b/Rules/SIGMA/builtin/win_susp_kerberos_manipulation.ps1
new file mode 100644
index 00000000..ee43ecbd
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_kerberos_manipulation.ps1
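Review bot: `$_.message -match "%ServerSystems%"`, `"%DomainControllers%"` and `"ComputerName.*%Workstations%"` are unresolved placeholders searched as literal text, so unless the loader substitutes them the selection can never be true and the rule is dead as committed. The host lists need to come from configuration (or be substituted at load time) before this is useful, and the `$result` line should say so until then, e.g. `# TODO: %ServerSystems%, %DomainControllers% and %Workstations% are placeholders; substitute site host lists before loading`. Without that note the rule loads cleanly and silently matches nothing.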
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Security | where {(($_.ID -eq "675" -or $_.ID -eq "4768" -or $_.ID -eq "4769" -or $_.ID -eq "4771") -and ($_.message -match "0x9" -or $_.message -match "0xA" -or $_.message -match "0xB" -or $_.message -match "0xF" -or $_.message -match "0x10" -or $_.message -match "0x11" -or $_.message -match "0x13" -or $_.message -match "0x14" -or $_.message -match "0x1A" -or $_.message -match "0x1F" -or $_.message -match "0x21" -or $_.message -match "0x22" -or $_.message -match "0x23" -or $_.message -match "0x24" -or $_.message -match "0x26" -or $_.message -match "0x27" -or $_.message -match "0x28" -or $_.message -match "0x29" -or $_.message -match "0x2C" -or $_.message -match "0x2D" -or $_.message -match "0x2E" -or $_.message -match "0x2F" -or $_.message -match "0x31" -or $_.message -match "0x32" -or $_.message -match "0x3E" -or $_.message -match "0x3F" -or $_.message -match "0x40" -or $_.message -match "0x41" -or $_.message -match "0x43" -or $_.message -match "0x44")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_kerberos_manipulation"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_kerberos_manipulation"; + $detectedMessage = "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages"; + $result = $event | where { (($_.ID -eq "675" -or $_.ID -eq "4768" -or $_.ID -eq "4769" -or $_.ID -eq "4771") -and ($_.message -match "0x9" -or $_.message -match "0xA" -or $_.message -match "0xB" -or $_.message -match "0xF" -or $_.message -match "0x10" -or $_.message -match "0x11" -or $_.message -match "0x13" -or $_.message -match "0x14" -or $_.message -match "0x1A" -or $_.message -match "0x1F" -or $_.message -match "0x21" -or $_.message -match "0x22" -or $_.message -match "0x23" -or $_.message -match "0x24" -or $_.message -match "0x26" -or $_.message -match "0x27" -or $_.message -match 
"0x28" -or $_.message -match "0x29" -or $_.message -match "0x2C" -or $_.message -match "0x2D" -or $_.message -match "0x2E" -or $_.message -match "0x2F" -or $_.message -match "0x31" -or $_.message -match "0x32" -or $_.message -match "0x3E" -or $_.message -match "0x3F" -or $_.message -match "0x40" -or $_.message -match "0x41" -or $_.message -match "0x43" -or $_.message -match "0x44")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_susp_ldap_dataexchange.ps1 b/Rules/SIGMA/builtin/win_susp_ldap_dataexchange.ps1 new file mode 100644 index 00000000..d2765122 --- /dev/null +++ b/Rules/SIGMA/builtin/win_susp_ldap_dataexchange.ps1 
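Review bot: Every failure-code term is a bare substring, e.g. `$_.message -match "0x40"`, and 4768/4769 events carry other hex-valued fields (ticket options, encryption type), so an ordinary ticket-options value that begins with 0x40 satisfies the `-or` chain and the rule fires on routine TGT/TGS traffic instead of the rare failure codes the $detectedMessage describes. Bind the codes to the status field as the sibling kerberos rules do, with one bounded alternation in place of the thirty terms: `$_.message -match 'Status\W*0x(?:9|A|B|F|10|11|13|14|1A|1F|21|22|23|24|26|27|28|29|2C|2D|2E|2F|31|32|3E|3F|40|41|43|44)\b'`. This assumes the code follows a `Status` label in the searched text, as `Status.*0x18` in win_susp_failed_logons_single_source_kerberos already assumes; confirm against the event format.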
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5136" -and $_.message -match "AttributeValue.*.*" -and ($_.message -match "primaryInternationalISDNNumber" -or $_.message -match "otherFacsimileTelephoneNumber" -or $_.message -match "primaryTelexNumber")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_ldap_dataexchange";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_ldap_dataexchange";
+ $detectedMessage = "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.";
+ $result = $event | where { ($_.ID -eq "5136" -and $_.message -match "AttributeValue.*.*" -and ($_.message -match "primaryInternationalISDNNumber" -or $_.message -match "otherFacsimileTelephoneNumber" -or $_.message -match "primaryTelexNumber")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_local_anon_logon_created.ps1 b/Rules/SIGMA/builtin/win_susp_local_anon_logon_created.ps1
new file mode 100644
index 00000000..582e5049
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_local_anon_logon_created.ps1
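Review bot: `$_.message -match "AttributeValue.*.*"` is a no-op — `.*.*` matches the empty string, so the term is true whenever the text contains the label at all — and the three attribute names are then matched anywhere in the message rather than in the attribute-name field that $detectedMessage describes. If the searched text carries the label, a single term expresses the intent: `$_.message -match 'AttributeLDAPDisplayName\W*(?:primaryInternationalISDNNumber|otherFacsimileTelephoneNumber|primaryTelexNumber)\b'`. Confirm the label against the 5136 text format the loader produces before relying on it.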
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4720" -and $_.message -match "SamAccountName.*.*ANONYMOUS.*" -and $_.message -match "SamAccountName.*.*LOGON.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_local_anon_logon_created";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_local_anon_logon_created";
+ $detectedMessage = "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.";
+ $result = $event | where { ($_.ID -eq "4720" -and $_.message -match "SamAccountName.*.*ANONYMOUS.*" -and $_.message -match "SamAccountName.*.*LOGON.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_logon_explicit_credentials.ps1 b/Rules/SIGMA/builtin/win_susp_logon_explicit_credentials.ps1
new file mode 100644
index 00000000..182432c6
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_logon_explicit_credentials.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4648" -and ($_.message -match "Image.*.*\cmd.exe" -or $_.message -match "Image.*.*\powershell.exe" -or $_.message -match "Image.*.*\pwsh.exe" -or $_.message -match "Image.*.*\winrs.exe" -or $_.message -match "Image.*.*\wmic.exe" -or $_.message -match "Image.*.*\net.exe" -or $_.message -match "Image.*.*\net1.exe" -or $_.message -match "Image.*.*\reg.exe")) -and -not ($_.message -match "TargetServerName.*localhost")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_logon_explicit_credentials";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_logon_explicit_credentials";
+ $detectedMessage = "Detects suspicious processes logging on with explicit credentials";
+ $result = $event | where { (($_.ID -eq "4648" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\pwsh.exe" -or $_.message -match "Image.*.*\\winrs.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe" -or $_.message -match "Image.*.*\\reg.exe")) -and -not ($_.message -match "TargetServerName.*localhost")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_lsass_dump.ps1 b/Rules/SIGMA/builtin/win_susp_lsass_dump.ps1
new file mode 100644
index 00000000..52194bba
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_lsass_dump.ps1
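Review bot: The eight process-path terms use the Sysmon field name, `$_.message -match "Image.*.*\\cmd.exe"`, but 4648 is a Security-log event whose process path field is ProcessName — the name the sibling Security rule win_susp_lsass_dump matches on — so unless the loader rewrites field names none of these terms can match and the rule never fires. Rename them, and escape the dot in the file name so it does not stand for any character: `$_.message -match "ProcessName.*\\cmd\.exe"` and likewise for the other seven. The `TargetServerName.*localhost` exclusion is unaffected.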
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4656" -and $_.message -match "ProcessName.*.*\lsass.exe" -and $_.message -match "AccessMask.*0x705" -and $_.message -match "ObjectType.*SAM_DOMAIN") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_lsass_dump";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_lsass_dump";
+ $detectedMessage = "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN";
+ $result = $event | where { ($_.ID -eq "4656" -and $_.message -match "ProcessName.*.*\\lsass.exe" -and $_.message -match "AccessMask.*0x705" -and $_.message -match "ObjectType.*SAM_DOMAIN") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_lsass_dump_generic.ps1 b/Rules/SIGMA/builtin/win_susp_lsass_dump_generic.ps1
new file mode 100644
index 00000000..57321b54
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_lsass_dump_generic.ps1
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Security | where {((($_.ID -eq "4656" -and $_.message -match "ObjectName.*.*\lsass.exe" -and ($_.message -match "AccessMask.*.*0x40.*" -or $_.message -match "AccessMask.*.*0x1400.*" -or $_.message -match "AccessMask.*.*0x1000.*" -or $_.message -match "AccessMask.*.*0x100000.*" -or $_.message -match "AccessMask.*.*0x1410.*" -or $_.message -match "AccessMask.*.*0x1010.*" -or $_.message -match "AccessMask.*.*0x1438.*" -or $_.message -match "AccessMask.*.*0x143a.*" -or $_.message -match "AccessMask.*.*0x1418.*" -or $_.message -match "AccessMask.*.*0x1f0fff.*" -or $_.message -match "AccessMask.*.*0x1f1fff.*" -or $_.message -match "AccessMask.*.*0x1f2fff.*" -or $_.message -match "AccessMask.*.*0x1f3fff.*")) -or ((($_.ID -eq "4663" -and $_.message -match "ObjectName.*.*\lsass.exe" -and ($_.message -match "AccessList.*.*4484.*" -or $_.message -match "AccessList.*.*4416.*")) -and -not (($_.message -match "ProcessName.*.*\wmiprvse.exe" -or $_.message -match "ProcessName.*.*\taskmgr.exe" -or $_.message -match "ProcessName.*.*\procexp64.exe" -or $_.message -match "ProcessName.*.*\procexp.exe" -or $_.message -match "ProcessName.*.*\lsm.exe" -or $_.message -match "ProcessName.*.*\csrss.exe" -or $_.message -match "ProcessName.*.*\wininit.exe" -or $_.message -match "ProcessName.*.*\vmtoolsd.exe" -or $_.message -match "ProcessName.*.*\minionhost.exe" -or $_.message -match "ProcessName.*.*\VsTskMgr.exe" -or $_.message -match "ProcessName.*.*\thor64.exe") -and ($_.message -match "ProcessName.*C:\Windows\System32\.*" -or $_.message -match "ProcessName.*C:\Windows\SysWow64\.*" -or $_.message -match "ProcessName.*C:\Windows\SysNative\.*" -or $_.message -match "ProcessName.*C:\Program Files\.*" -or $_.message -match "ProcessName.*C:\Windows\Temp\asgard2-agent\.*"))) -and -not (($_.message -match "ProcessName.*C:\Program Files.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = 
"win_susp_lsass_dump_generic"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_lsass_dump_generic"; + $detectedMessage = "Detects process handle on LSASS process with certain access mask"; + $result = $event | where { ((($_.ID -eq "4656" -and $_.message -match "ObjectName.*.*\\lsass.exe" -and ($_.message -match "AccessMask.*.*0x40.*" -or $_.message -match "AccessMask.*.*0x1400.*" -or $_.message -match "AccessMask.*.*0x1000.*" -or $_.message -match "AccessMask.*.*0x100000.*" -or $_.message -match "AccessMask.*.*0x1410.*" -or $_.message -match "AccessMask.*.*0x1010.*" -or $_.message -match "AccessMask.*.*0x1438.*" -or $_.message -match "AccessMask.*.*0x143a.*" -or $_.message -match "AccessMask.*.*0x1418.*" -or $_.message -match "AccessMask.*.*0x1f0fff.*" -or $_.message -match "AccessMask.*.*0x1f1fff.*" -or $_.message -match "AccessMask.*.*0x1f2fff.*" -or $_.message -match "AccessMask.*.*0x1f3fff.*")) -or ((($_.ID -eq "4663" -and $_.message -match "ObjectName.*.*\\lsass.exe" -and ($_.message -match "AccessList.*.*4484.*" -or $_.message -match "AccessList.*.*4416.*")) -and -not (($_.message -match "ProcessName.*.*\\wmiprvse.exe" -or $_.message -match "ProcessName.*.*\\taskmgr.exe" -or $_.message -match "ProcessName.*.*\\procexp64.exe" -or $_.message -match "ProcessName.*.*\\procexp.exe" -or $_.message -match "ProcessName.*.*\\lsm.exe" -or $_.message -match "ProcessName.*.*\\csrss.exe" -or $_.message -match "ProcessName.*.*\\wininit.exe" -or $_.message -match "ProcessName.*.*\\vmtoolsd.exe" -or $_.message -match "ProcessName.*.*\\minionhost.exe" -or $_.message -match "ProcessName.*.*\\VsTskMgr.exe" -or $_.message -match "ProcessName.*.*\\thor64.exe") -and ($_.message -match "ProcessName.*C:\\Windows\\System32\\.*" -or $_.message -match "ProcessName.*C:\\Windows\\SysWow64\\.*" -or $_.message -match "ProcessName.*C:\\Windows\\SysNative\\.*" -or $_.message -match "ProcessName.*C:\\Program Files\\.*" -or $_.message 
-match "ProcessName.*C:\\Windows\\Temp\\asgard2-agent\\.*"))) -and -not (($_.message -match "ProcessName.*C:\\Program Files.*"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/builtin/win_susp_mshta_execution.ps1 b/Rules/SIGMA/builtin/win_susp_mshta_execution.ps1 new file mode 100644 index 00000000..510fbfb0 --- /dev/null +++ b/Rules/SIGMA/builtin/win_susp_mshta_execution.ps1 
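Review bot: The access-mask terms are unanchored substrings, `$_.message -match "AccessMask.*.*0x40.*"`, so `0x40` also accepts 0x400, 0x401 and every longer mask that starts with those digits, `0x1000` accepts 0x100000, and the `AccessList` values 4484/4416 behave the same way; given that the 4663 branch is already fenced with a process allow-list, the extra hits land straight in the output. A word boundary after each value keeps the term to the intended mask, `"AccessMask.*0x40\b"`, and the trailing `.*` on every pattern is redundant and can go. The logic otherwise reads as intended: the `C:\\Program Files` exclusion applies only to the 4663 branch, which is worth a one-line comment above `$result` since the nesting is hard to follow.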
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\mshta.exe" -and ($_.message -match "CommandLine.*.*vbscript.*" -or $_.message -match "CommandLine.*.*.jpg.*" -or $_.message -match "CommandLine.*.*.png.*" -or $_.message -match "CommandLine.*.*.lnk.*" -or $_.message -match "CommandLine.*.*.xls.*" -or $_.message -match "CommandLine.*.*.doc.*" -or $_.message -match "CommandLine.*.*.zip.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_mshta_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_mshta_execution";
+ $detectedMessage = "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\mshta.exe" -and ($_.message -match "CommandLine.*.*vbscript.*" -or $_.message -match "CommandLine.*.*.jpg.*" -or $_.message -match "CommandLine.*.*.png.*" -or $_.message -match "CommandLine.*.*.lnk.*" -or $_.message -match "CommandLine.*.*.xls.*" -or $_.message -match "CommandLine.*.*.doc.*" -or $_.message -match "CommandLine.*.*.zip.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_msmpeng_crash.ps1 b/Rules/SIGMA/builtin/win_susp_msmpeng_crash.ps1
new file mode 100644
index 00000000..7ad11f58
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_msmpeng_crash.ps1
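Review bot: In `"CommandLine.*.*.jpg.*"` and the five sibling extension terms the dot before the extension is an unescaped wildcard, so `jpg`, `png`, `lnk`, `xls`, `doc` or `zip` appearing anywhere in the command line (a `\docs\` path segment, for instance) satisfies the term rather than a file with that extension. Escape it and drop the redundant `.*` prefix and suffix: `$_.message -match "CommandLine.*\.jpg"`; `"Image.*\\mshta\.exe"` deserves the same treatment. Whether `\.doc` should also cover `.docx`/`.docm` is a design choice worth stating in a comment on the `$result` line.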
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Application | where {((($_.message -match "Source.*Application Error" -and $_.ID -eq "1000") -or ($_.message -match "Source.*Windows Error Reporting" -and $_.ID -eq "1001")) -and ($_.message -match ".*MsMpEng.exe.*" -or $_.message -match ".*mpengine.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_msmpeng_crash";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_msmpeng_crash";
+ $detectedMessage = "This rule detects a suspicious crash of the Microsoft Malware Protection Engine";
+ $result = $event | where { ((($_.message -match "Source.*Application Error" -and $_.ID -eq "1000") -or ($_.message -match "Source.*Windows Error Reporting" -and $_.ID -eq "1001")) -and ($_.message -match ".*MsMpEng.exe.*" -or $_.message -match ".*mpengine.dll.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_net_recon_activity.ps1 b/Rules/SIGMA/builtin/win_susp_net_recon_activity.ps1
new file mode 100644
index 00000000..095969c5
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_net_recon_activity.ps1
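Review bot: `$_.message -match "Source.*Application Error"` relies on the event source being embedded in the message text; on Get-WinEvent records the source is the ProviderName property and the rendered text of an Application Error 1000 event typically starts with the faulting-application details, so this term — and its `Windows Error Reporting` twin — may never be true. Comparing the property is exact and independent of message layout: `$_.ProviderName -eq 'Application Error'` and `$_.ProviderName -eq 'Windows Error Reporting'`. If the loader does fold the provider into `message`, a comment on the `$result` line saying so would spare the next reader the same question.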
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4661" -and ($_.message -match "SAM_USER" -or $_.message -match "SAM_GROUP") -and $_.message -match "ObjectName.*S-1-5-21-.*" -and $_.message -match "AccessMask.*0x2d" -and ($_.message -match "ObjectName.*.*-500" -or $_.message -match "ObjectName.*.*-512")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_net_recon_activity";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_net_recon_activity";
+ $detectedMessage = "Detects activity as ""net user administrator /domain"" and ""net group domain admins /domain""";
+ $result = $event | where { ($_.ID -eq "4661" -and ($_.message -match "SAM_USER" -or $_.message -match "SAM_GROUP") -and $_.message -match "ObjectName.*S-1-5-21-.*" -and $_.message -match "AccessMask.*0x2d" -and ($_.message -match "ObjectName.*.*-500" -or $_.message -match "ObjectName.*.*-512")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_ntlm_auth.ps1 b/Rules/SIGMA/builtin/win_susp_ntlm_auth.ps1
new file mode 100644
index 00000000..153e144b
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_ntlm_auth.ps1
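Review bot: `$_.message -match "AccessMask.*0x2d"` and the `ObjectName.*.*-500` / `-512` terms are substrings, so `0x2d` also accepts masks such as 0x2d0 and the RID terms accept -5000, -5120 or any SID fragment containing those digits rather than a SID that ends in them. A word boundary on each keeps the intent: `'AccessMask\W*0x2d\b'` and `'ObjectName.*-(?:500|512)\b'`, the latter replacing the two-way `-or`. The `.*` after `S-1-5-21-` is redundant and can be dropped.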
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-NTLM/Operational | where {($_.ID -eq "8002" -and $_.message -match "CallingProcessName.*.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_ntlm_auth";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_ntlm_auth";
+ $detectedMessage = "Detects logons using NTLM, which could be caused by a legacy source or attackers";
+ $result = $event | where { ($_.ID -eq "8002" -and $_.message -match "CallingProcessName.*.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_ntlm_rdp.ps1 b/Rules/SIGMA/builtin/win_susp_ntlm_rdp.ps1
new file mode 100644
index 00000000..d607e9b4
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_ntlm_rdp.ps1
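Review bot: `$_.message -match "CallingProcessName.*.*"` is a no-op: `.*.*` matches the empty string, so the term only checks that the label is present and the rule effectively selects every NTLM 8002 event. If the intent is "a calling process was recorded", say so in the pattern, e.g. `'CallingProcessName:?[ \t]*\S'` (adjust to the text layout the loader produces); otherwise drop the term and let $detectedMessage state that this is a volume rule rather than a detection. The stray blank line before `};` in Search-DetectableEvents is out of step with the sibling rule files.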
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-NTLM/Operational | where {($_.ID -eq "8001" -and $_.message -match "TargetName.*TERMSRV.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_ntlm_rdp";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_ntlm_rdp";
+ $detectedMessage = "Detects logons using NTLM to hosts that are potentially not part of the domain.";
+ $result = $event | where { ($_.ID -eq "8001" -and $_.message -match "TargetName.*TERMSRV.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_proceshacker.ps1 b/Rules/SIGMA/builtin/win_susp_proceshacker.ps1
new file mode 100644
index 00000000..e9e660f6
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_proceshacker.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*ProcessHacker.*" -and $_.message -match "AccountName.*LocalSystem") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_proceshacker";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_proceshacker";
+ $detectedMessage = "Detects a ProcessHacker tool that elevated privileges to a very high level";
+ $result = $event | where { ($_.ID -eq "7045" -and $_.message -match "ServiceName.*ProcessHacker.*" -and $_.message -match "AccountName.*LocalSystem") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_psexec.ps1 b/Rules/SIGMA/builtin/win_susp_psexec.ps1
new file mode 100644
index 00000000..49f0a64c
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_psexec.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\IPC$" -and ($_.message -match "RelativeTargetName.*.*-stdin" -or $_.message -match "RelativeTargetName.*.*-stdout" -or $_.message -match "RelativeTargetName.*.*-stderr")) -and -not ($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\IPC$" -and $_.message -match "RelativeTargetName.*PSEXESVC.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_psexec";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_psexec";
+ $detectedMessage = "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one";
+ $result = $event | where { (($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and ($_.message -match "RelativeTargetName.*.*-stdin" -or $_.message -match "RelativeTargetName.*.*-stdout" -or $_.message -match "RelativeTargetName.*.*-stderr")) -and -not ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*PSEXESVC.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_raccess_sensitive_fext.ps1 b/Rules/SIGMA/builtin/win_susp_raccess_sensitive_fext.ps1
new file mode 100644
index 00000000..8fa01e57
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_raccess_sensitive_fext.ps1
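Review bot: In the `$result = $event | where { ... }` line the `$` in `\\IPC$` is not a literal dollar sign: in a .NET regex an unescaped `$` is an end-of-input anchor, and because `.` does not cross newlines the pattern cannot reach the end of a multi-line 5145 message, so this rule is unlikely ever to fire. Both occurrences on that line should escape it, `"ShareName.*\\.*\\IPC\$"`. The same unescaped `$` is in win_svcctl_remote_service (`\\IPC$`) and in win_susp_rc4_kerberos, where `"ServiceName.*$.*"` anchors instead of matching the trailing `$` of a computer-account service name, so that exclusion does not behave as intended either; `\$` fixes all three.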
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "5145") -and ($_.message -match "RelativeTargetName.*.*.pst" -or $_.message -match "RelativeTargetName.*.*.ost" -or $_.message -match "RelativeTargetName.*.*.msg" -or $_.message -match "RelativeTargetName.*.*.nst" -or $_.message -match "RelativeTargetName.*.*.oab" -or $_.message -match "RelativeTargetName.*.*.edb" -or $_.message -match "RelativeTargetName.*.*.nsf" -or $_.message -match "RelativeTargetName.*.*.bak" -or $_.message -match "RelativeTargetName.*.*.dmp" -or $_.message -match "RelativeTargetName.*.*.kirbi" -or $_.message -match "RelativeTargetName.*.*\groups.xml" -or $_.message -match "RelativeTargetName.*.*.rdp")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_raccess_sensitive_fext";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_raccess_sensitive_fext";
+ $detectedMessage = "Detects known sensitive file extensions accessed on a network share";
+ $result = $event | where { (($_.ID -eq "5145") -and ($_.message -match "RelativeTargetName.*.*.pst" -or $_.message -match "RelativeTargetName.*.*.ost" -or $_.message -match "RelativeTargetName.*.*.msg" -or $_.message -match "RelativeTargetName.*.*.nst" -or $_.message -match "RelativeTargetName.*.*.oab" -or $_.message -match "RelativeTargetName.*.*.edb" -or $_.message -match "RelativeTargetName.*.*.nsf" -or $_.message -match "RelativeTargetName.*.*.bak" -or $_.message -match "RelativeTargetName.*.*.dmp" -or $_.message -match "RelativeTargetName.*.*.kirbi" -or $_.message -match "RelativeTargetName.*.*\\groups.xml" -or $_.message -match "RelativeTargetName.*.*.rdp")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_rc4_kerberos.ps1 b/Rules/SIGMA/builtin/win_susp_rc4_kerberos.ps1
new file mode 100644
index 00000000..443cb918
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_rc4_kerberos.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4769" -and $_.message -match "TicketOptions.*0x40810000" -and $_.message -match "TicketEncryptionType.*0x17") -and -not ($_.message -match "ServiceName.*$.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rc4_kerberos";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rc4_kerberos";
+ $detectedMessage = "Detects service ticket requests using RC4 encryption type";
+ $result = $event | where { (($_.ID -eq "4769" -and $_.message -match "TicketOptions.*0x40810000" -and $_.message -match "TicketEncryptionType.*0x17") -and -not ($_.message -match "ServiceName.*$.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_rottenpotato.ps1 b/Rules/SIGMA/builtin/win_susp_rottenpotato.ps1
new file mode 100644
index 00000000..850a9855
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_rottenpotato.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*3" -and $_.message -match "TargetUserName.*ANONYMOUS_LOGON" -and $_.message -match "WorkstationName.*-" -and $_.message -match "IpAddress.*127.0.0.1") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rottenpotato";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rottenpotato";
+ $detectedMessage = "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like";
+ $result = $event | where { ($_.ID -eq "4624" -and $_.message -match "LogonType.*3" -and $_.message -match "TargetUserName.*ANONYMOUS_LOGON" -and $_.message -match "WorkstationName.*-" -and $_.message -match "IpAddress.*127.0.0.1") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_sam_dump.ps1 b/Rules/SIGMA/builtin/win_susp_sam_dump.ps1
new file mode 100644
index 00000000..cec8d614
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_sam_dump.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName System | where {($_.ID -eq "16" -and $_.message -match ".*\AppData\Local\Temp\SAM-.*" -and $_.message -match ".*.dmp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_sam_dump";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_sam_dump";
+ $detectedMessage = "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers";
+ $result = $event | where { ($_.ID -eq "16" -and $_.message -match ".*\\AppData\\Local\\Temp\\SAM-.*" -and $_.message -match ".*.dmp.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_sdelete.ps1 b/Rules/SIGMA/builtin/win_susp_sdelete.ps1
new file mode 100644
index 00000000..d07b563c
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_sdelete.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -or $_.ID -eq "4663" -or $_.ID -eq "4658") -and ($_.message -match "ObjectName.*.*.AAA" -or $_.message -match "ObjectName.*.*.ZZZ")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_sdelete";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_sdelete";
+ $detectedMessage = "Detects renaming of file while deletion with SDelete tool.";
+ $result = $event | where { (($_.ID -eq "4656" -or $_.ID -eq "4663" -or $_.ID -eq "4658") -and ($_.message -match "ObjectName.*.*.AAA" -or $_.message -match "ObjectName.*.*.ZZZ")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_time_modification.ps1 b/Rules/SIGMA/builtin/win_susp_time_modification.ps1
new file mode 100644
index 00000000..df1734e0
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_time_modification.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4616" -and -not (((($_.message -match "ProcessName.*C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -or $_.message -match "ProcessName.*C:\Windows\System32\VBoxService.exe") -or ($_.message -match "ProcessName.*C:\Windows\System32\svchost.exe" -and $_.message -match "SubjectUserSid.*S-1-5-19"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_time_modification";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_time_modification";
+ $detectedMessage = "Detect scenarios where a potentially unauthorized application or user is modifying the system time.";
+ $result = $event | where { ($_.ID -eq "4616" -and -not (((($_.message -match "ProcessName.*C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -or $_.message -match "ProcessName.*C:\\Windows\\System32\\VBoxService.exe") -or ($_.message -match "ProcessName.*C:\\Windows\\System32\\svchost.exe" -and $_.message -match "SubjectUserSid.*S-1-5-19"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_wmi_login.ps1 b/Rules/SIGMA/builtin/win_susp_wmi_login.ps1
new file mode 100644
index 00000000..884f9a16
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_wmi_login.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "ProcessName.*.*\WmiPrvSE.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_wmi_login";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_wmi_login";
+ $detectedMessage = "Detection of logins performed with WMI";
+ $result = $event | where { ($_.ID -eq "4624" -and $_.message -match "ProcessName.*.*\\WmiPrvSE.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_susp_zip_compress.ps1 b/Rules/SIGMA/builtin/win_susp_zip_compress.ps1
new file mode 100644
index 00000000..ee6a2758
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_susp_zip_compress.ps1
@@ -0,0 +1,43 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Compress-Archive .*" -and $_.message -match "CommandLine.*.* -Path .*" -and $_.message -match "CommandLine.*.* -DestinationPath .*" -and $_.message -match "CommandLine.*.*$env:TEMP\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Windows PowerShell | where { ($_.message -match "HostApplication.*.*Compress-Archive .*" -and $_.message -match "HostApplication.*.* -Path .*" -and $_.message -match "HostApplication.*.* -DestinationPath .*" -and $_.message -match "HostApplication.*.*$env:TEMP\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where { ($_.message -match "ContextInfo.*.*Compress-Archive .*" -and $_.message -match "ContextInfo.*.* -Path .*" -and $_.message -match "ContextInfo.*.* -DestinationPath .*" -and $_.message -match "ContextInfo.*.*$env:TEMP\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_zip_compress";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_zip_compress";
+ $detectedMessage = "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Compress-Archive .*" -and $_.message -match "CommandLine.*.* -Path .*" -and $_.message -match "CommandLine.*.* -DestinationPath .*" -and $_.message -match "CommandLine.*.*$env:TEMP\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.message -match "HostApplication.*.*Compress-Archive .*" -and $_.message -match "HostApplication.*.* -Path .*" -and $_.message -match "HostApplication.*.* -DestinationPath .*" -and $_.message -match "HostApplication.*.*$env:TEMP\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.message -match "ContextInfo.*.*Compress-Archive .*" -and $_.message -match "ContextInfo.*.* -Path .*" -and $_.message -match "ContextInfo.*.* -DestinationPath .*" -and $_.message -match "ContextInfo.*.*$env:TEMP\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_suspicious_outbound_kerberos_connection.ps1 b/Rules/SIGMA/builtin/win_suspicious_outbound_kerberos_connection.ps1
new file mode 100644
index 00000000..72ac8ad8
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_suspicious_outbound_kerberos_connection.ps1
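Review bot: `$env:TEMP` inside the double-quoted patterns of the three `$tmp = $event | where { ... }` lines is expanded by PowerShell when the rule runs, so the regex ends up containing the analyst machine's own temp path (with unescaped backslashes) rather than the literal text `$env:TEMP\` the rule evidently wants to find in the logged command line; detections then depend on where the script is run and will likely never match the real command line. Use a single-quoted, regex-escaped literal instead, e.g. `-match 'CommandLine.*\$env:TEMP\\.*'`, and the same for the HostApplication and ContextInfo patterns. The three Get-WinEvent comment lines at the top of the file document the same expression and would mislead anyone copying them into a shell.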
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "5156" -and $_.message -match "DestinationPort.*88") -and -not (($_.message -match "Image.*.*\lsass.exe" -or $_.message -match "Image.*.*\opera.exe" -or $_.message -match "Image.*.*\chrome.exe" -or $_.message -match "Image.*.*\firefox.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_suspicious_outbound_kerberos_connection";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_suspicious_outbound_kerberos_connection";
+ $detectedMessage = "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.";
+ $result = $event | where { (($_.ID -eq "5156" -and $_.message -match "DestinationPort.*88") -and -not (($_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\opera.exe" -or $_.message -match "Image.*.*\\chrome.exe" -or $_.message -match "Image.*.*\\firefox.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_suspicious_werfault_connection_outbound.ps1 b/Rules/SIGMA/builtin/win_suspicious_werfault_connection_outbound.ps1
new file mode 100644
index 00000000..960d90d6
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_suspicious_werfault_connection_outbound.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and $_.message -match "Image.*werfault.exe" -and -not (($_.ID -eq "3" -and $_.message -match "ParentImage.*svchost.exe" -and ($_.message -match "104.42.151.234" -or $_.message -match "104.43.193.48" -or $_.message -match "52.255.188.83" -or $_.message -match "13.64.90.137" -or $_.message -match "168.61.161.212" -or $_.message -match "13.88.21.125" -or $_.message -match "40.88.32.150" -or $_.message -match "52.147.198.201" -or $_.message -match "52.239.207.100" -or $_.message -match "52.176.224.96" -or $_.message -match "2607:7700:0:24:0:1:287e:1894" -or $_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*127..*") -and ($_.message -match "DestinationHostname.*.*.windowsupdate.com.*" -or $_.message -match "DestinationHostname.*.*.microsoft.com.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_suspicious_werfault_connection_outbound";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_suspicious_werfault_connection_outbound";
+ $detectedMessage = "Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.";
+ $result = $event | where { (($_.ID -eq "3") -and $_.message -match "Image.*werfault.exe" -and -not (($_.ID -eq "3" -and $_.message -match "ParentImage.*svchost.exe" -and ($_.message -match "104.42.151.234" -or $_.message -match "104.43.193.48" -or $_.message -match "52.255.188.83" -or $_.message -match "13.64.90.137" -or $_.message -match "168.61.161.212" -or $_.message -match "13.88.21.125" -or $_.message -match "40.88.32.150" -or $_.message -match "52.147.198.201" -or $_.message -match "52.239.207.100" -or $_.message -match "52.176.224.96" -or $_.message -match "2607:7700:0:24:0:1:287e:1894" -or $_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*127..*") -and ($_.message -match "DestinationHostname.*.*.windowsupdate.com.*" -or $_.message -match "DestinationHostname.*.*.microsoft.com.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_svcctl_remote_service.ps1 b/Rules/SIGMA/builtin/win_svcctl_remote_service.ps1
new file mode 100644
index 00000000..0679f1eb
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_svcctl_remote_service.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\.*\IPC$" -and $_.message -match "RelativeTargetName.*svcctl" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_svcctl_remote_service";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_svcctl_remote_service";
+ $detectedMessage = "Detects remote service activity via remote access to the svcctl named pipe";
+ $result = $event | where { ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*svcctl" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_syskey_registry_access.ps1 b/Rules/SIGMA/builtin/win_syskey_registry_access.ps1
new file mode 100644
index 00000000..d87208b6
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_syskey_registry_access.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -or $_.ID -eq "4663") -and $_.message -match "ObjectType.*key" -and ($_.message -match "ObjectName.*.*lsa\JD" -or $_.message -match "ObjectName.*.*lsa\GBG" -or $_.message -match "ObjectName.*.*lsa\Skew1" -or $_.message -match "ObjectName.*.*lsa\Data")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_syskey_registry_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_syskey_registry_access";
+ $detectedMessage = "Detects handle requests and access operations to specific registry keys to calculate the SysKey";
+ $result = $event | where { (($_.ID -eq "4656" -or $_.ID -eq "4663") -and $_.message -match "ObjectType.*key" -and ($_.message -match "ObjectName.*.*lsa\\JD" -or $_.message -match "ObjectName.*.*lsa\\GBG" -or $_.message -match "ObjectName.*.*lsa\\Skew1" -or $_.message -match "ObjectName.*.*lsa\\Data")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_sysmon_channel_reference_deletion.ps1 b/Rules/SIGMA/builtin/win_sysmon_channel_reference_deletion.ps1
new file mode 100644
index 00000000..f8271b21
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_sysmon_channel_reference_deletion.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.message -match "ObjectName.*.*WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}.*" -or $_.message -match "ObjectName.*.*WINEVT\Channels\Microsoft-Windows-Sysmon/Operational.*") -and (($_.ID -eq "4657" -and $_.message -match "ObjectValueName.*Enabled" -and $_.message -match "NewValue.*0") -or ($_.ID -eq "4663" -and $_.message -match "AccessMask.*65536"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_sysmon_channel_reference_deletion";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_sysmon_channel_reference_deletion";
+ $detectedMessage = "Potential threat actor tampering with Sysmon manifest and eventually disabling it";
+ $result = $result | where { (($_.message -match "ObjectName.*.*WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}.*" -or $_.message -match "ObjectName.*.*WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational.*") -and (($_.ID -eq "4657" -and $_.message -match "ObjectValueName.*Enabled" -and $_.message -match "NewValue.*0") -or ($_.ID -eq "4663" -and $_.message -match "AccessMask.*65536"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_tap_driver_installation.ps1 b/Rules/SIGMA/builtin/win_tap_driver_installation.ps1
new file mode 100644
index 00000000..7785f0a6
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_tap_driver_installation.ps1
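Review bot: `$result = $result | where { ... }` pipes a variable that has not been assigned yet instead of the `$event` parameter, so `$result` is always empty and this rule can never report anything, even though it is the one meant to catch Sysmon being disabled. It should read `$result = $event | where { ... }`, as every other rule in this commit does.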
@@ -0,0 +1,45 @@
+# Get-WinEvent -LogName System | where { ($_.ID -eq "7045" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "6" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Security | where { ($_.ID -eq "4697" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_tap_driver_installation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_tap_driver_installation";
+ $detectedMessage = "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "7045" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "6" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "6" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "4697" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $result;
+ Write-Output "";
+ Write-Output $detectedMessage;
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_transferring_files_with_credential_data_via_network_shares.ps1 b/Rules/SIGMA/builtin/win_transferring_files_with_credential_data_via_network_shares.ps1
new file mode 100644
index 00000000..b5d17dfc
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_transferring_files_with_credential_data_via_network_shares.ps1
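Review bot: The Sysmon ID 6 query is added to `$results` twice (the two identical `$tmp = $event | where { ($_.ID -eq "6" ...` lines), so a single driver-load event would be reported as two separate detections; one of the pair should be dropped. The output order inside the `foreach` also differs from every other rule in this commit: `$detectedMessage` is written after the result and the trailing blank line, which separates the description from the detection it explains, so `Write-Output $detectedMessage;` should move to directly after the `Detected! RuleName` line. The top-of-file comment lists only three queries, which matches the intended three lookups rather than the four the code performs.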
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and ($_.message -match "RelativeTargetName.*.*\mimidrv.*" -or $_.message -match "RelativeTargetName.*.*\lsass.*" -or $_.message -match "RelativeTargetName.*.*\windows\minidump\.*" -or $_.message -match "RelativeTargetName.*.*\hiberfil.*" -or $_.message -match "RelativeTargetName.*.*\sqldmpr.*" -or $_.message -match "RelativeTargetName.*.*\sam.*" -or $_.message -match "RelativeTargetName.*.*\ntds.dit.*" -or $_.message -match "RelativeTargetName.*.*\security.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_transferring_files_with_credential_data_via_network_shares";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_transferring_files_with_credential_data_via_network_shares";
+ $detectedMessage = "Transferring files with well-known filenames (sensitive files with credential data) using network shares";
+ $result = $event | where { ($_.ID -eq "5145" -and ($_.message -match "RelativeTargetName.*.*\\mimidrv.*" -or $_.message -match "RelativeTargetName.*.*\\lsass.*" -or $_.message -match "RelativeTargetName.*.*\\windows\\minidump\\.*" -or $_.message -match "RelativeTargetName.*.*\\hiberfil.*" -or $_.message -match "RelativeTargetName.*.*\\sqldmpr.*" -or $_.message -match "RelativeTargetName.*.*\\sam.*" -or $_.message -match "RelativeTargetName.*.*\\ntds.dit.*" -or $_.message -match "RelativeTargetName.*.*\\security.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
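Review bot: The `\\sam.*` and `\\security.*` alternatives in the `$result` filter are substring matches, so on a busy file server `\samples\...` or `\security_policy.docx` share accesses fire this rule with the same weight as a real SAM or SECURITY hive copy; the Sigma source is a `contains` match, so this is inherited, but the rule text should say so. Two small regex fixes in the same line: `.*.*` is a redundant double wildcard and the dot in `\\ntds.dit.*` is unescaped, so `\\ntds\.dit` is what was meant. If the message is multi-line, `.` does not cross line breaks, so each `RelativeTargetName.*` clause already stays on the field's own line.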
diff --git a/Rules/SIGMA/builtin/win_usb_device_plugged.ps1 b/Rules/SIGMA/builtin/win_usb_device_plugged.ps1
new file mode 100644
index 00000000..52682b3d
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_usb_device_plugged.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational | where {(($_.ID -eq "2003" -or $_.ID -eq "2100" -or $_.ID -eq "2102")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_usb_device_plugged";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_usb_device_plugged";
+ $detectedMessage = "Detects plugged USB devices";
+ $result = $event | where { (($_.ID -eq "2003" -or $_.ID -eq "2100" -or $_.ID -eq "2102")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_user_added_to_local_administrators.ps1 b/Rules/SIGMA/builtin/win_user_added_to_local_administrators.ps1
new file mode 100644
index 00000000..3a8e3ca2
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_user_added_to_local_administrators.ps1
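Review bot: The `$result` filter tests only `$_.ID -eq "2003"/"2100"/"2102"` with no message or provider condition, while the comment on line 1 scopes the query to `Microsoft-Windows-DriverFrameworks-UserMode/Operational`; IDs this low recur across many channels, so if `$event` pools records from more than one log (I cannot tell from this hunk) the rule will report unrelated events as USB insertions. Carrying the scope into the filter is one clause: `$_.LogName -eq 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' -and ($_.ID -eq "2003" -or $_.ID -eq "2100" -or $_.ID -eq "2102")`. The doubled parentheses around the ID test are left over from the generator and can go.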
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4732" -and ($_.message -match "TargetUserName.*Administr.*" -or $_.message -match "TargetSid.*S-1-5-32-544")) -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_user_added_to_local_administrators";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_user_added_to_local_administrators";
+ $detectedMessage = "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation";
+ $result = $event | where { (($_.ID -eq "4732" -and ($_.message -match "TargetUserName.*Administr.*" -or $_.message -match "TargetSid.*S-1-5-32-544")) -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.ps1 b/Rules/SIGMA/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.ps1
new file mode 100644
index 00000000..4cc0e5c6
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.ps1
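Review bot: The machine-account exclusion `-not ($_.message -match "SubjectUserName.*.*$")` in the `$result` filter uses `$` as the regex end-of-input anchor, not a literal dollar sign, so it never tests whether the subject name ends in `$` as the comment on line 1 intends; depending on where the field sits in the multi-line message the clause either matches nothing (machine accounts are not excluded) or matches everything (no event is ever reported). Escape it and use a single-quoted pattern so PowerShell does not get a chance to interpolate: `-not ($_.message -match 'SubjectUserName.*\$')` — since `.` does not cross line breaks this stays on the field's own line. The identical construct appears in the win_wmiprvse_wbemcomn_dll_hijack hunk of this commit and needs the same fix.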
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4673" -and $_.message -match "Service.*LsaRegisterLogonProcess()" -and $_.message -match "Keywords.*0x8010000000000000") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_user_couldnt_call_privileged_service_lsaregisterlogonprocess";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_user_couldnt_call_privileged_service_lsaregisterlogonprocess";
+ $detectedMessage = "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.";
+ $result = $event | where { ($_.ID -eq "4673" -and $_.message -match "Service.*LsaRegisterLogonProcess()" -and $_.message -match "Keywords.*0x8010000000000000") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_user_creation.ps1 b/Rules/SIGMA/builtin/win_user_creation.ps1
new file mode 100644
index 00000000..7860cc08
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_user_creation.ps1
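Review bot: In the `$result` filter the pattern `Service.*LsaRegisterLogonProcess()` treats `()` as an empty capture group, so it matches the bare function name and only works by accident; write `'Service.*LsaRegisterLogonProcess\(\)'` to match the literal parentheses the event carries. The second clause, `Keywords.*0x8010000000000000`, looks for the audit-failure keyword inside the message text, but Keywords is record metadata rather than message content, so unless `$event` is a custom object that embeds it (not visible here) this clause will not match; `$_.KeywordsDisplayNames -contains 'Audit Failure'` tests the property directly.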
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4720") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_user_creation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_user_creation";
+ $detectedMessage = "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows";
+ $result = $event | where { ($_.ID -eq "4720") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_user_driver_loaded.ps1 b/Rules/SIGMA/builtin/win_user_driver_loaded.ps1
new file mode 100644
index 00000000..cfa43710
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_user_driver_loaded.ps1
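Review bot: `$detectedMessage` is cut off mid-sentence ("Apply this Sigma Use Case on your windows") — the trailing half of the upstream description was lost in translation, so the analyst who sees this detection gets an instruction with no object. Either restore the full sentence or trim it to the first sentence: `$detectedMessage = "Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment.";`. The rule fires on every 4720, so that scoping note is the only thing telling the reader it is meant for member servers rather than domain controllers.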
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4673" -and $_.message -match "PrivilegeList.*SeLoadDriverPrivilege" -and $_.message -match "Service.*-") -and -not (($_.message -match "ProcessName.*.*\Windows\System32\Dism.exe" -or $_.message -match "ProcessName.*.*\Windows\System32\rundll32.exe" -or $_.message -match "ProcessName.*.*\Windows\System32\fltMC.exe" -or $_.message -match "ProcessName.*.*\Windows\HelpPane.exe" -or $_.message -match "ProcessName.*.*\Windows\System32\mmc.exe" -or $_.message -match "ProcessName.*.*\Windows\System32\svchost.exe" -or $_.message -match "ProcessName.*.*\Windows\System32\wimserv.exe" -or $_.message -match "ProcessName.*.*\procexp64.exe" -or $_.message -match "ProcessName.*.*\procexp.exe" -or $_.message -match "ProcessName.*.*\procmon64.exe" -or $_.message -match "ProcessName.*.*\procmon.exe" -or $_.message -match "ProcessName.*.*\Google\Chrome\Application\chrome.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_user_driver_loaded";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_user_driver_loaded";
+ $detectedMessage = "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.";
+ $result = $event | where { (($_.ID -eq "4673" -and $_.message -match "PrivilegeList.*SeLoadDriverPrivilege" -and $_.message -match "Service.*-") -and -not (($_.message -match "ProcessName.*.*\\Windows\\System32\\Dism.exe" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\rundll32.exe" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\fltMC.exe" -or $_.message -match "ProcessName.*.*\\Windows\\HelpPane.exe" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\mmc.exe" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\svchost.exe" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\wimserv.exe" -or $_.message -match "ProcessName.*.*\\procexp64.exe" -or $_.message -match "ProcessName.*.*\\procexp.exe" -or $_.message -match "ProcessName.*.*\\procmon64.exe" -or $_.message -match "ProcessName.*.*\\procmon.exe" -or $_.message -match "ProcessName.*.*\\Google\\Chrome\\Application\\chrome.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_volume_shadow_copy_mount.ps1 b/Rules/SIGMA/builtin/win_volume_shadow_copy_mount.ps1
new file mode 100644
index 00000000..f861aef2
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_volume_shadow_copy_mount.ps1
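Review bot: The exclusion list in the `$result` filter is anchored only on the left, so `ProcessName.*.*\\Windows\\System32\\svchost.exe` also suppresses a process whose path merely ends in `\Windows\System32\svchost.exe` under any user-writable directory — an allow-list that can be satisfied by choosing a directory name defeats its own purpose. The upstream rule lists absolute paths, so anchor the drive root and escape the dot, e.g. `'ProcessName:\s*[A-Za-z]:\\Windows\\System32\\svchost\.exe'`, and do the same for the other `\Windows\...` entries; the `procexp`/`procmon`/`chrome` entries are filename matches by design and can stay unanchored. The `Service.*-` clause matches any hyphen on a line containing "Service", which is looser than the upstream `Service: '-'`; confirm against a rendered 4673 message before relying on it. The description string is a single very long line here because of how the diff was wrapped, not a multi-line literal.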
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName System | where {($_.message -match "Source.*Microsoft-Windows-Ntfs" -and $_.ID -eq "98" -and $_.message -match "DeviceName.*.*HarddiskVolumeShadowCopy.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_volume_shadow_copy_mount";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_volume_shadow_copy_mount";
+ $detectedMessage = "Detects volume shadow copy mount";
+ $result = $event | where { ($_.message -match "Source.*Microsoft-Windows-Ntfs" -and $_.ID -eq "98" -and $_.message -match "DeviceName.*.*HarddiskVolumeShadowCopy.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_vssaudit_secevent_source_registration.ps1 b/Rules/SIGMA/builtin/win_vssaudit_secevent_source_registration.ps1
new file mode 100644
index 00000000..6a17740b
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_vssaudit_secevent_source_registration.ps1
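Review bot: The first clause of the `$result` filter, `$_.message -match "Source.*Microsoft-Windows-Ntfs"`, looks for the provider name inside the message text, but "Source" in the upstream rule is the event's provider, which Get-WinEvent exposes as a property rather than in `Message`; unless `$event` carries a pre-rendered record with the source embedded (not visible in this hunk), the clause never matches and the rule is silent. Test the property instead: `$_.ProviderName -eq 'Microsoft-Windows-Ntfs' -and $_.ID -eq "98" -and $_.message -match "DeviceName.*HarddiskVolumeShadowCopy"`. The win_vul_cve_2020_0688 hunk of this commit does the same with `Source.*MSExchange Control Panel` and `Level.*Error` (`ProviderName` and `LevelDisplayName` there).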
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.message -match "AuditSourceName.*VSSAudit" -and ($_.ID -eq "4904" -or $_.ID -eq "4905")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_vssaudit_secevent_source_registration";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_vssaudit_secevent_source_registration";
+ $detectedMessage = "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.";
+ $result = $event | where { ($_.message -match "AuditSourceName.*VSSAudit" -and ($_.ID -eq "4904" -or $_.ID -eq "4905")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_vul_cve_2020_0688.ps1 b/Rules/SIGMA/builtin/win_vul_cve_2020_0688.ps1
new file mode 100644
index 00000000..7e5b922a
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_vul_cve_2020_0688.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Application | where {($_.ID -eq "4" -and $_.message -match "Source.*MSExchange Control Panel" -and $_.message -match "Level.*Error" -and ($_.message -match ".*&__VIEWSTATE=.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_vul_cve_2020_0688";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_vul_cve_2020_0688";
+ $detectedMessage = "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 ";
+ $result = $event | where { ($_.ID -eq "4" -and $_.message -match "Source.*MSExchange Control Panel" -and $_.message -match "Level.*Error" -and ($_.message -match ".*&__VIEWSTATE=.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Messagel;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_vul_cve_2020_1472.ps1 b/Rules/SIGMA/builtin/win_vul_cve_2020_1472.ps1
new file mode 100644
index 00000000..2c737b5b
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_vul_cve_2020_1472.ps1
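Review bot: The `select` at the end of the `$result` line names `Messagel` instead of `Message`; Select-Object silently emits an empty property for an unknown name, so every detection from this rule prints without the message body — the one field an analyst needs to see the `__VIEWSTATE` request. Fix the typo: `| select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;`. The same line also tests `Source.*MSExchange Control Panel` and `Level.*Error` against the message text although both are record properties (`ProviderName`, `LevelDisplayName`), so the rule is unlikely to match at all unless `$event` embeds them; the ID-4 test alone is far too broad without them.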
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName System | where {(($_.ID -eq "5829")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_vul_cve_2020_1472";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_vul_cve_2020_1472";
+ $detectedMessage = "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.";
+ $result = $event | where { (($_.ID -eq "5829")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/builtin/win_wmiprvse_wbemcomn_dll_hijack.ps1 b/Rules/SIGMA/builtin/win_wmiprvse_wbemcomn_dll_hijack.ps1
new file mode 100644
index 00000000..8f171788
--- /dev/null
+++ b/Rules/SIGMA/builtin/win_wmiprvse_wbemcomn_dll_hijack.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "RelativeTargetName.*.*\wbem\wbemcomn.dll") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_wmiprvse_wbemcomn_dll_hijack";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_wmiprvse_wbemcomn_dll_hijack";
+ $detectedMessage = "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:WindowsSystem32wbem` directory over the network for a WMI DLL Hijack scenario.";
+ $result = $event | where { (($_.ID -eq "5145" -and $_.message -match "RelativeTargetName.*.*\\wbem\\wbemcomn.dll") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/create_remote_thread/sysmon_cactustorch.ps1 b/Rules/SIGMA/create_remote_thread/sysmon_cactustorch.ps1
new file mode 100644
index 00000000..c32e1ed4
--- /dev/null
+++ b/Rules/SIGMA/create_remote_thread/sysmon_cactustorch.ps1
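Review bot: `$detectedMessage` is a double-quoted string containing backticks, and the backtick is PowerShell's escape character, so `` `wbemcomn.dll` `` and `` `C:WindowsSystem32wbem` `` are emitted without the backticks — and the path has already lost its backslashes on the way in from the upstream markdown. Use a single-quoted literal with the real path: `$detectedMessage = 'Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem directory over the network for a WMI DLL Hijack scenario.';`. The `SubjectUserName.*.*$` exclusion in the `$result` filter has the unescaped-dollar problem raised on the win_user_added_to_local_administrators hunk, and `wbemcomn.dll` would be more precise as `wbemcomn\.dll`.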
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and ($_.message -match "SourceImage.*.*\System32\cscript.exe" -or $_.message -match "SourceImage.*.*\System32\wscript.exe" -or $_.message -match "SourceImage.*.*\System32\mshta.exe" -or $_.message -match "SourceImage.*.*\winword.exe" -or $_.message -match "SourceImage.*.*\excel.exe") -and $_.message -match "TargetImage.*.*\SysWOW64\.*" -and -not StartModule="*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_cactustorch";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_cactustorch";
+ $detectedMessage = "Detects remote thread creation from CACTUSTORCH as described in references.";
+ $result = $event | where { ($_.ID -eq "8" -and ($_.message -match "SourceImage.*.*\\System32\\cscript.exe" -or $_.message -match "SourceImage.*.*\\System32\\wscript.exe" -or $_.message -match "SourceImage.*.*\\System32\\mshta.exe" -or $_.message -match "SourceImage.*.*\\winword.exe" -or $_.message -match "SourceImage.*.*\\excel.exe") -and $_.message -match "TargetImage.*.*\\SysWOW64\\.*" -and (-not $_.message -match "StartModule.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/create_remote_thread/sysmon_cobaltstrike_process_injection.ps1 b/Rules/SIGMA/create_remote_thread/sysmon_cobaltstrike_process_injection.ps1
new file mode 100644
index 00000000..cf5563a2
--- /dev/null
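Review bot: `(-not $_.message -match "StartModule.*")` in the `$result` filter binds as `(-not $_.message) -match "StartModule.*"`: `-not` of a non-empty string is `$false`, `"False" -match "StartModule.*"` is false, so the whole condition is permanently false and this rule can never fire. Parenthesise the match: `-and -not ($_.message -match "StartModule.*")`. Even then, a Sysmon event 8 message always carries the `StartModule:` label, so `StartModule.*` is true for every record; if the intent (per the comment on line 1, `-not StartModule="*"`) is an empty StartModule value, match on the value, e.g. `$_.message -match '(?m)^StartModule:\s*-?\s*$'`, after checking how Sysmon renders the empty field on your hosts.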
+++ b/Rules/SIGMA/create_remote_thread/sysmon_cobaltstrike_process_injection.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and ($_.message -match "TargetProcessAddress.*.*0B80" -or $_.message -match "TargetProcessAddress.*.*0C7C" -or $_.message -match "TargetProcessAddress.*.*0C88")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_cobaltstrike_process_injection";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_cobaltstrike_process_injection";
+ $detectedMessage = "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons";
+ $result = $event | where { ($_.ID -eq "8" -and ($_.message -match "TargetProcessAddress.*.*0B80" -or $_.message -match "TargetProcessAddress.*.*0C7C" -or $_.message -match "TargetProcessAddress.*.*0C88")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/create_remote_thread/sysmon_createremotethread_loadlibrary.ps1 b/Rules/SIGMA/create_remote_thread/sysmon_createremotethread_loadlibrary.ps1
new file mode 100644
index 00000000..ab18f5a9
--- /dev/null
+++ b/Rules/SIGMA/create_remote_thread/sysmon_createremotethread_loadlibrary.ps1
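Review bot: The three `TargetProcessAddress.*.*0B80`-style patterns in the `$result` filter are suffix tests in the upstream rule (the thread start address ending in 0B80/0C7C/0C88), but as written they match the hex digits anywhere after the label, so an address such as `...0B8010` also triggers and the already-weak heuristic gets noisier. Anchor the value to the end of its line with multiline mode: `'(?m)TargetProcessAddress:\s*\S*0B80\s*$'`, and likewise for the other two. The message says "remote threat creation" where "remote thread creation" is meant.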
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "StartModule.*.*\kernel32.dll" -and $_.message -match "StartFunction.*LoadLibraryA") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_createremotethread_loadlibrary";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_createremotethread_loadlibrary";
+ $detectedMessage = "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process";
+ $result = $event | where { ($_.ID -eq "8" -and $_.message -match "StartModule.*.*\\kernel32.dll" -and $_.message -match "StartFunction.*LoadLibraryA") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/create_remote_thread/sysmon_password_dumper_lsass.ps1 b/Rules/SIGMA/create_remote_thread/sysmon_password_dumper_lsass.ps1
new file mode 100644
index 00000000..a34743a0
--- /dev/null
+++ b/Rules/SIGMA/create_remote_thread/sysmon_password_dumper_lsass.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "TargetImage.*.*\lsass.exe" -and $_.message -match "StartModule.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_password_dumper_lsass";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_password_dumper_lsass";
+ $detectedMessage = "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.";
+ $result = $event | where { ($_.ID -eq "8" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "StartModule.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/create_remote_thread/sysmon_susp_powershell_rundll32.ps1 b/Rules/SIGMA/create_remote_thread/sysmon_susp_powershell_rundll32.ps1
new file mode 100644
index 00000000..16d4495a
--- /dev/null
+++ b/Rules/SIGMA/create_remote_thread/sysmon_susp_powershell_rundll32.ps1
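Review bot: The clause `$_.message -match "StartModule.*"` in the `$result` filter is a no-op: every Sysmon event 8 message contains the `StartModule:` label, so the pattern is true for every record and the rule reduces to "any remote thread into lsass.exe". If the upstream intent is a non-empty StartModule value, test the value rather than the label, e.g. `$_.message -match '(?m)^StartModule:\s*\S'` (verify how Sysmon renders an empty field — it may print `-`). The `TargetImage.*.*\\lsass.exe` clause would be tighter as `'\\lsass\.exe\s*$'` with `(?m)`, so `lsass.exe.bak`-style names do not match.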
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "SourceImage.*.*\powershell.exe" -and $_.message -match "TargetImage.*.*\rundll32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_powershell_rundll32";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_powershell_rundll32";
+ $detectedMessage = "Detects PowerShell remote thread creation in Rundll32.exe";
+ $result = $event | where { ($_.ID -eq "8" -and $_.message -match "SourceImage.*.*\\powershell.exe" -and $_.message -match "TargetImage.*.*\\rundll32.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/create_remote_thread/sysmon_suspicious_remote_thread.ps1 b/Rules/SIGMA/create_remote_thread/sysmon_suspicious_remote_thread.ps1
new file mode 100644
index 00000000..61055338
--- /dev/null
+++ b/Rules/SIGMA/create_remote_thread/sysmon_suspicious_remote_thread.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "8") -and ($_.message -match "SourceImage.*.*\bash.exe" -or $_.message -match "SourceImage.*.*\cvtres.exe" -or $_.message -match "SourceImage.*.*\defrag.exe" -or $_.message -match "SourceImage.*.*\dnx.exe" -or $_.message -match "SourceImage.*.*\esentutl.exe" -or $_.message -match "SourceImage.*.*\excel.exe" -or $_.message -match "SourceImage.*.*\expand.exe" -or $_.message -match "SourceImage.*.*\explorer.exe" -or $_.message -match "SourceImage.*.*\find.exe" -or $_.message -match "SourceImage.*.*\findstr.exe" -or $_.message -match "SourceImage.*.*\forfiles.exe" -or $_.message -match "SourceImage.*.*\git.exe" -or $_.message -match "SourceImage.*.*\gpupdate.exe" -or $_.message -match "SourceImage.*.*\hh.exe" -or $_.message -match "SourceImage.*.*\iexplore.exe" -or $_.message -match "SourceImage.*.*\installutil.exe" -or $_.message -match "SourceImage.*.*\lync.exe" -or $_.message -match "SourceImage.*.*\makecab.exe" -or $_.message -match "SourceImage.*.*\mDNSResponder.exe" -or $_.message -match "SourceImage.*.*\monitoringhost.exe" -or $_.message -match "SourceImage.*.*\msbuild.exe" -or $_.message -match "SourceImage.*.*\mshta.exe" -or $_.message -match "SourceImage.*.*\msiexec.exe" -or $_.message -match "SourceImage.*.*\mspaint.exe" -or $_.message -match "SourceImage.*.*\outlook.exe" -or $_.message -match "SourceImage.*.*\ping.exe" -or $_.message -match "SourceImage.*.*\powerpnt.exe" -or $_.message -match "SourceImage.*.*\powershell.exe" -or $_.message -match "SourceImage.*.*\provtool.exe" -or $_.message -match "SourceImage.*.*\python.exe" -or $_.message -match "SourceImage.*.*\regsvr32.exe" -or $_.message -match "SourceImage.*.*\robocopy.exe" -or $_.message -match "SourceImage.*.*\runonce.exe" -or $_.message -match "SourceImage.*.*\sapcimc.exe" -or $_.message -match "SourceImage.*.*\schtasks.exe" -or $_.message -match "SourceImage.*.*\smartscreen.exe" -or $_.message -match "SourceImage.*.*\spoolsv.exe" -or $_.message -match "SourceImage.*.*\tstheme.exe" -or $_.message -match "SourceImage.*.*\userinit.exe" -or $_.message -match "SourceImage.*.*\vssadmin.exe" -or $_.message -match "SourceImage.*.*\vssvc.exe" -or $_.message -match "SourceImage.*.*\w3wp.exe" -or $_.message -match "SourceImage.*.*\winlogon.exe" -or $_.message -match "SourceImage.*.*\winscp.exe" -or $_.message -match "SourceImage.*.*\wmic.exe" -or $_.message -match "SourceImage.*.*\word.exe" -or $_.message -match "SourceImage.*.*\wscript.exe") -and -not ($_.message -match "SourceImage.*.*Visual Studio.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_suspicious_remote_thread";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_suspicious_remote_thread";
+ $detectedMessage = "Offensive tradecraft is switching away from using APIs like ""CreateRemoteThread"", however, this is still largely observed in the wild. This rule aims";
+ $result = $event | where { (($_.ID -eq "8") -and ($_.message -match "SourceImage.*.*\\bash.exe" -or $_.message -match "SourceImage.*.*\\cvtres.exe" -or $_.message -match "SourceImage.*.*\\defrag.exe" -or $_.message -match "SourceImage.*.*\\dnx.exe" -or $_.message -match "SourceImage.*.*\\esentutl.exe" -or $_.message -match "SourceImage.*.*\\excel.exe" -or $_.message -match "SourceImage.*.*\\expand.exe" -or $_.message -match "SourceImage.*.*\\explorer.exe" -or $_.message -match "SourceImage.*.*\\find.exe" -or $_.message -match "SourceImage.*.*\\findstr.exe" -or $_.message -match "SourceImage.*.*\\forfiles.exe" -or $_.message -match "SourceImage.*.*\\git.exe" -or $_.message -match "SourceImage.*.*\\gpupdate.exe" -or $_.message -match "SourceImage.*.*\\hh.exe" -or $_.message -match "SourceImage.*.*\\iexplore.exe" -or $_.message -match "SourceImage.*.*\\installutil.exe" -or $_.message -match "SourceImage.*.*\\lync.exe" -or $_.message -match "SourceImage.*.*\\makecab.exe" -or $_.message -match "SourceImage.*.*\\mDNSResponder.exe" -or $_.message -match "SourceImage.*.*\\monitoringhost.exe" -or $_.message -match "SourceImage.*.*\\msbuild.exe" -or $_.message -match "SourceImage.*.*\\mshta.exe" -or $_.message -match "SourceImage.*.*\\msiexec.exe" -or $_.message -match "SourceImage.*.*\\mspaint.exe" -or $_.message -match "SourceImage.*.*\\outlook.exe" -or $_.message -match "SourceImage.*.*\\ping.exe" -or $_.message -match "SourceImage.*.*\\powerpnt.exe" -or $_.message -match "SourceImage.*.*\\powershell.exe" -or $_.message -match "SourceImage.*.*\\provtool.exe" -or $_.message -match "SourceImage.*.*\\python.exe" -or $_.message -match "SourceImage.*.*\\regsvr32.exe" -or $_.message -match "SourceImage.*.*\\robocopy.exe" -or $_.message -match "SourceImage.*.*\\runonce.exe" -or $_.message -match "SourceImage.*.*\\sapcimc.exe" -or $_.message -match "SourceImage.*.*\\schtasks.exe" -or $_.message -match "SourceImage.*.*\\smartscreen.exe" -or $_.message -match "SourceImage.*.*\\spoolsv.exe" -or $_.message -match "SourceImage.*.*\\tstheme.exe" -or $_.message -match "SourceImage.*.*\\userinit.exe" -or $_.message -match "SourceImage.*.*\\vssadmin.exe" -or $_.message -match "SourceImage.*.*\\vssvc.exe" -or $_.message -match "SourceImage.*.*\\w3wp.exe" -or $_.message -match "SourceImage.*.*\\winlogon.exe" -or $_.message -match "SourceImage.*.*\\winscp.exe" -or $_.message -match "SourceImage.*.*\\wmic.exe" -or $_.message -match "SourceImage.*.*\\word.exe" -or $_.message -match "SourceImage.*.*\\wscript.exe") -and -not ($_.message -match "SourceImage.*.*Visual Studio.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/create_stream_hash/sysmon_ads_executable.ps1 b/Rules/SIGMA/create_stream_hash/sysmon_ads_executable.ps1
new file mode 100644
index 00000000..b63ede12
--- /dev/null
+++ b/Rules/SIGMA/create_stream_hash/sysmon_ads_executable.ps1
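Review bot: `$detectedMessage` ends mid-sentence ("This rule aims"), so the text shown to the analyst on every hit is a dangling fragment; the description was evidently truncated when the upstream rule was converted, and either the rest of the sentence should be restored or the string cut back to its first sentence. The very long `$result` line is one diff line that the page wrapped; nothing in it is split in the file. The `\\word.exe` entry comes from upstream and is kept here as-is, but note that Office's binary is winword.exe, so that alternative is dead weight.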
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "15") -and -not (($_.message -match "Imphash.*00000000000000000000000000000000") -or (-not Imphash="*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_ads_executable"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_ads_executable"; + $detectedMessage = "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)"; + $result = $event | where { (($_.ID -eq "15") -and -not (($_.message -match "Imphash.*00000000000000000000000000000000") -or (-not $_.message -eq "Imphash.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/create_stream_hash/sysmon_regedit_export_to_ads.ps1 b/Rules/SIGMA/create_stream_hash/sysmon_regedit_export_to_ads.ps1 new file mode 100644 index 00000000..7a72a686 --- /dev/null +++ b/Rules/SIGMA/create_stream_hash/sysmon_regedit_export_to_ads.ps1 
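Review bot: The null-imphash filter in the `$result` line is inert: `-not $_.message -eq "Imphash.*"` parses as `(-not $_.message) -eq "Imphash.*"`, a boolean-versus-string comparison that evaluates to `$false` for any event with a non-empty message, and `-eq` would compare the string literally rather than as a pattern in any case. The rule therefore also fires on every FileCreateStreamHash event that carries no IMPHASH at all (Sysmon not configured with that hash algorithm), which is exactly the case the second filter was meant to exclude. Replace the clause with a regex test so the whole exclusion reads `-not (($_.message -match "Imphash.*00000000000000000000000000000000") -or -not ($_.message -match "Imphash"))`. The reference one-liner in the header comment carries the same dead `(-not Imphash="*")` fragment and should be regenerated from the corrected predicate.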
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "15" -and $_.message -match "Image.*.*\regedit.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_regedit_export_to_ads";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_regedit_export_to_ads";
+ $detectedMessage = "Exports the target Registry key and hides it in the specified alternate data stream.";
+ $result = $event | where { ($_.ID -eq "15" -and $_.message -match "Image.*.*\\regedit.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/deprecated/sysmon_mimikatz_detection_lsass.ps1 b/Rules/SIGMA/deprecated/sysmon_mimikatz_detection_lsass.ps1
new file mode 100644
index 00000000..9b121724
--- /dev/null
+++ b/Rules/SIGMA/deprecated/sysmon_mimikatz_detection_lsass.ps1
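Review bot: The reference query in the header comment uses a single backslash, `"Image.*.*\regedit.exe"`, which the .NET regex engine reads as a carriage-return escape (`\r` followed by `egedit.exe`), so the pasted one-liner can never match; it should carry the doubled `\\regedit.exe` that the `$result` line uses. `$detectedMessage` describes the attacker technique rather than what the rule observes; consider `"Detects regedit.exe writing to a file alternate data stream (Sysmon event 15), as seen when a registry key is exported into an ADS"`. Because the match is on the image name alone, a renamed regedit binary is outside the rule's coverage — worth stating in a `# NOTE:` comment above `$result` rather than changing the code.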
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\lsass.exe" -and ($_.message -match "0x1410" -or $_.message -match "0x1010")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_mimikatz_detection_lsass"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_mimikatz_detection_lsass"; + $detectedMessage = "Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION only old"; + $result = $event | where { ($_.ID -eq 10 -and $_.message -match "TargetImage.*.*\\lsass.exe" -and ($_.message -match "0x1410" -or $_.message -match "0x1010")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/deprecated/win_susp_esentutl_activity.ps1 b/Rules/SIGMA/deprecated/win_susp_esentutl_activity.ps1 new file mode 100644 index 00000000..57d4d0a0 --- /dev/null +++ b/Rules/SIGMA/deprecated/win_susp_esentutl_activity.ps1 
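Review bot: The access-mask patterns `"0x1410"` and `"0x1010"` are tested against the entire message instead of the GrantedAccess field, so any other hex-bearing field on the event that happens to contain those digits would satisfy the rule; anchor them to the field, `$_.message -match "GrantedAccess.*0x1410"` and `$_.message -match "GrantedAccess.*0x1010"` (confirm the field label against a live event 10 record). `$_.ID -eq 10` compares against an integer while every sibling rule in this commit uses the string `"10"`; harmless because PowerShell coerces the right-hand operand, but it should be aligned for consistency. `$detectedMessage` contains stray spaces in `PROCESS_QUERY_ LIMITED_INFORMATION` and `PROCESS_QUERY_ INFORMATION` and stops mid-sentence at `only old`; finish the sentence so the alert text is readable.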
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /vss .*" -and $_.message -match "CommandLine.*.* /y .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_esentutl_activity"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_esentutl_activity"; + $detectedMessage = "Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. "; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /vss .*" -and $_.message -match "CommandLine.*.* /y .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/deprecated/win_susp_vssadmin_ntds_activity.ps1 b/Rules/SIGMA/deprecated/win_susp_vssadmin_ntds_activity.ps1 new file mode 100644 index 00000000..3b2f0d77 --- /dev/null +++ b/Rules/SIGMA/deprecated/win_susp_vssadmin_ntds_activity.ps1 
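Review bot: The patterns `"CommandLine.*.* /vss .*"` and `"CommandLine.*.* /y .*"` carry a doubled `.*` and a trailing `.*` that are no-ops under `-match`; `"CommandLine.* /vss "` and `"CommandLine.* /y "` express the same test and are easier to read. The predicate never ties the command line to `esentutl.exe`, so any process whose arguments contain both ` /vss ` and ` /y ` will match; if that is deliberate (to catch a renamed binary) a one-line comment saying so would stop a future maintainer from "fixing" it, otherwise add `-and $_.message -match "Image.*\\esentutl.exe"`. Note that `$_.ID -eq "1"` alone does not restrict the log source, so the rule relies on the caller feeding only Sysmon records.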
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "vssadmin.exe Delete Shadows" -or $_.message -match "vssadmin create shadow /for=C:" -or $_.message -match "CommandLine.*copy \?\GLOBALROOT\Device\.*\windows\ntds\ntds.dit" -or $_.message -match "CommandLine.*copy \?\GLOBALROOT\Device\.*\config\SAM" -or $_.message -match "vssadmin delete shadows /for=C:" -or $_.message -match "reg SAVE HKLM\SYSTEM " -or $_.message -match "CommandLine.*esentutl.exe /y /vss .*\ntds.dit.*" -or $_.message -match "CommandLine.*esentutl.exe /y /vss .*\SAM" -or $_.message -match "CommandLine.*esentutl.exe /y /vss .*\SYSTEM")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_vssadmin_ntds_activity"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_vssadmin_ntds_activity"; + $detectedMessage = "Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "vssadmin.exe Delete Shadows" -or $_.message -match "vssadmin create shadow /for=C:" -or $_.message -match "CommandLine.*copy \\?\\GLOBALROOT\\Device\\.*\\windows\\ntds\\ntds.dit" -or $_.message -match "CommandLine.*copy \\?\\GLOBALROOT\\Device\\.*\\config\\SAM" -or $_.message -match "vssadmin delete shadows /for=C:" -or $_.message -match "reg SAVE HKLM\\SYSTEM " -or $_.message -match "CommandLine.*esentutl.exe /y /vss .*\\ntds.dit.*" -or $_.message -match "CommandLine.*esentutl.exe /y /vss .*\\SAM" -or $_.message -match "CommandLine.*esentutl.exe /y /vss .*\\SYSTEM")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! 
RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/dns_query/dns_mega_nz.ps1 b/Rules/SIGMA/dns_query/dns_mega_nz.ps1 new file mode 100644 index 00000000..cb197b09 --- /dev/null +++ b/Rules/SIGMA/dns_query/dns_mega_nz.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "22" -and $_.message -match "QueryName.*.*userstorage.mega.co.nz.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "dns_mega_nz"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "dns_mega_nz"; + $detectedMessage = " Detects DNS queries for subdomains used for upload to MEGA.io"; + $result = $event | where { ($_.ID -eq "22" -and $_.message -match "QueryName.*.*userstorage.mega.co.nz.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/SIGMA/dns_query/sysmon_possible_dns_rebinding.ps1 b/Rules/SIGMA/dns_query/sysmon_possible_dns_rebinding.ps1 new file mode 100644 index 00000000..17e98af4 --- /dev/null +++ b/Rules/SIGMA/dns_query/sysmon_possible_dns_rebinding.ps1 
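Review bot: The two GLOBALROOT patterns cannot match the command they target: in `"CommandLine.*copy \\?\\GLOBALROOT\\Device\\..."` the regex engine sees `\\?`, a literal backslash made optional by the `?` quantifier, so the pattern accepts `\GLOBALROOT` or `\\GLOBALROOT` but rejects the real `copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...` form because the `?` character itself is never matched. The `?` must be escaped and both leading backslashes made literal: `"CommandLine.*copy \\\\\?\\GLOBALROOT\\Device\\.*\\windows\\ntds\\ntds.dit"`, and the same for the `\\config\\SAM` variant. The header one-liner shares the defect and additionally uses single backslashes, which .NET interprets as escapes (`\G` is an anchor, `\D` a character class), so it should be regenerated from the corrected patterns.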
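Review bot: The domain in `"QueryName.*.*userstorage.mega.co.nz.*"` has unescaped dots, so look-alikes such as `userstorage-mega-co-nz` also match, and the doubled `.*.*` plus trailing `.*` are no-ops under `-match`; `$_.message -match "QueryName.*userstorage\.mega\.co\.nz"` is the precise form. `$detectedMessage` begins with a stray leading space that will show up in the alert output. The file is also written without a trailing newline, unlike its siblings in this commit.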
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "22" -and $_.message -match "QueryName.*.*" -and $_.message -match "QueryStatus.*0" -and ($_.message -match "QueryResults.*(::ffff:)?10..*" -or $_.message -match "QueryResults.*(::ffff:)?192.168..*" -or $_.message -match "QueryResults.*(::ffff:)?172.16..*" -or $_.message -match "QueryResults.*(::ffff:)?172.17..*" -or $_.message -match "QueryResults.*(::ffff:)?172.18..*" -or $_.message -match "QueryResults.*(::ffff:)?172.19..*" -or $_.message -match "QueryResults.*(::ffff:)?172.20..*" -or $_.message -match "QueryResults.*(::ffff:)?172.21..*" -or $_.message -match "QueryResults.*(::ffff:)?172.22..*" -or $_.message -match "QueryResults.*(::ffff:)?172.23..*" -or $_.message -match "QueryResults.*(::ffff:)?172.24..*" -or $_.message -match "QueryResults.*(::ffff:)?172.25..*" -or $_.message -match "QueryResults.*(::ffff:)?172.26..*" -or $_.message -match "QueryResults.*(::ffff:)?172.27..*" -or $_.message -match "QueryResults.*(::ffff:)?172.28..*" -or $_.message -match "QueryResults.*(::ffff:)?172.29..*" -or $_.message -match "QueryResults.*(::ffff:)?172.30..*" -or $_.message -match "QueryResults.*(::ffff:)?172.31..*" -or $_.message -match "QueryResults.*(::ffff:)?127..*") -and ($_.ID -eq "22") -and ($_.message -match "QueryName.*.*" -and $_.message -match "QueryStatus.*0") -and -not (($_.message -match "QueryResults.*(::ffff:)?10..*" -or $_.message -match "QueryResults.*(::ffff:)?192.168..*" -or $_.message -match "QueryResults.*(::ffff:)?172.16..*" -or $_.message -match "QueryResults.*(::ffff:)?172.17..*" -or $_.message -match "QueryResults.*(::ffff:)?172.18..*" -or $_.message -match "QueryResults.*(::ffff:)?172.19..*" -or $_.message -match "QueryResults.*(::ffff:)?172.20..*" -or $_.message -match "QueryResults.*(::ffff:)?172.21..*" -or $_.message -match "QueryResults.*(::ffff:)?172.22..*" -or $_.message -match "QueryResults.*(::ffff:)?172.23..*" -or $_.message -match 
"QueryResults.*(::ffff:)?172.24..*" -or $_.message -match "QueryResults.*(::ffff:)?172.25..*" -or $_.message -match "QueryResults.*(::ffff:)?172.26..*" -or $_.message -match "QueryResults.*(::ffff:)?172.27..*" -or $_.message -match "QueryResults.*(::ffff:)?172.28..*" -or $_.message -match "QueryResults.*(::ffff:)?172.29..*" -or $_.message -match "QueryResults.*(::ffff:)?172.30..*" -or $_.message -match "QueryResults.*(::ffff:)?172.31..*" -or $_.message -match "QueryResults.*(::ffff:)?127..*"))) } | select ComputerName, QueryName | group ComputerName | foreach { [PSCustomObject]@{'ComputerName'=$_.name;'Count'=($_.group.QueryName | sort -u).count} } | sort count -desc | where { $_.count -gt 3 } + +function Add-Rule { + + $ruleName = "sysmon_possible_dns_rebinding"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_possible_dns_rebinding"; + $detectedMessage = "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. 
(DNS-record will saved in host cache for a while TTL)."; + $result = $event | where { ($_.ID -eq "22" -and $_.message -match "QueryName.*.*" -and $_.message -match "QueryStatus.*0" -and ($_.message -match "QueryResults.*(::ffff:)?10..*" -or $_.message -match "QueryResults.*(::ffff:)?192.168..*" -or $_.message -match "QueryResults.*(::ffff:)?172.16..*" -or $_.message -match "QueryResults.*(::ffff:)?172.17..*" -or $_.message -match "QueryResults.*(::ffff:)?172.18..*" -or $_.message -match "QueryResults.*(::ffff:)?172.19..*" -or $_.message -match "QueryResults.*(::ffff:)?172.20..*" -or $_.message -match "QueryResults.*(::ffff:)?172.21..*" -or $_.message -match "QueryResults.*(::ffff:)?172.22..*" -or $_.message -match "QueryResults.*(::ffff:)?172.23..*" -or $_.message -match "QueryResults.*(::ffff:)?172.24..*" -or $_.message -match "QueryResults.*(::ffff:)?172.25..*" -or $_.message -match "QueryResults.*(::ffff:)?172.26..*" -or $_.message -match "QueryResults.*(::ffff:)?172.27..*" -or $_.message -match "QueryResults.*(::ffff:)?172.28..*" -or $_.message -match "QueryResults.*(::ffff:)?172.29..*" -or $_.message -match "QueryResults.*(::ffff:)?172.30..*" -or $_.message -match "QueryResults.*(::ffff:)?172.31..*" -or $_.message -match "QueryResults.*(::ffff:)?127..*") -and ($_.ID -eq "22") -and ($_.message -match "QueryName.*.*" -and $_.message -match "QueryStatus.*0") -and -not (($_.message -match "QueryResults.*(::ffff:)?10..*" -or $_.message -match "QueryResults.*(::ffff:)?192.168..*" -or $_.message -match "QueryResults.*(::ffff:)?172.16..*" -or $_.message -match "QueryResults.*(::ffff:)?172.17..*" -or $_.message -match "QueryResults.*(::ffff:)?172.18..*" -or $_.message -match "QueryResults.*(::ffff:)?172.19..*" -or $_.message -match "QueryResults.*(::ffff:)?172.20..*" -or $_.message -match "QueryResults.*(::ffff:)?172.21..*" -or $_.message -match "QueryResults.*(::ffff:)?172.22..*" -or $_.message -match "QueryResults.*(::ffff:)?172.23..*" -or $_.message -match 
"QueryResults.*(::ffff:)?172.24..*" -or $_.message -match "QueryResults.*(::ffff:)?172.25..*" -or $_.message -match "QueryResults.*(::ffff:)?172.26..*" -or $_.message -match "QueryResults.*(::ffff:)?172.27..*" -or $_.message -match "QueryResults.*(::ffff:)?172.28..*" -or $_.message -match "QueryResults.*(::ffff:)?172.29..*" -or $_.message -match "QueryResults.*(::ffff:)?172.30..*" -or $_.message -match "QueryResults.*(::ffff:)?172.31..*" -or $_.message -match "QueryResults.*(::ffff:)?127..*"))) } | select ComputerName, QueryName | group ComputerName | foreach { [PSCustomObject]@{'ComputerName' = $_.name; 'Count' = ($_.group.QueryName | sort -u).count } } | sort count -desc | where { $_.count -gt 3 }; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/driver_load/sysmon_susp_driver_load.ps1 b/Rules/SIGMA/driver_load/sysmon_susp_driver_load.ps1 new file mode 100644 index 00000000..d644f496 --- /dev/null +++ b/Rules/SIGMA/driver_load/sysmon_susp_driver_load.ps1 
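Review bot: The `$result` predicate can never be true: it requires `QueryResults` to match one of the private-range patterns and, in the trailing `-and -not (...)`, requires the identical set not to match, so this rule is dead code. The rule's own tail (`group ComputerName | ... | where { $_.count -gt 3 }`) shows the intent is an aggregation over several answers per host, which a single per-event boolean cannot express; the private-range test should appear once as the event filter and the counting done afterwards. That grouping stage is broken on its own, because Get-WinEvent records expose `MachineName` and `Message` (what every sibling rule selects), not `ComputerName` or `QueryName`, so `group ComputerName` collapses everything into one nameless group. Finally the range patterns lost their start-of-value semantics: `"QueryResults.*(::ffff:)?10..*"` matches `10` followed by any character anywhere in the line (`13.107.x.x` qualifies), so they should be anchored to the field value with escaped dots, e.g. `QueryResults:\s*(::ffff:)?10\.` — confirm the label layout against a real event 22 before relying on it.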
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "6" -and $_.message -match "ImageLoaded.*.*\Temp\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_driver_load";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_driver_load";
+ $detectedMessage = "Detects a driver load from a temporary directory";
+ $result = $event | where { ($_.ID -eq "6" -and $_.message -match "ImageLoaded.*.*\\Temp\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/driver_load/sysmon_vuln_dell_driver_load.ps1 b/Rules/SIGMA/driver_load/sysmon_vuln_dell_driver_load.ps1
new file mode 100644
index 00000000..effc8a01
--- /dev/null
+++ b/Rules/SIGMA/driver_load/sysmon_vuln_dell_driver_load.ps1
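Review bot: The header one-liner's pattern `"ImageLoaded.*.*\Temp\.*"` is not a valid .NET regex — `\T` is an unrecognized escape and `-match` throws on it — so the documented query cannot be run as written; it should use `\\Temp\\` like the `$result` line. The detection matches any `\Temp\` path component in the loaded image, which covers both `C:\Windows\Temp` and per-user `%TEMP%` locations; a one-line comment above `$result` saying so, e.g. `# matches any \Temp\ component, system-wide or per-user`, would save the next reader a check.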
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "6") -and ($_.message -match "ImageLoaded.*.*\DBUtil_2_3.Sys.*" -or ($_.message -match "Hashes.*.*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5.*" -or $_.message -match "Hashes.*.*c948ae14761095e4d76b55d9de86412258be7afd.*" -or $_.message -match "Hashes.*.*c996d7971c49252c582171d9380360f2.*" -or $_.message -match "Hashes.*.*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1.*" -or $_.message -match "Hashes.*.*10b30bdee43b3a2ec4aa63375577ade650269d25.*" -or $_.message -match "Hashes.*.*d2fd132ab7bbc6bbb87a84f026fa0244.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_vuln_dell_driver_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_vuln_dell_driver_load"; + $detectedMessage = "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551"; + $result = $event | where { (($_.ID -eq "6") -and ($_.message -match "ImageLoaded.*.*\\DBUtil_2_3.Sys.*" -or ($_.message -match "Hashes.*.*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5.*" -or $_.message -match "Hashes.*.*c948ae14761095e4d76b55d9de86412258be7afd.*" -or $_.message -match "Hashes.*.*c996d7971c49252c582171d9380360f2.*" -or $_.message -match "Hashes.*.*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1.*" -or $_.message -match "Hashes.*.*10b30bdee43b3a2ec4aa63375577ade650269d25.*" -or $_.message -match "Hashes.*.*d2fd132ab7bbc6bbb87a84f026fa0244.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if (! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/driver_load/sysmon_windivert_driver_load.ps1 b/Rules/SIGMA/driver_load/sysmon_windivert_driver_load.ps1 new file mode 100644 index 00000000..2f5228fa --- /dev/null +++ b/Rules/SIGMA/driver_load/sysmon_windivert_driver_load.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "6" -and ($_.message -match "ImageLoaded.*.*\WinDivert.sys.*" -or $_.message -match "ImageLoaded.*.*\WinDivert64.sys.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_windivert_driver_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_windivert_driver_load"; + $detectedMessage = "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows"; + $result = $event | where { ($_.ID -eq "6" -and ($_.message -match "ImageLoaded.*.*\\WinDivert.sys.*" -or $_.message -match "ImageLoaded.*.*\\WinDivert64.sys.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_delete/sysmon_sysinternals_sdelete_file_deletion.ps1 b/Rules/SIGMA/file_delete/sysmon_sysinternals_sdelete_file_deletion.ps1 new file mode 100644 index 00000000..89b02a78 --- /dev/null +++ b/Rules/SIGMA/file_delete/sysmon_sysinternals_sdelete_file_deletion.ps1 
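Review bot: The filename pattern `"ImageLoaded.*.*\\DBUtil_2_3.Sys.*"` leaves the dot unescaped and carries a redundant `.*.*`/trailing `.*`; `"ImageLoaded.*\\DBUtil_2_3\.Sys"` is the exact form. The hash alternatives only help if the Sysmon configuration records SHA256, SHA1 and MD5 in the `Hashes` field — presumably true for the target deployment, but a `# NOTE:` comment stating that dependency would explain why three digests per sample are listed. There is also a stray blank line between the closing `}` of the `if` and the `};` that ends `Search-DetectableEvents`, unlike the other rules in this commit.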
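Review bot: `$detectedMessage` misspells the driver as `Windiver`; the product is WinDivert, and that text is what analysts will see in the alert. The two `ImageLoaded` alternatives can be one pattern with the dot escaped, `$_.message -match "ImageLoaded.*\\WinDivert(64)?\.sys"`, which keeps identical coverage (the present `WinDivert.sys` with an unescaped dot does not subsume the 64-bit name, so both are currently needed). As with the other driver-load rules, a renamed copy evades a filename match — worth a `# NOTE:` suggesting a hash or signer check where the config logs them.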
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "23" -and ($_.message -match "TargetFilename.*.*.AAA" -or $_.message -match "TargetFilename.*.*.ZZZ")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_sysinternals_sdelete_file_deletion"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_sysinternals_sdelete_file_deletion"; + $detectedMessage = "A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files."; + $result = $event | where { ($_.ID -eq "23" -and ($_.message -match "TargetFilename.*.*.AAA" -or $_.message -match "TargetFilename.*.*.ZZZ")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_delete/win_cve_2021_1675_printspooler_del.ps1 b/Rules/SIGMA/file_delete/win_cve_2021_1675_printspooler_del.ps1 new file mode 100644 index 00000000..077ed093 --- /dev/null +++ b/Rules/SIGMA/file_delete/win_cve_2021_1675_printspooler_del.ps1 
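Review bot: `"TargetFilename.*.*.AAA"` and `"TargetFilename.*.*.ZZZ"` render an ends-with test as an unanchored contains with an unescaped dot, so `\foo.AAA.bak` or any path with `xAAA` in it also matches, while the intent is a file whose name ends in `.AAA` or `.ZZZ`. Because `-match` runs without multiline mode and the message has further fields after this line, anchor with an inline option: `$_.message -match "(?m)^TargetFilename:.*\.(AAA|ZZZ)\s*$"` (the `\s*` absorbs the CR; confirm the `TargetFilename:` label against a live event 23). The header one-liner has the same imprecision and should be regenerated from the corrected pattern.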
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "23" -and ($_.message -match "Image.*.*spoolsv.exe") -and ($_.message -match "TargetFilename.*.*C:\Windows\System32\spool\drivers\x64\3\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_cve_2021_1675_printspooler_del"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_cve_2021_1675_printspooler_del"; + $detectedMessage = "Detect DLL deletions from Spooler Service driver folder "; + $result = $event | where { ($_.ID -eq "23" -and ($_.message -match "Image.*.*spoolsv.exe") -and ($_.message -match "TargetFilename.*.*C:\\Windows\\System32\\spool\\drivers\\x64\\3\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_event/sysmon_creation_system_file.ps1 b/Rules/SIGMA/file_event/sysmon_creation_system_file.ps1 new file mode 100644 index 00000000..5950acd5 --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_creation_system_file.ps1 
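Review bot: The path filter hard-codes `C:\\Windows\\System32\\spool\\drivers\\x64\\3\\`, so hosts with Windows on another drive, or 32-bit driver stores, fall outside the rule; matching from the store root, `"TargetFilename.*\\spool\\drivers\\.*\\3\\"`, keeps the intent without the drive and architecture assumption. The rule only inspects Sysmon event 23 (FileDelete); if the collector's Sysmon version and config emit FileDeleteDetected (event 26) instead, it stays silent — consider `($_.ID -eq "23" -or $_.ID -eq "26")` once that event is confirmed in scope. `$detectedMessage` ends with a trailing space that will appear in the alert output.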
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\svchost.exe" -or $_.message -match "TargetFilename.*.*\rundll32.exe" -or $_.message -match "TargetFilename.*.*\services.exe" -or $_.message -match "TargetFilename.*.*\powershell.exe" -or $_.message -match "TargetFilename.*.*\regsvr32.exe" -or $_.message -match "TargetFilename.*.*\spoolsv.exe" -or $_.message -match "TargetFilename.*.*\lsass.exe" -or $_.message -match "TargetFilename.*.*\smss.exe" -or $_.message -match "TargetFilename.*.*\csrss.exe" -or $_.message -match "TargetFilename.*.*\conhost.exe" -or $_.message -match "TargetFilename.*.*\wininit.exe" -or $_.message -match "TargetFilename.*.*\lsm.exe" -or $_.message -match "TargetFilename.*.*\winlogon.exe" -or $_.message -match "TargetFilename.*.*\explorer.exe" -or $_.message -match "TargetFilename.*.*\taskhost.exe" -or $_.message -match "TargetFilename.*.*\Taskmgr.exe" -or $_.message -match "TargetFilename.*.*\taskmgr.exe" -or $_.message -match "TargetFilename.*.*\sihost.exe" -or $_.message -match "TargetFilename.*.*\RuntimeBroker.exe" -or $_.message -match "TargetFilename.*.*\runtimebroker.exe" -or $_.message -match "TargetFilename.*.*\smartscreen.exe" -or $_.message -match "TargetFilename.*.*\dllhost.exe" -or $_.message -match "TargetFilename.*.*\audiodg.exe" -or $_.message -match "TargetFilename.*.*\wlanext.exe") -and -not (($_.message -match "TargetFilename.*C:\Windows\System32\.*" -or $_.message -match "TargetFilename.*C:\Windows\system32\.*" -or $_.message -match "TargetFilename.*C:\Windows\SysWow64\.*" -or $_.message -match "TargetFilename.*C:\Windows\SysWOW64\.*" -or $_.message -match "TargetFilename.*C:\Windows\winsxs\.*" -or $_.message -match "TargetFilename.*C:\Windows\WinSxS\.*" -or $_.message -match "TargetFilename.*\SystemRoot\System32\.*") -and ($_.message -match "Image.*.*\Windows\System32\dism.exe"))) } | select 
TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_creation_system_file"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_creation_system_file"; + $detectedMessage = "Detects the creation of a executable with a system process name in a suspicious folder"; + $result = $event | where { (($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\\svchost.exe" -or $_.message -match "TargetFilename.*.*\\rundll32.exe" -or $_.message -match "TargetFilename.*.*\\services.exe" -or $_.message -match "TargetFilename.*.*\\powershell.exe" -or $_.message -match "TargetFilename.*.*\\regsvr32.exe" -or $_.message -match "TargetFilename.*.*\\spoolsv.exe" -or $_.message -match "TargetFilename.*.*\\lsass.exe" -or $_.message -match "TargetFilename.*.*\\smss.exe" -or $_.message -match "TargetFilename.*.*\\csrss.exe" -or $_.message -match "TargetFilename.*.*\\conhost.exe" -or $_.message -match "TargetFilename.*.*\\wininit.exe" -or $_.message -match "TargetFilename.*.*\\lsm.exe" -or $_.message -match "TargetFilename.*.*\\winlogon.exe" -or $_.message -match "TargetFilename.*.*\\explorer.exe" -or $_.message -match "TargetFilename.*.*\\taskhost.exe" -or $_.message -match "TargetFilename.*.*\\Taskmgr.exe" -or $_.message -match "TargetFilename.*.*\\taskmgr.exe" -or $_.message -match "TargetFilename.*.*\\sihost.exe" -or $_.message -match "TargetFilename.*.*\\RuntimeBroker.exe" -or $_.message -match "TargetFilename.*.*\\runtimebroker.exe" -or $_.message -match "TargetFilename.*.*\\smartscreen.exe" -or $_.message -match "TargetFilename.*.*\\dllhost.exe" -or $_.message -match "TargetFilename.*.*\\audiodg.exe" -or $_.message -match "TargetFilename.*.*\\wlanext.exe") -and -not (($_.message -match "TargetFilename.*C:\\Windows\\System32\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\system32\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\SysWow64\\.*" -or $_.message -match 
"TargetFilename.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\winsxs\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\WinSxS\\.*" -or $_.message -match "TargetFilename.*\\SystemRoot\\System32\\.*") -and ($_.message -match "Image.*.*\\Windows\\System32\\dism.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_event/sysmon_cred_dump_tools_dropped_files.ps1 b/Rules/SIGMA/file_event/sysmon_cred_dump_tools_dropped_files.ps1 new file mode 100644 index 00000000..ce2797a5 --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_cred_dump_tools_dropped_files.ps1 
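Review bot: The exclusion `-not ((system-directory patterns) -and (Image ...\\dism.exe))` only suppresses system-directory writes performed by dism.exe, so a Windows Update or TrustedInstaller write of `C:\Windows\System32\svchost.exe` still alerts; if the description's "in a suspicious folder" is the intent, the inner `-and` should be `-or` so that either a system-directory target or a dism.exe writer is excluded — please verify against the upstream Sigma condition before flipping it. PowerShell `-match` is case-insensitive by default, so the `Taskmgr.exe`/`taskmgr.exe`, `RuntimeBroker.exe`/`runtimebroker.exe`, `System32`/`system32`, `SysWow64`/`SysWOW64` and `winsxs`/`WinSxS` pairs are duplicates and one of each can be dropped. A comment such as `# -match is case-insensitive; no need for case variants` above `$result` would keep them from being regenerated.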
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\pwdump.*" -or $_.message -match "TargetFilename.*.*\kirbi.*" -or $_.message -match "TargetFilename.*.*\pwhashes.*" -or $_.message -match "TargetFilename.*.*\wce_ccache.*" -or $_.message -match "TargetFilename.*.*\wce_krbtkts.*" -or $_.message -match "TargetFilename.*.*\fgdump-log.*") -and ($_.message -match "TargetFilename.*.*\test.pwd" -or $_.message -match "TargetFilename.*.*\lsremora64.dll" -or $_.message -match "TargetFilename.*.*\lsremora.dll" -or $_.message -match "TargetFilename.*.*\fgexec.exe" -or $_.message -match "TargetFilename.*.*\wceaux.dll" -or $_.message -match "TargetFilename.*.*\SAM.out" -or $_.message -match "TargetFilename.*.*\SECURITY.out" -or $_.message -match "TargetFilename.*.*\SYSTEM.out" -or $_.message -match "TargetFilename.*.*\NTDS.out" -or $_.message -match "TargetFilename.*.*\DumpExt.dll" -or $_.message -match "TargetFilename.*.*\DumpSvc.exe" -or $_.message -match "TargetFilename.*.*\cachedump64.exe" -or $_.message -match "TargetFilename.*.*\cachedump.exe" -or $_.message -match "TargetFilename.*.*\pstgdump.exe" -or $_.message -match "TargetFilename.*.*\servpw.exe" -or $_.message -match "TargetFilename.*.*\servpw64.exe" -or $_.message -match "TargetFilename.*.*\pwdump.exe" -or $_.message -match "TargetFilename.*.*\procdump64.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_cred_dump_tools_dropped_files"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_cred_dump_tools_dropped_files"; + $detectedMessage = "Files with well-known filenames (parts of credential dump software or files produced by them) creation"; + $result = $event | where { ($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\\pwdump.*" -or $_.message -match "TargetFilename.*.*\\kirbi.*" -or 
$_.message -match "TargetFilename.*.*\\pwhashes.*" -or $_.message -match "TargetFilename.*.*\\wce_ccache.*" -or $_.message -match "TargetFilename.*.*\\wce_krbtkts.*" -or $_.message -match "TargetFilename.*.*\\fgdump-log.*") -and ($_.message -match "TargetFilename.*.*\\test.pwd" -or $_.message -match "TargetFilename.*.*\\lsremora64.dll" -or $_.message -match "TargetFilename.*.*\\lsremora.dll" -or $_.message -match "TargetFilename.*.*\\fgexec.exe" -or $_.message -match "TargetFilename.*.*\\wceaux.dll" -or $_.message -match "TargetFilename.*.*\\SAM.out" -or $_.message -match "TargetFilename.*.*\\SECURITY.out" -or $_.message -match "TargetFilename.*.*\\SYSTEM.out" -or $_.message -match "TargetFilename.*.*\\NTDS.out" -or $_.message -match "TargetFilename.*.*\\DumpExt.dll" -or $_.message -match "TargetFilename.*.*\\DumpSvc.exe" -or $_.message -match "TargetFilename.*.*\\cachedump64.exe" -or $_.message -match "TargetFilename.*.*\\cachedump.exe" -or $_.message -match "TargetFilename.*.*\\pstgdump.exe" -or $_.message -match "TargetFilename.*.*\\servpw.exe" -or $_.message -match "TargetFilename.*.*\\servpw64.exe" -or $_.message -match "TargetFilename.*.*\\pwdump.exe" -or $_.message -match "TargetFilename.*.*\\procdump64.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_event/sysmon_cve_2021_26858_msexchange.ps1 b/Rules/SIGMA/file_event/sysmon_cve_2021_26858_msexchange.ps1 new file mode 100644 index 00000000..dfeaf6f1 --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_cve_2021_26858_msexchange.ps1 
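Review bot: The two filename groups in `$result` are joined with `-and`, so an event must both contain one of the first-group substrings (`\pwdump`, `\kirbi`, `\pwhashes`, `\wce_ccache`, `\wce_krbtkts`, `\fgdump-log`) and end with one of the second-group names; for almost every listed name — `\wceaux.dll`, `\SAM.out`, `\NTDS.out`, `\procdump64.exe` — that is impossible, and in practice the rule fires only for `pwdump`-named files. Each group is a self-sufficient indicator, so the junction should be `-or`: `... -match "TargetFilename.*.*\\fgdump-log.*") -or ($_.message -match "TargetFilename.*.*\\test.pwd" ...`. The header one-liner mirrors the `-and` and should be regenerated; its single backslashes (`\kirbi`, `\SAM.out`) are also regex escapes rather than path separators and would not run as written.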
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and $_.message -match "Image.*.*UMWorkerProcess.exe" -and -not (($_.message -match "TargetFilename.*.*CacheCleanup.bin" -or $_.message -match "TargetFilename.*.*.txt" -or $_.message -match "TargetFilename.*.*.LOG" -or $_.message -match "TargetFilename.*.*.cfg" -or $_.message -match "TargetFilename.*.*cleanup.bin"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_cve_2021_26858_msexchange"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_cve_2021_26858_msexchange"; + $detectedMessage = "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for |"; + $result = $event | where { (($_.ID -eq "11") -and $_.message -match "Image.*.*UMWorkerProcess.exe" -and -not (($_.message -match "TargetFilename.*.*CacheCleanup.bin" -or $_.message -match "TargetFilename.*.*.txt" -or $_.message -match "TargetFilename.*.*.LOG" -or $_.message -match "TargetFilename.*.*.cfg" -or $_.message -match "TargetFilename.*.*cleanup.bin"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_event/sysmon_ghostpack_safetykatz.ps1 b/Rules/SIGMA/file_event/sysmon_ghostpack_safetykatz.ps1 new file mode 100644 index 00000000..cf7a20a0 --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_ghostpack_safetykatz.ps1 
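Review bot: The analyst-facing `$detectedMessage` is cut off: `"Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for |"` ends with the YAML block-scalar marker of the source Sigma description rather than the text, so either finish the sentence or drop the trailing clause. The dots in the exclusion patterns `.txt`, `.LOG` and `.cfg` are unescaped and match any character, which widens what gets suppressed; `\.txt`, `\.LOG`, `\.cfg` keep the exclusion to real extensions. The same unescaped-dot pattern is in sysmon_office_persistence (`.wll`, `.xll`, `.xlam`, `.xla`), sysmon_susp_adsi_cache_usage (`.sch`), sysmon_quarkspw_filedump (`.dmp`) and every `.ps1` name in sysmon_powershell_exploit_scripts, where it only loosens the match slightly.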
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\Temp\debug.bin") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_ghostpack_safetykatz";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_ghostpack_safetykatz";
+ $detectedMessage = "Detects possible SafetyKatz Behaviour";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\Temp\\debug.bin") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/sysmon_hack_dumpert.ps1 b/Rules/SIGMA/file_event/sysmon_hack_dumpert.ps1
new file mode 100644
index 00000000..df0aaf35
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_hack_dumpert.ps1
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Imphash.*09D278F9DE118EF09163C6140255C690") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*C:\\Windows\\Temp\\dumpert.dmp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_hack_dumpert";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_hack_dumpert";
+ $detectedMessage = "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "Imphash.*09D278F9DE118EF09163C6140255C690") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*C:\\Windows\\Temp\\dumpert.dmp") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/sysmon_lsass_memory_dump_file_creation.ps1 b/Rules/SIGMA/file_event/sysmon_lsass_memory_dump_file_creation.ps1
new file mode 100644
index 00000000..e45b53d5
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_lsass_memory_dump_file_creation.ps1
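Review bot: The first branch, `$_.ID -eq "1" -and $_.message -match "Imphash.*09D278F9DE118EF09163C6140255C690"`, only fires if the Sysmon configuration records IMPHASH in its HashAlgorithms; with a SHA256-only configuration the Hashes field never carries an Imphash and this half of the rule silently matches nothing, which deserves a comment on that line such as `# requires IMPHASH in Sysmon <HashAlgorithms>; otherwise only the file-create branch can fire`. The two `[void]$results.Add($tmp)` calls also append `$null` when a branch has no hits; the `if ($result -and ...)` guard in the loop tolerates that, but adding only non-empty results would make the loop's intent clearer.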
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*lsass.*" -and $_.message -match "TargetFilename.*.*dmp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_lsass_memory_dump_file_creation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_lsass_memory_dump_file_creation";
+ $detectedMessage = "LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*lsass.*" -and $_.message -match "TargetFilename.*.*dmp") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/sysmon_non_priv_program_files_move.ps1 b/Rules/SIGMA/file_event/sysmon_non_priv_program_files_move.ps1
new file mode 100644
index 00000000..0ba2d4fc
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_non_priv_program_files_move.ps1
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\Program Files\.*" -or $_.message -match "TargetFilename.*.*\Program Files (x86)\.*") -or ($_.message -match "TargetFilename.*\Windows\.*" -and -not ($_.message -match "TargetFilename.*.*temp.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_non_priv_program_files_move"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_non_priv_program_files_move"; + $detectedMessage = "Search for dropping of files to Windows/Program Files fodlers by non-priviledged processes"; + $result = $event | where { ($_.ID -eq "11" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\\Program Files\\.*" -or $_.message -match "TargetFilename.*.*\\Program Files (x86)\\.*") -or ($_.message -match "TargetFilename.*\\Windows\\.*" -and -not ($_.message -match "TargetFilename.*.*temp.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_event/sysmon_office_persistence.ps1 b/Rules/SIGMA/file_event/sysmon_office_persistence.ps1 new file mode 100644 index 00000000..1206e8bf --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_office_persistence.ps1 
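Review bot: The parentheses in `"TargetFilename.*.*\\Program Files (x86)\\.*"` are regex grouping, so that alternative matches `Program Files x86\` and never the real `Program Files (x86)\` directory; it needs `"TargetFilename.*.*\\Program Files \(x86\)\\.*"` (backslashes are literal in PowerShell double-quoted strings, so `\(` reaches the regex engine intact). `($_.ID -eq "11")` is tested twice in the same expression here and again in sysmon_office_persistence. Separately, I do not believe Sysmon file-create (ID 11) events carry an `IntegrityLevel` field — that belongs to process-create events — so `$_.message -match "IntegrityLevel.*Medium"` may leave this rule unable to fire at all; worth confirming against a captured ID 11 event before it ships.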
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and ($_.ID -eq "11") -and ((($_.message -match "TargetFilename.*.*\Microsoft\Word\Startup\.*" -and $_.message -match "TargetFilename.*.*.wll") -or ($_.message -match "TargetFilename.*.*\Microsoft\Excel\Startup\.*" -and $_.message -match "TargetFilename.*.*.xll")) -or ($_.message -match "TargetFilename.*.*\Microsoft\Addins\.*" -and ($_.message -match "TargetFilename.*.*.xlam" -or $_.message -match "TargetFilename.*.*.xla")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_office_persistence"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_office_persistence"; + $detectedMessage = "Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel)."; + $result = $event | where { (($_.ID -eq "11") -and ($_.ID -eq "11") -and ((($_.message -match "TargetFilename.*.*\\Microsoft\\Word\\Startup\\.*" -and $_.message -match "TargetFilename.*.*.wll") -or ($_.message -match "TargetFilename.*.*\\Microsoft\\Excel\\Startup\\.*" -and $_.message -match "TargetFilename.*.*.xll")) -or ($_.message -match "TargetFilename.*.*\\Microsoft\\Addins\\.*" -and ($_.message -match "TargetFilename.*.*.xlam" -or $_.message -match "TargetFilename.*.*.xla")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
diff --git a/Rules/SIGMA/file_event/sysmon_outlook_newform.ps1 b/Rules/SIGMA/file_event/sysmon_outlook_newform.ps1 new file mode 100644 index 00000000..54ac8afa --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_outlook_newform.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "Image.*\outlook.exe" -and $_.message -match "TargetFilename.*.*\appdata\local\microsoft\FORMS\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_outlook_newform"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_outlook_newform"; + $detectedMessage = "Detects the creation of new Outlook form which can contain malicious code"; + $result = $event | where { ($_.ID -eq "11" -and $_.message -match "Image.*\\outlook.exe" -and $_.message -match "TargetFilename.*.*\\appdata\\local\\microsoft\\FORMS\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_event/sysmon_pcre_net_temp_file.ps1 b/Rules/SIGMA/file_event/sysmon_pcre_net_temp_file.ps1 new file mode 100644 index 00000000..554ae3ea --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_pcre_net_temp_file.ps1 
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_pcre_net_temp_file";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_pcre_net_temp_file";
+ $detectedMessage = "Detects processes creating temp files related to PCRE.NET package";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/sysmon_powershell_exploit_scripts.ps1 b/Rules/SIGMA/file_event/sysmon_powershell_exploit_scripts.ps1
new file mode 100644
index 00000000..e7128afc
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_powershell_exploit_scripts.ps1
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\Invoke-DllInjection.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-WmiCommand.ps1" -or $_.message -match "TargetFilename.*.*\Get-GPPPassword.ps1" -or $_.message -match "TargetFilename.*.*\Get-Keystrokes.ps1" -or $_.message -match "TargetFilename.*.*\Get-VaultCredential.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-CredentialInjection.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-Mimikatz.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-NinjaCopy.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-TokenManipulation.ps1" -or $_.message -match "TargetFilename.*.*\Out-Minidump.ps1" -or $_.message -match "TargetFilename.*.*\VolumeShadowCopyTools.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-ReflectivePEInjection.ps1" -or $_.message -match "TargetFilename.*.*\Get-TimedScreenshot.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-UserHunter.ps1" -or $_.message -match "TargetFilename.*.*\Find-GPOLocation.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-ACLScanner.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-DowngradeAccount.ps1" -or $_.message -match "TargetFilename.*.*\Get-ServiceUnquoted.ps1" -or $_.message -match "TargetFilename.*.*\Get-ServiceFilePermission.ps1" -or $_.message -match "TargetFilename.*.*\Get-ServicePermission.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-ServiceAbuse.ps1" -or $_.message -match "TargetFilename.*.*\Install-ServiceBinary.ps1" -or $_.message -match "TargetFilename.*.*\Get-RegAutoLogon.ps1" -or $_.message -match "TargetFilename.*.*\Get-VulnAutoRun.ps1" -or $_.message -match "TargetFilename.*.*\Get-VulnSchTask.ps1" -or $_.message -match "TargetFilename.*.*\Get-UnattendedInstallFile.ps1" -or $_.message -match "TargetFilename.*.*\Get-WebConfig.ps1" -or $_.message -match "TargetFilename.*.*\Get-ApplicationHost.ps1" -or $_.message -match 
"TargetFilename.*.*\Get-RegAlwaysInstallElevated.ps1" -or $_.message -match "TargetFilename.*.*\Get-Unconstrained.ps1" -or $_.message -match "TargetFilename.*.*\Add-RegBackdoor.ps1" -or $_.message -match "TargetFilename.*.*\Add-ScrnSaveBackdoor.ps1" -or $_.message -match "TargetFilename.*.*\Gupt-Backdoor.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-ADSBackdoor.ps1" -or $_.message -match "TargetFilename.*.*\Enabled-DuplicateToken.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-PsUaCme.ps1" -or $_.message -match "TargetFilename.*.*\Remove-Update.ps1" -or $_.message -match "TargetFilename.*.*\Check-VM.ps1" -or $_.message -match "TargetFilename.*.*\Get-LSASecret.ps1" -or $_.message -match "TargetFilename.*.*\Get-PassHashes.ps1" -or $_.message -match "TargetFilename.*.*\Show-TargetScreen.ps1" -or $_.message -match "TargetFilename.*.*\Port-Scan.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-PoshRatHttp.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-PowerShellTCP.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-PowerShellWMI.ps1" -or $_.message -match "TargetFilename.*.*\Add-Exfiltration.ps1" -or $_.message -match "TargetFilename.*.*\Add-Persistence.ps1" -or $_.message -match "TargetFilename.*.*\Do-Exfiltration.ps1" -or $_.message -match "TargetFilename.*.*\Start-CaptureServer.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-ShellCode.ps1" -or $_.message -match "TargetFilename.*.*\Get-ChromeDump.ps1" -or $_.message -match "TargetFilename.*.*\Get-ClipboardContents.ps1" -or $_.message -match "TargetFilename.*.*\Get-FoxDump.ps1" -or $_.message -match "TargetFilename.*.*\Get-IndexedItem.ps1" -or $_.message -match "TargetFilename.*.*\Get-Screenshot.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-Inveigh.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-NetRipper.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-EgressCheck.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-PostExfil.ps1" -or $_.message -match 
"TargetFilename.*.*\Invoke-PSInject.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-RunAs.ps1" -or $_.message -match "TargetFilename.*.*\MailRaider.ps1" -or $_.message -match "TargetFilename.*.*\New-HoneyHash.ps1" -or $_.message -match "TargetFilename.*.*\Set-MacAttribute.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-DCSync.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-PowerDump.ps1" -or $_.message -match "TargetFilename.*.*\Exploit-Jboss.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-ThunderStruck.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-VoiceTroll.ps1" -or $_.message -match "TargetFilename.*.*\Set-Wallpaper.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-InveighRelay.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-PsExec.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-SSHCommand.ps1" -or $_.message -match "TargetFilename.*.*\Get-SecurityPackages.ps1" -or $_.message -match "TargetFilename.*.*\Install-SSP.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-BackdoorLNK.ps1" -or $_.message -match "TargetFilename.*.*\PowerBreach.ps1" -or $_.message -match "TargetFilename.*.*\Get-SiteListPassword.ps1" -or $_.message -match "TargetFilename.*.*\Get-System.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-BypassUAC.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-Tater.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-WScriptBypassUAC.ps1" -or $_.message -match "TargetFilename.*.*\PowerUp.ps1" -or $_.message -match "TargetFilename.*.*\PowerView.ps1" -or $_.message -match "TargetFilename.*.*\Get-RickAstley.ps1" -or $_.message -match "TargetFilename.*.*\Find-Fruit.ps1" -or $_.message -match "TargetFilename.*.*\HTTP-Login.ps1" -or $_.message -match "TargetFilename.*.*\Find-TrustedDocuments.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-Paranoia.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-WinEnum.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-ARPScan.ps1" -or $_.message -match 
"TargetFilename.*.*\Invoke-PortScan.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-ReverseDNSLookup.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-SMBScanner.ps1" -or $_.message -match "TargetFilename.*.*\Invoke-Mimikittenz.ps1")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_powershell_exploit_scripts"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_powershell_exploit_scripts"; + $detectedMessage = "Detects the creation of known powershell scripts for exploitation"; + $result = $event | where { ($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\\Invoke-DllInjection.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-WmiCommand.ps1" -or $_.message -match "TargetFilename.*.*\\Get-GPPPassword.ps1" -or $_.message -match "TargetFilename.*.*\\Get-Keystrokes.ps1" -or $_.message -match "TargetFilename.*.*\\Get-VaultCredential.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-CredentialInjection.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-Mimikatz.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-NinjaCopy.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-TokenManipulation.ps1" -or $_.message -match "TargetFilename.*.*\\Out-Minidump.ps1" -or $_.message -match "TargetFilename.*.*\\VolumeShadowCopyTools.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ReflectivePEInjection.ps1" -or $_.message -match "TargetFilename.*.*\\Get-TimedScreenshot.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-UserHunter.ps1" -or $_.message -match "TargetFilename.*.*\\Find-GPOLocation.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ACLScanner.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-DowngradeAccount.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ServiceUnquoted.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ServiceFilePermission.ps1" -or $_.message -match 
"TargetFilename.*.*\\Get-ServicePermission.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ServiceAbuse.ps1" -or $_.message -match "TargetFilename.*.*\\Install-ServiceBinary.ps1" -or $_.message -match "TargetFilename.*.*\\Get-RegAutoLogon.ps1" -or $_.message -match "TargetFilename.*.*\\Get-VulnAutoRun.ps1" -or $_.message -match "TargetFilename.*.*\\Get-VulnSchTask.ps1" -or $_.message -match "TargetFilename.*.*\\Get-UnattendedInstallFile.ps1" -or $_.message -match "TargetFilename.*.*\\Get-WebConfig.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ApplicationHost.ps1" -or $_.message -match "TargetFilename.*.*\\Get-RegAlwaysInstallElevated.ps1" -or $_.message -match "TargetFilename.*.*\\Get-Unconstrained.ps1" -or $_.message -match "TargetFilename.*.*\\Add-RegBackdoor.ps1" -or $_.message -match "TargetFilename.*.*\\Add-ScrnSaveBackdoor.ps1" -or $_.message -match "TargetFilename.*.*\\Gupt-Backdoor.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ADSBackdoor.ps1" -or $_.message -match "TargetFilename.*.*\\Enabled-DuplicateToken.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PsUaCme.ps1" -or $_.message -match "TargetFilename.*.*\\Remove-Update.ps1" -or $_.message -match "TargetFilename.*.*\\Check-VM.ps1" -or $_.message -match "TargetFilename.*.*\\Get-LSASecret.ps1" -or $_.message -match "TargetFilename.*.*\\Get-PassHashes.ps1" -or $_.message -match "TargetFilename.*.*\\Show-TargetScreen.ps1" -or $_.message -match "TargetFilename.*.*\\Port-Scan.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PoshRatHttp.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PowerShellTCP.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PowerShellWMI.ps1" -or $_.message -match "TargetFilename.*.*\\Add-Exfiltration.ps1" -or $_.message -match "TargetFilename.*.*\\Add-Persistence.ps1" -or $_.message -match "TargetFilename.*.*\\Do-Exfiltration.ps1" -or $_.message -match "TargetFilename.*.*\\Start-CaptureServer.ps1" -or $_.message -match 
"TargetFilename.*.*\\Invoke-ShellCode.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ChromeDump.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ClipboardContents.ps1" -or $_.message -match "TargetFilename.*.*\\Get-FoxDump.ps1" -or $_.message -match "TargetFilename.*.*\\Get-IndexedItem.ps1" -or $_.message -match "TargetFilename.*.*\\Get-Screenshot.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-Inveigh.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-NetRipper.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-EgressCheck.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PostExfil.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PSInject.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-RunAs.ps1" -or $_.message -match "TargetFilename.*.*\\MailRaider.ps1" -or $_.message -match "TargetFilename.*.*\\New-HoneyHash.ps1" -or $_.message -match "TargetFilename.*.*\\Set-MacAttribute.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-DCSync.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PowerDump.ps1" -or $_.message -match "TargetFilename.*.*\\Exploit-Jboss.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ThunderStruck.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-VoiceTroll.ps1" -or $_.message -match "TargetFilename.*.*\\Set-Wallpaper.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-InveighRelay.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PsExec.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-SSHCommand.ps1" -or $_.message -match "TargetFilename.*.*\\Get-SecurityPackages.ps1" -or $_.message -match "TargetFilename.*.*\\Install-SSP.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-BackdoorLNK.ps1" -or $_.message -match "TargetFilename.*.*\\PowerBreach.ps1" -or $_.message -match "TargetFilename.*.*\\Get-SiteListPassword.ps1" -or $_.message -match "TargetFilename.*.*\\Get-System.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-BypassUAC.ps1" -or $_.message -match 
"TargetFilename.*.*\\Invoke-Tater.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-WScriptBypassUAC.ps1" -or $_.message -match "TargetFilename.*.*\\PowerUp.ps1" -or $_.message -match "TargetFilename.*.*\\PowerView.ps1" -or $_.message -match "TargetFilename.*.*\\Get-RickAstley.ps1" -or $_.message -match "TargetFilename.*.*\\Find-Fruit.ps1" -or $_.message -match "TargetFilename.*.*\\HTTP-Login.ps1" -or $_.message -match "TargetFilename.*.*\\Find-TrustedDocuments.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-Paranoia.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-WinEnum.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ARPScan.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PortScan.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ReverseDNSLookup.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-SMBScanner.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-Mimikittenz.ps1")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_event/sysmon_quarkspw_filedump.ps1 b/Rules/SIGMA/file_event/sysmon_quarkspw_filedump.ps1 new file mode 100644 index 00000000..86561ae4 --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_quarkspw_filedump.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\AppData\Local\Temp\SAM-.*" -and $_.message -match "TargetFilename.*.*.dmp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_quarkspw_filedump"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_quarkspw_filedump"; + $detectedMessage = "Detects a dump file written by QuarksPwDump password dumper"; + $result = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\SAM-.*" -and $_.message -match "TargetFilename.*.*.dmp.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_event/sysmon_redmimicry_winnti_filedrop.ps1 b/Rules/SIGMA/file_event/sysmon_redmimicry_winnti_filedrop.ps1 new file mode 100644 index 00000000..5e58441f --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_redmimicry_winnti_filedrop.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*gthread-3.6.dll.*" -or $_.message -match "TargetFilename.*.*sigcmm-2.4.dll.*" -or $_.message -match "TargetFilename.*.*\Windows\Temp\tmp.bat.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_redmimicry_winnti_filedrop"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_redmimicry_winnti_filedrop"; + $detectedMessage = "Detects actions caused by the RedMimicry Winnti playbook"; + $result = $event | where { ($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*gthread-3.6.dll.*" -or $_.message -match "TargetFilename.*.*sigcmm-2.4.dll.*" -or $_.message -match "TargetFilename.*.*\\Windows\\Temp\\tmp.bat.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_event/sysmon_startup_folder_file_write.ps1 b/Rules/SIGMA/file_event/sysmon_startup_folder_file_write.ps1 new file mode 100644 index 00000000..3b3b1e44 --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_startup_folder_file_write.ps1 
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_startup_folder_file_write";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_startup_folder_file_write";
+ $detectedMessage = "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/sysmon_susp_adsi_cache_usage.ps1 b/Rules/SIGMA/file_event/sysmon_susp_adsi_cache_usage.ps1
new file mode 100644
index 00000000..1849f505
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_susp_adsi_cache_usage.ps1
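Review bot: As written, `"TargetFilename.*.*ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.*"` only covers the all-users startup folder under ProgramData; the per-user startup folder under a user's profile has the same `\Microsoft\Windows\Start Menu\Programs\StartUp` tail but no `ProgramData` prefix and would not match. If restricting the rule to the all-users folder is intentional, a comment on that line saying so (`# all-users startup folder only; per-user Startup under the profile is deliberately out of scope`) stops the next reader from widening it by accident; otherwise dropping the `ProgramData` prefix covers both.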
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\Local\Microsoft\Windows\SchCache\.*" -and $_.message -match "TargetFilename.*.*.sch") -and -not (($_.message -match "C:\windows\system32\svchost.exe" -or $_.message -match "C:\windows\system32\dllhost.exe" -or $_.message -match "C:\windows\system32\mmc.exe" -or $_.message -match "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe" -or $_.message -match "C:\Windows\CCM\CcmExec.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_adsi_cache_usage";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_adsi_cache_usage";
+ $detectedMessage = "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.";
+ $result = $event | where { (($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\\Local\\Microsoft\\Windows\\SchCache\\.*" -and $_.message -match "TargetFilename.*.*.sch") -and -not (($_.message -match "C:\\windows\\system32\\svchost.exe" -or $_.message -match "C:\\windows\\system32\\dllhost.exe" -or $_.message -match "C:\\windows\\system32\\mmc.exe" -or $_.message -match "C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" -or $_.message -match "C:\\Windows\\CCM\\CcmExec.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
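Review bot: The process exclusions in the `$result` filter are bare paths (`"C:\\windows\\system32\\svchost.exe"`, `"C:\\Windows\\CCM\\CcmExec.exe"`), so they suppress the event if that string appears on any line of the message, whereas sysmon_susp_procexplorer_driver_created_in_tmp_folder scopes its exclusions to the image field with `"Image.*.*\\procexp64.exe.*"`. For a file-creation event the exclusion is presumably meant for the writing process, so prefixing each with the field, e.g. `$_.message -match "Image.*C:\\windows\\system32\\svchost.exe"`, keeps it from being satisfied by a path that shows up in TargetFilename instead. sysmon_susp_desktop_ini has the same unscoped exclusions for explorer.exe, msiexec.exe and mmc.exe.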
diff --git a/Rules/SIGMA/file_event/sysmon_susp_clr_logs.ps1 b/Rules/SIGMA/file_event/sysmon_susp_clr_logs.ps1
new file mode 100644
index 00000000..3a1350d7
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_susp_clr_logs.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\AppData\Local\Microsoft\CLR.*" -and $_.message -match "TargetFilename.*.*\UsageLogs\.*" -and ($_.message -match "TargetFilename.*.*mshta.*" -or $_.message -match "TargetFilename.*.*cscript.*" -or $_.message -match "TargetFilename.*.*wscript.*" -or $_.message -match "TargetFilename.*.*regsvr32.*" -or $_.message -match "TargetFilename.*.*wmic.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_clr_logs";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_clr_logs";
+ $detectedMessage = "Detects suspicious .NET assembly executions ";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\AppData\\Local\\Microsoft\\CLR.*" -and $_.message -match "TargetFilename.*.*\\UsageLogs\\.*" -and ($_.message -match "TargetFilename.*.*mshta.*" -or $_.message -match "TargetFilename.*.*cscript.*" -or $_.message -match "TargetFilename.*.*wscript.*" -or $_.message -match "TargetFilename.*.*regsvr32.*" -or $_.message -match "TargetFilename.*.*wmic.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/sysmon_susp_desktop_ini.ps1 b/Rules/SIGMA/file_event/sysmon_susp_desktop_ini.ps1
new file mode 100644
index 00000000..8c5e405f
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_susp_desktop_ini.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and $_.message -match "TargetFilename.*.*\desktop.ini" -and -not (($_.message -match "C:\Windows\explorer.exe" -or $_.message -match "C:\Windows\System32\msiexec.exe" -or $_.message -match "C:\Windows\System32\mmc.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_desktop_ini";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_desktop_ini";
+ $detectedMessage = "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.";
+ $result = $event | where { (($_.ID -eq "11") -and $_.message -match "TargetFilename.*.*\\desktop.ini" -and -not (($_.message -match "C:\\Windows\\explorer.exe" -or $_.message -match "C:\\Windows\\System32\\msiexec.exe" -or $_.message -match "C:\\Windows\\System32\\mmc.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/sysmon_susp_pfx_file_creation.ps1 b/Rules/SIGMA/file_event/sysmon_susp_pfx_file_creation.ps1
new file mode 100644
index 00000000..49b9be09
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_susp_pfx_file_creation.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*.pfx") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_pfx_file_creation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_pfx_file_creation";
+ $detectedMessage = "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*.pfx") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.ps1 b/Rules/SIGMA/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.ps1
new file mode 100644
index 00000000..c919fb52
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\AppData\Local\Temp\.*" -and $_.message -match "TargetFilename.*.*PROCEXP152.sys") -and -not (($_.message -match "Image.*.*\procexp64.exe.*" -or $_.message -match "Image.*.*\procexp.exe.*" -or $_.message -match "Image.*.*\procmon64.exe.*" -or $_.message -match "Image.*.*\procmon.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_procexplorer_driver_created_in_tmp_folder";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_procexplorer_driver_created_in_tmp_folder";
+ $detectedMessage = "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.";
+ $result = $event | where { (($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\.*" -and $_.message -match "TargetFilename.*.*PROCEXP152.sys") -and -not (($_.message -match "Image.*.*\\procexp64.exe.*" -or $_.message -match "Image.*.*\\procexp.exe.*" -or $_.message -match "Image.*.*\\procmon64.exe.*" -or $_.message -match "Image.*.*\\procmon.exe.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/sysmon_tsclient_filewrite_startup.ps1 b/Rules/SIGMA/file_event/sysmon_tsclient_filewrite_startup.ps1
new file mode 100644
index 00000000..95cb3056
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_tsclient_filewrite_startup.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "Image.*.*\mstsc.exe" -and $_.message -match "TargetFilename.*.*\Microsoft\Windows\Start Menu\Programs\Startup\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_tsclient_filewrite_startup";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_tsclient_filewrite_startup";
+ $detectedMessage = "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "Image.*.*\\mstsc.exe" -and $_.message -match "TargetFilename.*.*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/sysmon_webshell_creation_detect.ps1 b/Rules/SIGMA/file_event/sysmon_webshell_creation_detect.ps1
new file mode 100644
index 00000000..82bd06ad
--- /dev/null
+++ b/Rules/SIGMA/file_event/sysmon_webshell_creation_detect.ps1
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and (((($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\inetpub\wwwroot\.*" -and ($_.message -match "TargetFilename.*.*.asp.*" -or $_.message -match "TargetFilename.*.*.ashx.*" -or $_.message -match "TargetFilename.*.*.ph.*")) -and -not (($_.message -match "TargetFilename.*.*\AppData\Local\Temp\.*" -or $_.message -match "TargetFilename.*.*\Windows\Temp\.*"))) -or (($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\www\.*" -or $_.message -match "TargetFilename.*.*\htdocs\.*" -or $_.message -match "TargetFilename.*.*\html\.*") -and $_.message -match "TargetFilename.*.*.ph.*") -and -not (($_.message -match "TargetFilename.*.*\AppData\Local\Temp\.*" -or $_.message -match "TargetFilename.*.*\Windows\Temp\.*")))) -or (($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*.jsp" -or ($_.message -match "TargetFilename.*.*\cgi-bin\.*" -and $_.message -match "TargetFilename.*.*.pl.*")) -and -not (($_.message -match "TargetFilename.*.*\AppData\Local\Temp\.*" -or $_.message -match "TargetFilename.*.*\Windows\Temp\.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_webshell_creation_detect"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_webshell_creation_detect"; + $detectedMessage = "Possible webshell file creation on a static web site"; + $result = $event | where { (($_.ID -eq "11") -and (((($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\\inetpub\\wwwroot\\.*" -and ($_.message -match "TargetFilename.*.*.asp.*" -or $_.message -match "TargetFilename.*.*.ashx.*" -or $_.message -match "TargetFilename.*.*.ph.*")) -and -not (($_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\.*" -or $_.message -match "TargetFilename.*.*\\Windows\\Temp\\.*"))) -or (($_.ID -eq "11") -and (($_.message -match 
"TargetFilename.*.*\\www\\.*" -or $_.message -match "TargetFilename.*.*\\htdocs\\.*" -or $_.message -match "TargetFilename.*.*\\html\\.*") -and $_.message -match "TargetFilename.*.*.ph.*") -and -not (($_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\.*" -or $_.message -match "TargetFilename.*.*\\Windows\\Temp\\.*")))) -or (($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*.jsp" -or ($_.message -match "TargetFilename.*.*\\cgi-bin\\.*" -and $_.message -match "TargetFilename.*.*.pl.*")) -and -not (($_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\.*" -or $_.message -match "TargetFilename.*.*\\Windows\\Temp\\.*"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/file_event/sysmon_wmi_persistence_script_event_consumer_write.ps1 b/Rules/SIGMA/file_event/sysmon_wmi_persistence_script_event_consumer_write.ps1 new file mode 100644 index 00000000..7b916c64 --- /dev/null +++ b/Rules/SIGMA/file_event/sysmon_wmi_persistence_script_event_consumer_write.ps1 
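Review bot: The `$result` filter re-tests `($_.ID -eq "11")` inside each of the three OR branches even though the outer conjunct `(($_.ID -eq "11") -and (...))` has already established it, which makes an already long predicate harder to read and to check against the original Sigma logic. Dropping the inner ID checks leaves the three branches as pure path/extension tests, e.g. `(($_.message -match "TargetFilename.*\\inetpub\\wwwroot\\.*" -and (...)) -and -not (...))`, with no change in which events match. The `-not ((... \\AppData\\Local\\Temp\\.* -or ... \\Windows\\Temp\\.*))` exclusion is also repeated verbatim in every branch and could be hoisted to the outer `-and` for the same reason.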
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "Image.*C:\WINDOWS\system32\wbem\scrcons.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_wmi_persistence_script_event_consumer_write";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_wmi_persistence_script_event_consumer_write";
+ $detectedMessage = "Detects file writes of WMI script event consumer";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "Image.*C:\\WINDOWS\\system32\\wbem\\scrcons.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/win_cve_2021_1675_printspooler.ps1 b/Rules/SIGMA/file_event/win_cve_2021_1675_printspooler.ps1
new file mode 100644
index 00000000..38a711ff
--- /dev/null
+++ b/Rules/SIGMA/file_event/win_cve_2021_1675_printspooler.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*C:\Windows\System32\spool\drivers\x64\3\old\1\123.*" -or $_.message -match "TargetFilename.*.*C:\Windows\System32\spool\drivers\x64\3\New\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_cve_2021_1675_printspooler";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_cve_2021_1675_printspooler";
+ $detectedMessage = "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675";
+ $result = $event | where { ($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\123.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/win_hivenightmare_file_exports.ps1 b/Rules/SIGMA/file_event/win_hivenightmare_file_exports.ps1
new file mode 100644
index 00000000..d6b5be48
--- /dev/null
+++ b/Rules/SIGMA/file_event/win_hivenightmare_file_exports.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\hive_sam_.*" -or $_.message -match "TargetFilename.*.*\SAM-2021-.*" -or $_.message -match "TargetFilename.*.*\SAM-2022-.*" -or $_.message -match "TargetFilename.*.*\SAM-haxx.*" -or $_.message -match "TargetFilename.*.*\Sam.save.*") -or ($_.message -match "C:\windows\temp\sam"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_hivenightmare_file_exports";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_hivenightmare_file_exports";
+ $detectedMessage = "Detects files written by the different tools that exploit HiveNightmare";
+ $result = $event | where { (($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\\hive_sam_.*" -or $_.message -match "TargetFilename.*.*\\SAM-2021-.*" -or $_.message -match "TargetFilename.*.*\\SAM-2022-.*" -or $_.message -match "TargetFilename.*.*\\SAM-haxx.*" -or $_.message -match "TargetFilename.*.*\\Sam.save.*") -or ($_.message -match "C:\\windows\\temp\\sam"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/win_outlook_c2_macro_creation.ps1 b/Rules/SIGMA/file_event/win_outlook_c2_macro_creation.ps1
new file mode 100644
index 00000000..741c0d16
--- /dev/null
+++ b/Rules/SIGMA/file_event/win_outlook_c2_macro_creation.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\Microsoft\Outlook\VbaProject.OTM") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_outlook_c2_macro_creation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_outlook_c2_macro_creation";
+ $detectedMessage = "Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry $result = File Creation happens at the same time.";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\Microsoft\\Outlook\\VbaProject.OTM") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/win_rclone_exec_file.ps1 b/Rules/SIGMA/file_event/win_rclone_exec_file.ps1
new file mode 100644
index 00000000..64829dd5
--- /dev/null
+++ b/Rules/SIGMA/file_event/win_rclone_exec_file.ps1
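Review bot: `$detectedMessage` is a double-quoted string that contains `Registry $result = File Creation`, so PowerShell interpolates `$result` when the line runs; `$result` is not assigned until the next statement, so the printed description reads "both events Registry  = File Creation" (or worse, embeds whatever an enclosing scope holds in `$result`). This looks like a conversion artifact where a conjunction in the original description turned into a variable reference. Either restore the conjunction, `... if both events Registry and File Creation happen at the same time.`, or single-quote the description so nothing in it can interpolate; every other `$detectedMessage` in this diff is plain text and does not have this problem.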
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*:\Users\.*" -and $_.message -match "TargetFilename.*.*\.config\rclone\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_rclone_exec_file";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rclone_exec_file";
+ $detectedMessage = "Detects Rclone config file being created";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*:\\Users\\.*" -and $_.message -match "TargetFilename.*.*\\.config\\rclone\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/win_susp_desktopimgdownldr_file.ps1 b/Rules/SIGMA/file_event/win_susp_desktopimgdownldr_file.ps1
new file mode 100644
index 00000000..de19b6b2
--- /dev/null
+++ b/Rules/SIGMA/file_event/win_susp_desktopimgdownldr_file.ps1
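Review bot: This file formats the registration guard as `if (! $ruleStack[$ruleName]) {` with `}` and `else {` on separate lines (hence the 32-line hunk), while every other new rule in view writes `if(! $ruleStack[$ruleName]) {` and `} else {` on one line. win_susp_desktopimgdownldr_file and sysmon_in_memory_powershell have the same variant, which suggests two versions of the rule generator were used. Since these files are meant to be regenerated from Sigma sources, it is worth normalising to one layout now so later diffs show only rule changes and not brace moves.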
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and (($_.message -match "Image.*.*svchost.exe" -and $_.message -match "TargetFilename.*.*\Personalization\LockScreenImage\.*") -and -not ($_.message -match "TargetFilename.*.*C:\Windows\.*")) -and -not (($_.message -match "TargetFilename.*.*.jpg.*" -or $_.message -match "TargetFilename.*.*.jpeg.*" -or $_.message -match "TargetFilename.*.*.png.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_desktopimgdownldr_file";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_desktopimgdownldr_file";
+ $detectedMessage = "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension";
+ $result = $event | where { (($_.ID -eq "11") -and (($_.message -match "Image.*.*svchost.exe" -and $_.message -match "TargetFilename.*.*\\Personalization\\LockScreenImage\\.*") -and -not ($_.message -match "TargetFilename.*.*C:\\Windows\\.*")) -and -not (($_.message -match "TargetFilename.*.*.jpg.*" -or $_.message -match "TargetFilename.*.*.jpeg.*" -or $_.message -match "TargetFilename.*.*.png.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/file_event/win_susp_multiple_files_renamed_or_deleted.ps1 b/Rules/SIGMA/file_event/win_susp_multiple_files_renamed_or_deleted.ps1
new file mode 100644
index 00000000..38baab09
--- /dev/null
+++ b/Rules/SIGMA/file_event/win_susp_multiple_files_renamed_or_deleted.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4663" -and $_.message -match "ObjectType.*File" -and $_.message -match "AccessList.*%%1537" -and $_.message -match "Keywords.*0x8020000000000000") } | group-object SubjectLogonId | where { $_.count -gt 10 } | select name,count | sort -desc
+
+function Add-Rule {
+
+ $ruleName = "win_susp_multiple_files_renamed_or_deleted";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_multiple_files_renamed_or_deleted";
+ $detectedMessage = "Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).";
+ $result = $event | where { ($_.ID -eq "4663" -and $_.message -match "ObjectType.*File" -and $_.message -match "AccessList.*%%1537" -and $_.message -match "Keywords.*0x8020000000000000") } | group-object SubjectLogonId | where { $_.count -gt 10 } | select name, count | sort -desc;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/image_load/sysmon_abusing_azure_browser_sso.ps1 b/Rules/SIGMA/image_load/sysmon_abusing_azure_browser_sso.ps1
new file mode 100644
index 00000000..1ebd02ad
--- /dev/null
+++ b/Rules/SIGMA/image_load/sysmon_abusing_azure_browser_sso.ps1
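Review bot: `group-object SubjectLogonId` in the `$result` pipeline groups on a property that nothing else in this diff treats as present on the records — every other field (ObjectType, AccessList, Keywords) is pulled out of `$_.message` with `-match`. If `$event` carries the raw event records the commented Get-WinEvent line suggests, that property is absent, all events fall into a single group, and `$_.count -gt 10` becomes a global count rather than the per-user threshold the description promises; also no time window is applied, although `$detectedMessage` says "within a specified period of time". Grouping on a value parsed from the message, e.g. `group-object { if ($_.message -match 'Logon ID:\s+(0x[0-9A-Fa-f]+)') { $matches[1] } }`, would restore the per-logon-session count; the time-window claim should either be implemented against TimeCreated or dropped from the message. `sort -desc` with no property sorts the group objects themselves, so it is probably intended as `sort count -desc`.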
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and $_.message -match "ImageLoaded.*.*MicrosoftAccountTokenProvider.dll" -and -not (($_.message -match "Image.*.*BackgroundTaskHost.exe" -or $_.message -match "Image.*.*devenv.exe" -or $_.message -match "Image.*.*iexplore.exe" -or $_.message -match "Image.*.*MicrosoftEdge.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_abusing_azure_browser_sso";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_abusing_azure_browser_sso";
+ $detectedMessage = "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.";
+ $result = $event | where { (($_.ID -eq "7") -and $_.message -match "ImageLoaded.*.*MicrosoftAccountTokenProvider.dll" -and -not (($_.message -match "Image.*.*BackgroundTaskHost.exe" -or $_.message -match "Image.*.*devenv.exe" -or $_.message -match "Image.*.*iexplore.exe" -or $_.message -match "Image.*.*MicrosoftEdge.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/image_load/sysmon_alternate_powershell_hosts_moduleload.ps1 b/Rules/SIGMA/image_load/sysmon_alternate_powershell_hosts_moduleload.ps1
new file mode 100644
index 00000000..4e0f6288
--- /dev/null
+++ b/Rules/SIGMA/image_load/sysmon_alternate_powershell_hosts_moduleload.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ($_.message -match "Description.*System.Management.Automation" -and $_.message -match "ImageLoaded.*.*System.Management.Automation.*") -and -not ($_.message -match "Image.*.*\powershell.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_alternate_powershell_hosts_moduleload";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_alternate_powershell_hosts_moduleload";
+ $detectedMessage = "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe";
+ $result = $event | where { (($_.ID -eq "7") -and ($_.message -match "Description.*System.Management.Automation" -and $_.message -match "ImageLoaded.*.*System.Management.Automation.*") -and -not ($_.message -match "Image.*.*\powershell.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/image_load/sysmon_in_memory_powershell.ps1 b/Rules/SIGMA/image_load/sysmon_in_memory_powershell.ps1
new file mode 100644
index 00000000..d526f221
--- /dev/null
+++ b/Rules/SIGMA/image_load/sysmon_in_memory_powershell.ps1
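Review bot: The exclusion in the `$result` line, `-not ($_.message -match "Image.*.*\powershell.exe")`, keeps a single backslash where every other new rule doubles it for the live filter (compare `"Image.*.*\\powershell.exe"` in sysmon_in_memory_powershell); in .NET regex `\p` is only valid as `\p{category}`, so this pattern is rejected and the `-match` throws for each event instead of filtering, leaving the rule erroring rather than reporting. Changing it to `-not ($_.message -match "Image.*.*\\powershell.exe")` restores the intended "PowerShell assembly loaded by something other than powershell.exe" logic. The single backslash in the commented Get-WinEvent line is consistent with the other files' comments and is not the problem.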
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ($_.message -match "ImageLoaded.*.*\System.Management.Automation.Dll" -or $_.message -match "ImageLoaded.*.*\System.Management.Automation.ni.Dll") -and -not (($_.message -match "Image.*.*\powershell.exe" -or $_.message -match "Image.*.*\powershell_ise.exe" -or $_.message -match "Image.*.*\WINDOWS\System32\sdiagnhost.exe" -or $_.message -match "Image.*.*\mscorsvw.exe" -or $_.message -match "Image.*.*\WINDOWS\System32\RemoteFXvGPUDisablement.exe" -or $_.message -match "Image.*.*\sqlps.exe" -or $_.message -match "Image.*.*\wsmprovhost.exe" -or $_.message -match "Image.*.*\winrshost.exe" -or $_.message -match "Image.*.*\syncappvpublishingserver.exe" -or $_.message -match "Image.*.*\runscripthelper.exe" -or $_.message -match "Image.*.*\ServerManager.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_in_memory_powershell"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_in_memory_powershell"; + $detectedMessage = "Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. 
Detects meterpreter's ""load powershell"" extension."; + $result = $event | where { (($_.ID -eq "7") -and ($_.message -match "ImageLoaded.*.*\\System.Management.Automation.Dll" -or $_.message -match "ImageLoaded.*.*\\System.Management.Automation.ni.Dll") -and -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\WINDOWS\\System32\\sdiagnhost.exe" -or $_.message -match "Image.*.*\\mscorsvw.exe" -or $_.message -match "Image.*.*\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe" -or $_.message -match "Image.*.*\\sqlps.exe" -or $_.message -match "Image.*.*\\wsmprovhost.exe" -or $_.message -match "Image.*.*\\winrshost.exe" -or $_.message -match "Image.*.*\\syncappvpublishingserver.exe" -or $_.message -match "Image.*.*\\runscripthelper.exe" -or $_.message -match "Image.*.*\\ServerManager.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_pcre_net_load.ps1 b/Rules/SIGMA/image_load/sysmon_pcre_net_load.ps1 new file mode 100644 index 00000000..854ac3be --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_pcre_net_load.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "ImageLoaded.*.*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_pcre_net_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_pcre_net_load"; + $detectedMessage = "Detects processes loading modules related to PCRE.NET package"; + $result = $event | where { ($_.ID -eq "7" -and $_.message -match "ImageLoaded.*.*\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_powershell_execution_moduleload.ps1 b/Rules/SIGMA/image_load/sysmon_powershell_execution_moduleload.ps1 new file mode 100644 index 00000000..93b3fb63 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_powershell_execution_moduleload.ps1 
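Review bot: The directory name `ba9ea7344a4a5f591d6e5dc32a13494b` in both the header comment and the `$result` filter is an undocumented magic constant; a maintainer cannot tell whether it is stable or version-specific. Add a comment above the filter such as `# Temp sub-directory into which the PCRE.NET package unpacks its native modules; presumably stable across package versions — confirm against the upstream Sigma rule`.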
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Description.*System.Management.Automation" -and $_.message -match "ImageLoaded.*.*System.Management.Automation.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_powershell_execution_moduleload"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_powershell_execution_moduleload"; + $detectedMessage = "Detects execution of PowerShell"; + $result = $event | where { ($_.ID -eq "7" -and $_.message -match "Description.*System.Management.Automation" -and $_.message -match "ImageLoaded.*.*System.Management.Automation.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.ps1 b/Rules/SIGMA/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.ps1 new file mode 100644 index 00000000..59e3228a --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.ps1 
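Review bot: `$detectedMessage` says "Detects execution of PowerShell" but the filter (`Description.*System.Management.Automation` plus `ImageLoaded.*System.Management.Automation`) matches every load of the PowerShell engine, ordinary interactive sessions included, with none of the host allowlist that sysmon_in_memory_powershell (L241–L242) applies. Document the intent so operators do not treat each hit as an alert: `# High-volume rule: fires for every PowerShell host process; suited to baselining/hunting rather than alerting`. If the two rules are meant to be complementary, a cross-reference comment naming sysmon_in_memory_powershell would make that explicit.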
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*.*\scrcons.exe" -and ($_.message -match "ImageLoaded.*.*\vbscript.dll" -or $_.message -match "ImageLoaded.*.*\wbemdisp.dll" -or $_.message -match "ImageLoaded.*.*\wshom.ocx" -or $_.message -match "ImageLoaded.*.*\scrrun.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_scrcons_imageload_wmi_scripteventconsumer"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_scrcons_imageload_wmi_scripteventconsumer"; + $detectedMessage = "Detects signs of the WMI script host process %SystemRoot%system32wbemscrcons.exe functionality being used via images being loaded by a process."; + $result = $event | where { ($_.ID -eq "7" -and $_.message -match "Image.*.*\\scrcons.exe" -and ($_.message -match "ImageLoaded.*.*\\vbscript.dll" -or $_.message -match "ImageLoaded.*.*\\wbemdisp.dll" -or $_.message -match "ImageLoaded.*.*\\wshom.ocx" -or $_.message -match "ImageLoaded.*.*\\scrrun.dll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_spoolsv_dll_load.ps1 b/Rules/SIGMA/image_load/sysmon_spoolsv_dll_load.ps1 new file mode 100644 index 00000000..c35be462 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_spoolsv_dll_load.ps1 
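Review bot: The path in `$detectedMessage` has lost its separators (`%SystemRoot%system32wbemscrcons.exe`); a backslash is literal in a PowerShell double-quoted string, so it can simply read `%SystemRoot%\system32\wbem\scrcons.exe`. The same loss appears in `C:WindowsSystem32` in sysmon_svchost_dll_search_order_hijack (L263). These messages are what an analyst sees on a hit, so the paths should be exact.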
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*spoolsv.exe") -and ($_.message -match "ImageLoaded.*.*\Windows\System32\spool\drivers\x64\3\.*") -and ($_.message -match "ImageLoaded.*.*.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_spoolsv_dll_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_spoolsv_dll_load"; + $detectedMessage = "Detect DLL Load from Spooler Service backup folder"; + $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*spoolsv.exe") -and ($_.message -match "ImageLoaded.*.*\\Windows\\System32\\spool\\drivers\\x64\\3\\.*") -and ($_.message -match "ImageLoaded.*.*.dll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_fax_dll.ps1 b/Rules/SIGMA/image_load/sysmon_susp_fax_dll.ps1 new file mode 100644 index 00000000..5881ac9c --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_fax_dll.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and (($_.message -match "Image.*.*fxssvc.exe") -and ($_.message -match "ImageLoaded.*.*ualapi.dll")) -and -not (($_.message -match "ImageLoaded.*C:\Windows\WinSxS\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_fax_dll"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_fax_dll"; + $detectedMessage = "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service."; + $result = $event | where { (($_.ID -eq "7") -and (($_.message -match "Image.*.*fxssvc.exe") -and ($_.message -match "ImageLoaded.*.*ualapi.dll")) -and -not (($_.message -match "ImageLoaded.*C:\\Windows\\WinSxS\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_image_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_image_load.ps1 new file mode 100644 index 00000000..0c6eef0d --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_image_load.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\notepad.exe") -and ($_.message -match "ImageLoaded.*.*\samlib.dll" -or $_.message -match "ImageLoaded.*.*\WinSCard.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_image_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_image_load"; + $detectedMessage = "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz"; + $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*\\notepad.exe") -and ($_.message -match "ImageLoaded.*.*\\samlib.dll" -or $_.message -match "ImageLoaded.*.*\\WinSCard.dll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_office_dotnet_assembly_dll_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_office_dotnet_assembly_dll_load.ps1 new file mode 100644 index 00000000..a12a3822 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_office_dotnet_assembly_dll_load.ps1 
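Review bot: `$detectedMessage` claims detection of samlib.dll/WinSCard.dll loads "from untypical process", but the `$result` filter only covers `Image.*.*\\notepad.exe`, so the message overstates the rule's scope. Either narrow the text, e.g. `Detects notepad.exe loading samlib.dll or WinSCard.dll (e.g. via process hollowing by Mimikatz); other host processes are not covered`, or add a comment above the filter stating that notepad.exe is the only image matched and why.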
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\winword.exe" -or $_.message -match "Image.*.*\powerpnt.exe" -or $_.message -match "Image.*.*\excel.exe" -or $_.message -match "Image.*.*\outlook.exe") -and ($_.message -match "ImageLoaded.*C:\Windows\assembly\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_office_dotnet_assembly_dll_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_office_dotnet_assembly_dll_load"; + $detectedMessage = "Detects any assembly DLL being loaded by an Office Product"; + $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*C:\\Windows\\assembly\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_office_dotnet_clr_dll_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_office_dotnet_clr_dll_load.ps1 new file mode 100644 index 00000000..219dd80c --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_office_dotnet_clr_dll_load.ps1 
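Review bot: The four-way Office image list (`winword.exe`, `powerpnt.exe`, `excel.exe`, `outlook.exe`) is copied verbatim into the filter of each of the seven Office rules (L249–L253, L257, L258), so adding another host later means editing seven regexes and risks drift. A per-file comment such as `# Office host list duplicated in the other sysmon_susp_office_* / sysmon_susp_winword_* rules; keep in sync` is the minimum; if the loader permits shared helpers, a single `$officeImages` pattern would be better. Whether the loader can share state between rule files is not visible here.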
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\winword.exe" -or $_.message -match "Image.*.*\powerpnt.exe" -or $_.message -match "Image.*.*\excel.exe" -or $_.message -match "Image.*.*\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\clr.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_office_dotnet_clr_dll_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_office_dotnet_clr_dll_load"; + $detectedMessage = "Detects CLR DLL being loaded by an Office Product"; + $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\\clr.dll.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_office_dotnet_gac_dll_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_office_dotnet_gac_dll_load.ps1 new file mode 100644 index 00000000..2f4defa5 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_office_dotnet_gac_dll_load.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\winword.exe" -or $_.message -match "Image.*.*\powerpnt.exe" -or $_.message -match "Image.*.*\excel.exe" -or $_.message -match "Image.*.*\outlook.exe") -and ($_.message -match "ImageLoaded.*C:\Windows\Microsoft.NET\assembly\GAC_MSIL.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_office_dotnet_gac_dll_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_office_dotnet_gac_dll_load"; + $detectedMessage = "Detects any GAC DLL being loaded by an Office Product"; + $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_office_dsparse_dll_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_office_dsparse_dll_load.ps1 new file mode 100644 index 00000000..75a5b231 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_office_dsparse_dll_load.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\winword.exe" -or $_.message -match "Image.*.*\powerpnt.exe" -or $_.message -match "Image.*.*\excel.exe" -or $_.message -match "Image.*.*\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\dsparse.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_office_dsparse_dll_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_office_dsparse_dll_load"; + $detectedMessage = "Detects DSParse DLL being loaded by an Office Product"; + $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\\dsparse.dll.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_office_kerberos_dll_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_office_kerberos_dll_load.ps1 new file mode 100644 index 00000000..27496631 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_office_kerberos_dll_load.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\winword.exe" -or $_.message -match "Image.*.*\powerpnt.exe" -or $_.message -match "Image.*.*\excel.exe" -or $_.message -match "Image.*.*\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\kerberos.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_office_kerberos_dll_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_office_kerberos_dll_load"; + $detectedMessage = "Detects Kerberos DLL being loaded by an Office Product"; + $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\\kerberos.dll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_python_image_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_python_image_load.ps1 new file mode 100644 index 00000000..47bc6ea3 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_python_image_load.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Description.*Python Core") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_python_image_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_python_image_load"; + $detectedMessage = "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe."; + $result = $event | where { ($_.ID -eq "7" -and $_.message -match "Description.*Python Core") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_script_dotnet_clr_dll_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_script_dotnet_clr_dll_load.ps1 new file mode 100644 index 00000000..775c037c --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_script_dotnet_clr_dll_load.ps1 
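Review bot: `Description.*Python Core` in the `$result` filter matches any process that loads the official Python runtime DLL, not only Py2Exe bundles as `$detectedMessage` states, so hosts with Python installed will presumably produce steady hits. Either qualify the message, e.g. `Detects the image load of Python Core; may indicate a Py2Exe-bundled script but also fires for regular Python installs`, or add a comment above the filter documenting the expected false-positive sources.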
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\wscript.exe" -or $_.message -match "Image.*.*\cscript.exe" -or $_.message -match "Image.*.*\mshta.exe") -and ($_.message -match "ImageLoaded.*.*\clr.dll" -or $_.message -match "ImageLoaded.*.*\mscoree.dll" -or $_.message -match "ImageLoaded.*.*\mscorlib.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_script_dotnet_clr_dll_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_script_dotnet_clr_dll_load"; + $detectedMessage = "Detects CLR DLL being loaded by an scripting applications"; + $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\mshta.exe") -and ($_.message -match "ImageLoaded.*.*\\clr.dll" -or $_.message -match "ImageLoaded.*.*\\mscoree.dll" -or $_.message -match "ImageLoaded.*.*\\mscorlib.dll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_system_drawing_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_system_drawing_load.ps1 new file mode 100644 index 00000000..2c7bfd44 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_system_drawing_load.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and $_.message -match "ImageLoaded.*.*\System.Drawing.ni.dll" -and -not ($_.message -match "Image.*.*\WmiPrvSE.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_system_drawing_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_system_drawing_load"; + $detectedMessage = "A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture."; + $result = $event | where { (($_.ID -eq "7") -and $_.message -match "ImageLoaded.*.*\\System.Drawing.ni.dll" -and -not ($_.message -match "Image.*.*\\WmiPrvSE.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_winword_vbadll_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_winword_vbadll_load.ps1 new file mode 100644 index 00000000..28f5b889 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_winword_vbadll_load.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\winword.exe" -or $_.message -match "Image.*.*\powerpnt.exe" -or $_.message -match "Image.*.*\excel.exe" -or $_.message -match "Image.*.*\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\VBE7.DLL" -or $_.message -match "ImageLoaded.*.*\VBEUI.DLL" -or $_.message -match "ImageLoaded.*.*\VBE7INTL.DLL")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_winword_vbadll_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_winword_vbadll_load"; + $detectedMessage = "Detects DLL's Loaded Via Word Containing VBA Macros"; + $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\\VBE7.DLL" -or $_.message -match "ImageLoaded.*.*\\VBEUI.DLL" -or $_.message -match "ImageLoaded.*.*\\VBE7INTL.DLL")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_susp_winword_wmidll_load.ps1 b/Rules/SIGMA/image_load/sysmon_susp_winword_wmidll_load.ps1 new file mode 100644 index 00000000..b3c3f7f2 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_susp_winword_wmidll_load.ps1 
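Review bot: `$detectedMessage` says "Loaded Via Word" while the `$result` filter covers winword.exe, powerpnt.exe, excel.exe and outlook.exe; the same mismatch is in sysmon_susp_winword_wmidll_load (L258). Rename the message to what is matched, e.g. `Detects VBA runtime DLLs (VBE7.DLL, VBEUI.DLL, VBE7INTL.DLL) loaded by an Office application`.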
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\winword.exe" -or $_.message -match "Image.*.*\powerpnt.exe" -or $_.message -match "Image.*.*\excel.exe" -or $_.message -match "Image.*.*\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\wmiutils.dll" -or $_.message -match "ImageLoaded.*.*\wbemcomn.dll" -or $_.message -match "ImageLoaded.*.*\wbemprox.dll" -or $_.message -match "ImageLoaded.*.*\wbemdisp.dll" -or $_.message -match "ImageLoaded.*.*\wbemsvc.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_winword_wmidll_load";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_winword_wmidll_load";
+ $detectedMessage = "Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands";
+ $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\\wmiutils.dll" -or $_.message -match "ImageLoaded.*.*\\wbemcomn.dll" -or $_.message -match "ImageLoaded.*.*\\wbemprox.dll" -or $_.message -match "ImageLoaded.*.*\\wbemdisp.dll" -or $_.message -match "ImageLoaded.*.*\\wbemsvc.dll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/image_load/sysmon_suspicious_dbghelp_dbgcore_load.ps1 b/Rules/SIGMA/image_load/sysmon_suspicious_dbghelp_dbgcore_load.ps1 new file mode 100644 index 00000000..685c9b70 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_suspicious_dbghelp_dbgcore_load.ps1 
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ((($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\dbghelp.dll" -or $_.message -match "ImageLoaded.*.*\dbgcore.dll") -and ($_.message -match "Image.*.*\msbuild.exe" -or $_.message -match "Image.*.*\cmd.exe" -or $_.message -match "Image.*.*\svchost.exe" -or $_.message -match "Image.*.*\rundll32.exe" -or $_.message -match "Image.*.*\powershell.exe" -or $_.message -match "Image.*.*\word.exe" -or $_.message -match "Image.*.*\excel.exe" -or $_.message -match "Image.*.*\powerpnt.exe" -or $_.message -match "Image.*.*\outlook.exe" -or $_.message -match "Image.*.*\monitoringhost.exe" -or $_.message -match "Image.*.*\wmic.exe" -or $_.message -match "Image.*.*\bash.exe" -or $_.message -match "Image.*.*\wscript.exe" -or $_.message -match "Image.*.*\cscript.exe" -or $_.message -match "Image.*.*\mshta.exe" -or $_.message -match "Image.*.*\regsvr32.exe" -or $_.message -match "Image.*.*\schtasks.exe" -or $_.message -match "Image.*.*\dnx.exe" -or $_.message -match "Image.*.*\regsvcs.exe" -or $_.message -match "Image.*.*\sc.exe" -or $_.message -match "Image.*.*\scriptrunner.exe")) -and -not ($_.message -match "Image.*.*Visual Studio.*")) -or (($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\dbghelp.dll" -or $_.message -match "ImageLoaded.*.*\dbgcore.dll") -and $_.message -match "Signed.*FALSE") -and -not ($_.message -match "Image.*.*Visual Studio.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_suspicious_dbghelp_dbgcore_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_suspicious_dbghelp_dbgcore_load"; + $detectedMessage = "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. 
Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump + API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and + transfer it over the network back to the attacker's machine."; + $result = $event | where { (($_.ID -eq "7") -and ((($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\\dbghelp.dll" -or $_.message -match "ImageLoaded.*.*\\dbgcore.dll") -and ($_.message -match "Image.*.*\\msbuild.exe" -or $_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\word.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\outlook.exe" -or $_.message -match "Image.*.*\\monitoringhost.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\dnx.exe" -or $_.message -match "Image.*.*\\regsvcs.exe" -or $_.message -match "Image.*.*\\sc.exe" -or $_.message -match "Image.*.*\\scriptrunner.exe")) -and -not ($_.message -match "Image.*.*Visual Studio.*")) -or (($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\\dbghelp.dll" -or $_.message -match "ImageLoaded.*.*\\dbgcore.dll") -and $_.message -match "Signed.*FALSE") -and -not ($_.message -match "Image.*.*Visual Studio.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! 
RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_svchost_dll_search_order_hijack.ps1 b/Rules/SIGMA/image_load/sysmon_svchost_dll_search_order_hijack.ps1 new file mode 100644 index 00000000..76c06213 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_svchost_dll_search_order_hijack.ps1 
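Review bot: The `$result` filter repeats `$_.ID -eq "7"` three times — once in the outer conjunction and again inside each `-or` branch — so the inner checks are dead weight and the expression is hard to audit; dropping the two inner `($_.ID -eq "7") -and` terms leaves behaviour unchanged. `Signed.*FALSE` in the second branch is also unanchored and could be pinned to the field label, e.g. `Signed: false` (confirm the casing your Sysmon events show; `-match` is case-insensitive by default). The message text has a typo, `tradecract` → `tradecraft`. Search-DetectableEvents starts on L260, before this line.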
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and (($_.message -match "Image.*.*\svchost.exe") -and ($_.message -match "ImageLoaded.*.*\tsmsisrv.dll" -or $_.message -match "ImageLoaded.*.*\tsvipsrv.dll" -or $_.message -match "ImageLoaded.*.*\wlbsctrl.dll")) -and -not (($_.message -match "ImageLoaded.*C:\Windows\WinSxS\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_svchost_dll_search_order_hijack";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_svchost_dll_search_order_hijack";
+ $detectedMessage = "IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:WindowsSystem32 by default. An attacker can place their";
+ $result = $event | where { (($_.ID -eq "7") -and (($_.message -match "Image.*.*\\svchost.exe") -and ($_.message -match "ImageLoaded.*.*\\tsmsisrv.dll" -or $_.message -match "ImageLoaded.*.*\\tsvipsrv.dll" -or $_.message -match "ImageLoaded.*.*\\wlbsctrl.dll")) -and -not (($_.message -match "ImageLoaded.*C:\\Windows\\WinSxS\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/image_load/sysmon_tttracer_mod_load.ps1 b/Rules/SIGMA/image_load/sysmon_tttracer_mod_load.ps1
new file mode 100644
index 00000000..5820b0d8
--- /dev/null
+++ b/Rules/SIGMA/image_load/sysmon_tttracer_mod_load.ps1
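Review bot: `$detectedMessage` ends mid-sentence ("An attacker can place their") and has lost the separators in `C:WindowsSystem32`, so the analyst-facing text is both incomplete and wrong. Complete the sentence from the upstream Sigma rule description and write the path as `C:\Windows\System32` (backslashes are literal in a PowerShell double-quoted string). The filter itself mirrors the WinSxS exclusion used by sysmon_susp_fax_dll (L247), which is consistent.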
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "ImageLoaded.*.*\\ttdrecord.dll" -or $_.message -match "ImageLoaded.*.*\\ttdwriter.dll" -or $_.message -match "ImageLoaded.*.*\\ttdloader.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\tttracer.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_tttracer_mod_load";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_tttracer_mod_load";
+ $detectedMessage = "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "7" -and ($_.message -match "ImageLoaded.*.*\\ttdrecord.dll" -or $_.message -match "ImageLoaded.*.*\\ttdwriter.dll" -or $_.message -match "ImageLoaded.*.*\\ttdloader.dll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\tttracer.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
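Review bot: Both branches in Search-DetectableEvents print the same `$detectedMessage`, so the output does not tell the analyst whether a ttd*.dll image load (Sysmon ID 7) or a tttracer.exe child process (ID 1) fired, and those are different evidence. A per-branch description would help, e.g. `$detectedMessage = "tttracer.exe spawned a child process (Sysmon ID 1)";` before the second `$tmp` assignment, or include the event ID in the "Detected!" line. Note also that `[void]$results.Add($tmp)` appends `$null` when a branch has no match; the `if ($result -and ...)` guard copes with that, but a short comment saying so would save the next reader a double-take.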
diff --git a/Rules/SIGMA/image_load/sysmon_uac_bypass_via_dism.ps1 b/Rules/SIGMA/image_load/sysmon_uac_bypass_via_dism.ps1
new file mode 100644
index 00000000..ade440e2
--- /dev/null
+++ b/Rules/SIGMA/image_load/sysmon_uac_bypass_via_dism.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\dism.exe") -and ($_.message -match "ImageLoaded.*.*\dismcore.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_uac_bypass_via_dism";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_uac_bypass_via_dism";
+ $detectedMessage = "Attempts to load dismcore.dll after dropping it";
+ $result = $event | where { ($_.ID -eq "7" -and ($_.message -match "Image.*.*\\dism.exe") -and ($_.message -match "ImageLoaded.*.*\\dismcore.dll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/image_load/sysmon_uipromptforcreds_dlls.ps1 b/Rules/SIGMA/image_load/sysmon_uipromptforcreds_dlls.ps1
new file mode 100644
index 00000000..1a6e4cc3
--- /dev/null
+++ b/Rules/SIGMA/image_load/sysmon_uipromptforcreds_dlls.ps1
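Review bot: The selection in Search-DetectableEvents (`Image.*.*\\dism.exe` together with `ImageLoaded.*.*\\dismcore.dll`) has no path exclusion, and an ordinary DISM run loads its own dismcore.dll, so I would expect this to fire on routine servicing as well as on the hijack it is meant to catch (the upstream Sigma rule, if memory serves, excludes the copy in the system Dism directory). Consider adding `-and -not ($_.message -match "ImageLoaded.*C:\\Windows\\System32\\Dism\\dismcore.dll")` and confirming on a baseline host. The header one-liner uses `\dism.exe`, where `\d` is the digit class, so it does not match what the body matches; use `\\` there as well.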
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\credui.dll" -or $_.message -match "ImageLoaded.*.*\wincredui.dll") -or ($_.message -match "credui.dll" -or $_.message -match "wincredui.dll"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_uipromptforcreds_dlls";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_uipromptforcreds_dlls";
+ $detectedMessage = "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.";
+ $result = $event | where { (($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\\credui.dll" -or $_.message -match "ImageLoaded.*.*\\wincredui.dll") -or ($_.message -match "credui.dll" -or $_.message -match "wincredui.dll"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/image_load/sysmon_unsigned_image_loaded_into_lsass.ps1 b/Rules/SIGMA/image_load/sysmon_unsigned_image_loaded_into_lsass.ps1
new file mode 100644
index 00000000..9e5abf89
--- /dev/null
+++ b/Rules/SIGMA/image_load/sysmon_unsigned_image_loaded_into_lsass.ps1
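Review bot: In Search-DetectableEvents the bare `$_.message -match "credui.dll"` / `"wincredui.dll"` clauses subsume the `ImageLoaded.*.*\\credui.dll` clauses they are OR-ed with, so the ImageLoaded tests are dead and the rule fires on any Sysmon ID 7 event that mentions the DLL name anywhere in the message. If the second pair was converted from an OriginalFileName selection, make that explicit: `$_.message -match "OriginalFileName.*credui.dll"`. Expect this rule to be noisy regardless, since credui.dll is loaded by many legitimate processes; a sentence to that effect in `$detectedMessage` would help triage.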
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*.*\lsass.exe" -and $_.message -match "Signed.*false") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_unsigned_image_loaded_into_lsass";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_unsigned_image_loaded_into_lsass";
+ $detectedMessage = "Loading unsigned image (DLL, EXE) into LSASS process";
+ $result = $event | where { ($_.ID -eq "7" -and $_.message -match "Image.*.*\\lsass.exe" -and $_.message -match "Signed.*false") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/image_load/sysmon_wmi_module_load.ps1 b/Rules/SIGMA/image_load/sysmon_wmi_module_load.ps1
new file mode 100644
index 00000000..40da6837
--- /dev/null
+++ b/Rules/SIGMA/image_load/sysmon_wmi_module_load.ps1
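Review bot: `$_.message -match "Image.*.*\\lsass.exe"` in Search-DetectableEvents also matches the `ImageLoaded:` line of a Sysmon ID 7 message, because `Image` is a prefix of `ImageLoaded`; for this rule that is mostly harmless, but anchoring to the process field, e.g. `"Image: .*\\lsass.exe"`, makes the intent explicit and avoids surprises when the template is reused. The header one-liner uses `\lsass.exe`; `\l` is not a recognised .NET regex escape and I would expect it to raise a parse error when pasted, so it needs `\\` like the body.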
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ($_.message -match "ImageLoaded.*.*\wmiclnt.dll" -or $_.message -match "ImageLoaded.*.*\WmiApRpl.dll" -or $_.message -match "ImageLoaded.*.*\wmiprov.dll" -or $_.message -match "ImageLoaded.*.*\wmiutils.dll" -or $_.message -match "ImageLoaded.*.*\wbemcomn.dll" -or $_.message -match "ImageLoaded.*.*\wbemprox.dll" -or $_.message -match "ImageLoaded.*.*\WMINet_Utils.dll" -or $_.message -match "ImageLoaded.*.*\wbemsvc.dll" -or $_.message -match "ImageLoaded.*.*\fastprox.dll") -and -not (($_.message -match "Image.*.*\WmiPrvSE.exe" -or $_.message -match "Image.*.*\WmiApSrv.exe" -or $_.message -match "Image.*.*\svchost.exe" -or $_.message -match "Image.*.*\DeviceCensus.exe" -or $_.message -match "Image.*.*\CompatTelRunner.exe" -or $_.message -match "Image.*.*\sdiagnhost.exe" -or $_.message -match "Image.*.*\SIHClient.exe" -or $_.message -match "Image.*.*\ngentask.exe" -or $_.message -match "Image.*.*\windows\system32\taskhostw.exe" -or $_.message -match "Image.*.*\windows\system32\MoUsoCoreWorker.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_wmi_module_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_wmi_module_load"; + $detectedMessage = "Detects non wmiprvse loading WMI modules"; + $result = $event | where { (($_.ID -eq "7") -and ($_.message -match "ImageLoaded.*.*\\wmiclnt.dll" -or $_.message -match "ImageLoaded.*.*\\WmiApRpl.dll" -or $_.message -match "ImageLoaded.*.*\\wmiprov.dll" -or $_.message -match "ImageLoaded.*.*\\wmiutils.dll" -or $_.message -match "ImageLoaded.*.*\\wbemcomn.dll" -or $_.message -match "ImageLoaded.*.*\\wbemprox.dll" -or $_.message -match "ImageLoaded.*.*\\WMINet_Utils.dll" -or $_.message -match "ImageLoaded.*.*\\wbemsvc.dll" -or $_.message -match "ImageLoaded.*.*\\fastprox.dll") -and -not (($_.message 
-match "Image.*.*\\WmiPrvSE.exe" -or $_.message -match "Image.*.*\\WmiApSrv.exe" -or $_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\DeviceCensus.exe" -or $_.message -match "Image.*.*\\CompatTelRunner.exe" -or $_.message -match "Image.*.*\\sdiagnhost.exe" -or $_.message -match "Image.*.*\\SIHClient.exe" -or $_.message -match "Image.*.*\\ngentask.exe" -or $_.message -match "Image.*.*\\windows\\system32\\taskhostw.exe" -or $_.message -match "Image.*.*\\windows\\system32\\MoUsoCoreWorker.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/sysmon_wmi_persistence_commandline_event_consumer.ps1 b/Rules/SIGMA/image_load/sysmon_wmi_persistence_commandline_event_consumer.ps1 new file mode 100644 index 00000000..fe0a99d8 --- /dev/null +++ b/Rules/SIGMA/image_load/sysmon_wmi_persistence_commandline_event_consumer.ps1 
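Review bot: The exclusion list in Search-DetectableEvents suppresses on bare image names for most entries (`Image.*.*\\svchost.exe`, `\\WmiPrvSE.exe`, `\\WmiApSrv.exe`, …), so a copy of a binary named svchost.exe dropped in a user-writable directory is whitelisted along with the real one, whereas `taskhostw.exe` and `MoUsoCoreWorker.exe` in the same list are anchored to `\\windows\\system32\\`. Anchor at least the svchost.exe and WmiPrvSE.exe exclusions the same way, e.g. `Image.*\\Windows\\System32\\svchost.exe` and `Image.*\\Windows\\System32\\wbem\\WmiPrvSE.exe`, so a relocated binary still trips the rule.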
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*C:\Windows\System32\wbem\WmiPrvSE.exe" -and $_.message -match "ImageLoaded.*.*\wbemcons.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_wmi_persistence_commandline_event_consumer";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_wmi_persistence_commandline_event_consumer";
+ $detectedMessage = "Detects WMI command line event consumers";
+ $result = $event | where { ($_.ID -eq "7" -and $_.message -match "Image.*C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" -and $_.message -match "ImageLoaded.*.*\\wbemcons.dll") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/image_load/sysmon_wmic_remote_xsl_scripting_dlls.ps1 b/Rules/SIGMA/image_load/sysmon_wmic_remote_xsl_scripting_dlls.ps1
new file mode 100644
index 00000000..96f30841
--- /dev/null
+++ b/Rules/SIGMA/image_load/sysmon_wmic_remote_xsl_scripting_dlls.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*.*\wmic.exe" -and ($_.message -match "ImageLoaded.*.*\jscript.dll" -or $_.message -match "ImageLoaded.*.*\vbscript.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_wmic_remote_xsl_scripting_dlls";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_wmic_remote_xsl_scripting_dlls";
+ $detectedMessage = "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).";
+ $result = $event | where { ($_.ID -eq "7" -and $_.message -match "Image.*.*\\wmic.exe" -and ($_.message -match "ImageLoaded.*.*\\jscript.dll" -or $_.message -match "ImageLoaded.*.*\\vbscript.dll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/image_load/sysmon_wsman_provider_image_load.ps1 b/Rules/SIGMA/image_load/sysmon_wsman_provider_image_load.ps1
new file mode 100644
index 00000000..e8d08787
--- /dev/null
+++ b/Rules/SIGMA/image_load/sysmon_wsman_provider_image_load.ps1
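Review bot: The `$detectedMessage` in Search-DetectableEvents is a double-quoted string, so the backticks around `/FORMAT` are consumed as PowerShell's escape character and the printed text reads `the /FORMAT argument` without them — harmless, but not what was written. Either single-quote the string or drop the backticks, e.g. `$detectedMessage = 'Detects threat actors proxy executing code ... the /FORMAT argument switch ...';`. The same applies to any other generated description that carries Markdown backticks.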
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ((($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\WsmSvc.dll" -or $_.message -match "ImageLoaded.*.*\WsmAuto.dll" -or $_.message -match "ImageLoaded.*.*\Microsoft.WSMan.Management.ni.dll") -or ($_.message -match "WsmSvc.dll" -or $_.message -match "WSMANAUTOMATION.DLL" -or $_.message -match "Microsoft.WSMan.Management.dll")) -and -not ($_.message -match "Image.*.*\powershell.exe")) -or ($_.message -match "Image.*.*\svchost.exe" -and $_.message -match "OriginalFileName.*WsmWmiPl.dll"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_wsman_provider_image_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_wsman_provider_image_load"; + $detectedMessage = "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution."; + $result = $event | where { (($_.ID -eq "7") -and ((($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\\WsmSvc.dll" -or $_.message -match "ImageLoaded.*.*\\WsmAuto.dll" -or $_.message -match "ImageLoaded.*.*\\Microsoft.WSMan.Management.ni.dll") -or ($_.message -match "WsmSvc.dll" -or $_.message -match "WSMANAUTOMATION.DLL" -or $_.message -match "Microsoft.WSMan.Management.dll")) -and -not ($_.message -match "Image.*.*\\powershell.exe")) -or ($_.message -match "Image.*.*\\svchost.exe" -and $_.message -match "OriginalFileName.*WsmWmiPl.dll"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/image_load/win_suspicious_vss_ps_load.ps1 b/Rules/SIGMA/image_load/win_suspicious_vss_ps_load.ps1 new file mode 100644 index 00000000..391835af --- /dev/null +++ b/Rules/SIGMA/image_load/win_suspicious_vss_ps_load.ps1 
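Review bot: The filter in Search-DetectableEvents repeats `($_.ID -eq "7")` inside a branch already under the same outer test, and the bare `-match "WsmSvc.dll"` / `"WSMANAUTOMATION.DLL"` / `"Microsoft.WSMan.Management.dll"` clauses subsume the `ImageLoaded.*...` clauses they are OR-ed with, so those ImageLoaded tests are dead and the branch fires on the DLL name anywhere in the message. If the bare clauses were converted from an OriginalFileName selection, prefix them with `OriginalFileName.*` and drop the inner ID test so the condition reads as intended. The `-not powershell.exe` exclusion applies only to the first branch, which looks deliberate, but deserves a one-line comment since the svchost/WsmWmiPl.dll branch is not filtered at all.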
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ($_.message -match "ImageLoaded.*.*\vss_ps.dll") -and -not (($_.message -match "Image.*.*\svchost.exe" -or $_.message -match "Image.*.*\msiexec.exe" -or $_.message -match "Image.*.*\vssvc.exe" -or $_.message -match "Image.*.*\srtasks.exe" -or $_.message -match "Image.*.*\tiworker.exe" -or $_.message -match "Image.*.*\dllhost.exe" -or $_.message -match "Image.*.*\searchindexer.exe" -or $_.message -match "Image.*.*dismhost.exe" -or $_.message -match "Image.*.*taskhostw.exe" -or $_.message -match "Image.*.*\clussvc.exe") -and $_.message -match "Image.*.*c:\windows\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_suspicious_vss_ps_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_suspicious_vss_ps_load"; + $detectedMessage = "Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint"; + $result = $event | where { (($_.ID -eq "7") -and ($_.message -match "ImageLoaded.*.*\\vss_ps.dll") -and -not (($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\vssvc.exe" -or $_.message -match "Image.*.*\\srtasks.exe" -or $_.message -match "Image.*.*\\tiworker.exe" -or $_.message -match "Image.*.*\\dllhost.exe" -or $_.message -match "Image.*.*\\searchindexer.exe" -or $_.message -match "Image.*.*dismhost.exe" -or $_.message -match "Image.*.*taskhostw.exe" -or $_.message -match "Image.*.*\\clussvc.exe") -and $_.message -match "Image.*.*c:\\windows\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . 
Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/malware/av_exploiting.ps1 b/Rules/SIGMA/malware/av_exploiting.ps1 new file mode 100644 index 00000000..d0519fbd --- /dev/null +++ b/Rules/SIGMA/malware/av_exploiting.ps1 
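Review bot: The `$detectedMessage` in Search-DetectableEvents says the load is matched "using OriginalFileName datapoint", but the filter only tests the `Image` path and `ImageLoaded`, so the text misdescribes the evidence; either add `-or $_.message -match "OriginalFileName.*vss_ps.dll"` or reword the message. Two exclusion entries, `Image.*.*dismhost.exe` and `Image.*.*taskhostw.exe`, lack the `\\` separator the other entries have, so they also suppress e.g. `evil-dismhost.exe`; write them as `Image.*.*\\dismhost.exe` and `Image.*.*\\taskhostw.exe`.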
@@ -0,0 +1,36 @@ +# Get-WinEvent | where { ($_.message -match "Signature.*.*MeteTool.*" -or $_.message -match "Signature.*.*MPreter.*" -or $_.message -match "Signature.*.*Meterpreter.*" -or $_.message -match "Signature.*.*Metasploit.*" -or $_.message -match "Signature.*.*PowerSploit.*" -or $_.message -match "Signature.*.*CobaltSrike.*" -or $_.message -match "Signature.*.*Swrort.*" -or $_.message -match "Signature.*.*Rozena.*" -or $_.message -match "Signature.*.*Backdoor.Cobalt.*" -or $_.message -match "Signature.*.*CobaltStr.*" -or $_.message -match "Signature.*.*COBEACON.*" -or $_.message -match "Signature.*.*Cometer.*" -or $_.message -match "Signature.*.*Razy.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message + + +function Add-Rule { + + if ($isLiveAnalysis) { + # LiveAnalysysが必要か確認する + } + else { + $ruleName = "av_exploing"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $ruleName = "av_exploing"; + $detectedMessage = "Detects a highly relevant Antivirus alert that reports an exploitation framework"; + $result = $event | where { ($_.message -match "Signature.*.*MeteTool.*" -or $_.message -match "Signature.*.*MPreter.*" -or $_.message -match "Signature.*.*Meterpreter.*" -or $_.message -match "Signature.*.*Metasploit.*" -or $_.message -match "Signature.*.*PowerSploit.*" -or $_.message -match "Signature.*.*CobaltSrike.*" -or $_.message -match "Signature.*.*Swrort.*" -or $_.message -match "Signature.*.*Rozena.*" -or $_.message -match "Signature.*.*Backdoor.Cobalt.*" -or $_.message -match "Signature.*.*CobaltStr.*" -or $_.message -match "Signature.*.*COBEACON.*" -or $_.message -match "Signature.*.*Cometer.*" -or $_.message -match "Signature.*.*Razy.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message + if ($result) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + . 
Search-DetectableEvents $args; + } + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } + } +} \ No newline at end of file diff --git a/Rules/SIGMA/malware/av_password_dumper.ps1 b/Rules/SIGMA/malware/av_password_dumper.ps1 new file mode 100644 index 00000000..d478a3e8 --- /dev/null +++ b/Rules/SIGMA/malware/av_password_dumper.ps1 
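Review bot: `$ruleName` is set to `av_exploing` (in both Add-Rule and Search-DetectableEvents) while the file is `av_exploiting.ps1` and every other rule in this commit uses the file's basename, so the rule registers and reports under a misspelled name; change both to `$ruleName = "av_exploiting";`. The `if ($isLiveAnalysis)` branch holds only a comment (Japanese for "check whether live analysis is needed"), so in live-analysis mode this rule is silently never added to `$ruleStack`; either register it in both branches or state in a comment why AV-signature matching is skipped live. The guard also uses `if ($result)` where the sibling rules use `$result -and $result.Count -ne 0`; pick one form.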
@@ -0,0 +1,31 @@ +# Get-WinEvent | where {($_.message -match "Signature.*.*DumpCreds.*" -or $_.message -match "Signature.*.*Mimikatz.*" -or $_.message -match "Signature.*.*PWCrack.*" -or $_.message -match "Signature.*.*HTool/WCE.*" -or $_.message -match "Signature.*.*PSWtool.*" -or $_.message -match "Signature.*.*PWDump.*" -or $_.message -match "Signature.*.*SecurityTool.*" -or $_.message -match "Signature.*.*PShlSpy.*" -or $_.message -match "Signature.*.*Rubeus.*" -or $_.message -match "Signature.*.*Kekeo.*" -or $_.message -match "Signature.*.*LsassDump.*" -or $_.message -match "Signature.*.*Outflank.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "av_password_dumper"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "av_password_dumper"; + $detectedMessage = "Detects a highly relevant Antivirus alert that reports a password dumper."; + $result = $event | where { ($_.message -match "Signature.*.*DumpCreds.*" -or $_.message -match "Signature.*.*Mimikatz.*" -or $_.message -match "Signature.*.*PWCrack.*" -or $_.message -match "Signature.*.*HTool/WCE.*" -or $_.message -match "Signature.*.*PSWtool.*" -or $_.message -match "Signature.*.*PWDump.*" -or $_.message -match "Signature.*.*SecurityTool.*" -or $_.message -match "Signature.*.*PShlSpy.*" -or $_.message -match "Signature.*.*Rubeus.*" -or $_.message -match "Signature.*.*Kekeo.*" -or $_.message -match "Signature.*.*LsassDump.*" -or $_.message -match "Signature.*.*Outflank.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/SIGMA/malware/av_printernightmare_cve_2021_34527.ps1 b/Rules/SIGMA/malware/av_printernightmare_cve_2021_34527.ps1 new file mode 100644 index 00000000..50467464 --- /dev/null +++ b/Rules/SIGMA/malware/av_printernightmare_cve_2021_34527.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent | where {$_.message -match "FileName.*.*C:\\Windows\\System32\\spool\\drivers\\x64\\.*" } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + + +function Add-Rule { + + $ruleName = "av_printernightmare_cve_2021_34527"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "av_printernightmare_cve_2021_34527"; + $detectedMessage = "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 ."; + $result = $event | where { $_.message -match "FileName.*.*C:\\Windows\\System32\\spool\\drivers\\x64\\.*" } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/SIGMA/malware/av_relevant_files.ps1 b/Rules/SIGMA/malware/av_relevant_files.ps1 new file mode 100644 index 00000000..51fc0f52 --- /dev/null +++ b/Rules/SIGMA/malware/av_relevant_files.ps1 
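Review bot: Every pattern in Search-DetectableEvents requires the literal token `Signature` before the detection name (`Signature.*.*Mimikatz.*`), but `Signature` is Sigma's abstract field name; on Windows Defender's own 1116/1117 event messages the threat is labelled `Name:` if memory serves, so those events would never match this rule. Verify the field label against the AV products the rule is meant to cover and widen the prefix where needed, e.g. `"(Signature|Name).*Mimikatz"`. As with the other av_ rules, the header one-liner runs `Get-WinEvent` with no `-LogName`, which scans every channel; naming the intended channels in the comment would help.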
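Review bot: The filter in Search-DetectableEvents has no provider or event-ID restriction, and because `-match` is case-insensitive `FileName.*` also matches Sysmon's `TargetFilename:` line, so a legitimate printer-driver installation logged as Sysmon ID 11 under spool\drivers\x64 raises the same PrinterNightmare alert as an AV detection. Restrict the rule to the AV event source it is written for, or state in `$detectedMessage` that any file activity under that path is flagged; e.g. `$result = $event | where { $_.ProviderName -match "Defender" -and $_.message -match "FileName.*C:\\Windows\\System32\\spool\\drivers\\x64\\.*" }` if Defender is the target. Minor: the message has a stray space before its final period.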
@@ -0,0 +1,33 @@ +# Get-WinEvent | where {(($_.message -match "FileName.*C:\\Windows\\.*" -or $_.message -match "FileName.*C:\\Temp\\.*" -or $_.message -match "FileName.*C:\\PerfLogs\\.*" -or $_.message -match "FileName.*C:\\Users\\Public\\.*" -or $_.message -match "FileName.*C:\\Users\\Default\\.*") -or ($_.message -match "FileName.*.*\\Client\\.*" -or $_.message -match "FileName.*.*\\tsclient\\.*" -or $_.message -match "FileName.*.*\\inetpub\\.*" -or $_.message -match "FileName.*.*/www/.*" -or $_.message -match "FileName.*.*apache.*" -or $_.message -match "FileName.*.*tomcat.*" -or $_.message -match "FileName.*.*nginx.*" -or $_.message -match "FileName.*.*weblogic.*") -or ($_.message -match "Filename.*.*.ps1" -or $_.message -match "Filename.*.*.psm1" -or $_.message -match "Filename.*.*.vbs" -or $_.message -match "Filename.*.*.bat" -or $_.message -match "Filename.*.*.cmd" -or $_.message -match "Filename.*.*.sh" -or $_.message -match "Filename.*.*.chm" -or $_.message -match "Filename.*.*.xml" -or $_.message -match "Filename.*.*.txt" -or $_.message -match "Filename.*.*.jsp" -or $_.message -match "Filename.*.*.jspx" -or $_.message -match "Filename.*.*.asp" -or $_.message -match "Filename.*.*.aspx" -or $_.message -match "Filename.*.*.ashx" -or $_.message -match "Filename.*.*.asax" -or $_.message -match "Filename.*.*.asmx" -or $_.message -match "Filename.*.*.php" -or $_.message -match "Filename.*.*.cfm" -or $_.message -match "Filename.*.*.py" -or $_.message -match "Filename.*.*.pyc" -or $_.message -match "Filename.*.*.pl" -or $_.message -match "Filename.*.*.rb" -or $_.message -match "Filename.*.*.cgi" -or $_.message -match "Filename.*.*.war" -or $_.message -match "Filename.*.*.ear" -or $_.message -match "Filename.*.*.hta" -or $_.message -match "Filename.*.*.lnk" -or $_.message -match "Filename.*.*.scf" -or $_.message -match "Filename.*.*.sct" -or $_.message -match "Filename.*.*.vbe" -or $_.message -match "Filename.*.*.wsf" -or $_.message -match "Filename.*.*.wsh" -or 
$_.message -match "Filename.*.*.gif" -or $_.message -match "Filename.*.*.png" -or $_.message -match "Filename.*.*.jpg" -or $_.message -match "Filename.*.*.jpeg" -or $_.message -match "Filename.*.*.svg" -or $_.message -match "Filename.*.*.dat")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + + +function Add-Rule { + + $ruleName = "av_relevant_files"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "av_relevant_files"; + $detectedMessage = "Detects an Antivirus alert in a highly relevant file path or with a relevant file name."; + $result = $event | where { (($_.message -match "FileName.*C:\\Windows\\.*" -or $_.message -match "FileName.*C:\\Temp\\.*" -or $_.message -match "FileName.*C:\\PerfLogs\\.*" -or $_.message -match "FileName.*C:\\Users\\Public\\.*" -or $_.message -match "FileName.*C:\\Users\\Default\\.*") -or ($_.message -match "FileName.*.*\\Client\\.*" -or $_.message -match "FileName.*.*\\tsclient\\.*" -or $_.message -match "FileName.*.*\\inetpub\\.*" -or $_.message -match "FileName.*.*/www/.*" -or $_.message -match "FileName.*.*apache.*" -or $_.message -match "FileName.*.*tomcat.*" -or $_.message -match "FileName.*.*nginx.*" -or $_.message -match "FileName.*.*weblogic.*") -or ($_.message -match "Filename.*.*.ps1" -or $_.message -match "Filename.*.*.psm1" -or $_.message -match "Filename.*.*.vbs" -or $_.message -match "Filename.*.*.bat" -or $_.message -match "Filename.*.*.cmd" -or $_.message -match "Filename.*.*.sh" -or $_.message -match "Filename.*.*.chm" -or $_.message -match "Filename.*.*.xml" -or $_.message -match "Filename.*.*.txt" -or $_.message -match "Filename.*.*.jsp" -or $_.message -match "Filename.*.*.jspx" -or $_.message -match "Filename.*.*.asp" -or $_.message -match "Filename.*.*.aspx" -or $_.message -match "Filename.*.*.ashx" -or $_.message -match "Filename.*.*.asax" -or $_.message -match "Filename.*.*.asmx" -or $_.message -match "Filename.*.*.php" -or $_.message -match 
"Filename.*.*.cfm" -or $_.message -match "Filename.*.*.py" -or $_.message -match "Filename.*.*.pyc" -or $_.message -match "Filename.*.*.pl" -or $_.message -match "Filename.*.*.rb" -or $_.message -match "Filename.*.*.cgi" -or $_.message -match "Filename.*.*.war" -or $_.message -match "Filename.*.*.ear" -or $_.message -match "Filename.*.*.hta" -or $_.message -match "Filename.*.*.lnk" -or $_.message -match "Filename.*.*.scf" -or $_.message -match "Filename.*.*.sct" -or $_.message -match "Filename.*.*.vbe" -or $_.message -match "Filename.*.*.wsf" -or $_.message -match "Filename.*.*.wsh" -or $_.message -match "Filename.*.*.gif" -or $_.message -match "Filename.*.*.png" -or $_.message -match "Filename.*.*.jpg" -or $_.message -match "Filename.*.*.jpeg" -or $_.message -match "Filename.*.*.svg" -or $_.message -match "Filename.*.*.dat")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/SIGMA/malware/av_webshell.ps1 b/Rules/SIGMA/malware/av_webshell.ps1 new file mode 100644 index 00000000..9be0f11b --- /dev/null +++ b/Rules/SIGMA/malware/av_webshell.ps1 
@@ -0,0 +1,31 @@ +#Get-WinEvent | where {(($_.message -match "Signature.*PHP/.*" -or $_.message -match "Signature.*JSP/.*" -or $_.message -match "Signature.*ASP/.*" -or $_.message -match "Signature.*Perl/.*" -or $_.message -match "Signature.*PHP..*" -or $_.message -match "Signature.*JSP..*" -or $_.message -match "Signature.*ASP..*" -or $_.message -match "Signature.*Perl..*" -or $_.message -match "Signature.*VBS/Uxor.*" -or $_.message -match "Signature.*IIS/BackDoor.*" -or $_.message -match "Signature.*JAVA/Backdoor.*" -or $_.message -match "Signature.*Troj/ASP.*" -or $_.message -match "Signature.*Troj/PHP.*" -or $_.message -match "Signature.*Troj/JSP.*") -or ($_.message -match "Signature.*.*Webshell.*" -or $_.message -match "Signature.*.*Chopper.*" -or $_.message -match "Signature.*.*SinoChoper.*" -or $_.message -match "Signature.*.*ASPXSpy.*" -or $_.message -match "Signature.*.*Aspdoor.*" -or $_.message -match "Signature.*.*filebrowser.*" -or $_.message -match "Signature.*.*PHP_.*" -or $_.message -match "Signature.*.*JSP_.*" -or $_.message -match "Signature.*.*ASP_.*" -or $_.message -match "Signature.*.*PHP:.*" -or $_.message -match "Signature.*.*JSP:.*" -or $_.message -match "Signature.*.*ASP:.*" -or $_.message -match "Signature.*.*Perl:.*" -or $_.message -match "Signature.*.*PHPShell.*" -or $_.message -match "Signature.*.*Trojan.PHP.*" -or $_.message -match "Signature.*.*Trojan.ASP.*" -or $_.message -match "Signature.*.*Trojan.JSP.*" -or $_.message -match "Signature.*.*Trojan.VBS.*" -or $_.message -match "Signature.*.*PHP?Agent.*" -or $_.message -match "Signature.*.*ASP?Agent.*" -or $_.message -match "Signature.*.*JSP?Agent.*" -or $_.message -match "Signature.*.*VBS?Agent.*" -or $_.message -match "Signature.*.*Backdoor?PHP.*" -or $_.message -match "Signature.*.*Backdoor?JSP.*" -or $_.message -match "Signature.*.*Backdoor?ASP.*" -or $_.message -match "Signature.*.*Backdoor?VBS.*" -or $_.message -match "Signature.*.*Backdoor?Java.*")) } | select 
TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "av_webshell"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "av_webshell"; + $detectedMessage = " Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches."; + $result = $event | where { (($_.message -match "Signature.*PHP/.*" -or $_.message -match "Signature.*JSP/.*" -or $_.message -match "Signature.*ASP/.*" -or $_.message -match "Signature.*Perl/.*" -or $_.message -match "Signature.*PHP..*" -or $_.message -match "Signature.*JSP..*" -or $_.message -match "Signature.*ASP..*" -or $_.message -match "Signature.*Perl..*" -or $_.message -match "Signature.*VBS/Uxor.*" -or $_.message -match "Signature.*IIS/BackDoor.*" -or $_.message -match "Signature.*JAVA/Backdoor.*" -or $_.message -match "Signature.*Troj/ASP.*" -or $_.message -match "Signature.*Troj/PHP.*" -or $_.message -match "Signature.*Troj/JSP.*") -or ($_.message -match "Signature.*.*Webshell.*" -or $_.message -match "Signature.*.*Chopper.*" -or $_.message -match "Signature.*.*SinoChoper.*" -or $_.message -match "Signature.*.*ASPXSpy.*" -or $_.message -match "Signature.*.*Aspdoor.*" -or $_.message -match "Signature.*.*filebrowser.*" -or $_.message -match "Signature.*.*PHP_.*" -or $_.message -match "Signature.*.*JSP_.*" -or $_.message -match "Signature.*.*ASP_.*" -or $_.message -match "Signature.*.*PHP:.*" -or $_.message -match "Signature.*.*JSP:.*" -or $_.message -match "Signature.*.*ASP:.*" -or $_.message -match "Signature.*.*Perl:.*" -or $_.message -match "Signature.*.*PHPShell.*" -or $_.message -match "Signature.*.*Trojan.PHP.*" -or $_.message -match "Signature.*.*Trojan.ASP.*" -or $_.message -match "Signature.*.*Trojan.JSP.*" -or $_.message -match "Signature.*.*Trojan.VBS.*" -or 
$_.message -match "Signature.*.*PHP?Agent.*" -or $_.message -match "Signature.*.*ASP?Agent.*" -or $_.message -match "Signature.*.*JSP?Agent.*" -or $_.message -match "Signature.*.*VBS?Agent.*" -or $_.message -match "Signature.*.*Backdoor?PHP.*" -or $_.message -match "Signature.*.*Backdoor?JSP.*" -or $_.message -match "Signature.*.*Backdoor?ASP.*" -or $_.message -match "Signature.*.*Backdoor?VBS.*" -or $_.message -match "Signature.*.*Backdoor?Java.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/SIGMA/malware/mal_azorult_reg.ps1 b/Rules/SIGMA/malware/mal_azorult_reg.ps1 new file mode 100644 index 00000000..f21d932b --- /dev/null +++ b/Rules/SIGMA/malware/mal_azorult_reg.ps1 
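Review bot: In patterns such as `Signature.*.*PHP?Agent.*` and `Signature.*.*Backdoor?PHP.*` the `?` is a regex quantifier making the preceding character optional, not the single-character wildcard the upstream rule presumably uses, so `Backdoor.PHP` and `Backdoor/PHP` never match while `BackdooPHP` does. Replace each such `?` with `.` (or a class like `[./_:-]` if the separator set is known), e.g. `$_.message -match "Signature.*Backdoor.PHP"`. Minor: `$detectedMessage` starts with a stray space.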
@@ -0,0 +1,32 @@
+#Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.ID -eq "12" -or $_.ID -eq "13") -and $_.message -match "TargetObject.*.*SYSTEM\\.*" -and $_.message -match "TargetObject.*.*\\services\\localNETService") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "mal_azorult_reg";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "mal_azorult_reg";
+ $detectedMessage = " Detects the presence of a registry key created during Azorult execution";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.ID -eq "12" -or $_.ID -eq "13") -and $_.message -match "TargetObject.*.*SYSTEM\\.*" -and $_.message -match "TargetObject.*.*\\services\\localNETService") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
\ No newline at end of file
diff --git a/Rules/SIGMA/malware/win_mal_blue_mockingbird.ps1 b/Rules/SIGMA/malware/win_mal_blue_mockingbird.ps1
new file mode 100644
index 00000000..f4dfbd07
--- /dev/null
+++ b/Rules/SIGMA/malware/win_mal_blue_mockingbird.ps1
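Review bot: The ID filter in `Search-DetectableEvents` contradicts itself: `($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.ID -eq "12" -or $_.ID -eq "13")` reduces to IDs 12 and 13, so the ID 14 (registry rename) branch can never fire, and the comment line at the top repeats the same dead clause. Presumably the first group is the registry_event category mapping and the second the rule's own EventID filter; keep one of them, e.g. `($_.ID -eq "12" -or $_.ID -eq "13") -and $_.message -match ...`, or drop the second group if renames are meant to be covered. Also `\\services\\localNETService` is open on the right, so keys such as `localNETService2` match as well; append `(\\|$)` if only the exact key is wanted.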
@@ -0,0 +1,43 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*sc config.*" -and $_.message -match "CommandLine.*.*wercplsupporte.dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*COR_PROFILER") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_mal_blue_mockingbird"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_mal_blue_mockingbird"; + $detectedMessage = "Attempts to detect system changes made by Blue Mockingbird"; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*sc config.*" -and $_.message -match "CommandLine.*.*wercplsupporte.dll.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*COR_PROFILER") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, 
Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/malware/win_mal_darkside.ps1 b/Rules/SIGMA/malware/win_mal_darkside.ps1 new file mode 100644 index 00000000..4b84a16f --- /dev/null +++ b/Rules/SIGMA/malware/win_mal_darkside.ps1 
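Review bot: The field prefixes in all three selectors are substring matches, so `Image.*.*\\cmd.exe` is also satisfied by the `ParentImage:` line and `CommandLine.*.*sc config.*` by the `ParentCommandLine:` line; a child of cmd.exe whose parent ran `sc config` would pass the first selector without itself being cmd.exe. If the events are the usual Sysmon text rendering with one `Field: value` per line, anchoring at line start removes that ambiguity, e.g. `$_.message -match "(?m)^Image: .*\\cmd\.exe"` and `$_.message -match "(?m)^CommandLine: .*sc config"` — confirm the rendering on a sample event before changing all three. The dots in `cmd.exe`, `wmic.exe` and `wercplsupporte.dll` are unescaped regex metacharacters as well; `\.` is what is meant, and the comment lines at the top carry the same patterns.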
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*=[char][byte]('0x'+.*" -or $_.message -match "CommandLine.*.* -work worker0 -path .*") -or (($_.message -match "ParentCommandLine.*.*DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.*") -and ($_.message -match "Image.*.*\AppData\Local\Temp\.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_mal_darkside";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_mal_darkside";
+ $detectedMessage = "Detects DarkSide Ransomware and helpers";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*=[char][byte]\(\'0x\'+.*" -or $_.message -match "CommandLine.*.* -work worker0 -path .*") -or (($_.message -match "ParentCommandLine.*.*DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.*") -and ($_.message -match "Image.*.*\\AppData\\Local\\Temp\\.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMesssage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/malware/win_mal_flowcloud.ps1 b/Rules/SIGMA/malware/win_mal_flowcloud.ps1
new file mode 100644
index 00000000..2a5ba116
--- /dev/null
+++ b/Rules/SIGMA/malware/win_mal_flowcloud.ps1
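Review bot: `Write-Output $detectedMesssage` (three s) on the detection branch references a variable that is never assigned, so on a hit this rule prints an empty line where every sibling rule prints its description; it should be `Write-Output $detectedMessage;`. The first selector is also broken as a regex: in `"CommandLine.*.*=[char][byte]\(\'0x\'+.*"` the square brackets are character classes and `'+` means one or more quotes, so it matches text like `=ab('0x'` but never the literal `=[char][byte]('0x'+` shown in the comment line at the top; the escaped form is `"CommandLine.*=\[char\]\[byte\]\('0x'\+"`. Since the top comment carries the same unescaped pattern, this looks like a converter escaping gap rather than a one-off, so the fix belongs in the generator as well.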
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" -or $_.message -match "HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" -or $_.message -match "HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}") -or ($_.message -match "TargetObject.*HKLM\SYSTEM\Setup\PrintResponsor\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_mal_flowcloud";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_mal_flowcloud";
+ $detectedMessage = "Detects FlowCloud malware from threat group TA410.";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "HKLM\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" -or $_.message -match "HKLM\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" -or $_.message -match "HKLM\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}") -or ($_.message -match "TargetObject.*HKLM\\SYSTEM\\Setup\\PrintResponsor\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/malware/win_mal_lockergoga.ps1 b/Rules/SIGMA/malware/win_mal_lockergoga.ps1
new file mode 100644
index 00000000..6e989a2d
--- /dev/null
+++ b/Rules/SIGMA/malware/win_mal_lockergoga.ps1
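Review bot: The three `HKLM\\HARDWARE\\{...}` patterns are matched against the whole message while the fourth branch is scoped with `TargetObject.*`; for consistency, and so a key path echoed in another field does not trigger the rule, prefix them the same way, e.g. `$_.message -match "TargetObject.*HKLM\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}"`. The braces survive only because .NET treats a `{` that is not a valid quantifier as a literal; escaping them as `\{...\}` makes that intent explicit and keeps the pattern portable. The doubled parentheses around the ID group and the trailing `.*` are leftovers of the conversion and can be dropped.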
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*-i SM-tgytutrc -s.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_mal_lockergoga";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_mal_lockergoga";
+ $detectedMessage = "Detects LockerGoga Ransomware command line.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*-i SM-tgytutrc -s.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/malware/win_mal_octopus_scanner.ps1 b/Rules/SIGMA/malware/win_mal_octopus_scanner.ps1
new file mode 100644
index 00000000..d3c2f010
--- /dev/null
+++ b/Rules/SIGMA/malware/win_mal_octopus_scanner.ps1
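Review bot: `CommandLine.*.*-i SM-tgytutrc -s.*` is a substring match that the `ParentCommandLine:` line also satisfies, so every process spawned by a LockerGoga worker is reported as a hit in its own right, not only the worker; that may be acceptable for a ransomware rule but should be a deliberate choice. If the events use the Sysmon `Field: value` per-line rendering, `$_.message -match "(?m)^CommandLine: .*-i SM-tgytutrc -s"` restricts it to the process itself — confirm the rendering on a sample event first. The doubled `.*.*` and the trailing `.*` are no-ops left over from the wildcard conversion and can go.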
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\AppData\Local\Microsoft\Cache134.dat" -or $_.message -match "TargetFilename.*.*\AppData\Local\Microsoft\ExplorerSync.db")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_mal_octopus_scanner";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_mal_octopus_scanner";
+ $detectedMessage = "Detects Octopus Scanner Malware.";
+ $result = $event | where { ($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\\AppData\\Local\\Microsoft\\Cache134.dat" -or $_.message -match "TargetFilename.*.*\\AppData\\Local\\Microsoft\\ExplorerSync.db")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/malware/win_mal_ryuk.ps1 b/Rules/SIGMA/malware/win_mal_ryuk.ps1
new file mode 100644
index 00000000..f043f47e
--- /dev/null
+++ b/Rules/SIGMA/malware/win_mal_ryuk.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\net.exe" -or $_.message -match "Image.*.*\net1.exe") -and $_.message -match "CommandLine.*.*stop.*" -and ($_.message -match "CommandLine.*.*samss.*" -or $_.message -match "CommandLine.*.*audioendpointbuilder.*" -or $_.message -match "CommandLine.*.*unistoresvc_?????.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_mal_ryuk";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_mal_ryuk";
+ $detectedMessage = "Detects Ryuk Ransomware command lines";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*stop.*" -and ($_.message -match "CommandLine.*.*samss.*" -or $_.message -match "CommandLine.*.*audioendpointbuilder.*" -or $_.message -match "CommandLine.*.*unistoresvc_?????.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/malware/win_mal_ursnif.ps1 b/Rules/SIGMA/malware/win_mal_ursnif.ps1
new file mode 100644
index 00000000..be014a39
--- /dev/null
+++ b/Rules/SIGMA/malware/win_mal_ursnif.ps1
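Review bot: `unistoresvc_?????` is a Sigma single-character wildcard pattern copied into a .NET regex unchanged: `_??` is a lazy-optional underscore and the remaining `?` are quantifiers with nothing to quantify, which I expect `-match` to reject with a nested-quantifier parse error rather than match five arbitrary characters — check with `"x" -match "unistoresvc_?????"`. Because `-and`/`-or` short-circuit, the error surfaces precisely on `net stop <service>` events for services other than samss or audioendpointbuilder, i.e. on routine administration, and the top comment line carries the same pattern. The intended form is `$_.message -match "CommandLine.*unistoresvc_.{5}"`. Separately, `Image.*.*\\net.exe` also matches the `ParentImage:` line, so a child of net.exe whose own command line contains `stop` and one of the service names is reported as well.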
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\Software\AppDataLow\Software\Microsoft\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_mal_ursnif";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_mal_ursnif";
+ $detectedMessage = "Detects new registry key created by Ursnif malware.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Software\\AppDataLow\\Software\\Microsoft\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/network_connection/silenttrinity_stager_msbuild_activity.ps1 b/Rules/SIGMA/network_connection/silenttrinity_stager_msbuild_activity.ps1
new file mode 100644
index 00000000..6a060594
--- /dev/null
+++ b/Rules/SIGMA/network_connection/silenttrinity_stager_msbuild_activity.ps1
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "3" -and $_.message -match "ParentImage.*.*\msbuild.exe" -and ($_.message -match "80" -or $_.message -match "443") -and $_.message -match "Initiated.*true") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "silenttrinity_stager_msbuild_activity"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "silenttrinity_stager_msbuild_activity"; + $detectedMessage = "Detects a possible remote connections to Silenttrinity c2"; + $result = $event | where { ($_.ID -eq "3" -and $_.message -match "ParentImage.*.*\\msbuild.exe" -and ($_.message -match "80" -or $_.message -match "443") -and $_.message -match "Initiated.*true") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/network_connection/sysmon_dllhost_net_connections.ps1 b/Rules/SIGMA/network_connection/sysmon_dllhost_net_connections.ps1 new file mode 100644 index 00000000..a3b02fed --- /dev/null +++ b/Rules/SIGMA/network_connection/sysmon_dllhost_net_connections.ps1 
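Review bot: `($_.message -match "80" -or $_.message -match "443")` tests the whole event text rather than the destination port, so any `80` or `443` inside a process ID, GUID, IP address or timestamp satisfies it and the port condition is effectively always true; tie it to the field, e.g. `$_.message -match "DestinationPort: (80|443)\b"` (confirm the `Field: value` rendering on a sample event). Separately, the selector keys on `ParentImage.*.*\\msbuild.exe`, but as far as I know a Sysmon network-connection event (ID 3) carries `Image` and no `ParentImage` field, so as written the rule may never match; if that is confirmed, `Image.*\\msbuild\.exe` is what is meant. The comment line at the top shares both issues.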
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "Image.*.*\dllhost.exe" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match "DestinationIp.*172.20..*" -or $_.message -match "DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127..*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_dllhost_net_connections"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_dllhost_net_connections"; + $detectedMessage = "Detects Dllhost that communicates with public IP addresses"; + $result = $event | where { (($_.ID -eq "3") -and ($_.message -match "Image.*.*\\dllhost.exe" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match "DestinationIp.*172.20..*" -or $_.message -match 
"DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127..*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/network_connection/sysmon_malware_backconnect_ports.ps1 b/Rules/SIGMA/network_connection/sysmon_malware_backconnect_ports.ps1 new file mode 100644 index 00000000..da03998f --- /dev/null +++ b/Rules/SIGMA/network_connection/sysmon_malware_backconnect_ports.ps1 
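Review bot: The private-range exclusion is much wider than it looks: the dots are unescaped and every pattern starts with `DestinationIp.*`, so `DestinationIp.*10..*` is satisfied by any destination whose text contains `10` anywhere (`104.16.0.1`, `8.8.10.1`), `127..*` by any address containing `127`, and `172.16..*` by `52.172.16.5`; a public C2 address that happens to contain those digits is silently dropped from the alert. Anchoring at the start of the value and escaping the dots closes that gap in one expression: `-and -not ($_.message -match "DestinationIp: (10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)")` — this assumes the `DestinationIp: value` rendering, so check one sample event first. The same exclusion list is duplicated verbatim in the other network_connection rules of this change; a shared regex constant would keep them in step.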
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "Initiated.*true" -and ($_.message -match "4443" -or $_.message -match "2448" -or $_.message -match "8143" -or $_.message -match "1777" -or $_.message -match "1443" -or $_.message -match "243" -or $_.message -match "65535" -or $_.message -match "13506" -or $_.message -match "3360" -or $_.message -match "200" -or $_.message -match "198" -or $_.message -match "49180" -or $_.message -match "13507" -or $_.message -match "6625" -or $_.message -match "4444" -or $_.message -match "4438" -or $_.message -match "1904" -or $_.message -match "13505" -or $_.message -match "13504" -or $_.message -match "12102" -or $_.message -match "9631" -or $_.message -match "5445" -or $_.message -match "2443" -or $_.message -match "777" -or $_.message -match "13394" -or $_.message -match "13145" -or $_.message -match "12103" -or $_.message -match "5552" -or $_.message -match "3939" -or $_.message -match "3675" -or $_.message -match "666" -or $_.message -match "473" -or $_.message -match "5649" -or $_.message -match "4455" -or $_.message -match "4433" -or $_.message -match "1817" -or $_.message -match "100" -or $_.message -match "65520" -or $_.message -match "1960" -or $_.message -match "1515" -or $_.message -match "743" -or $_.message -match "700" -or $_.message -match "14154" -or $_.message -match "14103" -or $_.message -match "14102" -or $_.message -match "12322" -or $_.message -match "10101" -or $_.message -match "7210" -or $_.message -match "4040" -or $_.message -match "9943")) -and -not ((($_.ID -eq "3") -and ($_.message -match "Image.*.*\Program Files.*" -or (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message 
-match "DestinationIp.*172.20..*" -or $_.message -match "DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127..*") -and $_.message -match "DestinationIsIpv6.*false"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_malware_backconnect_ports"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_malware_backconnect_ports"; + $detectedMessage = "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases"; + $result = $event | where { (($_.ID -eq "3") -and ($_.message -match "Initiated.*true" -and ($_.message -match "4443" -or $_.message -match "2448" -or $_.message -match "8143" -or $_.message -match "1777" -or $_.message -match "1443" -or $_.message -match "243" -or $_.message -match "65535" -or $_.message -match "13506" -or $_.message -match "3360" -or $_.message -match "200" -or $_.message -match "198" -or $_.message -match "49180" -or $_.message -match "13507" -or $_.message -match "6625" -or $_.message -match "4444" -or $_.message -match "4438" -or $_.message -match "1904" -or $_.message -match "13505" -or $_.message -match "13504" -or $_.message -match "12102" -or $_.message -match "9631" -or $_.message -match "5445" -or $_.message -match "2443" -or $_.message -match "777" -or $_.message -match "13394" -or $_.message -match "13145" -or $_.message -match "12103" -or 
$_.message -match "5552" -or $_.message -match "3939" -or $_.message -match "3675" -or $_.message -match "666" -or $_.message -match "473" -or $_.message -match "5649" -or $_.message -match "4455" -or $_.message -match "4433" -or $_.message -match "1817" -or $_.message -match "100" -or $_.message -match "65520" -or $_.message -match "1960" -or $_.message -match "1515" -or $_.message -match "743" -or $_.message -match "700" -or $_.message -match "14154" -or $_.message -match "14103" -or $_.message -match "14102" -or $_.message -match "12322" -or $_.message -match "10101" -or $_.message -match "7210" -or $_.message -match "4040" -or $_.message -match "9943")) -and -not ((($_.ID -eq "3") -and ($_.message -match "Image.*.*\Program Files.*" -or (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match "DestinationIp.*172.20..*" -or $_.message -match "DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127..*") -and $_.message -match "DestinationIsIpv6.*false"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . 
Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/network_connection/sysmon_notepad_network_connection.ps1 b/Rules/SIGMA/network_connection/sysmon_notepad_network_connection.ps1 new file mode 100644 index 00000000..236bef72 --- /dev/null +++ b/Rules/SIGMA/network_connection/sysmon_notepad_network_connection.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and $_.message -match "Image.*.*\notepad.exe" -and -not ($_.message -match "DestinationPort.*9100")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_notepad_network_connection"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_notepad_network_connection"; + $detectedMessage = "Detects suspicious network connection by Notepad"; + $result = $event | where { (($_.ID -eq "3") -and $_.message -match "Image.*.*\\notepad.exe" -and -not ($_.message -match "DestinationPort.*9100")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/network_connection/sysmon_powershell_network_connection.ps1 b/Rules/SIGMA/network_connection/sysmon_powershell_network_connection.ps1 new file mode 100644 index 00000000..9ce39337 --- /dev/null +++ b/Rules/SIGMA/network_connection/sysmon_powershell_network_connection.ps1 
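Review bot: The port list is matched against the whole message with bare numbers, so `$_.message -match "100"`, `"200"`, `"198"`, `"243"`, `"666"`, `"700"` and the rest hit process IDs, IP octets, GUIDs and the timestamp of almost every event, which turns the rule into "any initiated connection not excluded by the filter"; the match must be tied to the field and bounded, e.g. `$_.message -match "DestinationPort: (4443|2448|8143|1777|1443|243|65535|13506|3360|200|198|49180|13507|6625|4444|4438|1904|13505|13504|12102|9631|5445|2443|777|13394|13145|12103|5552|3939|3675|666|473|5649|4455|4433|1817|100|65520|1960|1515|743|700|14154|14103|14102|12322|10101|7210|4040|9943)\b"` (assuming the `DestinationPort: value` rendering). Inside the exclusion, `Image.*.*\Program Files.*` uses a single backslash where the sibling rules write `\\`; .NET reads `\P` as a Unicode-category escape and, with no `{...}` after it, I expect a regex parse error the first time the exclusion is evaluated, which with the over-broad selection is nearly every connection. The `DestinationIp.*10..*` family has the unescaped-dot problem seen in the other network rules, and the inner `($_.ID -eq "3")` inside the `-not` is redundant with the outer one.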
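Review bot: The printer-port exclusion `DestinationPort.*9100` is unanchored on both sides, so connections to ports such as 19100 or 29100 are excluded as well; `$_.message -match "DestinationPort: 9100\b"` is the precise form (assuming the Sysmon `Field: value` rendering). This is also the only network_connection rule in the change without an `Initiated.*true` check, so inbound connections to notepad.exe would be reported too; if that mirrors the source rule it is fine, but it is worth a comment. The dot in `notepad.exe` should be `\.`.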
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "Image.*.*\powershell.exe" -and $_.message -match "Initiated.*true" -and $_.message -match "DestinationIsIpv6.*false") -and -not (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match "DestinationIp.*172.20..*" -or $_.message -match "DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127.0.0.1.*") -and $_.message -match "DestinationIsIpv6.*false" -and $_.message -match "User.*NT AUTHORITY\SYSTEM" -and $_.message -match "User.*.*AUT.*" -and $_.message -match "User.*.* NT.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_powershell_network_connection"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_powershell_network_connection"; + $detectedMessage = "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g."; + $result = $event | where { (($_.ID -eq "3") -and ($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "Initiated.*true" -and $_.message -match 
"DestinationIsIpv6.*false") -and -not (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match "DestinationIp.*172.20..*" -or $_.message -match "DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127.0.0.1.*") -and $_.message -match "DestinationIsIpv6.*false" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "User.*.*AUT.*" -and $_.message -match "User.*.* NT.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/network_connection/sysmon_rdp_reverse_tunnel.ps1 b/Rules/SIGMA/network_connection/sysmon_rdp_reverse_tunnel.ps1 new file mode 100644 index 00000000..9293c04a --- /dev/null +++ b/Rules/SIGMA/network_connection/sysmon_rdp_reverse_tunnel.ps1 
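Review bot: `$detectedMessage` is cut off mid-sentence — it ends with `adjust to your environment (e.g.` — so the text printed on a hit is truncated; the conversion presumably stopped at a quote or comma in the source description, so either finish the sentence or close it as `"... - adjust to your environment."`. In the exclusion, `User.*.*AUT.*` and `User.*.* NT.*` are implied by `User.*NT AUTHORITY\\SYSTEM` and add nothing when combined with `-and`; if they were meant as language-independent alternatives for the SYSTEM account they need `-or`, and the double `DestinationIsIpv6.*false` test can be removed from one side. The private-range patterns have unescaped dots and a leading `.*`, so `DestinationIp.*10..*` excludes any address containing `10`; anchor and escape them, e.g. `$_.message -match "DestinationIp: (10\.|127\.0\.0\.1|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)"`, confirming the `Field: value` rendering first.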
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "Image.*.*\svchost.exe" -and $_.message -match "Initiated.*true" -and $_.message -match "SourcePort.*3389") -and (($_.message -match "DestinationIp.*127..*") -or ($_.message -match "::1"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_rdp_reverse_tunnel"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_rdp_reverse_tunnel"; + $detectedMessage = "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389"; + $result = $event | where { (($_.ID -eq "3") -and ($_.message -match "Image.*.*\\svchost.exe" -and $_.message -match "Initiated.*true" -and $_.message -match "SourcePort.*3389") -and (($_.message -match "DestinationIp.*127..*") -or ($_.message -match "::1"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/network_connection/sysmon_regsvr32_network_activity.ps1 b/Rules/SIGMA/network_connection/sysmon_regsvr32_network_activity.ps1 new file mode 100644 index 00000000..6df086f2 --- /dev/null +++ b/Rules/SIGMA/network_connection/sysmon_regsvr32_network_activity.ps1 
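Review bot: `SourcePort.*3389` is a substring match, so an svchost connection from ephemeral source port 13389, 23389 or 43389 to loopback is reported too; bound it as `$_.message -match "SourcePort: 3389\b"`. Likewise `$_.message -match "::1"` is not tied to any field, so `::1` in the SourceIp line (or anywhere else in the text) satisfies the loopback check, and `DestinationIp.*127..*` with its unescaped dots matches `127` anywhere in the address; the destination-side form `$_.message -match "DestinationIp: (127\.|::1)"` replaces both. All of these assume the Sysmon `Field: value` per-line rendering — confirm on a sample event.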
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "3" -and $_.message -match "Image.*.*\\regsvr32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "22" -and $_.message -match "Image.*.*\\regsvr32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+
+function Add-Rule {
+
+ $ruleName = "sysmon_regsvr32_network_activity";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+ $ruleName = "sysmon_regsvr32_network_activity";
+ $detectedMessage = "Detects network connections and DNS queries initiated by Regsvr32.exe";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "3" -and $_.message -match "Image.*.*\\regsvr32.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "22" -and $_.message -match "Image.*.*\\regsvr32.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/network_connection/sysmon_remote_powershell_session_network.ps1 b/Rules/SIGMA/network_connection/sysmon_remote_powershell_session_network.ps1
new file mode 100644
index 00000000..35166537
--- /dev/null
+++ b/Rules/SIGMA/network_connection/sysmon_remote_powershell_session_network.ps1
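Review bot: The two `$tmp = $event | where { ... }` passes differ only in the event ID, so one filter, `($_.ID -eq "3" -or $_.ID -eq "22") -and $_.message -match 'Image:.*\\regsvr32\.exe\b'`, walks `$event` once and prints a single detection block instead of two. As written the two `$tmp` assignments also omit the trailing `;` that every other statement in the file carries, and `regsvr32.exe` leaves its dot unescaped. If the two passes are kept deliberately to mirror the two Sigma selections, a one-line comment saying so would stop the next reader from merging them.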
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "5985" -or $_.message -match "5986") -and -not ($_.message -match "User.*NT AUTHORITY\NETWORK SERVICE")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_remote_powershell_session_network";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_remote_powershell_session_network";
+ $detectedMessage = "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.";
+ $result = $event | where { (($_.ID -eq "3") -and ($_.message -match "5985" -or $_.message -match "5986") -and -not ($_.message -match "User.*NT AUTHORITY\NETWORK SERVICE")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/network_connection/sysmon_rundll32_net_connections.ps1 b/Rules/SIGMA/network_connection/sysmon_rundll32_net_connections.ps1
new file mode 100644
index 00000000..5953bde5
--- /dev/null
+++ b/Rules/SIGMA/network_connection/sysmon_rundll32_net_connections.ps1
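Review bot: The exclusion `"User.*NT AUTHORITY\NETWORK SERVICE"` uses a single backslash, unlike every other code pattern on this page; PowerShell keeps `\N` in the double-quoted string and the .NET regex parser rejects `\N` as an unrecognized escape, so `-match` raises an error for each event instead of excluding the service account. Change it to `"User.*NT AUTHORITY\\NETWORK SERVICE"`. The port tests `-match "5985"` and `-match "5986"` also hit those digits anywhere in the message — a source port, an address, a process id — so `'DestinationPort:\s*598[56]\b'` would be considerably more precise and replaces both clauses.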
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "Image.*.*\rundll32.exe" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match "DestinationIp.*172.20..*" -or $_.message -match "DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127..*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_rundll32_net_connections";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_rundll32_net_connections";
+ $detectedMessage = "Detects a rundll32 that communicates with public IP addresses";
+ $result = $event | where { (($_.ID -eq "3") -and ($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match "DestinationIp.*172.20..*" -or $_.message -match 
"DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127..*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/network_connection/sysmon_susp_prog_location_network_connection.ps1 b/Rules/SIGMA/network_connection/sysmon_susp_prog_location_network_connection.ps1
new file mode 100644
index 00000000..a50b2fee
--- /dev/null
+++ b/Rules/SIGMA/network_connection/sysmon_susp_prog_location_network_connection.ps1
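Review bot: The private-range exclusions are unanchored and their dots are wildcards, so `"DestinationIp.*10..*"` is satisfied by any address containing `10` followed by one more character — a constructed public 104.16.1.1 or 203.0.113.10 is excluded — and the 192.168/172.x clauses behave the same way, which makes the list a source of silent false negatives for a rule whose stated purpose is public destinations. One anchored alternation replaces all nineteen clauses: `-not ($_.message -match 'DestinationIp:\s*(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')`. The preceding hunk, whose start lies outside this chunk, carries the same list and needs the same fix. The `if (! ...) { }` / `else { }` layout here also differs from the `if(! ...) { } else {` spelling in the rdp_reverse_tunnel and remote_powershell hunks; one form across the rule set would help.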
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and (($_.message -match "Image.*.*\Users\All Users\.*" -or $_.message -match "Image.*.*\Users\Default\.*" -or $_.message -match "Image.*.*\Users\Public\.*" -or $_.message -match "Image.*.*\Users\Contacts\.*" -or $_.message -match "Image.*.*\Users\Searches\.*" -or $_.message -match "Image.*.*\config\systemprofile\.*" -or $_.message -match "Image.*.*\Windows\Fonts\.*" -or $_.message -match "Image.*.*\Windows\IME\.*" -or $_.message -match "Image.*.*\Windows\addins\.*") -or ($_.message -match "Image.*.*\$Recycle.bin") -or ($_.message -match "Image.*C:\Perflogs\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_prog_location_network_connection";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_prog_location_network_connection";
+ $detectedMessage = "Detects programs with network connections running in suspicious files system locations";
+ $result = $event | where { (($_.ID -eq "3") -and (($_.message -match "Image.*.*\\Users\\All Users\\.*" -or $_.message -match "Image.*.*\\Users\\Default\\.*" -or $_.message -match "Image.*.*\\Users\\Public\\.*" -or $_.message -match "Image.*.*\\Users\\Contacts\\.*" -or $_.message -match "Image.*.*\\Users\\Searches\\.*" -or $_.message -match "Image.*.*\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Windows\\Fonts\\.*" -or $_.message -match "Image.*.*\\Windows\\IME\\.*" -or $_.message -match "Image.*.*\\Windows\\addins\\.*") -or ($_.message -match "Image.*.*\\$Recycle.bin") -or ($_.message -match "Image.*C:\\Perflogs\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . 
Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/network_connection/sysmon_susp_rdp.ps1 b/Rules/SIGMA/network_connection/sysmon_susp_rdp.ps1
new file mode 100644
index 00000000..571c9fde
--- /dev/null
+++ b/Rules/SIGMA/network_connection/sysmon_susp_rdp.ps1
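Review bot: `"Image.*.*\\$Recycle.bin"` is a double-quoted string, so PowerShell expands `$Recycle` as a variable; it is undefined, the pattern silently becomes `Image.*.*\\.bin`, and the recycle-bin location this rule is meant to cover is never matched. Use single quotes and escape the regex metacharacters: `$_.message -match 'Image:.*\\\$Recycle\.bin'`. Every other pattern in this rule is a literal path too, so single-quoting all of them would prevent the same slip when a path containing `$` is added later. The `. Search-DetectableEvents $args;` line that closes the function is split across two physical lines here, which looks like a rendering artifact rather than a change in the file.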
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "DestinationPort.*3389" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "Image.*.*\\mstsc.exe" -or $_.message -match "Image.*.*\\RTSApp.exe" -or $_.message -match "Image.*.*\\RTS2App.exe" -or $_.message -match "Image.*.*\\RDCMan.exe" -or $_.message -match "Image.*.*\\ws_TunnelService.exe" -or $_.message -match "Image.*.*\\RSSensor.exe" -or $_.message -match "Image.*.*\\RemoteDesktopManagerFree.exe" -or $_.message -match "Image.*.*\\RemoteDesktopManager.exe" -or $_.message -match "Image.*.*\\RemoteDesktopManager64.exe" -or $_.message -match "Image.*.*\\mRemoteNG.exe" -or $_.message -match "Image.*.*\\mRemote.exe" -or $_.message -match "Image.*.*\\Terminals.exe" -or $_.message -match "Image.*.*\\spiceworks-finder.exe" -or $_.message -match "Image.*.*\\FSDiscovery.exe" -or $_.message -match "Image.*.*\\FSAssessment.exe" -or $_.message -match "Image.*.*\\MobaRTE.exe" -or $_.message -match "Image.*.*\\chrome.exe" -or $_.message -match "Image.*.*\\thor.exe" -or $_.message -match "Image.*.*\\thor64.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_rdp";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_rdp";
+ $detectedMessage = "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement";
+ $result = $event | where { (($_.ID -eq "3") -and ($_.message -match "DestinationPort.*3389" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "Image.*.*\\mstsc.exe" -or $_.message -match "Image.*.*\\RTSApp.exe" -or $_.message -match "Image.*.*\\RTS2App.exe" -or $_.message -match "Image.*.*\\RDCMan.exe" -or $_.message -match "Image.*.*\\ws_TunnelService.exe" -or $_.message -match "Image.*.*\\RSSensor.exe" -or $_.message -match 
"Image.*.*\\RemoteDesktopManagerFree.exe" -or $_.message -match "Image.*.*\\RemoteDesktopManager.exe" -or $_.message -match "Image.*.*\\RemoteDesktopManager64.exe" -or $_.message -match "Image.*.*\\mRemoteNG.exe" -or $_.message -match "Image.*.*\\mRemote.exe" -or $_.message -match "Image.*.*\\Terminals.exe" -or $_.message -match "Image.*.*\\spiceworks-finder.exe" -or $_.message -match "Image.*.*\\FSDiscovery.exe" -or $_.message -match "Image.*.*\\FSAssessment.exe" -or $_.message -match "Image.*.*\\MobaRTE.exe" -or $_.message -match "Image.*.*\\chrome.exe" -or $_.message -match "Image.*.*\\thor.exe" -or $_.message -match "Image.*.*\\thor64.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/network_connection/sysmon_suspicious_outbound_kerberos_connection.ps1 b/Rules/SIGMA/network_connection/sysmon_suspicious_outbound_kerberos_connection.ps1
new file mode 100644
index 00000000..103fe652
--- /dev/null
+++ b/Rules/SIGMA/network_connection/sysmon_suspicious_outbound_kerberos_connection.ps1
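Review bot: `"DestinationPort.*3389"` is unanchored, so destination ports 33890–33899 match as well, and each exclusion such as `\\mstsc.exe` leaves the dot unescaped; `'DestinationPort:\s*3389\b'` and `'\\mstsc\.exe\b'` pin the values. The nineteen `-or` clauses could collapse into one alternation, `'\\(mstsc|RTSApp|RTS2App|RDCMan|ws_TunnelService|RSSensor|RemoteDesktopManagerFree|RemoteDesktopManager|RemoteDesktopManager64|mRemoteNG|mRemote|Terminals|spiceworks-finder|FSDiscovery|FSAssessment|MobaRTE|chrome|thor|thor64)\.exe\b'`, which is easier to audit than the current line. Since the allowlist is evaluated on the image file name only, a comment to that effect would set expectations for whoever tunes it.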
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "DestinationPort.*88" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "Image.*.*\lsass.exe" -or $_.message -match "Image.*.*\opera.exe" -or $_.message -match "Image.*.*\chrome.exe" -or $_.message -match "Image.*.*\firefox.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_suspicious_outbound_kerberos_connection";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_suspicious_outbound_kerberos_connection";
+ $detectedMessage = "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.";
+ $result = $event | where { (($_.ID -eq "3") -and ($_.message -match "DestinationPort.*88" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\opera.exe" -or $_.message -match "Image.*.*\\chrome.exe" -or $_.message -match "Image.*.*\\firefox.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/network_connection/sysmon_win_binary_github_com.ps1 b/Rules/SIGMA/network_connection/sysmon_win_binary_github_com.ps1
new file mode 100644
index 00000000..47bae1e2
--- /dev/null
+++ b/Rules/SIGMA/network_connection/sysmon_win_binary_github_com.ps1
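Review bot: `"DestinationPort.*88"` matches any port whose digits contain `88` — a constructed 3388, 1880 or 8888 — so the rule will flag far more than Kerberos traffic and the description of the alert becomes misleading; change it to `'DestinationPort:\s*88\b'`. The exclusions `\\lsass.exe`, `\\opera.exe`, `\\chrome.exe`, `\\firefox.exe` leave the dots unescaped and could be one alternation, `'\\(lsass|opera|chrome|firefox)\.exe\b'`. The header comment writes the same names with a single backslash (`\lsass.exe`), which the code correctly doubles, so the comment does not run as the code does.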
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "3" -and $_.message -match "Initiated.*true" -and ($_.message -match "DestinationHostname.*.*.github.com" -or $_.message -match "DestinationHostname.*.*.githubusercontent.com") -and $_.message -match "Image.*C:\Windows\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_win_binary_github_com";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_win_binary_github_com";
+ $detectedMessage = "Detects an executable in the Windows folder accessing github.com";
+ $result = $event | where { ($_.ID -eq "3" -and $_.message -match "Initiated.*true" -and ($_.message -match "DestinationHostname.*.*.github.com" -or $_.message -match "DestinationHostname.*.*.githubusercontent.com") -and $_.message -match "Image.*C:\\Windows\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/network_connection/sysmon_win_binary_susp_com.ps1 b/Rules/SIGMA/network_connection/sysmon_win_binary_susp_com.ps1
new file mode 100644
index 00000000..382c0333
--- /dev/null
+++ b/Rules/SIGMA/network_connection/sysmon_win_binary_susp_com.ps1
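Review bot: `"DestinationHostname.*.*.github.com"` treats every `.` as a wildcard, so a hostname merely containing `github` followed by any character and `com` (a constructed `mygithubXcom`) matches, and nothing anchors the end of the name. `'DestinationHostname:.*\b(github|githubusercontent)\.com\b'` states the intent in one clause; the win_binary_susp_com hunk below needs the same treatment for `dl.dropboxusercontent.com`, `pastebin.com` and `githubusercontent.com`. DestinationHostname is only populated when Sysmon can resolve the destination, so a short header comment that the rule depends on name resolution would help readers judge its coverage. `"Image.*C:\\Windows\\.*"` also matches paths such as `C:\Windows.old\...` or `C:\Windows\Temp\...` — presumably acceptable, but worth a comment if so.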
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "3" -and $_.message -match "Initiated.*true" -and ($_.message -match "DestinationHostname.*.*dl.dropboxusercontent.com" -or $_.message -match "DestinationHostname.*.*.pastebin.com" -or $_.message -match "DestinationHostname.*.*.githubusercontent.com") -and $_.message -match "Image.*C:\Windows\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_win_binary_susp_com";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_win_binary_susp_com";
+ $detectedMessage = "Detects an executable in the Windows folder accessing suspicious domains";
+ $result = $event | where { ($_.ID -eq "3" -and $_.message -match "Initiated.*true" -and ($_.message -match "DestinationHostname.*.*dl.dropboxusercontent.com" -or $_.message -match "DestinationHostname.*.*.pastebin.com" -or $_.message -match "DestinationHostname.*.*.githubusercontent.com") -and $_.message -match "Image.*C:\\Windows\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/network_connection/sysmon_wuauclt_network_connection.ps1 b/Rules/SIGMA/network_connection/sysmon_wuauclt_network_connection.ps1
new file mode 100644
index 00000000..06c0c802
--- /dev/null
+++ b/Rules/SIGMA/network_connection/sysmon_wuauclt_network_connection.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "3" -and $_.message -match "Image.*.*wuauclt.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_wuauclt_network_connection";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_wuauclt_network_connection";
+ $detectedMessage = "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.";
+ $result = $event | where { ($_.ID -eq "3" -and $_.message -match "Image.*.*wuauclt.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_defender_amsi_trigger.ps1 b/Rules/SIGMA/other/win_defender_amsi_trigger.ps1
new file mode 100644
index 00000000..1408a6d5
--- /dev/null
+++ b/Rules/SIGMA/other/win_defender_amsi_trigger.ps1
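Review bot: `"Image.*.*wuauclt.*"` matches the substring anywhere after `Image`, so any path containing `wuauclt` qualifies, not only the Windows Update Client binary; `'Image:.*\\wuauclt\.exe\b'` is the precise form. The filter also has no exclusion for ordinary Windows Update destinations, so every routine update check by wuauclt.exe will be reported; if that is intended, a header comment should say the rule is expected to be noisy and tuned per environment, because the detectedMessage implies only proxied execution is caught.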
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {($_.ID -eq "1116" -and $_.message -match "DetectionSource.*AMSI") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_defender_amsi_trigger";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_defender_amsi_trigger";
+ $detectedMessage = "Detects triggering of AMSI by Windows Defender.";
+ $result = $event | where { ($_.ID -eq "1116" -and $_.message -match "DetectionSource.*AMSI") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_defender_bypass.ps1 b/Rules/SIGMA/other/win_defender_bypass.ps1
new file mode 100644
index 00000000..7c0b0d91
--- /dev/null
+++ b/Rules/SIGMA/other/win_defender_bypass.ps1
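Review bot: The reference one-liner in the header comment passes `-LogName Microsoft-Windows-Windows Defender/Operational` unquoted; the space splits it into two arguments, so the comment does not run as written. Quote it: `# Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | where {...}`. The same unquoted log name appears in the header comments of the win_defender_disabled, win_defender_exclusions, win_defender_history_delete, win_defender_tamper_protection_trigger and win_defender_threat hunks below, and `-LogName MSExchange Management` in the win_exchange_TransportAgent_failed hunk has the same problem.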
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {(($_.ID -eq "4657" -or $_.ID -eq "4656" -or $_.ID -eq "4660" -or $_.ID -eq "4663") -and $_.message -match "ObjectName.*.*\Microsoft\Windows Defender\Exclusions\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_defender_bypass";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_defender_bypass";
+ $detectedMessage = "'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'";
+ $result = $event | where { (($_.ID -eq "4657" -or $_.ID -eq "4656" -or $_.ID -eq "4660" -or $_.ID -eq "4663") -and $_.message -match "ObjectName.*.*\\Microsoft\\Windows Defender\\Exclusions\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_defender_disabled.ps1 b/Rules/SIGMA/other/win_defender_disabled.ps1
new file mode 100644
index 00000000..b68deed3
--- /dev/null
+++ b/Rules/SIGMA/other/win_defender_disabled.ps1
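Review bot: The `$detectedMessage` string carries a stray pair of single quotes inside the double quotes, so the alert prints as `'Detects scenarios ...'` with literal quotes; `$detectedMessage = "Detects scenarios where a Windows Defender exclusion was added in the registry by an entity wanting to bypass antivirus scanning by Windows Defender";` fixes that and the grammar. Security events 4656/4657/4660/4663 for this key are only generated when object-access auditing is enabled and a SACL is set on the Exclusions key, so a header comment stating that prerequisite would tell operators why the rule may never fire on a default install.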
@@ -0,0 +1,43 @@
+# Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where { ((($_.ID -eq "5001" -or $_.ID -eq "5010" -or $_.ID -eq "5012" -or $_.ID -eq "5101") -or (($_.message -match "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" -or $_.message -match "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender" -or $_.message -match "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender") -and $_.message -match "Details.*DWORD (0x00000001)"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" -and $_.message -match "Details.*DWORD (0x00000001)") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "7036" -and $_.message -match "Message.*The Windows Defender Antivirus Service service entered the stopped state") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_defender_disabled";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_defender_disabled";
+ $detectedMessage = "Detects disabling Windows Defender threat protection";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ((($_.ID -eq "5001" -or $_.ID -eq "5010" -or $_.ID -eq "5012" -or $_.ID -eq "5101") -or (($_.message -match "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" -or $_.message -match "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender" -or $_.message -match "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender") -and $_.message -match "Details.*DWORD (0x00000001)"))) 
} | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" -and $_.message -match "Details.*DWORD (0x00000001)") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "7036" -and $_.message -match "Message.*The Windows Defender Antivirus Service service entered the stopped state") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_defender_exclusions.ps1 b/Rules/SIGMA/other/win_defender_exclusions.ps1
new file mode 100644
index 00000000..20c49256
--- /dev/null
+++ b/Rules/SIGMA/other/win_defender_exclusions.ps1
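Review bot: `"Details.*DWORD (0x00000001)"` treats the parentheses as a capture group, so the regex requires `DWORD ` followed directly by `0x00000001`; Sysmon's registry events render the value as `DWORD (0x00000001)` with literal parentheses, so the second filter's DisableAntiSpyware test never matches, and the same pattern in the first filter's registry branch has the same problem. Escape them: `'Details:.*DWORD \(0x00000001\)'`. The third filter looks for event 7036, which the Service Control Manager writes to the System log, while the header comment queries Microsoft-Windows-Sysmon/Operational, so that comment cannot return the event it documents; if the loader feeds all logs into `$event` the code still works, but the comment should name the System log. Both `$tmp` blocks also repeat the detection print loop used in the regsvr32 and exclusions hunks; a shared helper would keep the four copies in step.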
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where { (($_.ID -eq "5007") -and ($_.message -match "New Value.*.*\\Microsoft\\Windows Defender\\Exclusions.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.ID -eq "13") -and ($_.message -match "TargetObject.*.*\\Microsoft\\Windows Defender\\Exclusions.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_defender_exclusions";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_defender_exclusions";
+ $detectedMessage = "Detects the Setting of Windows Defender Exclusions";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { (($_.ID -eq "5007") -and ($_.message -match "New Value.*.*\\Microsoft\\Windows Defender\\Exclusions.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+ $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.ID -eq "13") -and ($_.message -match "TargetObject.*.*\\Microsoft\\Windows Defender\\Exclusions.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_defender_history_delete.ps1 b/Rules/SIGMA/other/win_defender_history_delete.ps1
new file mode 100644
index 00000000..0c626f69
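Review bot: The second filter's `($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.ID -eq "13")` reduces to `$_.ID -eq "13"`; the three-way disjunction is dead and should be dropped so the condition states what it actually checks. The two `$tmp` assignments also omit the trailing `;` used everywhere else in the file. Both passes could be one `where` joining the two ID/field combinations with `-or`, which would also print one detection block per run instead of up to two.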
--- /dev/null
+++ b/Rules/SIGMA/other/win_defender_history_delete.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {($_.ID -eq "1013" -and $_.message -match "EventType.*4") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_defender_history_delete";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_defender_history_delete";
+ $detectedMessage = "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message ""Windows Defender Antivirus has removed history of malware and other potentially unwanted software"".";
+ $result = $event | where { ($_.ID -eq "1013" -and $_.message -match "EventType.*4") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_defender_psexec_wmi_asr.ps1 b/Rules/SIGMA/other/win_defender_psexec_wmi_asr.ps1
new file mode 100644
index 00000000..651daa5e
--- /dev/null
+++ b/Rules/SIGMA/other/win_defender_psexec_wmi_asr.ps1
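Review bot: `"EventType.*4"` is satisfied by any `4` after `EventType` on that line, so a constructed value of 14 or 40 matches too and the filter is looser than the description claims; if the rendered field is `EventType: 4`, then `'EventType:\s*4\b'` matches only the deletion type. The detectedMessage already quotes the expected log text, which is useful — consider matching on that text as a second condition, since it is what the description promises rather than the numeric field.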
@@ -0,0 +1,32 @@
+# Get-WinEvent | where {($_.ID -eq "1121" -and ($_.message -match "ProcessName.*.*\wmiprvse.exe" -or $_.message -match "ProcessName.*.*\psexesvc.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_defender_psexec_wmi_asr";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_defender_psexec_wmi_asr";
+ $detectedMessage = "Detects blocking of process creations originating from PSExec and WMI commands";
+ $result = $event | where { ($_.ID -eq "1121" -and ($_.message -match "ProcessName.*.*\\wmiprvse.exe" -or $_.message -match "ProcessName.*.*\\psexesvc.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_defender_tamper_protection_trigger.ps1 b/Rules/SIGMA/other/win_defender_tamper_protection_trigger.ps1
new file mode 100644
index 00000000..af0730be
--- /dev/null
+++ b/Rules/SIGMA/other/win_defender_tamper_protection_trigger.ps1
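Review bot: The header comment's `Get-WinEvent` has no `-LogName`, unlike every other rule on this page, so as written it would enumerate every event log on the host; ASR block event 1121 is written to the Defender operational log, and the comment should say so: `# Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | where {...}`. It is also worth confirming the field label the regex keys on — if the rendered message uses `Process Name:` with a space rather than `ProcessName`, neither alternative will ever match, and a comment recording which rendering was tested would save the next reader the same check. The comment's `\wmiprvse.exe` uses one backslash where the code correctly has `\\`.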
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {(($_.ID -eq "5013") -and ($_.message -match "Value.*.*\Windows Defender\DisableAntiSpyware = 0x1()" -or $_.message -match "Value.*.*\Real-Time Protection\DisableRealtimeMonitoring = (Current)")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_defender_tamper_protection_trigger";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_defender_tamper_protection_trigger";
+ $detectedMessage = "Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection";
+ $result = $event | where { (($_.ID -eq "5013") -and ($_.message -match "Value.*.*\\Windows Defender\\DisableAntiSpyware = 0x1()" -or $_.message -match "Value.*.*\\Real-Time Protection\\DisableRealtimeMonitoring = (Current)")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_defender_threat.ps1 b/Rules/SIGMA/other/win_defender_threat.ps1
new file mode 100644
index 00000000..fc36f5a9
--- /dev/null
+++ b/Rules/SIGMA/other/win_defender_threat.ps1
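Review bot: The parentheses in `0x1()` and `(Current)` are regex groups, not literal characters: `0x1()` matches plain `0x1` and `= (Current)` requires the text `= Current`. If the 5013 message renders these with literal parentheses, as the header comment suggests, the patterns need escaping — `'DisableAntiSpyware = 0x1\(\)'` and `'DisableRealtimeMonitoring = \(Current\)'` — and if it does not, the empty group in `0x1()` is noise and should be removed; either way a comment quoting the rendered `Value:` line would make the intent checkable. The header comment's `\Windows Defender\DisableAntiSpyware` also uses single backslashes where the code has `\\`.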
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {(($_.ID -eq "1006" -or $_.ID -eq "1116" -or $_.ID -eq "1015" -or $_.ID -eq "1117")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_defender_threat";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_defender_threat";
+ $detectedMessage = "Detects all actions taken by Windows Defender malware detection engines";
+ $result = $event | where { (($_.ID -eq "1006" -or $_.ID -eq "1116" -or $_.ID -eq "1015" -or $_.ID -eq "1117")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_exchange_TransportAgent_failed.ps1 b/Rules/SIGMA/other/win_exchange_TransportAgent_failed.ps1
new file mode 100644
index 00000000..668c5464
--- /dev/null
+++ b/Rules/SIGMA/other/win_exchange_TransportAgent_failed.ps1
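Review bot: The filter keys only on `$_.ID -eq "1006"/"1116"/"1015"/"1117"` with no provider or log constraint, although the commented query on the first line restricts the search to `Microsoft-Windows-Windows Defender/Operational`. Event IDs are only unique per provider, so if `$event` carries records from several logs an ID 1006 or 1015 from an unrelated source is reported as a Defender detection; adding `$_.LogName -eq "Microsoft-Windows-Windows Defender/Operational" -and (...)` (or an equivalent `ProviderName` test) keeps the rule faithful to its source. The same gap applies to every other rule in this set whose leading comment names a `-LogName` (L324, L326, L327, L332–L346): the log is recorded in the comment but never enforced in the filter.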
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName MSExchange Management | where {($_.message -match ".*Install-TransportAgent.*" -and $_.ID -eq "6") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_exchange_TransportAgent_failed";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_exchange_TransportAgent_failed";
+ $detectedMessage = "Detects a failed installation of a Exchange Transport Agent";
+ $result = $event | where { ($_.message -match ".*Install-TransportAgent.*" -and $_.ID -eq "6") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_lateral_movement_condrv.ps1 b/Rules/SIGMA/other/win_lateral_movement_condrv.ps1
new file mode 100644
index 00000000..7d8f3332
--- /dev/null
+++ b/Rules/SIGMA/other/win_lateral_movement_condrv.ps1
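Review bot: `$detectedMessage` reads `"Detects a failed installation of a Exchange Transport Agent"`; it should be `an Exchange`. As a style point the filter runs the regex before the cheap ID comparison; `($_.ID -eq "6" -and $_.message -match "Install-TransportAgent")` short-circuits on the ID first and drops the leading/trailing `.*`, which an unanchored `-match` does not need.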
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4674" -and $_.message -match "ObjectServer.*Security" -and $_.message -match "ObjectType.*File" -and $_.message -match "ObjectName.*\Device\ConDrv") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_lateral_movement_condrv";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_lateral_movement_condrv";
+ $detectedMessage = "This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context.";
+ $result = $event | where { ($_.ID -eq "4674" -and $_.message -match "ObjectServer.*Security" -and $_.message -match "ObjectType.*File" -and $_.message -match "ObjectName.*\\Device\\ConDrv") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_ldap_recon.ps1 b/Rules/SIGMA/other/win_ldap_recon.ps1
new file mode 100644
index 00000000..8bd997b0
--- /dev/null
+++ b/Rules/SIGMA/other/win_ldap_recon.ps1
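Review bot: The 4674 filter looks for the contiguous tokens `ObjectServer`, `ObjectType` and `ObjectName`, but the rendered Security event text spells these fields with spaces (`Object Server:`, `Object Type:`, `Object Name:`), so as far as I can tell none of the three `-match` tests ever succeeds against `$_.message` and the rule is silent. The converter kept the Sigma field names rather than the message labels; the working form would be `$_.message -match "Object Server:.*Security" -and $_.message -match "Object Type:.*File" -and $_.message -match "Object Name:.*\\Device\\ConDrv"`. The 4662 query in win_wmi_persistence (L337) has the same `ObjectType`/`ObjectName` problem. Confirm against a real 4674 record before changing, since label text is locale dependent.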
@@ -0,0 +1,32 @@ +# Get-WinEvent | where {((($_.ID -eq "30" -and ($_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483648).*" -or $_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483656).*" -or $_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483652).*" -or $_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483650).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=805306369).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=805306368).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=536870913).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=536870912).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=268435457).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=268435456).*" -or $_.message -match "SearchFilter.*.*(objectCategory=groupPolicyContainer).*" -or $_.message -match "SearchFilter.*.*(objectCategory=organizationalUnit).*" -or $_.message -match "SearchFilter.*.*(objectCategory=Computer).*" -or $_.message -match "SearchFilter.*.*(objectCategory=nTDSDSA).*" -or $_.message -match "SearchFilter.*.*(objectCategory=server).*" -or $_.message -match "SearchFilter.*.*(objectCategory=domain).*" -or $_.message -match "SearchFilter.*.*(objectCategory=person).*" -or $_.message -match "SearchFilter.*.*(objectCategory=group).*" -or $_.message -match "SearchFilter.*.*(objectCategory=user).*" -or $_.message -match "SearchFilter.*.*(objectClass=trustedDomain).*" -or $_.message -match "SearchFilter.*.*(objectClass=computer).*" -or $_.message -match "SearchFilter.*.*(objectClass=server).*" -or $_.message -match "SearchFilter.*.*(objectClass=group).*" -or $_.message -match "SearchFilter.*.*(objectClass=user).*" -or $_.message -match "SearchFilter.*.*(primaryGroupID=521).*" -or $_.message -match "SearchFilter.*.*(primaryGroupID=516).*" -or $_.message -match "SearchFilter.*.*(primaryGroupID=515).*" -or $_.message -match 
"SearchFilter.*.*(primaryGroupID=512).*" -or $_.message -match "SearchFilter.*.*Domain Admins.*")) -and -not ($_.ID -eq "30" -and ($_.message -match "SearchFilter.*.*(domainSid=.*).*" -or $_.message -match "SearchFilter.*.*(objectSid=.*).*"))) -or ($_.ID -eq "30" -and ($_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=4194304).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=2097152).*" -or $_.message -match "SearchFilter.*.*!(userAccountControl:1.2.840.113556.1.4.803:=1048574).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=524288).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=65536).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=8192).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=544).*" -or $_.message -match "SearchFilter.*.*!(UserAccountControl:1.2.840.113556.1.4.803:=2).*" -or $_.message -match "SearchFilter.*.*msDS-AllowedToActOnBehalfOfOtherIdentity.*" -or $_.message -match "SearchFilter.*.*msDS-AllowedToDelegateTo.*" -or $_.message -match "SearchFilter.*.*(accountExpires=9223372036854775807).*" -or $_.message -match "SearchFilter.*.*(accountExpires=0).*" -or $_.message -match "SearchFilter.*.*(adminCount=1).*" -or $_.message -match "SearchFilter.*.*ms-MCS-AdmPwd.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_ldap_recon"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_ldap_recon"; + $detectedMessage = "Detects possible Active Directory enumeration via LDAP"; + $result = $event | where { ((($_.ID -eq "30" -and ($_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483648).*" -or $_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483656).*" -or $_.message -match 
"SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483652).*" -or $_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483650).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=805306369).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=805306368).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=536870913).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=536870912).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=268435457).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=268435456).*" -or $_.message -match "SearchFilter.*.*(objectCategory=groupPolicyContainer).*" -or $_.message -match "SearchFilter.*.*(objectCategory=organizationalUnit).*" -or $_.message -match "SearchFilter.*.*(objectCategory=Computer).*" -or $_.message -match "SearchFilter.*.*(objectCategory=nTDSDSA).*" -or $_.message -match "SearchFilter.*.*(objectCategory=server).*" -or $_.message -match "SearchFilter.*.*(objectCategory=domain).*" -or $_.message -match "SearchFilter.*.*(objectCategory=person).*" -or $_.message -match "SearchFilter.*.*(objectCategory=group).*" -or $_.message -match "SearchFilter.*.*(objectCategory=user).*" -or $_.message -match "SearchFilter.*.*(objectClass=trustedDomain).*" -or $_.message -match "SearchFilter.*.*(objectClass=computer).*" -or $_.message -match "SearchFilter.*.*(objectClass=server).*" -or $_.message -match "SearchFilter.*.*(objectClass=group).*" -or $_.message -match "SearchFilter.*.*(objectClass=user).*" -or $_.message -match "SearchFilter.*.*(primaryGroupID=521).*" -or $_.message -match "SearchFilter.*.*(primaryGroupID=516).*" -or $_.message -match "SearchFilter.*.*(primaryGroupID=515).*" -or $_.message -match "SearchFilter.*.*(primaryGroupID=512).*" -or $_.message -match "SearchFilter.*.*Domain Admins.*")) -and -not ($_.ID -eq "30" -and ($_.message -match "SearchFilter.*.*(domainSid=.*).*" -or $_.message -match "SearchFilter.*.*(objectSid=.*).*"))) -or ($_.ID -eq "30" -and 
($_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=4194304).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=2097152).*" -or $_.message -match "SearchFilter.*.*!(userAccountControl:1.2.840.113556.1.4.803:=1048574).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=524288).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=65536).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=8192).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=544).*" -or $_.message -match "SearchFilter.*.*!(UserAccountControl:1.2.840.113556.1.4.803:=2).*" -or $_.message -match "SearchFilter.*.*msDS-AllowedToActOnBehalfOfOtherIdentity.*" -or $_.message -match "SearchFilter.*.*msDS-AllowedToDelegateTo.*" -or $_.message -match "SearchFilter.*.*(accountExpires=9223372036854775807).*" -or $_.message -match "SearchFilter.*.*(accountExpires=0).*" -or $_.message -match "SearchFilter.*.*(adminCount=1).*" -or $_.message -match "SearchFilter.*.*ms-MCS-AdmPwd.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/other/win_pcap_drivers.ps1 b/Rules/SIGMA/other/win_pcap_drivers.ps1 new file mode 100644 index 00000000..ed1c88d7 --- /dev/null +++ b/Rules/SIGMA/other/win_pcap_drivers.ps1 
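Review bot: Every LDAP term in the long filter is a `-match` regex, but the source expresses them as `contains` strings, and the literal `(`, `)`, `.` and `!` are taken as metacharacters: `"SearchFilter.*.*(objectCategory=user).*"` matches `objectCategory=user` with or without its parentheses, and `1.2.840.113556.1.4.803` accepts any character at each dot. The result is a looser filter than the source and roughly forty-five regex evaluations per event; building the alternatives once through `[regex]::Escape` (or using `-like '*...*'`) restores the literal meaning and cuts the cost. The `domainSid=`/`objectSid=` exclusion and the separate `userAccountControl` branch look correct. The `Add-Rule` function begins on L328 and this hunk runs across L328–L331.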
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4697" -and ($_.Service File Name -eq "*pcap*" -or $_.message -match "Service File Name.*.*npcap.*" -or $_.message -match "Service File Name.*.*npf.*" -or $_.message -match "Service File Name.*.*nm3.*" -or $_.message -match "Service File Name.*.*ndiscap.*" -or $_.message -match "Service File Name.*.*nmnt.*" -or $_.message -match "Service File Name.*.*windivert.*" -or $_.message -match "Service File Name.*.*USBPcap.*" -or $_.message -match "Service File Name.*.*pktmon.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_pcap_drivers";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_pcap_drivers";
+ $detectedMessage = "Detects Windows Pcap driver installation based on a list of associated .sys files.";
+ $result = $event | where { ($_.ID -eq "4697" -and ($_.message -Like "*pcap*" -or $_.message -match "Service File Name.*.*npcap.*" -or $_.message -match "Service File Name.*.*npf.*" -or $_.message -match "Service File Name.*.*nm3.*" -or $_.message -match "Service File Name.*.*ndiscap.*" -or $_.message -match "Service File Name.*.*nmnt.*" -or $_.message -match "Service File Name.*.*windivert.*" -or $_.message -match "Service File Name.*.*USBPcap.*" -or $_.message -match "Service File Name.*.*pktmon.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
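Review bot: The first alternative, `$_.message -Like "*pcap*"`, matches `pcap` anywhere in the 4697 message (service name, account name, any path), whereas the commented source query and the other eight alternatives target the `Service File Name` field; the converter appears to have fallen back to a whole-message wildcard when it met a field name containing spaces. `$_.message -match "Service File Name.*pcap"` keeps the intended scope. Also, the substrings `npf`, `nm3` and `nmnt` are short enough to occur inside unrelated driver paths, so expect some tuning once this runs on real data.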
diff --git a/Rules/SIGMA/other/win_possible_zerologon_exploitation_using_wellknown_tools.ps1 b/Rules/SIGMA/other/win_possible_zerologon_exploitation_using_wellknown_tools.ps1
new file mode 100644
index 00000000..5d2509d4
--- /dev/null
+++ b/Rules/SIGMA/other/win_possible_zerologon_exploitation_using_wellknown_tools.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName System | where {(($_.message -match ".*kali.*" -or $_.message -match ".*mimikatz.*") -and ($_.ID -eq "5805" -or $_.ID -eq "5723")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_possible_zerologon_exploitation_using_wellknown_tools";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_possible_zerologon_exploitation_using_wellknown_tools";
+ $detectedMessage = "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with ""kali"" hostname.";
+ $result = $event | where { (($_.message -match ".*kali.*" -or $_.message -match ".*mimikatz.*") -and ($_.ID -eq "5805" -or $_.ID -eq "5723")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_rare_schtask_creation.ps1 b/Rules/SIGMA/other/win_rare_schtask_creation.ps1
new file mode 100644
index 00000000..ae14bfc8
--- /dev/null
+++ b/Rules/SIGMA/other/win_rare_schtask_creation.ps1
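Review bot: `$_.message -match ".*kali.*"` is a case-insensitive substring test over the whole 5805/5723 message, so any account or host name that happens to contain `kali` (a surname, for instance) trips the rule, whereas the source scopes this to the computer-name field. If the rendered Netlogon text carries the machine name in a fixed position, anchoring on it (for example `"computer .*kali"`, to be confirmed against a real record) or testing the relevant `$_.Properties[n].Value` would cut false positives. The `mimikatz` alternative and the doubled quotes around `""kali""` in `$detectedMessage` are fine.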
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | where {($_.ID -eq "106") } | group-object TaskName | where { $_.count -lt 5 } | select name,count | sort -desc
+
+function Add-Rule {
+
+ $ruleName = "win_rare_schtask_creation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rare_schtask_creation";
+ $detectedMessage = "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.";
+ $result = $event | where { ($_.ID -eq "106") } | group-object TaskName | where { $_.count -lt 5 } | select name, count | sort -desc;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_tool_psexec.ps1 b/Rules/SIGMA/other/win_tool_psexec.ps1
new file mode 100644
index 00000000..a8c5ddb7
--- /dev/null
+++ b/Rules/SIGMA/other/win_tool_psexec.ps1
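Review bot: `sort -desc` at the end of the `$result` pipeline has no `-Property`, so `Sort-Object -Descending` is applied to the whole `name`/`count` objects rather than to `count`, and the rare tasks are not listed rarest first as the commented query intends; `sort count -desc` (or `Sort-Object -Property count -Descending`) fixes it. Note also that rarity is computed only over whatever `$event` holds, so a small export will mark every task as rare; that is inherent to the source rule, but worth a sentence in `$detectedMessage`.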
@@ -0,0 +1,46 @@
+# Get-WinEvent -LogName System | where { ($_.message -match "ServiceName.*PSEXESVC" -and (($_.ID -eq "7045" -and $_.Service File Name -eq "*\\PSEXESVC.exe") -or $_.ID -eq "7036")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\PSEXESVC.exe" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { (($_.ID -eq "17" -or $_.ID -eq "18") -and $_.message -match "PipeName.*\\PSEXESVC") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\PSEXESVC.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_tool_psexec";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_tool_psexec";
+ $detectedMessage = "Detects PsExec service installation and execution events (service and Sysmon)";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.message -match "ServiceName.*PSEXESVC" -and (($_.ID -eq "7045" -and $_.message -like "*\\PSEXESVC.exe") -or $_.ID -eq "7036")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\PSEXESVC.exe" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { (($_.ID -eq "17" -or $_.ID -eq "18") -and $_.message -match "PipeName.*\\PSEXESVC") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
[void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\PSEXESVC.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/other/win_wmi_persistence.ps1 b/Rules/SIGMA/other/win_wmi_persistence.ps1
new file mode 100644
index 00000000..588e4509
--- /dev/null
+++ b/Rules/SIGMA/other/win_wmi_persistence.ps1
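Review bot: In the first `$tmp` query, `$_.message -like "*\\PSEXESVC.exe"` keeps the regex-style doubled backslash, but `-like` is a wildcard test where backslash is literal (the escape character is the backtick), so the pattern requires two consecutive backslashes in the path; and with no trailing `*` it only matches when the service path is the very last text of the 7045 message, which it is not. The `-or $_.ID -eq "7036"` arm masks this in practice, so the 7045 installation event is the one being lost. `$_.message -match "Service File Name.*\\PSEXESVC\.exe"` matches the intent and the style of the other three queries. The hunk spans L335–L336.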
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Microsoft-Windows-WMI-Activity/Operational | where { ((($_.ID -eq "5861" -and ($_.message -match ".*ActiveScriptEventConsumer.*" -or $_.message -match ".*CommandLineEventConsumer.*" -or $_.message -match ".*CommandLineTemplate.*")) -or $_.ID -eq "5859")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Security | where { ($_.ID -eq "4662" -and $_.message -match "ObjectType.*WMI Namespace" -and $_.message -match "ObjectName.*.*subscription.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_wmi_persistence";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_wmi_persistence";
+ $detectedMessage = "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ((($_.ID -eq "5861" -and ($_.message -match ".*ActiveScriptEventConsumer.*" -or $_.message -match ".*CommandLineEventConsumer.*" -or $_.message -match ".*CommandLineTemplate.*")) -or $_.ID -eq "5859")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "4662" -and $_.message -match "ObjectType.*WMI Namespace" -and $_.message -match "ObjectName.*.*subscription.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
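Review bot: Two statements in `Search-DetectableEvents` lack the trailing semicolon every other line in these files carries — the second `$tmp = $event | where {...} | select ... Message` line and `Write-Output $result` — which PowerShell accepts but which breaks the otherwise uniform style of the generated rules; add `;` to both. Separately, `$results` receives `$null` whenever a query returns nothing and the `foreach` relies on the `if ($result -and ...)` guard to skip it; `if ($tmp) { [void]$results.Add($tmp) }` makes that explicit.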
diff --git a/Rules/SIGMA/pipe_created/sysmon_alternate_powershell_hosts_pipe.ps1 b/Rules/SIGMA/pipe_created/sysmon_alternate_powershell_hosts_pipe.ps1
new file mode 100644
index 00000000..af9d9abc
--- /dev/null
+++ b/Rules/SIGMA/pipe_created/sysmon_alternate_powershell_hosts_pipe.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "17" -or $_.ID -eq "18")) -and $_.message -match "PipeName.*\PSHost.*" -and -not (($_.message -match "Image.*.*\powershell.exe" -or $_.message -match "Image.*.*\powershell_ise.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_alternate_powershell_hosts_pipe";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_alternate_powershell_hosts_pipe";
+ $detectedMessage = "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe";
+ $result = $event | where { ((($_.ID -eq "17" -or $_.ID -eq "18")) -and $_.message -match "PipeName.*\\PSHost.*" -and -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/pipe_created/sysmon_apt_turla_namedpipes.ps1 b/Rules/SIGMA/pipe_created/sysmon_apt_turla_namedpipes.ps1
new file mode 100644
index 00000000..e264176e
--- /dev/null
+++ b/Rules/SIGMA/pipe_created/sysmon_apt_turla_namedpipes.ps1
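Review bot: The exclusion in the `-not (...)` clause only covers `\\powershell.exe` and `\\powershell_ise.exe`, so on hosts running PowerShell 7 every `pwsh.exe` start (which, as far as I know, also creates a `PSHost.*` pipe) is reported as an alternate host. If that matches what your Sysmon telemetry shows, extend the filter with `-or $_.message -match "Image.*\\pwsh.exe"`; other legitimate hosts observed in the environment can be added the same way. Keep the exclusion narrow, since the whole point of the rule is the residue after known hosts are removed.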
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "\atctl" -or $_.message -match "\userpipe" -or $_.message -match "\iehelper" -or $_.message -match "\sdlrpc" -or $_.message -match "\comnap")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_apt_turla_namedpipes";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_apt_turla_namedpipes";
+ $detectedMessage = "Detects a named pipe used by Turla group samples";
+ $result = $event | where { (($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "\\atctl" -or $_.message -match "\\userpipe" -or $_.message -match "\\iehelper" -or $_.message -match "\\sdlrpc" -or $_.message -match "\\comnap")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/pipe_created/sysmon_cred_dump_tools_named_pipes.ps1 b/Rules/SIGMA/pipe_created/sysmon_cred_dump_tools_named_pipes.ps1
new file mode 100644
index 00000000..3f248e0b
--- /dev/null
+++ b/Rules/SIGMA/pipe_created/sysmon_cred_dump_tools_named_pipes.ps1
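Review bot: The five Turla pipe names are matched against the whole message (`$_.message -match "\\atctl"`) rather than the `PipeName` field the neighbouring rules use, so a coincidental hit in the `Image` path of a 17/18 event would also fire. Prefixing each alternative with `PipeName.*` (`"PipeName.*\\atctl"`) keeps the rule to what `$detectedMessage` claims. sysmon_mal_namedpipes (L342–L343) matches its longer list the same unscoped way, and is the more likely source of noise because its list includes short names such as `\\svcctl`.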
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "PipeName.*.*\lsadump.*" -or $_.message -match "PipeName.*.*\cachedump.*" -or $_.message -match "PipeName.*.*\wceservicepipe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_cred_dump_tools_named_pipes";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_cred_dump_tools_named_pipes";
+ $detectedMessage = "Detects well-known credential dumping tools execution via specific named pipes";
+ $result = $event | where { (($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "PipeName.*.*\\lsadump.*" -or $_.message -match "PipeName.*.*\\cachedump.*" -or $_.message -match "PipeName.*.*\\wceservicepipe.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/pipe_created/sysmon_mal_cobaltstrike.ps1 b/Rules/SIGMA/pipe_created/sysmon_mal_cobaltstrike.ps1
new file mode 100644
index 00000000..1b059aa5
--- /dev/null
+++ b/Rules/SIGMA/pipe_created/sysmon_mal_cobaltstrike.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "17" -or $_.ID -eq "18")) -and (($_.message -match "PipeName.*.*\MSSE-.*" -and $_.message -match "PipeName.*.*-server.*") -or $_.message -match "PipeName.*\postex_.*" -or $_.message -match "PipeName.*\postex_ssh_.*" -or $_.message -match "PipeName.*\status_.*" -or $_.message -match "PipeName.*\msagent_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_mal_cobaltstrike";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_mal_cobaltstrike";
+ $detectedMessage = "Detects the creation of a named pipe as used by CobaltStrike";
+ $result = $event | where { ((($_.ID -eq "17" -or $_.ID -eq "18")) -and (($_.message -match "PipeName.*.*\\MSSE-.*" -and $_.message -match "PipeName.*.*-server.*") -or $_.message -match "PipeName.*\\postex_.*" -or $_.message -match "PipeName.*\\postex_ssh_.*" -or $_.message -match "PipeName.*\\status_.*" -or $_.message -match "PipeName.*\\msagent_.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/pipe_created/sysmon_mal_namedpipes.ps1 b/Rules/SIGMA/pipe_created/sysmon_mal_namedpipes.ps1
new file mode 100644
index 00000000..ddc214b3
--- /dev/null
+++ b/Rules/SIGMA/pipe_created/sysmon_mal_namedpipes.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "\isapi_http" -or $_.message -match "\isapi_dg" -or $_.message -match "\isapi_dg2" -or $_.message -match "\sdlrpc" -or $_.message -match "\ahexec" -or $_.message -match "\winsession" -or $_.message -match "\lsassw" -or $_.message -match "\46a676ab7f179e511e30dd2dc41bd388" -or $_.message -match "\9f81f59bc58452127884ce513865ed20" -or $_.message -match "\e710f28d59aa529d6792ca6ff0ca1b34" -or $_.message -match "\rpchlp_3" -or $_.message -match "\NamePipe_MoreWindows" -or $_.message -match "\pcheap_reuse" -or $_.message -match "\gruntsvc" -or $_.message -match "\583da945-62af-10e8-4902-a8f205c72b2e" -or $_.message -match "\bizkaz" -or $_.message -match "\svcctl" -or $_.message -match "PipeName.*\Posh.*" -or $_.message -match "\jaccdpqnvbrrxlaf" -or $_.message -match "\csexecsvc")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_mal_namedpipes";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_mal_namedpipes";
+ $detectedMessage = "Detects the creation of a named pipe used by known APT malware";
+ $result = $event | where { (($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "\\isapi_http" -or $_.message -match "\\isapi_dg" -or $_.message -match "\\isapi_dg2" -or $_.message -match "\\sdlrpc" -or $_.message -match "\\ahexec" -or $_.message -match "\\winsession" -or $_.message -match "\\lsassw" -or $_.message -match "\\46a676ab7f179e511e30dd2dc41bd388" -or $_.message -match "\\9f81f59bc58452127884ce513865ed20" -or $_.message -match "\\e710f28d59aa529d6792ca6ff0ca1b34" -or $_.message -match "\\rpchlp_3" -or $_.message -match "\\NamePipe_MoreWindows" -or $_.message -match "\\pcheap_reuse" -or $_.message -match "\\gruntsvc" -or $_.message -match "\\583da945-62af-10e8-4902-a8f205c72b2e" -or $_.message 
-match "\\bizkaz" -or $_.message -match "\\svcctl" -or $_.message -match "PipeName.*\\Posh.*" -or $_.message -match "\\jaccdpqnvbrrxlaf" -or $_.message -match "\\csexecsvc")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/pipe_created/sysmon_powershell_execution_pipe.ps1 b/Rules/SIGMA/pipe_created/sysmon_powershell_execution_pipe.ps1
new file mode 100644
index 00000000..84f37839
--- /dev/null
+++ b/Rules/SIGMA/pipe_created/sysmon_powershell_execution_pipe.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and $_.message -match "PipeName.*\PSHost.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_powershell_execution_pipe";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_powershell_execution_pipe";
+ $detectedMessage = "Detects execution of PowerShell";
+ $result = $event | where { (($_.ID -eq "17" -or $_.ID -eq "18") -and $_.message -match "PipeName.*\\PSHost.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
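Review bot: sysmon_powershell_execution_pipe fires on every `PSHost.*` pipe creation, i.e. on every PowerShell start, and prints the same `Detected!` block as the high-confidence pipe rules with a `$detectedMessage` of just `"Detects execution of PowerShell"`. On any host with scheduled PowerShell jobs this output will dominate and bury the other rules in this directory; either carry the source level into the text (e.g. `"[informational] Detects execution of PowerShell"`) or keep the rule out of the default stack. It also overlaps entirely with sysmon_alternate_powershell_hosts_pipe (L338), which reports the subset that actually matters.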
diff --git a/Rules/SIGMA/pipe_created/sysmon_psexec_pipes_artifacts.ps1 b/Rules/SIGMA/pipe_created/sysmon_psexec_pipes_artifacts.ps1
new file mode 100644
index 00000000..07863fcf
--- /dev/null
+++ b/Rules/SIGMA/pipe_created/sysmon_psexec_pipes_artifacts.ps1
@@ -0,0 +1,30 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "PipeName.*psexec.*" -or $_.message -match "PipeName.*paexec.*" -or $_.message -match "PipeName.*remcom.*" -or $_.message -match "PipeName.*csexec.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_psexec_pipes_artifacts";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_psexec_pipes_artifacts";
+ $result = $event | where { (($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "PipeName.*psexec.*" -or $_.message -match "PipeName.*paexec.*" -or $_.message -match "PipeName.*remcom.*" -or $_.message -match "PipeName.*csexec.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.ps1 b/Rules/SIGMA/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.ps1
new file mode 100644
index 00000000..661345a6
--- /dev/null
+++ b/Rules/SIGMA/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.ps1
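Review bot: `$detectedMessage` is emitted with `Write-Output $detectedMessage` but never assigned in `Search-DetectableEvents` (this hunk is 30 lines where the sibling rules are 31), so every hit prints an empty line where the description belongs. Add the assignment after the inner `$ruleName`, e.g. `$detectedMessage = "Detects named pipes created by PsExec-style remote execution tools (psexec, paexec, remcom, csexec)";` — wording constructed from the four patterns in the filter, adjust to the source rule's description.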
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "PipeName.*\mojo.5688.8052.183894939787088877.*" -or $_.message -match "PipeName.*\mojo.5688.8052.35780273329370473.*" -or $_.message -match "PipeName.*\mypipe-f.*" -or $_.message -match "PipeName.*\mypipe-h.*" -or $_.message -match "PipeName.*\ntsvcs_.*" -or $_.message -match "PipeName.*\scerpc_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_cobaltstrike_pipe_patterns";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_cobaltstrike_pipe_patterns";
+ $detectedMessage = "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles";
+ $result = $event | where { (($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "PipeName.*\\mojo.5688.8052.183894939787088877.*" -or $_.message -match "PipeName.*\\mojo.5688.8052.35780273329370473.*" -or $_.message -match "PipeName.*\\mypipe-f.*" -or $_.message -match "PipeName.*\\mypipe-h.*" -or $_.message -match "PipeName.*\\ntsvcs_.*" -or $_.message -match "PipeName.*\\scerpc_.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_CL_Invocation_LOLScript.ps1 b/Rules/SIGMA/powershell/powershell_CL_Invocation_LOLScript.ps1
new file mode 100644
index 00000000..141b152e
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_CL_Invocation_LOLScript.ps1
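Review bot: The two `mojo.5688.8052.…` alternatives leave every `.` unescaped, so each dot matches any character rather than the literal separator the pipe names contain; since these values are meant as exact fingerprints, write them as `$_.message -match "PipeName.*\\mojo\.5688\.8052\.183894939787088877"` (and likewise for the second mojo pattern). The trailing `.*` on every alternative is redundant under -match's substring semantics and can be dropped throughout.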
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CL_Invocation.ps1.*" -and $_.message -match "ScriptBlockText.*.*SyncInvoke.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_CL_Invocation_LOLScript";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_CL_Invocation_LOLScript";
+ $detectedMessage = "Detects Execution via SyncInvoke in CL_Invocation.ps1 module";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CL_Invocation.ps1.*" -and $_.message -match "ScriptBlockText.*.*SyncInvoke.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_CL_Invocation_LOLScript_v2.ps1 b/Rules/SIGMA/powershell/powershell_CL_Invocation_LOLScript_v2.ps1
new file mode 100644
index 00000000..d646ee4b
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_CL_Invocation_LOLScript_v2.ps1
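Review bot: Every term is written as `ScriptBlockText.*.*<term>.*`; the doubled `.*.*` matches nothing extra but lets the regex engine backtrack quadratically on long script blocks that do not contain the term (4104 script block text can run to many kilobytes), so a single `.*` is enough, e.g. `$_.message -match "ScriptBlockText.*CL_Invocation\.ps1"`, which also escapes the dot in `.ps1` that currently matches any character. The same `.*.*` shape is used in every powershell_* rule in this commit, most heavily in powershell_accessing_win_api.ps1 where it is evaluated for roughly fifty alternatives per event.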
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*CL_Invocation.ps1.*" -or $_.message -match "ScriptBlockText.*.*SyncInvoke.*")) } | select Computer, ScriptBlockText | group Computer | foreach { [PSCustomObject]@{'Computer'=$_.name;'Count'=($_.group.ScriptBlockText | sort -u).count} } | sort count -desc | where { $_.count -gt 2 }
+
+function Add-Rule {
+
+ $ruleName = "powershell_CL_Invocation_LOLScript_v2";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_CL_Invocation_LOLScript_v2";
+ $detectedMessage = "Detects Execution via SyncInvoke in CL_Invocation.ps1 module";
+ $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*CL_Invocation.ps1.*" -or $_.message -match "ScriptBlockText.*.*SyncInvoke.*")) } | select Computer, ScriptBlockText | group Computer | foreach { [PSCustomObject]@{'Computer' = $_.name; 'Count' = ($_.group.ScriptBlockText | sort -u).count } } | sort count -desc | where { $_.count -gt 2 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_CL_Mutexverifiers_LOLScript.ps1 b/Rules/SIGMA/powershell/powershell_CL_Mutexverifiers_LOLScript.ps1
new file mode 100644
index 00000000..0939a6a4
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_CL_Mutexverifiers_LOLScript.ps1
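Review bot: `select Computer, ScriptBlockText` assumes the incoming objects expose those two properties, yet every other rule in this series selects `TimeCreated, Id, RecordId, ProcessId, MachineName, Message`, the properties of a Get-WinEvent EventLogRecord, which has neither; if that is what `$event` carries, both columns come back null, `group Computer` collapses everything into one group, `($_.group.ScriptBlockText | sort -u).count` is 0 and `where { $_.count -gt 2 }` never passes, so this rule cannot fire. Unless the harness pre-parses the event XML into those properties (not visible from this diff), the grouping should key on `MachineName` and the distinct count should be taken from the script text extracted out of `Message`. The same construction is used in powershell_CL_Mutexverifiers_LOLScript_v2.ps1.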
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CL_Mutexverifiers.ps1.*" -and $_.message -match "ScriptBlockText.*.*runAfterCancelProcess.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_CL_Mutexverifiers_LOLScript";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_CL_Mutexverifiers_LOLScript";
+ $detectedMessage = "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CL_Mutexverifiers.ps1.*" -and $_.message -match "ScriptBlockText.*.*runAfterCancelProcess.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.ps1 b/Rules/SIGMA/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.ps1
new file mode 100644
index 00000000..1d7ce891
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*CL_Mutexverifiers.ps1.*" -or $_.message -match "ScriptBlockText.*.*runAfterCancelProcess.*")) } | select Computer, ScriptBlockText | group Computer | foreach { [PSCustomObject]@{'Computer'=$_.name;'Count'=($_.group.ScriptBlockText | sort -u).count} } | sort count -desc | where { $_.count -gt 2 }
+
+function Add-Rule {
+
+ $ruleName = "powershell_CL_Mutexverifiers_LOLScript_v2";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_CL_Mutexverifiers_LOLScript_v2";
+ $detectedMessage = "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module";
+ $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*CL_Mutexverifiers.ps1.*" -or $_.message -match "ScriptBlockText.*.*runAfterCancelProcess.*")) } | select Computer, ScriptBlockText | group Computer | foreach { [PSCustomObject]@{'Computer' = $_.name; 'Count' = ($_.group.ScriptBlockText | sort -u).count } } | sort count -desc | where { $_.count -gt 2 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_accessing_win_api.ps1 b/Rules/SIGMA/powershell/powershell_accessing_win_api.ps1
new file mode 100644
index 00000000..d4cd3b6f
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_accessing_win_api.ps1
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*WaitForSingleObject.*" -or $_.message -match "ScriptBlockText.*.*QueueUserApc.*" -or $_.message -match "ScriptBlockText.*.*RtlCreateUserThread.*" -or $_.message -match "ScriptBlockText.*.*OpenProcess.*" -or $_.message -match "ScriptBlockText.*.*VirtualAlloc.*" -or $_.message -match "ScriptBlockText.*.*VirtualFree.*" -or $_.message -match "ScriptBlockText.*.*WriteProcessMemory.*" -or $_.message -match "ScriptBlockText.*.*CreateUserThread.*" -or $_.message -match "ScriptBlockText.*.*CloseHandle.*" -or $_.message -match "ScriptBlockText.*.*GetDelegateForFunctionPointer.*" -or $_.message -match "ScriptBlockText.*.*CreateThread.*" -or $_.message -match "ScriptBlockText.*.*memcpy.*" -or $_.message -match "ScriptBlockText.*.*LoadLibrary.*" -or $_.message -match "ScriptBlockText.*.*GetModuleHandle.*" -or $_.message -match "ScriptBlockText.*.*GetProcAddress.*" -or $_.message -match "ScriptBlockText.*.*VirtualProtect.*" -or $_.message -match "ScriptBlockText.*.*FreeLibrary.*" -or $_.message -match "ScriptBlockText.*.*ReadProcessMemory.*" -or $_.message -match "ScriptBlockText.*.*CreateRemoteThread.*" -or $_.message -match "ScriptBlockText.*.*AdjustTokenPrivileges.*" -or $_.message -match "ScriptBlockText.*.*WriteByte.*" -or $_.message -match "ScriptBlockText.*.*WriteInt32.*" -or $_.message -match "ScriptBlockText.*.*OpenThreadToken.*" -or $_.message -match "ScriptBlockText.*.*PtrToString.*" -or $_.message -match "ScriptBlockText.*.*FreeHGlobal.*" -or $_.message -match "ScriptBlockText.*.*ZeroFreeGlobalAllocUnicode.*" -or $_.message -match "ScriptBlockText.*.*OpenProcessToken.*" -or $_.message -match "ScriptBlockText.*.*GetTokenInformation.*" -or $_.message -match "ScriptBlockText.*.*SetThreadToken.*" -or $_.message -match "ScriptBlockText.*.*ImpersonateLoggedOnUser.*" -or $_.message -match 
"ScriptBlockText.*.*RevertToSelf.*" -or $_.message -match "ScriptBlockText.*.*GetLogonSessionData.*" -or $_.message -match "ScriptBlockText.*.*CreateProcessWithToken.*" -or $_.message -match "ScriptBlockText.*.*DuplicateTokenEx.*" -or $_.message -match "ScriptBlockText.*.*OpenWindowStation.*" -or $_.message -match "ScriptBlockText.*.*OpenDesktop.*" -or $_.message -match "ScriptBlockText.*.*MiniDumpWriteDump.*" -or $_.message -match "ScriptBlockText.*.*AddSecurityPackage.*" -or $_.message -match "ScriptBlockText.*.*EnumerateSecurityPackages.*" -or $_.message -match "ScriptBlockText.*.*GetProcessHandle.*" -or $_.message -match "ScriptBlockText.*.*DangerousGetHandle.*" -or $_.message -match "ScriptBlockText.*.*kernel32.*" -or $_.message -match "ScriptBlockText.*.*Advapi32.*" -or $_.message -match "ScriptBlockText.*.*msvcrt.*" -or $_.message -match "ScriptBlockText.*.*ntdll.*" -or $_.message -match "ScriptBlockText.*.*user32.*" -or $_.message -match "ScriptBlockText.*.*secur32.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "powershell_accessing_win_api"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "powershell_accessing_win_api"; + $detectedMessage = " Detecting use WinAPI Functions in PowerShell"; + $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*WaitForSingleObject.*" -or $_.message -match "ScriptBlockText.*.*QueueUserApc.*" -or $_.message -match "ScriptBlockText.*.*RtlCreateUserThread.*" -or $_.message -match "ScriptBlockText.*.*OpenProcess.*" -or $_.message -match "ScriptBlockText.*.*VirtualAlloc.*" -or $_.message -match "ScriptBlockText.*.*VirtualFree.*" -or $_.message -match "ScriptBlockText.*.*WriteProcessMemory.*" -or $_.message -match "ScriptBlockText.*.*CreateUserThread.*" -or $_.message -match "ScriptBlockText.*.*CloseHandle.*" -or $_.message -match "ScriptBlockText.*.*GetDelegateForFunctionPointer.*" -or 
$_.message -match "ScriptBlockText.*.*CreateThread.*" -or $_.message -match "ScriptBlockText.*.*memcpy.*" -or $_.message -match "ScriptBlockText.*.*LoadLibrary.*" -or $_.message -match "ScriptBlockText.*.*GetModuleHandle.*" -or $_.message -match "ScriptBlockText.*.*GetProcAddress.*" -or $_.message -match "ScriptBlockText.*.*VirtualProtect.*" -or $_.message -match "ScriptBlockText.*.*FreeLibrary.*" -or $_.message -match "ScriptBlockText.*.*ReadProcessMemory.*" -or $_.message -match "ScriptBlockText.*.*CreateRemoteThread.*" -or $_.message -match "ScriptBlockText.*.*AdjustTokenPrivileges.*" -or $_.message -match "ScriptBlockText.*.*WriteByte.*" -or $_.message -match "ScriptBlockText.*.*WriteInt32.*" -or $_.message -match "ScriptBlockText.*.*OpenThreadToken.*" -or $_.message -match "ScriptBlockText.*.*PtrToString.*" -or $_.message -match "ScriptBlockText.*.*FreeHGlobal.*" -or $_.message -match "ScriptBlockText.*.*ZeroFreeGlobalAllocUnicode.*" -or $_.message -match "ScriptBlockText.*.*OpenProcessToken.*" -or $_.message -match "ScriptBlockText.*.*GetTokenInformation.*" -or $_.message -match "ScriptBlockText.*.*SetThreadToken.*" -or $_.message -match "ScriptBlockText.*.*ImpersonateLoggedOnUser.*" -or $_.message -match "ScriptBlockText.*.*RevertToSelf.*" -or $_.message -match "ScriptBlockText.*.*GetLogonSessionData.*" -or $_.message -match "ScriptBlockText.*.*CreateProcessWithToken.*" -or $_.message -match "ScriptBlockText.*.*DuplicateTokenEx.*" -or $_.message -match "ScriptBlockText.*.*OpenWindowStation.*" -or $_.message -match "ScriptBlockText.*.*OpenDesktop.*" -or $_.message -match "ScriptBlockText.*.*MiniDumpWriteDump.*" -or $_.message -match "ScriptBlockText.*.*AddSecurityPackage.*" -or $_.message -match "ScriptBlockText.*.*EnumerateSecurityPackages.*" -or $_.message -match "ScriptBlockText.*.*GetProcessHandle.*" -or $_.message -match "ScriptBlockText.*.*DangerousGetHandle.*" -or $_.message -match "ScriptBlockText.*.*kernel32.*" -or $_.message -match 
"ScriptBlockText.*.*Advapi32.*" -or $_.message -match "ScriptBlockText.*.*msvcrt.*" -or $_.message -match "ScriptBlockText.*.*ntdll.*" -or $_.message -match "ScriptBlockText.*.*user32.*" -or $_.message -match "ScriptBlockText.*.*secur32.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/SIGMA/powershell/powershell_adrecon_execution.ps1 b/Rules/SIGMA/powershell/powershell_adrecon_execution.ps1 new file mode 100644 index 00000000..b98ec2af --- /dev/null +++ b/Rules/SIGMA/powershell/powershell_adrecon_execution.ps1 
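Review bot: `$detectedMessage` carries a stray leading space and an ungrammatical phrase; `$detectedMessage = "Detects use of WinAPI functions in PowerShell";`. Several of the terms in this alternation (`CloseHandle`, `memcpy`, `kernel32`, `LoadLibrary`, `GetProcAddress`) also occur in ordinary P/Invoke-based administration scripts, so this rule should be expected to be noisy; a line in the header comment stating that a hit is a triage lead rather than a confirmed finding would help whoever reads its output. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.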
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Function Get-ADRExcelComOb.*" -or $_.message -match "ScriptBlockText.*.*ADRecon-Report.xlsx.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_adrecon_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_adrecon_execution";
+ $detectedMessage = " Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 ";
+ $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Function Get-ADRExcelComOb.*" -or $_.message -match "ScriptBlockText.*.*ADRecon-Report.xlsx.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
\ No newline at end of file
diff --git a/Rules/SIGMA/powershell/powershell_alternate_powershell_hosts.ps1 b/Rules/SIGMA/powershell/powershell_alternate_powershell_hosts.ps1
new file mode 100644
index 00000000..878a076a
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_alternate_powershell_hosts.ps1
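Review bot: `$detectedMessage` has a leading and a trailing space inside the quotes, which makes its output line ragged next to the other rules' descriptions; `$detectedMessage = "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7";`. The unescaped dots in `ADRecon.ps1` and `ADRecon-Report.xlsx` match any character, so `\.ps1` and `\.xlsx` would be more precise. The file also lacks a trailing newline.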
@@ -0,0 +1,41 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.ID -eq "4103" -and $_.message -match "ContextInfo.*.*") -and -not ($_.message -match "ContextInfo.*powershell.exe" -or $_.message -match "Message.*powershell.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Windows PowerShell | where {(($_.ID -eq "400" -and $_.message -match "ContextInfo.*.*") -and -not ($_.message -match "ContextInfo.*powershell.exe" -or $_.message -match "Message.*powershell.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+
+function Add-Rule {
+
+ $ruleName = "powershell_alternate_powershell_hosts";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_alternate_powershell_hosts";
+ $detectedMessage = "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { (($_.ID -eq "4103" -and $_.message -match "ContextInfo.*.*") -and -not ($_.message -match "ContextInfo.*powershell.exe" -or $_.message -match "Message.*powershell.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { (($_.ID -eq "400" -and $_.message -match "ContextInfo.*.*") -and -not ($_.message -match "ContextInfo.*powershell.exe" -or $_.message -match "Message.*powershell.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_automated_collection.ps1 b/Rules/SIGMA/powershell/powershell_automated_collection.ps1
new file mode 100644
index 00000000..d92f50bd
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_automated_collection.ps1
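Review bot: The exclusion in both `-not (...)` clauses whitelists only `powershell.exe`, so in an environment where PowerShell 7 is deployed every pwsh.exe session would likely be reported as an "alternate host"; if that is in scope, extend each exclusion with `-or $_.message -match "ContextInfo.*pwsh.exe" -or $_.message -match "Message.*pwsh.exe"`. The positive test `$_.message -match "ContextInfo.*.*"` is just a contains-check for the word ContextInfo and reads more clearly as `$_.message -match "ContextInfo"`. Note also that the two result sets are reported under the same `$detectedMessage`, so a reader cannot tell a 4103 hit from a classic-log 400 hit without inspecting `Id`.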
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*.doc.*" -or $_.message -match "ScriptBlockText.*.*.docx.*" -or $_.message -match "ScriptBlockText.*.*.xls.*" -or $_.message -match "ScriptBlockText.*.*.xlsx.*" -or $_.message -match "ScriptBlockText.*.*.ppt.*" -or $_.message -match "ScriptBlockText.*.*.pptx.*" -or $_.message -match "ScriptBlockText.*.*.rtf.*" -or $_.message -match "ScriptBlockText.*.*.pdf.*" -or $_.message -match "ScriptBlockText.*.*.txt.*") -and $_.message -match "ScriptBlockText.*.*Get-ChildItem.*" -and $_.message -match "ScriptBlockText.*.* -Recurse .*" -and $_.message -match "ScriptBlockText.*.* -Include .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_automated_collection";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_automated_collection";
+ $detectedMessage = "Once established within a system or network, an adversary may use automated techniques for collecting internal data.";
+ $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*.doc.*" -or $_.message -match "ScriptBlockText.*.*.docx.*" -or $_.message -match "ScriptBlockText.*.*.xls.*" -or $_.message -match "ScriptBlockText.*.*.xlsx.*" -or $_.message -match "ScriptBlockText.*.*.ppt.*" -or $_.message -match "ScriptBlockText.*.*.pptx.*" -or $_.message -match "ScriptBlockText.*.*.rtf.*" -or $_.message -match "ScriptBlockText.*.*.pdf.*" -or $_.message -match "ScriptBlockText.*.*.txt.*") -and $_.message -match "ScriptBlockText.*.*Get-ChildItem.*" -and $_.message -match "ScriptBlockText.*.* -Recurse .*" -and $_.message -match "ScriptBlockText.*.* -Include .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_bad_opsec_artifacts.ps1 b/Rules/SIGMA/powershell/powershell_bad_opsec_artifacts.ps1
new file mode 100644
index 00000000..5c04ed30
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_bad_opsec_artifacts.ps1
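Review bot: The extension alternatives use unescaped dots (`.*.doc.*`, `.*.txt.*`), so `.doc` matches any character followed by `doc` and `.txt` any character followed by `txt`, not the literal extension; write them as `\.doc`, `\.docx`, `\.txt` and so on, e.g. `$_.message -match "ScriptBlockText.*\.docx?"`. Because the rule additionally requires `Get-ChildItem`, ` -Recurse ` and ` -Include `, the over-match is bounded, but the spaces on both sides of ` -Recurse ` mean a command whose `-Recurse` is the last token, or written as `-Recurse:$true`, is missed. `$detectedMessage` restates the ATT&CK technique description rather than what this rule looks for; a shorter text naming the Get-ChildItem / -Recurse / -Include combination with document extensions would be more useful in output.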
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*$DoIt.*" -or $_.message -match "ScriptBlockText.*.*harmj0y.*" -or $_.message -match "ScriptBlockText.*.*mattifestation.*" -or $_.message -match "ScriptBlockText.*.*_RastaMouse.*" -or $_.message -match "ScriptBlockText.*.*tifkin_.*" -or $_.message -match "ScriptBlockText.*.*0xdeadbeef.*")) -or ($_.ID -eq "4103" -and ($_.message -match "Payload.*.*$DoIt.*" -or $_.message -match "Payload.*.*harmj0y.*" -or $_.message -match "Payload.*.*mattifestation.*" -or $_.message -match "Payload.*.*_RastaMouse.*" -or $_.message -match "Payload.*.*tifkin_.*" -or $_.message -match "Payload.*.*0xdeadbeef.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_bad_opsec_artifacts";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_bad_opsec_artifacts";
+ $detectedMessage = "Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.";
+ $result = $event | where { ((($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*$DoIt.*" -or $_.message -match "ScriptBlockText.*.*harmj0y.*" -or $_.message -match "ScriptBlockText.*.*mattifestation.*" -or $_.message -match "ScriptBlockText.*.*_RastaMouse.*" -or $_.message -match "ScriptBlockText.*.*tifkin_.*" -or $_.message -match "ScriptBlockText.*.*0xdeadbeef.*")) -or ($_.ID -eq "4103" -and ($_.message -match "Payload.*.*$DoIt.*" -or $_.message -match "Payload.*.*harmj0y.*" -or $_.message -match "Payload.*.*mattifestation.*" -or $_.message -match "Payload.*.*_RastaMouse.*" -or $_.message -match "Payload.*.*tifkin_.*" -or $_.message -match "Payload.*.*0xdeadbeef.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_clear_powershell_history.ps1 b/Rules/SIGMA/powershell/powershell_clear_powershell_history.ps1
new file mode 100644
index 00000000..c7f0b0dc
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_clear_powershell_history.ps1
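Review bot: `"ScriptBlockText.*.*$DoIt.*"` and `"Payload.*.*$DoIt.*"` are double-quoted, so PowerShell interpolates `$DoIt` when the filter runs; with the variable unset the pattern collapses to `ScriptBlockText.*.*.*`, which matches every message that merely contains the field name and makes the whole alternation fire on everything, and under Set-StrictMode the reference throws instead. Use single quotes and escape the dollar for the regex engine: `$_.message -match 'ScriptBlockText.*\$DoIt'` and `$_.message -match 'Payload.*\$DoIt'`. The header comment's one-liner carries the same interpolation problem if pasted into a shell.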
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and ((($_.message -match "ScriptBlockText.*.*del.*" -or $_.message -match "ScriptBlockText.*.*Remove-Item.*" -or $_.message -match "ScriptBlockText.*.*rm.*") -and $_.message -match "ScriptBlockText.*.*(Get-PSReadlineOption).HistorySavePath.*") -or ($_.message -match "ScriptBlockText.*.*Set-PSReadlineOption.*" -and $_.message -match "ScriptBlockText.*.*–HistorySaveStyle.*" -and $_.message -match "ScriptBlockText.*.*SaveNothing.*"))) -or ($_.ID -eq "4103" -and ((($_.message -match "Payload.*.*del.*" -or $_.message -match "Payload.*.*Remove-Item.*" -or $_.message -match "Payload.*.*rm.*") -and $_.message -match "Payload.*.*(Get-PSReadlineOption).HistorySavePath.*") -or ($_.message -match "Payload.*.*Set-PSReadlineOption.*" -and $_.message -match "Payload.*.*–HistorySaveStyle.*" -and $_.message -match "Payload.*.*SaveNothing.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "powershell_clear_powershell_history"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "powershell_clear_powershell_history"; + $detectedMessage = "Detects keywords that could indicate clearing PowerShell history"; + $result = $event | where { ((($_.ID -eq "4104" -and ((($_.message -match "ScriptBlockText.*.*del.*" -or $_.message -match "ScriptBlockText.*.*Remove-Item.*" -or $_.message -match "ScriptBlockText.*.*rm.*") -and $_.message -match "ScriptBlockText.*.*(Get-PSReadlineOption).HistorySavePath.*") -or ($_.message -match "ScriptBlockText.*.*Set-PSReadlineOption.*" -and $_.message -match "ScriptBlockText.*.*–HistorySaveStyle.*" -and $_.message -match "ScriptBlockText.*.*SaveNothing.*"))) -or ($_.ID -eq "4103" -and ((($_.message -match "Payload.*.*del.*" -or $_.message -match "Payload.*.*Remove-Item.*" -or $_.message -match "Payload.*.*rm.*") -and $_.message -match 
"Payload.*.*(Get-PSReadlineOption).HistorySavePath.*") -or ($_.message -match "Payload.*.*Set-PSReadlineOption.*" -and $_.message -match "Payload.*.*–HistorySaveStyle.*" -and $_.message -match "Payload.*.*SaveNothing.*"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/powershell/powershell_cmdline_reversed_strings.ps1 b/Rules/SIGMA/powershell/powershell_cmdline_reversed_strings.ps1 new file mode 100644 index 00000000..68360a7b --- /dev/null +++ b/Rules/SIGMA/powershell/powershell_cmdline_reversed_strings.ps1 
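Review bot: Two of the patterns cannot match the command they target. `(Get-PSReadlineOption).HistorySavePath` is a regex group followed by a wildcard `.`, so against the literal text `(Get-PSReadlineOption).HistorySavePath` the wildcard consumes the `)` and the following `.` in the text breaks the match; it needs `\(Get-PSReadlineOption\)\.HistorySavePath`. `–HistorySaveStyle` is spelled with an en dash (U+2013) rather than the ASCII hyphen an operator would normally type, so the common `Set-PSReadlineOption -HistorySaveStyle SaveNothing` form is missed; write `-HistorySaveStyle`. Both fixes apply to the 4104 (`ScriptBlockText`) and 4103 (`Payload`) branches and to the header comment.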
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\powershell.exe" -and ($_.message -match "CommandLine.*.*hctac.*" -or $_.message -match "CommandLine.*.*kearb.*" -or $_.message -match "CommandLine.*.*dnammoc.*" -or $_.message -match "CommandLine.*.*ekovn.*" -or $_.message -match "CommandLine.*.*eliFd.*" -or $_.message -match "CommandLine.*.*rahc.*" -or $_.message -match "CommandLine.*.*etirw.*" -or $_.message -match "CommandLine.*.*golon.*" -or $_.message -match "CommandLine.*.*tninon.*" -or $_.message -match "CommandLine.*.*eddih.*" -or $_.message -match "CommandLine.*.*tpircS.*" -or $_.message -match "CommandLine.*.*ssecorp.*" -or $_.message -match "CommandLine.*.*llehsrewop.*" -or $_.message -match "CommandLine.*.*esnopser.*" -or $_.message -match "CommandLine.*.*daolnwod.*" -or $_.message -match "CommandLine.*.*tneilCbeW.*" -or $_.message -match "CommandLine.*.*tneilc.*" -or $_.message -match "CommandLine.*.*ptth.*" -or $_.message -match "CommandLine.*.*elifotevas.*" -or $_.message -match "CommandLine.*.*46esab.*" -or $_.message -match "CommandLine.*.*htaPpmeTteG.*" -or $_.message -match "CommandLine.*.*tcejbO.*" -or $_.message -match "CommandLine.*.*maerts.*" -or $_.message -match "CommandLine.*.*hcaerof.*" -or $_.message -match "CommandLine.*.*ekovni.*" -or $_.message -match "CommandLine.*.*retupmoc.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "powershell_cmdline_reversed_strings"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "powershell_cmdline_reversed_strings"; + $detectedMessage = "Detects the PowerShell command lines with reversed strings"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*hctac.*" -or $_.message -match "CommandLine.*.*kearb.*" -or $_.message -match 
"CommandLine.*.*dnammoc.*" -or $_.message -match "CommandLine.*.*ekovn.*" -or $_.message -match "CommandLine.*.*eliFd.*" -or $_.message -match "CommandLine.*.*rahc.*" -or $_.message -match "CommandLine.*.*etirw.*" -or $_.message -match "CommandLine.*.*golon.*" -or $_.message -match "CommandLine.*.*tninon.*" -or $_.message -match "CommandLine.*.*eddih.*" -or $_.message -match "CommandLine.*.*tpircS.*" -or $_.message -match "CommandLine.*.*ssecorp.*" -or $_.message -match "CommandLine.*.*llehsrewop.*" -or $_.message -match "CommandLine.*.*esnopser.*" -or $_.message -match "CommandLine.*.*daolnwod.*" -or $_.message -match "CommandLine.*.*tneilCbeW.*" -or $_.message -match "CommandLine.*.*tneilc.*" -or $_.message -match "CommandLine.*.*ptth.*" -or $_.message -match "CommandLine.*.*elifotevas.*" -or $_.message -match "CommandLine.*.*46esab.*" -or $_.message -match "CommandLine.*.*htaPpmeTteG.*" -or $_.message -match "CommandLine.*.*tcejbO.*" -or $_.message -match "CommandLine.*.*maerts.*" -or $_.message -match "CommandLine.*.*hcaerof.*" -or $_.message -match "CommandLine.*.*ekovni.*" -or $_.message -match "CommandLine.*.*retupmoc.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/powershell/powershell_cmdline_specific_comb_methods.ps1 b/Rules/SIGMA/powershell/powershell_cmdline_specific_comb_methods.ps1 new file mode 100644 index 00000000..598997d9 --- /dev/null +++ b/Rules/SIGMA/powershell/powershell_cmdline_specific_comb_methods.ps1 
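Review bot: The image filter `Image.*.*\\powershell.exe` covers only Windows PowerShell, so where PowerShell 7 is deployed the same reversed tokens in a pwsh.exe command line pass untested; if that is in scope, widen it to `($_.message -match "Image.*\\powershell\.exe" -or $_.message -match "Image.*\\pwsh\.exe")`, which also escapes the dot before the extension. Several tokens (`rahc`, `ptth`, `tneilc`, `maerts`) are short unanchored substrings, so some benign command lines may hit; documenting that expectation in the header comment would help triage.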
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\powershell.exe" -and (((($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*ToInt.*" -or $_.message -match "CommandLine.*.*ToDecimal.*" -or $_.message -match "CommandLine.*.*ToByte.*" -or $_.message -match "CommandLine.*.*ToUint.*" -or $_.message -match "CommandLine.*.*ToSingle.*" -or $_.message -match "CommandLine.*.*ToSByte.*") -and ($_.message -match "CommandLine.*.*ToChar.*" -or $_.message -match "CommandLine.*.*ToString.*" -or $_.message -match "CommandLine.*.*String.*")) -or ($_.message -match "CommandLine.*.*char.*" -and $_.message -match "CommandLine.*.*join.*")) -or ($_.message -match "CommandLine.*.*split.*" -and $_.message -match "CommandLine.*.*join.*")) -or ($_.message -match "CommandLine.*.*ForEach.*" -and $_.message -match "CommandLine.*.*Xor.*") -or ($_.message -match "CommandLine.*.*cOnvErTTO-SECUreStRIng.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "powershell_cmdline_specific_comb_methods"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "powershell_cmdline_specific_comb_methods"; + $detectedMessage = "Detects specific combinations of encoding methods in the PowerShell command lines"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and (((($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*ToInt.*" -or $_.message -match "CommandLine.*.*ToDecimal.*" -or $_.message -match "CommandLine.*.*ToByte.*" -or $_.message -match "CommandLine.*.*ToUint.*" -or $_.message -match "CommandLine.*.*ToSingle.*" -or $_.message -match "CommandLine.*.*ToSByte.*") -and ($_.message -match "CommandLine.*.*ToChar.*" -or $_.message -match "CommandLine.*.*ToString.*" -or $_.message -match "CommandLine.*.*String.*")) -or ($_.message -match "CommandLine.*.*char.*" -and 
$_.message -match "CommandLine.*.*join.*")) -or ($_.message -match "CommandLine.*.*split.*" -and $_.message -match "CommandLine.*.*join.*")) -or ($_.message -match "CommandLine.*.*ForEach.*" -and $_.message -match "CommandLine.*.*Xor.*") -or ($_.message -match "CommandLine.*.*cOnvErTTO-SECUreStRIng.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/powershell/powershell_code_injection.ps1 b/Rules/SIGMA/powershell/powershell_code_injection.ps1 new file mode 100644 index 00000000..4004a5b5 --- /dev/null +++ b/Rules/SIGMA/powershell/powershell_code_injection.ps1 
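Review bot: `-match` is case-insensitive in PowerShell, so the `cOnvErTTO-SECUreStRIng` branch in the `$result` filter fires on every ordinary `ConvertTo-SecureString`, a cmdlet routinely used by credential-handling admin scripts, and it stands as a bare `-or` branch with no other condition attached. If the unusual casing was the indicator intended by the upstream rule, use `$_.message -cmatch "CommandLine.*cOnvErTTO-SECUreStRIng"`; otherwise expect this branch to dominate the noise. Separately, `CommandLine.*.*String.*` is a substring match satisfied by `ToString`, `[string]` or any variable name containing it, so the `ToInt…` group is effectively the only discriminating condition in that branch. The inner `$_.ID -eq "1"` repeated inside the parenthesised group is redundant with the outer one.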
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "SourceImage.*.*\powershell.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_code_injection";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_code_injection";
+ $detectedMessage = "Detecting Code injection with PowerShell in another process";
+ $result = $event | where { ($_.ID -eq "8" -and $_.message -match "SourceImage.*.*\\powershell.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_create_local_user.ps1 b/Rules/SIGMA/powershell/powershell_create_local_user.ps1
new file mode 100644
index 00000000..e7f68d06
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_create_local_user.ps1
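Review bot: The `SourceImage.*.*\\powershell.exe` clause in the `$result` filter only covers `powershell.exe`; `pwsh.exe` (PowerShell 7) and `powershell_ise.exe` creating a thread in another process (Sysmon event 8) would pass silently, and the unescaped `.` before `exe` matches any character. If those hosts are in scope, widen the pattern, e.g. `$_.message -match "SourceImage.*\\(powershell|pwsh|powershell_ise)\.exe"`. The header comment on the first line uses a single backslash (`\powershell.exe`), which is not a valid .NET regex escape and so cannot be pasted as-is; keep it in sync with the `\\` form used in the code.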
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*New-LocalUser.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_create_local_user";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_create_local_user";
+ $detectedMessage = "Detects creation of a local user via PowerShell";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*New-LocalUser.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_data_compressed.ps1 b/Rules/SIGMA/powershell/powershell_data_compressed.ps1
new file mode 100644
index 00000000..9523c34f
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_data_compressed.ps1
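Review bot: The clause `$_.message -match "ScriptBlockText.*.*New-LocalUser.*"` assumes the rendered Message of a 4104 event contains the literal field name `ScriptBlockText`; the text Get-WinEvent renders for 4104 is of the form `Creating Scriptblock text (1 of 1):` followed by the script, with the field name present only in the event XML, so unless the caller rebuilds `Message` into `Name: Value` lines before passing `$event`, this rule never matches — please verify against a live event, and the same applies to the `Payload` prefix used for 4103 in sibling rules. Independently, 4104 events exist only where Script Block Logging is enabled; a one-line prerequisite in the header comment, e.g. `# Requires: PowerShell Script Block Logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104)`, would save the next reader a silent no-result run.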
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*-Recurse.*" -and $_.message -match "ScriptBlockText.*.*|.*" -and $_.message -match "ScriptBlockText.*.*Compress-Archive.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_data_compressed";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_data_compressed";
+ $detectedMessage = "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*-Recurse.*" -and $_.message -match "ScriptBlockText.*.*|.*" -and $_.message -match "ScriptBlockText.*.*Compress-Archive.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_decompress_commands.ps1 b/Rules/SIGMA/powershell/powershell_decompress_commands.ps1
new file mode 100644
index 00000000..a7c39da4
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_decompress_commands.ps1
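Review bot: In `$_.message -match "ScriptBlockText.*.*|.*"` the `|` is regex alternation, not a literal pipe, and the right-hand branch `.*` matches every string, so that clause is always true and the rule degrades to `-Recurse` and `Compress-Archive` alone rather than the three-way all-of match it was converted from. Escape it: `$_.message -match "ScriptBlockText.*\|"`. The header comment on the first line of the hunk carries the same unescaped pattern and should be corrected with it.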
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Expand-Archive.*") -or ($_.ID -eq "4103" -and $_.message -match "Payload.*.*Expand-Archive.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_decompress_commands";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_decompress_commands";
+ $detectedMessage = "A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.";
+ $result = $event | where { ((($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Expand-Archive.*") -or ($_.ID -eq "4103" -and $_.message -match "Payload.*.*Expand-Archive.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_delete_volume_shadow_copies.ps1 b/Rules/SIGMA/powershell/powershell_delete_volume_shadow_copies.ps1
new file mode 100644
index 00000000..2165a578
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_delete_volume_shadow_copies.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Windows PowerShell | where {($_.message -match "CommandLine.*.*Get-WmiObject.*" -and $_.message -match "CommandLine.*.* Win32_Shadowcopy.*" -and ($_.message -match "CommandLine.*.*Delete().*" -or $_.message -match "CommandLine.*.*Remove-WmiObject.*") -and $_.ID -eq "400") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_delete_volume_shadow_copies";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_delete_volume_shadow_copies";
+ $detectedMessage = "Shadow Copies deletion using operating systems utilities via PowerShell";
+ $result = $event | where { ($_.message -match "CommandLine.*.*Get-WmiObject.*" -and $_.message -match "CommandLine.*.* Win32_Shadowcopy.*" -and ($_.message -match "CommandLine.*.*Delete().*" -or $_.message -match "CommandLine.*.*Remove-WmiObject.*") -and $_.ID -eq "400") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_dnscat_execution.ps1 b/Rules/SIGMA/powershell/powershell_dnscat_execution.ps1
new file mode 100644
index 00000000..a9b3e38d
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_dnscat_execution.ps1
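Review bot: `"CommandLine.*.*Delete().*"` in the `$result` filter contains an empty capturing group, so it matches the bare word `Delete` anywhere on the line (for example `Delete-Something`) rather than the `.Delete()` method call; write `$_.message -match "CommandLine.*Delete\(\)"`. A second concern, hedged because it depends on the record layout: in the classic log's event 400 the invoked command is normally carried on the `HostApplication=` line while `CommandLine=` is empty, and `.` does not cross line breaks, so every `CommandLine.*` clause here would fail and the rule would be inert — worth confirming against a real 400 event and, if so, anchoring on `HostApplication` instead. The header comment on the first line carries the same `Delete()` pattern.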
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Start-Dnscat2.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_dnscat_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_dnscat_execution";
+ $detectedMessage = "Dnscat exfiltration tool execution";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Start-Dnscat2.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_downgrade_attack.ps1 b/Rules/SIGMA/powershell/powershell_downgrade_attack.ps1
new file mode 100644
index 00000000..90556b5b
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_downgrade_attack.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Windows PowerShell | where {(($_.ID -eq "400" -and $_.message -match "EngineVersion.*2..*") -and -not ($_.message -match "HostVersion.*2..*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_downgrade_attack";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_downgrade_attack";
+ $detectedMessage = "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0";
+ $result = $event | where { (($_.ID -eq "400" -and $_.message -match "EngineVersion.*2..*") -and -not ($_.message -match "HostVersion.*2..*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_exe_calling_ps.ps1 b/Rules/SIGMA/powershell/powershell_exe_calling_ps.ps1
new file mode 100644
index 00000000..03b7c8bc
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_exe_calling_ps.ps1
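Review bot: `"EngineVersion.*2..*"` and `"HostVersion.*2..*"` lost the prefix semantics of the upstream `startswith '2.'`: `.*2.` matches a `2` followed by any character anywhere after the field name, so an engine such as `5.1.22621.x` satisfies the first clause and a host of the same build satisfies the second, and whether the `-not` suppresses or the rule fires then depends on which build numbers happen to contain a `2`, not on a real 2.0 downgrade. Assuming the classic 400 Details block renders fields as `Name=Value`, pin both clauses to the field: `$_.message -match "EngineVersion=2\."` and `-not ($_.message -match "HostVersion=2\.")`. The header comment on the first line repeats the loose patterns.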
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and ($_.message -match "EngineVersion.*2..*" -or $_.message -match "EngineVersion.*4..*" -or $_.message -match "EngineVersion.*5..*") -and $_.message -match "HostVersion.*3..*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_exe_calling_ps";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_exe_calling_ps";
+ $detectedMessage = "Detects PowerShell called from an executable by the version mismatch method";
+ $result = $event | where { ($_.ID -eq "400" -and ($_.message -match "EngineVersion.*2..*" -or $_.message -match "EngineVersion.*4..*" -or $_.message -match "EngineVersion.*5..*") -and $_.message -match "HostVersion.*3..*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_get_clipboard.ps1 b/Rules/SIGMA/powershell/powershell_get_clipboard.ps1
new file mode 100644
index 00000000..5a0d3701
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_get_clipboard.ps1
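Review bot: The version clauses in the `$result` filter are unanchored substrings: `"EngineVersion.*5..*"` is satisfied by any 5.1 engine and `"HostVersion.*3..*"` by any host build whose version string contains a `3` followed by a character (e.g. `5.1.19041.3031`), so on such hosts every 400 event from an ordinary console session matches and the "version mismatch" signal is lost. Assuming `Name=Value` rendering in the 400 Details block, the intent is `$_.message -match "EngineVersion=(2|4|5)\."` and `$_.message -match "HostVersion=3\."`. The header comment on the first line carries the same loose patterns.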
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Get-Clipboard.*") -or ($_.ID -eq "4103" -and $_.message -match "Payload.*.*Get-Clipboard.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_get_clipboard";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_get_clipboard";
+ $detectedMessage = "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.";
+ $result = $event | where { ((($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Get-Clipboard.*") -or ($_.ID -eq "4103" -and $_.message -match "Payload.*.*Get-Clipboard.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_icmp_exfiltration.ps1 b/Rules/SIGMA/powershell/powershell_icmp_exfiltration.ps1
new file mode 100644
index 00000000..9ad2250e
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_icmp_exfiltration.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*New-Object.*" -and $_.message -match "ScriptBlockText.*.*System.Net.NetworkInformation.Ping.*" -and $_.message -match "ScriptBlockText.*.*.Send(.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_icmp_exfiltration";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_icmp_exfiltration";
+ $detectedMessage = "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*New-Object.*" -and $_.message -match "ScriptBlockText.*.*System.Net.NetworkInformation.Ping.*" -and $_.message -match "ScriptBlockText.*.*.Send(.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_keylogging.ps1 b/Rules/SIGMA/powershell/powershell_keylogging.ps1
new file mode 100644
index 00000000..d8cfccbb
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_keylogging.ps1
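Review bot: `"ScriptBlockText.*.*.Send(.*"` in the `$result` filter has an unbalanced `(`, which is a .NET regex parse error ("Not enough )'s"), so `-match` throws instead of matching; because `-and` short-circuits, the throw happens exactly for the events that already satisfied the `New-Object` and `Ping` clauses, i.e. the ones the rule is meant to flag. Escape the call syntax: `$_.message -match "ScriptBlockText.*\.Send\("`. The dots in `System.Net.NetworkInformation.Ping` are also unescaped wildcards — harmless here, but `System\.Net\.NetworkInformation\.Ping` is what was meant. The header comment on the first line has the same unbalanced pattern.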
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-Keystrokes.*" -or ($_.message -match "ScriptBlockText.*.*Get-ProcAddress user32.dll GetAsyncKeyState.*" -and $_.message -match "ScriptBlockText.*.*Get-ProcAddress user32.dll GetForegroundWindow.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_keylogging";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_keylogging";
+ $detectedMessage = "Adversaries may log user keystrokes to intercept credentials as the user types them.";
+ $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-Keystrokes.*" -or ($_.message -match "ScriptBlockText.*.*Get-ProcAddress user32.dll GetAsyncKeyState.*" -and $_.message -match "ScriptBlockText.*.*Get-ProcAddress user32.dll GetForegroundWindow.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_malicious_commandlets.ps1 b/Rules/SIGMA/powershell/powershell_malicious_commandlets.ps1
new file mode 100644
index 00000000..f99ee13d
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_malicious_commandlets.ps1
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Invoke-DllInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Shellcode.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WmiCommand.*" -or $_.message -match "ScriptBlockText.*.*Get-GPPPassword.*" -or $_.message -match "ScriptBlockText.*.*Get-Keystrokes.*" -or $_.message -match "ScriptBlockText.*.*Get-TimedScreenshot.*" -or $_.message -match "ScriptBlockText.*.*Get-VaultCredential.*" -or $_.message -match "ScriptBlockText.*.*Invoke-CredentialInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Mimikatz.*" -or $_.message -match "ScriptBlockText.*.*Invoke-NinjaCopy.*" -or $_.message -match "ScriptBlockText.*.*Invoke-TokenManipulation.*" -or $_.message -match "ScriptBlockText.*.*Out-Minidump.*" -or $_.message -match "ScriptBlockText.*.*VolumeShadowCopyTools.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ReflectivePEInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-UserHunter.*" -or $_.message -match "ScriptBlockText.*.*Find-GPOLocation.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ACLScanner.*" -or $_.message -match "ScriptBlockText.*.*Invoke-DowngradeAccount.*" -or $_.message -match "ScriptBlockText.*.*Get-ServiceUnquoted.*" -or $_.message -match "ScriptBlockText.*.*Get-ServiceFilePermission.*" -or $_.message -match "ScriptBlockText.*.*Get-ServicePermission.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ServiceAbuse.*" -or $_.message -match "ScriptBlockText.*.*Install-ServiceBinary.*" -or $_.message -match "ScriptBlockText.*.*Get-RegAutoLogon.*" -or $_.message -match "ScriptBlockText.*.*Get-VulnAutoRun.*" -or $_.message -match "ScriptBlockText.*.*Get-VulnSchTask.*" -or $_.message -match "ScriptBlockText.*.*Get-UnattendedInstallFile.*" -or $_.message -match "ScriptBlockText.*.*Get-ApplicationHost.*" -or $_.message -match 
"ScriptBlockText.*.*Get-RegAlwaysInstallElevated.*" -or $_.message -match "ScriptBlockText.*.*Get-Unconstrained.*" -or $_.message -match "ScriptBlockText.*.*Add-RegBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Add-ScrnSaveBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Gupt-Backdoor.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ADSBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Enabled-DuplicateToken.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PsUaCme.*" -or $_.message -match "ScriptBlockText.*.*Remove-Update.*" -or $_.message -match "ScriptBlockText.*.*Check-VM.*" -or $_.message -match "ScriptBlockText.*.*Get-LSASecret.*" -or $_.message -match "ScriptBlockText.*.*Get-PassHashes.*" -or $_.message -match "ScriptBlockText.*.*Show-TargetScreen.*" -or $_.message -match "ScriptBlockText.*.*Port-Scan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PoshRatHttp.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerShellTCP.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerShellWMI.*" -or $_.message -match "ScriptBlockText.*.*Add-Exfiltration.*" -or $_.message -match "ScriptBlockText.*.*Add-Persistence.*" -or $_.message -match "ScriptBlockText.*.*Do-Exfiltration.*" -or $_.message -match "ScriptBlockText.*.*Start-CaptureServer.*" -or $_.message -match "ScriptBlockText.*.*Get-ChromeDump.*" -or $_.message -match "ScriptBlockText.*.*Get-ClipboardContents.*" -or $_.message -match "ScriptBlockText.*.*Get-FoxDump.*" -or $_.message -match "ScriptBlockText.*.*Get-IndexedItem.*" -or $_.message -match "ScriptBlockText.*.*Get-Screenshot.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Inveigh.*" -or $_.message -match "ScriptBlockText.*.*Invoke-NetRipper.*" -or $_.message -match "ScriptBlockText.*.*Invoke-EgressCheck.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PostExfil.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PSInject.*" -or $_.message -match "ScriptBlockText.*.*Invoke-RunAs.*" -or $_.message -match 
"ScriptBlockText.*.*MailRaider.*" -or $_.message -match "ScriptBlockText.*.*New-HoneyHash.*" -or $_.message -match "ScriptBlockText.*.*Set-MacAttribute.*" -or $_.message -match "ScriptBlockText.*.*Invoke-DCSync.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerDump.*" -or $_.message -match "ScriptBlockText.*.*Exploit-Jboss.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ThunderStruck.*" -or $_.message -match "ScriptBlockText.*.*Invoke-VoiceTroll.*" -or $_.message -match "ScriptBlockText.*.*Set-Wallpaper.*" -or $_.message -match "ScriptBlockText.*.*Invoke-InveighRelay.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PsExec.*" -or $_.message -match "ScriptBlockText.*.*Invoke-SSHCommand.*" -or $_.message -match "ScriptBlockText.*.*Get-SecurityPackages.*" -or $_.message -match "ScriptBlockText.*.*Install-SSP.*" -or $_.message -match "ScriptBlockText.*.*Invoke-BackdoorLNK.*" -or $_.message -match "ScriptBlockText.*.*PowerBreach.*" -or $_.message -match "ScriptBlockText.*.*Get-SiteListPassword.*" -or $_.message -match "ScriptBlockText.*.*Get-System.*" -or $_.message -match "ScriptBlockText.*.*Invoke-BypassUAC.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Tater.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WScriptBypassUAC.*" -or $_.message -match "ScriptBlockText.*.*PowerUp.*" -or $_.message -match "ScriptBlockText.*.*PowerView.*" -or $_.message -match "ScriptBlockText.*.*Get-RickAstley.*" -or $_.message -match "ScriptBlockText.*.*Find-Fruit.*" -or $_.message -match "ScriptBlockText.*.*HTTP-Login.*" -or $_.message -match "ScriptBlockText.*.*Find-TrustedDocuments.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Paranoia.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WinEnum.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ARPScan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PortScan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ReverseDNSLookup.*" -or $_.message -match "ScriptBlockText.*.*Invoke-SMBScanner.*" -or 
$_.message -match "ScriptBlockText.*.*Invoke-Mimikittenz.*" -or $_.message -match "ScriptBlockText.*.*Invoke-AllChecks.*")) -and -not ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-SystemDriveInfo.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "powershell_malicious_commandlets"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "powershell_malicious_commandlets"; + $detectedMessage = "Detects Commandlet names from well-known PowerShell exploitation frameworks"; + $result = $event | where { (($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Invoke-DllInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Shellcode.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WmiCommand.*" -or $_.message -match "ScriptBlockText.*.*Get-GPPPassword.*" -or $_.message -match "ScriptBlockText.*.*Get-Keystrokes.*" -or $_.message -match "ScriptBlockText.*.*Get-TimedScreenshot.*" -or $_.message -match "ScriptBlockText.*.*Get-VaultCredential.*" -or $_.message -match "ScriptBlockText.*.*Invoke-CredentialInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Mimikatz.*" -or $_.message -match "ScriptBlockText.*.*Invoke-NinjaCopy.*" -or $_.message -match "ScriptBlockText.*.*Invoke-TokenManipulation.*" -or $_.message -match "ScriptBlockText.*.*Out-Minidump.*" -or $_.message -match "ScriptBlockText.*.*VolumeShadowCopyTools.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ReflectivePEInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-UserHunter.*" -or $_.message -match "ScriptBlockText.*.*Find-GPOLocation.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ACLScanner.*" -or $_.message -match "ScriptBlockText.*.*Invoke-DowngradeAccount.*" -or $_.message -match "ScriptBlockText.*.*Get-ServiceUnquoted.*" -or $_.message -match "ScriptBlockText.*.*Get-ServiceFilePermission.*" -or $_.message -match 
"ScriptBlockText.*.*Get-ServicePermission.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ServiceAbuse.*" -or $_.message -match "ScriptBlockText.*.*Install-ServiceBinary.*" -or $_.message -match "ScriptBlockText.*.*Get-RegAutoLogon.*" -or $_.message -match "ScriptBlockText.*.*Get-VulnAutoRun.*" -or $_.message -match "ScriptBlockText.*.*Get-VulnSchTask.*" -or $_.message -match "ScriptBlockText.*.*Get-UnattendedInstallFile.*" -or $_.message -match "ScriptBlockText.*.*Get-ApplicationHost.*" -or $_.message -match "ScriptBlockText.*.*Get-RegAlwaysInstallElevated.*" -or $_.message -match "ScriptBlockText.*.*Get-Unconstrained.*" -or $_.message -match "ScriptBlockText.*.*Add-RegBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Add-ScrnSaveBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Gupt-Backdoor.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ADSBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Enabled-DuplicateToken.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PsUaCme.*" -or $_.message -match "ScriptBlockText.*.*Remove-Update.*" -or $_.message -match "ScriptBlockText.*.*Check-VM.*" -or $_.message -match "ScriptBlockText.*.*Get-LSASecret.*" -or $_.message -match "ScriptBlockText.*.*Get-PassHashes.*" -or $_.message -match "ScriptBlockText.*.*Show-TargetScreen.*" -or $_.message -match "ScriptBlockText.*.*Port-Scan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PoshRatHttp.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerShellTCP.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerShellWMI.*" -or $_.message -match "ScriptBlockText.*.*Add-Exfiltration.*" -or $_.message -match "ScriptBlockText.*.*Add-Persistence.*" -or $_.message -match "ScriptBlockText.*.*Do-Exfiltration.*" -or $_.message -match "ScriptBlockText.*.*Start-CaptureServer.*" -or $_.message -match "ScriptBlockText.*.*Get-ChromeDump.*" -or $_.message -match "ScriptBlockText.*.*Get-ClipboardContents.*" -or $_.message -match "ScriptBlockText.*.*Get-FoxDump.*" -or 
$_.message -match "ScriptBlockText.*.*Get-IndexedItem.*" -or $_.message -match "ScriptBlockText.*.*Get-Screenshot.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Inveigh.*" -or $_.message -match "ScriptBlockText.*.*Invoke-NetRipper.*" -or $_.message -match "ScriptBlockText.*.*Invoke-EgressCheck.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PostExfil.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PSInject.*" -or $_.message -match "ScriptBlockText.*.*Invoke-RunAs.*" -or $_.message -match "ScriptBlockText.*.*MailRaider.*" -or $_.message -match "ScriptBlockText.*.*New-HoneyHash.*" -or $_.message -match "ScriptBlockText.*.*Set-MacAttribute.*" -or $_.message -match "ScriptBlockText.*.*Invoke-DCSync.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerDump.*" -or $_.message -match "ScriptBlockText.*.*Exploit-Jboss.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ThunderStruck.*" -or $_.message -match "ScriptBlockText.*.*Invoke-VoiceTroll.*" -or $_.message -match "ScriptBlockText.*.*Set-Wallpaper.*" -or $_.message -match "ScriptBlockText.*.*Invoke-InveighRelay.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PsExec.*" -or $_.message -match "ScriptBlockText.*.*Invoke-SSHCommand.*" -or $_.message -match "ScriptBlockText.*.*Get-SecurityPackages.*" -or $_.message -match "ScriptBlockText.*.*Install-SSP.*" -or $_.message -match "ScriptBlockText.*.*Invoke-BackdoorLNK.*" -or $_.message -match "ScriptBlockText.*.*PowerBreach.*" -or $_.message -match "ScriptBlockText.*.*Get-SiteListPassword.*" -or $_.message -match "ScriptBlockText.*.*Get-System.*" -or $_.message -match "ScriptBlockText.*.*Invoke-BypassUAC.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Tater.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WScriptBypassUAC.*" -or $_.message -match "ScriptBlockText.*.*PowerUp.*" -or $_.message -match "ScriptBlockText.*.*PowerView.*" -or $_.message -match "ScriptBlockText.*.*Get-RickAstley.*" -or $_.message -match "ScriptBlockText.*.*Find-Fruit.*" -or 
$_.message -match "ScriptBlockText.*.*HTTP-Login.*" -or $_.message -match "ScriptBlockText.*.*Find-TrustedDocuments.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Paranoia.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WinEnum.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ARPScan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PortScan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ReverseDNSLookup.*" -or $_.message -match "ScriptBlockText.*.*Invoke-SMBScanner.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Mimikittenz.*" -or $_.message -match "ScriptBlockText.*.*Invoke-AllChecks.*")) -and -not ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-SystemDriveInfo.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/powershell/powershell_malicious_keywords.ps1 b/Rules/SIGMA/powershell/powershell_malicious_keywords.ps1 new file mode 100644 index 00000000..16080f92 --- /dev/null +++ b/Rules/SIGMA/powershell/powershell_malicious_keywords.ps1 
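Review bot: The trailing `-and -not ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-SystemDriveInfo.*"))` suppresses the whole event whenever that token appears anywhere in the script block, so a script that calls `Invoke-Mimikatz` and also mentions `Get-SystemDriveInfo` (a comment is enough) is whitelisted. The exclusion exists only because `Get-System` is a prefix match; narrow that one alternative instead and drop the global filter: `$_.message -match "ScriptBlockText.*.*Get-System(?!DriveInfo).*"`. The same reasoning applies to other short prefixes in the list such as `PowerUp`, `PowerView` and `Remove-Update`, each of which matches any longer name that starts with it. The header comment on the first line of the hunk carries the same global exclusion.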
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match ".*AdjustTokenPrivileges.*" -or $_.message -match ".*IMAGE_NT_OPTIONAL_HDR64_MAGIC.*" -or $_.message -match ".*Microsoft.Win32.UnsafeNativeMethods.*" -or $_.message -match ".*ReadProcessMemory.Invoke.*" -or $_.message -match ".*SE_PRIVILEGE_ENABLED.*" -or $_.message -match ".*LSA_UNICODE_STRING.*" -or $_.message -match ".*MiniDumpWriteDump.*" -or $_.message -match ".*PAGE_EXECUTE_READ.*" -or $_.message -match ".*SECURITY_DELEGATION.*" -or $_.message -match ".*TOKEN_ADJUST_PRIVILEGES.*" -or $_.message -match ".*TOKEN_ALL_ACCESS.*" -or $_.message -match ".*TOKEN_ASSIGN_PRIMARY.*" -or $_.message -match ".*TOKEN_DUPLICATE.*" -or $_.message -match ".*TOKEN_ELEVATION.*" -or $_.message -match ".*TOKEN_IMPERSONATE.*" -or $_.message -match ".*TOKEN_INFORMATION_CLASS.*" -or $_.message -match ".*TOKEN_PRIVILEGES.*" -or $_.message -match ".*TOKEN_QUERY.*" -or $_.message -match ".*Metasploit.*" -or $_.message -match ".*Mimikatz.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "powershell_malicious_keywords"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "powershell_malicious_keywords"; + $detectedMessage = "Detects keywords from well-known PowerShell exploitation frameworks"; + $result = $event | where { (($_.message -match ".*AdjustTokenPrivileges.*" -or $_.message -match ".*IMAGE_NT_OPTIONAL_HDR64_MAGIC.*" -or $_.message -match ".*Microsoft.Win32.UnsafeNativeMethods.*" -or $_.message -match ".*ReadProcessMemory.Invoke.*" -or $_.message -match ".*SE_PRIVILEGE_ENABLED.*" -or $_.message -match ".*LSA_UNICODE_STRING.*" -or $_.message -match ".*MiniDumpWriteDump.*" -or $_.message -match ".*PAGE_EXECUTE_READ.*" -or $_.message -match ".*SECURITY_DELEGATION.*" -or $_.message -match ".*TOKEN_ADJUST_PRIVILEGES.*" -or $_.message -match ".*TOKEN_ALL_ACCESS.*" -or 
$_.message -match ".*TOKEN_ASSIGN_PRIMARY.*" -or $_.message -match ".*TOKEN_DUPLICATE.*" -or $_.message -match ".*TOKEN_ELEVATION.*" -or $_.message -match ".*TOKEN_IMPERSONATE.*" -or $_.message -match ".*TOKEN_INFORMATION_CLASS.*" -or $_.message -match ".*TOKEN_PRIVILEGES.*" -or $_.message -match ".*TOKEN_QUERY.*" -or $_.message -match ".*Metasploit.*" -or $_.message -match ".*Mimikatz.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_nishang_malicious_commandlets.ps1 b/Rules/SIGMA/powershell/powershell_nishang_malicious_commandlets.ps1
new file mode 100644
index 00000000..8e010dd7
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_nishang_malicious_commandlets.ps1
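Review bot: The `Microsoft.Win32.UnsafeNativeMethods` and `ReadProcessMemory.Invoke` patterns in `$result = $event | where {...}` leave their dots unescaped, so they match any character, and every event is pushed through twenty separate `-match` evaluations each wrapped in a redundant `.*...*`. Building one alternation once and matching it a single time is faster and far easier to audit: `$kw = 'AdjustTokenPrivileges|IMAGE_NT_OPTIONAL_HDR64_MAGIC|Microsoft\.Win32\.UnsafeNativeMethods|ReadProcessMemory\.Invoke|SE_PRIVILEGE_ENABLED|LSA_UNICODE_STRING|MiniDumpWriteDump|PAGE_EXECUTE_READ|SECURITY_DELEGATION|TOKEN_ADJUST_PRIVILEGES|TOKEN_ALL_ACCESS|TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_ELEVATION|TOKEN_IMPERSONATE|TOKEN_INFORMATION_CLASS|TOKEN_PRIVILEGES|TOKEN_QUERY|Metasploit|Mimikatz';` followed by `$result = $event | where { $_.message -match $kw } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;`. Unlike the neighbouring rules this one applies no `$_.ID` filter, so it also fires on 4100 error records or 4103 module-log entries that merely quote one of these strings; if that is intended, `$detectedMessage` should say so, otherwise pin it to `$_.ID -eq "4104"`.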
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "Payload.*.*Add-ConstrainedDelegationBackdoor.*" -or $_.message -match "Payload.*.*Set-DCShadowPermissions.*" -or $_.message -match "Payload.*.*DNS_TXT_Pwnage.*" -or $_.message -match "Payload.*.*Execute-OnTime.*" -or $_.message -match "Payload.*.*HTTP-Backdoor.*" -or $_.message -match "Payload.*.*Set-RemotePSRemoting.*" -or $_.message -match "Payload.*.*Set-RemoteWMI.*" -or $_.message -match "Payload.*.*Invoke-AmsiBypass.*" -or $_.message -match "Payload.*.*Out-CHM.*" -or $_.message -match "Payload.*.*Out-HTA.*" -or $_.message -match "Payload.*.*Out-SCF.*" -or $_.message -match "Payload.*.*Out-SCT.*" -or $_.message -match "Payload.*.*Out-Shortcut.*" -or $_.message -match "Payload.*.*Out-WebQuery.*" -or $_.message -match "Payload.*.*Out-Word.*" -or $_.message -match "Payload.*.*Enable-Duplication.*" -or $_.message -match "Payload.*.*Remove-Update.*" -or $_.message -match "Payload.*.*Download-Execute-PS.*" -or $_.message -match "Payload.*.*Download_Execute.*" -or $_.message -match "Payload.*.*Execute-Command-MSSQL.*" -or $_.message -match "Payload.*.*Execute-DNSTXT-Code.*" -or $_.message -match "Payload.*.*Out-RundllCommand.*" -or $_.message -match "Payload.*.*Copy-VSS.*" -or $_.message -match "Payload.*.*FireBuster.*" -or $_.message -match "Payload.*.*FireListener.*" -or $_.message -match "Payload.*.*Get-Information.*" -or $_.message -match "Payload.*.*Get-PassHints.*" -or $_.message -match "Payload.*.*Get-WLAN-Keys.*" -or $_.message -match "Payload.*.*Get-Web-Credentials.*" -or $_.message -match "Payload.*.*Invoke-CredentialsPhish.*" -or $_.message -match "Payload.*.*Invoke-MimikatzWDigestDowngrade.*" -or $_.message -match "Payload.*.*Invoke-SSIDExfil.*" -or $_.message -match "Payload.*.*Invoke-SessionGopher.*" -or $_.message -match "Payload.*.*Keylogger.*" -or $_.message -match "Payload.*.*Invoke-Interceptor.*" -or $_.message -match 
"Payload.*.*Create-MultipleSessions.*" -or $_.message -match "Payload.*.*Invoke-NetworkRelay.*" -or $_.message -match "Payload.*.*Run-EXEonRemote.*" -or $_.message -match "Payload.*.*Invoke-Prasadhak.*" -or $_.message -match "Payload.*.*Invoke-BruteForce.*" -or $_.message -match "Payload.*.*Password-List.*" -or $_.message -match "Payload.*.*Invoke-JSRatRegsvr.*" -or $_.message -match "Payload.*.*Invoke-JSRatRundll.*" -or $_.message -match "Payload.*.*Invoke-PoshRatHttps.*" -or $_.message -match "Payload.*.*Invoke-PowerShellIcmp.*" -or $_.message -match "Payload.*.*Invoke-PowerShellUdp.*" -or $_.message -match "Payload.*.*Invoke-PSGcat.*" -or $_.message -match "Payload.*.*Invoke-PsGcatAgent.*" -or $_.message -match "Payload.*.*Remove-PoshRat.*" -or $_.message -match "Payload.*.*Add-Persistance.*" -or $_.message -match "Payload.*.*ExetoText.*" -or $_.message -match "Payload.*.*Invoke-Decode.*" -or $_.message -match "Payload.*.*Invoke-Encode.*" -or $_.message -match "Payload.*.*Parse_Keys.*" -or $_.message -match "Payload.*.*Remove-Persistence.*" -or $_.message -match "Payload.*.*StringtoBase64.*" -or $_.message -match "Payload.*.*TexttoExe.*" -or $_.message -match "Payload.*.*Powerpreter.*" -or $_.message -match "Payload.*.*Nishang.*" -or $_.message -match "Payload.*.*DataToEncode.*" -or $_.message -match "Payload.*.*LoggedKeys.*" -or $_.message -match "Payload.*.*OUT-DNSTXT.*" -or $_.message -match "Payload.*.*ExfilOption.*" -or $_.message -match "Payload.*.*DumpCerts.*" -or $_.message -match "Payload.*.*DumpCreds.*" -or $_.message -match "Payload.*.*Shellcode32.*" -or $_.message -match "Payload.*.*Shellcode64.*" -or $_.message -match "Payload.*.*NotAllNameSpaces.*" -or $_.message -match "Payload.*.*exfill.*" -or $_.message -match "Payload.*.*FakeDC.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "powershell_nishang_malicious_commandlets"; + $detectRule = { + + function Search-DetectableEvents { + param ( 
+ $event + ) + + $ruleName = "powershell_nishang_malicious_commandlets"; + $detectedMessage = "Detects Commandlet names and arguments from the Nishang exploitation framework"; + $result = $event | where { (($_.message -match "Payload.*.*Add-ConstrainedDelegationBackdoor.*" -or $_.message -match "Payload.*.*Set-DCShadowPermissions.*" -or $_.message -match "Payload.*.*DNS_TXT_Pwnage.*" -or $_.message -match "Payload.*.*Execute-OnTime.*" -or $_.message -match "Payload.*.*HTTP-Backdoor.*" -or $_.message -match "Payload.*.*Set-RemotePSRemoting.*" -or $_.message -match "Payload.*.*Set-RemoteWMI.*" -or $_.message -match "Payload.*.*Invoke-AmsiBypass.*" -or $_.message -match "Payload.*.*Out-CHM.*" -or $_.message -match "Payload.*.*Out-HTA.*" -or $_.message -match "Payload.*.*Out-SCF.*" -or $_.message -match "Payload.*.*Out-SCT.*" -or $_.message -match "Payload.*.*Out-Shortcut.*" -or $_.message -match "Payload.*.*Out-WebQuery.*" -or $_.message -match "Payload.*.*Out-Word.*" -or $_.message -match "Payload.*.*Enable-Duplication.*" -or $_.message -match "Payload.*.*Remove-Update.*" -or $_.message -match "Payload.*.*Download-Execute-PS.*" -or $_.message -match "Payload.*.*Download_Execute.*" -or $_.message -match "Payload.*.*Execute-Command-MSSQL.*" -or $_.message -match "Payload.*.*Execute-DNSTXT-Code.*" -or $_.message -match "Payload.*.*Out-RundllCommand.*" -or $_.message -match "Payload.*.*Copy-VSS.*" -or $_.message -match "Payload.*.*FireBuster.*" -or $_.message -match "Payload.*.*FireListener.*" -or $_.message -match "Payload.*.*Get-Information.*" -or $_.message -match "Payload.*.*Get-PassHints.*" -or $_.message -match "Payload.*.*Get-WLAN-Keys.*" -or $_.message -match "Payload.*.*Get-Web-Credentials.*" -or $_.message -match "Payload.*.*Invoke-CredentialsPhish.*" -or $_.message -match "Payload.*.*Invoke-MimikatzWDigestDowngrade.*" -or $_.message -match "Payload.*.*Invoke-SSIDExfil.*" -or $_.message -match "Payload.*.*Invoke-SessionGopher.*" -or $_.message -match 
"Payload.*.*Keylogger.*" -or $_.message -match "Payload.*.*Invoke-Interceptor.*" -or $_.message -match "Payload.*.*Create-MultipleSessions.*" -or $_.message -match "Payload.*.*Invoke-NetworkRelay.*" -or $_.message -match "Payload.*.*Run-EXEonRemote.*" -or $_.message -match "Payload.*.*Invoke-Prasadhak.*" -or $_.message -match "Payload.*.*Invoke-BruteForce.*" -or $_.message -match "Payload.*.*Password-List.*" -or $_.message -match "Payload.*.*Invoke-JSRatRegsvr.*" -or $_.message -match "Payload.*.*Invoke-JSRatRundll.*" -or $_.message -match "Payload.*.*Invoke-PoshRatHttps.*" -or $_.message -match "Payload.*.*Invoke-PowerShellIcmp.*" -or $_.message -match "Payload.*.*Invoke-PowerShellUdp.*" -or $_.message -match "Payload.*.*Invoke-PSGcat.*" -or $_.message -match "Payload.*.*Invoke-PsGcatAgent.*" -or $_.message -match "Payload.*.*Remove-PoshRat.*" -or $_.message -match "Payload.*.*Add-Persistance.*" -or $_.message -match "Payload.*.*ExetoText.*" -or $_.message -match "Payload.*.*Invoke-Decode.*" -or $_.message -match "Payload.*.*Invoke-Encode.*" -or $_.message -match "Payload.*.*Parse_Keys.*" -or $_.message -match "Payload.*.*Remove-Persistence.*" -or $_.message -match "Payload.*.*StringtoBase64.*" -or $_.message -match "Payload.*.*TexttoExe.*" -or $_.message -match "Payload.*.*Powerpreter.*" -or $_.message -match "Payload.*.*Nishang.*" -or $_.message -match "Payload.*.*DataToEncode.*" -or $_.message -match "Payload.*.*LoggedKeys.*" -or $_.message -match "Payload.*.*OUT-DNSTXT.*" -or $_.message -match "Payload.*.*ExfilOption.*" -or $_.message -match "Payload.*.*DumpCerts.*" -or $_.message -match "Payload.*.*DumpCreds.*" -or $_.message -match "Payload.*.*Shellcode32.*" -or $_.message -match "Payload.*.*Shellcode64.*" -or $_.message -match "Payload.*.*NotAllNameSpaces.*" -or $_.message -match "Payload.*.*exfill.*" -or $_.message -match "Payload.*.*FakeDC.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { 
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_ntfs_ads_access.ps1 b/Rules/SIGMA/powershell/powershell_ntfs_ads_access.ps1
new file mode 100644
index 00000000..83894322
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_ntfs_ads_access.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "set-content" -or $_.message -match "add-content") -and $_.message -match "-stream") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_ntfs_ads_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_ntfs_ads_access";
+ $detectedMessage = "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.";
+ $result = $event | where { (($_.message -match "set-content" -or $_.message -match "add-content") -and $_.message -match "-stream") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_powercat.ps1 b/Rules/SIGMA/powershell/powershell_powercat.ps1
new file mode 100644
index 00000000..aff50008
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_powercat.ps1
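Review bot: Every pattern in `$result = $event | where {...}` has the form `Payload.*.*<name>.*`, and in .NET regex `.` does not match a newline, so a cmdlet name is only found when it sits on the same physical line as the word `Payload`; for a multi-line payload only the first line is effectively inspected. Either prefix the patterns with the single-line option, e.g. `Payload` → `(?s)Payload.*Keylogger`, or drop the prefix and match the name alone, since it adds nothing to precision (the doubled `.*.*` is redundant either way). This also presumes the field label `Payload` appears literally in `$_.message`; as far as I recall the stock rendered Message of event 4103 does not carry field labels, so confirm how the events handed in via `$args` are built before relying on that anchor. Generic tokens in the list such as `Invoke-Encode`, `Invoke-Decode`, `StringtoBase64`, `Keylogger` and `exfill` will also hit unrelated scripts, which `$detectedMessage` could warn about.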
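Review bot: The `-stream` test in `$result = $event | where {...}` is a bare substring with no event-ID filter, so any script block that contains `Set-Content` somewhere and, say, `Out-String -Stream` or a `-StreamName` parameter elsewhere is reported as an ADS write. Pairing the cmdlet and the parameter on one line and requiring a word boundary removes most of that noise: `$result = $event | where { $_.message -match '(set|add)-content[^\r\n]*-stream\b' } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;`. The `$detectedMessage` already says the rule needs Script Block Logging, so restricting to `$_.ID -eq "4104"` as the neighbouring rules do would make that explicit in the query itself.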
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Windows PowerShell | where { ($_.ID -eq "400" -and ($_.message -match "HostApplication.*.*powercat .*" -or $_.message -match "HostApplication.*.*powercat.ps1.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where { ($_.ID -eq "4103" -and ($_.message -match "ContextInfo.*.*powercat .*" -or $_.message -match "ContextInfo.*.*powercat.ps1.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_powercat";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_powercat";
+ $detectedMessage = "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network";
+ $results = [System.Collections.ArrayList] @()
+ $tmp = $event | where { ($_.ID -eq "400" -and ($_.message -match "HostApplication.*.*powercat .*" -or $_.message -match "HostApplication.*.*powercat.ps1.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "4103" -and ($_.message -match "ContextInfo.*.*powercat .*" -or $_.message -match "ContextInfo.*.*powercat.ps1.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
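Review bot: `$detectedMessage` here is the generic ATT&CK technique description ("Adversaries may use a non-application layer protocol ...") rather than a statement of what the rule detects, unlike every other rule in this series; suggest `$detectedMessage = "Detects use of the PowerCat netcat-style tool (powercat / powercat.ps1) in event 400 or 4103";`. In both `$tmp = ...` lines `powercat.ps1` has an unescaped dot (`powercat\.ps1` was meant) and `powercat .*` with its trailing space misses a bare `powercat` at the end of the host application string. The 4103 branch anchors on `ContextInfo`, which is the XML field name; if `$_.message` is the rendered Message text, as the header comment's `Get-WinEvent` query implies, that label is not present and the branch never matches, so please verify against a real event.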
diff --git a/Rules/SIGMA/powershell/powershell_powerview_malicious_commandlets.ps1 b/Rules/SIGMA/powershell/powershell_powerview_malicious_commandlets.ps1
new file mode 100644
index 00000000..9cc57cbe
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_powerview_malicious_commandlets.ps1
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "Export-PowerViewCSV" -or $_.message -match "Get-IPAddress" -or $_.message -match "Resolve-IPAddress" -or $_.message -match "Convert-NameToSid" -or $_.message -match "ConvertTo-SID" -or $_.message -match "Convert-ADName" -or $_.message -match "ConvertFrom-UACValue" -or $_.message -match "Add-RemoteConnection" -or $_.message -match "Remove-RemoteConnection" -or $_.message -match "Invoke-UserImpersonation" -or $_.message -match "Invoke-RevertToSelf" -or $_.message -match "Request-SPNTicket" -or $_.message -match "Get-DomainSPNTicket" -or $_.message -match "Invoke-Kerberoast" -or $_.message -match "Get-PathAcl" -or $_.message -match "Get-DNSZone" -or $_.message -match "Get-DomainDNSZone" -or $_.message -match "Get-DNSRecord" -or $_.message -match "Get-DomainDNSRecord" -or $_.message -match "Get-NetDomain" -or $_.message -match "Get-Domain" -or $_.message -match "Get-NetDomainController" -or $_.message -match "Get-DomainController" -or $_.message -match "Get-NetForest" -or $_.message -match "Get-Forest" -or $_.message -match "Get-NetForestDomain" -or $_.message -match "Get-ForestDomain" -or $_.message -match "Get-NetForestCatalog" -or $_.message -match "Get-ForestGlobalCatalog" -or $_.message -match "Find-DomainObjectPropertyOutlier" -or $_.message -match "Get-NetUser" -or $_.message -match "Get-DomainUser" -or $_.message -match "New-DomainUser" -or $_.message -match "Set-DomainUserPassword" -or $_.message -match "Get-UserEvent" -or $_.message -match "Get-DomainUserEvent" -or $_.message -match "Get-NetComputer" -or $_.message -match "Get-DomainComputer" -or $_.message -match "Get-ADObject" -or $_.message -match "Get-DomainObject" -or $_.message -match "Set-ADObject" -or $_.message -match "Set-DomainObject" -or $_.message -match "Get-ObjectAcl" -or $_.message -match "Get-DomainObjectAcl" -or $_.message -match "Add-ObjectAcl" -or 
$_.message -match "Add-DomainObjectAcl" -or $_.message -match "Invoke-ACLScanner" -or $_.message -match "Find-InterestingDomainAcl" -or $_.message -match "Get-NetOU" -or $_.message -match "Get-DomainOU" -or $_.message -match "Get-NetSite" -or $_.message -match "Get-DomainSite" -or $_.message -match "Get-NetSubnet" -or $_.message -match "Get-DomainSubnet" -or $_.message -match "Get-DomainSID" -or $_.message -match "Get-NetGroup" -or $_.message -match "Get-DomainGroup" -or $_.message -match "New-DomainGroup" -or $_.message -match "Find-ManagedSecurityGroups" -or $_.message -match "Get-DomainManagedSecurityGroup" -or $_.message -match "Get-NetGroupMember" -or $_.message -match "Get-DomainGroupMember" -or $_.message -match "Add-DomainGroupMember" -or $_.message -match "Get-NetFileServer" -or $_.message -match "Get-DomainFileServer" -or $_.message -match "Get-DFSshare" -or $_.message -match "Get-DomainDFSShare" -or $_.message -match "Get-NetGPO" -or $_.message -match "Get-DomainGPO" -or $_.message -match "Get-NetGPOGroup" -or $_.message -match "Get-DomainGPOLocalGroup" -or $_.message -match "Find-GPOLocation" -or $_.message -match "Get-DomainGPOUserLocalGroupMapping" -or $_.message -match "Find-GPOComputerAdmin" -or $_.message -match "Get-DomainGPOComputerLocalGroupMapping" -or $_.message -match "Get-DomainPolicy" -or $_.message -match "Get-NetLocalGroup" -or $_.message -match "Get-NetLocalGroupMember" -or $_.message -match "Get-NetShare" -or $_.message -match "Get-NetLoggedon" -or $_.message -match "Get-NetSession" -or $_.message -match "Get-LoggedOnLocal" -or $_.message -match "Get-RegLoggedOn" -or $_.message -match "Get-NetRDPSession" -or $_.message -match "Invoke-CheckLocalAdminAccess" -or $_.message -match "Test-AdminAccess" -or $_.message -match "Get-SiteName" -or $_.message -match "Get-NetComputerSiteName" -or $_.message -match "Get-Proxy" -or $_.message -match "Get-WMIRegProxy" -or $_.message -match "Get-LastLoggedOn" -or $_.message -match 
"Get-WMIRegLastLoggedOn" -or $_.message -match "Get-CachedRDPConnection" -or $_.message -match "Get-WMIRegCachedRDPConnection" -or $_.message -match "Get-RegistryMountedDrive" -or $_.message -match "Get-WMIRegMountedDrive" -or $_.message -match "Get-NetProcess" -or $_.message -match "Get-WMIProcess" -or $_.message -match "Find-InterestingFile" -or $_.message -match "Invoke-UserHunter" -or $_.message -match "Find-DomainUserLocation" -or $_.message -match "Invoke-ProcessHunter" -or $_.message -match "Find-DomainProcess" -or $_.message -match "Invoke-EventHunter" -or $_.message -match "Find-DomainUserEvent" -or $_.message -match "Invoke-ShareFinder" -or $_.message -match "Find-DomainShare" -or $_.message -match "Invoke-FileFinder" -or $_.message -match "Find-InterestingDomainShareFile" -or $_.message -match "Find-LocalAdminAccess" -or $_.message -match "Invoke-EnumerateLocalAdmin" -or $_.message -match "Find-DomainLocalGroupMember" -or $_.message -match "Get-NetDomainTrust" -or $_.message -match "Get-DomainTrust" -or $_.message -match "Get-NetForestTrust" -or $_.message -match "Get-ForestTrust" -or $_.message -match "Find-ForeignUser" -or $_.message -match "Get-DomainForeignUser" -or $_.message -match "Find-ForeignGroup" -or $_.message -match "Get-DomainForeignGroupMember" -or $_.message -match "Invoke-MapDomainTrust" -or $_.message -match "Get-DomainTrustMapping")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "powershell_powerview_malicious_commandlets"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "powershell_powerview_malicious_commandlets"; + $detectedMessage = "Detects Commandlet names from PowerView of PowerSploit exploitation framework."; + $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "Export-PowerViewCSV" -or $_.message -match "Get-IPAddress" -or $_.message -match "Resolve-IPAddress" -or $_.message -match "Convert-NameToSid" -or 
$_.message -match "ConvertTo-SID" -or $_.message -match "Convert-ADName" -or $_.message -match "ConvertFrom-UACValue" -or $_.message -match "Add-RemoteConnection" -or $_.message -match "Remove-RemoteConnection" -or $_.message -match "Invoke-UserImpersonation" -or $_.message -match "Invoke-RevertToSelf" -or $_.message -match "Request-SPNTicket" -or $_.message -match "Get-DomainSPNTicket" -or $_.message -match "Invoke-Kerberoast" -or $_.message -match "Get-PathAcl" -or $_.message -match "Get-DNSZone" -or $_.message -match "Get-DomainDNSZone" -or $_.message -match "Get-DNSRecord" -or $_.message -match "Get-DomainDNSRecord" -or $_.message -match "Get-NetDomain" -or $_.message -match "Get-Domain" -or $_.message -match "Get-NetDomainController" -or $_.message -match "Get-DomainController" -or $_.message -match "Get-NetForest" -or $_.message -match "Get-Forest" -or $_.message -match "Get-NetForestDomain" -or $_.message -match "Get-ForestDomain" -or $_.message -match "Get-NetForestCatalog" -or $_.message -match "Get-ForestGlobalCatalog" -or $_.message -match "Find-DomainObjectPropertyOutlier" -or $_.message -match "Get-NetUser" -or $_.message -match "Get-DomainUser" -or $_.message -match "New-DomainUser" -or $_.message -match "Set-DomainUserPassword" -or $_.message -match "Get-UserEvent" -or $_.message -match "Get-DomainUserEvent" -or $_.message -match "Get-NetComputer" -or $_.message -match "Get-DomainComputer" -or $_.message -match "Get-ADObject" -or $_.message -match "Get-DomainObject" -or $_.message -match "Set-ADObject" -or $_.message -match "Set-DomainObject" -or $_.message -match "Get-ObjectAcl" -or $_.message -match "Get-DomainObjectAcl" -or $_.message -match "Add-ObjectAcl" -or $_.message -match "Add-DomainObjectAcl" -or $_.message -match "Invoke-ACLScanner" -or $_.message -match "Find-InterestingDomainAcl" -or $_.message -match "Get-NetOU" -or $_.message -match "Get-DomainOU" -or $_.message -match "Get-NetSite" -or $_.message -match "Get-DomainSite" -or 
$_.message -match "Get-NetSubnet" -or $_.message -match "Get-DomainSubnet" -or $_.message -match "Get-DomainSID" -or $_.message -match "Get-NetGroup" -or $_.message -match "Get-DomainGroup" -or $_.message -match "New-DomainGroup" -or $_.message -match "Find-ManagedSecurityGroups" -or $_.message -match "Get-DomainManagedSecurityGroup" -or $_.message -match "Get-NetGroupMember" -or $_.message -match "Get-DomainGroupMember" -or $_.message -match "Add-DomainGroupMember" -or $_.message -match "Get-NetFileServer" -or $_.message -match "Get-DomainFileServer" -or $_.message -match "Get-DFSshare" -or $_.message -match "Get-DomainDFSShare" -or $_.message -match "Get-NetGPO" -or $_.message -match "Get-DomainGPO" -or $_.message -match "Get-NetGPOGroup" -or $_.message -match "Get-DomainGPOLocalGroup" -or $_.message -match "Find-GPOLocation" -or $_.message -match "Get-DomainGPOUserLocalGroupMapping" -or $_.message -match "Find-GPOComputerAdmin" -or $_.message -match "Get-DomainGPOComputerLocalGroupMapping" -or $_.message -match "Get-DomainPolicy" -or $_.message -match "Get-NetLocalGroup" -or $_.message -match "Get-NetLocalGroupMember" -or $_.message -match "Get-NetShare" -or $_.message -match "Get-NetLoggedon" -or $_.message -match "Get-NetSession" -or $_.message -match "Get-LoggedOnLocal" -or $_.message -match "Get-RegLoggedOn" -or $_.message -match "Get-NetRDPSession" -or $_.message -match "Invoke-CheckLocalAdminAccess" -or $_.message -match "Test-AdminAccess" -or $_.message -match "Get-SiteName" -or $_.message -match "Get-NetComputerSiteName" -or $_.message -match "Get-Proxy" -or $_.message -match "Get-WMIRegProxy" -or $_.message -match "Get-LastLoggedOn" -or $_.message -match "Get-WMIRegLastLoggedOn" -or $_.message -match "Get-CachedRDPConnection" -or $_.message -match "Get-WMIRegCachedRDPConnection" -or $_.message -match "Get-RegistryMountedDrive" -or $_.message -match "Get-WMIRegMountedDrive" -or $_.message -match "Get-NetProcess" -or $_.message -match "Get-WMIProcess" -or 
$_.message -match "Find-InterestingFile" -or $_.message -match "Invoke-UserHunter" -or $_.message -match "Find-DomainUserLocation" -or $_.message -match "Invoke-ProcessHunter" -or $_.message -match "Find-DomainProcess" -or $_.message -match "Invoke-EventHunter" -or $_.message -match "Find-DomainUserEvent" -or $_.message -match "Invoke-ShareFinder" -or $_.message -match "Find-DomainShare" -or $_.message -match "Invoke-FileFinder" -or $_.message -match "Find-InterestingDomainShareFile" -or $_.message -match "Find-LocalAdminAccess" -or $_.message -match "Invoke-EnumerateLocalAdmin" -or $_.message -match "Find-DomainLocalGroupMember" -or $_.message -match "Get-NetDomainTrust" -or $_.message -match "Get-DomainTrust" -or $_.message -match "Get-NetForestTrust" -or $_.message -match "Get-ForestTrust" -or $_.message -match "Find-ForeignUser" -or $_.message -match "Get-DomainForeignUser" -or $_.message -match "Find-ForeignGroup" -or $_.message -match "Get-DomainForeignGroupMember" -or $_.message -match "Invoke-MapDomainTrust" -or $_.message -match "Get-DomainTrustMapping")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/powershell/powershell_prompt_credentials.ps1 b/Rules/SIGMA/powershell/powershell_prompt_credentials.ps1 new file mode 100644 index 00000000..6704e1a6 --- /dev/null +++ b/Rules/SIGMA/powershell/powershell_prompt_credentials.ps1 
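Review bot: `Get-ADObject` and `Set-ADObject` in `$result = $event | where {...}` are also stock cmdlets of the RSAT ActiveDirectory module, so any admin script block logged under 4104 that touches AD will trip this rule; several other entries are bare substrings (`Get-Domain`, `Get-Forest`, `Get-Proxy`) that hit anything sharing the prefix. Consider wrapping the names in `\b(...)\b` and either dropping the two AD cmdlets or stating the expected noise in `$detectedMessage`. Running roughly 130 separate `-match` calls per event is also needlessly slow; building the alternation once outside the pipeline, `$pv = '\b(Export-PowerViewCSV|Get-IPAddress|...|Get-DomainTrustMapping)\b';`, and matching `$_.ID -eq "4104" -and $_.message -match $pv` keeps the rule both faster and reviewable.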
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*PromptForCredential.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_prompt_credentials";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_prompt_credentials";
+ $detectedMessage = "Detects PowerShell calling a credential prompt";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*PromptForCredential.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_psattack.ps1 b/Rules/SIGMA/powershell/powershell_psattack.ps1
new file mode 100644
index 00000000..775b0b14
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_psattack.ps1
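Review bot: `ScriptBlockText.*.*PromptForCredential.*` in `$result = $event | where {...}` only matches when `PromptForCredential` is on the same physical line as the `ScriptBlockText` label, because `.` does not match `\n` in .NET regex; for a multi-line script block everything after the first line is invisible to this rule. Since `$_.ID -eq "4104"` already pins the event type, the prefix is redundant: `$result = $event | where { $_.ID -eq "4104" -and $_.message -match "PromptForCredential" } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;`. If the label must stay, use `(?s)ScriptBlockText.*PromptForCredential` so the match spans lines. `$detectedMessage` could also note that only the host/.NET API form is covered and a plain `Get-Credential` call is not in the pattern.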
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4103" -and $_.message -match "PS ATTACK!!!") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_psattack";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_psattack";
+ $detectedMessage = "Detects the use of PSAttack PowerShell hack tool";
+ $result = $event | where { ($_.ID -eq "4103" -and $_.message -match "PS ATTACK!!!") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_remote_powershell_session.ps1 b/Rules/SIGMA/powershell/powershell_remote_powershell_session.ps1
new file mode 100644
index 00000000..f16e83b9
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_remote_powershell_session.ps1
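Review bot: `Write-Host "Rule Import Error" -Foreground Yellow` in the `else` branch says nothing about which rule collided, and the identical text is repeated in every rule file, so a duplicate `$ruleName` is hard to trace back; suggest `Write-Host "Rule Import Error: duplicate rule name '$ruleName'" -Foreground Yellow;`. The literal `-match "PS ATTACK!!!"` is fine, but the rule only works with module logging enabled, which `$detectedMessage` could state the way the NTFS rule does for script block logging: `$detectedMessage = "Detects the use of PSAttack PowerShell hack tool (needs Module Logging, event 4103)";`. `$ruleStack` is read here without being declared in this file; presumably the loader that dot-sources these rule files defines it, which a one-line comment above `if(! $ruleStack[$ruleName])` would make clear.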
@@ -0,0 +1,39 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4103" -and $_.message -match "HostName.*ServerRemoteHost" -and $_.message -match "HostApplication.*.*wsmprovhost.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and $_.message -match "HostName.*ServerRemoteHost" -and $_.message -match "HostApplication.*.*wsmprovhost.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_remote_powershell_session";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_remote_powershell_session";
+ $detectedMessage = "Detects remote PowerShell sessions";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "4103" -and $_.message -match "HostName.*ServerRemoteHost" -and $_.message -match "HostApplication.*.*wsmprovhost.exe.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "400" -and $_.message -match "HostName.*ServerRemoteHost" -and $_.message -match "HostApplication.*.*wsmprovhost.exe.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ if ($results.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ }
+ foreach ($result in $results) {
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_renamed_powershell.ps1 b/Rules/SIGMA/powershell/powershell_renamed_powershell.ps1
new file mode 100644
index 00000000..b17fef33
--- /dev/null
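Review bot: `if ($results.Count -ne 0)` is always true here, because both `[void]$results.Add($tmp);` calls run unconditionally and append `$tmp` even when it is `$null`, so the "Detected! RuleName:" banner is printed on every run and the `foreach` then writes empty entries; the powercat rule in this series guards each item, this one does not. Guard the adds instead, changing both to `if ($tmp) { [void]$results.Add($tmp); }`, and the count check then means what it says. The 4103 branch also matches `HostName.*ServerRemoteHost`; in the rendered Context block of a 4103 event the label is written `Host Name = ` with a space, so unless the events passed in carry the raw XML field names this branch will not fire — please verify against a real remoting event.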
+++ b/Rules/SIGMA/powershell/powershell_renamed_powershell.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Windows PowerShell | where {(($_.ID -eq "400" -and $_.message -match "HostName.*ConsoleHost") -and -not (($_.message -match "HostApplication.*powershell.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_renamed_powershell";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_renamed_powershell";
+ $detectedMessage = "Detects renamed powershell";
+ $result = $event | where { (($_.ID -eq "400" -and $_.message -match "HostName.*ConsoleHost") -and -not (($_.message -match "HostApplication.*powershell.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_shellcode_b64.ps1 b/Rules/SIGMA/powershell/powershell_shellcode_b64.ps1
new file mode 100644
index 00000000..5e96749e
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_shellcode_b64.ps1
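Review bot: The exclusion `-not ($_.message -match "HostApplication.*powershell.*")` in `$result = $event | where {...}` tests the whole host application command line rather than the executable, so a renamed binary launched as `C:\tmp\ps.exe -c "... powershell ..."`, or with any argument containing that word, is silently accepted — which is exactly the case the rule exists to catch. Anchor on the executable instead: `-not ($_.message -match 'HostApplication=(\S*\\)?powershell(_ise)?(\.exe)?(\s|$)')`; this assumes the executable path has no spaces, true for the standard `WindowsPowerShell\v1.0` location, and quoted paths would need a small extension. In the other direction any host that reports `HostName=ConsoleHost` but is not powershell.exe would be flagged as renamed, `pwsh.exe` being the obvious candidate if its 400 events ever reach this input, so `$detectedMessage` should mention the expected false positives.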
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*AAAAYInlM.*" -and ($_.message -match "ScriptBlockText.*.*OiCAAAAYInlM.*" -or $_.message -match "ScriptBlockText.*.*OiJAAAAYInlM.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_shellcode_b64";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_shellcode_b64";
+ $detectedMessage = "Detects Base64 encoded Shellcode";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*AAAAYInlM.*" -and ($_.message -match "ScriptBlockText.*.*OiCAAAAYInlM.*" -or $_.message -match "ScriptBlockText.*.*OiJAAAAYInlM.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_suspicious_download.ps1 b/Rules/SIGMA/powershell/powershell_suspicious_download.ps1
new file mode 100644
index 00000000..f234be2a
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_suspicious_download.ps1
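Review bot: `if(! $ruleStack[$ruleName]) {` and the cuddled `} else {` differ from the `if (! ...` / `else` on its own line used by the two rules above and most of the others in this commit, even though all of these files are clearly stamped from one template. Settling on one layout (the uncuddled form is the majority here) keeps a diff across rule files meaningful; the same cuddled form appears in the invocation_specific, mail_acces, mounted_share_deletion, profile_create, recon, tamper_with_windows_defender, timestomp and xor_commandline rules.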
@@ -0,0 +1,41 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.message -match ".*System.Net.WebClient.*" -and ($_.message -match ".*.DownloadFile(.*" -or $_.message -match ".*.DownloadString(.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and $_.message -match "HostApplication.*.*System.Net.WebClient.*" -and ($_.message -match "HostApplication.*.*.DownloadFile(.*" -or $_.message -match "HostApplication.*.*.DownloadString(.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+
+function Add-Rule {
+
+ $ruleName = "powershell_suspicious_download";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_suspicious_download";
+ $detectedMessage = "Detects suspicious PowerShell download command";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.message -match ".*System.Net.WebClient.*" -and ($_.message -match ".*.DownloadFile\(.*" -or $_.message -match ".*.DownloadString\(.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "400" -and $_.message -match "HostApplication.*.*System.Net.WebClient.*" -and ($_.message -match "HostApplication.*.*.DownloadFile\(.*" -or $_.message -match "HostApplication.*.*.DownloadString\(.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ }
+ foreach ($result in $results) {
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
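Review bot: `if ($result -and $result.Count -ne 0)` tests `$result`, which is never assigned before that point in Search-DetectableEvents (the matches are collected in `$results`), so the `Detected! RuleName:` header and `$detectedMessage` are never printed and any hits come out with no rule name attached. Switching the condition to `$results` is not enough on its own, because a `$null` `$tmp` is still added after each empty `where`; guard both adds with `if ($tmp) { [void]$results.Add($tmp) }` and use `if ($results.Count -gt 0) {`. Note also that the first pattern has no `$_.ID` filter, so it runs against every record in whatever log the caller passes in, which may be intended but is worth a comment.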
diff --git a/Rules/SIGMA/powershell/powershell_suspicious_export_pfxcertificate.ps1 b/Rules/SIGMA/powershell/powershell_suspicious_export_pfxcertificate.ps1
new file mode 100644
index 00000000..a436bc74
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_suspicious_export_pfxcertificate.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Export-PfxCertificate.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_suspicious_export_pfxcertificate";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_suspicious_export_pfxcertificate";
+ $detectedMessage = "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal provate keys from compromised machines";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Export-PfxCertificate.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_suspicious_getprocess_lsass.ps1 b/Rules/SIGMA/powershell/powershell_suspicious_getprocess_lsass.ps1
new file mode 100644
index 00000000..c26e5296
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_suspicious_getprocess_lsass.ps1
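Review bot: `$detectedMessage` contains a typo in analyst-facing text: "steal provate keys" should read `steal private keys`. Since this string is printed directly under `Detected! RuleName:` it is worth fixing before the rule ships, and "Commandlet" is conventionally spelled `cmdlet` in the same sentence.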
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Get-Process lsass.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_suspicious_getprocess_lsass";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_suspicious_getprocess_lsass";
+ $detectedMessage = "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Get-Process lsass.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_suspicious_invocation_generic.ps1 b/Rules/SIGMA/powershell/powershell_suspicious_invocation_generic.ps1
new file mode 100644
index 00000000..f7333a4a
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_suspicious_invocation_generic.ps1
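Review bot: The pattern `Get-Process lsass` requires exactly one space and no parameter name, so the equally ordinary spelling `Get-Process -Name lsass` (and multiple spaces or a tab) falls outside the rule while `$detectedMessage` claims near-certain malice. A small widening such as `"ScriptBlockText.*Get-Process\s+(-Name\s+)?lsass"` keeps the rule's intent; whether `ScriptBlockText` records alias forms like `gps` verbatim is not visible here, so treat any alias extension as something to confirm against real 4104 records.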
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match " -enc " -or $_.message -match " -EncodedCommand ") -and ($_.message -match " -w hidden " -or $_.message -match " -window hidden " -or $_.message -match " -windowstyle hidden ") -and ($_.message -match " -noni " -or $_.message -match " -noninteractive ")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_suspicious_invocation_generic";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_suspicious_invocation_generic";
+ $detectedMessage = "Detects suspicious PowerShell invocation command parameters";
+ $result = $event | where { (($_.message -match " -enc " -or $_.message -match " -EncodedCommand ") -and ($_.message -match " -w hidden " -or $_.message -match " -window hidden " -or $_.message -match " -windowstyle hidden ") -and ($_.message -match " -noni " -or $_.message -match " -noninteractive ")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_suspicious_invocation_specific.ps1 b/Rules/SIGMA/powershell/powershell_suspicious_invocation_specific.ps1
new file mode 100644
index 00000000..c53e332a
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_suspicious_invocation_specific.ps1
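Review bot: Every token in the `where` block is matched with a literal space on both sides (`" -noni "`, `" -w hidden "`, `" -enc "`), so a switch that is the last thing on its line in the message — followed by a line break rather than a space — does not match, and because the three groups are joined with `-and` the whole rule then fails for that record. Using a whitespace class on both sides, e.g. `"\s-noni(\s|$)"` and `"\s-noninteractive(\s|$)"` (and likewise for the other tokens), is the minimal change. This depends on how the message field is laid out in 4103/4104 records, which is not visible here, so check it against a real one.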
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.message -match ".*-nop.*" -and $_.message -match ".* -w .*" -and $_.message -match ".*hidden.*" -and $_.message -match ".* -c .*" -and $_.message -match ".*[Convert]::FromBase64String.*") -or ($_.message -match ".* -w .*" -and $_.message -match ".*hidden.*" -and $_.message -match ".*-noni.*" -and $_.message -match ".*-nop.*" -and $_.message -match ".* -c .*" -and $_.message -match ".*iex.*" -and $_.message -match ".*New-Object.*") -or ($_.message -match ".* -w .*" -and $_.message -match ".*hidden.*" -and $_.message -match ".*-ep.*" -and $_.message -match ".*bypass.*" -and $_.message -match ".*-Enc.*") -or ($_.message -match ".*powershell.*" -and $_.message -match ".*reg.*" -and $_.message -match ".*add.*" -and $_.message -match ".*HKCU\software\microsoft\windows\currentversion\run.*") -or ($_.message -match ".*bypass.*" -and $_.message -match ".*-noprofile.*" -and $_.message -match ".*-windowstyle.*" -and $_.message -match ".*hidden.*" -and $_.message -match ".*new-object.*" -and $_.message -match ".*system.net.webclient.*" -and $_.message -match ".*.download.*") -or ($_.message -match ".*iex.*" -and $_.message -match ".*New-Object.*" -and $_.message -match ".*Net.WebClient.*" -and $_.message -match ".*.Download.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_suspicious_invocation_specific";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_suspicious_invocation_specific";
+ $detectedMessage = "Detects suspicious PowerShell invocation command parameters";
+ $result = $event | where { ((($_.message -match ".*-nop.*" -and $_.message -match ".* -w .*" -and $_.message -match ".*hidden.*" -and $_.message -match ".* -c .*" -and $_.message -match ".*[Convert]::FromBase64String.*") -or ($_.message -match ".* -w .*" -and $_.message -match 
".*hidden.*" -and $_.message -match ".*-noni.*" -and $_.message -match ".*-nop.*" -and $_.message -match ".* -c .*" -and $_.message -match ".*iex.*" -and $_.message -match ".*New-Object.*") -or ($_.message -match ".* -w .*" -and $_.message -match ".*hidden.*" -and $_.message -match ".*-ep.*" -and $_.message -match ".*bypass.*" -and $_.message -match ".*-Enc.*") -or ($_.message -match ".*powershell.*" -and $_.message -match ".*reg.*" -and $_.message -match ".*add.*" -and $_.message -match ".*HKCU\\software\\microsoft\\windows\\currentversion\\run.*") -or ($_.message -match ".*bypass.*" -and $_.message -match ".*-noprofile.*" -and $_.message -match ".*-windowstyle.*" -and $_.message -match ".*hidden.*" -and $_.message -match ".*new-object.*" -and $_.message -match ".*system.net.webclient.*" -and $_.message -match ".*.download.*") -or ($_.message -match ".*iex.*" -and $_.message -match ".*New-Object.*" -and $_.message -match ".*Net.WebClient.*" -and $_.message -match ".*.Download.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_suspicious_keywords.ps1 b/Rules/SIGMA/powershell/powershell_suspicious_keywords.ps1
new file mode 100644
index 00000000..9f91e768
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_suspicious_keywords.ps1
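Review bot: `".*[Convert]::FromBase64String.*"` is not the literal it looks like: in a regex `[Convert]` is a character class, so the pattern means "one character from C,o,n,v,e,r,t followed by ::FromBase64String". It still hits the intended text by accident (the trailing `t` of `[Convert]` satisfies the class), but it also matches any other `x::FromBase64String` spelling and will silently break if someone tightens the surrounding pattern; the brackets should be escaped, `"\[Convert\]::FromBase64String"`. The same unescaped-bracket issue is in powershell_suspicious_keywords.ps1 (`[System.Reflection.Assembly]::Load`, `[Reflection.Assembly]::Load`) and powershell_timestomp.ps1 (the three `[IO.File]::Set*Time` patterns). Separately, the header comment in this file keeps single backslashes in the `HKCU\software\...` path while the code doubles them, so the comment cannot be run as written.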
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match ".*System.Reflection.Assembly.Load.*" -or $_.message -match ".*[System.Reflection.Assembly]::Load.*" -or $_.message -match ".*[Reflection.Assembly]::Load.*" -or $_.message -match ".*System.Reflection.AssemblyName.*" -or $_.message -match ".*Reflection.Emit.AssemblyBuilderAccess.*" -or $_.message -match ".*Runtime.InteropServices.DllImportAttribute.*" -or $_.message -match ".*SuspendThread.*" -or $_.message -match ".*rundll32.*" -or $_.message -match ".*FromBase64.*" -or $_.message -match ".*Invoke-WMIMethod.*" -or $_.message -match ".*http://127.0.0.1.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_suspicious_keywords";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_suspicious_keywords";
+ $detectedMessage = "Detects keywords that could indicate the use of some PowerShell exploitation framework";
+ $result = $event | where { (($_.message -match ".*System.Reflection.Assembly.Load.*" -or $_.message -match ".*[System.Reflection.Assembly]::Load.*" -or $_.message -match ".*[Reflection.Assembly]::Load.*" -or $_.message -match ".*System.Reflection.AssemblyName.*" -or $_.message -match ".*Reflection.Emit.AssemblyBuilderAccess.*" -or $_.message -match ".*Runtime.InteropServices.DllImportAttribute.*" -or $_.message -match ".*SuspendThread.*" -or $_.message -match ".*rundll32.*" -or $_.message -match ".*FromBase64.*" -or $_.message -match ".*Invoke-WMIMethod.*" -or $_.message -match ".*http://127.0.0.1.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! 
$ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_suspicious_mail_acces.ps1 b/Rules/SIGMA/powershell/powershell_suspicious_mail_acces.ps1
new file mode 100644
index 00000000..bb7aff7b
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_suspicious_mail_acces.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-Inbox.ps1.*" -or $_.message -match "ScriptBlockText.*.*Microsoft.Office.Interop.Outlook.*" -or $_.message -match "ScriptBlockText.*.*Microsoft.Office.Interop.Outlook.olDefaultFolders.*" -or $_.message -match "ScriptBlockText.*.*-comobject outlook.application.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_suspicious_mail_acces";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_suspicious_mail_acces";
+ $detectedMessage = "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. ";
+ $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-Inbox.ps1.*" -or $_.message -match "ScriptBlockText.*.*Microsoft.Office.Interop.Outlook.*" -or $_.message -match "ScriptBlockText.*.*Microsoft.Office.Interop.Outlook.olDefaultFolders.*" -or $_.message -match "ScriptBlockText.*.*-comobject outlook.application.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_suspicious_mounted_share_deletion.ps1 b/Rules/SIGMA/powershell/powershell_suspicious_mounted_share_deletion.ps1
new file mode 100644
index 00000000..30ec8971
--- /dev/null
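Review bot: The rule name `powershell_suspicious_mail_acces` (file name, both `$ruleName` assignments and the `$ruleStack` key) is misspelled; since that string is what analysts see after `Detected! RuleName:` and is also the dictionary key, it is cheaper to rename it to `powershell_suspicious_mail_access` now than after consumers start filtering on it. The `$detectedMessage` string also carries a trailing space and a typographic apostrophe (`user’s`), which will render inconsistently in non-UTF-8 consoles; a plain `'` is safer in a runtime string.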
+++ b/Rules/SIGMA/powershell/powershell_suspicious_mounted_share_deletion.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Remove-SmbShare.*" -or $_.message -match "ScriptBlockText.*.*Remove-FileShare.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_suspicious_mounted_share_deletion";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_suspicious_mounted_share_deletion";
+ $detectedMessage = "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation";
+ $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Remove-SmbShare.*" -or $_.message -match "ScriptBlockText.*.*Remove-FileShare.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_suspicious_profile_create.ps1 b/Rules/SIGMA/powershell/powershell_suspicious_profile_create.ps1
new file mode 100644
index 00000000..28b11c45
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_suspicious_profile_create.ps1
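Review bot: `$detectedMessage` has a duplicated word, "Detects when when a mounted share is removed"; it should read `Detects when a mounted share is removed.` since this text is printed to the analyst on every hit. The patterns `Remove-SmbShare` and `Remove-FileShare` also describe removing a server-side share rather than disconnecting a mounted one, so either the message or the rule name ("mounted_share_deletion") overstates what is matched; a one-line comment above `$result` saying which cmdlets are actually covered would avoid that confusion.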
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\profile.ps1.*" -and ($_.message -match "TargetFilename.*.*\My Documents\PowerShell\.*" -or $_.message -match "TargetFilename.*.*C:\Windows\System32\WindowsPowerShell\v1.0\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_suspicious_profile_create";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_suspicious_profile_create";
+ $detectedMessage = "Detects a change in profile.ps1 of the Powershell profile";
+ $result = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\profile.ps1.*" -and ($_.message -match "TargetFilename.*.*\\My Documents\\PowerShell\\.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_suspicious_recon.ps1 b/Rules/SIGMA/powershell/powershell_suspicious_recon.ps1
new file mode 100644
index 00000000..19c1eaeb
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_suspicious_recon.ps1
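Review bot: The header comment's `Get-WinEvent` one-liner uses single backslashes (`\profile.ps1`, `\My Documents\PowerShell\`) while the code below correctly doubles them (`\\profile.ps1`); in a .NET regex `\p` and `\M` are escape sequences, not literal characters, so the comment cannot be pasted into a console as written. Since the same comment-versus-code drift exists in several files of this commit, generating the header from the code string (or just copying the escaped form) would keep them in sync. Also, this rule reads Sysmon event 11 while every other rule in the directory reads PowerShell logs; a comment saying the caller must pass Sysmon records to this one would save the next reader a surprise.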
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-Service .*" -or $_.message -match "ScriptBlockText.*.*Get-ChildItem .*" -or $_.message -match "ScriptBlockText.*.*Get-Process .*") -and $_.message -match "ScriptBlockText.*.*> $env:TEMP\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_suspicious_recon";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_suspicious_recon";
+ $detectedMessage = "Once established within a system or network, an adversary may use automated techniques for collecting internal data";
+ $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-Service .*" -or $_.message -match "ScriptBlockText.*.*Get-ChildItem .*" -or $_.message -match "ScriptBlockText.*.*Get-Process .*") -and $_.message -match "ScriptBlockText.*.*> $env:TEMP\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_tamper_with_windows_defender.ps1 b/Rules/SIGMA/powershell/powershell_tamper_with_windows_defender.ps1
new file mode 100644
index 00000000..e13faa6a
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_tamper_with_windows_defender.ps1
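Review bot: `"ScriptBlockText.*.*> $env:TEMP\\.*"` is a double-quoted string, so `$env:TEMP` is expanded on the analyst's machine when the rule runs: the regex becomes the local temp path (e.g. `C:\Users\<name>\AppData\Local\Temp\\.*`) rather than the literal text `$env:TEMP\` that a logged script block would contain, and the raw backslashes in that expanded path are then interpreted as regex escapes. The literal must be protected, e.g. `$_.message -match 'ScriptBlockText.*> \$env:TEMP\\.*'` (single quotes and an escaped `$`). As written the `-and` clause can never match what the header comment describes, so this rule silently never fires.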
@@ -0,0 +1,31 @@
+# Get-WinEvent | where {($_.ID -eq "600" -and $_.message -match "HostApplication.*.*Set-MpPreference.*" -and ($_.message -match "HostApplication.*.*-DisableRealtimeMonitoring 1.*" -or $_.message -match "HostApplication.*.*-DisableBehaviorMonitoring 1.*" -or $_.message -match "HostApplication.*.*-DisableScriptScanning 1.*" -or $_.message -match "HostApplication.*.*-DisableBlockAtFirstSeen 1.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_tamper_with_windows_defender";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_tamper_with_windows_defender";
+ $detectedMessage = "Attempting to disable scheduled scanning and other parts of windows defender atp.";
+ $result = $event | where { ($_.ID -eq "600" -and $_.message -match "HostApplication.*.*Set-MpPreference.*" -and ($_.message -match "HostApplication.*.*-DisableRealtimeMonitoring 1.*" -or $_.message -match "HostApplication.*.*-DisableBehaviorMonitoring 1.*" -or $_.message -match "HostApplication.*.*-DisableScriptScanning 1.*" -or $_.message -match "HostApplication.*.*-DisableBlockAtFirstSeen 1.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_timestomp.ps1 b/Rules/SIGMA/powershell/powershell_timestomp.ps1
new file mode 100644
index 00000000..f85c042c
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_timestomp.ps1
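Review bot: The four `-Disable*Monitoring 1` patterns only accept the numeric form of the switch value; the `$true`/`$True` spelling that PowerShell documentation and most scripts use for these boolean parameters is not matched, so the rule covers a minority of real invocations. A pattern like `"-DisableRealtimeMonitoring\s+(1|\$true)"` (single-quoted or with the `$` escaped, as here, so it is not interpolated) handles both; the same applies to the other three. The header comment's `Get-WinEvent` also has no `-LogName`, unlike every other rule's comment, so it would enumerate all logs if pasted as-is.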
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*.CreationTime =.*" -or $_.message -match "ScriptBlockText.*.*.LastWriteTime =.*" -or $_.message -match "ScriptBlockText.*.*.LastAccessTime =.*" -or $_.message -match "ScriptBlockText.*.*[IO.File]::SetCreationTime.*" -or $_.message -match "ScriptBlockText.*.*[IO.File]::SetLastAccessTime.*" -or $_.message -match "ScriptBlockText.*.*[IO.File]::SetLastWriteTime.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_timestomp";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_timestomp";
+ $detectedMessage = "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. ";
+ $result = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*.CreationTime =.*" -or $_.message -match "ScriptBlockText.*.*.LastWriteTime =.*" -or $_.message -match "ScriptBlockText.*.*.LastAccessTime =.*" -or $_.message -match "ScriptBlockText.*.*[IO.File]::SetCreationTime.*" -or $_.message -match "ScriptBlockText.*.*[IO.File]::SetLastAccessTime.*" -or $_.message -match "ScriptBlockText.*.*[IO.File]::SetLastWriteTime.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
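Review bot: The property patterns `.CreationTime =`, `.LastWriteTime =` and `.LastAccessTime =` require exactly one space before `=`, so `$f.CreationTime=...` or an assignment split over a tab is missed while the rule's message describes the technique in general terms. `"\.(CreationTime|LastWriteTime|LastAccessTime)\s*="` covers the three in one pattern and tolerates spacing; the `[IO.File]` patterns have the unescaped-bracket problem noted on powershell_suspicious_invocation_specific.ps1. The trailing space at the end of `$detectedMessage` is also printed verbatim and can be dropped.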
diff --git a/Rules/SIGMA/powershell/powershell_winlogon_helper_dll.ps1 b/Rules/SIGMA/powershell/powershell_winlogon_helper_dll.ps1
new file mode 100644
index 00000000..3e40089e
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_winlogon_helper_dll.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CurrentVersion\Winlogon.*" -and ($_.message -match "ScriptBlockText.*.*Set-ItemProperty.*" -or $_.message -match "ScriptBlockText.*.*New-Item.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_winlogon_helper_dll";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_winlogon_helper_dll";
+ $detectedMessage = "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CurrentVersion\\Winlogon.*" -and ($_.message -match "ScriptBlockText.*.*Set-ItemProperty.*" -or $_.message -match "ScriptBlockText.*.*New-Item.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_wmimplant.ps1 b/Rules/SIGMA/powershell/powershell_wmimplant.ps1
new file mode 100644
index 00000000..45bf4a4e
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_wmimplant.ps1 
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "ScriptBlockText.*.*WMImplant.*" -or $_.message -match "ScriptBlockText.*.* change_user .*" -or $_.message -match "ScriptBlockText.*.* gen_cli .*" -or $_.message -match "ScriptBlockText.*.* command_exec .*" -or $_.message -match "ScriptBlockText.*.* disable_wdigest .*" -or $_.message -match "ScriptBlockText.*.* disable_winrm .*" -or $_.message -match "ScriptBlockText.*.* enable_wdigest .*" -or $_.message -match "ScriptBlockText.*.* enable_winrm .*" -or $_.message -match "ScriptBlockText.*.* registry_mod .*" -or $_.message -match "ScriptBlockText.*.* remote_posh .*" -or $_.message -match "ScriptBlockText.*.* sched_job .*" -or $_.message -match "ScriptBlockText.*.* service_mod .*" -or $_.message -match "ScriptBlockText.*.* process_kill .*" -or $_.message -match "ScriptBlockText.*.* active_users .*" -or $_.message -match "ScriptBlockText.*.* basic_info .*" -or $_.message -match "ScriptBlockText.*.* power_off .*" -or $_.message -match "ScriptBlockText.*.* vacant_system .*" -or $_.message -match "ScriptBlockText.*.* logon_events .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_wmimplant";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_wmimplant";
+ $detectedMessage = "Detects parameters used by WMImplant";
+ $result = $event | where { (($_.message -match "ScriptBlockText.*.*WMImplant.*" -or $_.message -match "ScriptBlockText.*.* change_user .*" -or $_.message -match "ScriptBlockText.*.* gen_cli .*" -or $_.message -match "ScriptBlockText.*.* command_exec .*" -or $_.message -match "ScriptBlockText.*.* disable_wdigest .*" -or $_.message -match "ScriptBlockText.*.* disable_winrm .*" -or $_.message -match "ScriptBlockText.*.* enable_wdigest .*" -or $_.message -match "ScriptBlockText.*.* enable_winrm .*" -or $_.message -match 
"ScriptBlockText.*.* registry_mod .*" -or $_.message -match "ScriptBlockText.*.* remote_posh .*" -or $_.message -match "ScriptBlockText.*.* sched_job .*" -or $_.message -match "ScriptBlockText.*.* service_mod .*" -or $_.message -match "ScriptBlockText.*.* process_kill .*" -or $_.message -match "ScriptBlockText.*.* active_users .*" -or $_.message -match "ScriptBlockText.*.* basic_info .*" -or $_.message -match "ScriptBlockText.*.* power_off .*" -or $_.message -match "ScriptBlockText.*.* vacant_system .*" -or $_.message -match "ScriptBlockText.*.* logon_events .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_wsman_com_provider_no_powershell.ps1 b/Rules/SIGMA/powershell/powershell_wsman_com_provider_no_powershell.ps1
new file mode 100644
index 00000000..365ef704
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_wsman_com_provider_no_powershell.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.message -match ".*ProviderName=WSMan.*" -and -not ($_.message -match ".*HostApplication=.*powershell.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_wsman_com_provider_no_powershell";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_wsman_com_provider_no_powershell";
+ $detectedMessage = "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.";
+ $result = $event | where { ($_.message -match ".*ProviderName=WSMan.*" -and -not ($_.message -match ".*HostApplication=.*powershell.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/powershell_xor_commandline.ps1 b/Rules/SIGMA/powershell/powershell_xor_commandline.ps1
new file mode 100644
index 00000000..d1e18ff1
--- /dev/null
+++ b/Rules/SIGMA/powershell/powershell_xor_commandline.ps1
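Review bot: The exclusion `-not ($_.message -match ".*HostApplication=.*powershell.*")` will, if I read it right, flag every PowerShell 7 host, because `pwsh.exe` does not contain the substring "powershell"; on estates with pwsh installed this rule becomes a steady stream of benign hits. Extending the exclusion to `".*HostApplication=[^ ]*(powershell|pwsh)(\.exe)?"` (anchored to the executable token, as the same exclusion in powershell_renamed_powershell.ps1 should be) keeps the intent. There is also no `$_.ID` filter here, so the rule scans every record it is given; a comment stating that is deliberate would help.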
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and $_.message -match "HostName.*ConsoleHost" -and ($_.message -match "CommandLine.*.*bxor.*" -or $_.message -match "CommandLine.*.*join.*" -or $_.message -match "CommandLine.*.*char.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "powershell_xor_commandline";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "powershell_xor_commandline";
+ $detectedMessage = "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.";
+ $result = $event | where { ($_.ID -eq "400" -and $_.message -match "HostName.*ConsoleHost" -and ($_.message -match "CommandLine.*.*bxor.*" -or $_.message -match "CommandLine.*.*join.*" -or $_.message -match "CommandLine.*.*char.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/poweshell_detect_vm_env.ps1 b/Rules/SIGMA/powershell/poweshell_detect_vm_env.ps1
new file mode 100644
index 00000000..5fc5b7be
--- /dev/null
+++ b/Rules/SIGMA/powershell/poweshell_detect_vm_env.ps1
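Review bot: The third alternative `$_.message -match "CommandLine.*.*char.*"` fires on any command line containing the letters "char" (charset, Get-Characteristics, a file path), and `.*join.*` likewise matches "joined" or "Join-Path"; since the description is after `-bxor`, `-join` and `[char]`, matching the actual tokens, `'CommandLine.*-bxor'`, `'CommandLine.*-join'` and `'CommandLine.*\[char\]'`, would cut the noise considerably. Separately, the reference query in the first comment line, `Get-WinEvent -LogName Windows PowerShell`, does not run as written because the log name contains a space; it needs quoting: `Get-WinEvent -LogName "Windows PowerShell"`.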
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Get-WmiObject.*" -and ($_.message -match "ScriptBlockText.*.*MSAcpi_ThermalZoneTemperature.*" -or $_.message -match "ScriptBlockText.*.*Win32_ComputerSystem.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "poweshell_detect_vm_env";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "poweshell_detect_vm_env";
+ $detectedMessage = "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox";
+ $result = $event | where { ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Get-WmiObject.*" -and ($_.message -match "ScriptBlockText.*.*MSAcpi_ThermalZoneTemperature.*" -or $_.message -match "ScriptBlockText.*.*Win32_ComputerSystem.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/powershell/win_powershell_web_request.ps1 b/Rules/SIGMA/powershell/win_powershell_web_request.ps1
new file mode 100644
index 00000000..d6e84ee3
--- /dev/null
+++ b/Rules/SIGMA/powershell/win_powershell_web_request.ps1
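Review bot: The filter requires `Get-WmiObject` in the script block, so the same VM checks done with `Get-CimInstance` (the replacement cmdlet since PowerShell 3) or the `gwmi` alias are not seen; `'ScriptBlockText.*(Get-WmiObject|Get-CimInstance|gwmi)'` would cover all three spellings. `Win32_ComputerSystem` is also queried by ordinary inventory and logon scripts, so expect that branch to be far noisier than `MSAcpi_ThermalZoneTemperature`; a comment noting that would set analyst expectations. The rule name and file name are spelled `poweshell_detect_vm_env`; since `$ruleName` is printed in the alert line and used as the `$ruleStack` key, renaming to `powershell_detect_vm_env` now is cheaper than after consumers start matching on it.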
@@ -0,0 +1,40 @@
+#Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Invoke-WebRequest.*" -or $_.message -match "CommandLine.*.*iwr .*" -or $_.message -match "CommandLine.*.*wget .*" -or $_.message -match "CommandLine.*.*curl .*" -or $_.message -match "CommandLine.*.*Net.WebClient.*" -or $_.message -match "CommandLine.*.*Start-BitsTransfer.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+#Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Invoke-WebRequest.*" -or $_.message -match "ScriptBlockText.*.*iwr .*" -or $_.message -match "ScriptBlockText.*.*wget .*" -or $_.message -match "ScriptBlockText.*.*curl .*" -or $_.message -match "ScriptBlockText.*.*Net.WebClient.*" -or $_.message -match "ScriptBlockText.*.*Start-BitsTransfer.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_web_request";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_web_request";
+ $detectedMessage = "Detects the use of various web request methods (including aliases) via Windows PowerShell";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Invoke-WebRequest.*" -or $_.message -match "CommandLine.*.*iwr .*" -or $_.message -match "CommandLine.*.*wget .*" -or $_.message -match "CommandLine.*.*curl .*" -or $_.message -match "CommandLine.*.*Net.WebClient.*" -or $_.message -match "CommandLine.*.*Start-BitsTransfer.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Invoke-WebRequest.*" -or $_.message -match "ScriptBlockText.*.*iwr .*" -or $_.message -match 
"ScriptBlockText.*.*wget .*" -or $_.message -match "ScriptBlockText.*.*curl .*" -or $_.message -match "ScriptBlockText.*.*Net.WebClient.*" -or $_.message -match "ScriptBlockText.*.*Start-BitsTransfer.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_cmstp_execution_by_access.ps1 b/Rules/SIGMA/process_access/sysmon_cmstp_execution_by_access.ps1
new file mode 100644
index 00000000..100aa92d
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_cmstp_execution_by_access.ps1
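Review bot: The Sysmon branch keys on `$_.ID -eq "1"` and the PowerShell branch on `$_.ID -eq "4104"` without checking `$_.ProviderName` or `$_.LogName`, so if the caller passes events from more than one log (the two reference queries at the top read different logs), an ID 1 event from any other provider whose message happens to contain `curl ` or `wget ` is reported as a Sysmon process creation; adding `-and $_.ProviderName -eq "Microsoft-Windows-Sysmon"` to the first `where` and the PowerShell provider to the second removes that ambiguity. The primitive list also omits `Invoke-RestMethod`/`irm` and `DownloadString`/`DownloadFile`, which appear in stagers at least as often as `Invoke-WebRequest`; whether to add them depends on how noisy this rule is meant to be, but a comment stating the omission is deliberate would stop the next reviewer re-raising it. Because `$tmp` is appended even when `where` returned nothing, `$results` always holds two entries and the `foreach` relies on the `$result -and` guard; that works, but a short comment would make the intent clear.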
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "CallTrace.*.*cmlua.dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_cmstp_execution_by_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_cmstp_execution_by_access";
+ $detectedMessage = "Detects various indicators of Microsoft Connection Manager Profile Installer execution";
+ $result = $event | where { ($_.ID -eq "10" -and $_.message -match "CallTrace.*.*cmlua.dll.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_cred_dump_lsass_access.ps1 b/Rules/SIGMA/process_access/sysmon_cred_dump_lsass_access.ps1
new file mode 100644
index 00000000..11d3b515
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_cred_dump_lsass_access.ps1
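Review bot: The description `Detects various indicators of Microsoft Connection Manager Profile Installer execution` oversells the filter, which checks exactly one thing: a Sysmon ProcessAccess (ID 10) event whose CallTrace contains `cmlua.dll`. A description that matches the check, e.g. `Detects a process access whose call stack passes through cmlua.dll (the CMSTP/CMLUA COM interface), an indicator of CMSTP-based execution or UAC bypass`, tells the analyst what actually fired. The `.` in `cmlua.dll` is also an unescaped regex metacharacter; `cmlua\.dll` is the exact match intended, even if the difference is unlikely to matter in practice.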
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "10") -and ($_.message -match "TargetImage.*.*\lsass.exe" -and ($_.message -match "GrantedAccess.*.*0x40.*" -or $_.message -match "GrantedAccess.*.*0x1000.*" -or $_.message -match "GrantedAccess.*.*0x1400.*" -or $_.message -match "GrantedAccess.*.*0x100000.*" -or $_.message -match "GrantedAccess.*.*0x1410.*" -or $_.message -match "GrantedAccess.*.*0x1010.*" -or $_.message -match "GrantedAccess.*.*0x1438.*" -or $_.message -match "GrantedAccess.*.*0x143a.*" -or $_.message -match "GrantedAccess.*.*0x1418.*" -or $_.message -match "GrantedAccess.*.*0x1f0fff.*" -or $_.message -match "GrantedAccess.*.*0x1f1fff.*" -or $_.message -match "GrantedAccess.*.*0x1f2fff.*" -or $_.message -match "GrantedAccess.*.*0x1f3fff.*")) -and -not (($_.message -match "ProcessName.*.*\wmiprvse.exe" -or $_.message -match "ProcessName.*.*\taskmgr.exe" -or $_.message -match "ProcessName.*.*\procexp64.exe" -or $_.message -match "ProcessName.*.*\procexp.exe" -or $_.message -match "ProcessName.*.*\lsm.exe" -or $_.message -match "ProcessName.*.*\MsMpEng.exe" -or $_.message -match "ProcessName.*.*\csrss.exe" -or $_.message -match "ProcessName.*.*\wininit.exe" -or $_.message -match "ProcessName.*.*\vmtoolsd.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_cred_dump_lsass_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_cred_dump_lsass_access";
+ $detectedMessage = "Detects process access LSASS memory which is typical for credentials dumping tools";
+ $result = $event | where { (($_.ID -eq "10") -and ($_.message -match "TargetImage.*.*\\lsass.exe" -and ($_.message -match "GrantedAccess.*.*0x40.*" -or $_.message -match "GrantedAccess.*.*0x1000.*" -or $_.message -match "GrantedAccess.*.*0x1400.*" -or $_.message -match "GrantedAccess.*.*0x100000.*" -or $_.message -match 
"GrantedAccess.*.*0x1410.*" -or $_.message -match "GrantedAccess.*.*0x1010.*" -or $_.message -match "GrantedAccess.*.*0x1438.*" -or $_.message -match "GrantedAccess.*.*0x143a.*" -or $_.message -match "GrantedAccess.*.*0x1418.*" -or $_.message -match "GrantedAccess.*.*0x1f0fff.*" -or $_.message -match "GrantedAccess.*.*0x1f1fff.*" -or $_.message -match "GrantedAccess.*.*0x1f2fff.*" -or $_.message -match "GrantedAccess.*.*0x1f3fff.*")) -and -not (($_.message -match "ProcessName.*.*\\wmiprvse.exe" -or $_.message -match "ProcessName.*.*\\taskmgr.exe" -or $_.message -match "ProcessName.*.*\\procexp64.exe" -or $_.message -match "ProcessName.*.*\\procexp.exe" -or $_.message -match "ProcessName.*.*\\lsm.exe" -or $_.message -match "ProcessName.*.*\\MsMpEng.exe" -or $_.message -match "ProcessName.*.*\\csrss.exe" -or $_.message -match "ProcessName.*.*\\wininit.exe" -or $_.message -match "ProcessName.*.*\\vmtoolsd.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_direct_syscall_ntopenprocess.ps1 b/Rules/SIGMA/process_access/sysmon_direct_syscall_ntopenprocess.ps1
new file mode 100644
index 00000000..ea2a715f
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_direct_syscall_ntopenprocess.ps1
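Review bot: The whitelist `-not (($_.message -match "ProcessName.*.*\\wmiprvse.exe" -or ... "ProcessName.*.*\\vmtoolsd.exe"))` never excludes anything, because Sysmon ProcessAccess (ID 10) messages report the accessing process in `SourceImage` (as the sibling `sysmon_svchost_cred_dump` and `sysmon_lsass_dump_comsvcs_dll` rules in this change use), not in a `ProcessName` field; as written, every taskmgr, MsMpEng, csrss and wininit access to lsass will alert. Rewriting each exclusion as `SourceImage.*\\taskmgr\.exe` and so on makes the whitelist live; note that a name-only exclusion is itself bypassable by a renamed dumper, so anchoring the system binaries to `\\Windows\\System32\\` is worth considering. Separately, the GrantedAccess alternatives are unanchored prefix matches (`GrantedAccess.*.*0x40.*` also matches `0x400`, `0x401`, `0x4000`), so anchoring the value, e.g. `'GrantedAccess:\s*0x(40|1000|1400|100000|1410|1010|1438|143a|1418|1f0fff|1f1fff|1f2fff|1f3fff)\b'`, matches exactly the listed masks.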
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "CallTrace.*UNKNOWN.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_direct_syscall_ntopenprocess";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_direct_syscall_ntopenprocess";
+ $detectedMessage = "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.";
+ $result = $event | where { ($_.ID -eq "10" -and $_.message -match "CallTrace.*UNKNOWN.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_in_memory_assembly_execution.ps1 b/Rules/SIGMA/process_access/sysmon_in_memory_assembly_execution.ps1
new file mode 100644
index 00000000..71e784b0
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_in_memory_assembly_execution.ps1
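Review bot: `$_.message -match "CallTrace.*UNKNOWN.*"` flags every ProcessAccess event with an UNKNOWN frame anywhere in the stack, which is routine for JIT-compiled code (.NET, Java, browsers) and will dominate the output of this rule. If the intent is a direct syscall, the distinguishing feature is that the syscall instruction is not executed from `ntdll.dll`, so the first frame of the trace is the unbacked one; anchoring to the start of the value, `'CallTrace:\s*UNKNOWN'`, matches that case and little else. The description also attributes the hit to `NtOpenProcess` and a CobaltStrike BOF, neither of which the filter can distinguish from any other caller without a module; phrasing it as `Detects ProcessAccess events whose call trace starts in unbacked memory, consistent with direct syscalls (e.g. NtOpenProcess from a BOF)` keeps the alert text honest.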
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "10") -and ((($_.ID -eq "10") -and (($_.message -match "CallTrace.*.*C:\Windows\SYSTEM32\ntdll.dll+.*" -and $_.message -match "CallTrace.*.*|C:\Windows\System32\KERNELBASE.dll+.*" -and $_.message -match "CallTrace.*.*|UNKNOWN(.*" -and $_.message -match "CallTrace.*.*).*") -or ($_.message -match "CallTrace.*.*UNKNOWN(.*" -and $_.message -match "CallTrace.*.*)|UNKNOWN(.*" -and $_.message -match "CallTrace.*.*)"))) -or (($_.ID -eq "10" -and $_.message -match "CallTrace.*.*UNKNOWN.*" -and ($_.message -match "0x1F0FFF" -or $_.message -match "0x1F1FFF" -or $_.message -match "0x143A" -or $_.message -match "0x1410" -or $_.message -match "0x1010" -or $_.message -match "0x1F2FFF" -or $_.message -match "0x1F3FFF" -or $_.message -match "0x1FFFFF")) -and -not (($_.message -match "SourceImage.*.*\Windows\System32\sdiagnhost.exe"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_in_memory_assembly_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_in_memory_assembly_execution";
+ $detectedMessage = "Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. 
An example is SilentTrinity";
+ $result = $event | where { (($_.ID -eq "10") -and ((($_.ID -eq "10") -and (($_.message -match "CallTrace.*.*C:\\Windows\\SYSTEM32\\ntdll.dll+.*" -and $_.message -match "CallTrace.*.*|C:\\Windows\\System32\\KERNELBASE.dll+.*" -and $_.message -match "CallTrace.*.*|UNKNOWN\(.*" -and $_.message -match "CallTrace.*.*\).*") -or ($_.message -match "CallTrace.*.*UNKNOWN\(.*" -and $_.message -match "CallTrace.*.*\)|UNKNOWN\(.*" -and $_.message -match "CallTrace.*.*\)"))) -or (($_.ID -eq "10" -and $_.message -match "CallTrace.*.*UNKNOWN.*" -and ($_.message -match "0x1F0FFF" -or $_.message -match "0x1F1FFF" -or $_.message -match "0x143A" -or $_.message -match "0x1410" -or $_.message -match "0x1010" -or $_.message -match "0x1F2FFF" -or $_.message -match "0x1F3FFF" -or $_.message -match "0x1FFFFF")) -and -not (($_.message -match "SourceImage.*.*\\Windows\\System32\\sdiagnhost.exe"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_invoke_phantom.ps1 b/Rules/SIGMA/process_access/sysmon_invoke_phantom.ps1
new file mode 100644
index 00000000..d4be82ed
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_invoke_phantom.ps1
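Review bot: The `|` in `"CallTrace.*.*|C:\\Windows\\System32\\KERNELBASE.dll+.*"`, `"CallTrace.*.*|UNKNOWN\(.*"` and `"CallTrace.*.*\)|UNKNOWN\(.*"` is an unescaped regex alternation, so each of those `-match` tests reduces to `CallTrace.*` OR the right-hand side, and `CallTrace.*` is true for every ID 10 event; the parentheses were escaped when this was ported but the frame separators were not, which leaves the first branch firing on any event that merely has an `ntdll.dll` frame. Escaping them (`\|`) restores the intended "frame A followed by frame B" test; the same unescaped `|` appears in the sibling `sysmon_lazagne_cred_dump_lsass_access` and `sysmon_malware_verclsid_shellcode` rules. The inner `($_.ID -eq "10")` checks duplicate the outer one and can go, and the `$detectedMessage` string spanning a line break will print a raw newline in the alert; a single-line description reads better in the output.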
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\windows\system32\svchost.exe" -and $_.message -match "GrantedAccess.*0x1f3fff" -and ($_.message -match "CallTrace.*.*unknown.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_invoke_phantom";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_invoke_phantom";
+ $detectedMessage = "Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.";
+ $result = $event | where { ($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\windows\\system32\\svchost.exe" -and $_.message -match "GrantedAccess.*0x1f3fff" -and ($_.message -match "CallTrace.*.*unknown.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_lazagne_cred_dump_lsass_access.ps1 b/Rules/SIGMA/process_access/sysmon_lazagne_cred_dump_lsass_access.ps1
new file mode 100644
index 00000000..06b287d4
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_lazagne_cred_dump_lsass_access.ps1
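Review bot: `Write-Host "Rule Import Error" -Foreground Yellow` in the `else` branch does not say which rule collided, and since every rule file in this change prints the identical string, a duplicate `$ruleName` (easy to produce when files are copied, as the `poweshell_`/`powershell_` pair shows) is hard to trace back; `Write-Host "Rule Import Error: duplicate rule name '$ruleName'" -Foreground Yellow` names the culprit. On the filter itself, `TargetImage.*.*\\windows\\system32\\svchost.exe` will hit any of the many svchost instances, not only the one hosting the Event Log service that the description implies; that limitation is inherent to ID 10 data, but stating it in `$detectedMessage` would save the analyst a false assumption.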
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\lsass.exe" -and $_.message -match "CallTrace.*.*C:\Windows\SYSTEM32\ntdll.dll+.*" -and $_.message -match "CallTrace.*.*|C:\Windows\System32\KERNELBASE.dll+.*" -and $_.message -match "CallTrace.*.*_ctypes.pyd+.*" -and $_.message -match "CallTrace.*.*python27.dll+.*" -and $_.message -match "GrantedAccess.*0x1FFFFF") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_lazagne_cred_dump_lsass_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_lazagne_cred_dump_lsass_access";
+ $detectedMessage = "Detects LSASS process access by LaZagne for credential dumping.";
+ $result = $event | where { ($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "CallTrace.*.*C:\\Windows\\SYSTEM32\\ntdll.dll+.*" -and $_.message -match "CallTrace.*.*|C:\\Windows\\System32\\KERNELBASE.dll+.*" -and $_.message -match "CallTrace.*.*_ctypes.pyd+.*" -and $_.message -match "CallTrace.*.*python27.dll+.*" -and $_.message -match "GrantedAccess.*0x1FFFFF") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_load_undocumented_autoelevated_com_interface.ps1 b/Rules/SIGMA/process_access/sysmon_load_undocumented_autoelevated_com_interface.ps1
new file mode 100644
index 00000000..6d3a4e5f
--- /dev/null
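Review bot: `$_.message -match "CallTrace.*.*|C:\\Windows\\System32\\KERNELBASE.dll+.*"` contains an unescaped `|`, so it is an alternation whose left side `CallTrace.*` matches every ID 10 event and the KERNELBASE frame is never actually required; the other `-and` terms (`_ctypes.pyd`, `python27.dll`, `0x1FFFFF`) still constrain the rule, so this is currently harmless, but `\|` is what was meant and the same slip is in the `sysmon_in_memory_assembly_execution` and `sysmon_malware_verclsid_shellcode` rules. Keying on `python27.dll` only sees Python 2 builds of the tool; a Python 3 build shows `python3*.dll` instead, which is what the sibling `sysmon_pypykatz_cred_dump_lsass_access` rule expects, so `python(27|3\d*)\.dll` would cover both without a second rule. Note also that `dll+` means "dl followed by one or more l", not "dll+" literally; it still matches, but `dll\+` is the accurate form given that Sysmon prints `module+offset`.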
+++ b/Rules/SIGMA/process_access/sysmon_load_undocumented_autoelevated_com_interface.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "CallTrace.*.*editionupgrademanagerobj.dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_load_undocumented_autoelevated_com_interface";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_load_undocumented_autoelevated_com_interface";
+ $detectedMessage = "COM interface (EditionUpgradeManager) that is not used by standard executables.";
+ $result = $event | where {($_.ID -eq "10" -and $_.message -match "CallTrace.*.*editionupgrademanagerobj.dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_lsass_dump_comsvcs_dll.ps1 b/Rules/SIGMA/process_access/sysmon_lsass_dump_comsvcs_dll.ps1
new file mode 100644
index 00000000..ff973821
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_lsass_dump_comsvcs_dll.ps1
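Review bot: `$detectedMessage = "COM interface (EditionUpgradeManager) that is not used by standard executables."` is a sentence fragment that reads oddly once printed under `Detected! RuleName:...`; something like `Detects a process access whose call stack passes through editionupgrademanagerobj.dll, the auto-elevated EditionUpgradeManager COM interface that standard executables do not use` says what fired and why it matters. The `Write-Output $result;` and `Write-Output "";` lines are at column 0 while the rest of the block is indented, and the `where {(` / `select TimeCreated,Id,...` spacing differs from the other new rules; aligning them keeps the generated set diff-friendly. `editionupgrademanagerobj.dll` also has an unescaped `.`; `editionupgrademanagerobj\.dll` is the exact match.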
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\lsass.exe" -and $_.message -match "SourceImage.*C:\Windows\System32\rundll32.exe" -and $_.message -match "CallTrace.*.*comsvcs.dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_lsass_dump_comsvcs_dll";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_lsass_dump_comsvcs_dll";
+ $detectedMessage = "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.";
+ $result = $event | where { ($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "SourceImage.*C:\\Windows\\System32\\rundll32.exe" -and $_.message -match "CallTrace.*.*comsvcs.dll.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_lsass_memdump.ps1 b/Rules/SIGMA/process_access/sysmon_lsass_memdump.ps1
new file mode 100644
index 00000000..020a4d1c
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_lsass_memdump.ps1
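Review bot: `SourceImage.*C:\\Windows\\System32\\rundll32.exe` pins the 64-bit host on drive C:, so the same `rundll32 comsvcs.dll MiniDump` invocation launched from `C:\Windows\SysWOW64\rundll32.exe`, or on a system installed on another drive, is missed; `SourceImage.*\\rundll32\.exe` (the name-only form the sibling rules use for other images) catches both, and the `comsvcs.dll` CallTrace term already pins the technique. Unlike the other lsass rules in this change, `GrantedAccess` is not checked here; that is reasonable because the CallTrace term is specific, but a one-line comment saying so would stop a later "consistency" edit from adding a mask that breaks the detection.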
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\lsass.exe" -and $_.message -match "GrantedAccess.*0x1fffff" -and ($_.message -match "CallTrace.*.*dbghelp.dll.*" -or $_.message -match "CallTrace.*.*dbgcore.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_lsass_memdump";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_lsass_memdump";
+ $detectedMessage = "Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10";
+ $result = $event | where { ($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "GrantedAccess.*0x1fffff" -and ($_.message -match "CallTrace.*.*dbghelp.dll.*" -or $_.message -match "CallTrace.*.*dbgcore.dll.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_malware_verclsid_shellcode.ps1 b/Rules/SIGMA/process_access/sysmon_malware_verclsid_shellcode.ps1
new file mode 100644
index 00000000..8a9997eb
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_malware_verclsid_shellcode.ps1
@@ -0,0 +1,30 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "10") -and ($_.message -match "TargetImage.*.*\verclsid.exe" -and $_.message -match "GrantedAccess.*0x1FFFFF") -and (($_.message -match "CallTrace.*.*|UNKNOWN(.*" -and $_.message -match "CallTrace.*.*VBE7.DLL.*") -or ($_.message -match "SourceImage.*.*\Microsoft Office\.*" -and $_.message -match "CallTrace.*.*|UNKNOWN.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_malware_verclsid_shellcode";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_malware_verclsid_shellcode";
+ $result = $event | where { (($_.ID -eq "10") -and ($_.message -match "TargetImage.*.*\\verclsid.exe" -and $_.message -match "GrantedAccess.*0x1FFFFF") -and (($_.message -match "CallTrace.*.*|UNKNOWN(.*" -and $_.message -match "CallTrace.*.*VBE7.DLL.*") -or ($_.message -match "SourceImage.*.*\\Microsoft Office\\.*" -and $_.message -match "CallTrace.*.*|UNKNOWN.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_mimikatz_trough_winrm.ps1 b/Rules/SIGMA/process_access/sysmon_mimikatz_trough_winrm.ps1
new file mode 100644
index 00000000..ac27b875
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_mimikatz_trough_winrm.ps1
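Review bot: `$_.message -match "CallTrace.*.*|UNKNOWN(.*"` is not a valid .NET regex: the `(` is unescaped (the parentheses were escaped in the other new rules but not in this file), so `-match` throws a pattern-parse error on the first ID 10 event that reaches it rather than filtering, and the rule fails at runtime; the `|` before `UNKNOWN` is also an unescaped alternation that makes the left side `CallTrace.*` match every event once the parenthesis is fixed. `"CallTrace.*\|UNKNOWN\("` (and `"CallTrace.*\|UNKNOWN"` in the second branch) is the intended frame test. `$detectedMessage` is never assigned in this file, so `Write-Output $detectedMessage` prints an empty line in the alert; add something like `$detectedMessage = "Detects full-access process access to verclsid.exe from an Office process or through VBE7.DLL with unbacked frames in the call stack, consistent with macro-delivered shellcode";` next to `$ruleName`.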
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\lsass.exe" -and $_.message -match "SourceImage.*C:\Windows\system32\wsmprovhost.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_mimikatz_trough_winrm";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_mimikatz_trough_winrm";
+ $detectedMessage = "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.";
+ $result = $event | where { ($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "SourceImage.*C:\\Windows\\system32\\wsmprovhost.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_pypykatz_cred_dump_lsass_access.ps1 b/Rules/SIGMA/process_access/sysmon_pypykatz_cred_dump_lsass_access.ps1
new file mode 100644
index 00000000..681ba99c
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_pypykatz_cred_dump_lsass_access.ps1
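Review bot: The source path is pinned to `C:\\Windows\\system32\\wsmprovhost.exe`, so a 32-bit session host (`C:\Windows\SysWOW64\wsmprovhost.exe`) or a system on a non-default drive is never detected; since the target is already lsass, matching on the image name, `SourceImage.*\\wsmprovhost\.exe`, is sufficient and consistent with how the other rules in this change match images. The description claims mimikatz specifically, but any lsass open from the WinRM host that the Sysmon configuration chooses to log (no `GrantedAccess` mask is checked here) will fire; `Detects lsass process access from wsmprovhost.exe (the WinRM session host), e.g. mimikatz executed over WinRM` describes the check more accurately. The rule name `sysmon_mimikatz_trough_winrm` has "trough" for "through"; it is only a label, but it is printed in every alert.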
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\lsass.exe" -and $_.message -match "CallTrace.*.*C:\Windows\SYSTEM32\ntdll.dll+.*" -and $_.message -match "CallTrace.*.*C:\Windows\System32\KERNELBASE.dll+.*" -and $_.message -match "CallTrace.*.*libffi-7.dll.*" -and $_.message -match "CallTrace.*.*_ctypes.pyd+.*" -and $_.message -match "CallTrace.*.*python3.*.dll+.*" -and $_.message -match "GrantedAccess.*0x1FFFFF") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_pypykatz_cred_dump_lsass_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_pypykatz_cred_dump_lsass_access";
+ $detectedMessage = "Detects LSASS process access by pypykatz for credential dumping.";
+ $result = $event | where { ($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "CallTrace.*.*C:\\Windows\\SYSTEM32\\ntdll.dll+.*" -and $_.message -match "CallTrace.*.*C:\\Windows\\System32\\KERNELBASE.dll+.*" -and $_.message -match "CallTrace.*.*libffi-7.dll.*" -and $_.message -match "CallTrace.*.*_ctypes.pyd+.*" -and $_.message -match "CallTrace.*.*python3.*.dll+.*" -and $_.message -match "GrantedAccess.*0x1FFFFF") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/sysmon_svchost_cred_dump.ps1 b/Rules/SIGMA/process_access/sysmon_svchost_cred_dump.ps1
new file mode 100644
index 00000000..ec38f246
--- /dev/null
+++ b/Rules/SIGMA/process_access/sysmon_svchost_cred_dump.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "10") -and ($_.message -match "TargetImage.*.*\svchost.exe" -and $_.message -match "GrantedAccess.*0x143a") -and -not (($_.message -match "SourceImage.*.*\services.exe" -or $_.message -match "SourceImage.*.*\msiexec.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_svchost_cred_dump";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_svchost_cred_dump";
+ $detectedMessage = "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials";
+ $result = $event | where { (($_.ID -eq "10") -and ($_.message -match "TargetImage.*.*\\svchost.exe" -and $_.message -match "GrantedAccess.*0x143a") -and -not (($_.message -match "SourceImage.*.*\\services.exe" -or $_.message -match "SourceImage.*.*\\msiexec.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_access/win_susp_shell_spawn_from_winrm.ps1 b/Rules/SIGMA/process_access/win_susp_shell_spawn_from_winrm.ps1
new file mode 100644
index 00000000..2e918852
--- /dev/null
+++ b/Rules/SIGMA/process_access/win_susp_shell_spawn_from_winrm.ps1
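Review bot: The exclusions `SourceImage.*.*\\services.exe` and `SourceImage.*.*\\msiexec.exe` match on file name only, so a dumper copied to `C:\Users\Public\services.exe` silences the rule entirely; anchoring the whitelist to the system directory, `SourceImage:\s*C:\\Windows\\System32\\(services|msiexec)\.exe`, keeps the exemption to the genuine binaries (if installations on other drives matter, use `\\Windows\\System32\\` without the drive letter). `GrantedAccess.*0x143a` is an unanchored match; `0x143a\b` avoids accidental hits if the mask set is extended later, and note that the in-memory-assembly rule in this change spells the same mask `0x143A` while `-match` is case-insensitive, so both work but one spelling would be tidier.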
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\wsmprovhost.exe" -and ($_.message -match "Image.*.*\cmd.exe" -or $_.message -match "Image.*.*\sh.exe" -or $_.message -match "Image.*.*\bash.exe" -or $_.message -match "Image.*.*\powershell.exe" -or $_.message -match "Image.*.*\schtasks.exe" -or $_.message -match "Image.*.*\certutil.exe" -or $_.message -match "Image.*.*\whoami.exe" -or $_.message -match "Image.*.*\bitsadmin.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_shell_spawn_from_winrm";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_shell_spawn_from_winrm";
+ $detectedMessage = "Detects suspicious shell spawn from WinRM host process";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\wsmprovhost.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_SDelete.ps1 b/Rules/SIGMA/process_creation/process_creation_SDelete.ps1
new file mode 100644
index 00000000..4a1c9758
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_SDelete.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "OriginalFileName.*sdelete.exe" -and -not (($_.message -match "CommandLine.*.* -h.*" -or $_.message -match "CommandLine.*.* -c.*" -or $_.message -match "CommandLine.*.* -z.*" -or $_.message -match "CommandLine.*.* /?.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_SDelete";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_SDelete";
+ $detectedMessage = "Use of SDelete to erase a file not the free space";
+ $result = $event | where { (($_.ID -eq "1") -and $_.message -match "OriginalFileName.*sdelete.exe" -and -not (($_.message -match "CommandLine.*.* -h.*" -or $_.message -match "CommandLine.*.* -c.*" -or $_.message -match "CommandLine.*.* -z.*" -or $_.message -match "CommandLine.*.* /?.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_automated_collection.ps1 b/Rules/SIGMA/process_creation/process_creation_automated_collection.ps1
new file mode 100644
index 00000000..e056dfda
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_automated_collection.ps1
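Review bot: The exclusion `$_.message -match "CommandLine.*.* /?.*"` on the `$result` line can never fail: `?` makes the slash optional, so the pattern reduces to "CommandLine, anything, a space, anything", which any CommandLine (or ParentCommandLine) value containing a space satisfies; the surrounding `-not (...)` therefore suppresses essentially every sdelete.exe execution and the rule cannot fire. Escape the metacharacter, `$_.message -match "CommandLine.*.* /\?.*"`, so that only a literal ` /?` help switch is excluded. The `-h`, `-c` and `-z` exclusions are likewise satisfied by the `ParentCommandLine:` line, since `CommandLine` is a substring of that field name, so a parent launched with `-c` hides the child; the same ambiguity runs through the other CommandLine-based rules in this commit (see the note on process_creation_automated_collection.ps1). The `$result = ...` statement also lacks the trailing `;` that the sibling rules use.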
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*.doc.*" -or $_.message -match "CommandLine.*.*.docx.*" -or $_.message -match "CommandLine.*.*.xls.*" -or $_.message -match "CommandLine.*.*.xlsx.*" -or $_.message -match "CommandLine.*.*.ppt.*" -or $_.message -match "CommandLine.*.*.pptx.*" -or $_.message -match "CommandLine.*.*.rtf.*" -or $_.message -match "CommandLine.*.*.pdf.*" -or $_.message -match "CommandLine.*.*.txt.*") -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*dir .*" -and $_.message -match "CommandLine.*.* /b .*" -and $_.message -match "CommandLine.*.* /s .*") -or ($_.message -match "OriginalFileName.*FINDSTR.EXE" -and $_.message -match "CommandLine.*.* /e .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_automated_collection";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_automated_collection";
+ $detectedMessage = "Once established within a system or network, an adversary may use automated techniques for collecting internal data.";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*.doc.*" -or $_.message -match "CommandLine.*.*.docx.*" -or $_.message -match "CommandLine.*.*.xls.*" -or $_.message -match "CommandLine.*.*.xlsx.*" -or $_.message -match "CommandLine.*.*.ppt.*" -or $_.message -match "CommandLine.*.*.pptx.*" -or $_.message -match "CommandLine.*.*.rtf.*" -or $_.message -match "CommandLine.*.*.pdf.*" -or $_.message -match "CommandLine.*.*.txt.*") -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*dir .*" -and $_.message -match "CommandLine.*.* /b .*" -and $_.message -match "CommandLine.*.* /s .*") -or ($_.message -match "OriginalFileName.*FINDSTR.EXE" -and $_.message -match "CommandLine.*.* /e .*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_c3_load_by_rundll32.ps1 b/Rules/SIGMA/process_creation/process_creation_c3_load_by_rundll32.ps1
new file mode 100644
index 00000000..23d1e693
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_c3_load_by_rundll32.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "CommandLine.*.*StartNodeRelay.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_c3_load_by_rundll32";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_c3_load_by_rundll32";
+ $detectedMessage = "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "CommandLine.*.*StartNodeRelay.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
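Review bot: Every `-match "CommandLine.*..."` test on the `$result` line of process_creation_automated_collection.ps1 also matches the `ParentCommandLine:` line of a Sysmon event 1 message, because `CommandLine` is a substring of that field name and `.*` stops at the newline between fields, so a parent whose own command line contains `dir /b /s` and a document token fires this rule for every child it starts. The extension tests are unescaped as well — `CommandLine.*.*.doc.*` matches `Documents`, `.txt` matches `txt` anywhere — so `dir /b /s C:\Users\x\Documents` is enough to alert, and `($_.ID -eq "1")` is evaluated twice. Anchoring the field, e.g. `$_.message -match "(?m)^CommandLine:.*\.docx"` (and `(?m)^Image:` wherever `Image.*` is meant to exclude ParentImage), removes both ambiguities; the same substring matching affects process_creation_discover_private_keys.ps1 (`.cer` matches `certutil`, `.key` matches `keyboard`), process_creation_c3_load_by_rundll32.ps1, process_creation_cobaltstrike_load_by_rundll32.ps1, process_creation_dotnet.ps1, process_creation_infdefaultinstall.ps1, process_creation_susp_7z.ps1, process_creation_susp_winzip.ps1 and process_susp_esentutl_params.ps1 in this commit.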
diff --git a/Rules/SIGMA/process_creation/process_creation_clip.ps1 b/Rules/SIGMA/process_creation/process_creation_clip.ps1
new file mode 100644
index 00000000..ea9f4816
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_clip.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "OriginalFileName.*clip.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_clip";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_clip";
+ $detectedMessage = "Adversaries may collect data stored in the clipboard from users copying information within or between applications. ";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "OriginalFileName.*clip.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_cobaltstrike_load_by_rundll32.ps1 b/Rules/SIGMA/process_creation/process_creation_cobaltstrike_load_by_rundll32.ps1
new file mode 100644
index 00000000..96f770ff
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_cobaltstrike_load_by_rundll32.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "CommandLine.*.*StartW.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_cobaltstrike_load_by_rundll32";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_cobaltstrike_load_by_rundll32";
+ $detectedMessage = "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "CommandLine.*.*StartW.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_discover_private_keys.ps1 b/Rules/SIGMA/process_creation/process_creation_discover_private_keys.ps1
new file mode 100644
index 00000000..72c34c3c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_discover_private_keys.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*dir .*" -or $_.message -match "CommandLine.*.*findstr .*") -and ($_.message -match "CommandLine.*.*.key.*" -or $_.message -match "CommandLine.*.*.pgp.*" -or $_.message -match "CommandLine.*.*.gpg.*" -or $_.message -match "CommandLine.*.*.ppk.*" -or $_.message -match "CommandLine.*.*.p12.*" -or $_.message -match "CommandLine.*.*.pem.*" -or $_.message -match "CommandLine.*.*.pfx.*" -or $_.message -match "CommandLine.*.*.cer.*" -or $_.message -match "CommandLine.*.*.p7b.*" -or $_.message -match "CommandLine.*.*.asc.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_discover_private_keys";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_discover_private_keys";
+ $detectedMessage = "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*dir .*" -or $_.message -match "CommandLine.*.*findstr .*") -and ($_.message -match "CommandLine.*.*.key.*" -or $_.message -match "CommandLine.*.*.pgp.*" -or $_.message -match "CommandLine.*.*.gpg.*" -or $_.message -match "CommandLine.*.*.ppk.*" -or $_.message -match "CommandLine.*.*.p12.*" -or $_.message -match "CommandLine.*.*.pem.*" -or $_.message -match "CommandLine.*.*.pfx.*" -or $_.message -match "CommandLine.*.*.cer.*" -or $_.message -match "CommandLine.*.*.p7b.*" -or $_.message -match "CommandLine.*.*.asc.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_dotnet.ps1 b/Rules/SIGMA/process_creation/process_creation_dotnet.ps1
new file mode 100644
index 00000000..42ce3327
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_dotnet.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*.dll" -or $_.message -match "CommandLine.*.*.csproj") -and ($_.message -match "Image.*.*\dotnet.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_dotnet";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_dotnet";
+ $detectedMessage = "dotnet.exe will execute any DLL and execute unsigned code";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*.dll" -or $_.message -match "CommandLine.*.*.csproj") -and ($_.message -match "Image.*.*\\dotnet.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_infdefaultinstall.ps1 b/Rules/SIGMA/process_creation/process_creation_infdefaultinstall.ps1
new file mode 100644
index 00000000..d5b36dd1
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_infdefaultinstall.ps1
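Review bot: `$_.message -match "Image.*.*\\dotnet.exe"` on the `$result` line of process_creation_dotnet.ps1 is satisfied by the `ParentImage:` line as readily as by the `Image:` line, so every child process that dotnet.exe spawns with a `.dll` or `.csproj` on its command line (an ordinary `dotnet build` or `dotnet run` tree) raises this alert as though dotnet.exe itself were the image. Anchor the field, `$_.message -match "(?m)^Image:.*\\dotnet\.exe"`, so only the executing image is tested; `CommandLine.*.*.dll` carries the same parent/child ambiguity and its unescaped `.` also accepts e.g. `xdll`. The same bare `Image.*` form is used for msdeploy.exe, protocolhandler.exe and SyncAppvPublishingServer.exe in the later rules of this commit, where a child of those binaries would likewise match.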
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*InfDefaultInstall.exe .*" -and $_.message -match "CommandLine.*.*.inf.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_infdefaultinstall";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_infdefaultinstall";
+ $detectedMessage = "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*InfDefaultInstall.exe .*" -and $_.message -match "CommandLine.*.*.inf.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_msdeploy.ps1 b/Rules/SIGMA/process_creation/process_creation_msdeploy.ps1
new file mode 100644
index 00000000..44231444
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_msdeploy.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*verb:sync.*" -and $_.message -match "CommandLine.*.*-source:RunCommand.*" -and $_.message -match "CommandLine.*.*-dest:runCommand.*" -and ($_.message -match "Image.*.*\msdeploy.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_msdeploy";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_msdeploy";
+ $detectedMessage = "Detects file execution using the msdeploy.exe lolbin";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*verb:sync.*" -and $_.message -match "CommandLine.*.*-source:RunCommand.*" -and $_.message -match "CommandLine.*.*-dest:runCommand.*" -and ($_.message -match "Image.*.*\msdeploy.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_protocolhandler_suspicious_file.ps1 b/Rules/SIGMA/process_creation/process_creation_protocolhandler_suspicious_file.ps1
new file mode 100644
index 00000000..d049c818
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_protocolhandler_suspicious_file.ps1
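Review bot: The code pattern `$_.message -match "Image.*.*\msdeploy.exe"` on the `$result` line keeps the single backslash of the reference query instead of doubling it as every other rule in this commit does; `\m` is not a recognised escape in a .NET regex, so evaluating the expression raises a regex parse error on every event rather than matching anything, and the rule can never detect msdeploy.exe use. Change it to `$_.message -match "Image.*.*\\msdeploy.exe"` (or `\\msdeploy\.exe` to also pin the dot).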
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\protocolhandler.exe" -and $_.message -match "CommandLine.*.*"ms-word.*" -and $_.message -match "CommandLine.*.*.docx".*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_protocolhandler_suspicious_file";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_protocolhandler_suspicious_file";
+ $detectedMessage = "Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\protocolhandler.exe" -and $_.message -match "CommandLine.*.*.ms-word.*" -and $_.message -match "CommandLine.*.*.docx.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_susp_7z.ps1 b/Rules/SIGMA/process_creation/process_creation_susp_7z.ps1
new file mode 100644
index 00000000..84072f50
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_susp_7z.ps1
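Review bot: `$detectedMessage` ("Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.") describes an emulation test procedure, not what this rule detects, and that text is what the analyst sees in the alert; a description in the sibling rules' style, such as `Detects protocolhandler.exe launched with an ms-word: URI referencing a .docx (Office protocol handler abuse)`, would say why the alert fired. The code pattern also replaced the `"` that the reference query places before `ms-word` with a `.` wildcard, which loosens the match rather than reproducing it; a literal quote can be written inside a double-quoted PowerShell string as backtick-quote, so the original token can be kept if the leading quote was intended.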
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*7z.exe.*" -or $_.message -match "CommandLine.*.*7za.exe.*") -and $_.message -match "CommandLine.*.* -p.*" -and ($_.message -match "CommandLine.*.* a .*" -or $_.message -match "CommandLine.*.* u .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_susp_7z";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_susp_7z";
+ $detectedMessage = "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*7z.exe.*" -or $_.message -match "CommandLine.*.*7za.exe.*") -and $_.message -match "CommandLine.*.* -p.*" -and ($_.message -match "CommandLine.*.* a .*" -or $_.message -match "CommandLine.*.* u .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_susp_recon.ps1 b/Rules/SIGMA/process_creation/process_creation_susp_recon.ps1
new file mode 100644
index 00000000..f0576761
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_susp_recon.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\tree.com" -or $_.message -match "Image.*.*\WMIC.exe" -or $_.message -match "Image.*.*\doskey.exe" -or $_.message -match "Image.*.*\sc.exe") -and $_.message -match "ParentCommandLine.*.* > %TEMP%\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_susp_recon";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_susp_recon";
+ $detectedMessage = "Once established within a system or network, an adversary may use automated techniques for collecting internal data.";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\tree.com" -or $_.message -match "Image.*.*\\WMIC.exe" -or $_.message -match "Image.*.*\\doskey.exe" -or $_.message -match "Image.*.*\\sc.exe") -and $_.message -match "ParentCommandLine.*.* > %TEMP%\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_susp_winzip.ps1 b/Rules/SIGMA/process_creation/process_creation_susp_winzip.ps1
new file mode 100644
index 00000000..66a586b2
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_susp_winzip.ps1
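Review bot: `$detectedMessage` is a verbatim copy of the text used by process_creation_automated_collection.ps1 ("Once established within a system or network, an adversary may use automated techniques for collecting internal data.") and says nothing about what this rule actually matches — tree.com, WMIC.exe, doskey.exe or sc.exe started by a parent whose command line redirects output into %TEMP%; a description like `Detects recon utilities (tree, wmic, doskey, sc) whose parent command line redirected output into %TEMP%` tells the analyst why the alert fired. The layout also deviates from every other rule in the commit: `if (!` with a space and `else {` on its own line where the siblings use `if(!` and `} else {`; one form should be used across the set.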
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*winzip.exe.*" -or $_.message -match "CommandLine.*.*winzip64.exe.*") -and ($_.message -match "CommandLine.*.*-s".*") -and ($_.message -match "CommandLine.*.* -min .*" -or $_.message -match "CommandLine.*.* -a .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_susp_winzip";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_susp_winzip";
+ $detectedMessage = "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*winzip.exe.*" -or $_.message -match "CommandLine.*.*winzip64.exe.*") -and ($_.message -match "CommandLine.*.*-s.*") -and ($_.message -match "CommandLine.*.* -min .*" -or $_.message -match "CommandLine.*.* -a .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.ps1 b/Rules/SIGMA/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.ps1
new file mode 100644
index 00000000..11e80aa7
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\SyncAppvPublishingServer.exe" -and $_.message -match "CommandLine.*.*"n; .*" -and $_.message -match "CommandLine.*.* Start-Process .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_syncappvpublishingserver_execute_arbitrary_powershell";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_syncappvpublishingserver_execute_arbitrary_powershell";
+ $detectedMessage = "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\SyncAppvPublishingServer.exe" -and $_.message -match "CommandLine.*.*n; .*" -and $_.message -match "CommandLine.*.* Start-Process .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.ps1 b/Rules/SIGMA/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.ps1
new file mode 100644
index 00000000..16b603b3
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.ps1
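Review bot: The code pattern `$_.message -match "CommandLine.*.*n; .*"` on the `$result` line drops the leading `"` that the reference query shows before `n; ` and substitutes `.*`, so the test now passes for any command line containing the three characters `n; ` (a `-Command "Write-Host done; Start-Process ..."` argument, for instance) instead of the quoted `"n;` token the original detection keyed on; the SyncAppvPublishingServer.exe image test keeps the rule narrow, but the pattern no longer expresses what the comment documents. A literal quote can be written inside a double-quoted PowerShell string as backtick-quote, so the reference token can be kept intact; the same substitution was made in process_creation_syncappvpublishingserver_vbs_execute_powershell.ps1 (`"n;` became `.*n;`).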
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\SyncAppvPublishingServer.vbs.*" -and $_.message -match "CommandLine.*.*"n;.*" -and $_.message -match "CommandLine.*.*Start-Process .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_creation_syncappvpublishingserver_vbs_execute_powershell";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_creation_syncappvpublishingserver_vbs_execute_powershell";
+ $detectedMessage = "Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\SyncAppvPublishingServer.vbs.*" -and $_.message -match "CommandLine.*.*n;.*" -and $_.message -match "CommandLine.*.*Start-Process .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_mailboxexport_share.ps1 b/Rules/SIGMA/process_creation/process_mailboxexport_share.ps1
new file mode 100644
index 00000000..57a35f97
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_mailboxexport_share.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*New-MailboxExport.*" -and $_.message -match "CommandLine.*.* -Mailbox .*" -and $_.message -match "CommandLine.*.* -FilePath \127.0.0.1\C$.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_mailboxexport_share";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_mailboxexport_share";
+ $detectedMessage = "Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*New-MailboxExport.*" -and $_.message -match "CommandLine.*.* -Mailbox .*" -and $_.message -match "CommandLine.*.* -FilePath \\127.0.0.1\\C$.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/process_susp_esentutl_params.ps1 b/Rules/SIGMA/process_creation/process_susp_esentutl_params.ps1
new file mode 100644
index 00000000..7bf7547c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/process_susp_esentutl_params.ps1
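Review bot: In `$_.message -match "CommandLine.*.* -FilePath \\127.0.0.1\\C$.*"` on the `$result` line the `$` survives PowerShell string interpolation (it is followed by `.`, not a variable name) and reaches the regex as the end-of-string anchor, so the pattern demands that `C` be the last character of the entire message; a Sysmon event 1 message carries further fields after CommandLine, so this rule can never match and the ProxyShell-style export to `\\127.0.0.1\C$` it is meant to catch goes unreported. Escape it for the regex — a single-quoted string avoids the interpolation question entirely: `$_.message -match 'CommandLine.*.* -FilePath \\127\.0\.0\.1\\C\$.*'` — and the escaped dots in the address stop `127x0x0x1` from matching too.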
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*esentutl.*" -and $_.message -match "CommandLine.*.* /p.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "process_susp_esentutl_params";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "process_susp_esentutl_params";
+ $detectedMessage = "Conti recommendation to its affiliates to use esentult to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*esentutl.*" -and $_.message -match "CommandLine.*.* /p.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_abusing_debug_privilege.ps1 b/Rules/SIGMA/process_creation/sysmon_abusing_debug_privilege.ps1
new file mode 100644
index 00000000..ae96a4e5
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_abusing_debug_privilege.ps1
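Review bot: `$detectedMessage` carries two typos that every alert will print verbatim — `esentult` for esentutl and `this utilities`; suggested text: `Conti recommended that its affiliates use esentutl to read a dumped NTDS file; Trickbot also uses the utility to obtain MS Edge data via its pwgrab module.`. The switch test `CommandLine.*.* /p.*` accepts any switch starting with `/p` (`/path`, `/port`) on either the CommandLine or the ParentCommandLine line, so expect noise; `$_.message -match "CommandLine.*.* /p\b"` pins the bare `/p` switch if that is the intent. The `$result = ...` statement also lacks the trailing `;` used by the sibling rules.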
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\winlogon.exe" -or $_.message -match "ParentImage.*.*\services.exe" -or $_.message -match "ParentImage.*.*\lsass.exe" -or $_.message -match "ParentImage.*.*\csrss.exe" -or $_.message -match "ParentImage.*.*\smss.exe" -or $_.message -match "ParentImage.*.*\wininit.exe" -or $_.message -match "ParentImage.*.*\spoolsv.exe" -or $_.message -match "ParentImage.*.*\searchindexer.exe") -and ($_.message -match "Image.*.*\powershell.exe" -or $_.message -match "Image.*.*\cmd.exe") -and $_.message -match "User.*NT AUTHORITY\SYSTEM") -and -not ($_.message -match "CommandLine.*.* route .*" -and $_.message -match "CommandLine.*.* ADD .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_abusing_debug_privilege";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_abusing_debug_privilege";
+ $detectedMessage = "Detection of unusual child processes by different system processes";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\winlogon.exe" -or $_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\lsass.exe" -or $_.message -match "ParentImage.*.*\\csrss.exe" -or $_.message -match "ParentImage.*.*\\smss.exe" -or $_.message -match "ParentImage.*.*\\wininit.exe" -or $_.message -match "ParentImage.*.*\\spoolsv.exe" -or $_.message -match "ParentImage.*.*\\searchindexer.exe") -and ($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\cmd.exe") -and $_.message -match "User.*NT AUTHORITY\\SYSTEM") -and -not ($_.message -match "CommandLine.*.* route .*" -and $_.message -match "CommandLine.*.* ADD .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_accesschk_usage_after_priv_escalation.ps1 b/Rules/SIGMA/process_creation/sysmon_accesschk_usage_after_priv_escalation.ps1
new file mode 100644
index 00000000..1683c6b7
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_accesschk_usage_after_priv_escalation.ps1
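Review bot: `$_.message -match "User.*NT AUTHORITY\\SYSTEM"` is not tied to the `User:` field, so on Sysmon builds whose event 1 message also carries a `ParentUser:` line it is satisfied whenever only the parent runs as SYSTEM, which would flag a cmd/powershell spawned under a different account and is presumably not what "unusual child processes by different system processes" means. The `Image.*.*\\cmd.exe` pattern floats in the same way and also matches inside `ParentImage:`; here the parent list makes that harmless, but anchoring field names to the start of a line removes the ambiguity in both places, e.g. `$_.message -match '(?m)^User:\s*NT AUTHORITY\\SYSTEM'` and `'(?m)^Image:.*\\cmd\.exe'`.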
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "1") -and ($_.message -match "Product.*.*AccessChk" -or $_.message -match "Description.*.*Reports effective permissions.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_accesschk_usage_after_priv_escalation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_accesschk_usage_after_priv_escalation";
+ $detectedMessage = "Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process succesfull or not ";
+ $result = $event | where {($_.ID -eq "1" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "1") -and ($_.message -match "Product.*.*AccessChk" -or $_.message -match "Description.*.*Reports effective permissions.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.ps1 b/Rules/SIGMA/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.ps1
new file mode 100644
index 00000000..73ed994c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.ps1
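Review bot: The filter tests `($_.ID -eq "1")` twice in the same `-and` chain, and `$detectedMessage` has spelling mistakes (`SysInternal`, `succesfull`, `being used by attacker`) that go straight into the alert text. Drop the second ID check and tighten the message to something like `$detectedMessage = "Detects Sysinternals AccessChk (matched by Product or Description) running at Medium integrity; attackers use it to verify whether a privilege-escalation attempt succeeded";`. The `Write-Output $result;` and `Write-Output "";` lines are also flush-left, unlike every sibling rule file.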
@@ -0,0 +1,30 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\cmd.exe" -or $_.message -match "Image.*.*\powershell.exe") -and $_.message -match "ParentImage.*.*\Windows\Installer\.*" -and $_.message -match "ParentImage.*.*msi.*" -and ($_.message -match "ParentImage.*.*tmp")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_always_install_elevated_msi_spawned_cmd_and_powershell";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_always_install_elevated_msi_spawned_cmd_and_powershell";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe") -and $_.message -match "ParentImage.*.*\\Windows\\Installer\\.*" -and $_.message -match "ParentImage.*.*msi.*" -and ($_.message -match "ParentImage.*.*tmp")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_always_install_elevated_windows_installer.ps1 b/Rules/SIGMA/process_creation/sysmon_always_install_elevated_windows_installer.ps1
new file mode 100644
index 00000000..5e2a96dd
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_always_install_elevated_windows_installer.ps1
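Review bot: `Write-Output $detectedMessage` reads a variable that is never assigned in this file, unlike every other rule in the set, so the alert prints an empty line where its description should be (or fails outright if the host enables `Set-StrictMode`). Add it next to the inner `$ruleName`, e.g. `$detectedMessage = "Detects cmd.exe or powershell.exe spawned by a Windows Installer temporary binary (\Windows\Installer\*msi*.tmp), a pattern associated with AlwaysInstallElevated abuse";`. The comment on the first line and the `where` filter agree on the logic, so only the message is missing.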
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\SYSTEM" -and (($_.message -match "Image.*.*\Windows\Installer\.*" -and $_.message -match "Image.*.*msi.*" -and ($_.message -match "Image.*.*tmp")) -or (($_.message -match "Image.*.*\msiexec.exe") -and $_.message -match "IntegrityLevel.*System"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_always_install_elevated_windows_installer";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_always_install_elevated_windows_installer";
+ $detectedMessage = "This rule will looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege ";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and (($_.message -match "Image.*.*\\Windows\\Installer\\.*" -and $_.message -match "Image.*.*msi.*" -and ($_.message -match "Image.*.*tmp")) -or (($_.message -match "Image.*.*\\msiexec.exe") -and $_.message -match "IntegrityLevel.*System"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_apt_muddywater_dnstunnel.ps1 b/Rules/SIGMA/process_creation/sysmon_apt_muddywater_dnstunnel.ps1
new file mode 100644
index 00000000..028b6f7c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_apt_muddywater_dnstunnel.ps1
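Review bot: The second branch, `Image.*.*\\msiexec.exe` combined with `IntegrityLevel.*System` and `User.*NT AUTHORITY\\SYSTEM`, also describes the Windows Installer service process itself, which normally runs as SYSTEM (typically as `msiexec.exe /V`), so as written the rule is likely to fire on every routine MSI installation rather than only on AlwaysInstallElevated abuse. If that is what the test data shows, add an exclusion for the service instance, e.g. `-and -not ($_.message -match '(?m)^CommandLine:.*\\msiexec\.exe /V\s*$')`, or state the expected noise in `$detectedMessage`. The message text `This rule will looks for` also needs fixing to `This rule looks for`.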
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\powershell.exe") -and ($_.message -match "ParentImage.*.*\excel.exe") -and ($_.message -match "CommandLine.*.*DataExchange.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_apt_muddywater_dnstunnel";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_apt_muddywater_dnstunnel";
+ $detectedMessage = "Detecting DNS tunnel activity for Muddywater actor";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powershell.exe") -and ($_.message -match "ParentImage.*.*\\excel.exe") -and ($_.message -match "CommandLine.*.*DataExchange.dll.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_apt_sourgrum.ps1 b/Rules/SIGMA/process_creation/sysmon_apt_sourgrum.ps1
new file mode 100644
index 00000000..dff33631
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_apt_sourgrum.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*windows\system32\Physmem.sys.*" -or ($_.message -match "Image.*.*Windows\system32\ime\SHARED\WimBootConfigurations.ini.*" -or $_.message -match "Image.*.*Windows\system32\ime\IMEJP\WimBootConfigurations.ini.*" -or $_.message -match "Image.*.*Windows\system32\ime\IMETC\WimBootConfigurations.ini.*")) -or ($_.ID -eq "1" -and ($_.message -match "Image.*.*windows\system32\filepath2.*" -or $_.message -match "Image.*.*windows\system32\ime.*") -and ($_.message -match "CommandLine.*.*reg add.*") -and ($_.message -match "CommandLine.*.*HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32.*" -or $_.message -match "CommandLine.*.*HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_apt_sourgrum";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_apt_sourgrum";
+ $detectedMessage = "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*windows\\system32\\Physmem.sys.*" -or ($_.message -match "Image.*.*Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini.*" -or $_.message -match "Image.*.*Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini.*" -or $_.message -match "Image.*.*Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini.*")) -or ($_.ID -eq "1" -and ($_.message -match "Image.*.*windows\\system32\\filepath2.*" -or $_.message -match "Image.*.*windows\\system32\\ime.*") -and ($_.message -match "CommandLine.*.*reg add.*") -and ($_.message -match "CommandLine.*.*HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{7c857801-7381-11cf-884d-00aa004b2e24}\\inprocserver32.*" -or $_.message -match "CommandLine.*.*HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\inprocserver32.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_cmstp_execution_by_creation.ps1 b/Rules/SIGMA/process_creation/sysmon_cmstp_execution_by_creation.ps1
new file mode 100644
index 00000000..6557805b
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_cmstp_execution_by_creation.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\cmstp.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_cmstp_execution_by_creation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_cmstp_execution_by_creation";
+ $detectedMessage = "Detects various indicators of Microsoft Connection Manager Profile Installer execution";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\cmstp.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
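Review bot: The first branch matches `Physmem.sys` and the three `WimBootConfigurations.ini` paths against `Image`, but in a Sysmon event 1 `Image` is the executable that was started; a driver or .ini file would surface as `TargetFilename` in a file-create event (ID 11) or in the driver-load event, so that branch is unlikely ever to match and in practice the rule reduces to the `reg add ... inprocserver32` branch. Either key those indicators on ID 11/TargetFilename or say in `$detectedMessage` that only the COM-hijack branch is expected to fire. `windows\\system32\\filepath2` also reads like a placeholder carried over from the upstream query rather than a real path and is worth confirming before this ships.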
diff --git a/Rules/SIGMA/process_creation/sysmon_creation_mavinject_dll.ps1 b/Rules/SIGMA/process_creation/sysmon_creation_mavinject_dll.ps1
new file mode 100644
index 00000000..a38a6539
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_creation_mavinject_dll.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /INJECTRUNNING.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "OriginalFileName.*.*mavinject.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_creation_mavinject_dll";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_creation_mavinject_dll";
+ $detectedMessage = "Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /INJECTRUNNING.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "OriginalFileName.*.*mavinject.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_cve_2021_26857_msexchange.ps1 b/Rules/SIGMA/process_creation/sysmon_cve_2021_26857_msexchange.ps1
new file mode 100644
index 00000000..43767546
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_cve_2021_26857_msexchange.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*UMWorkerProcess.exe" -and -not (($_.message -match "Image.*.*wermgr.exe" -or $_.message -match "Image.*.*WerFault.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_cve_2021_26857_msexchange";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_cve_2021_26857_msexchange";
+ $detectedMessage = "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for |";
+ $result = $event | where { (($_.ID -eq "1") -and $_.message -match "ParentImage.*.*UMWorkerProcess.exe" -and -not (($_.message -match "Image.*.*wermgr.exe" -or $_.message -match "Image.*.*WerFault.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_expand_cabinet_files.ps1 b/Rules/SIGMA/process_creation/sysmon_expand_cabinet_files.ps1
new file mode 100644
index 00000000..f2c3f99e
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_expand_cabinet_files.ps1
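Review bot: `$detectedMessage` ends in a dangling `|`, which looks like the YAML block-scalar indicator copied over from the Sigma source, so the alert text reads `...by looking for |`. Complete it from what the filter actually does: `$detectedMessage = "Detects possible exploitation of CVE-2021-26857 by looking for abnormal child processes of the Exchange Unified Messaging worker (UMWorkerProcess.exe), excluding the WER crash handlers wermgr.exe and WerFault.exe";`.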
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\expand.exe") -and ($_.message -match "CommandLine.*.*.cab.*" -or $_.message -match "CommandLine.*.*/F:.*" -or $_.message -match "CommandLine.*.*C:\ProgramData\.*" -or $_.message -match "CommandLine.*.*C:\Public\.*" -or $_.message -match "CommandLine.*.*\AppData\Local\Temp\.*" -or $_.message -match "CommandLine.*.*\AppData\Roaming\Temp\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_expand_cabinet_files";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_expand_cabinet_files";
+ $detectedMessage = "Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\expand.exe") -and ($_.message -match "CommandLine.*.*.cab.*" -or $_.message -match "CommandLine.*.*/F:.*" -or $_.message -match "CommandLine.*.*C:\\ProgramData\\.*" -or $_.message -match "CommandLine.*.*C:\\Public\\.*" -or $_.message -match "CommandLine.*.*\\AppData\\Local\\Temp\\.*" -or $_.message -match "CommandLine.*.*\\AppData\\Roaming\\Temp\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_hack_wce.ps1 b/Rules/SIGMA/process_creation/sysmon_hack_wce.ps1
new file mode 100644
index 00000000..b62ad6a6
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_hack_wce.ps1
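Review bot: `"CommandLine.*.*.cab.*"` uses an unescaped dot, so it matches any command line containing `cab` after at least one character (a path containing `vocab` or `Cabinet` would do), and because it is OR-ed with the path patterns a single such hit on an expand.exe launch is enough to alert. Escape it, `$_.message -match 'CommandLine.*\.cab'`, and consider doing the same for `\\expand.exe` if the literal extension is intended.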
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1") -and (($_.message -match "a53a02b997935fd8eedcb5f7abab9b9f" -or $_.message -match "e96a73c7bf33a464c510ede582318bf2") -or ($_.message -match "CommandLine.*.*.exe -S" -and $_.message -match "ParentImage.*.*\services.exe"))) -and -not ($_.message -match "Image.*.*\clussvc.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_hack_wce";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_hack_wce";
+ $detectedMessage = "Detects the use of Windows Credential Editor (WCE)";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.ID -eq "1") -and (($_.message -match "a53a02b997935fd8eedcb5f7abab9b9f" -or $_.message -match "e96a73c7bf33a464c510ede582318bf2") -or ($_.message -match "CommandLine.*.*.exe -S" -and $_.message -match "ParentImage.*.*\\services.exe"))) -and -not ($_.message -match "Image.*.*\\clussvc.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_high_integrity_sdclt.ps1 b/Rules/SIGMA/process_creation/sysmon_high_integrity_sdclt.ps1
new file mode 100644
index 00000000..dd088afc
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_high_integrity_sdclt.ps1
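Review bot: `"CommandLine.*.*.exe -S"` matches anywhere in the line, and `-match` is case-insensitive, so any binary started by services.exe with an argument beginning `-s`/`-S` (e.g. `foo.exe -ServiceName`) satisfies the second branch; the upstream Sigma rule, if I remember it right, uses an endswith match, which is what keeps it specific. Anchor it to the end of the CommandLine field, `$_.message -match '(?m)^CommandLine:.*\.exe -S\s*$'`, and use `-cmatch` if the uppercase switch is significant. The two bare 32-hex patterns only work when the Hashes field includes the relevant hash type (they look like imphash values), so note that dependency in `$detectedMessage`.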
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*sdclt.exe" -and $_.message -match "IntegrityLevel.*High") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_high_integrity_sdclt";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_high_integrity_sdclt";
+ $detectedMessage = "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*sdclt.exe" -and $_.message -match "IntegrityLevel.*High") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.ps1 b/Rules/SIGMA/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.ps1
new file mode 100644
index 00000000..51992a6e
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.ps1
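Review bot: `Image.*.*sdclt.exe` is not anchored to the field name, so it also matches the `ParentImage: ...\sdclt.exe` line; together with `IntegrityLevel.*High` the rule then fires for any High-integrity child of sdclt.exe, which duplicates `sysmon_sdclt_child_process` instead of detecting sdclt.exe itself being started elevated. Anchor both fields, `$_.message -match '(?m)^Image:.*\\sdclt\.exe'` and `$_.message -match '(?m)^IntegrityLevel:\s*High'`.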
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\userinit.exe" -and -not ($_.message -match "Image.*.*\explorer.exe")) -and -not (($_.message -match "CommandLine.*.*netlogon.bat.*" -or $_.message -match "CommandLine.*.*UsrLogon.cmd.*"))) -or $_.message -match "CommandLine.*.*UserInitMprLogonScript.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_logon_scripts_userinitmprlogonscript_proc";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_logon_scripts_userinitmprlogonscript_proc";
+ $detectedMessage = "Detects creation or execution of UserInitMprLogonScript persistence method";
+ $result = $event | where { (($_.ID -eq "1") -and ((($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\userinit.exe" -and -not ($_.message -match "Image.*.*\\explorer.exe")) -and -not (($_.message -match "CommandLine.*.*netlogon.bat.*" -or $_.message -match "CommandLine.*.*UsrLogon.cmd.*"))) -or $_.message -match "CommandLine.*.*UserInitMprLogonScript.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_netcat_execution.ps1 b/Rules/SIGMA/process_creation/sysmon_netcat_execution.ps1
new file mode 100644
index 00000000..7ba481ff
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_netcat_execution.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\ncat.exe") -or ($_.message -match "CommandLine.*.* -lvp .*" -or $_.message -match "CommandLine.*.* -l --proxy-type http .*" -or $_.message -match "CommandLine.*.* --exec cmd.exe .*" -or $_.message -match "CommandLine.*.* -vnl --exec .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_netcat_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_netcat_execution";
+ $detectedMessage = "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\ncat.exe") -or ($_.message -match "CommandLine.*.* -lvp .*" -or $_.message -match "CommandLine.*.* -l --proxy-type http .*" -or $_.message -match "CommandLine.*.* --exec cmd.exe .*" -or $_.message -match "CommandLine.*.* -vnl --exec .*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_proxy_execution_wuauclt.ps1 b/Rules/SIGMA/process_creation/sysmon_proxy_execution_wuauclt.ps1
new file mode 100644
index 00000000..528695d7
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_proxy_execution_wuauclt.ps1
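Review bot: `$detectedMessage` restates the ATT&CK technique (non-application-layer C2) rather than what this filter keys on, so an analyst gets no hint that the alert is about ncat.exe or netcat-style listener/exec switches. Suggest `$detectedMessage = "Detects netcat/ncat execution: ncat.exe image, or command lines with listener/exec switches (-lvp, -l --proxy-type http, --exec cmd.exe, -vnl --exec)";`. It is also worth saying in the message that `Image.*.*\\ncat.exe` only catches the unrenamed binary and the switch branch is what covers renamed copies.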
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*wuauclt.*" -or $_.message -match "OriginalFileName.*wuauclt.exe") -and ($_.message -match "CommandLine.*.*UpdateDeploymentProvider.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "CommandLine.*.*RunHandlerComServer.*")) -and -not (($_.message -match "CommandLine.*.* /UpdateDeploymentProvider UpdateDeploymentProvider.dll .*" -or $_.message -match "CommandLine.*.* wuaueng.dll .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_proxy_execution_wuauclt";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_proxy_execution_wuauclt";
+ $detectedMessage = "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*wuauclt.*" -or $_.message -match "OriginalFileName.*wuauclt.exe") -and ($_.message -match "CommandLine.*.*UpdateDeploymentProvider.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "CommandLine.*.*RunHandlerComServer.*")) -and -not (($_.message -match "CommandLine.*.* /UpdateDeploymentProvider UpdateDeploymentProvider.dll .*" -or $_.message -match "CommandLine.*.* wuaueng.dll .*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_rclone_execution.ps1 b/Rules/SIGMA/process_creation/sysmon_rclone_execution.ps1
new file mode 100644
index 00000000..df65eba4
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_rclone_execution.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Description.*Rsync for cloud storage" -or ($_.message -match "CommandLine.*.*--config .*" -and $_.message -match "CommandLine.*.*--no-check-certificate .*" -and $_.message -match "CommandLine.*.* copy .*") -or (($_.message -match "Image.*.*\rclone.exe") -and ($_.message -match "CommandLine.*.*mega.*" -or $_.message -match "CommandLine.*.*pcloud.*" -or $_.message -match "CommandLine.*.*ftp.*" -or $_.message -match "CommandLine.*.*--progress.*" -or $_.message -match "CommandLine.*.*--ignore-existing.*" -or $_.message -match "CommandLine.*.*--auto-confirm.*" -or $_.message -match "CommandLine.*.*--transfers.*" -or $_.message -match "CommandLine.*.*--multi-thread-streams.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_rclone_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_rclone_execution";
+ $detectedMessage = "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Description.*Rsync for cloud storage" -or ($_.message -match "CommandLine.*.*--config .*" -and $_.message -match "CommandLine.*.*--no-check-certificate .*" -and $_.message -match "CommandLine.*.* copy .*") -or (($_.message -match "Image.*.*\\rclone.exe") -and ($_.message -match "CommandLine.*.*mega.*" -or $_.message -match "CommandLine.*.*pcloud.*" -or $_.message -match "CommandLine.*.*ftp.*" -or $_.message -match "CommandLine.*.*--progress.*" -or $_.message -match "CommandLine.*.*--ignore-existing.*" -or $_.message -match "CommandLine.*.*--auto-confirm.*" -or $_.message -match "CommandLine.*.*--transfers.*" -or $_.message -match "CommandLine.*.*--multi-thread-streams.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_remove_windows_defender_definition_files.ps1 b/Rules/SIGMA/process_creation/sysmon_remove_windows_defender_definition_files.ps1
new file mode 100644
index 00000000..6b586c40
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_remove_windows_defender_definition_files.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "OriginalFileName.*MpCmdRun.exe" -and $_.message -match "CommandLine.*.* -RemoveDefinitions.*" -and $_.message -match "CommandLine.*.* -All.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_remove_windows_defender_definition_files";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_remove_windows_defender_definition_files";
+ $detectedMessage = "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "OriginalFileName.*MpCmdRun.exe" -and $_.message -match "CommandLine.*.* -RemoveDefinitions.*" -and $_.message -match "CommandLine.*.* -All.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/sysmon_sdclt_child_process.ps1 b/Rules/SIGMA/process_creation/sysmon_sdclt_child_process.ps1
new file mode 100644
index 00000000..acc4775c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/sysmon_sdclt_child_process.ps1
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\sdclt.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_sdclt_child_process"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_sdclt_child_process"; + $detectedMessage = "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\sdclt.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/sysmon_susp_plink_remote_forward.ps1 b/Rules/SIGMA/process_creation/sysmon_susp_plink_remote_forward.ps1 new file mode 100644 index 00000000..05a82f58 --- /dev/null +++ b/Rules/SIGMA/process_creation/sysmon_susp_plink_remote_forward.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Description.*Command-line SSH, Telnet, and Rlogin client" -and $_.message -match "CommandLine.*.* -R .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_plink_remote_forward"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_plink_remote_forward"; + $detectedMessage = "Detects suspicious Plink tunnel remote forarding to a local port"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Description.*Command-line SSH, Telnet, and Rlogin client" -and $_.message -match "CommandLine.*.* -R .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/sysmon_susp_service_modification.ps1 b/Rules/SIGMA/process_creation/sysmon_susp_service_modification.ps1 new file mode 100644 index 00000000..13cddfca --- /dev/null +++ b/Rules/SIGMA/process_creation/sysmon_susp_service_modification.ps1 
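Review bot: `$detectedMessage` has a typo in analyst-facing text ("forarding"); since this string is written to the output next to the matched events it should read `$detectedMessage = "Detects suspicious Plink tunnel remote forwarding to a local port";`. The `"Description.*Command-line SSH, Telnet, and Rlogin client"` clause depends on the Sysmon Description field being populated from the binary's version resource, which a renamed or stripped binary will not carry; that is inherited from the upstream rule, but worth a comment so nobody later "fixes" it by dropping the second clause.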
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Stop-Service .*" -or $_.message -match "CommandLine.*.*Remove-Service .*") -and ($_.message -match "CommandLine.*.* McAfeeDLPAgentService.*" -or $_.message -match "CommandLine.*.* Trend Micro Deep Security Manager.*" -or $_.message -match "CommandLine.*.* TMBMServer.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_service_modification"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_service_modification"; + $detectedMessage = "Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Stop-Service .*" -or $_.message -match "CommandLine.*.*Remove-Service .*") -and ($_.message -match "CommandLine.*.* McAfeeDLPAgentService.*" -or $_.message -match "CommandLine.*.* Trend Micro Deep Security Manager.*" -or $_.message -match "CommandLine.*.* TMBMServer.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/sysmon_susp_webdav_client_execution.ps1 b/Rules/SIGMA/process_creation/sysmon_susp_webdav_client_execution.ps1 new file mode 100644 index 00000000..e9bcf80c --- /dev/null +++ b/Rules/SIGMA/process_creation/sysmon_susp_webdav_client_execution.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\rundll32.exe" -and $_.message -match "CommandLine.*.*C:\windows\system32\davclnt.dll,DavSetCookie.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_webdav_client_execution"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_webdav_client_execution"; + $detectedMessage = "A General detection for svchost.exe spawning rundll32.exe with command arguments like C:windowssystem32davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server)."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*C:\\windows\\system32\\davclnt.dll,DavSetCookie.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/sysmon_uninstall_crowdstrike_falcon.ps1 b/Rules/SIGMA/process_creation/sysmon_uninstall_crowdstrike_falcon.ps1 new file mode 100644 index 00000000..c4ac8e42 --- /dev/null +++ b/Rules/SIGMA/process_creation/sysmon_uninstall_crowdstrike_falcon.ps1 
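Review bot: `$detectedMessage` prints the path as "C:windowssystem32davclnt.dll" — the backslashes were lost somewhere before this file was generated, while the regex on the next line still has them. PowerShell does not treat `\` as an escape inside double-quoted strings, so the message can simply be written with the real path: `...command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be...`. The message also speaks of "svchost.exe spawning rundll32.exe" but the filter checks only `Image` and `CommandLine`, not `ParentImage`; if the source rule has a parent-process condition it was dropped in conversion, otherwise the wording overstates what the rule verifies.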
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\WindowsSensor.exe.*" -and $_.message -match "CommandLine.*.* /uninstall.*" -and $_.message -match "CommandLine.*.* /quiet.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_uninstall_crowdstrike_falcon"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_uninstall_crowdstrike_falcon"; + $detectedMessage = "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\WindowsSensor.exe.*" -and $_.message -match "CommandLine.*.* /uninstall.*" -and $_.message -match "CommandLine.*.* /quiet.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_CL_Invocation_LOLScript.ps1 b/Rules/SIGMA/process_creation/win_CL_Invocation_LOLScript.ps1 new file mode 100644 index 00000000..0f822c65 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_CL_Invocation_LOLScript.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*CL_Invocation.ps1.*" -and $_.message -match "CommandLine.*.*SyncInvoke.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_CL_Invocation_LOLScript"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_CL_Invocation_LOLScript"; + $detectedMessage = "Detects Execution via SyncInvoke in CL_Invocation.ps1 module"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*CL_Invocation.ps1.*" -and $_.message -match "CommandLine.*.*SyncInvoke.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_CL_Mutexverifiers_LOLScript.ps1 b/Rules/SIGMA/process_creation/win_CL_Mutexverifiers_LOLScript.ps1 new file mode 100644 index 00000000..e9f74b78 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_CL_Mutexverifiers_LOLScript.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*CL_Mutexverifiers.ps1.*" -and $_.message -match "CommandLine.*.*runAfterCancelProcess.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_CL_Mutexverifiers_LOLScript"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_CL_Mutexverifiers_LOLScript"; + $detectedMessage = "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*CL_Mutexverifiers.ps1.*" -and $_.message -match "CommandLine.*.*runAfterCancelProcess.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_ad_find_discovery.ps1 b/Rules/SIGMA/process_creation/win_ad_find_discovery.ps1 new file mode 100644 index 00000000..69437df3 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_ad_find_discovery.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*domainlist.*" -or $_.message -match "CommandLine.*.*trustdmp.*" -or $_.message -match "CommandLine.*.*dcmodes.*" -or $_.message -match "CommandLine.*.*adinfo.*" -or $_.message -match "CommandLine.*.* dclist .*" -or $_.message -match "CommandLine.*.*computer_pwdnotreqd.*" -or $_.message -match "CommandLine.*.*objectcategory=.*" -or $_.message -match "CommandLine.*.*-subnets -f.*" -or $_.message -match "CommandLine.*.*name="Domain Admins".*" -or $_.message -match "CommandLine.*.*-sc u:.*" -or $_.message -match "CommandLine.*.*domainncs.*" -or $_.message -match "CommandLine.*.*dompol.*" -or $_.message -match "CommandLine.*.* oudmp .*" -or $_.message -match "CommandLine.*.*subnetdmp.*" -or $_.message -match "CommandLine.*.*gpodmp.*" -or $_.message -match "CommandLine.*.*fspdmp.*" -or $_.message -match "CommandLine.*.*users_noexpire.*" -or $_.message -match "CommandLine.*.*computers_active.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_ad_find_discovery"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_ad_find_discovery"; + $detectedMessage = "AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain."; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*domainlist.*" -or $_.message -match "CommandLine.*.*trustdmp.*" -or $_.message -match "CommandLine.*.*dcmodes.*" -or $_.message -match "CommandLine.*.*adinfo.*" -or $_.message -match "CommandLine.*.* dclist .*" -or $_.message -match "CommandLine.*.*computer_pwdnotreqd.*" -or $_.message -match "CommandLine.*.*objectcategory=.*" -or $_.message -match "CommandLine.*.*-subnets -f.*" -or $_.message -match "CommandLine.*.*name=""Domain Admins"".*" -or $_.message -match "CommandLine.*.*-sc u:.*" -or $_.message -match "CommandLine.*.*domainncs.*" -or $_.message -match "CommandLine.*.*dompol.*" -or $_.message -match "CommandLine.*.* oudmp .*" -or $_.message -match "CommandLine.*.*subnetdmp.*" -or $_.message -match "CommandLine.*.*gpodmp.*" -or $_.message -match "CommandLine.*.*fspdmp.*" -or $_.message -match "CommandLine.*.*users_noexpire.*" -or $_.message -match "CommandLine.*.*computers_active.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_advanced_ip_scanner.ps1 b/Rules/SIGMA/process_creation/win_advanced_ip_scanner.ps1 new file mode 100644 index 00000000..66ab81fc --- /dev/null +++ b/Rules/SIGMA/process_creation/win_advanced_ip_scanner.ps1 
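Review bot: Several of the OR'd clauses in the `$result` filter are bare substrings that match far more than AdFind invocations — `"CommandLine.*.*adinfo.*"` also hits a command line containing `loadinfo`, and `"CommandLine.*.*objectcategory=.*"` matches any LDAP-style query from legitimate tooling — and nothing in the filter ties the match to the AdFind image itself. Word boundaries would remove the cheapest false positives (`"CommandLine.*\badinfo\b"`, `"CommandLine.*\bdompol\b"`); whether an `Image`/`OriginalFileName` check belongs here depends on the upstream rule, which I cannot see. The `$detectedMessage` string appears to break across a line in this rendering ("...breaches. " / "It is used to..."), so confirm the file contains the intended single sentence rather than an accidental embedded newline. This file also uses `if(!` with a cuddled `} else {` while the other new files use `if (!` and an uncuddled `else`; one formatter pass over the directory would make the generated files uniform.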
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\advanced_ip_scanner.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\Advanced IP Scanner 2.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_advanced_ip_scanner"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_advanced_ip_scanner"; + $detectedMessage = "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups."; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\advanced_ip_scanner.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\Advanced IP Scanner 2.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_apt_apt29_thinktanks.ps1 b/Rules/SIGMA/process_creation/win_apt_apt29_thinktanks.ps1 new file mode 100644 index 00000000..0e1d6bec --- /dev/null +++ b/Rules/SIGMA/process_creation/win_apt_apt29_thinktanks.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*-noni.*" -and $_.message -match "CommandLine.*.*-ep.*" -and $_.message -match "CommandLine.*.*bypass.*" -and $_.message -match "CommandLine.*.*$.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_apt_apt29_thinktanks"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_apt_apt29_thinktanks"; + $detectedMessage = "This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*-noni.*" -and $_.message -match "CommandLine.*.*-ep.*" -and $_.message -match "CommandLine.*.*bypass.*" -and $_.message -match "CommandLine.*.*$.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_apt_babyshark.ps1 b/Rules/SIGMA/process_creation/win_apt_babyshark.ps1 new file mode 100644 index 00000000..1f9c863e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_apt_babyshark.ps1 
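Review bot: `$_.message -match "CommandLine.*.*$.*"` does not test for a literal dollar sign: PowerShell leaves `$.` uninterpolated, so the regex engine receives `$` as the end-of-input anchor. With the multi-line Message that Get-WinEvent returns for Sysmon event 1, `.*` cannot cross the newline after the CommandLine line, so this clause is expected to fail and the rule never fires; if the Message were single-line it would instead always succeed — either way it is not the check the rule describes. Escape it for the regex, `$_.message -match "CommandLine.*\$.*"`, or use a single-quoted pattern such as `'CommandLine.*\$'`. The same `-noni`/`-ep`/`bypass` substrings are unanchored as well, but that matches the upstream rule's intent.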
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"" -or $_.message -match "CommandLine.*powershell.exe mshta.exe http.*" -or $_.message -match "cmd.exe /c taskkill /im cmd.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_apt_babyshark"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_apt_babyshark"; + $detectedMessage = "Detects activity that could be related to Baby Shark malware"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "reg query ""HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default""" -or $_.message -match "CommandLine.*powershell.exe mshta.exe http.*" -or $_.message -match "cmd.exe /c taskkill /im cmd.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_apt_bear_activity_gtr19.ps1 b/Rules/SIGMA/process_creation/win_apt_bear_activity_gtr19.ps1 new file mode 100644 index 00000000..69e79044 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_apt_bear_activity_gtr19.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\xcopy.exe" -and $_.message -match "CommandLine.*.*/S.*" -and $_.message -match "CommandLine.*.*/E.*" -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*/Q.*" -and $_.message -match "CommandLine.*.*/H.*" -and $_.message -match "CommandLine.*.*\.*") -or ($_.message -match "Image.*.*\adexplorer.exe" -and $_.message -match "CommandLine.*.*-snapshot.*" -and $_.message -match "CommandLine.*.*"".*" -and $_.message -match "CommandLine.*.*c:\users\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_apt_bear_activity_gtr19"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_apt_bear_activity_gtr19"; + $detectedMessage = "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\xcopy.exe" -and $_.message -match "CommandLine.*.*/S.*" -and $_.message -match "CommandLine.*.*/E.*" -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*/Q.*" -and $_.message -match "CommandLine.*.*/H.*" -and $_.message -match "CommandLine.*.*\\.*") -or ($_.message -match "Image.*.*\\adexplorer.exe" -and $_.message -match "CommandLine.*.*-snapshot.*" -and $_.message -match "CommandLine.*.*"".*" -and $_.message -match "CommandLine.*.*c:\\users\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_apt_bluemashroom.ps1 b/Rules/SIGMA/process_creation/win_apt_bluemashroom.ps1 new file mode 100644 index 00000000..215d4679 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_apt_bluemashroom.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\AppData\Local\.*" -and ($_.message -match "CommandLine.*.*\regsvr32.*" -or $_.message -match "CommandLine.*.*,DllEntry.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_apt_bluemashroom"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_apt_bluemashroom"; + $detectedMessage = "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\AppData\\Local\\.*" -and ($_.message -match "CommandLine.*.*\\regsvr32.*" -or $_.message -match "CommandLine.*.*,DllEntry.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_apt_chafer_mar18.ps1 b/Rules/SIGMA/process_creation/win_apt_chafer_mar18.ps1 new file mode 100644 index 00000000..6f36b1ab --- /dev/null +++ b/Rules/SIGMA/process_creation/win_apt_chafer_mar18.ps1 
@@ -0,0 +1,47 @@ +# Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and ($_.message -match "SC Scheduled Scan" -or $_.message -match "UpdatMachine")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Security | where {($_.ID -eq "4698" -and ($_.message -match "SC Scheduled Scan" -or $_.message -match "UpdatMachine")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" -or $_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\Service.exe.*" -and ($_.message -match "CommandLine.*.*i" -or $_.message -match "CommandLine.*.*u")) -or ($_.message -match "CommandLine.*.*\\microsoft\\Taskbar\\autoit3.exe" -or $_.message -match "CommandLine.*C:\\wsc.exe.*") -or ($_.message -match "Image.*.*\\Windows\\Temp\\DB\\.*" -and $_.message -match "Image.*.*.exe") -or ($_.message -match "CommandLine.*.*\\nslookup.exe.*" -and $_.message -match "CommandLine.*.*-q=TXT.*" -and $_.message -match "ParentImage.*.*\\Autoit.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + + +function Add-Rule { + + $ruleName = "win_apt_chafer_mar18"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_apt_chafer_mar18"; + $detectedMessage = "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018"; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ($_.ID -eq "7045" -and ($_.message -match "SC Scheduled Scan" -or $_.message -match "UpdatMachine")) } | select TimeCreated, Id, 
RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "4698" -and ($_.message -match "SC Scheduled Scan" -or $_.message -match "UpdatMachine")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" -or $_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\Service.exe.*" -and ($_.message -match "CommandLine.*.*i" -or $_.message -match "CommandLine.*.*u")) -or ($_.message -match "CommandLine.*.*\\microsoft\\Taskbar\\autoit3.exe" -or $_.message -match "CommandLine.*C:\\wsc.exe.*") -or ($_.message -match "Image.*.*\\Windows\\Temp\\DB\\.*" -and $_.message -match "Image.*.*.exe") -or ($_.message -match "CommandLine.*.*\\nslookup.exe.*" -and $_.message -match "CommandLine.*.*-q=TXT.*" -and $_.message -match "ParentImage.*.*\\Autoit.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_apt_cloudhopper.ps1 b/Rules/SIGMA/process_creation/win_apt_cloudhopper.ps1 new file mode 100644 index 00000000..9c7e0cdf --- /dev/null +++ b/Rules/SIGMA/process_creation/win_apt_cloudhopper.ps1 
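Review bot: In the fourth `$tmp` query the sub-clauses `$_.message -match "CommandLine.*.*i"` and `$_.message -match "CommandLine.*.*u"` are effectively unconditional — any command line containing an `i` or `u` after the word "CommandLine" satisfies them — so the `\\Service.exe` branch fires on essentially every Service.exe launch rather than only on the `i`/`u` install/uninstall arguments the rule is after. Assuming the source rule means a trailing single-letter argument and the Message keeps Sysmon's one-field-per-line layout, `$_.message -match "(?m)CommandLine.*\\Service\.exe\s+[iu]\s*$"` expresses that. Note also that the first two queries test for event IDs 7045 and 4698, which come from the System and Security logs, so this rule only works when the caller feeds those logs into `$event` as well as the Sysmon log; a comment above `function Add-Rule` saying which logs the rule expects would save the next reader from guessing.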
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\cscript.exe" -and $_.message -match "CommandLine.*.*.vbs.*" -and $_.message -match "CommandLine.*.*/shell.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_apt_cloudhopper"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_apt_cloudhopper"; + $detectedMessage = "Detects suspicious file execution by wscript and cscript"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cscript.exe" -and $_.message -match "CommandLine.*.*.vbs.*" -and $_.message -match "CommandLine.*.*/shell.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_apt_dragonfly.ps1 b/Rules/SIGMA/process_creation/win_apt_dragonfly.ps1 new file mode 100644 index 00000000..425592f7 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_apt_dragonfly.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\crackmapexec.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_apt_dragonfly"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_apt_dragonfly"; + $detectedMessage = "Detects CrackMapExecWin Activity as Described by NCSC"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\crackmapexec.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_apt_elise.ps1 b/Rules/SIGMA/process_creation/win_apt_elise.ps1 new file mode 100644 index 00000000..39a19471 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_apt_elise.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*C:\Windows\SysWOW64\cmd.exe" -and $_.message -match "CommandLine.*.*\Windows\Caches\NavShExt.dll .*") -or $_.message -match "CommandLine.*.*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_apt_elise"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_apt_elise"; + $detectedMessage = "Detects Elise backdoor acitivty as used by APT32"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*C:\\Windows\\SysWOW64\\cmd.exe" -and $_.message -match "CommandLine.*.*\\Windows\\Caches\\NavShExt.dll .*") -or $_.message -match "CommandLine.*.*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_apt_emissarypanda_sep19.ps1 b/Rules/SIGMA/process_creation/win_apt_emissarypanda_sep19.ps1 new file mode 100644 index 00000000..081f8f0c --- /dev/null +++ b/Rules/SIGMA/process_creation/win_apt_emissarypanda_sep19.ps1 
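Review bot: `$detectedMessage` has a typo in the text shown to the analyst ("acitivty"); it should read `$detectedMessage = "Detects Elise backdoor activity as used by APT32";`. The path fragments in the filter (`\\Windows\\Caches\\NavShExt.dll`) are correct as written, since PowerShell passes the doubled backslash through and the regex reads it as one literal backslash.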
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\sllauncher.exe" -and $_.message -match "Image.*.*\svchost.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_apt_emissarypanda_sep19"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_apt_emissarypanda_sep19"; + $detectedMessage = "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\sllauncher.exe" -and $_.message -match "Image.*.*\\svchost.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_apt_empiremonkey.ps1 b/Rules/SIGMA/process_creation/win_apt_empiremonkey.ps1 new file mode 100644 index 00000000..381a1781 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_apt_empiremonkey.ps1 
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*/i:%APPDATA%\logs.txt scrobj.dll") -and (($_.message -match "Image.*.*\cutil.exe") -or ($_.message -match "Microsoft(C) Registerserver"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_empiremonkey";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_empiremonkey";
+ $detectedMessage = "Detects EmpireMonkey APT reported Activity";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*/i:%APPDATA%\\logs.txt scrobj.dll") -and (($_.message -match "Image.*.*\\cutil.exe") -or ($_.message -match "Microsoft(C) Registerserver"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_equationgroup_dll_u_load.ps1 b/Rules/SIGMA/process_creation/win_apt_equationgroup_dll_u_load.ps1
new file mode 100644
index 00000000..ca936536
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_equationgroup_dll_u_load.ps1
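Review bot: `"Microsoft(C) Registerserver"` is handed to `-match`, i.e. used as a regex, so the parentheses form a group and the pattern matches `MicrosoftC Registerserver` but never the literal `Microsoft(C) Registerserver` the header comment describes; it needs `Microsoft\(C\) Registerserver`. The same unescaped-metacharacter problem recurs in other hunks of this commit: the `Program Files(x86)` exclusion in win_apt_gallium (group again), the `" +h .*"`/`" +s .*"`/`" +r .*"` patterns in win_apt_hafnium (`+` quantifies the preceding space, so the literal `attrib +h +s +r` branch can never fire), and the `c$\\aaaa` pattern in win_apt_judgement_panda_gtr19 and `@#$@#$@#$` in win_apt_lazarus_activity_dec20, where each `$` is an end-of-input anchor mid-pattern and silently kills that branch. Since every one of these values is a Sigma literal, the converter should emit them through `[regex]::Escape()` (or as `[regex]::Escape` calls in the generated code) rather than relying on hand escaping per rule.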
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\rundll32.exe" -and $_.message -match "CommandLine.*.*,dll_u") -or $_.message -match "CommandLine.*.* -export dll_u .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_equationgroup_dll_u_load";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_equationgroup_dll_u_load";
+ $detectedMessage = "Detects a specific tool and export used by EquationGroup";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*,dll_u") -or $_.message -match "CommandLine.*.* -export dll_u .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_evilnum_jul20.ps1 b/Rules/SIGMA/process_creation/win_apt_evilnum_jul20.ps1
new file mode 100644
index 00000000..231150fd
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_evilnum_jul20.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*regsvr32.*" -and $_.message -match "CommandLine.*.*/s.*" -and $_.message -match "CommandLine.*.*/i.*" -and $_.message -match "CommandLine.*.*\AppData\Roaming\.*" -and $_.message -match "CommandLine.*.*.ocx.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_evilnum_jul20";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_evilnum_jul20";
+ $detectedMessage = "Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*regsvr32.*" -and $_.message -match "CommandLine.*.*/s.*" -and $_.message -match "CommandLine.*.*/i.*" -and $_.message -match "CommandLine.*.*\\AppData\\Roaming\\.*" -and $_.message -match "CommandLine.*.*.ocx.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_gallium.ps1 b/Rules/SIGMA/process_creation/win_apt_gallium.ps1
new file mode 100644
index 00000000..4bf137b3
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_gallium.ps1
@@ -0,0 +1,43 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "53a44c2396d15c3a03723fa5e5db54cafd527635" -or $_.message -match "9c5e496921e3bc882dc40694f1dcc3746a75db19" -or $_.message -match "aeb573accfd95758550cf30bf04f389a92922844" -or $_.message -match "79ef78a797403a4ed1a616c68e07fff868a8650a" -or $_.message -match "4f6f38b4cec35e895d91c052b1f5a83d665c2196" -or $_.message -match "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" -or $_.message -match "e841a63e47361a572db9a7334af459ddca11347a" -or $_.message -match "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" -or $_.message -match "2e94b305d6812a9f96e6781c888e48c7fb157b6b" -or $_.message -match "dd44133716b8a241957b912fa6a02efde3ce3025" -or $_.message -match "8793bf166cb89eb55f0593404e4e933ab605e803" -or $_.message -match "a39b57032dbb2335499a51e13470a7cd5d86b138" -or $_.message -match "41cc2b15c662bc001c0eb92f6cc222934f0beeea" -or $_.message -match "d209430d6af54792371174e70e27dd11d3def7a7" -or $_.message -match "1c6452026c56efd2c94cea7e0f671eb55515edb0" -or $_.message -match "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" -or $_.message -match "4923d460e22fbbf165bbbaba168e5a46b8157d9f" -or $_.message -match "f201504bd96e81d0d350c3a8332593ee1c9e09de" -or $_.message -match "ddd2db1127632a2a52943a2fe516a2e7d05d70d2")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "257" -and ($_.message -match "asyspy256.ddns.net" -or $_.message -match "hotkillmail9sddcc.ddns.net" -or $_.message -match "rosaf112.ddns.net" -or $_.message -match "cvdfhjh1231.myftp.biz" -or $_.message -match "sz2016rose.ddns.net" -or $_.message -match "dffwescwer4325.myftp.biz" -or $_.message -match "cvdfhjh1231.ddns.net")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "e570585edc69f9074cb5e8a790708336bd45ca0f") -and -not (($_.message -match "Image.*.*:\\Program Files(x86)\\.*" -or $_.message -match "Image.*.*:\\Program Files\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_gallium";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_gallium";
+ $detectedMessage = "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "1" -and ($_.message -match "53a44c2396d15c3a03723fa5e5db54cafd527635" -or $_.message -match "9c5e496921e3bc882dc40694f1dcc3746a75db19" -or $_.message -match "aeb573accfd95758550cf30bf04f389a92922844" -or $_.message -match "79ef78a797403a4ed1a616c68e07fff868a8650a" -or $_.message -match "4f6f38b4cec35e895d91c052b1f5a83d665c2196" -or $_.message -match "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" -or $_.message -match "e841a63e47361a572db9a7334af459ddca11347a" -or $_.message -match "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" -or $_.message -match "2e94b305d6812a9f96e6781c888e48c7fb157b6b" -or $_.message -match "dd44133716b8a241957b912fa6a02efde3ce3025" -or $_.message -match "8793bf166cb89eb55f0593404e4e933ab605e803" -or $_.message -match "a39b57032dbb2335499a51e13470a7cd5d86b138" -or $_.message -match "41cc2b15c662bc001c0eb92f6cc222934f0beeea" -or $_.message -match "d209430d6af54792371174e70e27dd11d3def7a7" -or $_.message -match "1c6452026c56efd2c94cea7e0f671eb55515edb0" -or $_.message -match "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" -or $_.message -match "4923d460e22fbbf165bbbaba168e5a46b8157d9f" -or $_.message -match "f201504bd96e81d0d350c3a8332593ee1c9e09de" -or $_.message -match "ddd2db1127632a2a52943a2fe516a2e7d05d70d2")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "257" -and ($_.message -match "asyspy256.ddns.net" -or $_.message -match "hotkillmail9sddcc.ddns.net" -or $_.message -match "rosaf112.ddns.net" -or $_.message -match "cvdfhjh1231.myftp.biz" -or $_.message -match "sz2016rose.ddns.net" -or $_.message -match "dffwescwer4325.myftp.biz" -or $_.message -match "cvdfhjh1231.ddns.net")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+ $tmp = $event | where { (($_.ID -eq "1") -and ($_.message -match "e570585edc69f9074cb5e8a790708336bd45ca0f") -and -not (($_.message -match "Image.*.*:\\Program Files(x86)\\.*" -or $_.message -match "Image.*.*:\\Program Files\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_greenbug_may20.ps1 b/Rules/SIGMA/process_creation/win_apt_greenbug_may20.ps1
new file mode 100644
index 00000000..fc011a0c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_greenbug_may20.ps1
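Review bot: The second query filters on `$_.ID -eq "257"` while the header comment reads `Microsoft-Windows-Sysmon/Operational`, but Sysmon's DNS query event is ID 22, so if this block is meant to match the DNS indicators from Sysmon it can never fire, and if 257 is another provider's event the log name in the comment is wrong; worth confirming against the source Sigma logsource and recording the mapping in a comment such as `# DNS indicators: Sysmon DnsQuery is Event ID 22`. The first block matches SHA1 strings against `$_.message`, which only works when the Sysmon configuration includes SHA1 in the Hashes field; a comment stating that prerequisite would explain to operators why the rule may stay silent. The unescaped `(x86)` group in the `Program Files(x86)` exclusion is covered by the escaping note on the win_apt_empiremonkey hunk.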
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*bitsadmin.*" -and $_.message -match "CommandLine.*.*/transfer.*" -and $_.message -match "CommandLine.*.*CSIDL_APPDATA.*") -or ($_.message -match "CommandLine.*.*CSIDL_SYSTEM_DRIVE.*") -or ($_.message -match "CommandLine.*.*\msf.ps1.*" -or $_.message -match "CommandLine.*.*8989 -e cmd.exe.*" -or $_.message -match "CommandLine.*.*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill.*" -or $_.message -match "CommandLine.*.*-nop -w hidden -c $k=new-object.*" -or $_.message -match "CommandLine.*.*[Net.CredentialCache]::DefaultCredentials;IEX .*" -or $_.message -match "CommandLine.*.* -nop -w hidden -c $m=new-object net.webclient;$m.*" -or $_.message -match "CommandLine.*.*-noninteractive -executionpolicy bypass whoami.*" -or $_.message -match "CommandLine.*.*-noninteractive -executionpolicy bypass netstat -a.*" -or $_.message -match "CommandLine.*.*L3NlcnZlc.*") -or ($_.message -match "Image.*.*\adobe\Adobe.exe" -or $_.message -match "Image.*.*\oracle\local.exe" -or $_.message -match "Image.*.*\revshell.exe" -or $_.message -match "Image.*.*infopagesbackup\ncat.exe" -or $_.message -match "Image.*.*CSIDL_SYSTEM\cmd.exe" -or $_.message -match "Image.*.*\programdata\oracle\java.exe" -or $_.message -match "Image.*.*CSIDL_COMMON_APPDATA\comms\comms.exe" -or $_.message -match "Image.*.*\Programdata\VMware\Vmware.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_greenbug_may20";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_greenbug_may20";
+ $detectedMessage = "Detects tools and process executions as observed in a Greenbug campaign in May 2020";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*bitsadmin.*" -and $_.message -match "CommandLine.*.*/transfer.*" -and $_.message -match "CommandLine.*.*CSIDL_APPDATA.*") -or ($_.message -match "CommandLine.*.*CSIDL_SYSTEM_DRIVE.*") -or ($_.message -match "CommandLine.*.*\\msf.ps1.*" -or $_.message -match "CommandLine.*.*8989 -e cmd.exe.*" -or $_.message -match "CommandLine.*.*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill.*" -or $_.message -match "CommandLine.*.*-nop -w hidden -c $k=new-object.*" -or $_.message -match "CommandLine.*.*[Net.CredentialCache]::DefaultCredentials;IEX .*" -or $_.message -match "CommandLine.*.* -nop -w hidden -c $m=new-object net.webclient;$m.*" -or $_.message -match "CommandLine.*.*-noninteractive -executionpolicy bypass whoami.*" -or $_.message -match "CommandLine.*.*-noninteractive -executionpolicy bypass netstat -a.*" -or $_.message -match "CommandLine.*.*L3NlcnZlc.*") -or ($_.message -match "Image.*.*\\adobe\\Adobe.exe" -or $_.message -match "Image.*.*\\oracle\\local.exe" -or $_.message -match "Image.*.*\\revshell.exe" -or $_.message -match "Image.*.*infopagesbackup\\ncat.exe" -or $_.message -match "Image.*.*CSIDL_SYSTEM\\cmd.exe" -or $_.message -match "Image.*.*\\programdata\\oracle\\java.exe" -or $_.message -match "Image.*.*CSIDL_COMMON_APPDATA\\comms\\comms.exe" -or $_.message -match "Image.*.*\\Programdata\\VMware\\Vmware.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_hafnium.ps1 b/Rules/SIGMA/process_creation/win_apt_hafnium.ps1
new file mode 100644
index 00000000..1095434a
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_hafnium.ps1
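Review bot: Several patterns in the `$result` filter are double-quoted PowerShell strings containing `$cmd`, `$da`, `$k` and `$m`, which are expanded as (undefined, hence empty) variables before the regex is ever compiled, so `"...SqlDataAdapter($cmd); [void]$da.fill.*"` becomes `...SqlDataAdapter(); [void].fill.*` and the `-nop -w hidden -c $k=new-object` and `$m=new-object net.webclient;$m` branches lose the very variable names they were meant to match. Write these literals in single quotes and pass them through `[regex]::Escape(...)`, because `(`, `)`, `[` and `]` are regex metacharacters as well — `[void]` as written is a character class matching one of `v`, `o`, `i`, `d`, not the text `[void]`. The header comment on the first line has the same `$` expansions but is inert there.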
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*attrib.*" -and $_.message -match "CommandLine.*.* +h .*" -and $_.message -match "CommandLine.*.* +s .*" -and $_.message -match "CommandLine.*.* +r .*" -and $_.message -match "CommandLine.*.*.aspx.*") -or ($_.message -match "CommandLine.*.*schtasks.*" -and $_.message -match "CommandLine.*.*VSPerfMon.*") -or ($_.message -match "CommandLine.*.*vssadmin list shadows.*" -and $_.message -match "CommandLine.*.*Temp\__output.*") -or $_.message -match "CommandLine.*.*%TEMP%\execute.bat.*" -or $_.message -match "Image.*.*Users\Public\opera\Opera_browser.exe" -or ($_.message -match "Image.*.*Opera_browser.exe" -and ($_.message -match "ParentImage.*.*\services.exe" -or $_.message -match "ParentImage.*.*\svchost.exe")) -or $_.message -match "Image.*.*\ProgramData\VSPerfMon\.*" -or ($_.message -match "CommandLine.*.* -t7z .*" -and $_.message -match "CommandLine.*.*C:\Programdata\pst.*" -and $_.message -match "CommandLine.*.*\it.zip.*") -or ($_.message -match "Image.*.*\makecab.exe" -and ($_.message -match "CommandLine.*.*Microsoft\Exchange Server\.*" -or $_.message -match "CommandLine.*.*inetpub\wwwroot.*")) -or ($_.message -match "CommandLine.*.*\Temp\xx.bat.*" -or $_.message -match "CommandLine.*.*Windows\WwanSvcdcs.*" -or $_.message -match "CommandLine.*.*Windows\Temp\cw.exe.*") -or ($_.message -match "CommandLine.*.*\comsvcs.dll.*" -and $_.message -match "CommandLine.*.*Minidump.*" -and $_.message -match "CommandLine.*.*\inetpub\wwwroot.*") -or ($_.message -match "CommandLine.*.*dsquery.*" -and $_.message -match "CommandLine.*.* -uco .*" -and $_.message -match "CommandLine.*.*\inetpub\wwwroot.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_hafnium";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_hafnium";
+ $detectedMessage = "Detects activity observed by different researchers to be HAFNIUM group acitivity (or related) on Exchange servers";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*attrib.*" -and $_.message -match "CommandLine.*.* +h .*" -and $_.message -match "CommandLine.*.* +s .*" -and $_.message -match "CommandLine.*.* +r .*" -and $_.message -match "CommandLine.*.*.aspx.*") -or ($_.message -match "CommandLine.*.*schtasks.*" -and $_.message -match "CommandLine.*.*VSPerfMon.*") -or ($_.message -match "CommandLine.*.*vssadmin list shadows.*" -and $_.message -match "CommandLine.*.*Temp\\__output.*") -or $_.message -match "CommandLine.*.*%TEMP%\\execute.bat.*" -or $_.message -match "Image.*.*Users\\Public\\opera\\Opera_browser.exe" -or ($_.message -match "Image.*.*Opera_browser.exe" -and ($_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\svchost.exe")) -or $_.message -match "Image.*.*\\ProgramData\\VSPerfMon\\.*" -or ($_.message -match "CommandLine.*.* -t7z .*" -and $_.message -match "CommandLine.*.*C:\\Programdata\\pst.*" -and $_.message -match "CommandLine.*.*\\it.zip.*") -or ($_.message -match "Image.*.*\\makecab.exe" -and ($_.message -match "CommandLine.*.*Microsoft\\Exchange Server\\.*" -or $_.message -match "CommandLine.*.*inetpub\\wwwroot.*")) -or ($_.message -match "CommandLine.*.*\\Temp\\xx.bat.*" -or $_.message -match "CommandLine.*.*Windows\\WwanSvcdcs.*" -or $_.message -match "CommandLine.*.*Windows\\Temp\\cw.exe.*") -or ($_.message -match "CommandLine.*.*\\comsvcs.dll.*" -and $_.message -match "CommandLine.*.*Minidump.*" -and $_.message -match "CommandLine.*.*\\inetpub\\wwwroot.*") -or ($_.message -match "CommandLine.*.*dsquery.*" -and $_.message -match "CommandLine.*.* -uco .*" -and $_.message -match "CommandLine.*.*\\inetpub\\wwwroot.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_hurricane_panda.ps1 b/Rules/SIGMA/process_creation/win_apt_hurricane_panda.ps1
new file mode 100644
index 00000000..18696609
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_hurricane_panda.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*localgroup.*" -and $_.message -match "CommandLine.*.*admin.*" -and $_.message -match "CommandLine.*.*/add.*") -or ($_.message -match "CommandLine.*.*\Win64.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_hurricane_panda";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_hurricane_panda";
+ $detectedMessage = "Detects Hurricane Panda Activity";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*localgroup.*" -and $_.message -match "CommandLine.*.*admin.*" -and $_.message -match "CommandLine.*.*/add.*") -or ($_.message -match "CommandLine.*.*\\Win64.exe.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_judgement_panda_gtr19.ps1 b/Rules/SIGMA/process_creation/win_apt_judgement_panda_gtr19.ps1
new file mode 100644
index 00000000..e0e9b40f
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_judgement_panda_gtr19.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*eprod.ldf" -or ($_.message -match "CommandLine.*.*\ldifde.exe -f -n .*" -or $_.message -match "CommandLine.*.*\7za.exe a 1.7z .*" -or $_.message -match "CommandLine.*.*\aaaa\procdump64.exe.*" -or $_.message -match "CommandLine.*.*\aaaa\netsess.exe.*" -or $_.message -match "CommandLine.*.*\aaaa\7za.exe.*" -or $_.message -match "CommandLine.*.*copy .\1.7z \.*" -or $_.message -match "CommandLine.*.*copy \client\c$\aaaa\.*") -or $_.message -match "Image.*C:\Users\Public\7za.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_judgement_panda_gtr19";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_judgement_panda_gtr19";
+ $detectedMessage = "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*eprod.ldf" -or ($_.message -match "CommandLine.*.*\\ldifde.exe -f -n .*" -or $_.message -match "CommandLine.*.*\\7za.exe a 1.7z .*" -or $_.message -match "CommandLine.*.*\\aaaa\\procdump64.exe.*" -or $_.message -match "CommandLine.*.*\\aaaa\\netsess.exe.*" -or $_.message -match "CommandLine.*.*\\aaaa\\7za.exe.*" -or $_.message -match "CommandLine.*.*copy .\\1.7z \\.*" -or $_.message -match "CommandLine.*.*copy \\client\\c$\\aaaa\\.*") -or $_.message -match "Image.*C:\\Users\\Public\\7za.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_ke3chang_regadd.ps1 b/Rules/SIGMA/process_creation/win_apt_ke3chang_regadd.ps1
new file mode 100644
index 00000000..175079d2
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_ke3chang_regadd.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force.*" -or $_.message -match "CommandLine.*.*-Property String -name Check_Associations -value.*" -or $_.message -match "CommandLine.*.*-Property DWORD -name IEHarden -value 0 -Force.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_ke3chang_regadd";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_ke3chang_regadd";
+ $detectedMessage = "Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force.*" -or $_.message -match "CommandLine.*.*-Property String -name Check_Associations -value.*" -or $_.message -match "CommandLine.*.*-Property DWORD -name IEHarden -value 0 -Force.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_lazarus_activity_apr21.ps1 b/Rules/SIGMA/process_creation/win_apt_lazarus_activity_apr21.ps1
new file mode 100644
index 00000000..b92bcc4e
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_lazarus_activity_apr21.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*mshta.*" -and $_.message -match "CommandLine.*.*.zip.*") -or (($_.message -match "C:\Windows\System32\wbem\wmiprvse.exe") -and ($_.message -match "C:\Windows\System32\mshta.exe")) -or (($_.message -match "ParentImage.*.*:\Users\Public\.*") -and ($_.message -match "C:\Windows\System32\rundll32.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_lazarus_activity_apr21";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_lazarus_activity_apr21";
+ $detectedMessage = "Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*mshta.*" -and $_.message -match "CommandLine.*.*.zip.*") -or (($_.message -match "C:\\Windows\\System32\\wbem\\wmiprvse.exe") -and ($_.message -match "C:\\Windows\\System32\\mshta.exe")) -or (($_.message -match "ParentImage.*.*:\\Users\\Public\\.*") -and ($_.message -match "C:\\Windows\\System32\\rundll32.exe")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_lazarus_activity_dec20.ps1 b/Rules/SIGMA/process_creation/win_apt_lazarus_activity_dec20.ps1
new file mode 100644
index 00000000..88a1cb4c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_lazarus_activity_dec20.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*reg.exe save hklm\sam %temp%\~reg_sam.save.*" -or $_.message -match "CommandLine.*.*1q2w3e4r@#$@#$@#$.*" -or $_.message -match "CommandLine.*.* -hp1q2w3e4 .*" -or $_.message -match "CommandLine.*.*.dat data03 10000 -p .*") -or ($_.message -match "CommandLine.*.*process call create.*" -and $_.message -match "CommandLine.*.* > %temp%\~.*") -or ($_.message -match "CommandLine.*.*netstat -aon | find .*" -and $_.message -match "CommandLine.*.* > %temp%\~.*") -or ($_.message -match "CommandLine.*.*.255 10 C:\ProgramData\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_lazarus_activity_dec20";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_lazarus_activity_dec20";
+ $detectedMessage = "Detects different process creation events as described in various threat reports on Lazarus group activity";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*reg.exe save hklm\\sam %temp%\\~reg_sam.save.*" -or $_.message -match "CommandLine.*.*1q2w3e4r@#$@#$@#$.*" -or $_.message -match "CommandLine.*.* -hp1q2w3e4 .*" -or $_.message -match "CommandLine.*.*.dat data03 10000 -p .*") -or ($_.message -match "CommandLine.*.*process call create.*" -and $_.message -match "CommandLine.*.* > %temp%\\~.*") -or ($_.message -match "CommandLine.*.*netstat -aon | find .*" -and $_.message -match "CommandLine.*.* > %temp%\\~.*") -or ($_.message -match "CommandLine.*.*.255 10 C:\\ProgramData\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_lazarus_loader.ps1 b/Rules/SIGMA/process_creation/win_apt_lazarus_loader.ps1
new file mode 100644
index 00000000..26e42942
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_lazarus_loader.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.message -match "CommandLine.*.*cmd.exe /c .*" -and $_.message -match "CommandLine.*.* -p 0x.*" -and ($_.message -match "CommandLine.*.*C:\ProgramData\.*" -or $_.message -match "CommandLine.*.*C:\RECYCLER\.*")) -or ($_.message -match "CommandLine.*.*rundll32.exe .*" -and $_.message -match "CommandLine.*.*C:\ProgramData\.*" -and ($_.message -match "CommandLine.*.*.bin,.*" -or $_.message -match "CommandLine.*.*.tmp,.*" -or $_.message -match "CommandLine.*.*.dat,.*" -or $_.message -match "CommandLine.*.*.io,.*" -or $_.message -match "CommandLine.*.*.ini,.*" -or $_.message -match "CommandLine.*.*.db,.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_lazarus_loader";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_lazarus_loader";
+ $detectedMessage = "Detects different loaders as described in various threat reports on Lazarus group activity";
+ $result = $event | where { ($_.ID -eq "1" -and (($_.message -match "CommandLine.*.*cmd.exe /c .*" -and $_.message -match "CommandLine.*.* -p 0x.*" -and ($_.message -match "CommandLine.*.*C:\\ProgramData\\.*" -or $_.message -match "CommandLine.*.*C:\\RECYCLER\\.*")) -or ($_.message -match "CommandLine.*.*rundll32.exe .*" -and $_.message -match "CommandLine.*.*C:\\ProgramData\\.*" -and ($_.message -match "CommandLine.*.*.bin,.*" -or $_.message -match "CommandLine.*.*.tmp,.*" -or $_.message -match "CommandLine.*.*.dat,.*" -or $_.message -match "CommandLine.*.*.io,.*" -or $_.message -match "CommandLine.*.*.ini,.*" -or $_.message -match "CommandLine.*.*.db,.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_lazarus_session_highjack.ps1 b/Rules/SIGMA/process_creation/win_apt_lazarus_session_highjack.ps1
new file mode 100644
index 00000000..6a572b76
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_lazarus_session_highjack.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\msdtc.exe" -or $_.message -match "Image.*.*\gpvc.exe") -and -not (($_.message -match "Image.*C:\Windows\System32\.*" -or $_.message -match "Image.*C:\Windows\SysWOW64\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_lazarus_session_highjack";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_lazarus_session_highjack";
+ $detectedMessage = "Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\msdtc.exe" -or $_.message -match "Image.*.*\\gpvc.exe") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
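Review bot: The exclusion `-not ($_.message -match "Image.*C:\\Windows\\System32\\.*" -or ...)` is evaluated against the whole event message, and `Image` is also the tail of `ParentImage`, so an `msdtc.exe` or `gpvc.exe` started from an unusual path by a parent that lives in System32 (services.exe, svchost.exe) is presumably suppressed as well — the opposite of what a "launched outside its default directory" rule wants. Anchoring the field name, e.g. `'\bImage: .*C:\\Windows\\System32\\'` (`\b` does not match between the `t` and `I` of `ParentImage`), closes that gap, and the positive `Image.*.*\\msdtc.exe` / `Image.*.*\\gpvc.exe` matches deserve the same treatment. Every `Image.*` pattern in this commit shares the ambiguity, but here it weakens a filter rather than merely widening a match; `\.exe` rather than `.exe` would also be what is meant.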
diff --git a/Rules/SIGMA/process_creation/win_apt_mustangpanda.ps1 b/Rules/SIGMA/process_creation/win_apt_mustangpanda.ps1
new file mode 100644
index 00000000..58d2bdbf
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_mustangpanda.ps1
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*Temp\wtask.exe /create.*" -or $_.message -match "CommandLine.*.*%windir:~-3,1%%PUBLIC:~-9,1%.*" -or $_.message -match "CommandLine.*.*/tn "Security Script .*" -or $_.message -match "CommandLine.*.*%windir:~-1,1%.*") -or ($_.message -match "CommandLine.*.*/E:vbscript.*" -and $_.message -match "CommandLine.*.*C:\Users\.*" -and $_.message -match "CommandLine.*.*.txt.*" -and $_.message -match "CommandLine.*.*/F.*") -or $_.message -match "Image.*.*Temp\winwsh.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_apt_mustangpanda"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_apt_mustangpanda"; + $detectedMessage = "Detects specific process parameters as used by Mustang Panda droppers"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*Temp\\wtask.exe /create.*" -or $_.message -match "CommandLine.*.*%windir:~-3,1%%PUBLIC:~-9,1%.*" -or $_.message -match "CommandLine.*.*/tn Security Script .*" -or $_.message -match "CommandLine.*.*%windir:~-1, 1%.*") -or ($_.message -match "CommandLine.*.*/E:vbscript.*" -and $_.message -match "CommandLine.*.*C:\\Users\\.*" -and $_.message -match "CommandLine.*.*.txt.*" -and $_.message -match "CommandLine.*.*/F.*") -or $_.message -match "Image.*.*Temp\\winwsh.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
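Review bot: Two of the converted patterns in the `where` block no longer match the indicator shown in the header comment: `%windir:~-1, 1%` has acquired a space after the comma (the comment and batch substring syntax have `%windir:~-1,1%`), and `/tn Security Script .*` has lost the opening quote of `/tn "Security Script`. The first can never match a real command line; the second is looser than the original. Restore them as `$_.message -match "CommandLine.*%windir:~-1,1%.*"` and `$_.message -match "CommandLine.*/tn ""Security Script .*"`, using the doubled quote that win_apt_unc2452_ps already uses to embed a quote in a double-quoted string.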
diff --git a/Rules/SIGMA/process_creation/win_apt_revil_kaseya.ps1 b/Rules/SIGMA/process_creation/win_apt_revil_kaseya.ps1
new file mode 100644
index 00000000..abcdb9f2
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_revil_kaseya.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*C:\Windows\cert.exe.*" -or $_.message -match "CommandLine.*.*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled.*" -or $_.message -match "CommandLine.*.*del /q /f c:\kworking\agent.crt.*" -or $_.message -match "CommandLine.*.*Kaseya VSA Agent Hot-fix.*" -or $_.message -match "CommandLine.*.*\AppData\Local\Temp\MsMpEng.exe.*" -or $_.message -match "CommandLine.*.*rmdir /s /q %SystemDrive%\inetpub\logs.*" -or $_.message -match "CommandLine.*.*del /s /q /f %SystemDrive%\.*.log.*" -or $_.message -match "CommandLine.*.*c:\kworking1\agent.exe.*" -or $_.message -match "CommandLine.*.*c:\kworking1\agent.crt.*") -and ($_.message -match "C:\Windows\MsMpEng.exe" -or $_.message -match "C:\Windows\cert.exe" -or $_.message -match "C:\kworking\agent.exe" -or $_.message -match "C:\kworking1\agent.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_revil_kaseya";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_revil_kaseya";
+ $detectedMessage = "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*C:\\Windows\\cert.exe.*" -or $_.message -match "CommandLine.*.*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled.*" -or $_.message -match "CommandLine.*.*del /q /f c:\\kworking\\agent.crt.*" -or $_.message -match "CommandLine.*.*Kaseya VSA Agent Hot-fix.*" -or $_.message -match "CommandLine.*.*\\AppData\\Local\\Temp\\MsMpEng.exe.*" -or $_.message -match "CommandLine.*.*rmdir /s /q %SystemDrive%\\inetpub\\logs.*" -or $_.message -match "CommandLine.*.*del /s /q /f %SystemDrive%\\.*.log.*" -or $_.message -match "CommandLine.*.*c:\\kworking1\\agent.exe.*" -or $_.message -match "CommandLine.*.*c:\\kworking1\\agent.crt.*") -and ($_.message -match "C:\\Windows\\MsMpEng.exe" -or $_.message -match "C:\\Windows\\cert.exe" -or $_.message -match "C:\\kworking\\agent.exe" -or $_.message -match "C:\\kworking1\\agent.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_slingshot.ps1 b/Rules/SIGMA/process_creation/win_apt_slingshot.ps1
new file mode 100644
index 00000000..467d2347
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_slingshot.ps1
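Review bot: The `Set-MpPreference` pattern in the `where` block sits in a double-quoted PowerShell string, so every `$true` is interpolated when the script is parsed and the regex that reaches `-match` reads `-DisableRealtimeMonitoring True -DisableIntrusionPreventionSystem True ...`, which never matches the literal `$true` tokens in the command line the rule describes. Move that pattern into a single-quoted string and escape the dollar for the regex engine, e.g. `'CommandLine.*Set-MpPreference -DisableRealtimeMonitoring \$true -DisableIntrusionPreventionSystem \$true -DisableIOAVProtection \$true -DisableScriptScanning \$true .*'`. The `where` expression is broken across two source lines here only by the page layout, not in the file.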
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\schtasks.exe" -and ($_.message -match "CommandLine.*.*/delete.*" -or $_.message -match "CommandLine.*.*/change.*") -and $_.message -match "CommandLine.*.*/TN.*" -and $_.message -match "CommandLine.*.*\\Microsoft\\Windows\\Defrag\\ScheduledDefrag.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4701" -and $_.message -match "TaskName.*\\Microsoft\\Windows\\Defrag\\ScheduledDefrag") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_slingshot";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_slingshot";
+ $detectedMessage = "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\schtasks.exe" -and ($_.message -match "CommandLine.*.*/delete.*" -or $_.message -match "CommandLine.*.*/change.*") -and $_.message -match "CommandLine.*.*/TN.*" -and $_.message -match "CommandLine.*.*\\Microsoft\\Windows\\Defrag\\ScheduledDefrag.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "4701" -and $_.message -match "TaskName.*\\Microsoft\\Windows\\Defrag\\ScheduledDefrag") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_sofacy.ps1 b/Rules/SIGMA/process_creation/win_apt_sofacy.ps1
new file mode 100644
index 00000000..82c02969
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_sofacy.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*%APPDATA%\.*") -and ($_.message -match "CommandLine.*.*.dat",.*" -or $_.message -match "CommandLine.*.*.dll",#1")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_sofacy";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_sofacy";
+ $detectedMessage = "Detects Trojan loader acitivty as used by APT28";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*%APPDATA%\\.*") -and ($_.message -match "CommandLine.*.*.dat.*" -or $_.message -match "CommandLine.*.*.dll#1")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_ta17_293a_ps.ps1 b/Rules/SIGMA/process_creation/win_apt_ta17_293a_ps.ps1
new file mode 100644
index 00000000..5c73e9d7
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_ta17_293a_ps.ps1
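Review bot: The two loader patterns in the win_apt_sofacy `where` block lost the quote characters the header comment shows: `.dat",` became `.dat.*` and `.dll",#1` became `.dll#1`. The first now matches any command line containing `.dat` (and, with the dot unescaped, `data`), while the second requires `.dll` to be followed immediately by `#1`, which the quoted rundll32 form `...dll",#1` never satisfies, so that branch is dead. Embed the quote by doubling it inside the double-quoted string, as win_apt_unc2452_ps does: `$_.message -match "CommandLine.*\.dat"",.*"` and `$_.message -match "CommandLine.*\.dll"",#1"`. The description also misspells activity as `acitivty`.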
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*ps.exe -accepteula") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_ta17_293a_ps";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_ta17_293a_ps";
+ $detectedMessage = "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*ps.exe -accepteula") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_ta505_dropper.ps1 b/Rules/SIGMA/process_creation/win_apt_ta505_dropper.ps1
new file mode 100644
index 00000000..d2c1c019
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_ta505_dropper.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\mshta.exe" -and $_.message -match "ParentImage.*.*\wmiprvse.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_ta505_dropper";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_ta505_dropper";
+ $detectedMessage = "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\mshta.exe" -and $_.message -match "ParentImage.*.*\\wmiprvse.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_taidoor.ps1 b/Rules/SIGMA/process_creation/win_apt_taidoor.ps1
new file mode 100644
index 00000000..5acd8e92
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_taidoor.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*dll,MyStart.*" -or $_.message -match "CommandLine.*.*dll MyStart.*") -or ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* MyStart") -and ($_.message -match "CommandLine.*.*rundll32.exe.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_taidoor";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_taidoor";
+ $detectedMessage = "Detects specific process characteristics of Chinese TAIDOOR RAT malware load";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*dll,MyStart.*" -or $_.message -match "CommandLine.*.*dll MyStart.*") -or ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* MyStart") -and ($_.message -match "CommandLine.*.*rundll32.exe.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_tropictrooper.ps1 b/Rules/SIGMA/process_creation/win_apt_tropictrooper.ps1
new file mode 100644
index 00000000..bc7a8c45
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_tropictrooper.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_tropictrooper";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_tropictrooper";
+ $detectedMessage = "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_turla_comrat_may20.ps1 b/Rules/SIGMA/process_creation/win_apt_turla_comrat_may20.ps1
new file mode 100644
index 00000000..3ab42155
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_turla_comrat_may20.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*tracert -h 10 yahoo.com.*" -or $_.message -match "CommandLine.*.*.WSqmCons))|iex;.*" -or $_.message -match "CommandLine.*.*Fr`omBa`se6`4Str`ing.*") -or ($_.message -match "CommandLine.*.*net use https://docs.live.net.*" -and $_.message -match "CommandLine.*.*@aol.co.uk.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_turla_comrat_may20";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_turla_comrat_may20";
+ $detectedMessage = "Detects commands used by Turla group as reported by ESET in May 2020";
+ $result = $event | where { $_.ID -eq "1" -and (($_.message -match "CommandLine.*.*tracert -h 10 yahoo.com.*" -or $_.message -match "CommandLine.*.*.WSqmCons\)\)|iex;.*" -or $_.message -match "CommandLine.*.*Fr`omBa`se6`4Str`ing.*") -or ($_.message -match "CommandLine.*.*net use https://docs.live.net.*" -and $_.message -match "CommandLine.*.*@aol.co.uk.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMesssage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_unc2452_cmds.ps1 b/Rules/SIGMA/process_creation/win_apt_unc2452_cmds.ps1
new file mode 100644
index 00000000..998a1939
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_unc2452_cmds.ps1
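Review bot: `Write-Output $detectedMesssage` (three s) reads a variable that is never assigned, so this rule prints an empty line where its description belongs; it must be `Write-Output $detectedMessage;` as in every sibling rule. Two patterns in the `where` block are also changed by the string form they sit in: the unescaped `|` in `.WSqmCons\)\)|iex;.*` is regex alternation, so the rule fires on any command line containing `iex;`, and in a double-quoted PowerShell string the backtick is the escape character, so `` Fr`omBa`se6`4Str`ing `` reaches the regex engine as plain `FromBase64String` rather than the obfuscated form the header comment targets. Writing both in single quotes with the pipe escaped keeps the original indicators: `'CommandLine.*\.WSqmCons\)\)\|iex;.*'` and `` 'CommandLine.*Fr`omBa`se6`4Str`ing.*' ``.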
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((((($_.message -match "CommandLine.*.*7z.exe a -v500m -mx9 -r0 -p.*") -or ($_.message -match "ParentCommandLine.*.*wscript.exe.*" -and $_.message -match "ParentCommandLine.*.*.vbs.*" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*C:\Windows.*" -and $_.message -match "CommandLine.*.*.dll,Tk_.*")) -or ($_.message -match "ParentImage.*.*\rundll32.exe" -and $_.message -match "ParentCommandLine.*.*C:\Windows.*" -and $_.message -match "CommandLine.*.*cmd.exe /C .*")) -or ($_.message -match "CommandLine.*.*rundll32 c:\windows\.*" -and $_.message -match "CommandLine.*.*.dll .*")) -or (($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\rundll32.exe" -and $_.message -match "Image.*.*\dllhost.exe") -and -not (($_.message -match " " -or $_.message -match ""))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_unc2452_cmds";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_unc2452_cmds";
+ $detectedMessage = "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries";
+ $result = $event | where { (($_.ID -eq "1") -and ((((($_.message -match "CommandLine.*.*7z.exe a -v500m -mx9 -r0 -p.*") -or ($_.message -match "ParentCommandLine.*.*wscript.exe.*" -and $_.message -match "ParentCommandLine.*.*.vbs.*" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*C:\\Windows.*" -and $_.message -match "CommandLine.*.*.dll,Tk_.*")) -or ($_.message -match "ParentImage.*.*\\rundll32.exe" -and $_.message -match "ParentCommandLine.*.*C:\\Windows.*" -and $_.message -match "CommandLine.*.*cmd.exe /C .*")) -or ($_.message -match "CommandLine.*.*rundll32 c:\\windows\\.*" -and $_.message -match "CommandLine.*.*.dll .*")) -or (($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\rundll32.exe" -and $_.message -match "Image.*.*\\dllhost.exe") -and -not (($_.message -match " " -or $_.message -match ""))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_unc2452_ps.ps1 b/Rules/SIGMA/process_creation/win_apt_unc2452_ps.ps1
new file mode 100644
index 00000000..dc83373f
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_unc2452_ps.ps1
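Review bot: In the dllhost branch of the `where` block, `-not (($_.message -match " " -or $_.message -match ""))` can never be true: an empty regex matches every string, so the negated group is always false and the `ParentImage rundll32.exe` / `Image dllhost.exe` selection is dead code. From the header comment this presumably started as a filter on the CommandLine field being empty or a single space; that needs a line-anchored test such as `-not ($_.message -match "(?m)^CommandLine:\s*$")`, and whether the original rule excludes or requires the empty command line should be confirmed against the source before fixing the polarity. The remaining alternatives in the expression are unaffected; the expression is split across two source lines only by the page layout.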
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*Invoke-WMIMethod win32_process -name create -argumentlist.*" -and $_.message -match "CommandLine.*.*rundll32 c:\windows.*") -or ($_.message -match "CommandLine.*.*wmic /node:.*" -and $_.message -match "CommandLine.*.*process call create "rundll32 c:\windows.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_unc2452_ps";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_unc2452_ps";
+ $detectedMessage = "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*Invoke-WMIMethod win32_process -name create -argumentlist.*" -and $_.message -match "CommandLine.*.*rundll32 c:\\windows.*") -or ($_.message -match "CommandLine.*.*wmic /node:.*" -and $_.message -match "CommandLine.*.*process call create ""rundll32 c:\\windows.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_unidentified_nov_18.ps1 b/Rules/SIGMA/process_creation/win_apt_unidentified_nov_18.ps1
new file mode 100644
index 00000000..3e41166a
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_unidentified_nov_18.ps1
@@ -0,0 +1,41 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cyzfc.dat,.*" -and $_.message -match "CommandLine.*.*PointFunctionCall") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*ds7002.lnk.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_unidentified_nov_18";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_unidentified_nov_18";
+ $detectedMessage = "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with
+YYTRIUM/APT29 campaign in 2016.";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cyzfc.dat,.*" -and $_.message -match "CommandLine.*.*PointFunctionCall") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*ds7002.lnk.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
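Review bot: The `$detectedMessage` literal is broken across two source lines (the `+YYTRIUM/APT29 campaign in 2016.";` line continues the string at column 0), so the embedded line break is emitted by `Write-Output $detectedMessage` and the file's indentation is lost on that line. Join it into one line, and correct `unidetefied` to `unidentified` while touching it.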
diff --git a/Rules/SIGMA/process_creation/win_apt_winnti_mal_hk_jan20.ps1 b/Rules/SIGMA/process_creation/win_apt_winnti_mal_hk_jan20.ps1
new file mode 100644
index 00000000..50d1cc73
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_winnti_mal_hk_jan20.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*C:\Windows\Temp.*" -or $_.message -match "ParentImage.*.*\hpqhvind.exe.*") -and $_.message -match "Image.*C:\ProgramData\DRM.*") -or ($_.message -match "ParentImage.*C:\ProgramData\DRM.*" -and $_.message -match "Image.*.*\wmplayer.exe") -or ($_.message -match "ParentImage.*.*\Test.exe" -and $_.message -match "Image.*.*\wmplayer.exe") -or $_.message -match "Image.*C:\ProgramData\DRM\CLR\CLR.exe" -or ($_.message -match "ParentImage.*C:\ProgramData\DRM\Windows.*" -and $_.message -match "Image.*.*\SearchFilterHost.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_winnti_mal_hk_jan20";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_winnti_mal_hk_jan20";
+ $result = $event | where { (($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*C:\\Windows\\Temp.*" -or $_.message -match "ParentImage.*.*\\hpqhvind.exe.*") -and $_.message -match "Image.*C:\\ProgramData\\DRM.*") -or ($_.message -match "ParentImage.*C:\\ProgramData\\DRM.*" -and $_.message -match "Image.*.*\\wmplayer.exe") -or ($_.message -match "ParentImage.*.*\\Test.exe" -and $_.message -match "Image.*.*\\wmplayer.exe") -or $_.message -match "Image.*C:\\ProgramData\\DRM\\CLR\\CLR.exe" -or ($_.message -match "ParentImage.*C:\\ProgramData\\DRM\\Windows.*" -and $_.message -match "Image.*.*\\SearchFilterHost.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_winnti_pipemon.ps1 b/Rules/SIGMA/process_creation/win_apt_winnti_pipemon.ps1
new file mode 100644
index 00000000..a502a2f3
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_winnti_pipemon.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*setup0.exe -p.*") -or ($_.message -match "CommandLine.*.*setup.exe.*" -and ($_.message -match "CommandLine.*.*-x:0" -or $_.message -match "CommandLine.*.*-x:1" -or $_.message -match "CommandLine.*.*-x:2")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_winnti_pipemon";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_winnti_pipemon";
+ $detectedMessage = "Detects specific process characteristics of Winnti Pipemon malware reported by ESET";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*setup0.exe -p.*") -or ($_.message -match "CommandLine.*.*setup.exe.*" -and ($_.message -match "CommandLine.*.*-x:0" -or $_.message -match "CommandLine.*.*-x:1" -or $_.message -match "CommandLine.*.*-x:2")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
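Review bot: `$detectedMessage` is never assigned in win_apt_winnti_mal_hk_jan20 — the assignment every sibling rule places between `$ruleName` and `$result` is missing — so `Write-Output $detectedMessage` emits an empty line after the `Detected!` banner. Add `$detectedMessage = "<description from the source rule>";` before the `$result` line; the other files in this commit show the expected placement. The `where` block's `Image.*` patterns also share the unanchored field-name issue raised on win_apt_lazarus_session_highjack.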
diff --git a/Rules/SIGMA/process_creation/win_apt_wocao.ps1 b/Rules/SIGMA/process_creation/win_apt_wocao.ps1
new file mode 100644
index 00000000..d572d3cb
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_wocao.ps1
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Security | where {($_.ID -eq "4799" -and $_.message -match "TargetUserName.*Administr.*" -and $_.message -match "CallerProcessName.*.*\\checkadmin.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*checkadmin.exe 127.0.0.1 -all.*" -or $_.message -match "CommandLine.*.*netsh advfirewall firewall add rule name=powershell dir=in.*" -or $_.message -match "CommandLine.*.*cmd /c powershell.exe -ep bypass -file c:\\s.ps1.*" -or $_.message -match "CommandLine.*.*/tn win32times /f.*" -or $_.message -match "CommandLine.*.*create win32times binPath=.*" -or $_.message -match "CommandLine.*.*\\c$\\windows\\system32\\devmgr.dll.*" -or $_.message -match "CommandLine.*.* -exec bypass -enc JgAg.*" -or $_.message -match "CommandLine.*.*type .*keepass\\KeePass.config.xml.*" -or $_.message -match "CommandLine.*.*iie.exe iie.txt.*" -or $_.message -match "CommandLine.*.*reg query HKEY_CURRENT_USER\\Software\\.*\\PuTTY\\Sessions\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_wocao";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_wocao";
+ $detectedMessage = "Detects activity mentioned in Operation Wocao report";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "4799" -and $_.message -match "TargetUserName.*Administr.*" -and $_.message -match "CallerProcessName.*.*\\checkadmin.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*checkadmin.exe 127.0.0.1 -all.*" -or $_.message -match "CommandLine.*.*netsh advfirewall firewall add rule name=powershell dir=in.*" -or $_.message -match "CommandLine.*.*cmd /c powershell.exe -ep bypass -file c:\\s.ps1.*" -or $_.message -match "CommandLine.*.*/tn win32times /f.*" -or $_.message -match "CommandLine.*.*create win32times binPath=.*" -or $_.message -match "CommandLine.*.*\\c$\\windows\\system32\\devmgr.dll.*" -or $_.message -match "CommandLine.*.* -exec bypass -enc JgAg.*" -or $_.message -match "CommandLine.*.*type .*keepass\\KeePass.config.xml.*" -or $_.message -match "CommandLine.*.*iie.exe iie.txt.*" -or $_.message -match "CommandLine.*.*reg query HKEY_CURRENT_USER\\Software\\.*\\PuTTY\\Sessions\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.count() -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_apt_zxshell.ps1 b/Rules/SIGMA/process_creation/win_apt_zxshell.ps1
new file mode 100644
index 00000000..a8c3d9cc
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_apt_zxshell.ps1
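Review bot: `$result.count() -ne 0` in the `foreach` loop invokes `Count` as a method; on the objects `select` emits it is a property, so the call raises a method-not-found error instead of testing the result set, and every other rule in this commit uses the property form `if ($result -and $result.Count -ne 0) {`. Separately, `\\c$\\windows\\system32\\devmgr.dll` leaves the `$` unescaped, and in a .NET regex `$` is the end-of-input anchor, so `c$\\windows` can never match an administrative-share path; write it `\\c\$\\windows\\system32\\devmgr\.dll`. The event ID 1 `where` expression is split across two source lines only by the page layout.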
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\rundll32.exe") -and ($_.message -match "CommandLine.*.*zxFunction.*" -or $_.message -match "CommandLine.*.*RemoteDiskXXXXX.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_apt_zxshell";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_apt_zxshell";
+ $detectedMessage = "Detects a ZxShell start by the called and well-known function name";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\rundll32.exe") -and ($_.message -match "CommandLine.*.*zxFunction.*" -or $_.message -match "CommandLine.*.*RemoteDiskXXXXX.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_attrib_hiding_files.ps1 b/Rules/SIGMA/process_creation/win_attrib_hiding_files.ps1
new file mode 100644
index 00000000..0b645132
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_attrib_hiding_files.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\attrib.exe" -and $_.message -match "CommandLine.*.* +h .*") -and -not ((($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\desktop.ini .*" -or ($_.message -match "ParentImage.*.*\cmd.exe" -and $_.message -match "CommandLine.*+R +H +S +A \.*.cui" -and $_.message -match "ParentCommandLine.*C:\WINDOWS\system32\.*.bat"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_attrib_hiding_files";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_attrib_hiding_files";
+ $detectedMessage = "Detects usage of attrib.exe to hide files from users.";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\attrib.exe" -and $_.message -match "CommandLine.*.* +h .*") -and -not ((($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\desktop.ini .*" -or ($_.message -match "ParentImage.*.*\\cmd.exe" -and $_.message -match "CommandLine.*+R +H +S +A \\.*.cui" -and $_.message -match "ParentCommandLine.*C:\\WINDOWS\\system32\\.*.bat"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_bad_opsec_sacrificial_processes.ps1 b/Rules/SIGMA/process_creation/win_bad_opsec_sacrificial_processes.ps1
new file mode 100644
index 00000000..137bc089
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_bad_opsec_sacrificial_processes.ps1
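Review bot: The `+` characters in `"CommandLine.*.* +h .*"` and `"CommandLine.*+R +H +S +A \\.*.cui"` are regex quantifiers, not literal plus signs, so the rule cannot match what its description promises: ` +h ` parses as "one or more spaces followed by h", which a command line like `attrib +h file` never satisfies, and `.*+R` is a nested quantifier that the .NET regex engine rejects, so the exclusion branch throws at runtime whenever the parent is cmd.exe. Escape them as `"CommandLine.*.* \+h .*"` and `"CommandLine.*\+R \+H \+S \+A \\.*.cui"`. Because `-match` compiles the pattern only when it runs, neither problem shows up at import time; a test that feeds one synthetic `attrib +h` event through `Search-DetectableEvents` would have caught both.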
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\WerFault.exe" -or $_.message -match "CommandLine.*.*\rundll32.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_bad_opsec_sacrificial_processes";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_bad_opsec_sacrificial_processes";
+ $detectedMessage = "'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\WerFault.exe" -or $_.message -match "CommandLine.*.*\\rundll32.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_bootconf_mod.ps1 b/Rules/SIGMA/process_creation/win_bootconf_mod.ps1
new file mode 100644
index 00000000..784e6e93
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_bootconf_mod.ps1
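Review bot: The description says the rule is about `rundll32.exe` and `WerFault.exe` started without arguments, but `"CommandLine.*.*\\WerFault.exe"` and `"CommandLine.*.*\\rundll32.exe"` have no end anchor, so every rundll32 invocation that does carry arguments (a very common benign event) also matches and the rule will be extremely noisy. If the Sysmon Message keeps `CommandLine:` on its own line, anchoring the end of that line expresses the intent: `"(?m)^CommandLine: .*\\rundll32\.exe\s*$"` and the same for WerFault. Separately, `$detectedMessage` is wrapped in a stray pair of single quotes inside the double quotes (`"'Detects … examples.'"`), which will be printed as part of the alert text.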
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\bcdedit.exe" -and $_.message -match "CommandLine.*.*set.*") -and (($_.message -match "CommandLine.*.*bootstatuspolicy.*" -and $_.message -match "CommandLine.*.*ignoreallfailures.*") -or ($_.message -match "CommandLine.*.*recoveryenabled.*" -and $_.message -match "CommandLine.*.*no.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_bootconf_mod";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_bootconf_mod";
+ $detectedMessage = "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\bcdedit.exe" -and $_.message -match "CommandLine.*.*set.*") -and (($_.message -match "CommandLine.*.*bootstatuspolicy.*" -and $_.message -match "CommandLine.*.*ignoreallfailures.*") -or ($_.message -match "CommandLine.*.*recoveryenabled.*" -and $_.message -match "CommandLine.*.*no.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_bypass_squiblytwo.ps1 b/Rules/SIGMA/process_creation/win_bypass_squiblytwo.ps1
new file mode 100644
index 00000000..a1b3ad11
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_bypass_squiblytwo.ps1
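Review bot: The `$detectedMessage` text is cut off mid-sentence (`… as by malware or an attacker as a destructive`) and has a doubled preposition; since this string is what the operator reads on a hit it should be a complete sentence, e.g. `"Identifies use of bcdedit to change boot configuration (bootstatuspolicy ignoreallfailures / recoveryenabled no). This tactic is sometimes used by malware or an attacker as a destructive step to hinder recovery."`. The first sentence also says "delete boot configuration data" while the pattern only matches `set`, so the wording should describe modification rather than deletion.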
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*http.*" -and ((($_.message -match "Image.*.*\wmic.exe") -and $_.message -match "CommandLine.*.*wmic.*" -and $_.message -match "CommandLine.*.*format.*") -or (($_.message -match "1B1A3F43BF37B5BFE60751F2EE2F326E" -or $_.message -match "37777A96245A3C74EB217308F3546F4C" -or $_.message -match "9D87C9D67CE724033C0B40CC4CA1B206") -and $_.message -match "CommandLine.*.*format:.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_bypass_squiblytwo";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_bypass_squiblytwo";
+ $detectedMessage = "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*http.*" -and ((($_.message -match "Image.*.*\\wmic.exe") -and $_.message -match "CommandLine.*.*wmic.*" -and $_.message -match "CommandLine.*.*format.*") -or (($_.message -match "1B1A3F43BF37B5BFE60751F2EE2F326E" -or $_.message -match "37777A96245A3C74EB217308F3546F4C" -or $_.message -match "9D87C9D67CE724033C0B40CC4CA1B206") -and $_.message -match "CommandLine.*.*format:.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_change_default_file_association.ps1 b/Rules/SIGMA/process_creation/win_change_default_file_association.ps1
new file mode 100644
index 00000000..59711606
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_change_default_file_association.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cmd.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*assoc.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_change_default_file_association";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_change_default_file_association";
+ $detectedMessage = "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cmd.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*assoc.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_cmdkey_recon.ps1 b/Rules/SIGMA/process_creation/win_cmdkey_recon.ps1
new file mode 100644
index 00000000..dc95ce57
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_cmdkey_recon.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\cmdkey.exe" -and $_.message -match "CommandLine.*.* /list.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_cmdkey_recon";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_cmdkey_recon";
+ $detectedMessage = "Detects usage of cmdkey to look for cached credentials";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmdkey.exe" -and $_.message -match "CommandLine.*.* /list.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_cmstp_com_object_access.ps1 b/Rules/SIGMA/process_creation/win_cmstp_com_object_access.ps1
new file mode 100644
index 00000000..4a6eb030
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_cmstp_com_object_access.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentCommandLine.*.*\DllHost.exe .*" -and ($_.message -match "ParentCommandLine.*.*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" -or $_.message -match "ParentCommandLine.*.*{3E000D72-A845-4CD9-BD83-80C07C3B881F}")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_cmstp_com_object_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_cmstp_com_object_access";
+ $detectedMessage = "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentCommandLine.*.*\\DllHost.exe .*" -and ($_.message -match "ParentCommandLine.*.*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" -or $_.message -match "ParentCommandLine.*.*{3E000D72-A845-4CD9-BD83-80C07C3B881F}")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_cobaltstrike_process_patterns.ps1 b/Rules/SIGMA/process_creation/win_cobaltstrike_process_patterns.ps1
new file mode 100644
index 00000000..91f6bec0
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_cobaltstrike_process_patterns.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\cmd.exe /C whoami.*" -and $_.message -match "ParentImage.*C:\Temp.*") -or ($_.message -match "CommandLine.*.*conhost.exe 0xffffffff -ForceV1.*" -and ($_.message -match "ParentCommandLine.*.*/C whoami.*" -or $_.message -match "ParentCommandLine.*.*cmd.exe /C echo.*" -or $_.message -match "ParentCommandLine.*.* > \.\pipe.*")) -or (($_.message -match "CommandLine.*.*cmd.exe /c echo.*" -or $_.message -match "CommandLine.*.*> \.\pipe.*" -or $_.message -match "CommandLine.*.*\whoami.exe.*") -and $_.message -match "ParentImage.*.*\dllhost.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_cobaltstrike_process_patterns";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_cobaltstrike_process_patterns";
+ $detectedMessage = "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details)";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\cmd.exe /C whoami.*" -and $_.message -match "ParentImage.*C:\\Temp.*") -or ($_.message -match "CommandLine.*.*conhost.exe 0xffffffff -ForceV1.*" -and ($_.message -match "ParentCommandLine.*.*/C whoami.*" -or $_.message -match "ParentCommandLine.*.*cmd.exe /C echo.*" -or $_.message -match "ParentCommandLine.*.* > \\.\\pipe.*")) -or (($_.message -match "CommandLine.*.*cmd.exe /c echo.*" -or $_.message -match "CommandLine.*.*> \\.\\pipe.*" -or $_.message -match "CommandLine.*.*\\whoami.exe.*") -and $_.message -match "ParentImage.*.*\\dllhost.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_commandline_path_traversal.ps1 b/Rules/SIGMA/process_creation/win_commandline_path_traversal.ps1
new file mode 100644
index 00000000..4c4b48cd
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_commandline_path_traversal.ps1
@@ -0,0 +1,30 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentCommandLine.*.*cmd.*" -and $_.message -match "ParentCommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*/../../.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_commandline_path_traversal";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_commandline_path_traversal";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentCommandLine.*.*cmd.*" -and $_.message -match "ParentCommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*/../../.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_control_panel_item.ps1 b/Rules/SIGMA/process_creation/win_control_panel_item.ps1
new file mode 100644
index 00000000..017c4e4d
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_control_panel_item.ps1
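Review bot: In win_commandline_path_traversal, `Search-DetectableEvents` writes `$detectedMessage` but the file never assigns it, unlike every other rule in this commit, so a hit prints a blank where the description belongs; add `$detectedMessage = "Detects a /../../ path traversal sequence in a command line spawned via cmd /c";` next to the inner `$ruleName` (wording to be confirmed against the Sigma source). The pattern `"CommandLine.*.*/../../.*"` also leaves its dots unescaped, so `/../../` matches any `/xx/yy/` sequence such as an ordinary URL path, which is a false-positive source; `"CommandLine.*/\.\./\.\./.*"` matches the traversal literally. The Maze rule in this commit has the same unescaped dots in `\\..\\..\\system32`.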
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.ID -eq "1") -and $_.message -match "CommandLine.*.*.cpl" -and -not (($_.message -match "CommandLine.*.*\System32\.*" -or $_.message -match "CommandLine.*.*%System%.*"))) -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\reg.exe" -and $_.message -match "CommandLine.*.*add.*" -and ($_.message -match "CommandLine.*.*CurrentVersion\Control Panel\CPLs.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_control_panel_item";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_control_panel_item";
+ $detectedMessage = "Detects the malicious use of a control panel item";
+ $result = $event | where { (($_.ID -eq "1") -and ((($_.ID -eq "1") -and $_.message -match "CommandLine.*.*.cpl" -and -not (($_.message -match "CommandLine.*.*\\System32\\.*" -or $_.message -match "CommandLine.*.*%System%.*"))) -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and $_.message -match "CommandLine.*.*add.*" -and ($_.message -match "CommandLine.*.*CurrentVersion\\Control Panel\\CPLs.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_copying_sensitive_files_with_credential_data.ps1 b/Rules/SIGMA/process_creation/win_copying_sensitive_files_with_credential_data.ps1
new file mode 100644
index 00000000..e34615d6
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_copying_sensitive_files_with_credential_data.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\esentutl.exe" -and ($_.message -match "CommandLine.*.*vss.*" -or $_.message -match "CommandLine.*.* /m .*" -or $_.message -match "CommandLine.*.* /y .*")) -or ($_.message -match "CommandLine.*.*\windows\ntds\ntds.dit.*" -or $_.message -match "CommandLine.*.*\config\sam.*" -or $_.message -match "CommandLine.*.*\config\security.*" -or $_.message -match "CommandLine.*.*\config\system .*" -or $_.message -match "CommandLine.*.*\repair\sam.*" -or $_.message -match "CommandLine.*.*\repair\system.*" -or $_.message -match "CommandLine.*.*\repair\security.*" -or $_.message -match "CommandLine.*.*\config\RegBack\sam.*" -or $_.message -match "CommandLine.*.*\config\RegBack\system.*" -or $_.message -match "CommandLine.*.*\config\RegBack\security.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_copying_sensitive_files_with_credential_data";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_copying_sensitive_files_with_credential_data";
+ $detectedMessage = "Files with well-known filenames (sensitive files with credential data) copying";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\esentutl.exe" -and ($_.message -match "CommandLine.*.*vss.*" -or $_.message -match "CommandLine.*.* /m .*" -or $_.message -match "CommandLine.*.* /y .*")) -or ($_.message -match "CommandLine.*.*\\windows\\ntds\\ntds.dit.*" -or $_.message -match "CommandLine.*.*\\config\\sam.*" -or $_.message -match "CommandLine.*.*\\config\\security.*" -or $_.message -match "CommandLine.*.*\\config\\system .*" -or $_.message -match "CommandLine.*.*\\repair\\sam.*" -or $_.message -match "CommandLine.*.*\\repair\\system.*" -or $_.message -match "CommandLine.*.*\\repair\\security.*" -or $_.message -match "CommandLine.*.*\\config\\RegBack\\sam.*" -or $_.message -match "CommandLine.*.*\\config\\RegBack\\system.*" -or $_.message -match "CommandLine.*.*\\config\\RegBack\\security.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_credential_access_via_password_filter.ps1 b/Rules/SIGMA/process_creation/win_credential_access_via_password_filter.ps1
new file mode 100644
index 00000000..59320072
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_credential_access_via_password_filter.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*HKLM\SYSTEM\CurrentControlSet\Control\Lsa.*" -and $_.message -match "CommandLine.*.*scecli\0.*" -and $_.message -match "CommandLine.*.*reg add.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_credential_access_via_password_filter";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_credential_access_via_password_filter";
+ $detectedMessage = "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*HKLM\\\\SYSTEM\\CurrentControlSet\\Control\\Lsa.*" -and $_.message -match "CommandLine.*.*scecli\\0.*" -and $_.message -match "CommandLine.*.*reg add.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_crime_fireball.ps1 b/Rules/SIGMA/process_creation/win_crime_fireball.ps1
new file mode 100644
index 00000000..322e8731
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_crime_fireball.ps1
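Review bot: `"CommandLine.*.*HKLM\\\\SYSTEM\\CurrentControlSet\\Control\\Lsa.*"` has four backslashes after `HKLM`, which the regex engine reads as two literal backslashes, while every other separator in the same string and the reference command in the header comment (`HKLM\SYSTEM\...`) use one; a normal `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa ...` command line therefore never matches and the rule is dead. It should read `"CommandLine.*.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa.*"`. The header comment and the generated pattern disagreeing is a useful conversion check; in the other rule files the two stay in lockstep.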
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*InstallArcherSvc.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_crime_fireball";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_crime_fireball";
+ $detectedMessage = "Detects Archer malware invocation via rundll32";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*InstallArcherSvc.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_crime_maze_ransomware.ps1 b/Rules/SIGMA/process_creation/win_crime_maze_ransomware.ps1
new file mode 100644
index 00000000..f4d7aca6
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_crime_maze_ransomware.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\WINWORD.exe") -and ($_.message -match "Image.*.*.tmp")) -or ($_.message -match "Image.*.*\wmic.exe" -and $_.message -match "ParentImage.*.*\Temp\.*" -and $_.message -match "CommandLine.*.*shadowcopy delete") -or ($_.message -match "CommandLine.*.*shadowcopy delete" -and $_.message -match "CommandLine.*.*\..\..\system32.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_crime_maze_ransomware";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_crime_maze_ransomware";
+ $detectedMessage = "Detects specific process characteristics of Maze ransomware word document droppers";
+ $result = $event | where { (($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\\WINWORD.exe") -and ($_.message -match "Image.*.*.tmp")) -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "ParentImage.*.*\\Temp\\.*" -and $_.message -match "CommandLine.*.*shadowcopy delete") -or ($_.message -match "CommandLine.*.*shadowcopy delete" -and $_.message -match "CommandLine.*.*\\..\\..\\system32.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_crime_snatch_ransomware.ps1 b/Rules/SIGMA/process_creation/win_crime_snatch_ransomware.ps1
new file mode 100644
index 00000000..158e5e49
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_crime_snatch_ransomware.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*shutdown /r /f /t 00.*" -or $_.message -match "CommandLine.*.*net stop SuperBackupMan.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_crime_snatch_ransomware";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_crime_snatch_ransomware";
+ $detectedMessage = "Detects specific process characteristics of Snatch ransomware word document droppers";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*shutdown /r /f /t 00.*" -or $_.message -match "CommandLine.*.*net stop SuperBackupMan.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_data_compressed_with_rar.ps1 b/Rules/SIGMA/process_creation/win_data_compressed_with_rar.ps1
new file mode 100644
index 00000000..cc763943
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_data_compressed_with_rar.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\rar.exe" -and $_.message -match "CommandLine.*.* a .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_data_compressed_with_rar";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_data_compressed_with_rar";
+ $detectedMessage = "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\rar.exe" -and $_.message -match "CommandLine.*.* a .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_dns_exfiltration_tools_execution.ps1 b/Rules/SIGMA/process_creation/win_dns_exfiltration_tools_execution.ps1
new file mode 100644
index 00000000..a598db5f
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_dns_exfiltration_tools_execution.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\iodine.exe" -or $_.message -match "Image.*.*\dnscat2.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_dns_exfiltration_tools_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_dns_exfiltration_tools_execution";
+ $detectedMessage = "Well-known DNS Exfiltration tools execution";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\iodine.exe" -or $_.message -match "Image.*.*\\dnscat2.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_dnscat2_powershell_implementation.ps1 b/Rules/SIGMA/process_creation/win_dnscat2_powershell_implementation.ps1
new file mode 100644
index 00000000..f6966bf3
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_dnscat2_powershell_implementation.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\powershell.exe" -and $_.message -match "Image.*.*\nslookup.exe" -and $_.message -match "CommandLine.*.*\nslookup.exe") } | select ParentImage, Image | group ParentImage | foreach { [PSCustomObject]@{'ParentImage'=$_.name;'Count'=($_.group.Image | sort -u).count} } | sort count -desc | where { $_.count -gt 100 }
+
+function Add-Rule {
+
+ $ruleName = "win_dnscat2_powershell_implementation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_dnscat2_powershell_implementation";
+ $detectedMessage = "The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "Image.*.*\\nslookup.exe" -and $_.message -match "CommandLine.*.*\\nslookup.exe") } | select ParentImage, Image | group ParentImage | foreach { [PSCustomObject]@{'ParentImage' = $_.name; 'Count' = ($_.group.Image | sort -u).count } } | sort count -desc | where { $_.count -gt 100 };
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_encoded_frombase64string.ps1 b/Rules/SIGMA/process_creation/win_encoded_frombase64string.ps1
new file mode 100644
index 00000000..0fd54378
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_encoded_frombase64string.ps1
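Review bot: `select ParentImage, Image | group ParentImage` projects properties the incoming objects do not appear to have: the filter in front of it reads `$_.ID` and `$_.message`, i.e. these are Get-WinEvent records whose Sysmon fields live inside the Message text, so `ParentImage` and `Image` come back empty, every event lands in one group and `$_.count -gt 100` can never be true — the rule never fires. The fields need to be extracted from `$_.message` before grouping (assuming the usual Sysmon `Image: <path>` / `ParentImage: <path>` lines in the Message). Note also that the description talks about counting nslookup *processes* per PowerShell parent, while `($_.group.Image | sort -u).count` counts distinct image paths, which the filter has already pinned to nslookup.exe, so even with correct extraction the count stays at 1; `$_.Count` (events per group) matches the stated intent. Sketch of the replacement for the `$result = …` statement:

```powershell
$result = $event |
    where { <# … unchanged filter on ID, ParentImage, Image, CommandLine … #> } |
    foreach {
        # Sysmon fields are inside the Message text; pull them out before grouping.
        $parentImage = if ($_.message -match '(?m)^ParentImage:\s*(?<p>.+?)\s*$') { $matches.p } else { '' };
        $image       = if ($_.message -match '(?m)^Image:\s*(?<i>.+?)\s*$') { $matches.i } else { '' };
        [PSCustomObject]@{ ParentImage = $parentImage; Image = $image };
    } |
    group ParentImage |
    foreach { [PSCustomObject]@{ 'ParentImage' = $_.Name; 'Count' = $_.Count } } |
    sort Count -desc | where { $_.Count -gt 100 };
```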
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*OjpGcm9tQmFzZTY0U3RyaW5n.*" -or $_.message -match "CommandLine.*.*o6RnJvbUJhc2U2NFN0cmluZ.*" -or $_.message -match "CommandLine.*.*6OkZyb21CYXNlNjRTdHJpbm.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_encoded_frombase64string"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_encoded_frombase64string"; + $detectedMessage = "Detects a base64 encoded FromBase64String keyword in a process command line"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*OjpGcm9tQmFzZTY0U3RyaW5n.*" -or $_.message -match "CommandLine.*.*o6RnJvbUJhc2U2NFN0cmluZ.*" -or $_.message -match "CommandLine.*.*6OkZyb21CYXNlNjRTdHJpbm.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_encoded_iex.ps1 b/Rules/SIGMA/process_creation/win_encoded_iex.ps1 new file mode 100644 index 00000000..3e56d82b --- /dev/null +++ b/Rules/SIGMA/process_creation/win_encoded_iex.ps1 
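Review bot: The three Base64 rotations in the `$result` filter (`OjpGcm9tQmFzZTY0U3RyaW5n`, `o6RnJvbUJhc2U2NFN0cmluZ`, `6OkZyb21CYXNlNjRTdHJpbm`) are case-sensitive by construction, but `-match` is case-insensitive, so the rule also fires on differently-cased strings that decode to something else entirely; use `-cmatch` for these three comparisons. The patterns are also tested against the whole message, so a hit on the `ParentCommandLine:` line is reported as if it were the process's own command line; either mention that in `$detectedMessage` or anchor the field with `(?m)^CommandLine:`.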
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*SUVYIChb.*" -or $_.message -match "CommandLine.*.*lFWCAoW.*" -or $_.message -match "CommandLine.*.*JRVggKF.*" -or $_.message -match "CommandLine.*.*aWV4IChb.*" -or $_.message -match "CommandLine.*.*lleCAoW.*" -or $_.message -match "CommandLine.*.*pZXggKF.*" -or $_.message -match "CommandLine.*.*aWV4IChOZX.*" -or $_.message -match "CommandLine.*.*lleCAoTmV3.*" -or $_.message -match "CommandLine.*.*pZXggKE5ld.*" -or $_.message -match "CommandLine.*.*SUVYIChOZX.*" -or $_.message -match "CommandLine.*.*lFWCAoTmV3.*" -or $_.message -match "CommandLine.*.*JRVggKE5ld.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_encoded_iex"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_encoded_iex"; + $detectedMessage = "Detects a base64 encoded IEX command string in a process command line"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*SUVYIChb.*" -or $_.message -match "CommandLine.*.*lFWCAoW.*" -or $_.message -match "CommandLine.*.*JRVggKF.*" -or $_.message -match "CommandLine.*.*aWV4IChb.*" -or $_.message -match "CommandLine.*.*lleCAoW.*" -or $_.message -match "CommandLine.*.*pZXggKF.*" -or $_.message -match "CommandLine.*.*aWV4IChOZX.*" -or $_.message -match "CommandLine.*.*lleCAoTmV3.*" -or $_.message -match "CommandLine.*.*pZXggKE5ld.*" -or $_.message -match "CommandLine.*.*SUVYIChOZX.*" -or $_.message -match "CommandLine.*.*lFWCAoTmV3.*" -or $_.message -match "CommandLine.*.*JRVggKE5ld.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . 
Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_etw_modification_cmdline.ps1 b/Rules/SIGMA/process_creation/win_etw_modification_cmdline.ps1 new file mode 100644 index 00000000..5a7ee827 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_etw_modification_cmdline.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*COMPlus_ETWEnabled=0.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_etw_modification_cmdline"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_etw_modification_cmdline"; + $detectedMessage = "Potential adversaries stopping ETW providers recording loaded .NET assemblies."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*COMPlus_ETWEnabled=0.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_etw_trace_evasion.ps1 b/Rules/SIGMA/process_creation/win_etw_trace_evasion.ps1 new file mode 100644 index 00000000..031c89f4 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_etw_trace_evasion.ps1 
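Review bot: The twelve alternatives in the `$result` filter appear to be Base64 rotations of `IEX (`/`iex (` prefixes, which are case-sensitive, yet each is compared with the case-insensitive `-match`; `-cmatch` would keep the encodings exact. Stylistically, twelve `-or` clauses over the same field collapse to one alternation, e.g. `$_.message -cmatch "CommandLine.*(SUVYIChb|lFWCAoW|JRVggKF|aWV4IChb|lleCAoW|pZXggKF|aWV4IChOZX|lleCAoTmV3|pZXggKE5ld|SUVYIChOZX|lFWCAoTmV3|JRVggKE5ld)"`, which is much easier to audit against the Sigma source. A one-line comment listing the decoded plaintext of each token (`# IEX ([`, `# iex (New`, …) would help the next maintainer.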
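Review bot: `CommandLine.*.*COMPlus_ETWEnabled=0.*` in the `$result` filter only matches the variable and value written without whitespace, as in `set COMPlus_ETWEnabled=0`; the PowerShell form `$env:COMPlus_ETWEnabled = 0` (or `= '0'`) is not matched. A tolerant pattern such as `"CommandLine.*COMPlus_ETWEnabled\s*=\s*\W?0"` covers both spellings. Setting the variable through the registry or an inherited environment block produces no command line at all, which is worth recording in `$detectedMessage` as a known gap of this rule.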
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*cl.*" -and $_.message -match "CommandLine.*.*/Trace.*") -or ($_.message -match "CommandLine.*.*clear-log.*" -and $_.message -match "CommandLine.*.*/Trace.*") -or ($_.message -match "CommandLine.*.*sl.*" -and $_.message -match "CommandLine.*.*/e:false.*") -or ($_.message -match "CommandLine.*.*set-log.*" -and $_.message -match "CommandLine.*.*/e:false.*") -or ($_.message -match "CommandLine.*.*Remove-EtwTraceProvider.*" -and $_.message -match "CommandLine.*.*EventLog-Microsoft-Windows-WMI-Activity-Trace.*" -and $_.message -match "CommandLine.*.*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}.*") -or ($_.message -match "CommandLine.*.*Set-EtwTraceProvider.*" -and $_.message -match "CommandLine.*.*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}.*" -and $_.message -match "CommandLine.*.*EventLog-Microsoft-Windows-WMI-Activity-Trace.*" -and $_.message -match "CommandLine.*.*0x11.*") -or ($_.message -match "CommandLine.*.*logman.*" -and $_.message -match "CommandLine.*.*update.*" -and $_.message -match "CommandLine.*.*trace.*" -and $_.message -match "CommandLine.*.*--p.*" -and $_.message -match "CommandLine.*.*-ets.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_etw_trace_evasion"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_etw_trace_evasion"; + $detectedMessage = "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion."; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*cl.*" -and $_.message -match "CommandLine.*.*/Trace.*") -or ($_.message -match "CommandLine.*.*clear-log.*" -and $_.message -match "CommandLine.*.*/Trace.*") -or ($_.message -match "CommandLine.*.*sl.*" -and $_.message -match "CommandLine.*.*/e:false.*") -or ($_.message -match 
"CommandLine.*.*set-log.*" -and $_.message -match "CommandLine.*.*/e:false.*") -or ($_.message -match "CommandLine.*.*Remove-EtwTraceProvider.*" -and $_.message -match "CommandLine.*.*EventLog-Microsoft-Windows-WMI-Activity-Trace.*" -and $_.message -match "CommandLine.*.*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}.*") -or ($_.message -match "CommandLine.*.*Set-EtwTraceProvider.*" -and $_.message -match "CommandLine.*.*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}.*" -and $_.message -match "CommandLine.*.*EventLog-Microsoft-Windows-WMI-Activity-Trace.*" -and $_.message -match "CommandLine.*.*0x11.*") -or ($_.message -match "CommandLine.*.*logman.*" -and $_.message -match "CommandLine.*.*update.*" -and $_.message -match "CommandLine.*.*trace.*" -and $_.message -match "CommandLine.*.*--p.*" -and $_.message -match "CommandLine.*.*-ets.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_exchange_transportagent.ps1 b/Rules/SIGMA/process_creation/win_exchange_transportagent.ps1 new file mode 100644 index 00000000..976fc511 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exchange_transportagent.ps1 
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Install-TransportAgent.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message +# Get-WinEvent -LogName MSExchange Management | where { ($_.message -match ".*Install-TransportAgent.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message + +function Add-Rule { + + $ruleName = "win_exchange_transportagent"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exchange_transportagent"; + $detectedMessage = "Detects the Installation of a Exchange Transport Agent"; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Install-TransportAgent.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.message -match ".*Install-TransportAgent.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMesssage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_exfiltration_and_tunneling_tools_execution.ps1 b/Rules/SIGMA/process_creation/win_exfiltration_and_tunneling_tools_execution.ps1 new file mode 100644 index 00000000..e759f8d5 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exfiltration_and_tunneling_tools_execution.ps1 
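Review bot: `Write-Output $detectedMesssage;` inside the `foreach` spells the variable with three `s`, which never resolves to the `$detectedMessage` defined above it, so a hit prints an empty line where the description belongs (or fails under `Set-StrictMode`); it should read `Write-Output $detectedMessage;`. The second query, `$_.message -match ".*Install-TransportAgent.*"` with no Id or log filter, also re-selects the Sysmon event-1 records the first query already reported, so a single install can appear twice; restricting it to the MSExchange Management records the header comment targets (something like a `$_.LogName` or `$_.ProviderName` check) would avoid the duplicate.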
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\plink.exe" -or $_.message -match "Image.*.*\socat.exe" -or $_.message -match "Image.*.*\stunnel.exe" -or $_.message -match "Image.*.*\httptunnel.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_exfiltration_and_tunneling_tools_execution"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exfiltration_and_tunneling_tools_execution"; + $detectedMessage = "Execution of well known tools for data exfiltration and tunneling"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\plink.exe" -or $_.message -match "Image.*.*\\socat.exe" -or $_.message -match "Image.*.*\\stunnel.exe" -or $_.message -match "Image.*.*\\httptunnel.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_exploit_cve_2015_1641.ps1 b/Rules/SIGMA/process_creation/win_exploit_cve_2015_1641.ps1 new file mode 100644 index 00000000..39132bdd --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exploit_cve_2015_1641.ps1 
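Review bot: The commented one-liner on the first line is not runnable as written: its single-backslash patterns are regex escapes in .NET, so `\p` (`\plink.exe`) and `\h` (`\httptunnel.exe`) should throw an unrecognized-escape error and `\s` (`\socat.exe`, `\stunnel.exe`) silently becomes a whitespace class. The code below correctly doubles them (`\\plink.exe`); the comment should match, or be labelled as the Sigma-derived query rather than a paste-able command, e.g. `# Sigma source query (backslashes need doubling before running):`. Note too that `Image.*` also matches the `ParentImage:` line, so child processes of these tools are reported as well.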
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\WINWORD.EXE" -and $_.message -match "Image.*.*\MicroScMgmt.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_exploit_cve_2015_1641"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exploit_cve_2015_1641"; + $detectedMessage = "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\WINWORD.EXE" -and $_.message -match "Image.*.*\\MicroScMgmt.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_exploit_cve_2017_0261.ps1 b/Rules/SIGMA/process_creation/win_exploit_cve_2017_0261.ps1 new file mode 100644 index 00000000..394e58b5 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exploit_cve_2017_0261.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\WINWORD.EXE" -and $_.message -match "Image.*.*\FLTLDR.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_exploit_cve_2017_0261"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exploit_cve_2017_0261"; + $detectedMessage = "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\WINWORD.EXE" -and $_.message -match "Image.*.*\\FLTLDR.exe.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_exploit_cve_2017_11882.ps1 b/Rules/SIGMA/process_creation/win_exploit_cve_2017_11882.ps1 new file mode 100644 index 00000000..21ec9aec --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exploit_cve_2017_11882.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\EQNEDT32.EXE") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_exploit_cve_2017_11882"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exploit_cve_2017_11882"; + $detectedMessage = "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\EQNEDT32.EXE") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_exploit_cve_2017_8759.ps1 b/Rules/SIGMA/process_creation/win_exploit_cve_2017_8759.ps1 new file mode 100644 index 00000000..10902da0 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exploit_cve_2017_8759.ps1 
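Review bot: `$detectedMessage` says the rule detects exploits that "start EQNEDT32.EXE", but the filter only matches `ParentImage.*.*\\EQNEDT32.EXE`, i.e. processes spawned by an already-running Equation Editor; the launch of EQNEDT32.EXE itself is not covered. Reword to something like `"Detects child processes spawned by EQNEDT32.EXE (Equation Editor), e.g. mshta.exe, as seen in CVE-2017-11882 exploitation"` so analysts know what fired. Because any child qualifies, benign children, if any appear in your environment, will need tuning out.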
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\WINWORD.EXE" -and $_.message -match "Image.*.*\csc.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_exploit_cve_2017_8759"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exploit_cve_2017_8759"; + $detectedMessage = "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\WINWORD.EXE" -and $_.message -match "Image.*.*\\csc.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_exploit_cve_2019_1378.ps1 b/Rules/SIGMA/process_creation/win_exploit_cve_2019_1378.ps1 new file mode 100644 index 00000000..5d208662 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exploit_cve_2019_1378.ps1 
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "ParentCommandLine.*.*\cmd.exe.*" -and $_.message -match "ParentCommandLine.*.*/c.*" -and $_.message -match "ParentCommandLine.*.*C:\Windows\Setup\Scripts\.*" -and ($_.message -match "ParentCommandLine.*.*SetupComplete.cmd" -or $_.message -match "ParentCommandLine.*.*PartnerSetupComplete.cmd")) -and -not (($_.message -match "Image.*C:\Windows\System32\.*" -or $_.message -match "Image.*C:\Windows\SysWOW64\.*" -or $_.message -match "Image.*C:\Windows\WinSxS\.*" -or $_.message -match "Image.*C:\Windows\Setup\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_exploit_cve_2019_1378"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exploit_cve_2019_1378"; + $detectedMessage = "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 "; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "ParentCommandLine.*.*\\cmd.exe.*" -and $_.message -match "ParentCommandLine.*.*/c.*" -and $_.message -match "ParentCommandLine.*.*C:\\Windows\\Setup\\Scripts\\.*" -and ($_.message -match "ParentCommandLine.*.*SetupComplete.cmd" -or $_.message -match "ParentCommandLine.*.*PartnerSetupComplete.cmd")) -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*" -or $_.message -match "Image.*C:\\Windows\\Setup\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_exploit_cve_2019_1388.ps1 b/Rules/SIGMA/process_creation/win_exploit_cve_2019_1388.ps1 new file mode 100644 index 00000000..5e370ec0 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exploit_cve_2019_1388.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\consent.exe" -and $_.message -match "Image.*.*\iexplore.exe" -and $_.message -match "CommandLine.*.* http.*" -and ($_.ID -eq "1") -and ($_.message -match "IntegrityLevel.*System" -or $_.message -match "User.*NT AUTHORITY\SYSTEM")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_exploit_cve_2019_1388"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exploit_cve_2019_1388"; + $detectedMessage = "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\consent.exe" -and $_.message -match "Image.*.*\\iexplore.exe" -and $_.message -match "CommandLine.*.* http.*" -and ($_.ID -eq "1") -and ($_.message -match "IntegrityLevel.*System" -or $_.message -match "User.*NT AUTHORITY\\SYSTEM")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
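Review bot: The `-not (...)` exclusion in the `$result` filter appears to make this rule unreachable: `Image.*C:\\Windows\\System32\\.*` is tested against the whole message, where `Image` also matches the `ParentImage:` line, and the parent here is the `cmd.exe` named in `ParentCommandLine`, which normally resolves under `C:\Windows\System32\` (or `SysWOW64`), so the exclusion is satisfied for every candidate event. Anchor the exclusions to the child's field, e.g. `$_.message -match "(?m)^Image:\s*C:\\Windows\\System32\\"` for each of the four paths, so only the spawned process's own path is tested. A short comment above `$result` explaining that the exclusions must not match the parent line would stop this from regressing.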
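Review bot: `($_.ID -eq "1")` appears twice in the `$result` filter, once at the start and again after the `CommandLine.*.* http.*` clause, so the second copy is dead and makes the condition harder to read; drop it. `CommandLine.*.* http.*` also requires a literal space before `http`, which would miss a URL that directly follows a quote; `'CommandLine.*[\s"]http'` catches both forms.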
diff --git a/Rules/SIGMA/process_creation/win_exploit_cve_2020_10189.ps1 b/Rules/SIGMA/process_creation/win_exploit_cve_2020_10189.ps1 new file mode 100644 index 00000000..a2130c99 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exploit_cve_2020_10189.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*DesktopCentral_Server\jre\bin\java.exe" -and ($_.message -match "Image.*.*\cmd.exe" -or $_.message -match "Image.*.*\powershell.exe" -or $_.message -match "Image.*.*\bitsadmin.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_exploit_cve_2020_10189"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exploit_cve_2020_10189"; + $detectedMessage = "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*DesktopCentral_Server\\jre\\bin\\java.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_exploit_cve_2020_1048.ps1 b/Rules/SIGMA/process_creation/win_exploit_cve_2020_1048.ps1 new file mode 100644 index 00000000..d8fbbd84 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exploit_cve_2020_1048.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Add-PrinterPort -Name.*") -and ($_.message -match "CommandLine.*.*.exe.*" -or $_.message -match "CommandLine.*.*.dll.*" -or $_.message -match "CommandLine.*.*.bat.*")) -or ($_.message -match "CommandLine.*.*Generic / Text Only.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_exploit_cve_2020_1048"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exploit_cve_2020_1048"; + $detectedMessage = "Detects new commands that add new printer port which point to suspicious file"; + $result = $event | where { (($_.ID -eq "1") -and (($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Add-PrinterPort -Name.*") -and ($_.message -match "CommandLine.*.*.exe.*" -or $_.message -match "CommandLine.*.*.dll.*" -or $_.message -match "CommandLine.*.*.bat.*")) -or ($_.message -match "CommandLine.*.*Generic / Text Only.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_exploit_cve_2020_1350.ps1 b/Rules/SIGMA/process_creation/win_exploit_cve_2020_1350.ps1 new file mode 100644 index 00000000..2ecc5e22 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_exploit_cve_2020_1350.ps1 
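Review bot: The second alternative of the `$result` filter, `CommandLine.*.*Generic / Text Only.*`, fires on any command line containing that driver name independent of `Add-PrinterPort`, while `$detectedMessage` ("Detects new commands that add new printer port which point to suspicious file") describes only the first branch, so a hit from the second branch is misleading to the analyst. Extend the message, e.g. `"Detects Add-PrinterPort commands pointing a port at an .exe/.dll/.bat, or any command referencing the 'Generic / Text Only' printer driver (CVE-2020-1048)"`. The inner `($_.ID -eq "1" -and ...)` repeats the outer ID check and can be dropped, and `.exe`/`.dll`/`.bat` should escape the dot (`\.exe`) since `.` currently matches any character.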
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\System32\dns.exe" -and -not (($_.message -match "Image.*.*\System32\werfault.exe" -or $_.message -match "Image.*.*\System32\conhost.exe" -or $_.message -match "Image.*.*\System32\dnscmd.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_exploit_cve_2020_1350"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_exploit_cve_2020_1350"; + $detectedMessage = "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process"; + $result = $event | where { (($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\System32\\dns.exe" -and -not (($_.message -match "Image.*.*\\System32\\werfault.exe" -or $_.message -match "Image.*.*\\System32\\conhost.exe" -or $_.message -match "Image.*.*\\System32\\dnscmd.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_file_permission_modifications.ps1 b/Rules/SIGMA/process_creation/win_file_permission_modifications.ps1 new file mode 100644 index 00000000..80082c03 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_file_permission_modifications.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\takeown.exe" -or $_.message -match "Image.*.*\cacls.exe" -or $_.message -match "Image.*.*\icacls.exe") -and $_.message -match "CommandLine.*.*/grant.*") -or ($_.message -match "Image.*.*\attrib.exe" -and $_.message -match "CommandLine.*.*-r.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_file_permission_modifications"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_file_permission_modifications"; + $detectedMessage = "Detects a file or folder's permissions being modified."; + $result = $event | where { (($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\takeown.exe" -or $_.message -match "Image.*.*\\cacls.exe" -or $_.message -match "Image.*.*\\icacls.exe") -and $_.message -match "CommandLine.*.*/grant.*") -or ($_.message -match "Image.*.*\\attrib.exe" -and $_.message -match "CommandLine.*.*-r.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_grabbing_sensitive_hives_via_reg.ps1 b/Rules/SIGMA/process_creation/win_grabbing_sensitive_hives_via_reg.ps1 new file mode 100644 index 00000000..039a41b7 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_grabbing_sensitive_hives_via_reg.ps1 
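Review bot: The `takeown.exe` branch of the `$result` filter can never fire: it is ANDed with `CommandLine.*.*/grant.*`, and as far as I know takeown.exe has no `/grant` switch (that is icacls/cacls syntax), so ownership changes via takeown are silently uncovered even though `$detectedMessage` promises permission-modification detection. Either give takeown its own clause, e.g. `($_.message -match "Image.*\\takeown.exe" -and $_.message -match "CommandLine.*\s/f\s")`, or drop it from the list and say so in the message. The `attrib.exe` branch's `CommandLine.*.*-r.*` is a bare substring that also matches any `-r…` inside a path or file name; `CommandLine.*\s-r\b` targets the read-only flag specifically.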
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\reg.exe" -and ($_.message -match "CommandLine.*.*save.*" -or $_.message -match "CommandLine.*.*export.*" -or $_.message -match "CommandLine.*.*ˢave.*" -or $_.message -match "CommandLine.*.*eˣport.*") -and ($_.message -match "CommandLine.*.*hklm.*" -or $_.message -match "CommandLine.*.*hk˪m.*" -or $_.message -match "CommandLine.*.*hkey_local_machine.*" -or $_.message -match "CommandLine.*.*hkey_˪ocal_machine.*" -or $_.message -match "CommandLine.*.*hkey_loca˪_machine.*" -or $_.message -match "CommandLine.*.*hkey_˪oca˪_machine.*") -and ($_.message -match "CommandLine.*.*\system" -or $_.message -match "CommandLine.*.*\sam" -or $_.message -match "CommandLine.*.*\security" -or $_.message -match "CommandLine.*.*\ˢystem" -or $_.message -match "CommandLine.*.*\syˢtem" -or $_.message -match "CommandLine.*.*\ˢyˢtem" -or $_.message -match "CommandLine.*.*\ˢam" -or $_.message -match "CommandLine.*.*\ˢecurity")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_grabbing_sensitive_hives_via_reg"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_grabbing_sensitive_hives_via_reg"; + $detectedMessage = "Dump sam, system or security hives using REG.exe utility"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and ($_.message -match "CommandLine.*.*save.*" -or $_.message -match "CommandLine.*.*export.*" -or $_.message -match "CommandLine.*.*ˢave.*" -or $_.message -match "CommandLine.*.*eˣport.*") -and ($_.message -match "CommandLine.*.*hklm.*" -or $_.message -match "CommandLine.*.*hk˪m.*" -or $_.message -match "CommandLine.*.*hkey_local_machine.*" -or $_.message -match "CommandLine.*.*hkey_˪ocal_machine.*" -or $_.message -match "CommandLine.*.*hkey_loca˪_machine.*" -or $_.message -match 
"CommandLine.*.*hkey_˪oca˪_machine.*") -and ($_.message -match "CommandLine.*.*\\system" -or $_.message -match "CommandLine.*.*\\sam" -or $_.message -match "CommandLine.*.*\\security" -or $_.message -match "CommandLine.*.*\\ˢystem" -or $_.message -match "CommandLine.*.*\\syˢtem" -or $_.message -match "CommandLine.*.*\\ˢyˢtem" -or $_.message -match "CommandLine.*.*\\ˢam" -or $_.message -match "CommandLine.*.*\\ˢecurity")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_hack_adcspwn.ps1 b/Rules/SIGMA/process_creation/win_hack_adcspwn.ps1 new file mode 100644 index 00000000..c8eaaf80 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_hack_adcspwn.ps1 
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* --adcs .*" -and $_.message -match "CommandLine.*.* --port .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_hack_adcspwn";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_hack_adcspwn";
+ $detectedMessage = "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.* --adcs .*" -and $_.message -match "CommandLine.*.* --port .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_hack_bloodhound.ps1 b/Rules/SIGMA/process_creation/win_hack_bloodhound.ps1
new file mode 100644
index 00000000..34475acb
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_hack_bloodhound.ps1
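Review bot: Style: the patterns in `$result` are written as `CommandLine.*.* --adcs .*`, where the doubled `.*.*` and the trailing `.*` add nothing, because `-match` is already an unanchored substring search; `CommandLine.* --adcs ` says exactly the same thing and is easier to read when a rule has a dozen of these. The same redundant form is used in every rule file in this chunk, so if it is cleaned up it should be done generator-side rather than per file.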
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\Bloodhound.exe.*" -or $_.message -match "Image.*.*\SharpHound.exe.*") -or ($_.message -match "CommandLine.*.* -CollectionMethod All .*" -or $_.message -match "CommandLine.*.*.exe -c All -d .*" -or $_.message -match "CommandLine.*.*Invoke-Bloodhound.*" -or $_.message -match "CommandLine.*.*Get-BloodHoundData.*") -or ($_.message -match "CommandLine.*.* -JsonFolder .*" -and $_.message -match "CommandLine.*.* -ZipFileName .*") -or ($_.message -match "CommandLine.*.* DCOnly .*" -and $_.message -match "CommandLine.*.* --NoSaveCache .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_hack_bloodhound"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_hack_bloodhound"; + $detectedMessage = "Detects command line parameters used by Bloodhound and Sharphound hack tools"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\Bloodhound.exe.*" -or $_.message -match "Image.*.*\\SharpHound.exe.*") -or ($_.message -match "CommandLine.*.* -CollectionMethod All .*" -or $_.message -match "CommandLine.*.*.exe -c All -d .*" -or $_.message -match "CommandLine.*.*Invoke-Bloodhound.*" -or $_.message -match "CommandLine.*.*Get-BloodHoundData.*") -or ($_.message -match "CommandLine.*.* -JsonFolder .*" -and $_.message -match "CommandLine.*.* -ZipFileName .*") -or ($_.message -match "CommandLine.*.* DCOnly .*" -and $_.message -match "CommandLine.*.* --NoSaveCache .*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_hack_koadic.ps1 b/Rules/SIGMA/process_creation/win_hack_koadic.ps1 new file mode 100644 index 00000000..6c95e9a4 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_hack_koadic.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\cmd.exe" -and $_.message -match "CommandLine.*.*/q.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*chcp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_hack_koadic"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_hack_koadic"; + $detectedMessage = "Detects command line parameters used by Koadic hack tool"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*/q.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*chcp.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_hack_rubeus.ps1 b/Rules/SIGMA/process_creation/win_hack_rubeus.ps1 new file mode 100644 index 00000000..fbe31282 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_hack_rubeus.ps1 
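Review bot: The `Invoke-Bloodhound` and `Get-BloodHoundData` branches in `$result` only fire when those names appear verbatim in the process command line; a PowerShell collector invoked through `-EncodedCommand` or loaded from a script file leaves no such string in Sysmon event 1, so coverage of the PowerShell collector is narrower than the detected message ("command line parameters used by Bloodhound and Sharphound") suggests. A comment above `$result` noting that this leg depends on plaintext command lines, with script block logging (event 4104) as the complementary source, would set expectations for whoever tunes the rule.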
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* asreproast .*" -or $_.message -match "CommandLine.*.* dump /service:krbtgt .*" -or $_.message -match "CommandLine.*.* kerberoast .*" -or $_.message -match "CommandLine.*.* createnetonly /program:.*" -or $_.message -match "CommandLine.*.* ptt /ticket:.*" -or $_.message -match "CommandLine.*.* /impersonateuser:.*" -or $_.message -match "CommandLine.*.* renew /ticket:.*" -or $_.message -match "CommandLine.*.* asktgt /user:.*" -or $_.message -match "CommandLine.*.* harvest /interval:.*" -or $_.message -match "CommandLine.*.* s4u /user:.*" -or $_.message -match "CommandLine.*.* s4u /ticket:.*" -or $_.message -match "CommandLine.*.* hash /password:.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_hack_rubeus"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_hack_rubeus"; + $detectedMessage = "Detects command line parameters used by Rubeus hack tool"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* asreproast .*" -or $_.message -match "CommandLine.*.* dump /service:krbtgt .*" -or $_.message -match "CommandLine.*.* kerberoast .*" -or $_.message -match "CommandLine.*.* createnetonly /program:.*" -or $_.message -match "CommandLine.*.* ptt /ticket:.*" -or $_.message -match "CommandLine.*.* /impersonateuser:.*" -or $_.message -match "CommandLine.*.* renew /ticket:.*" -or $_.message -match "CommandLine.*.* asktgt /user:.*" -or $_.message -match "CommandLine.*.* harvest /interval:.*" -or $_.message -match "CommandLine.*.* s4u /user:.*" -or $_.message -match "CommandLine.*.* s4u /ticket:.*" -or $_.message -match "CommandLine.*.* hash /password:.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + 
Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_hack_secutyxploded.ps1 b/Rules/SIGMA/process_creation/win_hack_secutyxploded.ps1 new file mode 100644 index 00000000..9d744c1e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_hack_secutyxploded.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Company.*SecurityXploded" -or $_.message -match "Image.*.*PasswordDump.exe" -or $_.message -match "OriginalFileName.*.*PasswordDump.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_hack_secutyxploded"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_hack_secutyxploded"; + $detectedMessage = "Detects the execution of SecurityXploded Tools"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Company.*SecurityXploded" -or $_.message -match "Image.*.*PasswordDump.exe" -or $_.message -match "OriginalFileName.*.*PasswordDump.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_hh_chm.ps1 b/Rules/SIGMA/process_creation/win_hh_chm.ps1 new file mode 100644 index 00000000..85684daf --- /dev/null 
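Review bot: Several Rubeus patterns in `$result` end in ` .*` after a bare verb (` kerberoast .*`, ` asreproast .*`), which requires a literal space after the verb; when the verb is the final token of the command line, Sysmon's CommandLine line ends right after it and the pattern does not match. `\skerberoast(\s|$)` under `(?m)` matches both forms. The bloodhound rule's ` DCOnly .*` and ` --NoSaveCache .*` carry the same dependence on a trailing argument. Also, this file writes `if(!` and `} else {` while the koadic and adcspwn files write `if (!` with `else` on its own line — pick one layout for the generated files.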
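Review bot: The rule name and file name spell the vendor as `secutyxploded`, while the detected message and the `Company.*SecurityXploded` pattern use SecurityXploded. Because `$ruleName` is the `$ruleStack` key, correcting the spelling later changes an identifier other tooling may already reference, so it is cheapest to fix now: `$ruleName = "win_hack_securityxploded";` in both places, with the file renamed to match.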
+++ b/Rules/SIGMA/process_creation/win_hh_chm.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\hh.exe" -and $_.message -match "CommandLine.*.*.chm.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_hh_chm"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_hh_chm"; + $detectedMessage = "Identifies usage of hh.exe executing recently modified .chm files."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\hh.exe" -and $_.message -match "CommandLine.*.*.chm.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_hktl_createminidump.ps1 b/Rules/SIGMA/process_creation/win_hktl_createminidump.ps1 new file mode 100644 index 00000000..baffa635 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_hktl_createminidump.ps1 
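Review bot: In `$result` the pattern `CommandLine.*.*.chm.*` leaves the dot in `.chm` unescaped, so it matches any character followed by `chm` (a path containing `schmidt`, for instance), and hh.exe launched with such an argument produces a hit; `CommandLine.*\.chm\b` expresses the intent. The detected message also says "recently modified .chm files", but nothing in the filter looks at modification time, so the message overstates what is checked.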
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\CreateMiniDump.exe.*" -or $_.message -match "Imphash.*4a07f944a83e8a7c2525efa35dd30e2f")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\lsass.dmp") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message + +function Add-Rule { + + $ruleName = "win_hktl_createminidump"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_hktl_createminidump"; + $detectedMessage = "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine"; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\CreateMiniDump.exe.*" -or $_.message -match "Imphash.*4a07f944a83e8a7c2525efa35dd30e2f")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\lsass.dmp") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + } + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_html_help_spawn.ps1 b/Rules/SIGMA/process_creation/win_html_help_spawn.ps1 new file mode 100644 index 00000000..e360ba1b --- /dev/null 
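Review bot: The `Imphash.*4a07f944a83e8a7c2525efa35dd30e2f` branch of the first `$tmp` filter only has data to match when the Sysmon configuration's HashAlgorithms setting includes IMPHASH; on a default configuration the Hashes line carries no IMPHASH entry and that branch silently never fires, leaving only the image-name check. A comment on that line, e.g. `# Imphash leg needs HashAlgorithms to include IMPHASH in the Sysmon config`, would make the dependency visible. Also, the inner `function Search-DetectableEvents { ... }` block is not followed by `;` here while every sibling file closes it with `};` — harmless, but inconsistent.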
+++ b/Rules/SIGMA/process_creation/win_html_help_spawn.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*C:\Windows\hh.exe" -and ($_.message -match "Image.*.*\cmd.exe" -or $_.message -match "Image.*.*\powershell.exe" -or $_.message -match "Image.*.*\wscript.exe" -or $_.message -match "Image.*.*\cscript.exe" -or $_.message -match "Image.*.*\regsvr32.exe" -or $_.message -match "Image.*.*\wmic.exe" -or $_.message -match "Image.*.*\rundll32.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_html_help_spawn"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_html_help_spawn"; + $detectedMessage = "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*C:\\Windows\\hh.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\rundll32.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_hwp_exploits.ps1 b/Rules/SIGMA/process_creation/win_hwp_exploits.ps1 new file mode 100644 index 00000000..c2065490 --- /dev/null 
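Review bot: `ParentImage.*C:\\Windows\\hh.exe` in `$result` hard-codes the system drive and directory, so a host whose Windows directory lives elsewhere never matches, whereas the sibling win_hh_chm rule uses the drive-independent `\\hh.exe` form. `ParentImage.*\\Windows\\hh\.exe` (or plain `\\hh\.exe`, as in that rule) keeps the two files consistent.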
+++ b/Rules/SIGMA/process_creation/win_hwp_exploits.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\Hwp.exe" -and $_.message -match "Image.*.*\gbb.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_hwp_exploits"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_hwp_exploits"; + $detectedMessage = "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\Hwp.exe" -and $_.message -match "Image.*.*\\gbb.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_impacket_compiled_tools.ps1 b/Rules/SIGMA/process_creation/win_impacket_compiled_tools.ps1 new file mode 100644 index 00000000..0431715e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_impacket_compiled_tools.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\goldenPac.*" -or $_.message -match "Image.*.*\karmaSMB.*" -or $_.message -match "Image.*.*\kintercept.*" -or $_.message -match "Image.*.*\ntlmrelayx.*" -or $_.message -match "Image.*.*\rpcdump.*" -or $_.message -match "Image.*.*\samrdump.*" -or $_.message -match "Image.*.*\secretsdump.*" -or $_.message -match "Image.*.*\smbexec.*" -or $_.message -match "Image.*.*\smbrelayx.*" -or $_.message -match "Image.*.*\wmiexec.*" -or $_.message -match "Image.*.*\wmipersist.*") -or ($_.message -match "Image.*.*\atexec_windows.exe" -or $_.message -match "Image.*.*\dcomexec_windows.exe" -or $_.message -match "Image.*.*\dpapi_windows.exe" -or $_.message -match "Image.*.*\findDelegation_windows.exe" -or $_.message -match "Image.*.*\GetADUsers_windows.exe" -or $_.message -match "Image.*.*\GetNPUsers_windows.exe" -or $_.message -match "Image.*.*\getPac_windows.exe" -or $_.message -match "Image.*.*\getST_windows.exe" -or $_.message -match "Image.*.*\getTGT_windows.exe" -or $_.message -match "Image.*.*\GetUserSPNs_windows.exe" -or $_.message -match "Image.*.*\ifmap_windows.exe" -or $_.message -match "Image.*.*\mimikatz_windows.exe" -or $_.message -match "Image.*.*\netview_windows.exe" -or $_.message -match "Image.*.*\nmapAnswerMachine_windows.exe" -or $_.message -match "Image.*.*\opdump_windows.exe" -or $_.message -match "Image.*.*\psexec_windows.exe" -or $_.message -match "Image.*.*\rdp_check_windows.exe" -or $_.message -match "Image.*.*\sambaPipe_windows.exe" -or $_.message -match "Image.*.*\smbclient_windows.exe" -or $_.message -match "Image.*.*\smbserver_windows.exe" -or $_.message -match "Image.*.*\sniffer_windows.exe" -or $_.message -match "Image.*.*\sniff_windows.exe" -or $_.message -match "Image.*.*\split_windows.exe" -or $_.message -match "Image.*.*\ticketer_windows.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
+ +function Add-Rule { + + $ruleName = "win_impacket_compiled_tools"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_impacket_compiled_tools"; + $detectedMessage = "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\goldenPac.*" -or $_.message -match "Image.*.*\\karmaSMB.*" -or $_.message -match "Image.*.*\\kintercept.*" -or $_.message -match "Image.*.*\\ntlmrelayx.*" -or $_.message -match "Image.*.*\\rpcdump.*" -or $_.message -match "Image.*.*\\samrdump.*" -or $_.message -match "Image.*.*\\secretsdump.*" -or $_.message -match "Image.*.*\\smbexec.*" -or $_.message -match "Image.*.*\\smbrelayx.*" -or $_.message -match "Image.*.*\\wmiexec.*" -or $_.message -match "Image.*.*\\wmipersist.*") -or ($_.message -match "Image.*.*\\atexec_windows.exe" -or $_.message -match "Image.*.*\\dcomexec_windows.exe" -or $_.message -match "Image.*.*\\dpapi_windows.exe" -or $_.message -match "Image.*.*\\findDelegation_windows.exe" -or $_.message -match "Image.*.*\\GetADUsers_windows.exe" -or $_.message -match "Image.*.*\\GetNPUsers_windows.exe" -or $_.message -match "Image.*.*\\getPac_windows.exe" -or $_.message -match "Image.*.*\\getST_windows.exe" -or $_.message -match "Image.*.*\\getTGT_windows.exe" -or $_.message -match "Image.*.*\\GetUserSPNs_windows.exe" -or $_.message -match "Image.*.*\\ifmap_windows.exe" -or $_.message -match "Image.*.*\\mimikatz_windows.exe" -or $_.message -match "Image.*.*\\netview_windows.exe" -or $_.message -match "Image.*.*\\nmapAnswerMachine_windows.exe" -or $_.message -match "Image.*.*\\opdump_windows.exe" -or $_.message -match "Image.*.*\\psexec_windows.exe" -or $_.message -match "Image.*.*\\rdp_check_windows.exe" -or $_.message -match "Image.*.*\\sambaPipe_windows.exe" -or $_.message -match 
"Image.*.*\\smbclient_windows.exe" -or $_.message -match "Image.*.*\\smbserver_windows.exe" -or $_.message -match "Image.*.*\\sniffer_windows.exe" -or $_.message -match "Image.*.*\\sniff_windows.exe" -or $_.message -match "Image.*.*\\split_windows.exe" -or $_.message -match "Image.*.*\\ticketer_windows.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_impacket_lateralization.ps1 b/Rules/SIGMA/process_creation/win_impacket_lateralization.ps1 new file mode 100644 index 00000000..a3cbfaf7 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_impacket_lateralization.ps1 
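Review bot: Style: the 35 `-or` clauses in `$result` each run a separate `-match` over the full message text; one alternation such as `Image.*\\(goldenPac|karmaSMB|kintercept|ntlmrelayx|...)` for the first group and a second for the `_windows\.exe` family would be easier to maintain and one regex evaluation per event instead of dozens. The matching semantics are unchanged by that rewrite, and the description already flags the name-based false-positive risk.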
@@ -0,0 +1,30 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.ID -eq "1" -and $_.message -match "CommandLine.*.*cmd.exe.*" -and $_.message -match "CommandLine.*.*&1.*" -and ((($_.message -match "ParentImage.*.*\wmiprvse.exe" -or $_.message -match "ParentImage.*.*\mmc.exe" -or $_.message -match "ParentImage.*.*\explorer.exe" -or $_.message -match "ParentImage.*.*\services.exe") -and $_.message -match "CommandLine.*.*/Q.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*\\127.0.0.1\.*") -or (($_.message -match "ParentCommandLine.*.*svchost.exe -k netsvcs.*" -or $_.message -match "ParentCommandLine.*.*taskeng.exe.*") -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*Windows\Temp\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_impacket_lateralization"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_impacket_lateralization"; + $result = $event | where { (($_.ID -eq "1") -and $_.ID -eq "1" -and $_.message -match "CommandLine.*.*cmd.exe.*" -and $_.message -match "CommandLine.*.*&1.*" -and ((($_.message -match "ParentImage.*.*\\wmiprvse.exe" -or $_.message -match "ParentImage.*.*\\mmc.exe" -or $_.message -match "ParentImage.*.*\\explorer.exe" -or $_.message -match "ParentImage.*.*\\services.exe") -and $_.message -match "CommandLine.*.*/Q.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*\\\\127.0.0.1\\.*") -or (($_.message -match "ParentCommandLine.*.*svchost.exe -k netsvcs.*" -or $_.message -match "ParentCommandLine.*.*taskeng.exe.*") -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*Windows\\Temp\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! 
RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_indirect_cmd.ps1 b/Rules/SIGMA/process_creation/win_indirect_cmd.ps1 new file mode 100644 index 00000000..c5060756 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_indirect_cmd.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\pcalua.exe" -or $_.message -match "ParentImage.*.*\forfiles.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_indirect_cmd"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_indirect_cmd"; + $detectedMessage = "Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe)."; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\pcalua.exe" -or $_.message -match "ParentImage.*.*\\forfiles.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_indirect_cmd_compatibility_assistant.ps1 b/Rules/SIGMA/process_creation/win_indirect_cmd_compatibility_assistant.ps1 new file mode 100644 index 00000000..25008fbe --- /dev/null 
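Review bot: `$detectedMessage` is emitted by `Write-Output $detectedMessage` but is never assigned in this Search-DetectableEvents, so unless the caller defines it in an enclosing scope a hit prints an empty line where every sibling rule prints its description; add `$detectedMessage = "<rule description>";` after the `$ruleName` assignment. The win_local_system_owner_account_discovery hunk has the same omission. The filter also tests the event id twice, `($_.ID -eq "1") -and $_.ID -eq "1"`, which reads like a generator artefact and can be reduced to a single check.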
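Review bot: The detected message attributes both `pcalua.exe` and `forfiles.exe` to the Program Compatibility Assistant, but only pcalua.exe belongs to PCA; forfiles.exe is a file-enumeration utility whose `/c` option is what makes it an indirect launcher. A message such as `"Detect indirect command execution via pcalua.exe (Program Compatibility Assistant) or forfiles.exe"` describes both parents accurately.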
+++ b/Rules/SIGMA/process_creation/win_indirect_cmd_compatibility_assistant.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\pcwrun.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_indirect_cmd_compatibility_assistant";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_indirect_cmd_compatibility_assistant";
+ $detectedMessage = "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\pcwrun.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_install_reg_debugger_backdoor.ps1 b/Rules/SIGMA/process_creation/win_install_reg_debugger_backdoor.ps1
new file mode 100644
index 00000000..ed51064c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_install_reg_debugger_backdoor.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\CurrentVersion\Image File Execution Options\.*" -and ($_.message -match "CommandLine.*.*sethc.exe.*" -or $_.message -match "CommandLine.*.*utilman.exe.*" -or $_.message -match "CommandLine.*.*osk.exe.*" -or $_.message -match "CommandLine.*.*magnify.exe.*" -or $_.message -match "CommandLine.*.*narrator.exe.*" -or $_.message -match "CommandLine.*.*displayswitch.exe.*" -or $_.message -match "CommandLine.*.*atbroker.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_install_reg_debugger_backdoor";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_install_reg_debugger_backdoor";
+ $detectedMessage = "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\CurrentVersion\\Image File Execution Options\\.*" -and ($_.message -match "CommandLine.*.*sethc.exe.*" -or $_.message -match "CommandLine.*.*utilman.exe.*" -or $_.message -match "CommandLine.*.*osk.exe.*" -or $_.message -match "CommandLine.*.*magnify.exe.*" -or $_.message -match "CommandLine.*.*narrator.exe.*" -or $_.message -match "CommandLine.*.*displayswitch.exe.*" -or $_.message -match "CommandLine.*.*atbroker.exe.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
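Review bot: This rule only sees IFEO debugger registrations that pass through a process command line (reg.exe and the like), because `$result` filters event 1; the same `Image File Execution Options` key written through the registry API, PowerShell `Set-ItemProperty`, or a .reg import leaves no such command line and is invisible here. A comment above `$result`, e.g. `# Command-line writes only; pair with Sysmon event 13 (RegistryEvent) on the IFEO key for API-level changes`, would record the coverage boundary for whoever tunes this rule.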
diff --git a/Rules/SIGMA/process_creation/win_interactive_at.ps1 b/Rules/SIGMA/process_creation/win_interactive_at.ps1
new file mode 100644
index 00000000..0f4f57a6
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_interactive_at.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\at.exe" -and $_.message -match "CommandLine.*.*interactive.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_interactive_at";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_interactive_at";
+ $detectedMessage = "Detect an interactive AT job, which may be used as a form of privilege escalation.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\at.exe" -and $_.message -match "CommandLine.*.*interactive.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_lethalhta.ps1 b/Rules/SIGMA/process_creation/win_lethalhta.ps1
new file mode 100644
index 00000000..23932a14
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_lethalhta.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\svchost.exe" -and $_.message -match "Image.*.*\mshta.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_lethalhta";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_lethalhta";
+ $detectedMessage = "Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\svchost.exe" -and $_.message -match "Image.*.*\\mshta.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_local_system_owner_account_discovery.ps1 b/Rules/SIGMA/process_creation/win_local_system_owner_account_discovery.ps1
new file mode 100644
index 00000000..8e824fd6
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_local_system_owner_account_discovery.ps1
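Review bot: The detected message `"Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report"` has a typo (`spwaned`) and "described in report" names no report, so the analyst who sees the alert gets no pointer; since this is a runtime string shown on every hit it needs fixing in the file, e.g. `$detectedMessage = "Detects mshta.exe spawned by svchost.exe, the parent/child pair associated with the LethalHTA technique";`. If the original report is known, its title belongs in a comment above that line rather than in the alert text.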
@@ -0,0 +1,30 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.ID -eq "1") -and ($_.message -match "Image.*.*\whoami.exe" -or ($_.message -match "Image.*.*\wmic.exe" -and $_.message -match "CommandLine.*.*useraccount.*" -and $_.message -match "CommandLine.*.*get.*") -or ($_.message -match "Image.*.*\quser.exe" -or $_.message -match "Image.*.*\qwinsta.exe") -or ($_.message -match "Image.*.*\cmdkey.exe" -and $_.message -match "CommandLine.*.*/list.*") -or ($_.message -match "Image.*.*\cmd.exe" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*dir .*" -and $_.message -match "CommandLine.*.*\Users\.*")) -and -not (($_.message -match "CommandLine.*.* rmdir .*"))) -or (($_.ID -eq "1") -and (($_.message -match "Image.*.*\net.exe" -or $_.message -match "Image.*.*\net1.exe") -and $_.message -match "CommandLine.*.*user.*") -and -not (($_.message -match "CommandLine.*.*/domain.*" -or $_.message -match "CommandLine.*.*/add.*" -or $_.message -match "CommandLine.*.*/delete.*" -or $_.message -match "CommandLine.*.*/active.*" -or $_.message -match "CommandLine.*.*/expires.*" -or $_.message -match "CommandLine.*.*/passwordreq.*" -or $_.message -match "CommandLine.*.*/scriptpath.*" -or $_.message -match "CommandLine.*.*/times.*" -or $_.message -match "CommandLine.*.*/workstations.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_local_system_owner_account_discovery"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_local_system_owner_account_discovery"; + $result = $event | where { (($_.ID -eq "1") -and ((($_.ID -eq "1") -and ($_.message -match "Image.*.*\\whoami.exe" -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*useraccount.*" -and $_.message -match "CommandLine.*.*get.*") -or ($_.message -match "Image.*.*\\quser.exe" -or $_.message -match 
"Image.*.*\\qwinsta.exe") -or ($_.message -match "Image.*.*\\cmdkey.exe" -and $_.message -match "CommandLine.*.*/list.*") -or ($_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*dir .*" -and $_.message -match "CommandLine.*.*\\Users\\.*")) -and -not (($_.message -match "CommandLine.*.* rmdir .*"))) -or (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*user.*") -and -not (($_.message -match "CommandLine.*.*/domain.*" -or $_.message -match "CommandLine.*.*/add.*" -or $_.message -match "CommandLine.*.*/delete.*" -or $_.message -match "CommandLine.*.*/active.*" -or $_.message -match "CommandLine.*.*/expires.*" -or $_.message -match "CommandLine.*.*/passwordreq.*" -or $_.message -match "CommandLine.*.*/scriptpath.*" -or $_.message -match "CommandLine.*.*/times.*" -or $_.message -match "CommandLine.*.*/workstations.*"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_lolbin_execution_via_winget.ps1 b/Rules/SIGMA/process_creation/win_lolbin_execution_via_winget.ps1 new file mode 100644 index 00000000..11da56c9 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_lolbin_execution_via_winget.ps1 
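Review bot: `$detectedMessage` is never assigned in this Search-DetectableEvents, so `Write-Output $detectedMessage` prints an empty line where the sibling rules print their description; add `$detectedMessage = "<description from the Sigma rule>";` after the inner `$ruleName` assignment. The same omission is in the win_malware_script_dropper and win_malware_trickbot_recon_activity hunks. The filter also nests `($_.ID -eq "1")` three times although the outermost `(($_.ID -eq "1") -and ...)` already covers both branches, so the inner copies can be dropped without changing what matches.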
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*..*(?i)winget install (--m|-m)..*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_lolbin_execution_via_winget"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_lolbin_execution_via_winget"; + $detectedMessage = "Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later."; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*..*(?i)winget install (--m|-m)..*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_lsass_dump.ps1 b/Rules/SIGMA/process_creation/win_lsass_dump.ps1 new file mode 100644 index 00000000..ab975b4b --- /dev/null +++ b/Rules/SIGMA/process_creation/win_lsass_dump.ps1 
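Review bot: The inline `(?i)` in `"CommandLine.*.*..*(?i)winget install (--m|-m)..*"` is redundant, because PowerShell's `-match` is case-insensitive unless `-cmatch` is used, and the `.*.*..*` and `..*` runs are equivalent to `.+` and `.` for an unanchored match. `$_.message -match "CommandLine.+winget install (--m|-m)."` matches exactly the same messages and is readable at a glance. `$detectedMessage` also asserts that winget "will be included by default in Windows 10", wording copied from the rule's source that may be stale by the time it is printed as part of a detection; worth checking against the current source.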
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "CommandLine.*.*lsass.*" -and $_.message -match "CommandLine.*.*.dmp.*") -and -not ($_.message -match "Image.*.*\werfault.exe")) -or ($_.message -match "Image.*.*\procdump.*" -and $_.message -match "Image.*.*.exe" -and $_.message -match "CommandLine.*.*lsass.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_lsass_dump"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_lsass_dump"; + $detectedMessage = "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials."; + $result = $event | where { (($_.ID -eq "1") -and ((($_.message -match "CommandLine.*.*lsass.*" -and $_.message -match "CommandLine.*.*.dmp.*") -and -not ($_.message -match "Image.*.*\\werfault.exe")) -or ($_.message -match "Image.*.*\\procdump.*" -and $_.message -match "Image.*.*.exe" -and $_.message -match "CommandLine.*.*lsass.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_mal_adwind.ps1 b/Rules/SIGMA/process_creation/win_mal_adwind.ps1 new file mode 100644 index 00000000..5e4dab6d --- /dev/null +++ b/Rules/SIGMA/process_creation/win_mal_adwind.ps1 
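Review bot: In the `where` filter, `"CommandLine.*.*.dmp.*"` and `"Image.*.*.exe"` leave the dot unescaped, so the first matches any character followed by `dmp` and the second is true for practically every process-creation event, which makes the `-and $_.message -match "Image.*.*.exe"` term in the procdump branch a no-op. `$_.message -match "CommandLine.*\.dmp"` and `$_.message -match "Image.*\\procdump.*\.exe"` express the intended extension checks. The `-not ($_.message -match "Image.*.*\\werfault.exe")` exclusion is also satisfied by a `ParentImage:` line naming werfault.exe, so a dump written by a child of werfault is suppressed too; anchoring the field name (`(?m)^Image:`) limits the exclusion to the created process.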
@@ -0,0 +1,43 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\AppData\\Roaming\\Oracle.*" -and $_.message -match "CommandLine.*.*\\java.*" -and $_.message -match "CommandLine.*.*.exe .*") -or ($_.message -match "CommandLine.*.*cscript.exe.*" -and $_.message -match "CommandLine.*.*Retrive.*" -and $_.message -match "CommandLine.*.*.vbs .*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { (($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\\AppData\\Roaming\\Oracle\\bin\\java.*" -and $_.message -match "TargetFilename.*.*.exe.*") -or ($_.message -match "TargetFilename.*.*\\Retrive.*" -and $_.message -match "TargetFilename.*.*.vbs.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*" -and $_.message -match "Details.*%AppData%\\Roaming\\Oracle\\bin\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message + +function Add-Rule { + + $ruleName = "win_mal_adwind"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_mal_adwind"; + $detectedMessage = "Detects javaw.exe in AppData folder as used by Adwind / JRAT"; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\AppData\\Roaming\\Oracle.*" -and $_.message -match "CommandLine.*.*\\java.*" -and $_.message -match "CommandLine.*.*.exe .*") -or ($_.message -match "CommandLine.*.*cscript.exe.*" -and $_.message -match "CommandLine.*.*Retrive.*" -and $_.message -match "CommandLine.*.*.vbs .*"))) } | select TimeCreated, Id, RecordId, ProcessId, 
MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { (($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\\AppData\\Roaming\\Oracle\\bin\\java.*" -and $_.message -match "TargetFilename.*.*.exe.*") -or ($_.message -match "TargetFilename.*.*\\Retrive.*" -and $_.message -match "TargetFilename.*.*.vbs.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*" -and $_.message -match "Details.*%AppData%\\Roaming\\Oracle\\bin\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_malware_dridex.ps1 b/Rules/SIGMA/process_creation/win_malware_dridex.ps1 new file mode 100644 index 00000000..ff729739 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_malware_dridex.ps1 
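Review bot: `[void]$results.Add($tmp)` appends `$null` whenever one of the three sub-queries has no hits, so `$results` carries up to three empty entries that the loop then guards against; wrapping each append as `if ($tmp) { [void]$results.Add($tmp) }` keeps the list to real matches. The file-create clauses `"TargetFilename.*.*.exe.*"` and `"TargetFilename.*.*.vbs.*"` leave the extension dot unescaped, as do the `.exe ` and `.vbs ` terms in the process-creation clause; `\.exe` and `\.vbs` are the intended literals. All three sub-queries print the same `$detectedMessage`, which only describes the javaw.exe pattern; a per-query message would tell the analyst whether the process, file or registry indicator fired.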
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\svchost.exe" -and $_.message -match "CommandLine.*.*C:\Users\.*" -and $_.message -match "CommandLine.*.*\Desktop\.*") -or ($_.message -match "ParentImage.*.*\svchost.exe" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\whoami.exe" -and $_.message -match "CommandLine.*.*all.*") -or (($_.message -match "Image.*.*\net.exe" -or $_.message -match "Image.*.*\net1.exe") -and $_.message -match "CommandLine.*.*view.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_malware_dridex"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_malware_dridex"; + $detectedMessage = "Detects typical Dridex process patterns"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\svchost.exe" -and $_.message -match "CommandLine.*.*C:\\Users\\.*" -and $_.message -match "CommandLine.*.*\\Desktop\\.*") -or ($_.message -match "ParentImage.*.*\\svchost.exe" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\whoami.exe" -and $_.message -match "CommandLine.*.*all.*") -or (($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*view.*"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
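Review bot: The ParentImage branch of the filter repeats `($_.ID -eq "1")`, which the outer `(($_.ID -eq "1") -and ...)` already guarantees, so the inner `-and ($_.ID -eq "1")` can be dropped without changing what matches. Style only; the remaining clauses mirror the header one-liner apart from the doubled backslashes.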
diff --git a/Rules/SIGMA/process_creation/win_malware_dtrack.ps1 b/Rules/SIGMA/process_creation/win_malware_dtrack.ps1
new file mode 100644
index 00000000..205ac227
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_malware_dtrack.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* echo EEEE > .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_malware_dtrack";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_malware_dtrack";
+ $detectedMessage = "Detects specific process parameters as seen in DTRACK infections";
+ $result = $event | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* echo EEEE > .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_malware_emotet.ps1 b/Rules/SIGMA/process_creation/win_malware_emotet.ps1
new file mode 100644
index 00000000..18c54ece
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_malware_emotet.ps1
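Review bot: Two lines of the detection block, `Write-Output $result;` and `Write-Output "";`, sit at column 0 while the rest of the function body is indented, and the `where {(` / `select TimeCreated,Id,...` spacing differs from the `where { (` / `select TimeCreated, Id, ...` form the sibling rules use. Reindenting the two lines to the block's level and normalising the spacing keeps the generated rules uniform and diff-friendly. `if(!` is the other spelling that alternates across this series (`if (!` in win_interactive_at, win_lsass_dump, win_mal_adwind, win_malware_emotet, win_malware_script_dropper and win_malware_wannacry); one form should be picked for the whole set.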
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -e.* PAA.*" -or $_.message -match "CommandLine.*.*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ.*" -or $_.message -match "CommandLine.*.*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA.*" -or $_.message -match "CommandLine.*.*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA.*" -or $_.message -match "CommandLine.*.*IgAoACcAKgAnACkAOwAkA.*" -or $_.message -match "CommandLine.*.*IAKAAnACoAJwApADsAJA.*" -or $_.message -match "CommandLine.*.*iACgAJwAqACcAKQA7ACQA.*" -or $_.message -match "CommandLine.*.*JABGAGwAeAByAGgAYwBmAGQ.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_malware_emotet"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_malware_emotet"; + $detectedMessage = "Detects all Emotet like process executions that are not covered by the more generic rules"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -e.* PAA.*" -or $_.message -match "CommandLine.*.*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ.*" -or $_.message -match "CommandLine.*.*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA.*" -or $_.message -match "CommandLine.*.*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA.*" -or $_.message -match "CommandLine.*.*IgAoACcAKgAnACkAOwAkA.*" -or $_.message -match "CommandLine.*.*IAKAAnACoAJwApADsAJA.*" -or $_.message -match "CommandLine.*.*iACgAJwAqACcAKQA7ACQA.*" -or $_.message -match "CommandLine.*.*JABGAGwAeAByAGgAYwBmAGQ.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_malware_formbook.ps1 b/Rules/SIGMA/process_creation/win_malware_formbook.ps1 new file mode 100644 index 00000000..a0a5c950 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_malware_formbook.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentCommandLine.*C:\Windows\System32\.*" -or $_.message -match "ParentCommandLine.*C:\Windows\SysWOW64\.*") -and ($_.message -match "ParentCommandLine.*.*.exe") -and $_.message -match "CommandLine.*.*C:\Users\.*" -and (($_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*del.*" -and $_.message -match "CommandLine.*.*\AppData\Local\Temp\.*") -or ($_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*del.*" -and $_.message -match "CommandLine.*.*\Desktop\.*") -or ($_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*type nul >.*" -and $_.message -match "CommandLine.*.*\Desktop\.*")) -and $_.message -match "CommandLine.*.*.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_malware_formbook"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_malware_formbook"; + $detectedMessage = "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "ParentCommandLine.*C:\\Windows\\System32\\.*" -or $_.message -match "ParentCommandLine.*C:\\Windows\\SysWOW64\\.*") -and ($_.message -match "ParentCommandLine.*.*.exe") -and $_.message -match "CommandLine.*.*C:\\Users\\.*" -and (($_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*del.*" -and $_.message -match "CommandLine.*.*\\AppData\\Local\\Temp\\.*") -or ($_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*del.*" -and $_.message -match "CommandLine.*.*\\Desktop\\.*") -or ($_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*type nul >.*" -and $_.message -match 
"CommandLine.*.*\\Desktop\\.*")) -and $_.message -match "CommandLine.*.*.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_malware_notpetya.ps1 b/Rules/SIGMA/process_creation/win_malware_notpetya.ps1 new file mode 100644 index 00000000..f1d04135 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_malware_notpetya.ps1 
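Review bot: `$detectedMessage` ends mid-sentence, `...which executes a special command command line to`, so the text printed under `Detected!` is truncated and carries a doubled word; it should be completed from the Sigma rule's description, or cut after `System32 folder`, before it reaches analysts. `"ParentCommandLine.*.*.exe"` with an unescaped dot is satisfied by any parent command line that mentions an executable, so it adds nothing on top of the `System32`/`SysWOW64` checks; `\.exe` is the intended literal.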
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\AppData\Local\Temp\.*" -and $_.message -match "CommandLine.*.*\.\pipe\.*") -or ($_.message -match "Image.*.*\rundll32.exe" -and $_.message -match "CommandLine.*.*.dat,#1") -or $_.message -match "perfc.dat")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_malware_notpetya"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_malware_notpetya"; + $detectedMessage = "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\AppData\\Local\\Temp\\.*" -and $_.message -match "CommandLine.*.*\\.\\pipe\\.*") -or ($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*.dat,#1") -or $_.message -match "perfc.dat")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_malware_qbot.ps1 b/Rules/SIGMA/process_creation/win_malware_qbot.ps1 new file mode 100644 index 00000000..42a37772 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_malware_qbot.ps1 
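Review bot: The last alternative, `$_.message -match "perfc.dat"`, is the only clause not tied to a message field, so it fires on any process-creation event whose text contains `perfc`, one character and `dat` anywhere, not only in the command line or image path. If the Sigma source scopes this indicator to a field, the clause should carry the field prefix and an escaped dot, e.g. `$_.message -match "CommandLine.*perfc\.dat"`; if it is intentionally unscoped, `"perfc\.dat"` still removes the wildcard dot. The outer `(($_.ID -eq "1") -and ...)` guard does keep it to process-creation events.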
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\WinRAR.exe" -and $_.message -match "Image.*.*\wscript.exe") -or $_.message -match "CommandLine.*.* /c ping.exe -n 6 127.0.0.1 & type .*") -or ($_.message -match "CommandLine.*.*regsvr32.exe.*" -and $_.message -match "CommandLine.*.*C:\ProgramData.*" -and $_.message -match "CommandLine.*.*.tmp.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_malware_qbot"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_malware_qbot"; + $detectedMessage = "Detects QBot like process executions"; + $result = $event | where { (($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\\WinRAR.exe" -and $_.message -match "Image.*.*\\wscript.exe") -or $_.message -match "CommandLine.*.* /c ping.exe -n 6 127.0.0.1 & type .*") -or ($_.message -match "CommandLine.*.*regsvr32.exe.*" -and $_.message -match "CommandLine.*.*C:\\ProgramData.*" -and $_.message -match "CommandLine.*.*.tmp.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_malware_ryuk.ps1 b/Rules/SIGMA/process_creation/win_malware_ryuk.ps1 new file mode 100644 index 00000000..942b698f --- /dev/null +++ b/Rules/SIGMA/process_creation/win_malware_ryuk.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Microsoft\Windows\CurrentVersion\Run.*" -and $_.message -match "CommandLine.*.*C:\users\Public\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_malware_ryuk"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_malware_ryuk"; + $detectedMessage = "Detects Ryuk ransomware activity"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Microsoft\\Windows\\CurrentVersion\\Run.*" -and $_.message -match "CommandLine.*.*C:\\users\\Public\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_malware_script_dropper.ps1 b/Rules/SIGMA/process_creation/win_malware_script_dropper.ps1 new file mode 100644 index 00000000..5f6fd43e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_malware_script_dropper.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\wscript.exe" -or $_.message -match "Image.*.*\cscript.exe") -and ($_.message -match "CommandLine.*.*C:\Users\.*" -or $_.message -match "CommandLine.*.*C:\ProgramData\.*") -and ($_.message -match "CommandLine.*.*.jse.*" -or $_.message -match "CommandLine.*.*.vbe.*" -or $_.message -match "CommandLine.*.*.js.*" -or $_.message -match "CommandLine.*.*.vba.*" -or $_.message -match "CommandLine.*.*.vbs.*")) -and -not ($_.message -match "ParentImage.*.*\winzip.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_malware_script_dropper"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_malware_script_dropper"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe") -and ($_.message -match "CommandLine.*.*C:\\Users\\.*" -or $_.message -match "CommandLine.*.*C:\\ProgramData\\.*") -and ($_.message -match "CommandLine.*.*.jse.*" -or $_.message -match "CommandLine.*.*.vbe.*" -or $_.message -match "CommandLine.*.*.js.*" -or $_.message -match "CommandLine.*.*.vba.*" -or $_.message -match "CommandLine.*.*.vbs.*")) -and -not ($_.message -match "ParentImage.*.*\\winzip.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
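Review bot: In the extension list, `"CommandLine.*.*.js.*"` has an unescaped dot and no terminator, so it also matches `.json`, `.jsx` or any `<char>js` sequence in the command line; `$_.message -match "CommandLine.*\.js\b"` restricts it to the `.js` extension, and the separate `.jse` clause still covers that case. The other four extension clauses have the same wildcard dot (`.jse`, `.vbe`, `.vba`, `.vbs`) and would benefit from `\.` as well.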
diff --git a/Rules/SIGMA/process_creation/win_malware_trickbot_recon_activity.ps1 b/Rules/SIGMA/process_creation/win_malware_trickbot_recon_activity.ps1 new file mode 100644 index 00000000..6d316c5c --- /dev/null +++ b/Rules/SIGMA/process_creation/win_malware_trickbot_recon_activity.ps1 @@ -0,0 +1,30 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\cmd.exe") -and ($_.message -match "Image.*.*\nltest.exe") -and ($_.message -match "CommandLine.*.*/domain_trusts /all_trusts.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_malware_trickbot_recon_activity"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_malware_trickbot_recon_activity"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\cmd.exe") -and ($_.message -match "Image.*.*\\nltest.exe") -and ($_.message -match "CommandLine.*.*/domain_trusts /all_trusts.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_malware_trickbot_wermgr.ps1 b/Rules/SIGMA/process_creation/win_malware_trickbot_wermgr.ps1 new file mode 100644 index 00000000..bebc2b2e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_malware_trickbot_wermgr.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\wermgr.exe") -and ($_.message -match "ParentImage.*.*\rundll32.exe") -and ($_.message -match "ParentCommandLine.*.*DllRegisterServer.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_malware_trickbot_wermgr"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_malware_trickbot_wermgr"; + $detectedMessage = "Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe "; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wermgr.exe") -and ($_.message -match "ParentImage.*.*\\rundll32.exe") -and ($_.message -match "ParentCommandLine.*.*DllRegisterServer.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_malware_wannacry.ps1 b/Rules/SIGMA/process_creation/win_malware_wannacry.ps1 new file mode 100644 index 00000000..073572fb --- /dev/null +++ b/Rules/SIGMA/process_creation/win_malware_wannacry.ps1 
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\tasksche.exe" -or $_.message -match "Image.*.*\mssecsvc.exe" -or $_.message -match "Image.*.*\taskdl.exe" -or $_.message -match "Image.*.*\taskhsvc.exe" -or $_.message -match "Image.*.*\taskse.exe" -or $_.message -match "Image.*.*\111.exe" -or $_.message -match "Image.*.*\lhdfrgui.exe" -or $_.message -match "Image.*.*\diskpart.exe" -or $_.message -match "Image.*.*\linuxnew.exe" -or $_.message -match "Image.*.*\wannacry.exe") -or $_.message -match "Image.*.*WanaDecryptor.*" -or ($_.message -match "CommandLine.*.*icacls.*" -and $_.message -match "CommandLine.*.*/grant.*" -and $_.message -match "CommandLine.*.*Everyone:F.*" -and $_.message -match "CommandLine.*.*/T.*" -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*/Q.*") -or ($_.message -match "CommandLine.*.*bcdedit.*" -and $_.message -match "CommandLine.*.*/set.*" -and $_.message -match "CommandLine.*.*{default}.*" -and $_.message -match "CommandLine.*.*recoveryenabled.*" -and $_.message -match "CommandLine.*.*no.*") -or ($_.message -match "CommandLine.*.*wbadmin.*" -and $_.message -match "CommandLine.*.*delete.*" -and $_.message -match "CommandLine.*.*catalog.*" -and $_.message -match "CommandLine.*.*-quiet.*") -or $_.message -match "CommandLine.*.*@Please_Read_Me@.txt.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_malware_wannacry"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_malware_wannacry"; + $detectedMessage = "Detects WannaCry ransomware activity"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\tasksche.exe" -or $_.message -match "Image.*.*\\mssecsvc.exe" -or $_.message -match "Image.*.*\\taskdl.exe" -or $_.message -match "Image.*.*\\taskhsvc.exe" -or $_.message -match 
"Image.*.*\\taskse.exe" -or $_.message -match "Image.*.*\\111.exe" -or $_.message -match "Image.*.*\\lhdfrgui.exe" -or $_.message -match "Image.*.*\\diskpart.exe" -or $_.message -match "Image.*.*\\linuxnew.exe" -or $_.message -match "Image.*.*\\wannacry.exe") -or $_.message -match "Image.*.*WanaDecryptor.*" -or ($_.message -match "CommandLine.*.*icacls.*" -and $_.message -match "CommandLine.*.*/grant.*" -and $_.message -match "CommandLine.*.*Everyone:F.*" -and $_.message -match "CommandLine.*.*/T.*" -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*/Q.*") -or ($_.message -match "CommandLine.*.*bcdedit.*" -and $_.message -match "CommandLine.*.*/set.*" -and $_.message -match "CommandLine.*.*{default}.*" -and $_.message -match "CommandLine.*.*recoveryenabled.*" -and $_.message -match "CommandLine.*.*no.*") -or ($_.message -match "CommandLine.*.*wbadmin.*" -and $_.message -match "CommandLine.*.*delete.*" -and $_.message -match "CommandLine.*.*catalog.*" -and $_.message -match "CommandLine.*.*-quiet.*") -or $_.message -match "CommandLine.*.*@Please_Read_Me@.txt.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_manage-bde_lolbas.ps1 b/Rules/SIGMA/process_creation/win_manage-bde_lolbas.ps1 new file mode 100644 index 00000000..c7b29edd --- /dev/null +++ b/Rules/SIGMA/process_creation/win_manage-bde_lolbas.ps1 
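Review bot: In the bcdedit branch, `$_.message -match "CommandLine.*.*no.*"` is a two-letter substring test under PowerShell's case-insensitive `-match`, satisfied by almost any command line that happens to contain `no`; since the same branch already checks `recoveryenabled`, `$_.message -match "CommandLine.*recoveryenabled\s+no"` expresses the `recoveryenabled no` argument it is looking for. `{default}` relies on .NET treating a brace that is not a valid quantifier as a literal; escaping it as `\{default\}` makes that explicit.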
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cscript.*" -and $_.message -match "CommandLine.*.*manage-bde.wsf.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_manage-bde_lolbas";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_manage-bde_lolbas";
+ $detectedMessage = "Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cscript.*" -and $_.message -match "CommandLine.*.*manage-bde.wsf.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_mavinject_proc_inj.ps1 b/Rules/SIGMA/process_creation/win_mavinject_proc_inj.ps1
new file mode 100644
index 00000000..4b9e6fe9
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_mavinject_proc_inj.ps1
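Review bot: Both tests in the `$result` filter begin with `CommandLine.*`, which also matches the `ParentCommandLine:` line of a Sysmon process-creation message (the rendered message puts each field on its own line and `.` does not cross newlines), so every child process of a `cscript … manage-bde.wsf` invocation is reported as its own hit, and a `cscript` token that appears only in the parent's command line satisfies half of the condition for an unrelated child. If the one-field-per-line layout holds for the events fed in, anchoring fixes both and escapes the currently unescaped dot: `$_.message -match "(?m)^CommandLine:.*cscript"` and `$_.message -match "(?m)^CommandLine:.*manage-bde\.wsf"`.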
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /INJECTRUNNING .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_mavinject_proc_inj";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_mavinject_proc_inj";
+ $detectedMessage = "Detects process injection using the signed Windows tool Mavinject32.exe";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /INJECTRUNNING .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.ps1 b/Rules/SIGMA/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.ps1
new file mode 100644
index 00000000..60bdc838
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.ps1
@@ -0,0 +1,31 @@ +# $event | where {(($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\services.exe" -and (($_.message -match "CommandLine.*.*cmd.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\pipe\.*") -or ($_.message -match "CommandLine.*.*%COMSPEC%.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\pipe\.*") -or ($_.message -match "CommandLine.*.*cmd.exe.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\pipe\.*") -or ($_.message -match "CommandLine.*.*rundll32.*" -and $_.message -match "CommandLine.*.*.dll,a.*" -and $_.message -match "CommandLine.*.*/p:.*"))) -and -not ($_.message -match "CommandLine.*.*MpCmdRun.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_meterpreter_or_cobaltstrike_getsystem_service_start"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_meterpreter_or_cobaltstrike_getsystem_service_start"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\services.exe" -and (($_.message -match "CommandLine.*.*cmd.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\\pipe\\.*") -or ($_.message -match "CommandLine.*.*%COMSPEC%.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\\pipe\\.*") -or ($_.message -match "CommandLine.*.*cmd.exe.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\\pipe\\.*") -or ($_.message -match "CommandLine.*.*rundll32.*" -and $_.message -match "CommandLine.*.*.dll,a.*" -and 
$_.message -match "CommandLine.*.*/p:.*"))) -and -not ($_.message -match "CommandLine.*.*MpCmdRun.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_mimikatz_command_line.ps1 b/Rules/SIGMA/process_creation/win_mimikatz_command_line.ps1 new file mode 100644 index 00000000..7eca910d --- /dev/null +++ b/Rules/SIGMA/process_creation/win_mimikatz_command_line.ps1 
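Review bot: `Write-Output $detectedMessage` inside Search-DetectableEvents prints a variable this rule never assigns — unlike every sibling rule in this change there is no `$detectedMessage = …;` line after `$ruleName = "win_meterpreter_or_cobaltstrike_getsystem_service_start";`, so a hit emits an empty line (or, given PowerShell's dynamic scoping, whatever value a caller happens to hold under that name) instead of a description. Add one, e.g. `$detectedMessage = "Detects a service started by Meterpreter/Cobalt Strike getsystem (cmd echo to a named pipe, or rundll32 ... .dll,a /p:)";`. The header comment is also out of step with the other rules: it starts with `$event | where` rather than a runnable `Get-WinEvent` query, and its single-backslash `\pipe\` is an invalid .NET escape (`\p` requires a `{Category}`), so it cannot be pasted into a shell the way the others can.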
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*DumpCreds.*" -or $_.message -match "CommandLine.*.*invoke-mimikatz.*") -or (($_.message -match "CommandLine.*.*rpc.*" -or $_.message -match "CommandLine.*.*token.*" -or $_.message -match "CommandLine.*.*crypto.*" -or $_.message -match "CommandLine.*.*dpapi.*" -or $_.message -match "CommandLine.*.*sekurlsa.*" -or $_.message -match "CommandLine.*.*kerberos.*" -or $_.message -match "CommandLine.*.*lsadump.*" -or $_.message -match "CommandLine.*.*privilege.*" -or $_.message -match "CommandLine.*.*process.*") -and ($_.message -match "CommandLine.*.*::.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_mimikatz_command_line"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_mimikatz_command_line"; + $detectedMessage = "Detection well-known mimikatz command line arguments"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*DumpCreds.*" -or $_.message -match "CommandLine.*.*invoke-mimikatz.*") -or (($_.message -match "CommandLine.*.*rpc.*" -or $_.message -match "CommandLine.*.*token.*" -or $_.message -match "CommandLine.*.*crypto.*" -or $_.message -match "CommandLine.*.*dpapi.*" -or $_.message -match "CommandLine.*.*sekurlsa.*" -or $_.message -match "CommandLine.*.*kerberos.*" -or $_.message -match "CommandLine.*.*lsadump.*" -or $_.message -match "CommandLine.*.*privilege.*" -or $_.message -match "CommandLine.*.*process.*") -and ($_.message -match "CommandLine.*.*::.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_mmc_spawn_shell.ps1 b/Rules/SIGMA/process_creation/win_mmc_spawn_shell.ps1 new file mode 100644 index 00000000..cd5fd13a --- /dev/null +++ b/Rules/SIGMA/process_creation/win_mmc_spawn_shell.ps1 
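Review bot: The second branch of the filter fires when any of the nine module names appears anywhere on a `CommandLine` line and `::` appears anywhere on such a line, as two independent `-match` calls; `process`, `token`, `crypto` or `rpc` together with `::` is exactly the shape of ordinary PowerShell static-member calls (`[System.Diagnostics.Process]::Start(...)`, `[System.Security.Cryptography.SHA256]::Create()`), so this branch will be noisy on any host that runs PowerShell scripts. Mimikatz syntax is `module::command`, so requiring the module name to sit immediately before `::` keeps the intended coverage and drops most of that noise: replace the nine `-or`'d tests plus the separate `::` test with `$_.message -match "CommandLine.*\b(rpc|token|crypto|dpapi|sekurlsa|kerberos|lsadump|privilege|process)::"`. The `CommandLine.*` prefix also matches a Sysmon `ParentCommandLine:` line; if the one-field-per-line layout applies, `(?m)^CommandLine:` narrows it to the child's own command line.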
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\mmc.exe" -and (($_.message -match "Image.*.*\cmd.exe" -or $_.message -match "Image.*.*\powershell.exe" -or $_.message -match "Image.*.*\wscript.exe" -or $_.message -match "Image.*.*\cscript.exe" -or $_.message -match "Image.*.*\sh.exe" -or $_.message -match "Image.*.*\bash.exe" -or $_.message -match "Image.*.*\reg.exe" -or $_.message -match "Image.*.*\regsvr32.exe") -or ($_.message -match "Image.*.*\BITSADMIN.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_mmc_spawn_shell"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_mmc_spawn_shell"; + $detectedMessage = "Detects a Windows command line executable started from MMC"; + $result = $event | where { (($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\mmc.exe" -and (($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\reg.exe" -or $_.message -match "Image.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\BITSADMIN.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
diff --git a/Rules/SIGMA/process_creation/win_mouse_lock.ps1 b/Rules/SIGMA/process_creation/win_mouse_lock.ps1 new file mode 100644 index 00000000..aec11f10 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_mouse_lock.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Product.*.*Mouse Lock.*" -or $_.message -match "Company.*.*Misc314.*" -or $_.message -match "CommandLine.*.*Mouse Lock_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_mouse_lock"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_mouse_lock"; + $detectedMessage = "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool ""Mouse Lock"" as being used for both credential access and collection in security incidents."; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Product.*.*Mouse Lock.*" -or $_.message -match "Company.*.*Misc314.*" -or $_.message -match "CommandLine.*.*Mouse Lock_.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_mshta_javascript.ps1 b/Rules/SIGMA/process_creation/win_mshta_javascript.ps1 new file mode 100644 index 00000000..57cf1ea8 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_mshta_javascript.ps1 
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\mshta.exe" -and $_.message -match "CommandLine.*.*javascript.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_mshta_javascript";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_mshta_javascript";
+ $detectedMessage = "Identifies suspicious mshta.exe commands.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\mshta.exe" -and $_.message -match "CommandLine.*.*javascript.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_mshta_spawn_shell.ps1 b/Rules/SIGMA/process_creation/win_mshta_spawn_shell.ps1
new file mode 100644
index 00000000..f02063b5
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_mshta_spawn_shell.ps1
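Review bot: `Image.*.*\\mshta.exe` is unanchored, so it also matches the `ParentImage: …\mshta.exe` line of a Sysmon message, and `CommandLine.*.*javascript.*` likewise matches `ParentCommandLine:`; every process spawned by an `mshta javascript:…` payload therefore satisfies the rule as well and is reported a second time, and a process whose own Image and CommandLine are harmless can be flagged purely on its parent's fields. If the rendered message keeps one field per line, anchor both tests: `$_.message -match "(?m)^Image:.*\\mshta\.exe"` and `$_.message -match "(?m)^CommandLine:.*javascript"`. The `$detectedMessage` text "Identifies suspicious mshta.exe commands." could also name the actual trigger, e.g. `"mshta.exe launched with a javascript: protocol handler in its command line"`.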
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\mshta.exe" -and (($_.message -match "Image.*.*\cmd.exe" -or $_.message -match "Image.*.*\powershell.exe" -or $_.message -match "Image.*.*\wscript.exe" -or $_.message -match "Image.*.*\cscript.exe" -or $_.message -match "Image.*.*\sh.exe" -or $_.message -match "Image.*.*\bash.exe" -or $_.message -match "Image.*.*\reg.exe" -or $_.message -match "Image.*.*\regsvr32.exe") -or ($_.message -match "Image.*.*\BITSADMIN.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_mshta_spawn_shell"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_mshta_spawn_shell"; + $detectedMessage = "Detects a Windows command line executable started from MSHTA"; + $result = $event | where { (($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\mshta.exe" -and (($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\reg.exe" -or $_.message -match "Image.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\BITSADMIN.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
diff --git a/Rules/SIGMA/process_creation/win_multiple_suspicious_cli.ps1 b/Rules/SIGMA/process_creation/win_multiple_suspicious_cli.ps1 new file mode 100644 index 00000000..4bc7049a --- /dev/null +++ b/Rules/SIGMA/process_creation/win_multiple_suspicious_cli.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*arp.exe.*" -or $_.message -match "CommandLine.*.*at.exe.*" -or $_.message -match "CommandLine.*.*attrib.exe.*" -or $_.message -match "CommandLine.*.*cscript.exe.*" -or $_.message -match "CommandLine.*.*dsquery.exe.*" -or $_.message -match "CommandLine.*.*hostname.exe.*" -or $_.message -match "CommandLine.*.*ipconfig.exe.*" -or $_.message -match "CommandLine.*.*mimikatz.exe.*" -or $_.message -match "CommandLine.*.*nbtstat.exe.*" -or $_.message -match "CommandLine.*.*net.exe.*" -or $_.message -match "CommandLine.*.*netsh.exe.*" -or $_.message -match "CommandLine.*.*nslookup.exe.*" -or $_.message -match "CommandLine.*.*ping.exe.*" -or $_.message -match "CommandLine.*.*quser.exe.*" -or $_.message -match "CommandLine.*.*qwinsta.exe.*" -or $_.message -match "CommandLine.*.*reg.exe.*" -or $_.message -match "CommandLine.*.*runas.exe.*" -or $_.message -match "CommandLine.*.*sc.exe.*" -or $_.message -match "CommandLine.*.*schtasks.exe.*" -or $_.message -match "CommandLine.*.*ssh.exe.*" -or $_.message -match "CommandLine.*.*systeminfo.exe.*" -or $_.message -match "CommandLine.*.*taskkill.exe.*" -or $_.message -match "CommandLine.*.*telnet.exe.*" -or $_.message -match "CommandLine.*.*tracert.exe.*" -or $_.message -match "CommandLine.*.*wscript.exe.*" -or $_.message -match "CommandLine.*.*xcopy.exe.*" -or $_.message -match "CommandLine.*.*pscp.exe.*" -or $_.message -match "CommandLine.*.*copy.exe.*" -or $_.message -match "CommandLine.*.*robocopy.exe.*" -or $_.message -match "CommandLine.*.*certutil.exe.*" -or $_.message -match "CommandLine.*.*vssadmin.exe.*" -or $_.message -match "CommandLine.*.*powershell.exe.*" -or $_.message -match "CommandLine.*.*wevtutil.exe.*" -or $_.message -match "CommandLine.*.*psexec.exe.*" -or $_.message -match "CommandLine.*.*bcedit.exe.*" -or $_.message -match "CommandLine.*.*wbadmin.exe.*" -or $_.message 
-match "CommandLine.*.*icacls.exe.*" -or $_.message -match "CommandLine.*.*diskpart.exe.*")) } | group-object MachineName | where { $_.count -gt 5 } | select name,count | sort -desc + +function Add-Rule { + + $ruleName = "win_multiple_suspicious_cli"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_multiple_suspicious_cli"; + $detectedMessage = "Detects multiple suspicious process in a limited timeframe"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*arp.exe.*" -or $_.message -match "CommandLine.*.*at.exe.*" -or $_.message -match "CommandLine.*.*attrib.exe.*" -or $_.message -match "CommandLine.*.*cscript.exe.*" -or $_.message -match "CommandLine.*.*dsquery.exe.*" -or $_.message -match "CommandLine.*.*hostname.exe.*" -or $_.message -match "CommandLine.*.*ipconfig.exe.*" -or $_.message -match "CommandLine.*.*mimikatz.exe.*" -or $_.message -match "CommandLine.*.*nbtstat.exe.*" -or $_.message -match "CommandLine.*.*net.exe.*" -or $_.message -match "CommandLine.*.*netsh.exe.*" -or $_.message -match "CommandLine.*.*nslookup.exe.*" -or $_.message -match "CommandLine.*.*ping.exe.*" -or $_.message -match "CommandLine.*.*quser.exe.*" -or $_.message -match "CommandLine.*.*qwinsta.exe.*" -or $_.message -match "CommandLine.*.*reg.exe.*" -or $_.message -match "CommandLine.*.*runas.exe.*" -or $_.message -match "CommandLine.*.*sc.exe.*" -or $_.message -match "CommandLine.*.*schtasks.exe.*" -or $_.message -match "CommandLine.*.*ssh.exe.*" -or $_.message -match "CommandLine.*.*systeminfo.exe.*" -or $_.message -match "CommandLine.*.*taskkill.exe.*" -or $_.message -match "CommandLine.*.*telnet.exe.*" -or $_.message -match "CommandLine.*.*tracert.exe.*" -or $_.message -match "CommandLine.*.*wscript.exe.*" -or $_.message -match "CommandLine.*.*xcopy.exe.*" -or $_.message -match "CommandLine.*.*pscp.exe.*" -or $_.message -match "CommandLine.*.*copy.exe.*" -or $_.message -match 
"CommandLine.*.*robocopy.exe.*" -or $_.message -match "CommandLine.*.*certutil.exe.*" -or $_.message -match "CommandLine.*.*vssadmin.exe.*" -or $_.message -match "CommandLine.*.*powershell.exe.*" -or $_.message -match "CommandLine.*.*wevtutil.exe.*" -or $_.message -match "CommandLine.*.*psexec.exe.*" -or $_.message -match "CommandLine.*.*bcedit.exe.*" -or $_.message -match "CommandLine.*.*wbadmin.exe.*" -or $_.message -match "CommandLine.*.*icacls.exe.*" -or $_.message -match "CommandLine.*.*diskpart.exe.*")) } | group-object MachineName | where { $_.count -gt 5 } | select name, count | sort -desc; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_net_enum.ps1 b/Rules/SIGMA/process_creation/win_net_enum.ps1 new file mode 100644 index 00000000..2591898a --- /dev/null +++ b/Rules/SIGMA/process_creation/win_net_enum.ps1 
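Review bot: `$detectedMessage` promises detection "in a limited timeframe", but the filter has no time window — it groups every matching event in `$event` by `MachineName` and reports any host with more than 5, so over a full Sysmon log the routine tools on the list (`ping.exe`, `ipconfig.exe`, `net.exe`, `powershell.exe`) push almost every host past the threshold. Either document that the window is whatever slice of events the caller passes in, or add a time bucket to the grouping key, e.g. `group-object MachineName, { $_.TimeCreated.ToString('yyyy-MM-dd HH') }`. Two smaller defects on the same line: `"CommandLine.*.*bcedit.exe.*"` is a typo for `bcdedit.exe` (the WannaCry rule in this same change spells it `bcdedit`), so that indicator never matches; and `sort -desc` names no property, so the `name, count` objects are not ordered by hit count as the pipeline suggests — use `sort Count -desc`.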
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\net.exe" -or $_.message -match "Image.*.*\net1.exe") -and $_.message -match "CommandLine.*.*view.*") -and -not ($_.message -match "CommandLine.*.*\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_net_enum"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_net_enum"; + $detectedMessage = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool."; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*view.*") -and -not ($_.message -match "CommandLine.*.*\\\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_net_user_add.ps1 b/Rules/SIGMA/process_creation/win_net_user_add.ps1 new file mode 100644 index 00000000..29298766 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_net_user_add.ps1 
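Review bot: The exclusion `-not ($_.message -match "CommandLine.*.*\\\\.*")` — presumably meant to drop `net view \\host`, which targets one machine rather than enumerating the network — is evaluated against the whole message, and `CommandLine.*` also matches the `ParentCommandLine:` line, so a bare `net view` is suppressed whenever its parent was started with a UNC path on its command line (a script launched from a file share, for instance). That makes the blind spot depend on parent context the attacker controls. If the Sysmon one-field-per-line layout applies, anchor the exclusion and the verb test to the child's own command line: `-not ($_.message -match "(?m)^CommandLine:.*\\\\")` and `$_.message -match "(?m)^CommandLine:.*\bview\b"`.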
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\net.exe" -or $_.message -match "Image.*.*\net1.exe") -and $_.message -match "CommandLine.*.*user.*" -and $_.message -match "CommandLine.*.*add.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_net_user_add";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_net_user_add";
+ $detectedMessage = "Identifies creation of local users via the net.exe command.";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*user.*" -and $_.message -match "CommandLine.*.*add.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_netsh_allow_port_rdp.ps1 b/Rules/SIGMA/process_creation/win_netsh_allow_port_rdp.ps1
new file mode 100644
index 00000000..146d4d7d
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_netsh_allow_port_rdp.ps1
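Review bot: The two command-line tests are bare substrings, so `user` is satisfied by any `C:\Users\…` path and `add` by `address`, `padding` or anything on the `ParentCommandLine:` line, which means `net.exe` invoked with a full path or from a profile directory trips the rule without any account being created. `net user <name> <password> /add` always places the switch after the `user` verb, so one anchored test is both tighter and simpler: `$_.message -match "(?m)^CommandLine:.*\buser\b.*\s/add\b"` (this assumes the Sysmon rendered message keeps one field per line; `-match` is case-insensitive by default, so `/ADD` is still caught).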
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*netsh.*" -and (($_.message -match "CommandLine.*.*firewall add portopening.*" -and $_.message -match "CommandLine.*.*tcp 3389.*") -or ($_.message -match "CommandLine.*.*advfirewall firewall add rule.*" -and $_.message -match "CommandLine.*.*action=allow.*" -and $_.message -match "CommandLine.*.*protocol=TCP.*" -and $_.message -match "CommandLine.*.*localport=3389.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_netsh_allow_port_rdp"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_netsh_allow_port_rdp"; + $detectedMessage = "Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*netsh.*" -and (($_.message -match "CommandLine.*.*firewall add portopening.*" -and $_.message -match "CommandLine.*.*tcp 3389.*") -or ($_.message -match "CommandLine.*.*advfirewall firewall add rule.*" -and $_.message -match "CommandLine.*.*action=allow.*" -and $_.message -match "CommandLine.*.*protocol=TCP.*" -and $_.message -match "CommandLine.*.*localport=3389.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_netsh_fw_add.ps1 b/Rules/SIGMA/process_creation/win_netsh_fw_add.ps1 new file mode 100644 index 00000000..aa9b5031 --- /dev/null 
+++ b/Rules/SIGMA/process_creation/win_netsh_fw_add.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\netsh.exe" -and $_.message -match "CommandLine.*.*firewall.*" -and $_.message -match "CommandLine.*.*add.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_netsh_fw_add"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_netsh_fw_add"; + $detectedMessage = "Allow Incoming Connections by Port or Application on Windows Firewall"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*firewall.*" -and $_.message -match "CommandLine.*.*add.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_netsh_fw_add_susp_image.ps1 b/Rules/SIGMA/process_creation/win_netsh_fw_add_susp_image.ps1 new file mode 100644 index 00000000..b07839cc --- /dev/null +++ b/Rules/SIGMA/process_creation/win_netsh_fw_add_susp_image.ps1 
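Review bot: `$detectedMessage` ("Allow Incoming Connections by Port or Application on Windows Firewall") claims more than the filter checks: it matches any `netsh.exe` command line containing `firewall` and `add`, with no test for `action=allow`, `allowedprogram` or `dir=in`, so an `advfirewall firewall add rule … action=block` hardening command is reported under an "allow incoming" label. Either add the allow condition (`-and $_.message -match "CommandLine.*.*(action=allow|allowedprogram).*"`) or reword the message to what is detected, e.g. `"netsh firewall rule added - inspect action=/dir= to see whether it opens inbound access"`. The sibling rule win_netsh_fw_add_susp_image in this change already carries the allow/program conditions, so if this one is meant to be the broad catch-all a comment saying so would stop someone from "fixing" one against the other.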
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.ID -eq "1" -and $_.message -match "Image.*.*\netsh.exe" -and $_.message -match "CommandLine.*.*firewall.*" -and $_.message -match "CommandLine.*.*add.*" -and ($_.message -match "CommandLine.*.*allowedprogram.*" -or ($_.message -match "CommandLine.*.*advfirewall.*" -and $_.message -match "CommandLine.*.*rule.*" -and $_.message -match "CommandLine.*.*action=allow.*" -and $_.message -match "CommandLine.*.*program=.*"))) -and (($_.message -match "CommandLine.*.*%TEMP%.*" -or $_.message -match "CommandLine.*.*:\RECYCLER\.*" -or $_.message -match "CommandLine.*.*C:\$Recycle.bin\.*" -or $_.message -match "CommandLine.*.*:\SystemVolumeInformation\.*" -or $_.message -match "CommandLine.*.*C:\Windows\Temp\.*" -or $_.message -match "CommandLine.*.*C:\Temp\.*" -or $_.message -match "CommandLine.*.*C:\Users\Public\.*" -or $_.message -match "CommandLine.*.*C:\Users\Default\.*" -or $_.message -match "CommandLine.*.*C:\Users\Desktop\.*" -or $_.message -match "CommandLine.*.*\Downloads\.*" -or $_.message -match "CommandLine.*.*\Temporary Internet Files\Content.Outlook\.*" -or $_.message -match "CommandLine.*.*\Local Settings\Temporary Internet Files\.*") -or ($_.message -match "CommandLine.*C:\Windows\Tasks\.*" -or $_.message -match "CommandLine.*C:\Windows\debug\.*" -or $_.message -match "CommandLine.*C:\Windows\fonts\.*" -or $_.message -match "CommandLine.*C:\Windows\help\.*" -or $_.message -match "CommandLine.*C:\Windows\drivers\.*" -or $_.message -match "CommandLine.*C:\Windows\addins\.*" -or $_.message -match "CommandLine.*C:\Windows\cursors\.*" -or $_.message -match "CommandLine.*C:\Windows\system32\tasks\.*" -or $_.message -match "CommandLine.*%Public%\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_netsh_fw_add_susp_image"; + $detectRule = { + + function Search-DetectableEvents { + param ( + 
$event + ) + + $ruleName = "win_netsh_fw_add_susp_image"; + $detectedMessage = "Detects Netsh commands that allows a suspcious application location on Windows Firewall"; + $result = $event | where { (($_.ID -eq "1") -and ($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*firewall.*" -and $_.message -match "CommandLine.*.*add.*" -and ($_.message -match "CommandLine.*.*allowedprogram.*" -or ($_.message -match "CommandLine.*.*advfirewall.*" -and $_.message -match "CommandLine.*.*rule.*" -and $_.message -match "CommandLine.*.*action=allow.*" -and $_.message -match "CommandLine.*.*program=.*"))) -and (($_.message -match "CommandLine.*.*%TEMP%.*" -or $_.message -match "CommandLine.*.*:\\RECYCLER\\.*" -or $_.message -match "CommandLine.*.*C:\\$Recycle.bin\\.*" -or $_.message -match "CommandLine.*.*:\\SystemVolumeInformation\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\Temp\\.*" -or $_.message -match "CommandLine.*.*C:\\Temp\\.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Public\\.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Default\\.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Desktop\\.*" -or $_.message -match "CommandLine.*.*\\Downloads\\.*" -or $_.message -match "CommandLine.*.*\\Temporary Internet Files\\Content.Outlook\\.*" -or $_.message -match "CommandLine.*.*\\Local Settings\\Temporary Internet Files\\.*") -or ($_.message -match "CommandLine.*C:\\Windows\\Tasks\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\debug\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\fonts\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\help\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\drivers\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\addins\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\cursors\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\system32\\tasks\\.*" -or $_.message -match "CommandLine.*%Public%\\.*"))) } | select TimeCreated, Id, RecordId, 
ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_netsh_packet_capture.ps1 b/Rules/SIGMA/process_creation/win_netsh_packet_capture.ps1 new file mode 100644 index 00000000..90db2035 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_netsh_packet_capture.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*netsh.*" -and $_.message -match "CommandLine.*.*trace.*" -and $_.message -match "CommandLine.*.*start.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_netsh_packet_capture"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_netsh_packet_capture"; + $detectedMessage = "Detects capture a network trace via netsh.exe trace functionality"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*netsh.*" -and $_.message -match "CommandLine.*.*trace.*" -and $_.message -match "CommandLine.*.*start.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
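Review bot: `"CommandLine.*.*C:\\$Recycle.bin\\.*"` is a double-quoted PowerShell string, so `$Recycle` is expanded as a variable before the regex is ever compiled; with no such variable the pattern silently becomes `C:\\.bin\\` (any single character followed by `bin\`), and under `Set-StrictMode` the rule throws on every event, so the `$Recycle.Bin` indicator never matches the path it was written for. Use a single-quoted string and escape the regex metacharacters: `$_.message -match 'CommandLine.*.*C:\\\$Recycle\.bin\\.*'`. The same line also carries the redundant `($_.ID -eq "1") -and ($_.ID -eq "1" -and …` double test, harmless but worth collapsing while the line is being touched.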
diff --git a/Rules/SIGMA/process_creation/win_netsh_port_fwd.ps1 b/Rules/SIGMA/process_creation/win_netsh_port_fwd.ps1
new file mode 100644
index 00000000..582dd0f7
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_netsh_port_fwd.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\netsh.exe" -and (($_.message -match "CommandLine.*.*interface.*" -and $_.message -match "CommandLine.*.*portproxy.*" -and $_.message -match "CommandLine.*.*add.*" -and $_.message -match "CommandLine.*.*v4tov4.*") -or ($_.message -match "CommandLine.*.*connectp.*" -and $_.message -match "CommandLine.*.*listena.*" -and $_.message -match "CommandLine.*.*c=.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_netsh_port_fwd";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_netsh_port_fwd";
+ $detectedMessage = "Detects netsh commands that configure a port forwarding (PortProxy)";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and (($_.message -match "CommandLine.*.*interface.*" -and $_.message -match "CommandLine.*.*portproxy.*" -and $_.message -match "CommandLine.*.*add.*" -and $_.message -match "CommandLine.*.*v4tov4.*") -or ($_.message -match "CommandLine.*.*connectp.*" -and $_.message -match "CommandLine.*.*listena.*" -and $_.message -match "CommandLine.*.*c=.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
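Review bot: The `# Get-WinEvent` one-liner at the top of the file writes the image pattern as `"Image.*.*\netsh.exe"` with a single backslash, which the .NET regex engine reads as an escape sequence rather than a path separator, so the documented manual query does not match what the rule's own code (`\\netsh.exe`) matches; the same slip is in the comment lines of win_netsh_port_fwd_3389 and win_netsh_wifi_credential_harvesting (`\netsh.exe`), win_network_sniffing (`\tshark.exe`, `\windump.exe`) and win_new_service_creation (`\sc.exe`, `\powershell.exe`). Mirroring the code's double backslash in those comments fixes it. As a style point, `Write-Host "Rule Import Error" -Foreground Yellow` does not say which rule failed to register; `Write-Host "Rule Import Error: $ruleName" -ForegroundColor Yellow` would, and spells out the abbreviated parameter name. That applies to every Add-Rule in this diff, as does the mix of `} else {` (win_netsh_port_fwd_3389, win_netsh_wifi_credential_harvesting, win_possible_applocker_bypass) and own-line `else` used here.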
diff --git a/Rules/SIGMA/process_creation/win_netsh_port_fwd_3389.ps1 b/Rules/SIGMA/process_creation/win_netsh_port_fwd_3389.ps1 new file mode 100644 index 00000000..aef08d7b --- /dev/null +++ b/Rules/SIGMA/process_creation/win_netsh_port_fwd_3389.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\netsh.exe" -and $_.message -match "CommandLine.*.*i.*" -and $_.message -match "CommandLine.*.* p.*" -and $_.message -match "CommandLine.*.*=3389.*" -and $_.message -match "CommandLine.*.* c.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_netsh_port_fwd_3389"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_netsh_port_fwd_3389"; + $detectedMessage = "Detects netsh commands that configure a port forwarding of port 3389 used for RDP"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*i.*" -and $_.message -match "CommandLine.*.* p.*" -and $_.message -match "CommandLine.*.*=3389.*" -and $_.message -match "CommandLine.*.* c.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_netsh_wifi_credential_harvesting.ps1 b/Rules/SIGMA/process_creation/win_netsh_wifi_credential_harvesting.ps1 new file mode 100644 index 00000000..1dce0dfe --- /dev/null +++ b/Rules/SIGMA/process_creation/win_netsh_wifi_credential_harvesting.ps1 
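Review bot: In the `where` filter, `CommandLine.*.*i.*`, `CommandLine.*.* p.*` and `CommandLine.*.* c.*` match practically any command line, so once `Image.*.*\\netsh.exe` holds the only term doing real work is `CommandLine.*.*=3389.*`. If the single-letter terms are intentional (they appear to mirror netsh's abbreviated argument syntax from the upstream rule), a comment above `$result` saying so would stop the next maintainer from reading them as a bug, e.g. `# 'i', ' p' and ' c' follow netsh's abbreviated syntax and match almost anything; '=3389' is the effective discriminator.` The ` s`, ` p` and ` k` terms in win_netsh_wifi_credential_harvesting are in the same position, with `wlan` and `=clear` carrying that detection.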
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\netsh.exe" -and $_.message -match "CommandLine.*.*wlan.*" -and $_.message -match "CommandLine.*.* s.*" -and $_.message -match "CommandLine.*.* p.*" -and $_.message -match "CommandLine.*.* k.*" -and $_.message -match "CommandLine.*.*=clear.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_netsh_wifi_credential_harvesting"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_netsh_wifi_credential_harvesting"; + $detectedMessage = "Detect the harvesting of wifi credentials using netsh.exe"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*wlan.*" -and $_.message -match "CommandLine.*.* s.*" -and $_.message -match "CommandLine.*.* p.*" -and $_.message -match "CommandLine.*.* k.*" -and $_.message -match "CommandLine.*.*=clear.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_network_sniffing.ps1 b/Rules/SIGMA/process_creation/win_network_sniffing.ps1 new file mode 100644 index 00000000..06c0870a --- /dev/null +++ b/Rules/SIGMA/process_creation/win_network_sniffing.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\tshark.exe" -and $_.message -match "CommandLine.*.*-i.*") -or $_.message -match "Image.*.*\windump.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_network_sniffing"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_network_sniffing"; + $detectedMessage = "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\tshark.exe" -and $_.message -match "CommandLine.*.*-i.*") -or $_.message -match "Image.*.*\\windump.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_new_service_creation.ps1 b/Rules/SIGMA/process_creation/win_new_service_creation.ps1 new file mode 100644 index 00000000..ee5f9bd6 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_new_service_creation.ps1 
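Review bot: `$detectedMessage` is cut off mid-sentence (`... wired or wireless connection. An adversary`), so the text printed under `Detected! RuleName:` ends in a dangling fragment. Ending it at the first sentence keeps the alert output clean: `$detectedMessage = "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.";`.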
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\sc.exe" -and $_.message -match "CommandLine.*.*create.*" -and $_.message -match "CommandLine.*.*binpath.*") -or ($_.message -match "Image.*.*\powershell.exe" -and $_.message -match "CommandLine.*.*new-service.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_new_service_creation"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_new_service_creation"; + $detectedMessage = "Detects creation of a new service."; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sc.exe" -and $_.message -match "CommandLine.*.*create.*" -and $_.message -match "CommandLine.*.*binpath.*") -or ($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*new-service.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_nltest_query.ps1 b/Rules/SIGMA/process_creation/win_nltest_query.ps1 new file mode 100644 index 00000000..94aa59eb --- /dev/null +++ b/Rules/SIGMA/process_creation/win_nltest_query.ps1 
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\nltest.exe" -and $_.message -match "CommandLine.*.*\\query.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_nltest_query";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_nltest_query";
+ $detectedMessage = "Detects nltest query commands which may leak credential hashes";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\nltest.exe" -and $_.message -match "CommandLine.*.*\\query.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_non_interactive_powershell.ps1 b/Rules/SIGMA/process_creation/win_non_interactive_powershell.ps1
new file mode 100644
index 00000000..afccbf0d
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_non_interactive_powershell.ps1
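Review bot: `$_.message -match "CommandLine.*.*\\query.*"` requires a literal backslash before `query`, but nltest takes forward-slash switches (`nltest /query`), so this term looks like it can never match a real invocation and the rule would be dead on arrival. If the backslash was carried over from the upstream rule it is still worth confirming against the nltest syntax; `$_.message -match "CommandLine.*/query"` would match the switch form.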
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "Image.*.*\\powershell.exe" -and -not (($_.message -match "ParentImage.*.*\\explorer.exe" -or $_.message -match "ParentImage.*.*\\CompatTelRunner.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_non_interactive_powershell"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_non_interactive_powershell"; + $detectedMessage = "Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent."; + $result = $event | where { (($_.ID -eq "1") -and $_.message -match "Image.*.*\\powershell.exe" -and -not (($_.message -match "ParentImage.*.*\\explorer.exe" -or $_.message -match "ParentImage.*.*\\CompatTelRunner.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_non_priv_reg_or_ps.ps1 b/Rules/SIGMA/process_creation/win_non_priv_reg_or_ps.ps1 new file mode 100644 index 00000000..a9b0280b --- /dev/null +++ b/Rules/SIGMA/process_creation/win_non_priv_reg_or_ps.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.*add.*") -or ($_.message -match "CommandLine.*.*powershell.*" -and ($_.message -match "CommandLine.*.*set-itemproperty.*" -or $_.message -match "CommandLine.*.* sp .*" -or $_.message -match "CommandLine.*.*new-itemproperty.*"))) -and $_.message -match "CommandLine.*.*ControlSet.*" -and $_.message -match "CommandLine.*.*Services.*" -and ($_.message -match "CommandLine.*.*ImagePath.*" -or $_.message -match "CommandLine.*.*FailureCommand.*" -or $_.message -match "CommandLine.*.*ServiceDLL.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_non_priv_reg_or_ps"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_non_priv_reg_or_ps"; + $detectedMessage = "Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.*add.*") -or ($_.message -match "CommandLine.*.*powershell.*" -and ($_.message -match "CommandLine.*.*set-itemproperty.*" -or $_.message -match "CommandLine.*.* sp .*" -or $_.message -match "CommandLine.*.*new-itemproperty.*"))) -and $_.message -match "CommandLine.*.*ControlSet.*" -and $_.message -match "CommandLine.*.*Services.*" -and ($_.message -match "CommandLine.*.*ImagePath.*" -or $_.message -match "CommandLine.*.*FailureCommand.*" -or $_.message -match "CommandLine.*.*ServiceDLL.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! 
RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_office_shell.ps1 b/Rules/SIGMA/process_creation/win_office_shell.ps1 new file mode 100644 index 00000000..9e91d335 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_office_shell.ps1 
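Review bot: The runtime string `$detectedMessage` misspells "non-priveleged"; `$detectedMessage = "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry";` fixes the text operators see in the alert. In the same `where` filter `($_.ID -eq "1")` is tested twice, once at the start of the expression and again after the IntegrityLevel term, and the second copy can go. This hunk starts on the previous line.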
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\WINWORD.EXE" -or $_.message -match "ParentImage.*.*\\EXCEL.EXE" -or $_.message -match "ParentImage.*.*\\POWERPNT.exe" -or $_.message -match "ParentImage.*.*\\MSPUB.exe" -or $_.message -match "ParentImage.*.*\\VISIO.exe" -or $_.message -match "ParentImage.*.*\\OUTLOOK.EXE" -or $_.message -match "ParentImage.*.*\\MSACCESS.EXE" -or $_.message -match "ParentImage.*.*\\EQNEDT32.EXE") -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\scrcons.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\hh.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\forfiles.exe" -or $_.message -match "Image.*.*\\scriptrunner.exe" -or $_.message -match "Image.*.*\\mftrace.exe" -or $_.message -match "Image.*.*\\AppVLP.exe" -or $_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\msbuild.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_office_shell"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_office_shell"; + $detectedMessage = "Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\WINWORD.EXE" -or $_.message -match 
"ParentImage.*.*\\EXCEL.EXE" -or $_.message -match "ParentImage.*.*\\POWERPNT.exe" -or $_.message -match "ParentImage.*.*\\MSPUB.exe" -or $_.message -match "ParentImage.*.*\\VISIO.exe" -or $_.message -match "ParentImage.*.*\\OUTLOOK.EXE" -or $_.message -match "ParentImage.*.*\\MSACCESS.EXE" -or $_.message -match "ParentImage.*.*\\EQNEDT32.EXE") -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\scrcons.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\hh.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\forfiles.exe" -or $_.message -match "Image.*.*\\scriptrunner.exe" -or $_.message -match "Image.*.*\\mftrace.exe" -or $_.message -match "Image.*.*\\AppVLP.exe" -or $_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\msbuild.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_office_spawn_exe_from_users_directory.ps1 b/Rules/SIGMA/process_creation/win_office_spawn_exe_from_users_directory.ps1 new file mode 100644 index 00000000..e2988acd --- /dev/null 
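Review bot: `$detectedMessage` says the interpreter was started from "Word, Excel, Powerpoint, Publisher and Visio", but the ParentImage list in the filter also includes OUTLOOK.EXE, MSACCESS.EXE and EQNEDT32.EXE, so an alert raised by one of those parents is described wrongly. Naming every parent keeps the message honest, e.g. `$detectedMessage = "Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher, Visio, Outlook, Access or Equation Editor";`. This hunk starts on the previous line.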
+++ b/Rules/SIGMA/process_creation/win_office_spawn_exe_from_users_directory.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\WINWORD.EXE" -or $_.message -match "ParentImage.*.*\\EXCEL.EXE" -or $_.message -match "ParentImage.*.*\\POWERPNT.exe" -or $_.message -match "ParentImage.*.*\\MSPUB.exe" -or $_.message -match "ParentImage.*.*\\VISIO.exe") -and $_.message -match "Image.*C:\\users\\.*" -and $_.message -match "Image.*.*.exe") -and -not ($_.message -match "Image.*.*\\Teams.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_office_spawn_exe_from_users_directory"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_office_spawn_exe_from_users_directory"; + $detectedMessage = "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\WINWORD.EXE" -or $_.message -match "ParentImage.*.*\\EXCEL.EXE" -or $_.message -match "ParentImage.*.*\\POWERPNT.exe" -or $_.message -match "ParentImage.*.*\\MSPUB.exe" -or $_.message -match "ParentImage.*.*\\VISIO.exe") -and $_.message -match "Image.*C:\\users\\.*" -and $_.message -match "Image.*.*.exe") -and -not ($_.message -match "Image.*.*\\Teams.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
diff --git a/Rules/SIGMA/process_creation/win_plugx_susp_exe_locations.ps1 b/Rules/SIGMA/process_creation/win_plugx_susp_exe_locations.ps1 new file mode 100644 index 00000000..3e6dcbbc --- /dev/null +++ b/Rules/SIGMA/process_creation/win_plugx_susp_exe_locations.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((((((((((((($_.ID -eq "1") -and $_.message -match "Image.*.*\\CamMute.exe" -and -not (($_.message -match "Image.*.*\\Lenovo\\Communication Utility\\.*" -or $_.message -match "Image.*.*\\Lenovo\\Communications Utility\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\chrome_frame_helper.exe" -and -not ($_.message -match "Image.*.*\\Google\\Chrome\\application\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\dvcemumanager.exe" -and -not ($_.message -match "Image.*.*\\Microsoft Device Emulator\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\Gadget.exe" -and -not ($_.message -match "Image.*.*\\Windows Media Player\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\hcc.exe" -and -not ($_.message -match "Image.*.*\\HTML Help Workshop\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\hkcmd.exe" -and -not (($_.message -match "Image.*.*\\System32\\.*" -or $_.message -match "Image.*.*\\SysNative\\.*" -or $_.message -match "Image.*.*\\SysWowo64\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\Mc.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\MsMpEng.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Security Client\\.*" -or $_.message -match "Image.*.*\\Windows Defender\\.*" -or $_.message -match "Image.*.*\\AntiMalware\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\msseces.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Security Center\\.*" -or $_.message -match "Image.*.*\\Microsoft Security Client\\.*" -or $_.message -match "Image.*.*\\Microsoft Security Essentials\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\OInfoP11.exe" -and -not 
($_.message -match "Image.*.*\\Common Files\\Microsoft Shared\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\OleView.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*" -or $_.message -match "Image.*.*\\Windows Resource Kit\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\rc.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*" -or $_.message -match "Image.*.*\\Windows Resource Kit\\.*" -or $_.message -match "Image.*.*\\Microsoft.NET\\.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_plugx_susp_exe_locations"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_plugx_susp_exe_locations"; + $detectedMessage = "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location"; + $result = $event | where { (($_.ID -eq "1") -and ((((((((((((($_.ID -eq "1") -and $_.message -match "Image.*.*\\CamMute.exe" -and -not (($_.message -match "Image.*.*\\Lenovo\\Communication Utility\\.*" -or $_.message -match "Image.*.*\\Lenovo\\Communications Utility\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\chrome_frame_helper.exe" -and -not ($_.message -match "Image.*.*\\Google\\Chrome\\application\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\dvcemumanager.exe" -and -not ($_.message -match "Image.*.*\\Microsoft Device Emulator\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\Gadget.exe" -and -not ($_.message -match "Image.*.*\\Windows Media Player\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\hcc.exe" -and -not ($_.message -match "Image.*.*\\HTML Help Workshop\\.*"))) -or 
(($_.ID -eq "1") -and $_.message -match "Image.*.*\\hkcmd.exe" -and -not (($_.message -match "Image.*.*\\System32\\.*" -or $_.message -match "Image.*.*\\SysNative\\.*" -or $_.message -match "Image.*.*\\SysWowo64\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\Mc.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\MsMpEng.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Security Client\\.*" -or $_.message -match "Image.*.*\\Windows Defender\\.*" -or $_.message -match "Image.*.*\\AntiMalware\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\msseces.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Security Center\\.*" -or $_.message -match "Image.*.*\\Microsoft Security Client\\.*" -or $_.message -match "Image.*.*\\Microsoft Security Essentials\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\OInfoP11.exe" -and -not ($_.message -match "Image.*.*\\Common Files\\Microsoft Shared\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\OleView.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*" -or $_.message -match "Image.*.*\\Windows Resource Kit\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\rc.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*" -or $_.message -match "Image.*.*\\Windows Resource Kit\\.*" -or $_.message -match "Image.*.*\\Microsoft.NET\\.*"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! 
RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_possible_applocker_bypass.ps1 b/Rules/SIGMA/process_creation/win_possible_applocker_bypass.ps1 new file mode 100644 index 00000000..5941e1be --- /dev/null +++ b/Rules/SIGMA/process_creation/win_possible_applocker_bypass.ps1 
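Review bot: The hkcmd.exe exclusion spells the directory `\\SysWowo64\\` (in the `-not (...)` group after `Image.*.*\\hkcmd.exe`), which does not match the real `SysWOW64` path, so a legitimate hkcmd.exe under that directory is not excluded and will raise this alert; `$_.message -match "Image.*.*\\SysWOW64\\.*"` is the intended term. The typo may be inherited from the upstream rule, but it is worth fixing here regardless. The thirteen inner `($_.ID -eq "1")` tests are redundant with the outer one and only lengthen an already hard-to-read expression. This hunk begins three lines earlier.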
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\msdt.exe.*" -or $_.message -match "CommandLine.*.*\\installutil.exe.*" -or $_.message -match "CommandLine.*.*\\regsvcs.exe.*" -or $_.message -match "CommandLine.*.*\\regasm.exe.*" -or $_.message -match "CommandLine.*.*\\msbuild.exe.*" -or $_.message -match "CommandLine.*.*\\ieexec.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_possible_applocker_bypass"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_possible_applocker_bypass"; + $detectedMessage = "Detects execution of executables that can be used to bypass Applocker whitelisting"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\msdt.exe.*" -or $_.message -match "CommandLine.*.*\\installutil.exe.*" -or $_.message -match "CommandLine.*.*\\regsvcs.exe.*" -or $_.message -match "CommandLine.*.*\\regasm.exe.*" -or $_.message -match "CommandLine.*.*\\msbuild.exe.*" -or $_.message -match "CommandLine.*.*\\ieexec.exe.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_powershell_amsi_bypass.ps1 b/Rules/SIGMA/process_creation/win_powershell_amsi_bypass.ps1 new file mode 100644 index 00000000..d180631f --- /dev/null +++ b/Rules/SIGMA/process_creation/win_powershell_amsi_bypass.ps1 
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*System.Management.Automation.AmsiUtils.*") -and ($_.message -match "CommandLine.*.*amsiInitFailed.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_amsi_bypass";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_amsi_bypass";
+ $detectedMessage = "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*System.Management.Automation.AmsiUtils.*") -and ($_.message -match "CommandLine.*.*amsiInitFailed.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powershell_audio_capture.ps1 b/Rules/SIGMA/process_creation/win_powershell_audio_capture.ps1
new file mode 100644
index 00000000..b75ea502
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_audio_capture.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*WindowsAudioDevice-Powershell-Cmdlet.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_audio_capture";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_audio_capture";
+ $detectedMessage = "Detects audio capture via PowerShell Cmdlet.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*WindowsAudioDevice-Powershell-Cmdlet.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powershell_b64_shellcode.ps1 b/Rules/SIGMA/process_creation/win_powershell_b64_shellcode.ps1
new file mode 100644
index 00000000..92a43f52
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_b64_shellcode.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*AAAAYInlM.*" -and ($_.message -match "CommandLine.*.*OiCAAAAYInlM.*" -or $_.message -match "CommandLine.*.*OiJAAAAYInlM.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_b64_shellcode";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_b64_shellcode";
+ $detectedMessage = "Detects Base64 encoded Shellcode";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*AAAAYInlM.*" -and ($_.message -match "CommandLine.*.*OiCAAAAYInlM.*" -or $_.message -match "CommandLine.*.*OiJAAAAYInlM.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powershell_bitsjob.ps1 b/Rules/SIGMA/process_creation/win_powershell_bitsjob.ps1
new file mode 100644
index 00000000..cfa68ca5
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_bitsjob.ps1
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Start-BitsTransfer.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_bitsjob";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_bitsjob";
+ $detectedMessage = "Detect download by BITS jobs via PowerShell";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Start-BitsTransfer.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powershell_defender_exclusion.ps1 b/Rules/SIGMA/process_creation/win_powershell_defender_exclusion.ps1
new file mode 100644
index 00000000..c9caf307
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_defender_exclusion.ps1
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Add-MpPreference .*" -and ($_.message -match "CommandLine.*.* -ExclusionPath .*" -or $_.message -match "CommandLine.*.* -ExclusionExtension .*" -or $_.message -match "CommandLine.*.* -ExclusionProcess .*")) -or ($_.message -match "CommandLine.*.*QWRkLU1wUHJlZmVyZW5jZ.*" -or $_.message -match "CommandLine.*.*FkZC1NcFByZWZlcmVuY2.*" -or $_.message -match "CommandLine.*.*BZGQtTXBQcmVmZXJlbmNl.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_defender_exclusion";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_defender_exclusion";
+ $detectedMessage = "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Add-MpPreference .*" -and ($_.message -match "CommandLine.*.* -ExclusionPath .*" -or $_.message -match "CommandLine.*.* -ExclusionExtension .*" -or $_.message -match "CommandLine.*.* -ExclusionProcess .*")) -or ($_.message -match "CommandLine.*.*QWRkLU1wUHJlZmVyZW5jZ.*" -or $_.message -match "CommandLine.*.*FkZC1NcFByZWZlcmVuY2.*" -or $_.message -match "CommandLine.*.*BZGQtTXBQcmVmZXJlbmNl.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
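Review bot: The three opaque substrings `QWRkLU1wUHJlZmVyZW5jZ`, `FkZC1NcFByZWZlcmVuY2` and `BZGQtTXBQcmVmZXJlbmNl` in the `$result` filter carry no explanation, and a maintainer cannot tell whether they may be edited; they appear to be the Base64 encodings of `Add-MpPreference` at the three possible byte alignments, which is worth stating next to them, e.g. `# Base64 forms of "Add-MpPreference" at each alignment, for -EncodedCommand invocations (verify before changing)`. The outer `($_.ID -eq "1") -and (($_.ID -eq "1" -and ...` repeats the event-id test; the inner copy can be dropped to make the grouping readable.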
diff --git a/Rules/SIGMA/process_creation/win_powershell_disable_windef_av.ps1 b/Rules/SIGMA/process_creation/win_powershell_disable_windef_av.ps1
new file mode 100644
index 00000000..bb45ca1e
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_disable_windef_av.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*-DisableBehaviorMonitoring $true.*" -or $_.message -match "CommandLine.*.*-DisableRuntimeMonitoring $true.*")) -or ($_.message -match "CommandLine.*.*sc.*" -and $_.message -match "CommandLine.*.*stop.*" -and $_.message -match "CommandLine.*.*WinDefend.*") -or ($_.message -match "CommandLine.*.*sc.*" -and $_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*WinDefend.*" -and $_.message -match "CommandLine.*.*start=disabled.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_disable_windef_av";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_disable_windef_av";
+ $detectedMessage = "Detects attackers attempting to disable Windows Defender using Powershell";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*-DisableBehaviorMonitoring $true.*" -or $_.message -match "CommandLine.*.*-DisableRuntimeMonitoring $true.*")) -or ($_.message -match "CommandLine.*.*sc.*" -and $_.message -match "CommandLine.*.*stop.*" -and $_.message -match "CommandLine.*.*WinDefend.*") -or ($_.message -match "CommandLine.*.*sc.*" -and $_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*WinDefend.*" -and $_.message -match "CommandLine.*.*start=disabled.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powershell_dll_execution.ps1 b/Rules/SIGMA/process_creation/win_powershell_dll_execution.ps1
new file mode 100644
index 00000000..aece6971
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_dll_execution.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\rundll32.exe") -or ($_.message -match "Description.*.*Windows-Hostprozess (Rundll32).*")) -and ($_.message -match "CommandLine.*.*Default.GetString.*" -or $_.message -match "CommandLine.*.*FromBase64String.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_dll_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_dll_execution";
+ $detectedMessage = "Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\rundll32.exe") -or ($_.message -match "Description.*.*Windows-Hostprozess (Rundll32).*")) -and ($_.message -match "CommandLine.*.*Default.GetString.*" -or $_.message -match "CommandLine.*.*FromBase64String.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
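Review bot: In win_powershell_disable_windef_av the two Defender patterns are double-quoted, so `$true` is interpolated before the regex is compiled and the `$result` filter actually searches for `-DisableBehaviorMonitoring True`, which never matches the literal `$true` that appears in a real command line; the first branch of this rule is therefore dead. Single-quote the patterns and escape the dollar for the regex engine: `'CommandLine.*.*-DisableBehaviorMonitoring \$true.*'` and `'CommandLine.*.*-DisableRuntimeMonitoring \$true.*'`. A short comment on those lines saying why single quotes are required would stop the next editor from "normalising" them back.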
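Review bot: In win_powershell_dll_execution the pattern `"Description.*.*Windows-Hostprozess (Rundll32).*"` uses unescaped parentheses, so the regex engine treats `(Rundll32)` as a capture group and the pattern matches `Windows-Hostprozess Rundll32` but not the parenthesised text it is meant to find; escape them: `"Description.*.*Windows-Hostprozess \(Rundll32\).*"`. The filter also tests `$_.ID -eq "1" -and ($_.ID -eq "1")` twice; dropping the second copy makes the grouping easier to read.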
diff --git a/Rules/SIGMA/process_creation/win_powershell_downgrade_attack.ps1 b/Rules/SIGMA/process_creation/win_powershell_downgrade_attack.ps1
new file mode 100644
index 00000000..2fc07d58
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_downgrade_attack.ps1
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -version 2 .*" -or $_.message -match "CommandLine.*.* -versio 2 .*" -or $_.message -match "CommandLine.*.* -versi 2 .*" -or $_.message -match "CommandLine.*.* -vers 2 .*" -or $_.message -match "CommandLine.*.* -ver 2 .*" -or $_.message -match "CommandLine.*.* -ve 2 .*") -and $_.message -match "Image.*.*\\powershell.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_downgrade_attack";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_downgrade_attack";
+ $detectedMessage = "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -version 2 .*" -or $_.message -match "CommandLine.*.* -versio 2 .*" -or $_.message -match "CommandLine.*.* -versi 2 .*" -or $_.message -match "CommandLine.*.* -vers 2 .*" -or $_.message -match "CommandLine.*.* -ver 2 .*" -or $_.message -match "CommandLine.*.* -ve 2 .*") -and $_.message -match "Image.*.*\\powershell.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powershell_download.ps1 b/Rules/SIGMA/process_creation/win_powershell_download.ps1
new file mode 100644
index 00000000..f57c9cfa
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_download.ps1
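Review bot: `$detectedMessage` says the rule works "by comparing the host versions with the actually used engine version 2.0", but the `$result` filter does no such comparison — it only looks for `-version 2` and its prefix abbreviations in the process-creation command line; the description should describe what this file checks, e.g. `"Detects powershell.exe started with a -version 2 switch (or an abbreviation of it), i.e. a request for the legacy v2 engine"`. The six patterns also all require a space after the `2`, so a value such as `-version 2.0` is not covered; if that is deliberate, a comment next to the pattern list should say so.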
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*new-object.*" -and $_.message -match "CommandLine.*.*net.webclient)..*" -and $_.message -match "CommandLine.*.*download.*" -and ($_.message -match "CommandLine.*.*string(.*" -or $_.message -match "CommandLine.*.*file(.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_download";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_download";
+ $detectedMessage = "Detects a Powershell process that contains download commands in its command line string";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*new-object.*" -and $_.message -match "CommandLine.*.*net.webclient)..*" -and $_.message -match "CommandLine.*.*download.*" -and ($_.message -match "CommandLine.*.*string(.*" -or $_.message -match "CommandLine.*.*file(.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powershell_frombase64string.ps1 b/Rules/SIGMA/process_creation/win_powershell_frombase64string.ps1
new file mode 100644
index 00000000..e525cbd2
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_frombase64string.ps1
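Review bot: Three of the patterns in the `$result` filter are not valid regular expressions: `"CommandLine.*.*net.webclient)..*"` has an unmatched `)` and `"CommandLine.*.*string(.*"` / `"CommandLine.*.*file(.*"` have unmatched `(`, so `-match` raises a regex parse error instead of returning a boolean. Because the terms are chained with `-and`, the error surfaces for any Sysmon event-1 record whose image is powershell.exe and whose command line contains `new-object`, which is exactly the population this rule exists to examine. Escape the brackets: `"CommandLine.*.*net.webclient\)..*"`, `"CommandLine.*.*string\(.*"`, `"CommandLine.*.*file\(.*"` (the sibling file win_powershell_frombase64string already does this with `\(`).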
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*::FromBase64String(.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_frombase64string";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_frombase64string";
+ $detectedMessage = "Detects suspicious FromBase64String expressions in command line arguments";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*::FromBase64String\(.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMesssage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powershell_reverse_shell_connection.ps1 b/Rules/SIGMA/process_creation/win_powershell_reverse_shell_connection.ps1
new file mode 100644
index 00000000..4b5b302e
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_reverse_shell_connection.ps1
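Review bot: `Write-Output $detectedMesssage;` misspells the variable (three `s`), so an undefined variable is written and the detection description never appears in the output for this rule; it should read `Write-Output $detectedMessage;`. Running the files under `Set-StrictMode -Version Latest` would have turned this into an error rather than a silent blank line. Separately, the query in the leading comment still has the unescaped `FromBase64String(` while the code correctly uses `FromBase64String\(`; the comment should be updated to match so it stays copy-pasteable.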
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*new-object system.net.sockets.tcpclient.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_reverse_shell_connection";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_reverse_shell_connection";
+ $detectedMessage = "Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*new-object system.net.sockets.tcpclient.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powershell_suspicious_parameter_variation.ps1 b/Rules/SIGMA/process_creation/win_powershell_suspicious_parameter_variation.ps1
new file mode 100644
index 00000000..de1f3378
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_suspicious_parameter_variation.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\Powershell.exe") -and ($_.message -match "CommandLine.*.* -windowstyle h .*" -or $_.message -match "CommandLine.*.* -windowstyl h.*" -or $_.message -match "CommandLine.*.* -windowsty h.*" -or $_.message -match "CommandLine.*.* -windowst h.*" -or $_.message -match "CommandLine.*.* -windows h.*" -or $_.message -match "CommandLine.*.* -windo h.*" -or $_.message -match "CommandLine.*.* -wind h.*" -or $_.message -match "CommandLine.*.* -win h.*" -or $_.message -match "CommandLine.*.* -wi h.*" -or $_.message -match "CommandLine.*.* -win h .*" -or $_.message -match "CommandLine.*.* -win hi .*" -or $_.message -match "CommandLine.*.* -win hid .*" -or $_.message -match "CommandLine.*.* -win hidd .*" -or $_.message -match "CommandLine.*.* -win hidde .*" -or $_.message -match "CommandLine.*.* -NoPr .*" -or $_.message -match "CommandLine.*.* -NoPro .*" -or $_.message -match "CommandLine.*.* -NoProf .*" -or $_.message -match "CommandLine.*.* -NoProfi .*" -or $_.message -match "CommandLine.*.* -NoProfil .*" -or $_.message -match "CommandLine.*.* -nonin .*" -or $_.message -match "CommandLine.*.* -nonint .*" -or $_.message -match "CommandLine.*.* -noninte .*" -or $_.message -match "CommandLine.*.* -noninter .*" -or $_.message -match "CommandLine.*.* -nonintera .*" -or $_.message -match "CommandLine.*.* -noninterac .*" -or $_.message -match "CommandLine.*.* -noninteract .*" -or $_.message -match "CommandLine.*.* -noninteracti .*" -or $_.message -match "CommandLine.*.* -noninteractiv .*" -or $_.message -match "CommandLine.*.* -ec .*" -or $_.message -match "CommandLine.*.* -encodedComman .*" -or $_.message -match "CommandLine.*.* -encodedComma .*" -or $_.message -match "CommandLine.*.* -encodedComm .*" -or $_.message -match "CommandLine.*.* -encodedCom .*" -or $_.message -match "CommandLine.*.* -encodedCo .*" -or $_.message -match "CommandLine.*.* -encodedC .*" -or $_.message -match "CommandLine.*.* -encoded .*" -or $_.message -match "CommandLine.*.* -encode .*" -or $_.message -match "CommandLine.*.* -encod .*" -or $_.message -match "CommandLine.*.* -enco .*" -or $_.message -match "CommandLine.*.* -en .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_suspicious_parameter_variation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_suspicious_parameter_variation";
+ $detectedMessage = "Detects suspicious PowerShell invocation with a parameter substring";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\Powershell.exe") -and ($_.message -match "CommandLine.*.* -windowstyle h .*" -or $_.message -match "CommandLine.*.* -windowstyl h.*" -or $_.message -match "CommandLine.*.* -windowsty h.*" -or $_.message -match "CommandLine.*.* -windowst h.*" -or $_.message -match "CommandLine.*.* -windows h.*" -or $_.message -match "CommandLine.*.* -windo h.*" -or $_.message -match "CommandLine.*.* -wind h.*" -or $_.message -match "CommandLine.*.* -win h.*" -or $_.message -match "CommandLine.*.* -wi h.*" -or $_.message -match "CommandLine.*.* -win h .*" -or $_.message -match "CommandLine.*.* -win hi .*" -or $_.message -match "CommandLine.*.* -win hid .*" -or $_.message -match "CommandLine.*.* -win hidd .*" -or $_.message -match "CommandLine.*.* -win hidde .*" -or $_.message -match "CommandLine.*.* -NoPr .*" -or $_.message -match "CommandLine.*.* -NoPro .*" -or $_.message -match "CommandLine.*.* -NoProf .*" -or $_.message -match "CommandLine.*.* -NoProfi .*" -or $_.message -match "CommandLine.*.* -NoProfil .*" -or $_.message -match "CommandLine.*.* -nonin .*" -or $_.message -match "CommandLine.*.* -nonint .*" -or $_.message -match "CommandLine.*.* -noninte .*" -or $_.message -match "CommandLine.*.* -noninter .*" -or $_.message -match "CommandLine.*.* -nonintera .*" -or $_.message -match "CommandLine.*.* -noninterac .*" -or $_.message -match "CommandLine.*.* -noninteract .*" -or $_.message -match "CommandLine.*.* -noninteracti .*" -or $_.message -match "CommandLine.*.* -noninteractiv .*" -or $_.message -match "CommandLine.*.* -ec .*" -or $_.message -match "CommandLine.*.* -encodedComman .*" -or $_.message -match "CommandLine.*.* -encodedComma .*" -or $_.message -match "CommandLine.*.* -encodedComm .*" -or $_.message -match "CommandLine.*.* -encodedCom .*" -or $_.message -match "CommandLine.*.* -encodedCo .*" -or $_.message -match "CommandLine.*.* -encodedC .*" -or $_.message -match "CommandLine.*.* -encoded .*" -or $_.message -match "CommandLine.*.* -encode .*" -or $_.message -match "CommandLine.*.* -encod .*" -or $_.message -match "CommandLine.*.* -enco .*" -or $_.message -match "CommandLine.*.* -en .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powershell_xor_commandline.ps1 b/Rules/SIGMA/process_creation/win_powershell_xor_commandline.ps1
new file mode 100644
index 00000000..de6f3e37
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powershell_xor_commandline.ps1
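Review bot: The `$result` filter is a single line of forty `-or`-chained `-match` calls, several of which are subsumed by earlier ones (`" -win h.*"` already covers `" -win h .*"`, `" -win hi .*"`, `" -win hid .*"`, `" -win hidd .*"` and `" -win hidde .*"`), which makes the list hard to audit and slow to evaluate per event. A single precompiled alternation held in a named variable — one branch per parameter family, e.g. `$paramRe = 'CommandLine.*\s-(windowstyl?e?\s+h|wi(n|nd|ndo|ndow|ndows|ndowst|ndowsty|ndowstyl)\s+h|NoPr|NoPro|NoProf|NoProfi|NoProfil|nonin\w*|ec|encodedC\w*|encoded|encode|encod|enco|en)\s'` with a comment listing the abbreviations it stands for — would express the same intent in a reviewable form; treat that regex as a constructed sketch, not a drop-in, and verify it against the original list before use. This is a readability point only; no behavioural change is implied.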
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Description.*Windows PowerShell" -or $_.message -match "Product.*PowerShell Core 6") -and ($_.message -match "CommandLine.*.*bxor.*" -or $_.message -match "CommandLine.*.*join.*" -or $_.message -match "CommandLine.*.*char.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powershell_xor_commandline";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powershell_xor_commandline";
+ $detectedMessage = "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Description.*Windows PowerShell" -or $_.message -match "Product.*PowerShell Core 6") -and ($_.message -match "CommandLine.*.*bxor.*" -or $_.message -match "CommandLine.*.*join.*" -or $_.message -match "CommandLine.*.*char.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_powersploit_empire_schtasks.ps1 b/Rules/SIGMA/process_creation/win_powersploit_empire_schtasks.ps1
new file mode 100644
index 00000000..ec50d351
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_powersploit_empire_schtasks.ps1
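Review bot: `$detectedMessage` says the rule detects processes "which includes bxor command", but the `$result` filter fires on `bxor` *or* `join` *or* `char`, so any PowerShell command line containing the substring `char` (for example `[char]` casts or `charset`) or `join` is reported on its own; that breadth is not obvious from the description and is the first thing an analyst triaging the output will ask about. If it is intended, say so on the pattern line, e.g. `# join/char alone are deliberately included as weak obfuscation indicators; expect noise from benign scripts`, and reword the description to "includes bxor, join or char"; otherwise tighten the condition so `bxor` is required and `join`/`char` only strengthen it.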
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.*/Create.*" -and $_.message -match "CommandLine.*.*/SC.*" -and ($_.message -match "CommandLine.*.*ONLOGON.*" -or $_.message -match "CommandLine.*.*DAILY.*" -or $_.message -match "CommandLine.*.*ONIDLE.*" -or $_.message -match "CommandLine.*.*Updater.*") -and $_.message -match "CommandLine.*.*/TN.*" -and $_.message -match "CommandLine.*.*Updater.*" -and $_.message -match "CommandLine.*.*/TR.*" -and $_.message -match "CommandLine.*.*powershell.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_powersploit_empire_schtasks";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_powersploit_empire_schtasks";
+ $detectedMessage = "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.*/Create.*" -and $_.message -match "CommandLine.*.*/SC.*" -and ($_.message -match "CommandLine.*.*ONLOGON.*" -or $_.message -match "CommandLine.*.*DAILY.*" -or $_.message -match "CommandLine.*.*ONIDLE.*" -or $_.message -match "CommandLine.*.*Updater.*") -and $_.message -match "CommandLine.*.*/TN.*" -and $_.message -match "CommandLine.*.*Updater.*" -and $_.message -match "CommandLine.*.*/TR.*" -and $_.message -match "CommandLine.*.*powershell.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_proc_wrong_parent.ps1 b/Rules/SIGMA/process_creation/win_proc_wrong_parent.ps1
new file mode 100644
index 00000000..2618156c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_proc_wrong_parent.ps1
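Review bot: In the `$result` filter the parenthesised `-or` group `(ONLOGON -or DAILY -or ONIDLE -or Updater)` is immediately followed by an unconditional `-and $_.message -match "CommandLine.*.*Updater.*"`, so whenever the mandatory `Updater` term holds the group is already satisfied and the three schedule keywords never influence the result; the group is dead as written. Either the schedule keywords were meant to be required alongside `Updater` (drop `Updater` from the group) or the second `Updater` test is a copy-paste duplicate (drop it) — a comment stating which reading is intended would settle it for the next reader.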
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\lsm.exe" -or $_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\services.exe" -or $_.message -match "Image.*.*\\lsaiso.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\winlogon.exe") -and -not ($_.message -match "ParentImage.*.*\\SavService.exe" -or ($_.message -match "ParentImage.*.*\\System32\\.*" -or $_.message -match "ParentImage.*.*\\SysWOW64\\.*"))) -and -not (($_.message -match "ParentImage.*.*\\Windows Defender\\.*" -or $_.message -match "ParentImage.*.*\\Microsoft Security Client\\.*") -and $_.message -match "ParentImage.*.*\\MsMpEng.exe")) -and -not (-not ParentImage="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_proc_wrong_parent";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_proc_wrong_parent";
+ $detectedMessage = "Detect suspicious parent processes of well-known Windows processes";
+ $result = $event | where { (($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\lsm.exe" -or $_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\services.exe" -or $_.message -match "Image.*.*\\lsaiso.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\winlogon.exe") -and -not ($_.message -match "ParentImage.*.*\\SavService.exe" -or ($_.message -match "ParentImage.*.*\\System32\\.*" -or $_.message -match "ParentImage.*.*\\SysWOW64\\.*"))) -and -not (($_.message -match "ParentImage.*.*\\Windows Defender\\.*" -or $_.message -match "ParentImage.*.*\\Microsoft Security Client\\.*") -and $_.message -match "ParentImage.*.*\\MsMpEng.exe")) -and -not (-not $_message -match "ParentImage.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_process_creation_bitsadmin_download.ps1 b/Rules/SIGMA/process_creation/win_process_creation_bitsadmin_download.ps1
new file mode 100644
index 00000000..f608e378
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_process_creation_bitsadmin_download.ps1
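Review bot: The last term of the `$result` filter, `-not (-not $_message -match "ParentImage.*")`, references `$_message` (no dot), which is an unset variable rather than the event's message; and since unary `-not` binds tighter than `-match`, the inner expression appears to become `$true -match "ParentImage.*"`, so the whole term evaluates to a constant and the "ParentImage must be present" filter the leading comment expresses as `-not (-not ParentImage="*")` is not actually applied. The literal fix is `-and ($_.message -match "ParentImage.*")`, but note that a Sysmon event-1 message always carries the `ParentImage:` label, so to exclude events with an empty parent the pattern needs a value after the label — something like `"ParentImage:\s*\S"` — which should be checked against a real record before adopting. A one-line comment explaining what that final guard is for would keep it from being "simplified" away again.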
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and ($_.message -match "Image.*.*\\bitsadmin.exe") -and ((($_.message -match "CommandLine.*.* /create .*" -or $_.message -match "CommandLine.*.* /addfile .*") -and ($_.message -match "CommandLine.*.*http.*")) -or ($_.message -match "CommandLine.*.* /transfer .*"))) -or ($_.message -match "CommandLine.*.*copy bitsadmin.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_process_creation_bitsadmin_download";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_process_creation_bitsadmin_download";
+ $detectedMessage = "Detects usage of bitsadmin downloading a file";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.ID -eq "1" -and ($_.message -match "Image.*.*\\bitsadmin.exe") -and ((($_.message -match "CommandLine.*.* /create .*" -or $_.message -match "CommandLine.*.* /addfile .*") -and ($_.message -match "CommandLine.*.*http.*")) -or ($_.message -match "CommandLine.*.* /transfer .*"))) -or ($_.message -match "CommandLine.*.*copy bitsadmin.exe.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_process_dump_rundll32_comsvcs.ps1 b/Rules/SIGMA/process_creation/win_process_dump_rundll32_comsvcs.ps1
new file mode 100644
index 00000000..185429da
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_process_dump_rundll32_comsvcs.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*comsvcs.dll,#24.*" -or $_.message -match "CommandLine.*.*comsvcs.dll,MiniDump.*" -or $_.message -match "CommandLine.*.*comsvcs.dll MiniDump.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_process_dump_rundll32_comsvcs";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_process_dump_rundll32_comsvcs";
+ $detectedMessage = "Detects a process memory dump performed via ordinal function 24 in comsvcs.dll";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*comsvcs.dll,#24.*" -or $_.message -match "CommandLine.*.*comsvcs.dll,MiniDump.*" -or $_.message -match "CommandLine.*.*comsvcs.dll MiniDump.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_psexesvc_start.ps1 b/Rules/SIGMA/process_creation/win_psexesvc_start.ps1
new file mode 100644
index 00000000..96985ca6
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_psexesvc_start.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*C:\\Windows\\PSEXESVC.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_psexesvc_start";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_psexesvc_start";
+ $detectedMessage = "Detects a PsExec service start";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*C:\\Windows\\PSEXESVC.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_purplesharp_indicators.ps1 b/Rules/SIGMA/process_creation/win_purplesharp_indicators.ps1
new file mode 100644
index 00000000..23d05d38
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_purplesharp_indicators.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*xyz123456.exe.*" -or $_.message -match "CommandLine.*.*PurpleSharp.*") -or ($_.message -match "PurpleSharp.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_purplesharp_indicators";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_purplesharp_indicators";
+ $detectedMessage = "Detect";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*xyz123456.exe.*" -or $_.message -match "CommandLine.*.*PurpleSharp.*") -or ($_.message -match "PurpleSharp.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_query_registry.ps1 b/Rules/SIGMA/process_creation/win_query_registry.ps1
new file mode 100644
index 00000000..528a9b09
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_query_registry.ps1
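Review bot: `$detectedMessage = "Detect";` is truncated, so a hit prints the single word `Detect` under the rule name and, unlike every other rule in this commit, tells the analyst nothing about what matched; something like `$detectedMessage = "Detects indicators of the PurpleSharp adversary simulation tool";` carries the information the Sigma description holds. The third alternative, `$_.message -match "PurpleSharp.exe"`, is the only clause in the rule without a field prefix, so it is true wherever the string occurs in the rendered message; if it was meant for the Image or OriginalFileName line it should say so (`"Image.*PurpleSharp.exe"`), and if it was meant for CommandLine it is already subsumed by the `"CommandLine.*.*PurpleSharp.*"` clause before it.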
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and ($_.message -match "CommandLine.*.*query.*" -or $_.message -match "CommandLine.*.*save.*" -or $_.message -match "CommandLine.*.*export.*") -and ($_.message -match "CommandLine.*.*currentVersion\\windows.*" -or $_.message -match "CommandLine.*.*currentVersion\\runServicesOnce.*" -or $_.message -match "CommandLine.*.*currentVersion\\runServices.*" -or $_.message -match "CommandLine.*.*winlogon\\.*" -or $_.message -match "CommandLine.*.*currentVersion\\shellServiceObjectDelayLoad.*" -or $_.message -match "CommandLine.*.*currentVersion\\runOnce.*" -or $_.message -match "CommandLine.*.*currentVersion\\runOnceEx.*" -or $_.message -match "CommandLine.*.*currentVersion\\run.*" -or $_.message -match "CommandLine.*.*currentVersion\\policies\\explorer\\run.*" -or $_.message -match "CommandLine.*.*currentcontrolset\\services.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_query_registry";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_query_registry";
+ $detectedMessage = "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and ($_.message -match "CommandLine.*.*query.*" -or $_.message -match "CommandLine.*.*save.*" -or $_.message -match "CommandLine.*.*export.*") -and ($_.message -match "CommandLine.*.*currentVersion\\windows.*" -or $_.message -match "CommandLine.*.*currentVersion\\runServicesOnce.*" -or $_.message -match "CommandLine.*.*currentVersion\\runServices.*" -or $_.message -match "CommandLine.*.*winlogon\\.*" -or $_.message -match "CommandLine.*.*currentVersion\\shellServiceObjectDelayLoad.*" -or $_.message -match "CommandLine.*.*currentVersion\\runOnce.*" -or $_.message -match "CommandLine.*.*currentVersion\\runOnceEx.*" -or $_.message -match "CommandLine.*.*currentVersion\\run.*" -or $_.message -match "CommandLine.*.*currentVersion\\policies\\explorer\\run.*" -or $_.message -match "CommandLine.*.*currentcontrolset\\services.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_rasautou_dll_execution.ps1 b/Rules/SIGMA/process_creation/win_rasautou_dll_execution.ps1
new file mode 100644
index 00000000..2122015f
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_rasautou_dll_execution.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\rasautou.exe" -or $_.message -match "OriginalFileName.*rasdlui.exe") -and ($_.message -match "CommandLine.*.*-d.*" -and $_.message -match "CommandLine.*.*-p.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_rasautou_dll_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rasautou_dll_execution";
+ $detectedMessage = "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p. ";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\rasautou.exe" -or $_.message -match "OriginalFileName.*rasdlui.exe") -and ($_.message -match "CommandLine.*.*-d.*" -and $_.message -match "CommandLine.*.*-p.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_rdp_hijack_shadowing.ps1 b/Rules/SIGMA/process_creation/win_rdp_hijack_shadowing.ps1
new file mode 100644
index 00000000..37e2e311
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_rdp_hijack_shadowing.ps1
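Review bot: `($_.ID -eq "1" -and ($_.ID -eq "1") -and ...)` tests the event ID twice; the inner `($_.ID -eq "1")` looks like the Sigma selection's own ID condition merged with the logsource one and can be dropped without changing the filter. The same doubled test appears in win_renamed_jusched, win_renamed_megasync, win_renamed_paexec and win_renamed_procdump later in this chunk. Separately, `"CommandLine.*.*-d.*"` and `"CommandLine.*.*-p.*"` match `-d`/`-p` anywhere in the command line, including inside longer switches or paths; if the source rule intends whole switches, ` -d ` and ` -p ` with surrounding spaces (as `" /E "` does in win_regedit_export_keys) would be the closer translation — worth confirming against the Sigma rule before changing.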
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*noconsentprompt.*" -and $_.message -match "CommandLine.*.*shadow:.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_rdp_hijack_shadowing";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rdp_hijack_shadowing";
+ $detectedMessage = "Detects RDP session hijacking by using MSTSC shadowing";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*noconsentprompt.*" -and $_.message -match "CommandLine.*.*shadow:.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_redmimicry_winnti_proc.ps1 b/Rules/SIGMA/process_creation/win_redmimicry_winnti_proc.ps1
new file mode 100644
index 00000000..7136b350
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_redmimicry_winnti_proc.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*rundll32.exe.*" -or $_.message -match "Image.*.*cmd.exe.*") -and ($_.message -match "CommandLine.*.*gthread-3.6.dll.*" -or $_.message -match "CommandLine.*.*\\Windows\\Temp\\tmp.bat.*" -or $_.message -match "CommandLine.*.*sigcmm-2.4.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_redmimicry_winnti_proc";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_redmimicry_winnti_proc";
+ $detectedMessage = "Detects actions caused by the RedMimicry Winnti playbook";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*rundll32.exe.*" -or $_.message -match "Image.*.*cmd.exe.*") -and ($_.message -match "CommandLine.*.*gthread-3.6.dll.*" -or $_.message -match "CommandLine.*.*\\Windows\\Temp\\tmp.bat.*" -or $_.message -match "CommandLine.*.*sigcmm-2.4.dll.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_reg_add_run_key.ps1 b/Rules/SIGMA/process_creation/win_reg_add_run_key.ps1
new file mode 100644
index 00000000..1379e4ef
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_reg_add_run_key.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.* ADD .*" -and $_.message -match "CommandLine.*.*Software\\Microsoft\\Windows\\CurrentVersion\\Run.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_reg_add_run_key";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_reg_add_run_key";
+ $detectedMessage = "Detects suspicious command line reg.exe tool adding key to RUN key in Registry";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.* ADD .*" -and $_.message -match "CommandLine.*.*Software\\Microsoft\\Windows\\CurrentVersion\\Run.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_regedit_export_critical_keys.ps1 b/Rules/SIGMA/process_creation/win_regedit_export_critical_keys.ps1
new file mode 100644
index 00000000..7b0d1851
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_regedit_export_critical_keys.ps1
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\regedit.exe" -and $_.message -match "CommandLine.*.* /E .*" -and ($_.message -match "CommandLine.*.*hklm.*" -or $_.message -match "CommandLine.*.*hkey_local_machine.*") -and ($_.message -match "CommandLine.*.*\\system" -or $_.message -match "CommandLine.*.*\\sam" -or $_.message -match "CommandLine.*.*\\security")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_regedit_export_critical_keys";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_regedit_export_critical_keys";
+ $detectedMessage = "Detects the export of a crital Registry key to a file.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\regedit.exe" -and $_.message -match "CommandLine.*.* /E .*" -and ($_.message -match "CommandLine.*.*hklm.*" -or $_.message -match "CommandLine.*.*hkey_local_machine.*") -and ($_.message -match "CommandLine.*.*\\system" -or $_.message -match "CommandLine.*.*\\sam" -or $_.message -match "CommandLine.*.*\\security")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_regedit_export_keys.ps1 b/Rules/SIGMA/process_creation/win_regedit_export_keys.ps1
new file mode 100644
index 00000000..b8f82eca
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_regedit_export_keys.ps1
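Review bot: `$detectedMessage = "Detects the export of a crital Registry key to a file.";` misspells "critical" in the text shown to the analyst on a hit; `$detectedMessage = "Detects the export of a critical Registry key to a file.";`. The selection for the critical hives (`hklm`/`hkey_local_machine` together with `\\system`, `\\sam`, `\\security`) is repeated verbatim as the `-not` exclusion of win_regedit_export_keys in the next hunk, so the two filters must be edited together to stay complementary; a one-line comment in each file pointing at the other would make that coupling visible to whoever regenerates or hand-edits one of them.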
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\regedit.exe" -and $_.message -match "CommandLine.*.* /E .*") -and -not (($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*hklm.*" -or $_.message -match "CommandLine.*.*hkey_local_machine.*") -and ($_.message -match "CommandLine.*.*\\system" -or $_.message -match "CommandLine.*.*\\sam" -or $_.message -match "CommandLine.*.*\\security")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_regedit_export_keys";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_regedit_export_keys";
+ $detectedMessage = "Detects the export of the target Registry key to a file.";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\regedit.exe" -and $_.message -match "CommandLine.*.* /E .*") -and -not (($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*hklm.*" -or $_.message -match "CommandLine.*.*hkey_local_machine.*") -and ($_.message -match "CommandLine.*.*\\system" -or $_.message -match "CommandLine.*.*\\sam" -or $_.message -match "CommandLine.*.*\\security")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_remote_powershell_session_process.ps1 b/Rules/SIGMA/process_creation/win_remote_powershell_session_process.ps1
new file mode 100644
index 00000000..1061c668
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_remote_powershell_session_process.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\wsmprovhost.exe" -or $_.message -match "ParentImage.*.*\\wsmprovhost.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_remote_powershell_session_process";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_remote_powershell_session_process";
+ $detectedMessage = "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\wsmprovhost.exe" -or $_.message -match "ParentImage.*.*\\wsmprovhost.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_remote_time_discovery.ps1 b/Rules/SIGMA/process_creation/win_remote_time_discovery.ps1
new file mode 100644
index 00000000..f61cb645
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_remote_time_discovery.ps1
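Review bot: The detection text says "remote PowerShell sections" where the rule (and its own closing parenthesis) means sessions; `$detectedMessage = "Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).";`. Since `Image.*.*\\wsmprovhost.exe` already matches the `ParentImage:` line of the rendered message, the explicit `ParentImage.*.*\\wsmprovhost.exe` alternative is redundant in this translation; keeping it is harmless and documents intent, but a short comment noting that the two clauses overlap would stop a later reader from assuming the first is Image-only.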
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*time.*") -or ($_.message -match "Image.*.*\\w32tm.exe" -and $_.message -match "CommandLine.*.*tz.*") -or ($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Get-Date.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_remote_time_discovery";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_remote_time_discovery";
+ $detectedMessage = "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.";
+ $result = $event | where { (($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*time.*") -or ($_.message -match "Image.*.*\\w32tm.exe" -and $_.message -match "CommandLine.*.*tz.*") -or ($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Get-Date.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_renamed_binary.ps1 b/Rules/SIGMA/process_creation/win_renamed_binary.ps1
new file mode 100644
index 00000000..4400fd15
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_renamed_binary.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "cmd.exe" -or $_.message -match "powershell.exe" -or $_.message -match "powershell_ise.exe" -or $_.message -match "psexec.exe" -or $_.message -match "psexec.c" -or $_.message -match "cscript.exe" -or $_.message -match "wscript.exe" -or $_.message -match "mshta.exe" -or $_.message -match "regsvr32.exe" -or $_.message -match "wmic.exe" -or $_.message -match "certutil.exe" -or $_.message -match "rundll32.exe" -or $_.message -match "cmstp.exe" -or $_.message -match "msiexec.exe" -or $_.message -match "7z.exe" -or $_.message -match "winrar.exe" -or $_.message -match "wevtutil.exe" -or $_.message -match "net.exe" -or $_.message -match "net1.exe" -or $_.message -match "netsh.exe") -and -not (($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\psexec.exe" -or $_.message -match "Image.*.*\\psexec64.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\cmstp.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\7z.exe" -or $_.message -match "Image.*.*\\winrar.exe" -or $_.message -match "Image.*.*\\wevtutil.exe" -or $_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe" -or $_.message -match "Image.*.*\\netsh.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_renamed_binary";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_renamed_binary";
+ $detectedMessage = "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "cmd.exe" -or $_.message -match "powershell.exe" -or $_.message -match "powershell_ise.exe" -or $_.message -match "psexec.exe" -or $_.message -match "psexec.c" -or $_.message -match "cscript.exe" -or $_.message -match "wscript.exe" -or $_.message -match "mshta.exe" -or $_.message -match "regsvr32.exe" -or $_.message -match "wmic.exe" -or $_.message -match "certutil.exe" -or $_.message -match "rundll32.exe" -or $_.message -match "cmstp.exe" -or $_.message -match "msiexec.exe" -or $_.message -match "7z.exe" -or $_.message -match "winrar.exe" -or $_.message -match "wevtutil.exe" -or $_.message -match "net.exe" -or $_.message -match "net1.exe" -or $_.message -match "netsh.exe") -and -not (($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\psexec.exe" -or $_.message -match "Image.*.*\\psexec64.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\cmstp.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\7z.exe" -or $_.message -match "Image.*.*\\winrar.exe" -or $_.message -match "Image.*.*\\wevtutil.exe" -or $_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe" -or $_.message -match "Image.*.*\\netsh.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_renamed_binary_highly_relevant.ps1 b/Rules/SIGMA/process_creation/win_renamed_binary_highly_relevant.ps1
new file mode 100644
index 00000000..f4a515df
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_renamed_binary_highly_relevant.ps1
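Review bot: Each positive clause, e.g. `$_.message -match "cmd.exe"`, is applied to the whole rendered message with no field name, while the detection text itself says the rule keys on the Sysmon OriginalFileName field; as written, any process whose CommandLine or ParentCommandLine merely mentions one of the listed names fires unless its own Image happens to end in that name, which makes this the noisiest rule in the commit. Prefixing the field, as win_renamed_megasync and win_renamed_procdump already do, restores the intended semantics: `$_.message -match "OriginalFileName.*cmd.exe"` and likewise for each of the other names. The same applies to win_renamed_binary_highly_relevant in the next hunk. Minor: the names are regexes, so `cmd.exe` also matches `cmd_exe`; `\.` would be exact, though with the field prefix in place the looseness is unlikely to matter.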
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "powershell.exe" -or $_.message -match "powershell_ise.exe" -or $_.message -match "psexec.exe" -or $_.message -match "psexec.c" -or $_.message -match "cscript.exe" -or $_.message -match "wscript.exe" -or $_.message -match "mshta.exe" -or $_.message -match "regsvr32.exe" -or $_.message -match "wmic.exe" -or $_.message -match "certutil.exe" -or $_.message -match "rundll32.exe" -or $_.message -match "cmstp.exe" -or $_.message -match "msiexec.exe") -and -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\psexec.exe" -or $_.message -match "Image.*.*\\psexec64.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\cmstp.exe" -or $_.message -match "Image.*.*\\msiexec.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_renamed_binary_highly_relevant";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_renamed_binary_highly_relevant";
+ $detectedMessage = "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "powershell.exe" -or $_.message -match "powershell_ise.exe" -or $_.message -match "psexec.exe" -or $_.message -match "psexec.c" -or $_.message -match "cscript.exe" -or $_.message -match "wscript.exe" -or $_.message -match "mshta.exe" -or $_.message -match "regsvr32.exe" -or $_.message -match "wmic.exe" -or $_.message -match "certutil.exe" -or $_.message -match "rundll32.exe" -or $_.message -match "cmstp.exe" -or $_.message -match "msiexec.exe") -and -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\psexec.exe" -or $_.message -match "Image.*.*\\psexec64.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\cmstp.exe" -or $_.message -match "Image.*.*\\msiexec.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_renamed_jusched.ps1 b/Rules/SIGMA/process_creation/win_renamed_jusched.ps1
new file mode 100644
index 00000000..0e83c655
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_renamed_jusched.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1") -and ($_.message -match "Description.*Java Update Scheduler" -or $_.message -match "Description.*Java(TM) Update Scheduler")) -and -not (($_.message -match "Image.*.*\\jusched.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_renamed_jusched";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_renamed_jusched";
+ $detectedMessage = "Detects renamed jusched.exe used by cobalt group ";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.ID -eq "1") -and ($_.message -match "Description.*Java Update Scheduler" -or $_.message -match "Description.*Java(TM) Update Scheduler")) -and -not (($_.message -match "Image.*.*\\jusched.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_renamed_megasync.ps1 b/Rules/SIGMA/process_creation/win_renamed_megasync.ps1
new file mode 100644
index 00000000..93239382
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_renamed_megasync.ps1
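Review bot: `$_.message -match "Description.*Java(TM) Update Scheduler"` treats `(TM)` as a regex capture group, so the pattern matches the text `JavaTM Update Scheduler` and never the literal `Java(TM) Update Scheduler` the Sigma rule lists; the second alternative is dead and a binary carrying that description string is only caught if the first alternative happens to match. Escaping the parentheses fixes it: `$_.message -match "Description.*Java\(TM\) Update Scheduler"` (PowerShell double-quoted strings pass backslashes through to the .NET regex, which the `\\` in the `Image.*.*\\jusched.exe` clause already relies on). The inner `($_.ID -eq "1")` is the doubled event-ID test also present in win_rasautou_dll_execution, and the trailing space in `"Detects renamed jusched.exe used by cobalt group "` looks like a copy artefact.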
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\explorer.exe" -and $_.message -match "CommandLine.*.*C:\\Windows\\Temp\\meg.exe.*") -or (($_.ID -eq "1") -and $_.message -match "OriginalFileName.*meg.exe" -and -not ($_.message -match "Image.*.*\\meg.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_renamed_megasync";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_renamed_megasync";
+ $detectedMessage = "Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\explorer.exe" -and $_.message -match "CommandLine.*.*C:\\Windows\\Temp\\meg.exe.*") -or (($_.ID -eq "1") -and $_.message -match "OriginalFileName.*meg.exe" -and -not ($_.message -match "Image.*.*\\meg.exe")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_renamed_paexec.ps1 b/Rules/SIGMA/process_creation/win_renamed_paexec.ps1
new file mode 100644
index 00000000..8e547662
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_renamed_paexec.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.ID -eq "1" -and ($_.message -match "Product.*.*PAExec.*") -and ($_.message -match "11D40A7B7876288F919AB819CC2D9802" -or $_.message -match "6444f8a34e99b8f7d9647de66aabe516" -or $_.message -match "dfd6aa3f7b2b1035b76b718f1ddc689f" -or $_.message -match "1a6cca4d5460b1710a12dea39e4a592c")) -and -not ($_.message -match "Image.*.*paexec.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_renamed_paexec";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_renamed_paexec";
+ $detectedMessage = "Detects execution of renamed paexec via imphash and executable product string";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.ID -eq "1" -and ($_.message -match "Product.*.*PAExec.*") -and ($_.message -match "11D40A7B7876288F919AB819CC2D9802" -or $_.message -match "6444f8a34e99b8f7d9647de66aabe516" -or $_.message -match "dfd6aa3f7b2b1035b76b718f1ddc689f" -or $_.message -match "1a6cca4d5460b1710a12dea39e4a592c")) -and -not ($_.message -match "Image.*.*paexec.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_renamed_powershell.ps1 b/Rules/SIGMA/process_creation/win_renamed_powershell.ps1
new file mode 100644
index 00000000..dbc34491
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_renamed_powershell.ps1
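Review bot: The four hash alternatives are matched anywhere in the message without the `Hashes.*IMPHASH=` prefix that the detection text ("via imphash") implies, so the translation silently depends on no other hash field in the event (MD5 is the same 32-hex shape) ever carrying one of these values; `$_.message -match "IMPHASH=11D40A7B7876288F919AB819CC2D9802"` and likewise for the other three pins the field and costs nothing. The exclusion `-not ($_.message -match "Image.*.*paexec.*")` is also unanchored at the end, so any Image path containing `paexec` in a directory name suppresses the hit; `"Image.*.*\\paexec.*\.exe"` or the `\\paexec.exe` form used for other names in this commit would be tighter. Both points presume Sysmon's usual `Hashes:`/`Image:` rendering and are worth checking against a sample event.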
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Description.*Windows PowerShell.*" -or $_.message -match "Description.*pwsh.*") -and $_.message -match "Company.*Microsoft Corporation") -and -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\pwsh.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_renamed_powershell";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_renamed_powershell";
+ $detectedMessage = "Detects the execution of a renamed PowerShell often used by attackers or malware";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Description.*Windows PowerShell.*" -or $_.message -match "Description.*pwsh.*") -and $_.message -match "Company.*Microsoft Corporation") -and -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\pwsh.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_renamed_procdump.ps1 b/Rules/SIGMA/process_creation/win_renamed_procdump.ps1
new file mode 100644
index 00000000..bd54fc61
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_renamed_procdump.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.ID -eq "1") -and $_.message -match "OriginalFileName.*procdump" -and -not (($_.message -match "Image.*.*\\procdump.exe" -or $_.message -match "Image.*.*\\procdump64.exe"))) -or (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.* -ma .*" -and $_.message -match "CommandLine.*.* -accepteula .*") -and -not (($_.message -match "CommandLine.*.*\\procdump.exe.*" -or $_.message -match "CommandLine.*.*\\procdump64.exe.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_renamed_procdump";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_renamed_procdump";
+ $detectedMessage = "Detects the execution of a renamed ProcDump executable often used by attackers or malware";
+ $result = $event | where { (($_.ID -eq "1") -and ((($_.ID -eq "1") -and $_.message -match "OriginalFileName.*procdump" -and -not (($_.message -match "Image.*.*\\procdump.exe" -or $_.message -match "Image.*.*\\procdump64.exe"))) -or (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.* -ma .*" -and $_.message -match "CommandLine.*.* -accepteula .*") -and -not (($_.message -match "CommandLine.*.*\\procdump.exe.*" -or $_.message -match "CommandLine.*.*\\procdump64.exe.*"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_renamed_psexec.ps1 b/Rules/SIGMA/process_creation/win_renamed_psexec.ps1
new file mode 100644
index 00000000..6dd6e9d1
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_renamed_psexec.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Description.*Execute processes remotely" -and $_.message -match "Product.*Sysinternals PsExec") -and -not (($_.message -match "Image.*.*\\PsExec.exe" -or $_.message -match "Image.*.*\\PsExec64.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_renamed_psexec";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_renamed_psexec";
+ $detectedMessage = "Detects the execution of a renamed PsExec often used by attackers or malware";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Description.*Execute processes remotely" -and $_.message -match "Product.*Sysinternals PsExec") -and -not (($_.message -match "Image.*.*\\PsExec.exe" -or $_.message -match "Image.*.*\\PsExec64.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_run_powershell_script_from_ads.ps1 b/Rules/SIGMA/process_creation/win_run_powershell_script_from_ads.ps1
new file mode 100644
index 00000000..8b004774
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_run_powershell_script_from_ads.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Get-Content.*" -and $_.message -match "CommandLine.*.*-Stream.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_run_powershell_script_from_ads";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_run_powershell_script_from_ads";
+ $detectedMessage = "Detects PowerShell script execution from Alternate Data Stream (ADS)";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Get-Content.*" -and $_.message -match "CommandLine.*.*-Stream.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_run_virtualbox.ps1 b/Rules/SIGMA/process_creation/win_run_virtualbox.ps1
new file mode 100644
index 00000000..f8f2e17a
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_run_virtualbox.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*VBoxRT.dll,RTR3Init.*" -or $_.message -match "CommandLine.*.*VBoxC.dll.*" -or $_.message -match "CommandLine.*.*VBoxDrv.sys.*") -or ($_.message -match "CommandLine.*.*startvm.*" -or $_.message -match "CommandLine.*.*controlvm.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_run_virtualbox";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_run_virtualbox";
+ $detectedMessage = "Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*VBoxRT.dll,RTR3Init.*" -or $_.message -match "CommandLine.*.*VBoxC.dll.*" -or $_.message -match "CommandLine.*.*VBoxDrv.sys.*") -or ($_.message -match "CommandLine.*.*startvm.*" -or $_.message -match "CommandLine.*.*controlvm.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_rundll32_without_parameters.ps1 b/Rules/SIGMA/process_creation/win_rundll32_without_parameters.ps1
new file mode 100644
index 00000000..794bff56
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_rundll32_without_parameters.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*rundll32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_rundll32_without_parameters";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_rundll32_without_parameters";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*rundll32.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_script_event_consumer_spawn.ps1 b/Rules/SIGMA/process_creation/win_script_event_consumer_spawn.ps1
new file mode 100644
index 00000000..3486a12a
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_script_event_consumer_spawn.ps1
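Review bot: `$detectedMessage` is never assigned in this file, yet `Write-Output $detectedMessage` runs on every hit; because `Search-DetectableEvents` is invoked with dot-sourcing, the name resolves in the caller's scope and will print either nothing or a stale message left behind by a previously executed rule, depending on how `$ruleStack` entries are run. win_sus_auditpol_usage.ps1 has the same omission and win_shadow_copies_access_symlink.ps1 sets the variable to `""`, which prints a blank line. Adding a line next to `$ruleName`, e.g. `$detectedMessage = "Detects rundll32.exe started without parameters";`, fixes all three consistently. Separately, `CommandLine.*rundll32.exe` has no end anchor, so the rule fires on every rundll32 invocation whatever its arguments, contradicting the rule name; if a bare invocation is the intent, something like `$_.message -match '(?m)^CommandLine:.*\\rundll32\.exe\s*$'` (the `\s*` absorbs the carriage return before the next message field) is closer, though it should be checked against a real Sysmon message before shipping.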
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\scrcons.exe") -and ($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\dllhost.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\msbuild.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_script_event_consumer_spawn";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_script_event_consumer_spawn";
+ $detectedMessage = "Detects a suspicious child process of Script Event Consumer (scrcons.exe).";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\scrcons.exe") -and ($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\dllhost.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\msbuild.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(!
$ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_sdbinst_shim_persistence.ps1 b/Rules/SIGMA/process_creation/win_sdbinst_shim_persistence.ps1
new file mode 100644
index 00000000..f74b182b
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_sdbinst_shim_persistence.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sdbinst.exe") -and ($_.message -match "CommandLine.*.*.sdb.*")) -and -not (($_.message -match "CommandLine.*.*iisexpressshim.sdb.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_sdbinst_shim_persistence";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_sdbinst_shim_persistence";
+ $detectedMessage = "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sdbinst.exe") -and ($_.message -match "CommandLine.*.*.sdb.*")) -and -not (($_.message -match "CommandLine.*.*iisexpressshim.sdb.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_service_execution.ps1 b/Rules/SIGMA/process_creation/win_service_execution.ps1
new file mode 100644
index 00000000..1e236f1e
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_service_execution.ps1
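Review bot: The registration block at the end of this file is written as `if(! $ruleStack[$ruleName]) {` with `} else {` cuddled on one line, whereas the files before it (win_renamed_paexec.ps1 through win_rundll32_without_parameters.ps1) write `if (! $ruleStack[$ruleName]) {` and put `else {` on its own line; the same cuddled form recurs in win_sdbinst_shim_persistence.ps1, win_service_execution.ps1, win_service_stop.ps1, the win_shadow_copies_* files, win_sticky_keys_unauthenticated_privileged_console_access.ps1, win_sus_auditpol_usage.ps1 and win_susp_adfind.ps1. Since every file is the same template with a different filter, one layout should be used throughout so that diffs between rules show only the filter and message. The detection logic itself is consistent with the neighbouring rules.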
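Review bot: The `CommandLine.*.*.sdb.*` condition is effectively always satisfied once `Image` matches `\\sdbinst.exe`, because the unescaped `.` in `.sdb` matches the character before the `sdb` of `sdbinst` that the command line itself contains, so the rule fires on every sdbinst run (including uninstalls) rather than only when a shim database file is passed. Escaping the dot, `$_.message -match "CommandLine.*\.sdb"`, restricts the match to an actual `.sdb` argument; PowerShell double quotes leave the backslash intact, so the regex is unchanged. The commented Get-WinEvent line at the top of the file duplicates the same filter and should be changed with it. Two of the `Write-Output` lines in the `if` body, here and in win_susp_adfind.ps1, have also lost their indentation relative to the surrounding lines.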
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.* start .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_service_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_service_execution";
+ $detectedMessage = "Detects manual service execution (start) via system utilities.";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.* start .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_service_stop.ps1 b/Rules/SIGMA/process_creation/win_service_stop.ps1
new file mode 100644
index 00000000..33010fc4
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_service_stop.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sc.exe" -or $_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*stop.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_service_stop";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_service_stop";
+ $detectedMessage = "Detects a windows service to be stopped";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sc.exe" -or $_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*stop.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_shadow_copies_access_symlink.ps1 b/Rules/SIGMA/process_creation/win_shadow_copies_access_symlink.ps1
new file mode 100644
index 00000000..2dceb4f9
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_shadow_copies_access_symlink.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*mklink.*" -and $_.message -match "CommandLine.*.*HarddiskVolumeShadowCopy.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_shadow_copies_access_symlink";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_shadow_copies_access_symlink";
+ $detectedMessage = "";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*mklink.*" -and $_.message -match "CommandLine.*.*HarddiskVolumeShadowCopy.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_shadow_copies_creation.ps1 b/Rules/SIGMA/process_creation/win_shadow_copies_creation.ps1
new file mode 100644
index 00000000..5d18c3f5
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_shadow_copies_creation.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\vssadmin.exe") -and $_.message -match "CommandLine.*.*shadow.*" -and $_.message -match "CommandLine.*.*create.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_shadow_copies_creation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_shadow_copies_creation";
+ $detectedMessage = "Shadow Copies creation using operating systems utilities, possible credential access";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\vssadmin.exe") -and $_.message -match "CommandLine.*.*shadow.*" -and $_.message -match "CommandLine.*.*create.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_shadow_copies_deletion.ps1 b/Rules/SIGMA/process_creation/win_shadow_copies_deletion.ps1
new file mode 100644
index 00000000..d221c6cf
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_shadow_copies_deletion.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*delete.*" -and ((($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\vssadmin.exe" -or $_.message -match "Image.*.*\\diskshadow.exe") -and $_.message -match "CommandLine.*.*shadow.*") -or (($_.message -match "Image.*.*\\wbadmin.exe") -and $_.message -match "CommandLine.*.*catalog.*" -and $_.message -match "CommandLine.*.*quiet.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_shadow_copies_deletion";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_shadow_copies_deletion";
+ $detectedMessage = "Shadow Copies deletion using operating systems utilities";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*delete.*" -and ((($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\vssadmin.exe" -or $_.message -match "Image.*.*\\diskshadow.exe") -and $_.message -match "CommandLine.*.*shadow.*") -or (($_.message -match "Image.*.*\\wbadmin.exe") -and $_.message -match "CommandLine.*.*catalog.*" -and $_.message -match "CommandLine.*.*quiet.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_shell_spawn_mshta.ps1 b/Rules/SIGMA/process_creation/win_shell_spawn_mshta.ps1
new file mode 100644
index 00000000..9bc38dd3
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_shell_spawn_mshta.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\mshta.exe" -and ($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\WScript.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_shell_spawn_mshta";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_shell_spawn_mshta";
+ $detectedMessage = "Detects a suspicious child process of a mshta.exe process";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\mshta.exe" -and ($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\WScript.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_shell_spawn_susp_program.ps1 b/Rules/SIGMA/process_creation/win_shell_spawn_susp_program.ps1
new file mode 100644
index 00000000..b8a21002
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_shell_spawn_susp_program.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\mshta.exe" -or $_.message -match "ParentImage.*.*\\powershell.exe" -or $_.message -match "ParentImage.*.*\\rundll32.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe" -or $_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\wmiprvse.exe") -and ($_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\nslookup.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe" -or $_.message -match "Image.*.*\\mshta.exe")) -and -not ($_.message -match "CurrentDirectory.*.*\\ccmcache\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_shell_spawn_susp_program";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_shell_spawn_susp_program";
+ $detectedMessage = "Detects a suspicious child process of a Windows shell";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\mshta.exe" -or $_.message -match "ParentImage.*.*\\powershell.exe" -or $_.message -match "ParentImage.*.*\\rundll32.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe" -or $_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\wmiprvse.exe") -and ($_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\nslookup.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe" -or $_.message -match "Image.*.*\\mshta.exe")) -and -not ($_.message -match "CurrentDirectory.*.*\\ccmcache\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! 
RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_silenttrinity_stage_use.ps1 b/Rules/SIGMA/process_creation/win_silenttrinity_stage_use.ps1
new file mode 100644
index 00000000..5b8b6231
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_silenttrinity_stage_use.ps1
@@ -0,0 +1,41 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and $_.message -match "Description.*.*st2stager.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "7" -and $_.message -match "Description.*.*st2stager.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_silenttrinity_stage_use";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_silenttrinity_stage_use";
+ $detectedMessage = "Detects SILENTTRINITY stager use";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "Description.*.*st2stager.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "7" -and $_.message -match "Description.*.*st2stager.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_soundrec_audio_capture.ps1 b/Rules/SIGMA/process_creation/win_soundrec_audio_capture.ps1
new file mode 100644
index 00000000..62ae6dce
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_soundrec_audio_capture.ps1
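Review bot: The two `where` passes over `$event` differ only in the event ID, so a single filter, `where { (($_.ID -eq "1" -or $_.ID -eq "7") -and $_.message -match "Description.*.*st2stager.*") }`, would scan the input once and drop the `$results` list and `foreach` entirely; keep the two-pass form only if a separate "Detected!" block per event ID is actually wanted. As written, `[void]$results.Add($tmp)` also stores `$null` when a pass has no hits, which the `if ($result -and ...)` guard tolerates but which makes `$results.Count` meaningless as a hit count. Either way, this file is the only one in the set that departs from the single-`$result` template, so the reason should be noted in a comment.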
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\SoundRecorder.exe" -and $_.message -match "CommandLine.*.*/FILE.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_soundrec_audio_capture";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_soundrec_audio_capture";
+ $detectedMessage = "Detect attacker collecting audio via SoundRecorder application.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\SoundRecorder.exe" -and $_.message -match "CommandLine.*.*/FILE.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_spn_enum.ps1 b/Rules/SIGMA/process_creation/win_spn_enum.ps1
new file mode 100644
index 00000000..bdc8dd2f
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_spn_enum.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\setspn.exe" -or ($_.message -match "Description.*.*Query or reset the computer.*" -and $_.message -match "Description.*.*SPN attribute.*")) -and $_.message -match "CommandLine.*.*-q.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_spn_enum";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_spn_enum";
+ $detectedMessage = "Detects Service Principal Name Enumeration used for Kerberoasting";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\setspn.exe" -or ($_.message -match "Description.*.*Query or reset the computer.*" -and $_.message -match "Description.*.*SPN attribute.*")) -and $_.message -match "CommandLine.*.*-q.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.ps1 b/Rules/SIGMA/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.ps1
new file mode 100644
index 00000000..b1a25b3b
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.ps1
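Review bot: `CommandLine.*.*-q.*` treats `-q` as a bare substring, so any switch that merely starts with those characters (for example `-query` or `-quiet`) satisfies the filter as well, and `$_.ID -eq "1"` is tested twice in the same expression. `$_.message -match "CommandLine.*\s-q\b"` limits the match to a standalone `-q` switch, and since PowerShell `-match` is case-insensitive by default, an upper-case `-Q` is still covered. The commented Get-WinEvent line at the top of the file duplicates the filter and should change with it.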
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_sticky_keys_unauthenticated_privileged_console_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_sticky_keys_unauthenticated_privileged_console_access";
+ $detectedMessage = "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are ""activated"" the privilleged shell is launched.";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_sus_auditpol_usage.ps1 b/Rules/SIGMA/process_creation/win_sus_auditpol_usage.ps1
new file mode 100644
index 00000000..f00e155b
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_sus_auditpol_usage.ps1
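Review bot: The filter is one literal command line, `copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe`, so any difference in path spelling, drive letter or copy utility leaves the rule silent; if that narrowness is deliberate it should be stated in the rule header, otherwise a pattern on the destination alone, e.g. `$_.message -match "CommandLine.*\\system32\\sethc\.exe"`, would catch the same replacement with more variants at the cost of some noise. The `$detectedMessage` string also misspells "privileged" as `privilleged`; since this text is printed to the analyst it is worth correcting.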
@@ -0,0 +1,30 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\auditpol.exe" -and ($_.message -match "CommandLine.*.*disable.*" -or $_.message -match "CommandLine.*.*clear.*" -or $_.message -match "CommandLine.*.*remove.*" -or $_.message -match "CommandLine.*.*restore.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_sus_auditpol_usage";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_sus_auditpol_usage";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\auditpol.exe" -and ($_.message -match "CommandLine.*.*disable.*" -or $_.message -match "CommandLine.*.*clear.*" -or $_.message -match "CommandLine.*.*remove.*" -or $_.message -match "CommandLine.*.*restore.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_adfind.ps1 b/Rules/SIGMA/process_creation/win_susp_adfind.ps1
new file mode 100644
index 00000000..74cea3f1
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_adfind.ps1
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*objectcategory.*" -or $_.message -match "CommandLine.*.*trustdmp.*" -or $_.message -match "CommandLine.*.*dcmodes.*" -or $_.message -match "CommandLine.*.*dclist.*" -or $_.message -match "CommandLine.*.*computers_pwdnotreqd.*") -and $_.message -match "Image.*.*\\adfind.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_adfind"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_adfind"; + $detectedMessage = "Detects the execution of a AdFind for Active Directory enumeration "; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*objectcategory.*" -or $_.message -match "CommandLine.*.*trustdmp.*" -or $_.message -match "CommandLine.*.*dcmodes.*" -or $_.message -match "CommandLine.*.*dclist.*" -or $_.message -match "CommandLine.*.*computers_pwdnotreqd.*") -and $_.message -match "Image.*.*\\adfind.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; +Write-Output $result; +Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_atbroker.ps1 b/Rules/SIGMA/process_creation/win_susp_atbroker.ps1 new file mode 100644 index 00000000..833b841e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_atbroker.ps1 
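Review bot: The rule requires `Image.*.*\\adfind.exe`, so a copy of the tool renamed to anything else is invisible even when the command line carries the very switches (`dclist`, `trustdmp`, …) the rule is looking for; `win_susp_compression_params` in this same commit already keys on `OriginalFileName`, and the same approach would work here if AdFind's PE OriginalFileName is stable (to be confirmed), e.g. `($_.message -match "Image.*.*\\adfind.exe" -or $_.message -match "OriginalFileName.*AdFind.exe")`. The three `Write-Output` lines inside the `if` are flush-left while the rest of the function is indented, which should be aligned with the sibling files. The description reads "a AdFind" and should be "AdFind".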
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*AtBroker.exe" -and $_.message -match "CommandLine.*.*start.*") -and -not (($_.message -match "CommandLine.*.*animations.*" -or $_.message -match "CommandLine.*.*audiodescription.*" -or $_.message -match "CommandLine.*.*caretbrowsing.*" -or $_.message -match "CommandLine.*.*caretwidth.*" -or $_.message -match "CommandLine.*.*colorfiltering.*" -or $_.message -match "CommandLine.*.*cursorscheme.*" -or $_.message -match "CommandLine.*.*filterkeys.*" -or $_.message -match "CommandLine.*.*focusborderheight.*" -or $_.message -match "CommandLine.*.*focusborderwidth.*" -or $_.message -match "CommandLine.*.*highcontrast.*" -or $_.message -match "CommandLine.*.*keyboardcues.*" -or $_.message -match "CommandLine.*.*keyboardpref.*" -or $_.message -match "CommandLine.*.*magnifierpane.*" -or $_.message -match "CommandLine.*.*messageduration.*" -or $_.message -match "CommandLine.*.*minimumhitradius.*" -or $_.message -match "CommandLine.*.*mousekeys.*" -or $_.message -match "CommandLine.*.*Narrator.*" -or $_.message -match "CommandLine.*.*osk.*" -or $_.message -match "CommandLine.*.*overlappedcontent.*" -or $_.message -match "CommandLine.*.*showsounds.*" -or $_.message -match "CommandLine.*.*soundsentry.*" -or $_.message -match "CommandLine.*.*stickykeys.*" -or $_.message -match "CommandLine.*.*togglekeys.*" -or $_.message -match "CommandLine.*.*windowarranging.*" -or $_.message -match "CommandLine.*.*windowtracking.*" -or $_.message -match "CommandLine.*.*windowtrackingtimeout.*" -or $_.message -match "CommandLine.*.*windowtrackingzorder.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_atbroker"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_atbroker"; + $detectedMessage = "Atbroker executing non-deafualt Assistive 
Technology applications"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*AtBroker.exe" -and $_.message -match "CommandLine.*.*start.*") -and -not (($_.message -match "CommandLine.*.*animations.*" -or $_.message -match "CommandLine.*.*audiodescription.*" -or $_.message -match "CommandLine.*.*caretbrowsing.*" -or $_.message -match "CommandLine.*.*caretwidth.*" -or $_.message -match "CommandLine.*.*colorfiltering.*" -or $_.message -match "CommandLine.*.*cursorscheme.*" -or $_.message -match "CommandLine.*.*filterkeys.*" -or $_.message -match "CommandLine.*.*focusborderheight.*" -or $_.message -match "CommandLine.*.*focusborderwidth.*" -or $_.message -match "CommandLine.*.*highcontrast.*" -or $_.message -match "CommandLine.*.*keyboardcues.*" -or $_.message -match "CommandLine.*.*keyboardpref.*" -or $_.message -match "CommandLine.*.*magnifierpane.*" -or $_.message -match "CommandLine.*.*messageduration.*" -or $_.message -match "CommandLine.*.*minimumhitradius.*" -or $_.message -match "CommandLine.*.*mousekeys.*" -or $_.message -match "CommandLine.*.*Narrator.*" -or $_.message -match "CommandLine.*.*osk.*" -or $_.message -match "CommandLine.*.*overlappedcontent.*" -or $_.message -match "CommandLine.*.*showsounds.*" -or $_.message -match "CommandLine.*.*soundsentry.*" -or $_.message -match "CommandLine.*.*stickykeys.*" -or $_.message -match "CommandLine.*.*togglekeys.*" -or $_.message -match "CommandLine.*.*windowarranging.*" -or $_.message -match "CommandLine.*.*windowtracking.*" -or $_.message -match "CommandLine.*.*windowtrackingtimeout.*" -or $_.message -match "CommandLine.*.*windowtrackingzorder.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_bcdedit.ps1 b/Rules/SIGMA/process_creation/win_susp_bcdedit.ps1 new file mode 100644 index 00000000..b930809b --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_bcdedit.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\bcdedit.exe" -and ($_.message -match "CommandLine.*.*delete.*" -or $_.message -match "CommandLine.*.*deletevalue.*" -or $_.message -match "CommandLine.*.*import.*" -or $_.message -match "CommandLine.*.*safeboot.*" -or $_.message -match "CommandLine.*.*network.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_bcdedit"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_bcdedit"; + $detectedMessage = "Detects, possibly, malicious unauthorized usage of bcdedit.exe"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\bcdedit.exe" -and ($_.message -match "CommandLine.*.*delete.*" -or $_.message -match "CommandLine.*.*deletevalue.*" -or $_.message -match "CommandLine.*.*import.*" -or $_.message -match "CommandLine.*.*safeboot.*" -or $_.message -match "CommandLine.*.*network.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
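Review bot: `Image.*.*AtBroker.exe` is the only image pattern in this batch without the `\\` path separator that the siblings use (`Image.*.*\\adfind.exe`, `Image.*.*\\bcdedit.exe`), so any image name merely ending in "AtBroker.exe" also matches; it should read `"Image.*.*\\AtBroker.exe"`. The exclusion list is matched as loose substrings of the whole message, so very short tokens such as `osk` or `Narrator` suppress the alert whenever those letters occur anywhere in the command line, not only as the AT name following `start`; anchoring them to `start <name>` would keep the exclusions honest. The detection text typo `non-deafualt` should be `non-default`.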
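Review bot: The `deletevalue` alternative is redundant because `CommandLine.*.*delete.*` already matches it as a substring, and `import` and `network` are matched as bare substrings anywhere in the command line, so an argument or path that merely contains those words triggers the rule. Tightening the switches to follow a separator, e.g. `$_.message -match "CommandLine.*\s[/-]?(delete|import|safeboot|network)"`, keeps the intended matches (including `/deletevalue`) while dropping the accidental ones. The description "Detects, possibly, malicious unauthorized usage of bcdedit.exe" is awkward; "Detects possibly malicious use of bcdedit.exe (boot entry deletion, import, safeboot/network switches)" says what is actually matched.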
diff --git a/Rules/SIGMA/process_creation/win_susp_bginfo.ps1 b/Rules/SIGMA/process_creation/win_susp_bginfo.ps1 new file mode 100644 index 00000000..a2c68936 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_bginfo.ps1 @@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\bginfo.exe" -and $_.message -match "CommandLine.*.*/popup.*" -and $_.message -match "CommandLine.*.*/nolicprompt.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_bginfo"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_bginfo"; + $detectedMessage = "Execute VBscript code that is referenced within the *.bgi file."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\bginfo.exe" -and $_.message -match "CommandLine.*.*/popup.*" -and $_.message -match "CommandLine.*.*/nolicprompt.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_calc.ps1 b/Rules/SIGMA/process_creation/win_susp_calc.ps1 new file mode 100644 index 00000000..2ab9ba06 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_calc.ps1 
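Review bot: The detection text "Execute VBscript code that is referenced within the *.bgi file." describes the attacker technique, not what the rule matches, and reads as an instruction in the output; the siblings use the "Detects …" form. A message such as `Detects BGInfo run with /popup and /nolicprompt, which executes VBScript referenced from a *.bgi file` tells the analyst both what fired and why it matters. Both switches are required (`-and`), which is worth stating since a BGInfo run with only one of them is intentionally not reported.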
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\calc.exe .*" -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\calc.exe" -and -not ($_.message -match "Image.*.*\\Windows\\Sys.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_calc"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_calc"; + $detectedMessage = "Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\calc.exe .*" -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\calc.exe" -and -not ($_.message -match "Image.*.*\\Windows\\Sys.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_cdb.ps1 b/Rules/SIGMA/process_creation/win_susp_cdb.ps1 new file mode 100644 index 00000000..0e34b844 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_cdb.ps1 
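Review bot: The exclusion `-not ($_.message -match "Image.*.*\\Windows\\Sys.*")` is evaluated against the whole event message, where the token `Image` also occurs inside the `ParentImage:` line; a rogue `calc.exe` dropped in a user directory but launched from `C:\Windows\System32\cmd.exe` therefore satisfies the exclusion through its parent path and is suppressed, which is the exact case the rule exists for. If the message uses the `Image: <path>` line form (to be confirmed against a real Sysmon record), anchoring to the start of the line fixes it: `-not ($_.message -match "(?m)^Image: .*\\Windows\\Sys")`. The same `Image` vs `ParentImage` ambiguity affects the positive `Image.*.*\\calc.exe` match.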
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cdb.exe" -and $_.message -match "CommandLine.*.*-cf.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_cdb";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_cdb";
+ $detectedMessage = "Launch 64-bit shellcode from a debugger script file using cdb.exe.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cdb.exe" -and $_.message -match "CommandLine.*.*-cf.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_certutil_command.ps1 b/Rules/SIGMA/process_creation/win_susp_certutil_command.ps1
new file mode 100644
index 00000000..07ae1370
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_certutil_command.ps1
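Review bot: `CommandLine.*.*-cf.*` matches `-cf` as a bare substring, so any longer switch or path fragment beginning with those characters also fires, and the rule depends entirely on the file being named `cdb.exe`; a renamed debugger with the same `-cf script` argument is not reported. Bounding the switch, `$_.message -match "CommandLine.*\s-cf\s"`, keeps the intended form. The detection text "Launch 64-bit shellcode from a debugger script file using cdb.exe." describes the technique rather than the detection; "Detects cdb.exe run with a -cf script file, a known way to launch shellcode from a debugger script" matches the sibling wording.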
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.* -decode .*" -or $_.message -match "CommandLine.*.* -decodehex .*" -or $_.message -match "CommandLine.*.* -urlcache .*" -or $_.message -match "CommandLine.*.* -verifyctl .*" -or $_.message -match "CommandLine.*.* -encode .*" -or $_.message -match "CommandLine.*.* /decode .*" -or $_.message -match "CommandLine.*.* /decodehex .*" -or $_.message -match "CommandLine.*.* /urlcache .*" -or $_.message -match "CommandLine.*.* /verifyctl .*" -or $_.message -match "CommandLine.*.* /encode .*") -or ($_.message -match "Image.*.*\\certutil.exe" -and ($_.message -match "CommandLine.*.*URL.*" -or $_.message -match "CommandLine.*.*ping.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_certutil_command"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_certutil_command"; + $detectedMessage = "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.* -decode .*" -or $_.message -match "CommandLine.*.* -decodehex .*" -or $_.message -match "CommandLine.*.* -urlcache .*" -or $_.message -match "CommandLine.*.* -verifyctl .*" -or $_.message -match "CommandLine.*.* -encode .*" -or $_.message -match "CommandLine.*.* /decode .*" -or $_.message -match "CommandLine.*.* /decodehex .*" -or $_.message -match "CommandLine.*.* /urlcache .*" -or $_.message -match "CommandLine.*.* /verifyctl .*" -or $_.message -match "CommandLine.*.* /encode .*") -or ($_.message -match "Image.*.*\\certutil.exe" -and ($_.message -match "CommandLine.*.*URL.*" -or $_.message -match "CommandLine.*.*ping.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, 
Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_certutil_encode.ps1 b/Rules/SIGMA/process_creation/win_susp_certutil_encode.ps1 new file mode 100644 index 00000000..5ad0dfb8 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_certutil_encode.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\certutil.exe" -and $_.message -match "CommandLine.*.*-f.*" -and $_.message -match "CommandLine.*.*-encode.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_certutil_encode"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_certutil_encode"; + $detectedMessage = "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\certutil.exe" -and $_.message -match "CommandLine.*.*-f.*" -and $_.message -match "CommandLine.*.*-encode.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
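Review bot: The detection text is cut off mid-sentence — "which is sometimes used to decode malicious code with" — and should be completed, e.g. "…which is sometimes used to decode or download malicious code with a living-off-the-land binary." The first alternation (`-decode`, `-urlcache`, `/encode`, …) carries no `Image` condition, so any process with those arguments fires, and in the second clause `CommandLine.*.*ping.*` matches "ping" as a substring (e.g. in "mapping") of any certutil command line; both are inherited from the upstream rule but deserve a comment so they are not read as mistakes. This function's body continues into the following diff line.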
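Review bot: Only the dash forms `-f` and `-encode` are matched, while certutil accepts slash-prefixed switches too; `win_susp_certutil_command` in this same commit matches both `-encode` and `/encode`, so this rule is the one that misses `certutil /encode`. Use `$_.message -match "CommandLine.*[-/]f\b"` and `$_.message -match "CommandLine.*[-/]encode"` to cover both spellings. The description "Detects suspicious a certutil command that used to encode files" should read "Detects a suspicious certutil command used to encode files".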
diff --git a/Rules/SIGMA/process_creation/win_susp_cli_escape.ps1 b/Rules/SIGMA/process_creation/win_susp_cli_escape.ps1 new file mode 100644 index 00000000..5d22ed4e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_cli_escape.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*h^t^t^p.*" -or $_.message -match "CommandLine.*.*h"t"t"p.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_cli_escape"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_cli_escape"; + $detectedMessage = "Detects suspicious process that use escape characters"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*h^t^t^p.*" -or $_.message -match "CommandLine.*.*h""t""t""p.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; +Write-Output $result; +Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_cmd_http_appdata.ps1 b/Rules/SIGMA/process_creation/win_susp_cmd_http_appdata.ps1 new file mode 100644 index 00000000..ba714f3a --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_cmd_http_appdata.ps1 
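Review bot: In `"CommandLine.*.*h^t^t^p.*"` the `^` characters are start-of-line anchors in the .NET regex used by `-match`, not the literal carets the rule is looking for, so the first alternative can never match and the caret-escaped `h^t^t^p` obfuscation this rule exists to catch goes undetected. Escape them: `$_.message -match "CommandLine.*.*h\^t\^t\^p.*"`. The quoted form `h""t""t""p` is fine since the doubled quotes are PowerShell string escapes, and the leading comment's unescaped `h"t"t"p` is harmless only because it is a comment.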
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*http.*" -and $_.message -match "CommandLine.*.*://.*" -and $_.message -match "CommandLine.*.*%AppData%.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_cmd_http_appdata"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_cmd_http_appdata"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*http.*" -and $_.message -match "CommandLine.*.*://.*" -and $_.message -match "CommandLine.*.*%AppData%.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_codepage_switch.ps1 b/Rules/SIGMA/process_creation/win_susp_codepage_switch.ps1 new file mode 100644 index 00000000..a5646bfa --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_codepage_switch.ps1 
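Review bot: `$detectedMessage` is never set in this rule, so the hit block's `Write-Output $detectedMessage` prints nothing; every other rule in this batch assigns it before `$result`. Add `$detectedMessage = "Detects cmd.exe command lines that combine an http:// URL with an %AppData% path, a common download-and-execute pattern";` after the inner `$ruleName` line. The `http`, `://` and `%AppData%` checks are independent substring matches, so they need not be adjacent in the command line, which is worth stating in that message.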
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\chcp.com" -and ($_.message -match "CommandLine.*.* 936" -or $_.message -match "CommandLine.*.* 1258")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_codepage_switch"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_codepage_switch"; + $detectedMessage = "Detects a code page switch in command line or batch scripts to a rare language"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\chcp.com" -and ($_.message -match "CommandLine.*.* 936" -or $_.message -match "CommandLine.*.* 1258")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_commands_recon_activity.ps1 b/Rules/SIGMA/process_creation/win_susp_commands_recon_activity.ps1 new file mode 100644 index 00000000..8b1a816e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_commands_recon_activity.ps1 
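Review bot: `CommandLine.*.* 936` and `CommandLine.*.* 1258` are open-ended, so ` 9360` or ` 12580` (or any longer number starting with those digits) also matches; a word boundary pins the code page: `$_.message -match "CommandLine.* 936\b"` and `$_.message -match "CommandLine.* 1258\b"`. Avoid `$` as the terminator here — without the multiline option it only matches at the end of the whole event message, which the CommandLine line is not.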
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "tasklist" -or $_.message -match "net time" -or $_.message -match "systeminfo" -or $_.message -match "whoami" -or $_.message -match "nbtstat" -or $_.message -match "net start" -or $_.message -match "qprocess" -or $_.message -match "nslookup" -or $_.message -match "hostname.exe" -or $_.message -match "netstat -an") -or ($_.message -match "CommandLine.*.*\\net1 start" -or $_.message -match "CommandLine.*.*\\net1 user /domain" -or $_.message -match "CommandLine.*.*\\net1 group /domain" -or $_.message -match "CommandLine.*.*\\net1 group "domain admins" /domain" -or $_.message -match "CommandLine.*.*\\net1 group "Exchange Trusted Subsystem" /domain" -or $_.message -match "CommandLine.*.*\\net1 accounts /domain" -or $_.message -match "CommandLine.*.*\\net1 user net localgroup administrators"))) } | group-object CommandLine | where { $_.count -gt 4 } | select name,count | sort -desc + +function Add-Rule { + + $ruleName = "win_susp_commands_recon_activity"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_commands_recon_activity"; + $detectedMessage = "Detects a set of commands often used in recon stages by different attack groups"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "tasklist" -or $_.message -match "net time" -or $_.message -match "systeminfo" -or $_.message -match "whoami" -or $_.message -match "nbtstat" -or $_.message -match "net start" -or $_.message -match "qprocess" -or $_.message -match "nslookup" -or $_.message -match "hostname.exe" -or $_.message -match "netstat -an") -or ($_.message -match "CommandLine.*.*\\net1 start" -or $_.message -match "CommandLine.*.*\\net1 user /domain" -or $_.message -match "CommandLine.*.*\\net1 group /domain" -or $_.message -match "CommandLine.*.*\\net1 group ""domain admins"" /domain" -or $_.message -match 
"CommandLine.*.*\\net1 group ""Exchange Trusted Subsystem"" /domain" -or $_.message -match "CommandLine.*.*\\net1 accounts /domain" -or $_.message -match "CommandLine.*.*\\net1 user net localgroup administrators"))) } | group-object CommandLine | where { $_.count -gt 4 } | select name, count | sort -desc; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_compression_params.ps1 b/Rules/SIGMA/process_creation/win_susp_compression_params.ps1 new file mode 100644 index 00000000..7ffbb1a1 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_compression_params.ps1 
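Review bot: The pipeline ends in `group-object CommandLine | where { $_.count -gt 4 }`, but the objects flowing through are the raw event records whose fields are `TimeCreated, Id, RecordId, ProcessId, MachineName, Message` (as every sibling rule's `select` shows); unless the caller pre-parses Message into properties, `CommandLine` does not exist on them, so Group-Object collapses everything into one unnamed group and the `-gt 4` threshold becomes "more than four recon-looking events in this batch, regardless of command", while the `select name, count` drops the timestamps and record ids an analyst needs. Either group on a value extracted from Message (e.g. `group-object { ($_.Message -split "`n" | where { $_ -match "^CommandLine:" }) }`) or emit the matching records as the other rules do and apply the count in the caller. Also note the first alternation (`whoami`, `tasklist`, `nslookup`, …) is matched anywhere in the message, including `ParentCommandLine`, so a single recon-capable parent inflates the count.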
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "OriginalFileName.*7z.*.exe" -or $_.message -match "OriginalFileName.*.*rar.exe" -or $_.message -match "OriginalFileName.*.*Command.*Line.*RAR.*") -and ($_.message -match "CommandLine.*.* -p.*" -or $_.message -match "CommandLine.*.* -ta.*" -or $_.message -match "CommandLine.*.* -tb.*" -or $_.message -match "CommandLine.*.* -sdel.*" -or $_.message -match "CommandLine.*.* -dw.*" -or $_.message -match "CommandLine.*.* -hp.*")) -and -not ($_.message -match "ParentImage.*C:\\Program.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_compression_params"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_compression_params"; + $detectedMessage = "Detects suspicious command line arguments of common data compression tools"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "OriginalFileName.*7z.*.exe" -or $_.message -match "OriginalFileName.*.*rar.exe" -or $_.message -match "OriginalFileName.*.*Command.*Line.*RAR.*") -and ($_.message -match "CommandLine.*.* -p.*" -or $_.message -match "CommandLine.*.* -ta.*" -or $_.message -match "CommandLine.*.* -tb.*" -or $_.message -match "CommandLine.*.* -sdel.*" -or $_.message -match "CommandLine.*.* -dw.*" -or $_.message -match "CommandLine.*.* -hp.*")) -and -not ($_.message -match "ParentImage.*C:\\Program.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
diff --git a/Rules/SIGMA/process_creation/win_susp_comsvcs_procdump.ps1 b/Rules/SIGMA/process_creation/win_susp_comsvcs_procdump.ps1 new file mode 100644 index 00000000..18518c74 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_comsvcs_procdump.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "OriginalFileName.*RUNDLL32.EXE") -and ($_.message -match "CommandLine.*.*comsvcs.*" -and $_.message -match "CommandLine.*.*MiniDump.*" -and $_.message -match "CommandLine.*.*full.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_comsvcs_procdump"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_comsvcs_procdump"; + $detectedMessage = "Detects process memory dump via comsvcs.dll and rundll32"; + $result = $event | where { ($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "OriginalFileName.*RUNDLL32.EXE") -and ($_.message -match "CommandLine.*.*comsvcs.*" -and $_.message -match "CommandLine.*.*MiniDump.*" -and $_.message -match "CommandLine.*.*full.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_conhost.ps1 b/Rules/SIGMA/process_creation/win_susp_conhost.ps1 new file mode 100644 index 00000000..1cd8e5ac --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_conhost.ps1 
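Review bot: The filter tests the event id twice, `$_.ID -eq "1" -and ($_.ID -eq "1") -and …`, which is dead weight and suggests a generator slip; drop the parenthesised duplicate. The rule keys on the literal export name `MiniDump`, so a call that reaches the same export without spelling it out (by ordinal, for instance) would not contain that string and would be missed — worth a comment so the gap is known rather than assumed covered. `CommandLine.*.*full.*` is also a bare substring, though the `comsvcs` and `MiniDump` conjuncts keep it from firing on its own.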
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\conhost.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_conhost";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_conhost";
+ $detectedMessage = "Detects the conhost execution as parent process. Can be used to evaded defense mechanism.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\conhost.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_control_dll_load.ps1 b/Rules/SIGMA/process_creation/win_susp_control_dll_load.ps1
new file mode 100644
index 00000000..b615240e
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_control_dll_load.ps1
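Review bot: The detection text has a grammatical slip, "Can be used to evaded defense mechanism", which should read "Can be used to evade defense mechanisms". The rule fires on every process whose parent is conhost.exe with no further qualification, so the message should also warn the analyst that the only thing established is the parent, not what was spawned, e.g. `Detects a process spawned by conhost.exe as its parent, an uncommon relationship used to evade defenses; review the child image and command line`.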
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\System32\\control.exe" -and $_.message -match "Image.*.*\\rundll32.exe ") -and -not ($_.message -match "CommandLine.*.*Shell32.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_control_dll_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_control_dll_load"; + $detectedMessage = "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\System32\\control.exe" -and $_.message -match "Image.*.*\\rundll32.exe ") -and -not ($_.message -match "CommandLine.*.*Shell32.dll.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_copy_lateral_movement.ps1 b/Rules/SIGMA/process_creation/win_susp_copy_lateral_movement.ps1 new file mode 100644 index 00000000..ed542aa4 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_copy_lateral_movement.ps1 
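Review bot: `"Image.*.*\\rundll32.exe "` carries a trailing space after `.exe`, and the Image field is the last thing on its line in the Sysmon message text, so that pattern cannot match the Image line and the rule as written never fires; the space was presumably meant for the command line. Use `$_.message -match "Image.*.*\\rundll32.exe"` (no trailing space), or match the arguments on `CommandLine` instead. The `Shell32.dll` exclusion is a bare substring, which is fine here since legitimate control.exe launches of rundll32 do pass that DLL.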
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\robocopy.exe" -or $_.message -match "Image.*.*\\xcopy.exe") -or ($_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*copy.*")) -or ($_.message -match "Image.*.*\\powershell.*" -and ($_.message -match "CommandLine.*.*copy-item.*" -or $_.message -match "CommandLine.*.*copy.*" -or $_.message -match "CommandLine.*.*cpi .*" -or $_.message -match "CommandLine.*.* cp .*"))) -and ($_.message -match "CommandLine.*.*\\\\.*" -and $_.message -match "CommandLine.*.*$.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_copy_lateral_movement";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_copy_lateral_movement";
+ $detectedMessage = "Detects a suspicious copy command to or from an Admin share";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\robocopy.exe" -or $_.message -match "Image.*.*\\xcopy.exe") -or ($_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*copy.*")) -or ($_.message -match "Image.*.*\\powershell.*" -and ($_.message -match "CommandLine.*.*copy-item.*" -or $_.message -match "CommandLine.*.*copy.*" -or $_.message -match "CommandLine.*.*cpi .*" -or $_.message -match "CommandLine.*.* cp .*"))) -and ($_.message -match "CommandLine.*.*\\\\.*" -and $_.message -match "CommandLine.*.*$.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_copy_system32.ps1 b/Rules/SIGMA/process_creation/win_susp_copy_system32.ps1
new file mode 100644
index 00000000..e709fe86
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_copy_system32.ps1
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* /c copy.*" -or $_.message -match "CommandLine.*.*xcopy.*") -and $_.message -match "CommandLine.*.*\\System32\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_copy_system32";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_copy_system32";
+ $detectedMessage = "Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* /c copy.*" -or $_.message -match "CommandLine.*.*xcopy.*") -and $_.message -match "CommandLine.*.*\\System32\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ ;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_covenant.ps1 b/Rules/SIGMA/process_creation/win_susp_covenant.ps1
new file mode 100644
index 00000000..1e2b1c28
--- /dev/null
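Review bot: The admin-share condition `$_.message -match "CommandLine.*.*$.*"` in win_susp_copy_lateral_movement's Search-DetectableEvents cannot do what the rule intends: in a .NET regex an unescaped `$` is the end-of-string anchor, so `.*$.*` matches every message and the `-and` with the `\\\\` check degrades to "any copy command containing two backslashes". The literal dollar sign of a share name needs escaping, e.g. `$_.message -match 'CommandLine.*\$'` (single quotes also keep PowerShell from attempting interpolation). `$_.ID -eq "1" -and ($_.ID -eq "1")` at the start of the same filter is a duplicated test that can be dropped; the same duplicate appears in win_susp_csi and win_susp_curl_download.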
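Review bot: In win_susp_copy_system32 the terminator of the `$result = ... Message` pipeline has been pushed onto its own line as a bare `;`, which every other rule in this commit keeps at the end of the pipeline. It parses, but it reads like a leftover from a manual edit; rejoin it as `... | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;` so the file matches its siblings.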
+++ b/Rules/SIGMA/process_creation/win_susp_covenant.ps1 
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*-Sta.*" -and $_.message -match "CommandLine.*.*-Nop.*" -and $_.message -match "CommandLine.*.*-Window.*" -and $_.message -match "CommandLine.*.*Hidden.*" -and ($_.message -match "CommandLine.*.*-Command.*" -or $_.message -match "CommandLine.*.*-EncodedCommand.*")) -or ($_.message -match "CommandLine.*.*sv o (New-Object IO.MemorySteam);sv d .*" -or $_.message -match "CommandLine.*.*mshta file.hta.*" -or $_.message -match "CommandLine.*.*GruntHTTP.*" -or $_.message -match "CommandLine.*.*-EncodedCommand cwB2ACAAbwAgA.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_covenant";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_covenant";
+ $detectedMessage = "Detects suspicious command lines used in Covenant luanchers";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*-Sta.*" -and $_.message -match "CommandLine.*.*-Nop.*" -and $_.message -match "CommandLine.*.*-Window.*" -and $_.message -match "CommandLine.*.*Hidden.*" -and ($_.message -match "CommandLine.*.*-Command.*" -or $_.message -match "CommandLine.*.*-EncodedCommand.*")) -or ($_.message -match "CommandLine.*.*sv o (New-Object IO.MemorySteam);sv d .*" -or $_.message -match "CommandLine.*.*mshta file.hta.*" -or $_.message -match "CommandLine.*.*GruntHTTP.*" -or $_.message -match "CommandLine.*.*-EncodedCommand cwB2ACAAbwAgA.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_crackmapexec_execution.ps1 b/Rules/SIGMA/process_creation/win_susp_crackmapexec_execution.ps1
new file mode 100644
index 00000000..3fae54c7
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_crackmapexec_execution.ps1
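Review bot: In the `sv o (New-Object IO.MemorySteam);sv d .*` pattern of the `$result` filter the parentheses are unescaped, so the regex engine reads `(New-Object IO.MemorySteam)` as a capture group and the alternative only matches a command line containing `sv o New-Object IO.MemorySteam;sv d ` without the brackets — the literal launcher text the rule is named for will never match. Escape them, e.g. `$_.message -match 'CommandLine.*sv o \(New-Object IO\.MemorySteam\);sv d '`, or build the pattern with `[regex]::Escape()`. The `$detectedMessage` string also misspells "launchers" as "luanchers".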
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*cmd.exe /Q /c .* 1> \\\\.*\\.*\\.* 2>&1" -or $_.message -match "CommandLine.*.*cmd.exe /C .* > \\\\.*\\.*\\.* 2>&1" -or $_.message -match "CommandLine.*.*cmd.exe /C .* > .*\\Temp\\.* 2>&1") -and ($_.message -match "CommandLine.*.*powershell.exe -exec bypass -noni -nop -w 1 -C ".*" -or $_.message -match "CommandLine.*.*powershell.exe -noni -nop -w 1 -enc .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_crackmapexec_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_crackmapexec_execution";
+ $detectedMessage = "Detect various execution methods of the CrackMapExec pentesting framework";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*cmd.exe /Q /c .* 1> \\\\.*\\.*\\.* 2>&1" -or $_.message -match "CommandLine.*.*cmd.exe /C .* > \\\\.*\\.*\\.* 2>&1" -or $_.message -match "CommandLine.*.*cmd.exe /C .* > .*\\Temp\\.* 2>&1") -and ($_.message -match "CommandLine.*.*powershell.exe -exec bypass -noni -nop -w 1 -C "".*"" -or $_.message -match ""CommandLine.*.*powershell.exe -noni -nop -w 1 -enc .*""")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_crackmapexec_powershell_obfuscation.ps1 b/Rules/SIGMA/process_creation/win_susp_crackmapexec_powershell_obfuscation.ps1
new file mode 100644
index 00000000..4224e60e
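Review bot: The doubled quotes in the `$result` filter fold the second PowerShell pattern into the first: inside a double-quoted PowerShell string `""` is an escaped quote, so the literal that starts at `"CommandLine.*.*powershell.exe -exec bypass` runs all the way to `-enc .*"""`, the text `-or $_.message -match` becomes string content (with `$_` interpolated at rule-load time), and the `-enc` variant is never evaluated as a condition of its own. Single-quoted strings avoid both the escaping and the interpolation: `($_.message -match 'CommandLine.*powershell.exe -exec bypass -noni -nop -w 1 -C ".*' -or $_.message -match 'CommandLine.*powershell.exe -noni -nop -w 1 -enc .*')`. The one-line comment at the top of the file still shows the intended two patterns, so the code and its own comment currently disagree.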
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_crackmapexec_powershell_obfuscation.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*powershell.exe.*" -and ($_.message -match "CommandLine.*.*join.*split.*" -or $_.message -match "CommandLine.*.*( $ShellId[1]+$ShellId[13]+'x').*" -or $_.message -match "CommandLine.*.*( $PSHome[.*]+$PSHOME[.*]+.*" -or $_.message -match "CommandLine.*.*( $env:Public[13]+$env:Public[5]+'x').*" -or $_.message -match "CommandLine.*.*( $env:ComSpec[4,.*,25]-Join'').*" -or $_.message -match "CommandLine.*.*[1,3]+'x'-Join'').*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_crackmapexec_powershell_obfuscation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_crackmapexec_powershell_obfuscation";
+ $detectedMessage = "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*powershell.exe.*" -and ($_.message -match "CommandLine.*.*join.*split.*" -or $_.message -match "CommandLine.*.*( $ShellId[1]+$ShellId[13]+'x').*" -or $_.message -match "CommandLine.*.*( $PSHome[.*]+$PSHOME[.*]+.*" -or $_.message -match "CommandLine.*.*( $env:Public[13]+$env:Public[5]+'x').*" -or $_.message -match "CommandLine.*.*( $env:ComSpec[4,.*,25]-Join'').*" -or $_.message -match "CommandLine.*.*[1,3]+'x'-Join'').*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
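Review bot: Every obfuscation pattern in the `$result` filter is a double-quoted string, so `$ShellId`, `$PSHome`, `$PSHOME`, `$env:Public` and `$env:ComSpec` are expanded by the PowerShell that loads the rule rather than kept as the literal text an obfuscated command line contains — `"( $ShellId[1]+$ShellId[13]+'x').*"` presumably becomes something like `( Microsoft.PowerShell[1]+Microsoft.PowerShell[13]+'x').*` — and the unescaped `(`, `[` and `+` are regex metacharacters on top of that, so none of the five static strings the rule exists for can match. Each alternative needs a single-quoted, regex-escaped literal, e.g. `$_.message -match 'CommandLine.*\( \$ShellId\[1\]\+\$ShellId\[13\]\+''x''\)'`, or a pattern built with `[regex]::Escape()`. The `$detectedMessage` string also misspells "CrackMapExec".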
diff --git a/Rules/SIGMA/process_creation/win_susp_csc.ps1 b/Rules/SIGMA/process_creation/win_susp_csc.ps1
new file mode 100644
index 00000000..23243ba0
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_csc.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\csc.exe" -and ($_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe" -or $_.message -match "ParentImage.*.*\\mshta.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_csc";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_csc";
+ $detectedMessage = "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\csc.exe" -and ($_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe" -or $_.message -match "ParentImage.*.*\\mshta.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_csc_folder.ps1 b/Rules/SIGMA/process_creation/win_susp_csc_folder.ps1
new file mode 100644
index 00000000..4705e6c2
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_csc_folder.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\csc.exe" -and ($_.message -match "CommandLine.*.*\\AppData\\.*" -or $_.message -match "CommandLine.*.*\\Windows\\Temp\\.*")) -and -not ($_.message -match "ParentImage.*C:\\Program Files.*" -or ($_.message -match "ParentImage.*.*\\sdiagnhost.exe" -or $_.message -match "ParentImage.*.*\\w3wp.exe") -or ($_.message -match "ParentCommandLine.*.*\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_csc_folder";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_csc_folder";
+ $detectedMessage = "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\csc.exe" -and ($_.message -match "CommandLine.*.*\\AppData\\.*" -or $_.message -match "CommandLine.*.*\\Windows\\Temp\\.*")) -and -not ($_.message -match "ParentImage.*C:\\Program Files.*" -or ($_.message -match "ParentImage.*.*\\sdiagnhost.exe" -or $_.message -match "ParentImage.*.*\\w3wp.exe") -or ($_.message -match "ParentCommandLine.*.*\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_csi.ps1 b/Rules/SIGMA/process_creation/win_susp_csi.ps1
new file mode 100644
index 00000000..ce309b2a
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_csi.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\csi.exe" -or $_.message -match "Image.*.*\\rcsi.exe" -or $_.message -match "OriginalFileName.*csi.exe" -or $_.message -match "OriginalFileName.*rcsi.exe") -and $_.message -match "Company.*Microsoft Corporation") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_csi";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_csi";
+ $detectedMessage = "Csi.exe is a signed binary from Micosoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “"Roslyn”" Community Technology Preview was named 'rcsi.exe'";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\csi.exe" -or $_.message -match "Image.*.*\\rcsi.exe" -or $_.message -match "OriginalFileName.*csi.exe" -or $_.message -match "OriginalFileName.*rcsi.exe") -and $_.message -match "Company.*Microsoft Corporation") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
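Review bot: The `$detectedMessage` string only parses because PowerShell treats the typographic quotes in `“"Roslyn”"` as quote characters, so each curly-plus-straight pair acts as an escaped `"`; nothing in the hunk says so, and the string breaks the moment the file is re-saved in a code page that folds the curly quotes to straight ones. Writing the name as `""Roslyn""` (or dropping the quotes around Roslyn altogether) removes the dependency on the file's encoding. The message also misspells "Microsoft" as "Micosoft".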
diff --git a/Rules/SIGMA/process_creation/win_susp_curl_download.ps1 b/Rules/SIGMA/process_creation/win_susp_curl_download.ps1
new file mode 100644
index 00000000..d8e03c94
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_curl_download.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\curl.exe" -or $_.message -match "Product.*The curl executable") -and $_.message -match "CommandLine.*.* -O .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_curl_download";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_curl_download";
+ $detectedMessage = "Detects a suspicious curl process start on Windows and outputs the requested document to a local file";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\curl.exe" -or $_.message -match "Product.*The curl executable") -and $_.message -match "CommandLine.*.* -O .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_curl_fileupload.ps1 b/Rules/SIGMA/process_creation/win_susp_curl_fileupload.ps1
new file mode 100644
index 00000000..3c1616b8
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_curl_fileupload.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\curl.exe" -and $_.message -match "CommandLine.*.* -F .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_curl_fileupload";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_curl_fileupload";
+ $detectedMessage = "Detects a suspicious curl process start the adds a file to a web request";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\curl.exe" -and $_.message -match "CommandLine.*.* -F .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_curl_start_combo.ps1 b/Rules/SIGMA/process_creation/win_susp_curl_start_combo.ps1
new file mode 100644
index 00000000..e811f0ad
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_curl_start_combo.ps1
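Review bot: `-match` is case-insensitive in PowerShell, so the `" -F "` test in the `$result` filter also fires on `curl -f` (fail on HTTP errors), which is routine in scripts and installers, and nothing in the hunk suggests that is intended. For a flag whose case carries meaning use the case-sensitive operator: `$_.message -cmatch "CommandLine.*.* -F .*"`. The ` -O ` test in win_susp_curl_download has the same property, though there both `-O` and `-o` write the response to a file so the consequence is smaller.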
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*curl.*" -and $_.message -match "CommandLine.*.* start .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_curl_start_combo";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_curl_start_combo";
+ $detectedMessage = "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*curl.*" -and $_.message -match "CommandLine.*.* start .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_dctask64_proc_inject.ps1 b/Rules/SIGMA/process_creation/win_susp_dctask64_proc_inject.ps1
new file mode 100644
index 00000000..a88ed45e
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_dctask64_proc_inject.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\dctask64.exe") -and -not (($_.message -match "CommandLine.*.*DesktopCentral_Agent\\agent.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_dctask64_proc_inject";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_dctask64_proc_inject";
+ $detectedMessage = "Detects suspicious process injection using ZOHO's dctask64.exe";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\dctask64.exe") -and -not (($_.message -match "CommandLine.*.*DesktopCentral_Agent\\agent.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_desktopimgdownldr.ps1 b/Rules/SIGMA/process_creation/win_susp_desktopimgdownldr.ps1
new file mode 100644
index 00000000..c52e7aff
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_desktopimgdownldr.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.ID -eq "1") -and $_.message -match "CommandLine.*.* /lockscreenurl:.*" -and -not (($_.message -match "CommandLine.*.*.jpg.*" -or $_.message -match "CommandLine.*.*.jpeg.*" -or $_.message -match "CommandLine.*.*.png.*"))) -or ($_.message -match "CommandLine.*.*reg delete.*" -and $_.message -match "CommandLine.*.*\\PersonalizationCSP.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_desktopimgdownldr";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_desktopimgdownldr";
+ $detectedMessage = "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet";
+ $result = $event | where { (($_.ID -eq "1") -and ((($_.ID -eq "1") -and $_.message -match "CommandLine.*.* /lockscreenurl:.*" -and -not (($_.message -match "CommandLine.*.*.jpg.*" -or $_.message -match "CommandLine.*.*.jpeg.*" -or $_.message -match "CommandLine.*.*.png.*"))) -or ($_.message -match "CommandLine.*.*reg delete.*" -and $_.message -match "CommandLine.*.*\\PersonalizationCSP.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_devtoolslauncher.ps1 b/Rules/SIGMA/process_creation/win_susp_devtoolslauncher.ps1
new file mode 100644
index 00000000..4f6f558a
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_devtoolslauncher.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\devtoolslauncher.exe" -and $_.message -match "CommandLine.*.*LaunchForDeploy.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_devtoolslauncher";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_devtoolslauncher";
+ $detectedMessage = "The Devtoolslauncher.exe executes other binary";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\devtoolslauncher.exe" -and $_.message -match "CommandLine.*.*LaunchForDeploy.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_direct_asep_reg_keys_modification.ps1 b/Rules/SIGMA/process_creation/win_susp_direct_asep_reg_keys_modification.ps1
new file mode 100644
index 00000000..431df515
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_direct_asep_reg_keys_modification.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and $_.message -match "CommandLine.*.*add.*" -and ($_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\Run.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders.*" -or $_.message -match "CommandLine.*.*\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_direct_asep_reg_keys_modification";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_direct_asep_reg_keys_modification";
+ $detectedMessage = "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and $_.message -match "CommandLine.*.*add.*" -and ($_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\Run.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders.*" -or $_.message -match "CommandLine.*.*\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_disable_eventlog.ps1 b/Rules/SIGMA/process_creation/win_susp_disable_eventlog.ps1
new file mode 100644
index 00000000..570e7c5c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_disable_eventlog.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*logman .*") -and ($_.message -match "CommandLine.*.*stop .*" -or $_.message -match "CommandLine.*.*delete .*") -and ($_.message -match "CommandLine.*.*EventLog-System.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_disable_eventlog";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_disable_eventlog";
+ $detectedMessage = "Detects command that is used to disable or delete Windows eventlog via logman Windows utility";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*logman .*") -and ($_.message -match "CommandLine.*.*stop .*" -or $_.message -match "CommandLine.*.*delete .*") -and ($_.message -match "CommandLine.*.*EventLog-System.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_disable_ie_features.ps1 b/Rules/SIGMA/process_creation/win_susp_disable_ie_features.ps1
new file mode 100644
index 00000000..f094f2d9
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_disable_ie_features.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.* -name IEHarden .*" -and $_.message -match "CommandLine.*.* -value 0 .*") -or ($_.message -match "CommandLine.*.* -name DEPOff .*" -and $_.message -match "CommandLine.*.* -value 1 .*") -or ($_.message -match "CommandLine.*.* -name DisableFirstRunCustomize .*" -and $_.message -match "CommandLine.*.* -value 2 .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_disable_ie_features";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_disable_ie_features";
+ $detectedMessage = "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.* -name IEHarden .*" -and $_.message -match "CommandLine.*.* -value 0 .*") -or ($_.message -match "CommandLine.*.* -name DEPOff .*" -and $_.message -match "CommandLine.*.* -value 1 .*") -or ($_.message -match "CommandLine.*.* -name DisableFirstRunCustomize .*" -and $_.message -match "CommandLine.*.* -value 2 .*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_disable_raccine.ps1 b/Rules/SIGMA/process_creation/win_susp_disable_raccine.ps1
new file mode 100644
index 00000000..53fc7ba0
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_disable_raccine.ps1
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*taskkill .*" -and $_.message -match "CommandLine.*.*RaccineSettings.exe.*") -or ($_.message -match "CommandLine.*.*reg.exe.*" -and $_.message -match "CommandLine.*.*delete.*" -and $_.message -match "CommandLine.*.*Raccine Tray.*") -or ($_.message -match "CommandLine.*.*schtasks.*" -and $_.message -match "CommandLine.*.*/DELETE.*" -and $_.message -match "CommandLine.*.*Raccine Rules Updater.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_disable_raccine"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_disable_raccine"; + $detectedMessage = "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. "; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*taskkill .*" -and $_.message -match "CommandLine.*.*RaccineSettings.exe.*") -or ($_.message -match "CommandLine.*.*reg.exe.*" -and $_.message -match "CommandLine.*.*delete.*" -and $_.message -match "CommandLine.*.*Raccine Tray.*") -or ($_.message -match "CommandLine.*.*schtasks.*" -and $_.message -match "CommandLine.*.*/DELETE.*" -and $_.message -match "CommandLine.*.*Raccine Rules Updater.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
diff --git a/Rules/SIGMA/process_creation/win_susp_diskshadow.ps1 b/Rules/SIGMA/process_creation/win_susp_diskshadow.ps1 new file mode 100644 index 00000000..3dac671c --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_diskshadow.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\diskshadow.exe" -and ($_.message -match "CommandLine.*.*/s.*" -or $_.message -match "CommandLine.*.*-s.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_diskshadow"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_diskshadow"; + $detectedMessage = "Detects using Diskshadow.exe to execute arbitrary code in text file"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\diskshadow.exe" -and ($_.message -match "CommandLine.*.*/s.*" -or $_.message -match "CommandLine.*.*-s.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_ditsnap.ps1 b/Rules/SIGMA/process_creation/win_susp_ditsnap.ps1 new file mode 100644 index 00000000..7c114fd6 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_ditsnap.ps1 
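Review bot: `"CommandLine.*.*-s.*"` and `"CommandLine.*.*/s.*"` on the `$result` line match `-s` / `/s` anywhere in the command line, including inside a path such as `C:\data-set\` or a longer switch, so the rule fires on any diskshadow invocation whose line happens to contain those two characters. Requiring a switch boundary keeps the stated intent (script-file execution) and drops that noise: `($_.message -match "CommandLine.*\s[/-]s(\s|$)")`. The `.*.*` doubling in these patterns is harmless but redundant.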
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\ditsnap.exe") -or ($_.message -match "CommandLine.*.*ditsnap.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_ditsnap"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_ditsnap"; + $detectedMessage = "Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups."; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\ditsnap.exe") -or ($_.message -match "CommandLine.*.*ditsnap.exe.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_dnx.ps1 b/Rules/SIGMA/process_creation/win_susp_dnx.ps1 new file mode 100644 index 00000000..3af02139 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_dnx.ps1 
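Review bot: The `$detectedMessage` text "Seems to be a tool for ransomware groups" tells the analyst nothing about what the tool does, which is what matters when triaging the hit. As far as I know ditsnap is a utility for snapshotting/dumping the Active Directory database (ntds.dit), i.e. a credential-access step; suggest `$detectedMessage = "Detects execution of ditsnap.exe, a tool used to snapshot/dump the Active Directory ntds.dit database (credential access)";`. The `Image.*.*\\ditsnap.exe` pattern will also match a `ParentImage:` line, which is acceptable here since either occurrence is worth reporting.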
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\dnx.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_dnx";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_dnx";
+ $detectedMessage = "Execute C# code located in the consoleapp folder";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\dnx.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_double_extension.ps1 b/Rules/SIGMA/process_creation/win_susp_double_extension.ps1
new file mode 100644
index 00000000..74719afc
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_double_extension.ps1
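Review bot: The `$detectedMessage` value "Execute C# code located in the consoleapp folder" reads like an attacker action, not a description of what this rule detects, and it is what the analyst sees first in the output. Every other rule in this set starts with "Detects ..."; suggest `$detectedMessage = "Detects execution of dnx.exe, a .NET execution host that can run C# code from a consoleapp folder (LOLBin)";`. Note the filter fires on any dnx.exe image regardless of arguments, so the description should not imply the consoleapp folder was checked.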
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*.doc.exe" -or $_.message -match "Image.*.*.docx.exe" -or $_.message -match "Image.*.*.xls.exe" -or $_.message -match "Image.*.*.xlsx.exe" -or $_.message -match "Image.*.*.ppt.exe" -or $_.message -match "Image.*.*.pptx.exe" -or $_.message -match "Image.*.*.rtf.exe" -or $_.message -match "Image.*.*.pdf.exe" -or $_.message -match "Image.*.*.txt.exe" -or $_.message -match "Image.*.* .exe" -or $_.message -match "Image.*.*______.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_double_extension"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_double_extension"; + $detectedMessage = "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*.doc.exe" -or $_.message -match "Image.*.*.docx.exe" -or $_.message -match "Image.*.*.xls.exe" -or $_.message -match "Image.*.*.xlsx.exe" -or $_.message -match "Image.*.*.ppt.exe" -or $_.message -match "Image.*.*.pptx.exe" -or $_.message -match "Image.*.*.rtf.exe" -or $_.message -match "Image.*.*.pdf.exe" -or $_.message -match "Image.*.*.txt.exe" -or $_.message -match "Image.*.* .exe" -or $_.message -match "Image.*.*______.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
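Review bot: The dots in `Image.*.*.doc.exe`, `Image.*.*.pdf.exe` and friends are unescaped, and `Image.*.* .exe` matches a space followed by any character and `exe`; since `-match` is case-insensitive, an image path such as `C:\Program Files\Acme Executor\tool.exe` (` Exe`) satisfies it, which is a false positive unrelated to double extensions. None of the patterns is anchored to the end of the `Image:` line either, so `.doc.exe` can match in the middle of a path. Escape the dots and anchor, e.g. `$_.message -match '(?m)^Image:.*\.doc\.exe\s*$'` and `$_.message -match '(?m)^Image:.* \.exe\s*$'` (single quotes so `$` is not interpolated).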
diff --git a/Rules/SIGMA/process_creation/win_susp_dxcap.ps1 b/Rules/SIGMA/process_creation/win_susp_dxcap.ps1 new file mode 100644 index 00000000..495b5212 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_dxcap.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\dxcap.exe" -and $_.message -match "CommandLine.*.*-c.*" -and $_.message -match "CommandLine.*.*.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_dxcap"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_dxcap"; + $detectedMessage = "Detects execution of of Dxcap.exe"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\dxcap.exe" -and $_.message -match "CommandLine.*.*-c.*" -and $_.message -match "CommandLine.*.*.exe.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_emotet_rudll32_execution.ps1 b/Rules/SIGMA/process_creation/win_susp_emotet_rudll32_execution.ps1 new file mode 100644 index 00000000..b050c1c1 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_emotet_rudll32_execution.ps1 
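Review bot: The `$detectedMessage` string has a typo, "Detects execution of of Dxcap.exe", and it should also say what the `-c` / `.exe` conditions on the `$result` line are for so the analyst knows why this run was flagged. Suggest `$detectedMessage = "Detects Dxcap.exe launched with -c to start another executable (LOLBin proxy execution)";`. `CommandLine.*.*-c.*` will also match `-c` inside longer switches; that is inherited from the source rule and fine to leave.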
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\rundll32.exe") -and ($_.message -match "CommandLine.*.*,RunDLL")) -and -not (($_.message -match "ParentImage.*.*\\tracker.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_emotet_rudll32_execution"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_emotet_rudll32_execution"; + $detectedMessage = "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,#1"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\rundll32.exe") -and ($_.message -match "CommandLine.*.*,RunDLL")) -and -not (($_.message -match "ParentImage.*.*\\tracker.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_eventlog_clear.ps1 b/Rules/SIGMA/process_creation/win_susp_eventlog_clear.ps1 new file mode 100644 index 00000000..a7515e05 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_eventlog_clear.ps1 
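Review bot: The description promises command lines "ending in ,RunDLL or ,#1", but the `$result` filter only tests `"CommandLine.*.*,RunDLL"`; the `,#1` export form is never checked, so half of the advertised coverage is missing. Change the middle condition to `(($_.message -match "CommandLine.*,RunDLL") -or ($_.message -match "CommandLine.*,#1"))`. If "ending in" is meant literally, anchor with `'(?m)^CommandLine:.*,RunDLL\s*$'` instead of the unanchored match.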
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*Clear-EventLog.*" -or $_.message -match "CommandLine.*.*Remove-EventLog.*" -or $_.message -match "CommandLine.*.*Limit-EventLog.*")) -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.* ClearEventLog .*")) -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\\wevtutil.exe" -and ($_.message -match "CommandLine.*.*clear-log.*" -or $_.message -match "CommandLine.*.* cl .*" -or $_.message -match "CommandLine.*.*set-log.*" -or $_.message -match "CommandLine.*.* sl .*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_eventlog_clear"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_eventlog_clear"; + $detectedMessage = "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)."; + $result = $event | where { (($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*Clear-EventLog.*" -or $_.message -match "CommandLine.*.*Remove-EventLog.*" -or $_.message -match "CommandLine.*.*Limit-EventLog.*")) -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.* ClearEventLog .*")) -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\\wevtutil.exe" -and ($_.message -match "CommandLine.*.*clear-log.*" -or $_.message -match "CommandLine.*.* cl .*" -or $_.message -match "CommandLine.*.*set-log.*" -or $_.message -match "CommandLine.*.* sl .*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! 
RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_execution_path.ps1 b/Rules/SIGMA/process_creation/win_susp_execution_path.ps1 new file mode 100644 index 00000000..0310df95 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_execution_path.ps1 
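Review bot: The PowerShell branch on the `$result` line only accepts `Image.*.*\\powershell.exe`, so `Clear-EventLog` / `Remove-EventLog` / `Limit-EventLog` run from `pwsh.exe` (PowerShell 7) or `powershell_ise.exe` are not reported, although the wevtutil and wmic branches have no such host restriction. If those hosts are in scope for the fleet this monitors, widen the image check to `($_.message -match "Image.*\\powershell.exe" -or $_.message -match "Image.*\\pwsh.exe" -or $_.message -match "Image.*\\powershell_ise.exe")`. The repeated `$_.ID -eq "1"` inside the wevtutil branch is redundant with the outer check.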
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\$Recycle.bin\\.*" -or $_.message -match "Image.*.*\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Intel\\Logs\\.*" -or $_.message -match "Image.*.*\\RSA\\MachineKeys\\.*" -or $_.message -match "Image.*.*\\Users\\All Users\\.*" -or $_.message -match "Image.*.*\\Users\\Default\\.*" -or $_.message -match "Image.*.*\\Users\\NetworkService\\.*" -or $_.message -match "Image.*.*\\Users\\Public\\.*" -or $_.message -match "Image.*.*\\Windows\\addins\\.*" -or $_.message -match "Image.*.*\\Windows\\debug\\.*" -or $_.message -match "Image.*.*\\Windows\\Fonts\\.*" -or $_.message -match "Image.*.*\\Windows\\Help\\.*" -or $_.message -match "Image.*.*\\Windows\\IME\\.*" -or $_.message -match "Image.*.*\\Windows\\Media\\.*" -or $_.message -match "Image.*.*\\Windows\\repair\\.*" -or $_.message -match "Image.*.*\\Windows\\security\\.*" -or $_.message -match "Image.*.*\\Windows\\system32\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Windows\\System32\\Tasks\\.*" -or $_.message -match "Image.*.*\\Windows\\Tasks\\.*") -or $_.message -match "Image.*C:\\Perflogs\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_execution_path"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_execution_path"; + $detectedMessage = "Detects a suspicious execution from an uncommon folder"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\\$Recycle.bin\\.*" -or $_.message -match "Image.*.*\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Intel\\Logs\\.*" -or $_.message -match "Image.*.*\\RSA\\MachineKeys\\.*" -or $_.message -match "Image.*.*\\Users\\All Users\\.*" -or $_.message -match "Image.*.*\\Users\\Default\\.*" -or $_.message -match 
"Image.*.*\\Users\\NetworkService\\.*" -or $_.message -match "Image.*.*\\Users\\Public\\.*" -or $_.message -match "Image.*.*\\Windows\\addins\\.*" -or $_.message -match "Image.*.*\\Windows\\debug\\.*" -or $_.message -match "Image.*.*\\Windows\\Fonts\\.*" -or $_.message -match "Image.*.*\\Windows\\Help\\.*" -or $_.message -match "Image.*.*\\Windows\\IME\\.*" -or $_.message -match "Image.*.*\\Windows\\Media\\.*" -or $_.message -match "Image.*.*\\Windows\\repair\\.*" -or $_.message -match "Image.*.*\\Windows\\security\\.*" -or $_.message -match "Image.*.*\\Windows\\system32\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Windows\\System32\\Tasks\\.*" -or $_.message -match "Image.*.*\\Windows\\Tasks\\.*") -or $_.message -match "Image.*C:\\Perflogs\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; +Write-Output $result; +Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_execution_path_webserver.ps1 b/Rules/SIGMA/process_creation/win_susp_execution_path_webserver.ps1 new file mode 100644 index 00000000..ba15d4bc --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_execution_path_webserver.ps1 
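Review bot: The reference one-liner in the header comment writes the first pattern as `"Image.*.*\\$Recycle.bin\\.*"` inside double quotes, where `$Recycle` is interpolated as a (normally empty) variable, while the `$result` line correctly escapes it as `\\\$Recycle.bin\\`; anyone pasting the comment to reproduce a hit gets a different regex. Change the comment to `"Image.*.*\\\$Recycle.bin\\.*"` so it matches the code. The `.` in `.bin` is unescaped in both places, which is harmless here but worth `\.bin` for consistency with a real path match.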
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\wwwroot\\.*" -or $_.message -match "Image.*.*\\wmpub\\.*" -or $_.message -match "Image.*.*\\htdocs\\.*") -and -not (($_.message -match "Image.*.*bin\\.*" -or $_.message -match "Image.*.*\\Tools\\.*" -or $_.message -match "Image.*.*\\SMSComponent\\.*") -and ($_.message -match "ParentImage.*.*\\services.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_execution_path_webserver"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_execution_path_webserver"; + $detectedMessage = "Detects a suspicious program execution in a web service root folder (filter out false positives)"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\wwwroot\\.*" -or $_.message -match "Image.*.*\\wmpub\\.*" -or $_.message -match "Image.*.*\\htdocs\\.*") -and -not (($_.message -match "Image.*.*bin\\.*" -or $_.message -match "Image.*.*\\Tools\\.*" -or $_.message -match "Image.*.*\\SMSComponent\\.*") -and ($_.message -match "ParentImage.*.*\\services.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_explorer.ps1 b/Rules/SIGMA/process_creation/win_susp_explorer.ps1 new file mode 100644 index 00000000..4170559c --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_explorer.ps1 
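Review bot: `Image.*.*\\wwwroot\\.*` (and the `wmpub` / `htdocs` variants) is not anchored to the field name, so it also matches the `ParentImage:` line of the same event; a process that merely has a parent under wwwroot is selected, and on the exclusion side `Image.*.*bin\\.*` is satisfied by a parent path containing `bin\`, which suppresses a genuine hit. Since this rule already distinguishes `ParentImage` explicitly in its exclusion, anchor the selection and exclusion image patterns to the start of the line, e.g. `$_.message -match "(?m)^Image:.*\\wwwroot\\"`. The `bin\\` exclusion is broad (any `...bin\` component) but that is inherited from the source rule.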
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\explorer.exe") -and ($_.message -match "ParentImage.*.*\\cmd.exe") -and ($_.message -match "CommandLine.*.*explorer.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_explorer"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_explorer"; + $detectedMessage = "Attackers can use explorer.exe for evading defense mechanisms"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\explorer.exe") -and ($_.message -match "ParentImage.*.*\\cmd.exe") -and ($_.message -match "CommandLine.*.*explorer.exe.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_explorer_break_proctree.ps1 b/Rules/SIGMA/process_creation/win_susp_explorer_break_proctree.ps1 new file mode 100644 index 00000000..c68ccad8 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_explorer_break_proctree.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*explorer.exe.*" -and $_.message -match "CommandLine.*.* /root,.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_explorer_break_proctree"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_explorer_break_proctree"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*explorer.exe.*" -and $_.message -match "CommandLine.*.* /root,.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_file_characteristics.ps1 b/Rules/SIGMA/process_creation/win_susp_file_characteristics.ps1 new file mode 100644 index 00000000..8370d884 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_file_characteristics.ps1 
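Review bot: `$detectedMessage` is written by `Write-Output $detectedMessage` but is never assigned in this rule, unlike every other rule in this set, so a hit prints an empty line where the description belongs (and would throw under `Set-StrictMode`). Add it next to the inner `$ruleName` assignment, for instance `$detectedMessage = "Detects explorer.exe launched with /root, which breaks the process tree so the spawned program no longer shows its real parent";` — wording to be aligned with the source Sigma rule's description.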
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Description.*?" -and ($_.message -match "FileVersion.*?" -or $_.message -match "Product.*?" -or $_.message -match "Company.*?") -and $_.message -match "Image.*.*\\Downloads\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_file_characteristics"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_file_characteristics"; + $detectedMessage = "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Description.*?" -and ($_.message -match "FileVersion.*?" -or $_.message -match "Product.*?" -or $_.message -match "Company.*?") -and $_.message -match "Image.*.*\\Downloads\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_file_download_via_gfxdownloadwrapper.ps1 b/Rules/SIGMA/process_creation/win_susp_file_download_via_gfxdownloadwrapper.ps1 new file mode 100644 index 00000000..e7a284b8 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_file_download_via_gfxdownloadwrapper.ps1 
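Review bot: `"Description.*?"`, `"FileVersion.*?"`, `"Product.*?"` and `"Company.*?"` are regexes in which `.*?` is a lazy any-string, not a literal `?`, so each of them is true for any message that contains the field name; the whole filter collapses to "event 1 with `\Downloads\` in the image path", which is not what the description ("without FileVersion,Description,Product,Company") says and will page on every download-folder execution. Sysmon renders an empty version-info field as `?` (confirm against a sample event); the checks should be `$_.message -match "Description: \?"`, `"FileVersion: \?"`, `"Product: \?"` and `"Company: \?"`.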
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\GfxDownloadWrapper.exe" -and -not ($_.message -match "CommandLine.*.*gameplayapi.intel.com.*")) -and -not ($_.message -match "ParentImage.*.*\\GfxDownloadWrapper.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_file_download_via_gfxdownloadwrapper"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_file_download_via_gfxdownloadwrapper"; + $detectedMessage = "Detects when GfxDownloadWrapper.exe downloads file from non standard URL"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\GfxDownloadWrapper.exe" -and -not ($_.message -match "CommandLine.*.*gameplayapi.intel.com.*")) -and -not ($_.message -match "ParentImage.*.*\\GfxDownloadWrapper.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_findstr.ps1 b/Rules/SIGMA/process_creation/win_susp_findstr.ps1 new file mode 100644 index 00000000..5c60ee58 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_findstr.ps1 
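Review bot: The exclusion `-not ($_.message -match "CommandLine.*.*gameplayapi.intel.com.*")` exempts any command line that contains that string anywhere, so an attacker can switch the rule off by appending it to their own URL (e.g. `https://attacker.example/payload.exe?gameplayapi.intel.com`), and the unescaped dots also admit look-alike hosts such as `gameplayapiXintel.com`. Allowlist the host as the URL authority instead: `-not ($_.message -match "CommandLine.*https?://gameplayapi\.intel\.com/")`. This assumes the legitimate updater always passes that host as the URL's authority — confirm with a benign sample before tightening.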
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*findstr.*") -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*/V.*" -and $_.message -match "CommandLine.*.*/L.*") -or ($_.message -match "CommandLine.*.*/S.*" -and $_.message -match "CommandLine.*.*/I.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_findstr"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_findstr"; + $detectedMessage = "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*findstr.*") -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*/V.*" -and $_.message -match "CommandLine.*.*/L.*") -or ($_.message -match "CommandLine.*.*/S.*" -and $_.message -match "CommandLine.*.*/I.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_findstr_lnk.ps1 b/Rules/SIGMA/process_creation/win_susp_findstr_lnk.ps1 new file mode 100644 index 00000000..e9d5f54b --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_findstr_lnk.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\findstr.exe" -and $_.message -match "CommandLine.*.*.lnk") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_findstr_lnk"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_findstr_lnk"; + $detectedMessage = "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\findstr.exe" -and $_.message -match "CommandLine.*.*.lnk") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_finger_usage.ps1 b/Rules/SIGMA/process_creation/win_susp_finger_usage.ps1 new file mode 100644 index 00000000..7ec70644 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_finger_usage.ps1 
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\finger.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_finger_usage";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_finger_usage";
+ $detectedMessage = "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\finger.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_firewall_disable.ps1 b/Rules/SIGMA/process_creation/win_susp_firewall_disable.ps1
new file mode 100644
index 00000000..ac9539c8
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_firewall_disable.ps1
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "netsh firewall set opmode mode=disable" -or $_.message -match "CommandLine.*netsh advfirewall set .* state off")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_firewall_disable"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_firewall_disable"; + $detectedMessage = "Detects netsh commands that turns off the Windows firewall"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "netsh firewall set opmode mode=disable" -or $_.message -match "CommandLine.*netsh advfirewall set . .. state off")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_fsutil_usage.ps1 b/Rules/SIGMA/process_creation/win_susp_fsutil_usage.ps1 new file mode 100644 index 00000000..32029d15 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_fsutil_usage.ps1 
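Review bot: The second pattern on the `$result` line reads `"CommandLine.*netsh advfirewall set . .. state off"` while the header comment has `set .* state off`; `. ..` matches exactly one character, a space and two characters, so `netsh advfirewall set allprofiles state off` (or any other profile name, all longer than one character) never matches and the advfirewall half of the rule is dead. Restore the comment's pattern: `$_.message -match "CommandLine.*netsh advfirewall set .* state off"`. The legacy `netsh firewall set opmode mode=disable` check is unaffected.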
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\fsutil.exe" -or $_.message -match "OriginalFileName.*fsutil.exe") -and ($_.message -match "CommandLine.*.*deletejournal.*" -or $_.message -match "CommandLine.*.*createjournal.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_fsutil_usage"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_fsutil_usage"; + $detectedMessage = "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others)."; + $result = $event | where { ($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\fsutil.exe" -or $_.message -match "OriginalFileName.*fsutil.exe") -and ($_.message -match "CommandLine.*.*deletejournal.*" -or $_.message -match "CommandLine.*.*createjournal.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_ftp.ps1 b/Rules/SIGMA/process_creation/win_susp_ftp.ps1 new file mode 100644 index 00000000..48ea6933 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_ftp.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.*-s:.*" -and ($_.message -match "Image.*.*ftp.exe" -or $_.message -match "OriginalFileName.*.*ftp.exe.*")) -or (($_.ID -eq "1") -and $_.message -match "OriginalFileName.*.*ftp.exe.*" -and -not ($_.message -match "Image.*.*ftp.exe")) -or $_.message -match "ParentImage.*.*ftp.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_ftp"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_ftp"; + $detectedMessage = "Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe"; + $result = $event | where { (($_.ID -eq "1") -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.*-s:.*" -and ($_.message -match "Image.*.*ftp.exe" -or $_.message -match "OriginalFileName.*.*ftp.exe.*")) -or (($_.ID -eq "1") -and $_.message -match "OriginalFileName.*.*ftp.exe.*" -and -not ($_.message -match "Image.*.*ftp.exe")) -or $_.message -match "ParentImage.*.*ftp.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_gup.ps1 b/Rules/SIGMA/process_creation/win_susp_gup.ps1 new file mode 100644 index 00000000..539ffb59 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_gup.ps1 
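Review bot: The image tests in `$result`, `"Image.*.*ftp.exe"` and `"OriginalFileName.*.*ftp.exe.*"`, have no `\\` before `ftp.exe`, unlike the other rules in this directory, so any image name that merely ends in `ftp.exe` satisfies them. If the rule is meant to be specific to `ftp.exe`, `"Image.*\\ftp.exe"` expresses that; if the wider match is deliberate because the upstream rule is written that way, a short comment on the `$result` line saying so would stop someone "fixing" it later.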
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "Image.*.*\\GUP.exe" -and -not (($_.message -match "Image.*.*\\Users\\.*\\AppData\\Local\\Notepad++\\updater\\GUP.exe" -or $_.message -match "Image.*.*\\Users\\.*\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe" -or $_.message -match "Image.*.*\\Program Files\\Notepad++\\updater\\GUP.exe" -or $_.message -match "Image.*.*\\Program Files (x86)\\Notepad++\\updater\\GUP.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_gup"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_gup"; + $detectedMessage = "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks"; + $result = $event | where { (($_.ID -eq "1") -and $_.message -match "Image.*.*\\GUP.exe" -and -not (($_.message -match "Image.*.*\\Users\\.*\\AppData\\Local\\Notepad++\\updater\\GUP.exe" -or $_.message -match "Image.*.*\\Users\\.*\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe" -or $_.message -match "Image.*.*\\Program Files\\Notepad++\\updater\\GUP.exe" -or $_.message -match "Image.*.*\\Program Files (x86)\\Notepad++\\updater\\GUP.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_iss_module_install.ps1 b/Rules/SIGMA/process_creation/win_susp_iss_module_install.ps1 new file mode 100644 index 00000000..367a5754 --- /dev/null 
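Review bot: The four exclusion patterns in `$result` contain unescaped regex metacharacters, `Notepad++` and `(x86)`, and the .NET regex engine rejects `d++` as a nested quantifier, so as soon as an event's Image ends in `\GUP.exe` and the `-not (...)` branch is evaluated the `-match` raises a pattern error instead of excluding the legitimate updater paths. Escape them, e.g. `Notepad\+\+\\updater\\GUP.exe` and `Program Files \(x86\)\\Notepad\+\+\\updater\\GUP.exe`, or build the four strings with `[regex]::Escape`. The commented one-liner at the top of the file has the same problem.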
+++ b/Rules/SIGMA/process_creation/win_susp_iss_module_install.ps1 @@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\appcmd.exe" -and $_.message -match "CommandLine.*.*install.*" -and $_.message -match "CommandLine.*.*module.*" -and $_.message -match "CommandLine.*.*/name:.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_iss_module_install"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_iss_module_install"; + $detectedMessage = "Detects suspicious IIS native-code module installations via command line"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\appcmd.exe" -and $_.message -match "CommandLine.*.*install.*" -and $_.message -match "CommandLine.*.*module.*" -and $_.message -match "CommandLine.*.*/name:.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_mounted_share_deletion.ps1 b/Rules/SIGMA/process_creation/win_susp_mounted_share_deletion.ps1 new file mode 100644 index 00000000..86557b52 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_mounted_share_deletion.ps1 
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\net.exe" -and $_.message -match "Image.*.*\\net1.exe" -and $_.message -match "CommandLine.*.*share.*" -and $_.message -match "CommandLine.*.*/delete.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_mounted_share_deletion"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_mounted_share_deletion"; + $detectedMessage = "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\net.exe" -and $_.message -match "Image.*.*\\net1.exe" -and $_.message -match "CommandLine.*.*share.*" -and $_.message -match "CommandLine.*.*/delete.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_mpcmdrun_download.ps1 b/Rules/SIGMA/process_creation/win_susp_mpcmdrun_download.ps1 new file mode 100644 index 00000000..a8bac9e8 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_mpcmdrun_download.ps1 
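Review bot: `$detectedMessage` reads "Detects when when a mounted share is removed", a doubled word in text that `Write-Output` prints on every hit. Change it to `$detectedMessage = "Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation";`.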
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*MpCmdRun.exe.*" -or $_.message -match "Description.*Microsoft Malware Protection Command Line Utility") -and ($_.message -match "CommandLine.*.*DownloadFile.*" -and $_.message -match "CommandLine.*.*url.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_mpcmdrun_download"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_mpcmdrun_download"; + $detectedMessage = "Detect the use of Windows Defender to download payloads "; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*MpCmdRun.exe.*" -or $_.message -match "Description.*Microsoft Malware Protection Command Line Utility") -and ($_.message -match "CommandLine.*.*DownloadFile.*" -and $_.message -match "CommandLine.*.*url.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_mshta_pattern.ps1 b/Rules/SIGMA/process_creation/win_susp_mshta_pattern.ps1 new file mode 100644 index 00000000..8b32294e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_mshta_pattern.ps1 
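Review bot: `$detectedMessage` ends with a trailing space and starts with "Detect" where every sibling rule uses "Detects"; because the string is echoed by `Write-Output`, the inconsistency shows up in the report. `$detectedMessage = "Detects the use of Windows Defender to download payloads";` keeps the output uniform.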
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\mhsta.exe" -and (((($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\cmd.exe" -or $_.message -match "ParentImage.*.*\\powershell.exe") -or ($_.message -match "CommandLine.*.*\\AppData\\Local.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\Temp.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Public.*"))) -or (($_.ID -eq "1") -and -not (($_.message -match "Image.*.*C:\\Windows\\System32.*" -or $_.message -match "Image.*.*C:\\Windows\\SysWOW64.*")))) -or (($_.ID -eq "1") -and -not (($_.message -match "CommandLine.*.*.htm.*" -or $_.message -match "CommandLine.*.*.hta.*") -and ($_.message -match "CommandLine.*.*mshta.exe" -or $_.message -match "CommandLine.*.*mshta"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_mshta_pattern"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_mshta_pattern"; + $detectedMessage = "Detects suspicious mshta process patterns"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\mhsta.exe" -and (((($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\cmd.exe" -or $_.message -match "ParentImage.*.*\\powershell.exe") -or ($_.message -match "CommandLine.*.*\\AppData\\Local.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\Temp.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Public.*"))) -or (($_.ID -eq "1") -and -not (($_.message -match "Image.*.*C:\\Windows\\System32.*" -or $_.message -match "Image.*.*C:\\Windows\\SysWOW64.*")))) -or (($_.ID -eq "1") -and -not (($_.message -match "CommandLine.*.*.htm.*" -or $_.message -match "CommandLine.*.*.hta.*") -and ($_.message -match "CommandLine.*.*mshta.exe" -or $_.message -match "CommandLine.*.*mshta"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if 
($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_msiexec_cwd.ps1 b/Rules/SIGMA/process_creation/win_susp_msiexec_cwd.ps1 new file mode 100644 index 00000000..b23b180c --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_msiexec_cwd.ps1 
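Review bot: The Image test in `$result` is `"Image.*.*\\mhsta.exe"` while the CommandLine alternatives in the same expression look for `mshta.exe` and `mshta`; both spellings cannot be right, and if the intended binary is mshta.exe the first `-and` never holds and the rule never fires. Change it to `$_.message -match "Image.*\\mshta.exe"` and fix the same spelling in the commented one-liner at the top of the file. The `.htm`/`.hta` alternatives also leave the dot unescaped, so `.*.htm.*` accepts any character before `htm`; `\.htm` and `\.hta` express the extension check.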
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "Image.*.*\\msiexec.exe" -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_msiexec_cwd"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_msiexec_cwd"; + $detectedMessage = "Detects suspicious msiexec process starts in an uncommon directory"; + $result = $event | where { (($_.ID -eq "1") -and $_.message -match "Image.*.*\\msiexec.exe" -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_msiexec_web_install.ps1 b/Rules/SIGMA/process_creation/win_susp_msiexec_web_install.ps1 new file mode 100644 index 00000000..a73a9036 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_msiexec_web_install.ps1 
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* msiexec.*" -and $_.message -match "CommandLine.*.*://.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_msiexec_web_install"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_msiexec_web_install"; + $detectedMessage = "Detects suspicious msiexec process starts with web addresses as parameter"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.* msiexec.*" -and $_.message -match "CommandLine.*.*://.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_msoffice.ps1 b/Rules/SIGMA/process_creation/win_susp_msoffice.ps1 new file mode 100644 index 00000000..30674e64 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_msoffice.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\excel.exe") -and $_.message -match "CommandLine.*.*http.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_msoffice"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_msoffice"; + $detectedMessage = "Downloads payload from remote server"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\excel.exe") -and $_.message -match "CommandLine.*.*http.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_net_execution.ps1 b/Rules/SIGMA/process_creation/win_susp_net_execution.ps1 new file mode 100644 index 00000000..ae905f7f --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_net_execution.ps1 
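Review bot: `$detectedMessage` ("Downloads payload from remote server") describes an attacker action rather than what the rule detects, unlike the "Detects ..." phrasing of the sibling rules, and it does not mention the condition actually tested (an Office image with `http` in the command line). Something like `$detectedMessage = "Detects PowerPoint, Word or Excel started with an http URL on the command line";` tells the analyst what fired.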
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and ($_.message -match "CommandLine.*.* group.*" -or $_.message -match "CommandLine.*.* localgroup.*" -or $_.message -match "CommandLine.*.* user.*" -or $_.message -match "CommandLine.*.* view.*" -or $_.message -match "CommandLine.*.* share.*" -or $_.message -match "CommandLine.*.* accounts.*" -or $_.message -match "CommandLine.*.* stop .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_net_execution"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_net_execution"; + $detectedMessage = "Detects execution of Net.exe, whether suspicious or benign."; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and ($_.message -match "CommandLine.*.* group.*" -or $_.message -match "CommandLine.*.* localgroup.*" -or $_.message -match "CommandLine.*.* user.*" -or $_.message -match "CommandLine.*.* view.*" -or $_.message -match "CommandLine.*.* share.*" -or $_.message -match "CommandLine.*.* accounts.*" -or $_.message -match "CommandLine.*.* stop .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_netsh_dll_persistence.ps1 b/Rules/SIGMA/process_creation/win_susp_netsh_dll_persistence.ps1 new file mode 100644 index 00000000..c0a2c467 
--- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_netsh_dll_persistence.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*add.*" -and $_.message -match "CommandLine.*.*helper.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_netsh_dll_persistence"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_netsh_dll_persistence"; + $detectedMessage = "Detects persitence via netsh helper"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*add.*" -and $_.message -match "CommandLine.*.*helper.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_ngrok_pua.ps1 b/Rules/SIGMA/process_creation/win_susp_ngrok_pua.ps1 new file mode 100644 index 00000000..84d265fc --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_ngrok_pua.ps1 
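Review bot: `$detectedMessage` contains a typo, "persitence", in text that is written to the output: `$detectedMessage = "Detects persistence via netsh helper";`. Separately, the filter requires `"CommandLine.*.*add.*"` and `"CommandLine.*.*helper.*"` as two independent substring matches, so the words may appear in any order and inside other words; if the `add helper` verb pair is what is meant, a single `"CommandLine.*add\s+helper"` is tighter, though the looser form may be intentional.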
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.* tcp 139.*" -or $_.message -match "CommandLine.*.* tcp 445.*" -or $_.message -match "CommandLine.*.* tcp 3389.*" -or $_.message -match "CommandLine.*.* tcp 5985.*" -or $_.message -match "CommandLine.*.* tcp 5986.*") -or ($_.message -match "CommandLine.*.* start .*" -and $_.message -match "CommandLine.*.*--all.*" -and $_.message -match "CommandLine.*.*--config.*" -and $_.message -match "CommandLine.*.*.yml.*") -or (($_.message -match "Image.*.*ngrok.exe") -and ($_.message -match "CommandLine.*.* tcp .*" -or $_.message -match "CommandLine.*.* http .*" -or $_.message -match "CommandLine.*.* authtoken .*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_ngrok_pua"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_ngrok_pua"; + $detectedMessage = "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. 
Involved domains are bin.equinox.io for download and *.ngrok.io for connections."; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.* tcp 139.*" -or $_.message -match "CommandLine.*.* tcp 445.*" -or $_.message -match "CommandLine.*.* tcp 3389.*" -or $_.message -match "CommandLine.*.* tcp 5985.*" -or $_.message -match "CommandLine.*.* tcp 5986.*") -or ($_.message -match "CommandLine.*.* start .*" -and $_.message -match "CommandLine.*.*--all.*" -and $_.message -match "CommandLine.*.*--config.*" -and $_.message -match "CommandLine.*.*.yml.*") -or (($_.message -match "Image.*.*ngrok.exe") -and ($_.message -match "CommandLine.*.* tcp .*" -or $_.message -match "CommandLine.*.* http .*" -or $_.message -match "CommandLine.*.* authtoken .*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_ntdsutil.ps1 b/Rules/SIGMA/process_creation/win_susp_ntdsutil.ps1 new file mode 100644 index 00000000..7908e00c --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_ntdsutil.ps1 
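Review bot: Only the third alternative in `$result` is tied to `"Image.*.*ngrok.exe"`; the ` tcp 139`/`445`/`3389`/`5985`/`5986` patterns and the `start`/`--all`/`--config`/`.yml` pattern match any process, so unrelated software launched with a YAML config can trigger the rule. That may mirror the upstream rule, but a comment on the `$result` line stating that the first two branches are intentionally image-agnostic (or an explicit `ngrok` guard on them) would help whoever tunes false positives later.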
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\ntdsutil.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_ntdsutil"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_ntdsutil"; + $detectedMessage = "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\ntdsutil.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_odbcconf.ps1 b/Rules/SIGMA/process_creation/win_susp_odbcconf.ps1 new file mode 100644 index 00000000..605acd34 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_odbcconf.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\odbcconf.exe" -and ($_.message -match "CommandLine.*.*-f.*" -or $_.message -match "CommandLine.*.*regsvr.*")) -or ($_.message -match "ParentImage.*.*\\odbcconf.exe" -and $_.message -match "Image.*.*\\rundll32.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_odbcconf"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_odbcconf"; + $detectedMessage = "Detects defence evasion attempt via odbcconf.exe execution to load DLL"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\odbcconf.exe" -and ($_.message -match "CommandLine.*.*-f.*" -or $_.message -match "CommandLine.*.*regsvr.*")) -or ($_.message -match "ParentImage.*.*\\odbcconf.exe" -and $_.message -match "Image.*.*\\rundll32.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; +Write-Output $result; +Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_openwith.ps1 b/Rules/SIGMA/process_creation/win_susp_openwith.ps1 new file mode 100644 index 00000000..fc95bc52 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_openwith.ps1 
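Review bot: Two lines in the detection branch, `Write-Output $result;` and `Write-Output "";`, sit at column 0 while their siblings are indented inside the `if`, and an empty line was left between the closing `}` of the `if` and the `};` that ends `Search-DetectableEvents`. Re-indent the two lines to match `Write-Output $detectedMessage;` and drop the blank line so this file follows the same layout as the other rules in the directory. Style only.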
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\OpenWith.exe" -and $_.message -match "CommandLine.*.*/c.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_openwith"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_openwith"; + $detectedMessage = "The OpenWith.exe executes other binary"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\OpenWith.exe" -and $_.message -match "CommandLine.*.*/c.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_outlook.ps1 b/Rules/SIGMA/process_creation/win_susp_outlook.ps1 new file mode 100644 index 00000000..d565d89d --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_outlook.ps1 
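Review bot: `$detectedMessage` ("The OpenWith.exe executes other binary") is ungrammatical and does not name the condition the filter tests (`/c` on the OpenWith.exe command line). `$detectedMessage = "Detects OpenWith.exe launching another binary via the /c argument";` matches the phrasing of the sibling rules.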
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*EnableUnsafeClientMailRules.*" -or ($_.message -match "ParentImage.*.*\\outlook.exe" -and $_.message -match "CommandLine.*.*\\\\.*" -and $_.message -match "CommandLine.*.*\\.*" -and $_.message -match "CommandLine.*.*.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_outlook"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_outlook"; + $detectedMessage = "Detects EnableUnsafeClientMailRules used for Script Execution from Outlook"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*EnableUnsafeClientMailRules.*" -or ($_.message -match "ParentImage.*.*\\outlook.exe" -and $_.message -match "CommandLine.*.*\\\\.*" -and $_.message -match "CommandLine.*.*\\.*" -and $_.message -match "CommandLine.*.*.exe.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_outlook_temp.ps1 b/Rules/SIGMA/process_creation/win_susp_outlook_temp.ps1 new file mode 100644 index 00000000..4c925058 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_outlook_temp.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\Temporary Internet Files\\Content.Outlook\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_outlook_temp"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_outlook_temp"; + $detectedMessage = "Detects a suspicious program execution in Outlook temp folder"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\Temporary Internet Files\\Content.Outlook\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_pcwutl.ps1 b/Rules/SIGMA/process_creation/win_susp_pcwutl.ps1 new file mode 100644 index 00000000..7509feae --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_pcwutl.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*pcwutl.*" -and $_.message -match "CommandLine.*.*LaunchApplication.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_pcwutl"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_pcwutl"; + $detectedMessage = "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*pcwutl.*" -and $_.message -match "CommandLine.*.*LaunchApplication.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_pester.ps1 b/Rules/SIGMA/process_creation/win_susp_pester.ps1 new file mode 100644 index 00000000..8696349e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_pester.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Pester.*" -and $_.message -match "CommandLine.*.*Get-Help.*") -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*pester.*" -and $_.message -match "CommandLine.*.*;.*" -and ($_.message -match "CommandLine.*.*help.*" -or $_.message -match "CommandLine.*.*?.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_pester"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_pester"; + $detectedMessage = "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) "; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Pester.*" -and $_.message -match "CommandLine.*.*Get-Help.*") -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*pester.*" -and $_.message -match "CommandLine.*.*;.*" -and ($_.message -match "CommandLine.*.*help.*" -or $_.message -match "CommandLine.*.*?.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_ping_hex_ip.ps1 b/Rules/SIGMA/process_creation/win_susp_ping_hex_ip.ps1 new file mode 100644 index 00000000..7d753f87 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_ping_hex_ip.ps1 
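Review bot: The last alternative in `$result`, `$_.message -match "CommandLine.*.*?.*"`, does not test for a literal question mark: `.*?` is a lazy quantifier, so the pattern matches every message and the `(help -or ?)` group is always true, reducing that branch to cmd.exe plus `pester` plus `;`. Escape it as `"CommandLine.*\?.*"` (the commented one-liner at the top has the same pattern). `$detectedMessage` also carries a typo and a trailing space: "Powershell Modulte for testing" should be "PowerShell Module for testing".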
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\ping.exe" -and $_.message -match "CommandLine.*.*0x.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_ping_hex_ip"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_ping_hex_ip"; + $detectedMessage = "Detects a ping command that uses a hex encoded IP address"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\ping.exe" -and $_.message -match "CommandLine.*.*0x.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_powershell_empire_launch.ps1 b/Rules/SIGMA/process_creation/win_susp_powershell_empire_launch.ps1 new file mode 100644 index 00000000..0a628a68 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_powershell_empire_launch.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -NoP -sta -NonI -W Hidden -Enc .*" -or $_.message -match "CommandLine.*.* -noP -sta -w 1 -enc .*" -or $_.message -match "CommandLine.*.* -NoP -NonI -W Hidden -enc .*" -or $_.message -match "CommandLine.*.* -noP -sta -w 1 -enc.*" -or $_.message -match "CommandLine.*.* -enc SQB.*" -or $_.message -match "CommandLine.*.* -nop -exec bypass -EncodedCommand .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_powershell_empire_launch"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_powershell_empire_launch"; + $detectedMessage = "Detects suspicious powershell command line parameters used in Empire"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -NoP -sta -NonI -W Hidden -Enc .*" -or $_.message -match "CommandLine.*.* -noP -sta -w 1 -enc .*" -or $_.message -match "CommandLine.*.* -NoP -NonI -W Hidden -enc .*" -or $_.message -match "CommandLine.*.* -noP -sta -w 1 -enc.*" -or $_.message -match "CommandLine.*.* -enc SQB.*" -or $_.message -match "CommandLine.*.* -nop -exec bypass -EncodedCommand .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_powershell_empire_uac_bypass.ps1 b/Rules/SIGMA/process_creation/win_susp_powershell_empire_uac_bypass.ps1 new file mode 100644 index 00000000..221ffd54 --- /dev/null 
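Review bot: Two of the six alternations in the `$result` filter overlap: `" -noP -sta -w 1 -enc.*"` already matches everything `" -noP -sta -w 1 -enc .*"` matches, so the latter can be dropped without changing what is detected. The trailing `.*` on every pattern is likewise redundant for an unanchored `-match`; `"CommandLine.* -NoP -sta -NonI -W Hidden -Enc "` reads the same and behaves the same. Since `-match` is case-insensitive by default, the mixed casing carried over from the Sigma source (`-NoP` vs `-noP`, `-Enc` vs `-enc`) has no effect and could be normalised for readability.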
+++ b/Rules/SIGMA/process_creation/win_susp_powershell_empire_uac_bypass.ps1 @@ -0,0 +1,37 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update).*" -or $_.message -match "CommandLine.*.* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_powershell_empire_uac_bypass"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_powershell_empire_uac_bypass"; + $detectedMessage = "Detects some Empire PowerShell UAC bypass methods"; + $updateregistory = Get-ItemProperty "HKCU:Software\\Microsoft\\Windows Update" -ErrorAction SilentlyContinue + # if registory data is not exist, Getada + if (!$updateregistory) { + return + } + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -NoP -NonI -w Hidden -c $x=$($updateregistory.Update).*" -or $_.message -match "CommandLine.*.* -NoP -NonI -c $x=$($updateregistory.Update);.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_powershell_enc_cmd.ps1 b/Rules/SIGMA/process_creation/win_susp_powershell_enc_cmd.ps1 new file mode 100644 index 00000000..f6197ab1 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_powershell_enc_cmd.ps1 
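Review bot: The `$updateregistory` lookup in Search-DetectableEvents inverts the rule's meaning: the Sigma pattern is the literal launcher text `$x=$((gp HKCU:Software\Microsoft\Windows Update).Update)` that appears in the attacker's command line, but the double-quoted regex interpolates `$x` (empty unless the caller happens to define it) and `$($updateregistory.Update)` (the analyst machine's registry value), so the rule only evaluates at all when the analysis host itself has that key, and then searches for the stored payload rather than the launcher text. A detection rule should also not read HKCU as a side effect of being evaluated. Use single-quoted patterns with the PowerShell and regex metacharacters escaped and drop the Get-ItemProperty call and its early `return`; the commented Get-WinEvent one-liner on the first line has the same interpolation problem. The comment `# if registory data is not exist, Getada` is garbled and goes away with the lookup.
```powershell
$ruleName = "win_susp_powershell_empire_uac_bypass";
$detectedMessage = "Detects some Empire PowerShell UAC bypass methods";
# Literal Empire launcher text. Single quotes stop PowerShell from expanding
# `$x` / `$(...)`, and the regex metacharacters are escaped so the command line
# is matched verbatim instead of being evaluated on the analysis host.
$hiddenLauncher = 'CommandLine.* -NoP -NonI -w Hidden -c \$x=\$\(\(gp HKCU:Software\\Microsoft\\Windows Update\)\.Update\)';
$plainLauncher  = 'CommandLine.* -NoP -NonI -c \$x=\$\(\(gp HKCU:Software\\Microsoft\\Windows Update\)\.Update\);';
$result = $event | where { ($_.ID -eq "1" -and ($_.message -match $hiddenLauncher -or $_.message -match $plainLauncher)) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
# … unchanged: Write-Output of the detection …
```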
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1") -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -e.*" -and $_.message -match "CommandLine.*.* JAB.*" -and $_.message -match "CommandLine.*.* -w.*" -and $_.message -match "CommandLine.*.* hidden .*") -or ($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -e.*" -and ($_.message -match "CommandLine.*.* BA^J.*" -or $_.message -match "CommandLine.*.* SUVYI.*" -or $_.message -match "CommandLine.*.* SQBFAFgA.*" -or $_.message -match "CommandLine.*.* aQBlAHgA.*" -or $_.message -match "CommandLine.*.* aWV4I.*" -or $_.message -match "CommandLine.*.* IAA.*" -or $_.message -match "CommandLine.*.* IAB.*" -or $_.message -match "CommandLine.*.* UwB.*" -or $_.message -match "CommandLine.*.* cwB.*")) -or ($_.message -match "CommandLine.*.*.exe -ENCOD .*"))) -and -not ($_.message -match "CommandLine.*.* -ExecutionPolicy.*" -and $_.message -match "CommandLine.*.*remotesigned .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_powershell_enc_cmd"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_powershell_enc_cmd"; + $detectedMessage = "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)"; + $result = $event | where { (($_.ID -eq "1") -and (($_.ID -eq "1") -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -e.*" -and $_.message -match "CommandLine.*.* JAB.*" -and $_.message -match "CommandLine.*.* -w.*" -and $_.message -match "CommandLine.*.* hidden .*") -or ($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -e.*" -and ($_.message -match "CommandLine.*.* BA^J.*" -or $_.message -match "CommandLine.*.* SUVYI.*" -or $_.message -match "CommandLine.*.* SQBFAFgA.*" -or $_.message -match "CommandLine.*.* aQBlAHgA.*" -or $_.message -match "CommandLine.*.* aWV4I.*" -or $_.message -match "CommandLine.*.* IAA.*" -or $_.message -match "CommandLine.*.* IAB.*" -or $_.message -match "CommandLine.*.* UwB.*" -or $_.message -match "CommandLine.*.* cwB.*")) -or ($_.message -match "CommandLine.*.*.exe -ENCOD .*"))) -and -not ($_.message -match "CommandLine.*.* -ExecutionPolicy.*" -and $_.message -match "CommandLine.*.*remotesigned .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_powershell_encoded_param.ps1 b/Rules/SIGMA/process_creation/win_susp_powershell_encoded_param.ps1 new file mode 100644 index 00000000..a8514297 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_powershell_encoded_param.ps1 
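Review bot: The alternative `$_.message -match "CommandLine.*.* BA^J.*"` can never match: `^` is a start-of-input anchor in .NET regex, and placed after `BA` it demands that the input begin there, so this encoded-command marker is silently dead. Escaping it restores the literal: `$_.message -match "CommandLine.*.* BA\^J.*"`; the commented Get-WinEvent one-liner at the top of the file carries the same pattern. Separately, `$_.ID -eq "1"` is evaluated three times in the nested parentheses of the same filter; a single check at the outer level is enough and makes the remaining `-and`/`-or` precedence much easier to read.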
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*(WCHAR)0x.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_powershell_encoded_param"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_powershell_encoded_param"; + $detectedMessage = "Detects suspicious encoded character syntax often used for defense evasion"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*(WCHAR)0x.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_powershell_getprocess_lsass.ps1 b/Rules/SIGMA/process_creation/win_susp_powershell_getprocess_lsass.ps1 new file mode 100644 index 00000000..a1a96316 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_powershell_getprocess_lsass.ps1 
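Review bot: `$_.message -match "CommandLine.*.*(WCHAR)0x.*"` does not look for the literal `(WCHAR)0x`: the parentheses form a regex group, so the pattern matches `WCHAR0x`, and the intended text `(WCHAR)0x` (where `)` sits between `WCHAR` and `0x`) is never matched, leaving the rule dead. Escape the parentheses: `$_.message -match "CommandLine.*\(WCHAR\)0x.*"`, and apply the same change to the commented Get-WinEvent one-liner on the first line.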
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Get-Process lsass.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_powershell_getprocess_lsass"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_powershell_getprocess_lsass"; + $detectedMessage = "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Get-Process lsass.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_powershell_hidden_b64_cmd.ps1 b/Rules/SIGMA/process_creation/win_susp_powershell_hidden_b64_cmd.ps1 new file mode 100644 index 00000000..04575782 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_powershell_hidden_b64_cmd.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.* hidden .*" -and ($_.message -match "CommandLine.*.*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA.*" -or $_.message -match "CommandLine.*.*aXRzYWRtaW4gL3RyYW5zZmVy.*" -or $_.message -match "CommandLine.*.*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA.*" -or $_.message -match "CommandLine.*.*JpdHNhZG1pbiAvdHJhbnNmZX.*" -or $_.message -match "CommandLine.*.*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg.*" -or $_.message -match "CommandLine.*.*Yml0c2FkbWluIC90cmFuc2Zlc.*" -or $_.message -match "CommandLine.*.*AGMAaAB1AG4AawBfAHMAaQB6AGUA.*" -or $_.message -match "CommandLine.*.*JABjAGgAdQBuAGsAXwBzAGkAegBlA.*" -or $_.message -match "CommandLine.*.*JGNodW5rX3Npem.*" -or $_.message -match "CommandLine.*.*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ.*" -or $_.message -match "CommandLine.*.*RjaHVua19zaXpl.*" -or $_.message -match "CommandLine.*.*Y2h1bmtfc2l6Z.*" -or $_.message -match "CommandLine.*.*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A.*" -or $_.message -match "CommandLine.*.*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg.*" -or $_.message -match "CommandLine.*.*lPLkNvbXByZXNzaW9u.*" -or $_.message -match "CommandLine.*.*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA.*" -or $_.message -match "CommandLine.*.*SU8uQ29tcHJlc3Npb2.*" -or $_.message -match "CommandLine.*.*Ty5Db21wcmVzc2lvb.*" -or $_.message -match "CommandLine.*.*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ.*" -or $_.message -match "CommandLine.*.*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA.*" -or $_.message -match "CommandLine.*.*lPLk1lbW9yeVN0cmVhb.*" -or $_.message -match "CommandLine.*.*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A.*" -or $_.message -match "CommandLine.*.*SU8uTWVtb3J5U3RyZWFt.*" -or $_.message -match "CommandLine.*.*Ty5NZW1vcnlTdHJlYW.*" -or $_.message -match "CommandLine.*.*4ARwBlAHQAQwBoAHUAbgBrA.*" -or $_.message -match 
"CommandLine.*.*5HZXRDaHVua.*" -or $_.message -match "CommandLine.*.*AEcAZQB0AEMAaAB1AG4Aaw.*" -or $_.message -match "CommandLine.*.*LgBHAGUAdABDAGgAdQBuAGsA.*" -or $_.message -match "CommandLine.*.*LkdldENodW5r.*" -or $_.message -match "CommandLine.*.*R2V0Q2h1bm.*" -or $_.message -match "CommandLine.*.*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A.*" -or $_.message -match "CommandLine.*.*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA.*" -or $_.message -match "CommandLine.*.*RIUkVBRF9JTkZPNj.*" -or $_.message -match "CommandLine.*.*SFJFQURfSU5GTzY0.*" -or $_.message -match "CommandLine.*.*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA.*" -or $_.message -match "CommandLine.*.*VEhSRUFEX0lORk82N.*" -or $_.message -match "CommandLine.*.*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA.*" -or $_.message -match "CommandLine.*.*cmVhdGVSZW1vdGVUaHJlYW.*" -or $_.message -match "CommandLine.*.*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA.*" -or $_.message -match "CommandLine.*.*NyZWF0ZVJlbW90ZVRocmVhZ.*" -or $_.message -match "CommandLine.*.*Q3JlYXRlUmVtb3RlVGhyZWFk.*" -or $_.message -match "CommandLine.*.*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA.*" -or $_.message -match "CommandLine.*.*0AZQBtAG0AbwB2AGUA.*" -or $_.message -match "CommandLine.*.*1lbW1vdm.*" -or $_.message -match "CommandLine.*.*AGUAbQBtAG8AdgBlA.*" -or $_.message -match "CommandLine.*.*bQBlAG0AbQBvAHYAZQ.*" -or $_.message -match "CommandLine.*.*bWVtbW92Z.*" -or $_.message -match "CommandLine.*.*ZW1tb3Zl.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_powershell_hidden_b64_cmd"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_powershell_hidden_b64_cmd"; + $detectedMessage = "Detects base64 encoded strings used in hidden malicious PowerShell command lines"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.* hidden .*" -and 
($_.message -match "CommandLine.*.*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA.*" -or $_.message -match "CommandLine.*.*aXRzYWRtaW4gL3RyYW5zZmVy.*" -or $_.message -match "CommandLine.*.*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA.*" -or $_.message -match "CommandLine.*.*JpdHNhZG1pbiAvdHJhbnNmZX.*" -or $_.message -match "CommandLine.*.*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg.*" -or $_.message -match "CommandLine.*.*Yml0c2FkbWluIC90cmFuc2Zlc.*" -or $_.message -match "CommandLine.*.*AGMAaAB1AG4AawBfAHMAaQB6AGUA.*" -or $_.message -match "CommandLine.*.*JABjAGgAdQBuAGsAXwBzAGkAegBlA.*" -or $_.message -match "CommandLine.*.*JGNodW5rX3Npem.*" -or $_.message -match "CommandLine.*.*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ.*" -or $_.message -match "CommandLine.*.*RjaHVua19zaXpl.*" -or $_.message -match "CommandLine.*.*Y2h1bmtfc2l6Z.*" -or $_.message -match "CommandLine.*.*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A.*" -or $_.message -match "CommandLine.*.*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg.*" -or $_.message -match "CommandLine.*.*lPLkNvbXByZXNzaW9u.*" -or $_.message -match "CommandLine.*.*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA.*" -or $_.message -match "CommandLine.*.*SU8uQ29tcHJlc3Npb2.*" -or $_.message -match "CommandLine.*.*Ty5Db21wcmVzc2lvb.*" -or $_.message -match "CommandLine.*.*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ.*" -or $_.message -match "CommandLine.*.*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA.*" -or $_.message -match "CommandLine.*.*lPLk1lbW9yeVN0cmVhb.*" -or $_.message -match "CommandLine.*.*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A.*" -or $_.message -match "CommandLine.*.*SU8uTWVtb3J5U3RyZWFt.*" -or $_.message -match "CommandLine.*.*Ty5NZW1vcnlTdHJlYW.*" -or $_.message -match "CommandLine.*.*4ARwBlAHQAQwBoAHUAbgBrA.*" -or $_.message -match "CommandLine.*.*5HZXRDaHVua.*" -or $_.message -match "CommandLine.*.*AEcAZQB0AEMAaAB1AG4Aaw.*" -or $_.message -match "CommandLine.*.*LgBHAGUAdABDAGgAdQBuAGsA.*" -or $_.message -match "CommandLine.*.*LkdldENodW5r.*" -or 
$_.message -match "CommandLine.*.*R2V0Q2h1bm.*" -or $_.message -match "CommandLine.*.*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A.*" -or $_.message -match "CommandLine.*.*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA.*" -or $_.message -match "CommandLine.*.*RIUkVBRF9JTkZPNj.*" -or $_.message -match "CommandLine.*.*SFJFQURfSU5GTzY0.*" -or $_.message -match "CommandLine.*.*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA.*" -or $_.message -match "CommandLine.*.*VEhSRUFEX0lORk82N.*" -or $_.message -match "CommandLine.*.*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA.*" -or $_.message -match "CommandLine.*.*cmVhdGVSZW1vdGVUaHJlYW.*" -or $_.message -match "CommandLine.*.*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA.*" -or $_.message -match "CommandLine.*.*NyZWF0ZVJlbW90ZVRocmVhZ.*" -or $_.message -match "CommandLine.*.*Q3JlYXRlUmVtb3RlVGhyZWFk.*" -or $_.message -match "CommandLine.*.*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA.*" -or $_.message -match "CommandLine.*.*0AZQBtAG0AbwB2AGUA.*" -or $_.message -match "CommandLine.*.*1lbW1vdm.*" -or $_.message -match "CommandLine.*.*AGUAbQBtAG8AdgBlA.*" -or $_.message -match "CommandLine.*.*bQBlAG0AbQBvAHYAZQ.*" -or $_.message -match "CommandLine.*.*bWVtbW92Z.*" -or $_.message -match "CommandLine.*.*ZW1tb3Zl.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_powershell_parent_combo.ps1 b/Rules/SIGMA/process_creation/win_susp_powershell_parent_combo.ps1 new file mode 100644 index 00000000..2f86aac6 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_powershell_parent_combo.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe") -and $_.message -match "Image.*.*\\powershell.exe") -and -not ($_.message -match "CurrentDirectory.*.*\\Health Service State\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_powershell_parent_combo"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_powershell_parent_combo"; + $detectedMessage = "Detects suspicious powershell invocations from interpreters or unusual programs"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe") -and $_.message -match "Image.*.*\\powershell.exe") -and -not ($_.message -match "CurrentDirectory.*.*\\Health Service State\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_powershell_parent_process.ps1 b/Rules/SIGMA/process_creation/win_susp_powershell_parent_process.ps1 new file mode 100644 index 00000000..4937b1dc --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_powershell_parent_process.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\mshta.exe" -or $_.message -match "ParentImage.*.*\\rundll32.exe" -or $_.message -match "ParentImage.*.*\\regsvr32.exe" -or $_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\winword.exe" -or $_.message -match "ParentImage.*.*\\wmiprvse.exe" -or $_.message -match "ParentImage.*.*\\powerpnt.exe" -or $_.message -match "ParentImage.*.*\\excel.exe" -or $_.message -match "ParentImage.*.*\\msaccess.exe" -or $_.message -match "ParentImage.*.*\\mspub.exe" -or $_.message -match "ParentImage.*.*\\visio.exe" -or $_.message -match "ParentImage.*.*\\outlook.exe" -or $_.message -match "ParentImage.*.*\\amigo.exe" -or $_.message -match "ParentImage.*.*\\chrome.exe" -or $_.message -match "ParentImage.*.*\\firefox.exe" -or $_.message -match "ParentImage.*.*\\iexplore.exe" -or $_.message -match "ParentImage.*.*\\microsoftedgecp.exe" -or $_.message -match "ParentImage.*.*\\microsoftedge.exe" -or $_.message -match "ParentImage.*.*\\browser.exe" -or $_.message -match "ParentImage.*.*\\vivaldi.exe" -or $_.message -match "ParentImage.*.*\\safari.exe" -or $_.message -match "ParentImage.*.*\\sqlagent.exe" -or $_.message -match "ParentImage.*.*\\sqlserver.exe" -or $_.message -match "ParentImage.*.*\\sqlservr.exe" -or $_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\jbosssvc.exe" -or $_.message -match "ParentImage.*.*MicrosoftEdgeSH.exe") -or $_.message -match "ParentImage.*.*tomcat.*") -and (($_.message -match "CommandLine.*.*powershell.*" -or $_.message -match "CommandLine.*.*pwsh.*") -or $_.message -match "Description.*Windows PowerShell" -or $_.message -match "Product.*PowerShell Core 6")) } | select 
TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_powershell_parent_process"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_powershell_parent_process"; + $detectedMessage = "Detects a suspicious parents of powershell.exe"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\mshta.exe" -or $_.message -match "ParentImage.*.*\\rundll32.exe" -or $_.message -match "ParentImage.*.*\\regsvr32.exe" -or $_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\winword.exe" -or $_.message -match "ParentImage.*.*\\wmiprvse.exe" -or $_.message -match "ParentImage.*.*\\powerpnt.exe" -or $_.message -match "ParentImage.*.*\\excel.exe" -or $_.message -match "ParentImage.*.*\\msaccess.exe" -or $_.message -match "ParentImage.*.*\\mspub.exe" -or $_.message -match "ParentImage.*.*\\visio.exe" -or $_.message -match "ParentImage.*.*\\outlook.exe" -or $_.message -match "ParentImage.*.*\\amigo.exe" -or $_.message -match "ParentImage.*.*\\chrome.exe" -or $_.message -match "ParentImage.*.*\\firefox.exe" -or $_.message -match "ParentImage.*.*\\iexplore.exe" -or $_.message -match "ParentImage.*.*\\microsoftedgecp.exe" -or $_.message -match "ParentImage.*.*\\microsoftedge.exe" -or $_.message -match "ParentImage.*.*\\browser.exe" -or $_.message -match "ParentImage.*.*\\vivaldi.exe" -or $_.message -match "ParentImage.*.*\\safari.exe" -or $_.message -match "ParentImage.*.*\\sqlagent.exe" -or $_.message -match "ParentImage.*.*\\sqlserver.exe" -or $_.message -match "ParentImage.*.*\\sqlservr.exe" -or $_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\jbosssvc.exe" -or $_.message -match "ParentImage.*.*MicrosoftEdgeSH.exe") -or 
$_.message -match "ParentImage.*.*tomcat.*") -and (($_.message -match "CommandLine.*.*powershell.*" -or $_.message -match "CommandLine.*.*pwsh.*") -or $_.message -match "Description.*Windows PowerShell" -or $_.message -match "Product.*PowerShell Core 6")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_powershell_sam_access.ps1 b/Rules/SIGMA/process_creation/win_susp_powershell_sam_access.ps1 new file mode 100644 index 00000000..4d142e76 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_powershell_sam_access.ps1 
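Review bot: `$detectedMessage = "Detects a suspicious parents of powershell.exe"` is ungrammatical in the alert output; `"Detects suspicious parent processes of powershell.exe"` reads correctly. In the parent list, `"ParentImage.*.*MicrosoftEdgeSH.exe"` is the only basename entry without the `\\` path separator, so it is a contains match rather than an end-of-path match like its neighbours; if the Sigma source lists it with a leading backslash it should be `"ParentImage.*.*\\MicrosoftEdgeSH.exe"` for consistency. Expect `\\services.exe` as a parent to be noisy on hosts that run PowerShell-based services, which appears inherited from the source rule rather than introduced here.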
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\HarddiskVolumeShadowCopy.*" -and $_.message -match "CommandLine.*.*ystem32\\config\\sam.*" -and ($_.message -match "CommandLine.*.*Copy-Item.*" -or $_.message -match "CommandLine.*.*cp $_..*" -or $_.message -match "CommandLine.*.*cpi $_..*" -or $_.message -match "CommandLine.*.*copy $_..*" -or $_.message -match "CommandLine.*.*.File]::Copy(.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_powershell_sam_access"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_powershell_sam_access"; + $detectedMessage = "Detects suspicious PowerShell scripts accessing SAM hives"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\HarddiskVolumeShadowCopy.*" -and $_.message -match "CommandLine.*.*ystem32\\config\\sam.*" -and ($_.message -match "CommandLine.*.*Copy-Item.*" -or $_.message -match "CommandLine.*.*cp $_..*" -or $_.message -match "CommandLine.*.*cpi $_..*" -or $_.message -match "CommandLine.*.*copy $_..*" -or $_.message -match "CommandLine.*.*.File]::Copy(.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_print.ps1 b/Rules/SIGMA/process_creation/win_susp_print.ps1 new file mode 100644 index 00000000..1ad004c3 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_print.ps1 
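Review bot: Three of the copy-verb alternatives in the `$result` filter interpolate `$_` because they are double-quoted strings evaluated inside the `where` scriptblock: `"CommandLine.*.*cp $_..*"` becomes `CommandLine.*.*cp <the current EventLogRecord rendered as text>..*`, which never matches a command line containing the literal `cp $_.`, and the `cpi` and `copy` variants fail the same way. The last alternative `"CommandLine.*.*.File]::Copy(.*"` contains an unbalanced `(`, which is a regex parse error, so an event that reaches it (shadow copy and `config\sam` present, none of the earlier verbs) makes `-match` throw instead of producing a detection. Single-quoted patterns with `$`, `.`, `]` and `(` escaped fix both; the commented Get-WinEvent one-liner on the first line needs the same treatment.
```powershell
$ruleName = "win_susp_powershell_sam_access";
$detectedMessage = "Detects suspicious PowerShell scripts accessing SAM hives";
# Single-quoted so `$_` is not expanded to the current event object, and the
# regex metacharacters (`$`, `.`, `]`, `(`) are escaped so the Sigma strings match literally.
$copyPatterns = @(
    'CommandLine.*Copy-Item',
    'CommandLine.*cp \$_\.',
    'CommandLine.*cpi \$_\.',
    'CommandLine.*copy \$_\.',
    'CommandLine.*\.File\]::Copy\('
);
$result = $event | where {
    $m = $_.message;
    $_.ID -eq "1" -and $m -match 'CommandLine.*\\HarddiskVolumeShadowCopy' -and $m -match 'CommandLine.*ystem32\\config\\sam' -and
    @($copyPatterns | where { $m -match $_ }).Count -gt 0
} | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
# … unchanged: Write-Output of the detection …
```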
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\print.exe") -and ($_.message -match "CommandLine.*print.*") -and ($_.message -match "CommandLine.*.*/D.*") -and ($_.message -match "CommandLine.*.*.exe.*")) -and -not (($_.message -match "CommandLine.*.*print.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_print"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_print"; + $detectedMessage = "Attackers can use print.exe for remote file copy"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\print.exe") -and ($_.message -match "CommandLine.*print.*") -and ($_.message -match "CommandLine.*.*/D.*") -and ($_.message -match "CommandLine.*.*.exe.*")) -and -not (($_.message -match "CommandLine.*.*print.exe.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_procdump.ps1 b/Rules/SIGMA/process_creation/win_susp_procdump.ps1 new file mode 100644 index 00000000..98ed76dc --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_procdump.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -ma .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_procdump"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_procdump"; + $detectedMessage = "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma '. This way we're also able to catch cases in which the attacker has renamed the procdump executable."; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -ma .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_procdump_lsass.ps1 b/Rules/SIGMA/process_creation/win_susp_procdump_lsass.ps1 new file mode 100644 index 00000000..80d68239 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_procdump_lsass.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -ma .*" -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.* lsass.*") -or $_.message -match "CommandLine.*.* ls.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_procdump_lsass"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_procdump_lsass"; + $detectedMessage = "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable."; + $result = $event | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -ma .*" -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.* lsass.*") -or $_.message -match "CommandLine.*.* ls.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; +Write-Output $result; +Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_procs_req_dlls.ps1 b/Rules/SIGMA/process_creation/win_susp_procs_req_dlls.ps1 new file mode 100644 index 00000000..a91a9b5e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_procs_req_dlls.ps1 
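Review bot: The group `(($_.ID -eq "1" -and $_.message -match "CommandLine.*.* lsass.*") -or $_.message -match "CommandLine.*.* ls.*")` in the `$result` filter reduces to the ` ls` test alone, since any command line containing ` lsass` also contains ` ls`, and the inner `$_.ID -eq "1"` is already established by the outer condition. `$_.message -match "CommandLine.*.* ls.*"` on its own expresses the same detection and is easier to read, though note that the ` ls` substring is broad (it also fires on ` ls.exe`, ` lsof`, ` lsm` and similar), which appears to be inherited from the Sigma source rather than introduced here. The `Write-Output $result;` and `Write-Output "";` lines are also indented differently from every other rule file in this commit.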
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\rundll32.exe" -or $_.message -match "CommandLine.*.*\\regsvcs.exe" -or $_.message -match "CommandLine.*.*\\regasm.exe" -or $_.message -match "CommandLine.*.*\\regsvr32.exe") -and -not (($_.message -match "ParentImage.*.*\\AppData\\Local\\.*" -or $_.message -match "ParentImage.*.*\\Microsoft\\Edge\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_procs_req_dlls";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_procs_req_dlls";
+ $detectedMessage = "Detects suspicious start of program that usually requires a DLL as parameter, which can be a sign of process injection or hollowing activity";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\rundll32.exe" -or $_.message -match "CommandLine.*.*\\regsvcs.exe" -or $_.message -match "CommandLine.*.*\\regasm.exe" -or $_.message -match "CommandLine.*.*\\regsvr32.exe") -and -not (($_.message -match "ParentImage.*.*\\AppData\\Local\\.*" -or $_.message -match "ParentImage.*.*\\Microsoft\\Edge\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_ps_appdata.ps1 b/Rules/SIGMA/process_creation/win_susp_ps_appdata.ps1
new file mode 100644
index 00000000..e7898331
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_ps_appdata.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*powershell.*" -and $_.message -match "CommandLine.*.*\\AppData\\.*" -and ($_.message -match "CommandLine.*.*Local\\.*" -or $_.message -match "CommandLine.*.*Roaming\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_ps_appdata";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_ps_appdata";
+ $detectedMessage = "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*powershell.*" -and $_.message -match "CommandLine.*.*\\AppData\\.*" -and ($_.message -match "CommandLine.*.*Local\\.*" -or $_.message -match "CommandLine.*.*Roaming\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_ps_downloadfile.ps1 b/Rules/SIGMA/process_creation/win_susp_ps_downloadfile.ps1
new file mode 100644
index 00000000..f10b42b1
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_ps_downloadfile.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*powershell.*" -and $_.message -match "CommandLine.*.*.DownloadFile.*" -and $_.message -match "CommandLine.*.*System.Net.WebClient.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_ps_downloadfile";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_ps_downloadfile";
+ $detectedMessage = "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*powershell.*" -and $_.message -match "CommandLine.*.*.DownloadFile.*" -and $_.message -match "CommandLine.*.*System.Net.WebClient.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_psexec_eula.ps1 b/Rules/SIGMA/process_creation/win_susp_psexec_eula.ps1
new file mode 100644
index 00000000..ddba85e0
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_psexec_eula.ps1
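Review bot: The patterns on the `$result` line are regular expressions, so the unescaped `.` in `"CommandLine.*.*.DownloadFile.*"` and `"CommandLine.*.*System.Net.WebClient.*"` matches any character rather than the literal dot, and the leading `.*.*` plus trailing `.*` add nothing to an unanchored `-match`; `"CommandLine.*\.DownloadFile"` and `"CommandLine.*System\.Net\.WebClient"` state the intended literal test. The same unescaped-dot reading applies to `127.0.0.1` and `cmd.exe` in win_susp_psexex_paexec_flags, to the `.dll`/`.ocx`/`.cpl`/`.ax`/`.bav`/`.ppl` extension patterns in win_susp_regsvr32_no_dll, and to the `\\name.exe` file-name patterns throughout the series. The over-match is small in practice, but anyone reading these as substring tests, which is presumably what the converted rules intend, will misjudge what they fire on.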
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\psexec.exe" -and $_.message -match "CommandLine.*.*accepteula.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_psexec_eula";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_psexec_eula";
+ $detectedMessage = "Detect ed user accept agreement execution in psexec commandline";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\psexec.exe" -and $_.message -match "CommandLine.*.*accepteula.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_psexex_paexec_flags.ps1 b/Rules/SIGMA/process_creation/win_susp_psexex_paexec_flags.ps1
new file mode 100644
index 00000000..fb527241
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_psexex_paexec_flags.ps1
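Review bot: `$detectedMessage = "Detect ed user accept agreement execution in psexec commandline";` has a split word in a string that is printed on every hit, so the analyst sees "Detect ed" in the console. `$detectedMessage = "Detects user accept agreement execution in psexec commandline";` matches the phrasing of the sibling rules.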
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\127.0.0.1.*" -and $_.message -match "CommandLine.*.* -s .*" -and $_.message -match "CommandLine.*.*cmd.exe.*") -or ($_.message -match "CommandLine.*.* /accepteula .*" -and $_.message -match "CommandLine.*.*cmd /c .*" -and $_.message -match "CommandLine.*.* -u .*" -and $_.message -match "CommandLine.*.* -p .*"))) -and -not (($_.message -match "CommandLine.*.*paexec.*" -or $_.message -match "CommandLine.*.*PsExec.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_psexex_paexec_flags";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_psexex_paexec_flags";
+ $detectedMessage = "Detects suspicious flags used by PsExec and PAExec but no usual program name in command line";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\127.0.0.1.*" -and $_.message -match "CommandLine.*.* -s .*" -and $_.message -match "CommandLine.*.*cmd.exe.*") -or ($_.message -match "CommandLine.*.* /accepteula .*" -and $_.message -match "CommandLine.*.*cmd /c .*" -and $_.message -match "CommandLine.*.* -u .*" -and $_.message -match "CommandLine.*.* -p .*"))) -and -not (($_.message -match "CommandLine.*.*paexec.*" -or $_.message -match "CommandLine.*.*PsExec.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
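Review bot: The `($_.ID -eq "1")` test is evaluated twice in the `where` block on the `$result` line (`(($_.ID -eq "1") -and (($_.ID -eq "1") -and …`), which adds a level of nesting but no filtering; removing the inner copy and its surrounding parentheses leaves the result set unchanged and makes the two `-or` branches readable. The same duplicated ID test appears in win_susp_rclone_exec and win_susp_renamed_paexec. The file and rule name spell `psexex` while `$detectedMessage` says PsExec; presumably that mirrors the upstream rule's file name, but if it is a local typo this commit is the place to fix it before other code starts referencing the name.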
diff --git a/Rules/SIGMA/process_creation/win_susp_psr_capture_screenshots.ps1 b/Rules/SIGMA/process_creation/win_susp_psr_capture_screenshots.ps1
new file mode 100644
index 00000000..68d9dba7
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_psr_capture_screenshots.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\Psr.exe" -and $_.message -match "CommandLine.*.*/start.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_psr_capture_screenshots";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_psr_capture_screenshots";
+ $detectedMessage = "The psr.exe captures desktop screenshots and saves them on the local machine";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\Psr.exe" -and $_.message -match "CommandLine.*.*/start.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_rar_flags.ps1 b/Rules/SIGMA/process_creation/win_susp_rar_flags.ps1
new file mode 100644
index 00000000..77c62d31
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_rar_flags.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -hp.*") -and ($_.message -match "CommandLine.*.* -m.*" -or $_.message -match "CommandLine.*.* a .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rar_flags";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rar_flags";
+ $detectedMessage = "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -hp.*") -and ($_.message -match "CommandLine.*.* -m.*" -or $_.message -match "CommandLine.*.* a .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_rasdial_activity.ps1 b/Rules/SIGMA/process_creation/win_susp_rasdial_activity.ps1
new file mode 100644
index 00000000..95870627
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_rasdial_activity.ps1
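Review bot: `$detectedMessage` talks about rar.exe, but nothing in the `where` block on the `$result` line tests `Image` or `CommandLine` for rar; the rule fires on any process whose command line contains ` -hp` together with ` -m` or ` a `. That may well be deliberate, so that a renamed archiver is still caught by its switches, but the reader has to guess, and the guess decides how much noise to expect from this rule. A comment above the `$result` line, `# Intentionally no Image check: a renamed rar.exe still shows the -hp / -m / a switches`, would settle it either way.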
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*rasdial.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rasdial_activity";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rasdial_activity";
+ $detectedMessage = "Detects suspicious process related to rasdial.exe";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*rasdial.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_rclone_exec.ps1 b/Rules/SIGMA/process_creation/win_susp_rclone_exec.ps1
new file mode 100644
index 00000000..0fa5baea
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_rclone_exec.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* pass .*" -or $_.message -match "CommandLine.*.* user .*" -or $_.message -match "CommandLine.*.* copy .*" -or $_.message -match "CommandLine.*.* mega .*" -or $_.message -match "CommandLine.*.* sync .*" -or $_.message -match "CommandLine.*.* config .*" -or $_.message -match "CommandLine.*.* lsd .*" -or $_.message -match "CommandLine.*.* remote .*" -or $_.message -match "CommandLine.*.* ls .*") -and ($_.ID -eq "1") -and ($_.message -match "Description.*Rsync for cloud storage" -or ($_.message -match "Image.*.*\\rclone.exe" -and ($_.message -match "ParentImage.*.*\\PowerShell.exe" -or $_.message -match "ParentImage.*.*\\cmd.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rclone_exec";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rclone_exec";
+ $detectedMessage = "Detects Rclone which is commonly used by ransomware groups for exfiltration";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* pass .*" -or $_.message -match "CommandLine.*.* user .*" -or $_.message -match "CommandLine.*.* copy .*" -or $_.message -match "CommandLine.*.* mega .*" -or $_.message -match "CommandLine.*.* sync .*" -or $_.message -match "CommandLine.*.* config .*" -or $_.message -match "CommandLine.*.* lsd .*" -or $_.message -match "CommandLine.*.* remote .*" -or $_.message -match "CommandLine.*.* ls .*") -and ($_.ID -eq "1") -and ($_.message -match "Description.*Rsync for cloud storage" -or ($_.message -match "Image.*.*\\rclone.exe" -and ($_.message -match "ParentImage.*.*\\PowerShell.exe" -or $_.message -match "ParentImage.*.*\\cmd.exe")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output 
"Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_recon_activity.ps1 b/Rules/SIGMA/process_creation/win_susp_recon_activity.ps1
new file mode 100644
index 00000000..798772f1
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_recon_activity.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "net group "domain admins" /domain" -or $_.message -match "net localgroup administrators" -or $_.message -match "net group "enterprise admins" /domain")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_recon_activity";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_recon_activity";
+ $detectedMessage = "Detects suspicious command line activity on Windows systems";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "net group ""domain admins"" /domain" -or $_.message -match "net localgroup administrators" -or $_.message -match "net group ""enterprise admins"" /domain")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_reg_disable_sec_services.ps1 b/Rules/SIGMA/process_creation/win_susp_reg_disable_sec_services.ps1
new file mode 100644
index 00000000..9598b808
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_reg_disable_sec_services.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.*add.*" -and $_.message -match "CommandLine.*.* /d 4.*" -and $_.message -match "CommandLine.*.* /v Start.*" -and ($_.message -match "CommandLine.*.*\\Sense .*" -or $_.message -match "CommandLine.*.*\\WinDefend.*" -or $_.message -match "CommandLine.*.*\\MsMpSvc.*" -or $_.message -match "CommandLine.*.*\\NisSrv.*" -or $_.message -match "CommandLine.*.*\\WdBoot .*" -or $_.message -match "CommandLine.*.*\\WdNisDrv.*" -or $_.message -match "CommandLine.*.*\\WdNisSvc.*" -or $_.message -match "CommandLine.*.*\\wscsvc .*" -or $_.message -match "CommandLine.*.*\\SecurityHealthService.*" -or $_.message -match "CommandLine.*.*\\wuauserv.*" -or $_.message -match "CommandLine.*.*\\UsoSvc .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_reg_disable_sec_services";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_reg_disable_sec_services";
+ $detectedMessage = "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.*add.*" -and $_.message -match "CommandLine.*.* /d 4.*" -and $_.message -match "CommandLine.*.* /v Start.*" -and ($_.message -match "CommandLine.*.*\\Sense .*" -or $_.message -match "CommandLine.*.*\\WinDefend.*" -or $_.message -match "CommandLine.*.*\\MsMpSvc.*" -or $_.message -match "CommandLine.*.*\\NisSrv.*" -or $_.message -match "CommandLine.*.*\\WdBoot .*" -or $_.message -match "CommandLine.*.*\\WdNisDrv.*" -or $_.message -match "CommandLine.*.*\\WdNisSvc.*" -or $_.message -match "CommandLine.*.*\\wscsvc .*" -or $_.message -match "CommandLine.*.*\\SecurityHealthService.*" -or 
$_.message -match "CommandLine.*.*\\wuauserv.*" -or $_.message -match "CommandLine.*.*\\UsoSvc .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_regedit_trustedinstaller.ps1 b/Rules/SIGMA/process_creation/win_susp_regedit_trustedinstaller.ps1
new file mode 100644
index 00000000..eb49c781
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_regedit_trustedinstaller.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\regedit.exe" -and ($_.message -match "ParentImage.*.*\\TrustedInstaller.exe" -or $_.message -match "ParentImage.*.*\\ProcessHacker.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_regedit_trustedinstaller";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_regedit_trustedinstaller";
+ $detectedMessage = "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\regedit.exe" -and ($_.message -match "ParentImage.*.*\\TrustedInstaller.exe" -or $_.message -match "ParentImage.*.*\\ProcessHacker.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_register_cimprovider.ps1 b/Rules/SIGMA/process_creation/win_susp_register_cimprovider.ps1
new file mode 100644
index 00000000..648e34fc
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_register_cimprovider.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\register-cimprovider.exe" -and $_.message -match "CommandLine.*.*-path.*" -and $_.message -match "CommandLine.*.*dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_register_cimprovider";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_register_cimprovider";
+ $detectedMessage = "Detects using register-cimprovider.exe to execute arbitrary dll file.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\register-cimprovider.exe" -and $_.message -match "CommandLine.*.*-path.*" -and $_.message -match "CommandLine.*.*dll.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_regsvr32_anomalies.ps1 b/Rules/SIGMA/process_creation/win_susp_regsvr32_anomalies.ps1
new file mode 100644
index 00000000..1ac217f1
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_regsvr32_anomalies.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "CommandLine.*.*\\Temp\\.*") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "ParentImage.*.*\\powershell.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "ParentImage.*.*\\cmd.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "CommandLine.*.*/i:.*" -and ($_.message -match "CommandLine.*.*http.*" -or $_.message -match "CommandLine.*.*ftp.*") -and $_.message -match "CommandLine.*.*scrobj.dll") -or ($_.message -match "Image.*.*\\wscript.exe" -and $_.message -match "ParentImage.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\EXCEL.EXE" -and $_.message -match "CommandLine.*.*..\\..\\..\\Windows\\System32\\regsvr32.exe .*") -or ($_.message -match "ParentImage.*.*\\mshta.exe" -and $_.message -match "Image.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and ($_.message -match "CommandLine.*.*\\AppData\\Local.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Public.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_regsvr32_anomalies";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_regsvr32_anomalies";
+ $detectedMessage = "Detects various anomalies in relation to regsvr32.exe";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "CommandLine.*.*\\Temp\\.*") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "ParentImage.*.*\\powershell.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "ParentImage.*.*\\cmd.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "CommandLine.*.*/i:.*" -and ($_.message -match 
"CommandLine.*.*http.*" -or $_.message -match "CommandLine.*.*ftp.*") -and $_.message -match "CommandLine.*.*scrobj.dll") -or ($_.message -match "Image.*.*\\wscript.exe" -and $_.message -match "ParentImage.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\EXCEL.EXE" -and $_.message -match "CommandLine.*.*..\\..\\..\\Windows\\System32\\regsvr32.exe .*") -or ($_.message -match "ParentImage.*.*\\mshta.exe" -and $_.message -match "Image.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and ($_.message -match "CommandLine.*.*\\AppData\\Local.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Public.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_regsvr32_flags_anomaly.ps1 b/Rules/SIGMA/process_creation/win_susp_regsvr32_flags_anomaly.ps1
new file mode 100644
index 00000000..8472c507
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_regsvr32_flags_anomaly.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "CommandLine.*.* /i:.*") -and -not ($_.message -match "CommandLine.*.* /n .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_regsvr32_flags_anomaly";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_regsvr32_flags_anomaly";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "CommandLine.*.* /i:.*") -and -not ($_.message -match "CommandLine.*.* /n .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_regsvr32_no_dll.ps1 b/Rules/SIGMA/process_creation/win_susp_regsvr32_no_dll.ps1
new file mode 100644
index 00000000..2add5736
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_regsvr32_no_dll.ps1
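Review bot: `Write-Output $detectedMessage;` prints a variable that this file never assigns — unlike every sibling rule there is no `$detectedMessage = "…";` between the `$ruleName` and `$result` lines, so a hit emits a blank line where the explanation belongs, and under strict mode it would be an error. Add a line in the same position as the other files, e.g. `$detectedMessage = "Detects regsvr32.exe invoked with a /i: argument but without the /n flag";`, which is what the filter on the `$result` line actually tests.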
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\regsvr32.exe" -and -not (($_.message -match "CommandLine.*.*.dll.*" -or $_.message -match "CommandLine.*.*.ocx.*" -or $_.message -match "CommandLine.*.*.cpl.*" -or $_.message -match "CommandLine.*.*.ax.*" -or $_.message -match "CommandLine.*.*.bav.*" -or $_.message -match "CommandLine.*.*.ppl.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_regsvr32_no_dll";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_regsvr32_no_dll";
+ $detectedMessage = "Detects a regsvr.exe execution that doesn't contain a DLL in the command line";
+ $result = $event | where { (($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\regsvr32.exe" -and -not (($_.message -match "CommandLine.*.*.dll.*" -or $_.message -match "CommandLine.*.*.ocx.*" -or $_.message -match "CommandLine.*.*.cpl.*" -or $_.message -match "CommandLine.*.*.ax.*" -or $_.message -match "CommandLine.*.*.bav.*" -or $_.message -match "CommandLine.*.*.ppl.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_renamed_dctask64.ps1 b/Rules/SIGMA/process_creation/win_susp_renamed_dctask64.ps1
new file mode 100644
index 00000000..68483e5f
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_renamed_dctask64.ps1
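Review bot: The filter on the `$result` line keys on `ParentImage.*.*\\regsvr32.exe`, i.e. on processes started by regsvr32, while `$detectedMessage` describes a regsvr32 execution whose own command line lacks a DLL; if the process itself is meant, the first pattern should be `Image.*.*\\regsvr32.exe`. Confirm against the upstream rule before changing it, since the parent-image form could be deliberate. Either way, a comment above the `$result` line stating which process's command line is inspected would remove the ambiguity for the analyst triaging a hit.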
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "Imphash.*6834B1B94E49701D77CCB3C0895E1AFD" -and -not ($_.message -match "Image.*.*\\dctask64.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_renamed_dctask64";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_renamed_dctask64";
+ $detectedMessage = "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation";
+ $result = $event | where { (($_.ID -eq "1") -and $_.message -match "Imphash.*6834B1B94E49701D77CCB3C0895E1AFD" -and -not ($_.message -match "Image.*.*\\dctask64.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_renamed_debugview.ps1 b/Rules/SIGMA/process_creation/win_susp_renamed_debugview.ps1
new file mode 100644
index 00000000..bc43d56c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_renamed_debugview.ps1
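Review bot: The match on `Imphash.*6834B1B94E49701D77CCB3C0895E1AFD` only works when Sysmon has been configured to compute import hashes; the Hashes field of event 1 carries only the algorithms named in the Sysmon configuration, so on a host without IMPHASH enabled this rule silently never fires and the operator gets no hint why. Suggest a comment above the `$result` line: `# Requires Sysmon HashAlgorithms to include IMPHASH; otherwise the Imphash field is absent and this rule cannot match.`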
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Sysinternals DebugView" -or $_.message -match "Sysinternals Debugview") -and -not ($_.message -match "OriginalFileName.*Dbgview.exe" -and $_.message -match "Image.*.*\\Dbgview.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_renamed_debugview";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_renamed_debugview";
+ $detectedMessage = "Detects suspicious renamed SysInternals DebugView execution";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Sysinternals DebugView" -or $_.message -match "Sysinternals Debugview") -and -not ($_.message -match "OriginalFileName.*Dbgview.exe" -and $_.message -match "Image.*.*\\Dbgview.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_renamed_paexec.ps1 b/Rules/SIGMA/process_creation/win_susp_renamed_paexec.ps1
new file mode 100644
index 00000000..c76d8874
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_renamed_paexec.ps1
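Review bot: The two alternatives `"Sysinternals DebugView"` and `"Sysinternals Debugview"` on the `$result` line differ only in case, and PowerShell's `-match` is case-insensitive unless `-cmatch` is used, so the second alternative is dead and a single `$_.message -match "Sysinternals DebugView"` filters identically. The same holds for `\\PAexec.exe` / `\\paexec.exe` in win_susp_renamed_paexec. If the duplicated spellings are kept to mirror the upstream SIGMA entries verbatim, a short comment saying so would stop the next reader from "fixing" them.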
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1") -and ($_.message -match "Description.*PAExec Application" -or $_.message -match "OriginalFileName.*PAExec.exe")) -and -not (($_.message -match "Image.*.*\\PAexec.exe" -or $_.message -match "Image.*.*\\paexec.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_renamed_paexec";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_renamed_paexec";
+ $detectedMessage = "Detects suspicious renamed PAExec execution as often used by attackers";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.ID -eq "1") -and ($_.message -match "Description.*PAExec Application" -or $_.message -match "OriginalFileName.*PAExec.exe")) -and -not (($_.message -match "Image.*.*\\PAexec.exe" -or $_.message -match "Image.*.*\\paexec.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_rpcping.ps1 b/Rules/SIGMA/process_creation/win_susp_rpcping.ps1
new file mode 100644
index 00000000..f66fa434
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_rpcping.ps1
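Review bot: The filter checks `($_.ID -eq "1")` twice — `(($_.ID -eq "1") -and (($_.ID -eq "1") -and (...)))` — and the inner copy with its extra parentheses is a translation artifact that obscures the real selection (Description / OriginalFileName); `(($_.ID -eq "1") -and ($_.message -match "Description.*PAExec Application" -or $_.message -match "OriginalFileName.*PAExec.exe") -and -not (...))` is the equivalent form. The `win_susp_runonce_execution` rule later in this series carries the same duplicated ID check. The header comment copies the same expression, so both lines should be adjusted together.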
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\rpcping.exe" -and ($_.message -match "CommandLine.*.*-s.*" -or $_.message -match "CommandLine.*.*/s.*")) -and (($_.message -match "CommandLine.*.*-u.*" -and $_.message -match "CommandLine.*.*NTLM.*") -or ($_.message -match "CommandLine.*.*/u.*" -and $_.message -match "CommandLine.*.*NTLM.*") -or ($_.message -match "CommandLine.*.*-t.*" -and $_.message -match "CommandLine.*.*ncacn_np.*") -or ($_.message -match "CommandLine.*.*/t.*" -and $_.message -match "CommandLine.*.*ncacn_np.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rpcping";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rpcping";
+ $detectedMessage = "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\rpcping.exe" -and ($_.message -match "CommandLine.*.*-s.*" -or $_.message -match "CommandLine.*.*/s.*")) -and (($_.message -match "CommandLine.*.*-u.*" -and $_.message -match "CommandLine.*.*NTLM.*") -or ($_.message -match "CommandLine.*.*/u.*" -and $_.message -match "CommandLine.*.*NTLM.*") -or ($_.message -match "CommandLine.*.*-t.*" -and $_.message -match "CommandLine.*.*ncacn_np.*") -or ($_.message -match "CommandLine.*.*/t.*" -and $_.message -match "CommandLine.*.*ncacn_np.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_run_locations.ps1 b/Rules/SIGMA/process_creation/win_susp_run_locations.ps1
new file mode 100644
index 00000000..b5ac1c44
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_run_locations.ps1
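Review bot: The two lines `+Write-Output $result;` and `+Write-Output "";` inside the `if` body sit at column 0, and the hunk carries two blank lines (after `$result = ...` and after the closing `}`) that the sibling rule files do not have; re-indent the two statements to the block's level and drop the stray blanks so this file matches the 31-line layout of the rest of the series (runonce_execution, schtask_creation, schtask_creation_temp_folder and screenconnect_access each carry one extra blank after `$result` as well). On the selection side, `CommandLine.*.*-s.*`, `-u.*` and `-t.*` are bare two-character substrings, so any argument containing those letter pairs satisfies them regardless of position; if the rule is meant to key on the switches the description names, a delimited form such as `CommandLine.*\s[-/]s\s` (and the same for `u` and `t`) states that precisely.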
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*:\\RECYCLER\\.*" -or $_.message -match "Image.*.*:\\SystemVolumeInformation\\.*") -or ($_.message -match "Image.*C:\\Windows\\Tasks\\.*" -or $_.message -match "Image.*C:\\Windows\\debug\\.*" -or $_.message -match "Image.*C:\\Windows\\fonts\\.*" -or $_.message -match "Image.*C:\\Windows\\help\\.*" -or $_.message -match "Image.*C:\\Windows\\drivers\\.*" -or $_.message -match "Image.*C:\\Windows\\addins\\.*" -or $_.message -match "Image.*C:\\Windows\\cursors\\.*" -or $_.message -match "Image.*C:\\Windows\\system32\\tasks\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_run_locations";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_run_locations";
+ $detectedMessage = "Detects suspicious process run from unusual locations";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*:\\RECYCLER\\.*" -or $_.message -match "Image.*.*:\\SystemVolumeInformation\\.*") -or ($_.message -match "Image.*C:\\Windows\\Tasks\\.*" -or $_.message -match "Image.*C:\\Windows\\debug\\.*" -or $_.message -match "Image.*C:\\Windows\\fonts\\.*" -or $_.message -match "Image.*C:\\Windows\\help\\.*" -or $_.message -match "Image.*C:\\Windows\\drivers\\.*" -or $_.message -match "Image.*C:\\Windows\\addins\\.*" -or $_.message -match "Image.*C:\\Windows\\cursors\\.*" -or $_.message -match "Image.*C:\\Windows\\system32\\tasks\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_rundll32_activity.ps1 b/Rules/SIGMA/process_creation/win_susp_rundll32_activity.ps1
new file mode 100644
index 00000000..03b4f9a4
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_rundll32_activity.ps1
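Review bot: The eight `Image.*C:\\Windows\\...` patterns hard-code the `C:` drive, while the RECYCLER and SystemVolumeInformation patterns in the same filter use `.*:\\`; a Windows installation on another drive letter is missed by the second group, so `Image.*:\\Windows\\Tasks\\` (and the same for debug, fonts, help, drivers, addins, cursors, system32\\tasks) is the consistent form. `SystemVolumeInformation` is written without spaces, whereas the on-disk folder is `System Volume Information`, so that alternative presumably never matches a real path — worth checking against the upstream SIGMA rule before changing it. The trailing `.*` on every pattern is redundant for `-match` and can be removed.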
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*javascript:.*" -or $_.message -match "CommandLine.*.*.RegisterXLL.*") -or ($_.message -match "CommandLine.*.*url.dll.*" -and $_.message -match "CommandLine.*.*OpenURL.*") -or ($_.message -match "CommandLine.*.*url.dll.*" -and $_.message -match "CommandLine.*.*OpenURLA.*") -or ($_.message -match "CommandLine.*.*url.dll.*" -and $_.message -match "CommandLine.*.*FileProtocolHandler.*") -or ($_.message -match "CommandLine.*.*zipfldr.dll.*" -and $_.message -match "CommandLine.*.*RouteTheCall.*") -or ($_.message -match "CommandLine.*.*shell32.dll.*" -and $_.message -match "CommandLine.*.*Control_RunDLL.*") -or ($_.message -match "CommandLine.*.*shell32.dll.*" -and $_.message -match "CommandLine.*.*ShellExec_RunDLL.*") -or ($_.message -match "CommandLine.*.*mshtml.dll.*" -and $_.message -match "CommandLine.*.*PrintHTML.*") -or ($_.message -match "CommandLine.*.*advpack.dll.*" -and $_.message -match "CommandLine.*.*LaunchINFSection.*") -or ($_.message -match "CommandLine.*.*advpack.dll.*" -and $_.message -match "CommandLine.*.*RegisterOCX.*") -or ($_.message -match "CommandLine.*.*ieadvpack.dll.*" -and $_.message -match "CommandLine.*.*LaunchINFSection.*") -or ($_.message -match "CommandLine.*.*ieadvpack.dll.*" -and $_.message -match "CommandLine.*.*RegisterOCX.*") -or ($_.message -match "CommandLine.*.*ieframe.dll.*" -and $_.message -match "CommandLine.*.*OpenURL.*") -or ($_.message -match "CommandLine.*.*shdocvw.dll.*" -and $_.message -match "CommandLine.*.*OpenURL.*") -or ($_.message -match "CommandLine.*.*syssetup.dll.*" -and $_.message -match "CommandLine.*.*SetupInfObjectInstallAction'.*") -or ($_.message -match "CommandLine.*.*setupapi.dll.*" -and $_.message -match "CommandLine.*.*InstallHinfSection.*") -or ($_.message -match "CommandLine.*.*pcwutl.dll.*" -and $_.message -match "CommandLine.*.*LaunchApplication.*") -or ($_.message -match "CommandLine.*.*dfshim.dll.*" -and $_.message -match "CommandLine.*.*ShOpenVerbApplication.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rundll32_activity";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rundll32_activity";
+ $detectedMessage = "Detects suspicious process related to rundll32 based on arguments";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*javascript:.*" -or $_.message -match "CommandLine.*.*.RegisterXLL.*") -or ($_.message -match "CommandLine.*.*url.dll.*" -and $_.message -match "CommandLine.*.*OpenURL.*") -or ($_.message -match "CommandLine.*.*url.dll.*" -and $_.message -match "CommandLine.*.*OpenURLA.*") -or ($_.message -match "CommandLine.*.*url.dll.*" -and $_.message -match "CommandLine.*.*FileProtocolHandler.*") -or ($_.message -match "CommandLine.*.*zipfldr.dll.*" -and $_.message -match "CommandLine.*.*RouteTheCall.*") -or ($_.message -match "CommandLine.*.*shell32.dll.*" -and $_.message -match "CommandLine.*.*Control_RunDLL.*") -or ($_.message -match "CommandLine.*.*shell32.dll.*" -and $_.message -match "CommandLine.*.*ShellExec_RunDLL.*") -or ($_.message -match "CommandLine.*.*mshtml.dll.*" -and $_.message -match "CommandLine.*.*PrintHTML.*") -or ($_.message -match "CommandLine.*.*advpack.dll.*" -and $_.message -match "CommandLine.*.*LaunchINFSection.*") -or ($_.message -match "CommandLine.*.*advpack.dll.*" -and $_.message -match "CommandLine.*.*RegisterOCX.*") -or ($_.message -match "CommandLine.*.*ieadvpack.dll.*" -and $_.message -match "CommandLine.*.*LaunchINFSection.*") -or ($_.message -match "CommandLine.*.*ieadvpack.dll.*" -and $_.message -match "CommandLine.*.*RegisterOCX.*") -or ($_.message -match "CommandLine.*.*ieframe.dll.*" -and $_.message -match "CommandLine.*.*OpenURL.*") -or ($_.message -match "CommandLine.*.*shdocvw.dll.*" -and $_.message -match "CommandLine.*.*OpenURL.*") -or ($_.message -match "CommandLine.*.*syssetup.dll.*" -and $_.message -match "CommandLine.*.*SetupInfObjectInstallAction'.*") -or ($_.message -match "CommandLine.*.*setupapi.dll.*" -and $_.message -match "CommandLine.*.*InstallHinfSection.*") -or ($_.message -match "CommandLine.*.*pcwutl.dll.*" -and $_.message -match "CommandLine.*.*LaunchApplication.*") -or ($_.message -match "CommandLine.*.*dfshim.dll.*" -and $_.message -match "CommandLine.*.*ShOpenVerbApplication.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_rundll32_by_ordinal.ps1 b/Rules/SIGMA/process_creation/win_susp_rundll32_by_ordinal.ps1
new file mode 100644
index 00000000..badea5dc
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_rundll32_by_ordinal.ps1
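Review bot: The pattern `CommandLine.*.*SetupInfObjectInstallAction'.*` carries a literal apostrophe before `.*`, so the `syssetup.dll` pair only matches when the command line contains `SetupInfObjectInstallAction'` with the quote, and the plain export name will not trigger it; the fix is to drop the character: `$_.message -match "CommandLine.*.*SetupInfObjectInstallAction.*"` (in both the header comment and the filter). None of the alternatives require the image to be rundll32.exe, so the first branch reports any process whose command line contains `javascript:`, which mirrors the upstream rule but deserves a comment for whoever tunes it, e.g. `# No Image restriction by design (upstream rule); expect noise from any process passing javascript: URLs`. The `.` in `.RegisterXLL`, `url.dll` and the other library names is an unescaped wildcard, harmless here but not the exact-token match the names suggest.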
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\rundll32.exe.*" -and $_.message -match "CommandLine.*.*,#.*") -and -not ($_.message -match "CommandLine.*.*EDGEHTML.dll.*" -and $_.message -match "CommandLine.*.*#141.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rundll32_by_ordinal";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rundll32_by_ordinal";
+ $detectedMessage = "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\rundll32.exe.*" -and $_.message -match "CommandLine.*.*,#.*") -and -not ($_.message -match "CommandLine.*.*EDGEHTML.dll.*" -and $_.message -match "CommandLine.*.*#141.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_rundll32_inline_vbs.ps1 b/Rules/SIGMA/process_creation/win_susp_rundll32_inline_vbs.ps1
new file mode 100644
index 00000000..1cac434f
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_rundll32_inline_vbs.ps1
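Review bot: In `CommandLine.*.*\\rundll32.exe.*` and `CommandLine.*.*EDGEHTML.dll.*` the `.` before `exe` and `dll` is an unescaped wildcard rather than a literal dot, so the patterns are looser than the file names they spell out; write them as `\\rundll32\.exe` and `EDGEHTML\.dll`. Every `.exe` / `.dll` / `.sys` token across this series (dctask64, debugview, paexec, rpcping, the other rundll32 rules, runonce, runscripthelper, schtask, script and service rules) has the same unescaped dot, and the doubled `.*.*` that precedes each token is a literal translation of the SIGMA `*` wildcard that a single `.*` expresses.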
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*Execute.*" -and $_.message -match "CommandLine.*.*RegRead.*" -and $_.message -match "CommandLine.*.*window.close.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rundll32_inline_vbs";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rundll32_inline_vbs";
+ $detectedMessage = "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*Execute.*" -and $_.message -match "CommandLine.*.*RegRead.*" -and $_.message -match "CommandLine.*.*window.close.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_rundll32_no_params.ps1 b/Rules/SIGMA/process_creation/win_susp_rundll32_no_params.ps1
new file mode 100644
index 00000000..b57f291f
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_rundll32_no_params.ps1
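Review bot: The guard `if ($result -and $result.Count -ne 0)` is redundant: `$result -and` already rejects `$null`, and when `where` yields a single PSCustomObject the `.Count` member is the intrinsic property that PowerShell 3.0+ supplies (on 2.0 it evaluates to `$null`, and `$null -ne 0` is still true), so the second half never changes the outcome; `if ($result)` says the same thing, or `if (@($result).Count -gt 0)` if an explicit count is preferred. The same condition appears in every rule file of this series.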
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\rundll32.exe" -and -not ($_.message -match "ParentImage.*.*\\svchost.exe")) -and -not (($_.message -match "ParentImage.*.*\\AppData\\Local\\.*" -or $_.message -match "ParentImage.*.*\\Microsoft\\Edge\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rundll32_no_params";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rundll32_no_params";
+ $detectedMessage = "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\rundll32.exe" -and -not ($_.message -match "ParentImage.*.*\\svchost.exe")) -and -not (($_.message -match "ParentImage.*.*\\AppData\\Local\\.*" -or $_.message -match "ParentImage.*.*\\Microsoft\\Edge\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_rundll32_setupapi_installhinfsection.ps1 b/Rules/SIGMA/process_creation/win_susp_rundll32_setupapi_installhinfsection.ps1
new file mode 100644
index 00000000..22638cf4
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_rundll32_setupapi_installhinfsection.ps1
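Review bot: The selection `CommandLine.*.*\\rundll32.exe` has no end-of-line anchor, so it matches every rundll32.exe command line, not only the parameterless one that the rule name and `$detectedMessage` describe; the upstream rule is an `endswith`, and as written this fires on essentially every rundll32 launch that survives the two ParentImage exclusions. Anchor the token to the end of the `CommandLine:` line, e.g. `(?m)^CommandLine: .*\\rundll32\.exe"?\s*$` — the optional quote covers a quoted path and `\s*` absorbs the carriage return (confirm the field layout against a sample Sysmon event).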
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\runonce.exe" -and $_.message -match "ParentImage.*.*\\rundll32.exe" -and $_.message -match "ParentCommandLine.*.*setupapi.dll.*" -and $_.message -match "ParentCommandLine.*.*InstallHinfSection.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rundll32_setupapi_installhinfsection";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rundll32_setupapi_installhinfsection";
+ $detectedMessage = "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\runonce.exe" -and $_.message -match "ParentImage.*.*\\rundll32.exe" -and $_.message -match "ParentCommandLine.*.*setupapi.dll.*" -and $_.message -match "ParentCommandLine.*.*InstallHinfSection.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_rundll32_sys.ps1 b/Rules/SIGMA/process_creation/win_susp_rundll32_sys.ps1
new file mode 100644
index 00000000..66254d67
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_rundll32_sys.ps1
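Review bot: `$detectedMessage` here is the upstream rule's background text ("setupapi.dll library provide InstallHinfSection function ...") rather than a statement of what fired, unlike every sibling file whose message starts with "Detects ..."; since it is printed directly under `Detected! RuleName:`, a detection statement such as `$detectedMessage = "Detects runonce.exe spawned by rundll32.exe invoking setupapi.dll InstallHinfSection";` reads better for the analyst, and if the original wording is kept the grammar needs `provide` → `provides` and `INF file may` → `An INF file may`.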
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and ($_.message -match "CommandLine.*.*.sys,.*" -or $_.message -match "CommandLine.*.*.sys .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_rundll32_sys";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_rundll32_sys";
+ $detectedMessage = "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and ($_.message -match "CommandLine.*.*.sys,.*" -or $_.message -match "CommandLine.*.*.sys .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_runonce_execution.ps1 b/Rules/SIGMA/process_creation/win_susp_runonce_execution.ps1
new file mode 100644
index 00000000..18e5325c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_runonce_execution.ps1
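Review bot: In `CommandLine.*.*.sys,.*` and `CommandLine.*.*.sys .*` the `.` before `sys` is a wildcard, not the literal dot of a `.sys` extension, so any rundll32 command line containing `sys,` or `sys ` preceded by one arbitrary character satisfies the selection — tokens such as `subsys,` qualify — while `$detectedMessage` says the rule keys on a `*.sys` file. Escape the dot and fold the two alternatives into one: `$_.message -match "CommandLine.*\.sys[, ]"`; `rundll32.exe` in the first pattern has the same unescaped dot.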
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\runonce.exe") -or ($_.message -match "Run Once Wrapper")) -and ($_.message -match "CommandLine.*.* /AlternateShellStartup.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_runonce_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_runonce_execution";
+ $detectedMessage = "This rule detects the execution of Run Once task as configured in the registry";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\runonce.exe") -or ($_.message -match "Run Once Wrapper")) -and ($_.message -match "CommandLine.*.* /AlternateShellStartup.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_runscripthelper.ps1 b/Rules/SIGMA/process_creation/win_susp_runscripthelper.ps1
new file mode 100644
index 00000000..b334ea3d
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_runscripthelper.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\Runscripthelper.exe" -and $_.message -match "CommandLine.*.*surfacecheck.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_runscripthelper";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_runscripthelper";
+ $detectedMessage = "Detects execution of powershell scripts via Runscripthelper.exe";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\Runscripthelper.exe" -and $_.message -match "CommandLine.*.*surfacecheck.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_schtask_creation.ps1 b/Rules/SIGMA/process_creation/win_susp_schtask_creation.ps1
new file mode 100644
index 00000000..744fd67a
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_schtask_creation.ps1
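Review bot: Nothing in the file records that the rule only works on Sysmon data: the filter accepts event ID 1 and the header comment queries `Microsoft-Windows-Sysmon/Operational`, so on a host without Sysmon the rule returns nothing and gives no indication that it could not run. A one-line comment above `function Add-Rule` would make the dependency explicit, e.g. `# Data source: Sysmon Operational log, event ID 1 (process creation); hosts without Sysmon get no coverage from this rule`. The same applies to every rule in this series, which share the data source and the silent-empty behaviour.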
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.* /create .*") -and -not ($_.message -match "User.*NT AUTHORITY\\SYSTEM")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_schtask_creation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_schtask_creation";
+ $detectedMessage = "Detects the creation of scheduled tasks in user session";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.* /create .*") -and -not ($_.message -match "User.*NT AUTHORITY\\SYSTEM")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_schtask_creation_temp_folder.ps1 b/Rules/SIGMA/process_creation/win_susp_schtask_creation_temp_folder.ps1
new file mode 100644
index 00000000..a60e7862
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_schtask_creation_temp_folder.ps1
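Review bot: The exclusion `User.*NT AUTHORITY\\SYSTEM` compares against the account name Sysmon writes into the `User:` field, which is presumably the OS-localized name, so on a non-English Windows the built-in SYSTEM account renders in the system language, the exclusion never matches, and every task created under SYSTEM is reported as a user-session creation; given this project ships per-language configuration files, that assumption deserves a comment at minimum, e.g. `# NOTE: the SYSTEM exclusion assumes an English account name in the Sysmon User field; localized hosts will report SYSTEM-created tasks`. `CommandLine.*.* /create .*` requires single spaces on both sides of the switch, which is fine for the common invocation but worth knowing when tuning.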
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.* /create .*" -and $_.message -match "CommandLine.*.* /sc once .*" -and $_.message -match "CommandLine.*.*\\Temp\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_schtask_creation_temp_folder";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_schtask_creation_temp_folder";
+ $detectedMessage = "Detects the creation of scheduled tasks that involves a temporary folder and runs only once";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.* /create .*" -and $_.message -match "CommandLine.*.* /sc once .*" -and $_.message -match "CommandLine.*.*\\Temp\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_screenconnect_access.ps1 b/Rules/SIGMA/process_creation/win_susp_screenconnect_access.ps1
new file mode 100644
index 00000000..352c59bf
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_screenconnect_access.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*e=Access&.*" -and $_.message -match "CommandLine.*.*y=Guest&.*" -and $_.message -match "CommandLine.*.*&p=.*" -and $_.message -match "CommandLine.*.*&c=.*" -and $_.message -match "CommandLine.*.*&k=.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_screenconnect_access";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_screenconnect_access";
+ $detectedMessage = "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*e=Access&.*" -and $_.message -match "CommandLine.*.*y=Guest&.*" -and $_.message -match "CommandLine.*.*&p=.*" -and $_.message -match "CommandLine.*.*&c=.*" -and $_.message -match "CommandLine.*.*&k=.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_script_exec_from_temp.ps1 b/Rules/SIGMA/process_creation/win_susp_script_exec_from_temp.ps1
new file mode 100644
index 00000000..be2b7d65
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_script_exec_from_temp.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe") -and ($_.message -match "CommandLine.*.*\\Windows\\Temp.*" -or $_.message -match "CommandLine.*.*\\Temporary Internet.*" -or $_.message -match "CommandLine.*.*\\AppData\\Local\\Temp.*" -or $_.message -match "CommandLine.*.*\\AppData\\Roaming\\Temp.*" -or $_.message -match "CommandLine.*.*%TEMP%.*" -or $_.message -match "CommandLine.*.*%TMP%.*" -or $_.message -match "CommandLine.*.*%LocalAppData%\\Temp.*")) -and -not ($_.message -match "CommandLine.*.* >.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_script_exec_from_temp";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_script_exec_from_temp";
+ $detectedMessage = "Detects a suspicious script executions from temporary folder";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe") -and ($_.message -match "CommandLine.*.*\\Windows\\Temp.*" -or $_.message -match "CommandLine.*.*\\Temporary Internet.*" -or $_.message -match "CommandLine.*.*\\AppData\\Local\\Temp.*" -or $_.message -match "CommandLine.*.*\\AppData\\Roaming\\Temp.*" -or $_.message -match "CommandLine.*.*%TEMP%.*" -or $_.message -match "CommandLine.*.*%TMP%.*" -or $_.message -match "CommandLine.*.*%LocalAppData%\\Temp.*")) -and -not ($_.message -match "CommandLine.*.* >.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_script_execution.ps1 b/Rules/SIGMA/process_creation/win_susp_script_execution.ps1
new file mode 100644
index 00000000..d21d9db2
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_script_execution.ps1
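Review bot: The image list `\\powershell.exe`, `\\mshta.exe`, `\\wscript.exe`, `\\cscript.exe` does not include `pwsh.exe` (PowerShell 7), so script launches from the same temp paths through that host are not reported; this mirrors the upstream SIGMA rule, but on fleets where PowerShell 7 is installed `-or $_.message -match "Image.*.*\\pwsh.exe"` is a one-token extension worth considering, and the header comment should be kept in step. The exclusion `-not ($_.message -match "CommandLine.*.* >.*")` drops every matching command line that contains an output redirection without saying why; a comment such as `# Upstream filter: command lines with ' >' redirection are excluded` would save the next maintainer a trip to the source rule.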
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe") -and ($_.message -match "CommandLine.*.*.jse.*" -or $_.message -match "CommandLine.*.*.vbe.*" -or $_.message -match "CommandLine.*.*.js.*" -or $_.message -match "CommandLine.*.*.vba.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_script_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_script_execution";
+ $detectedMessage = "Detects suspicious file execution by wscript and cscript";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe") -and ($_.message -match "CommandLine.*.*.jse.*" -or $_.message -match "CommandLine.*.*.vbe.*" -or $_.message -match "CommandLine.*.*.js.*" -or $_.message -match "CommandLine.*.*.vba.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_service_dacl_modification.ps1 b/Rules/SIGMA/process_creation/win_susp_service_dacl_modification.ps1
new file mode 100644
index 00000000..5a26d4f0
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_service_dacl_modification.ps1
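Review bot: `CommandLine.*.*.js.*` has an unescaped `.` before `js`, so it matches any wscript/cscript command line in which `js` is preceded by at least one character — `json`, `objs` or a `-jsonOut` switch all qualify — and the same wildcard precedes `jse`, `vbe` and `vba`; the rule is about file extensions, so spell them as extensions and bound the token: `$_.message -match "CommandLine.*\.(?:jse|vbe|js|vba)\b"` replaces the four alternatives and removes the substring noise (with the header comment updated to match). `\b` keeps `.js` from matching `.json` because `s` and `o` are both word characters.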
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sc.exe") -and $_.message -match "CommandLine.*.*sdset.*" -and $_.message -match "CommandLine.*.*D;;.*" -and ($_.message -match "CommandLine.*.*;;;IU.*" -or $_.message -match "CommandLine.*.*;;;SU.*" -or $_.message -match "CommandLine.*.*;;;BA.*" -or $_.message -match "CommandLine.*.*;;;SY.*" -or $_.message -match "CommandLine.*.*;;;WD.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_service_dacl_modification"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_service_dacl_modification"; + $detectedMessage = "Detects suspicious DACL modifications that can be used to hide services or make them unstopable"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sc.exe") -and $_.message -match "CommandLine.*.*sdset.*" -and $_.message -match "CommandLine.*.*D;;.*" -and ($_.message -match "CommandLine.*.*;;;IU.*" -or $_.message -match "CommandLine.*.*;;;SU.*" -or $_.message -match "CommandLine.*.*;;;BA.*" -or $_.message -match "CommandLine.*.*;;;SY.*" -or $_.message -match "CommandLine.*.*;;;WD.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_service_dir.ps1 b/Rules/SIGMA/process_creation/win_susp_service_dir.ps1 new file mode 100644 index 00000000..1fe8a34c --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_service_dir.ps1 
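Review bot: Every `CommandLine.*` pattern in the `$result` filter also matches the `ParentCommandLine:` line of the Sysmon message, so a benign child of a process that was itself started with `sc sdset ... D;;...` (typically the `conhost.exe` that appears under a console `sc.exe`) inherits the detection and the alert fires twice per incident. Anchoring the field name to the start of a line, `"(?m)^CommandLine: .*sdset"`, restricts the test to the created process; the same anchoring belongs on `"Image.*.*\\sc.exe"`, which otherwise matches `ParentImage:` too. The unescaped dot in `sc.exe` is harmless here because a literal `\` must immediately precede `sc`.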
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\Users\\Public\\.*" -or $_.message -match "Image.*.*\\$Recycle.bin.*" -or $_.message -match "Image.*.*\\Users\\All Users\\.*" -or $_.message -match "Image.*.*\\Users\\Default\\.*" -or $_.message -match "Image.*.*\\Users\\Contacts\\.*" -or $_.message -match "Image.*.*\\Users\\Searches\\.*" -or $_.message -match "Image.*.*C:\\Perflogs\\.*" -or $_.message -match "Image.*.*\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Windows\\Fonts\\.*" -or $_.message -match "Image.*.*\\Windows\\IME\\.*" -or $_.message -match "Image.*.*\\Windows\\addins\\.*") -and ($_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\svchost.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_service_dir"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_service_dir"; + $detectedMessage = "Detects a service binary running in a suspicious directory"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\Users\\Public\\.*" -or $_.message -match "Image.*.*\\$Recycle.bin.*" -or $_.message -match "Image.*.*\\Users\\All Users\\.*" -or $_.message -match "Image.*.*\\Users\\Default\\.*" -or $_.message -match "Image.*.*\\Users\\Contacts\\.*" -or $_.message -match "Image.*.*\\Users\\Searches\\.*" -or $_.message -match "Image.*.*C:\\Perflogs\\.*" -or $_.message -match "Image.*.*\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Windows\\Fonts\\.*" -or $_.message -match "Image.*.*\\Windows\\IME\\.*" -or $_.message -match "Image.*.*\\Windows\\addins\\.*") -and ($_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\svchost.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count 
-ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_service_path_modification.ps1 b/Rules/SIGMA/process_creation/win_susp_service_path_modification.ps1 new file mode 100644 index 00000000..4d261349 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_service_path_modification.ps1 
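Review bot: `"Image.*.*\\$Recycle.bin.*"` in the `$result` filter is a double-quoted PowerShell string, so `$Recycle` is expanded as a variable (undefined here, hence empty) and the pattern actually compiled is `Image.*.*\\.bin.*`, which no longer detects the recycle-bin directory and instead matches any image path containing a backslash, one character and `bin` (such as `\sbin`). Escape the sigil, `"Image.*.*\\`$Recycle\.bin.*"`, or put that one pattern in single quotes; the commented `Get-WinEvent` line at the top of the hunk has the same problem. Under `Set-StrictMode -Version 2` or later the uninitialized reference inside the string throws instead, which would disable the whole rule at load time.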
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\sc.exe" -and $_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*binpath.*" -and ($_.message -match "CommandLine.*.*powershell.*" -or $_.message -match "CommandLine.*.*cmd.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_service_path_modification"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_service_path_modification"; + $detectedMessage = "Detects service path modification to PowerShell or cmd."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\sc.exe" -and $_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*binpath.*" -and ($_.message -match "CommandLine.*.*powershell.*" -or $_.message -match "CommandLine.*.*cmd.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_servu_exploitation_cve_2021_35211.ps1 b/Rules/SIGMA/process_creation/win_susp_servu_exploitation_cve_2021_35211.ps1 new file mode 100644 index 00000000..d879a4b0 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_servu_exploitation_cve_2021_35211.ps1 
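Review bot: The rule keys only on an `sc.exe` image whose command line contains `config` and `binpath`, so `$detectedMessage` ("Detects service path modification to PowerShell or cmd.") overstates coverage: the same change made through WMI/CIM `Win32_Service.Change`, a renamed copy of sc.exe, or a direct write to the service's `ImagePath` registry value produces no matching event 1. A scope comment such as `# Covers "sc.exe config ... binpath=" only; ImagePath registry writes need a registry-event rule` keeps analysts from reading a clean result as negative evidence. `"CommandLine.*.*cmd.*"` also matches the substring `cmd` anywhere (for example a `...\cmdline\...` path); `"CommandLine.*\bcmd(\.exe)?\b"` narrows it without losing `binpath= "cmd /c ..."`.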
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*whoami.*" -and ($_.message -match "CommandLine.*.*./Client/Common/.*" -or $_.message -match "CommandLine.*.*.\\Client\\Common\\.*")) -or $_.message -match "CommandLine.*.*C:\\Windows\\Temp\\Serv-U.bat.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_servu_exploitation_cve_2021_35211"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_servu_exploitation_cve_2021_35211"; + $detectedMessage = "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322 "; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*whoami.*" -and ($_.message -match "CommandLine.*.*./Client/Common/.*" -or $_.message -match "CommandLine.*.*.\\Client\\Common\\.*")) -or $_.message -match "CommandLine.*.*C:\\Windows\\Temp\\Serv-U.bat.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_servu_process_pattern.ps1 b/Rules/SIGMA/process_creation/win_susp_servu_process_pattern.ps1 new file mode 100644 index 00000000..52f67e27 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_servu_process_pattern.ps1 
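Review bot: This rule is a fixed-IOC match on attacker-chosen strings (`C:\Windows\Temp\Serv-U.bat`, `whoami` together with `/Client/Common/`), so it documents one reported intrusion rather than the vulnerability itself and will not survive a trivial rename; a comment stating that, e.g. `# Post-exploitation IOCs from the DEV-0322 reporting; pair with win_susp_servu_process_pattern for behaviour-based coverage`, sets expectations. The leading unescaped dot in `"CommandLine.*.*./Client/Common/.*"` simply means "any character" and is harmless, but `"CommandLine.*"` also matches the `ParentCommandLine:` line, so children of an already-matching process double-report. The trailing space in `$detectedMessage` is cosmetic but shows up in the alert text.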
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\Serv-U.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\forfiles.exe" -or $_.message -match "Image.*.*\\scriptrunner.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_servu_process_pattern"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_servu_process_pattern"; + $detectedMessage = "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\Serv-U.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\forfiles.exe" -or $_.message -match "Image.*.*\\scriptrunner.exe")) } | select TimeCreated, Id, RecordId, ProcessId, 
MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_shell_spawn_from_mssql.ps1 b/Rules/SIGMA/process_creation/win_susp_shell_spawn_from_mssql.ps1 new file mode 100644 index 00000000..c9986ea4 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_shell_spawn_from_mssql.ps1 
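Review bot: The child-image list in the `$result` filter (starting on the previous line of the hunk) covers `powershell.exe` but not `pwsh.exe`, and contains no download utilities, so an exploited Serv-U service that launches PowerShell 7, `certutil.exe`, `curl.exe` or `bitsadmin.exe` is missed while `forfiles.exe` and `scriptrunner.exe` are included. Adding `-or $_.message -match "Image.*.*\\pwsh.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe"` closes the obvious gaps and brings the list in line with the sibling MSSQL rule. Because the parent must be `Serv-U.exe`, the `Image.*` patterns matching the `ParentImage:` line is not a false-positive source in this particular rule.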
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\sqlservr.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_shell_spawn_from_mssql"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_shell_spawn_from_mssql"; + $detectedMessage = "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\sqlservr.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_shimcache_flush.ps1 b/Rules/SIGMA/process_creation/win_susp_shimcache_flush.ps1 new file mode 100644 index 00000000..9200469a --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_shimcache_flush.ps1 
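Review bot: `$detectedMessage` reads `this might be sight of RCE or SQL Injection`; the intended word is `sign`, and since this string is what the analyst sees in the alert it should be fixed: `$detectedMessage = "Detects suspicious shell spawn from MSSQL process, this might be sign of RCE or SQL Injection";`. The image list omits `pwsh.exe`, which `xp_cmdshell` abuse can launch just as easily as `powershell.exe`, so consider `-or $_.message -match "Image.*.*\\pwsh.exe"`. Legitimate `xp_cmdshell` use also spawns `cmd.exe` under `sqlservr.exe` and will fire this rule; a one-line comment naming that expected false positive would help triage.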
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.*" -and (($_.message -match "CommandLine.*.*apphelp.dll.*" -and ($_.message -match "CommandLine.*.*ShimFlushCache.*" -or $_.message -match "CommandLine.*.*#250.*")) -or ($_.message -match "CommandLine.*.*kernel32.dll.*" -and ($_.message -match "CommandLine.*.*BaseFlushAppcompatCache.*" -or $_.message -match "CommandLine.*.*#46.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_shimcache_flush"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_shimcache_flush"; + $detectedMessage = "Detects actions that clear the local ShimCache and remove forensic evidence"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.*" -and (($_.message -match "CommandLine.*.*apphelp.dll.*" -and ($_.message -match "CommandLine.*.*ShimFlushCache.*" -or $_.message -match "CommandLine.*.*#250.*")) -or ($_.message -match "CommandLine.*.*kernel32.dll.*" -and ($_.message -match "CommandLine.*.*BaseFlushAppcompatCache.*" -or $_.message -match "CommandLine.*.*#46.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_spoolsv_child_processes.ps1 b/Rules/SIGMA/process_creation/win_susp_spoolsv_child_processes.ps1 new file mode 100644 index 00000000..fd045b56 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_spoolsv_child_processes.ps1 
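Review bot: The rule identifies rundll32 only through the command-line text `rundll32`, so a copied or renamed `rundll32.exe` invoked as `x.exe apphelp.dll,ShimFlushCache` evades it while producing the same anti-forensic effect. Sysmon event 1 carries an `OriginalFileName` field on current builds (confirm against your Sysmon version); replacing the first test with `($_.message -match "CommandLine.*.*rundll32.*" -or $_.message -match "OriginalFileName.*RUNDLL32\.EXE")` removes the rename bypass. The ordinal patterns `#250` and `#46` are unanchored and also match `#2500` or `#460`; `"CommandLine.*#250\b"` and `"CommandLine.*#46\b"` tighten them at no cost.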
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\spoolsv.exe" -and $_.message -match "IntegrityLevel.*System" -and ($_.ID -eq "1") -and (((((($_.message -match "Image.*.*\\gpupdate.exe" -or $_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "Image.*.*\\nltest.exe" -or $_.message -match "Image.*.*\\taskkill.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\taskmgr.exe" -or $_.message -match "Image.*.*\\sc.exe" -or $_.message -match "Image.*.*\\findstr.exe" -or $_.message -match "Image.*.*\\curl.exe" -or $_.message -match "Image.*.*\\wget.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe" -or $_.message -match "Image.*.*\\accesschk.exe" -or $_.message -match "Image.*.*\\wevtutil.exe" -or $_.message -match "Image.*.*\\bcdedit.exe" -or $_.message -match "Image.*.*\\fsutil.exe" -or $_.message -match "Image.*.*\\cipher.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\write.exe" -or $_.message -match "Image.*.*\\wuauclt.exe") -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\net.exe" -and -not ($_.message -match "CommandLine.*.*start.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\cmd.exe" -and -not (($_.message -match "CommandLine.*.*.spl.*" -or $_.message -match "CommandLine.*.*route add.*" -or $_.message -match "CommandLine.*.*program files.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\netsh.exe" -and -not (($_.message -match "CommandLine.*.*add portopening.*" -or $_.message -match "CommandLine.*.*rule name.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\powershell.exe" -and -not ($_.message -match "CommandLine.*.*.spl.*"))) -or ($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*rundll32.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
+ +function Add-Rule { + + $ruleName = "win_susp_spoolsv_child_processes"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_spoolsv_child_processes"; + $detectedMessage = "Detects suspicious print spool service (spoolsv.exe) child processes."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\spoolsv.exe" -and $_.message -match "IntegrityLevel.*System" -and ($_.ID -eq "1") -and (((((($_.message -match "Image.*.*\\gpupdate.exe" -or $_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "Image.*.*\\nltest.exe" -or $_.message -match "Image.*.*\\taskkill.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\taskmgr.exe" -or $_.message -match "Image.*.*\\sc.exe" -or $_.message -match "Image.*.*\\findstr.exe" -or $_.message -match "Image.*.*\\curl.exe" -or $_.message -match "Image.*.*\\wget.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe" -or $_.message -match "Image.*.*\\accesschk.exe" -or $_.message -match "Image.*.*\\wevtutil.exe" -or $_.message -match "Image.*.*\\bcdedit.exe" -or $_.message -match "Image.*.*\\fsutil.exe" -or $_.message -match "Image.*.*\\cipher.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\write.exe" -or $_.message -match "Image.*.*\\wuauclt.exe") -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\net.exe" -and -not ($_.message -match "CommandLine.*.*start.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\cmd.exe" -and -not (($_.message -match "CommandLine.*.*.spl.*" -or $_.message -match "CommandLine.*.*route add.*" -or $_.message -match "CommandLine.*.*program files.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\netsh.exe" -and -not (($_.message -match "CommandLine.*.*add portopening.*" -or $_.message -match "CommandLine.*.*rule name.*")))) -or (($_.ID -eq "1") -and $_.message -match 
"Image.*.*\\powershell.exe" -and -not ($_.message -match "CommandLine.*.*.spl.*"))) -or ($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*rundll32.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_sqldumper_activity.ps1 b/Rules/SIGMA/process_creation/win_susp_sqldumper_activity.ps1 new file mode 100644 index 00000000..c9b3169b --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_sqldumper_activity.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\sqldumper.exe" -and ($_.message -match "CommandLine.*.*0x0110.*" -or $_.message -match "CommandLine.*.*0x01100:40.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_sqldumper_activity"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_sqldumper_activity"; + $detectedMessage = "Detects process dump via legitimate sqldumper.exe binary"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\sqldumper.exe" -and ($_.message -match "CommandLine.*.*0x0110.*" -or $_.message -match "CommandLine.*.*0x01100:40.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_squirrel_lolbin.ps1 b/Rules/SIGMA/process_creation/win_susp_squirrel_lolbin.ps1 new file mode 100644 index 00000000..091f4c08 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_squirrel_lolbin.ps1 
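Review bot: The second alternative `"CommandLine.*.*0x01100:40.*"` is fully contained in the first, `"CommandLine.*.*0x0110.*"`, so the `-or` adds nothing; either drop it or make the intent explicit with `# 0x01100:40 is the commonly reported LSASS-dump form and is already covered by the 0x0110 pattern`. Whether sqldumper accepts the flag without the leading zero (`0x110`) is worth confirming against the binary; if it does, `"CommandLine.*0x0?110"` covers both spellings. As in the other rules, `"Image.*.*\\sqldumper.exe"` also matches the `ParentImage:` line, so children of sqldumper inherit the alert.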
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\update.exe" -and ($_.message -match "CommandLine.*.*--processStart.*" -or $_.message -match "CommandLine.*.*--processStartAndWait.*" -or $_.message -match "CommandLine.*.*--createShortcut.*") -and $_.message -match "CommandLine.*.*.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_squirrel_lolbin"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_squirrel_lolbin"; + $detectedMessage = "Detects Possible Squirrel Packages Manager as Lolbin"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\update.exe" -and ($_.message -match "CommandLine.*.*--processStart.*" -or $_.message -match "CommandLine.*.*--processStartAndWait.*" -or $_.message -match "CommandLine.*.*--createShortcut.*") -and $_.message -match "CommandLine.*.*.exe.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_svchost.ps1 b/Rules/SIGMA/process_creation/win_susp_svchost.ps1 new file mode 100644 index 00000000..4d7ebc79 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_svchost.ps1 
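Review bot: `\\update.exe` is one of the most common binary names on a Windows desktop (every Squirrel-packaged application ships one and calls it with `--processStart <app>.exe` on ordinary launches), so as written this rule fires on routine application starts; these are well-known false positives for this detection, and `$detectedMessage` should say so or the rule should carry an exclusion on the Image's parent directory. `"CommandLine.*.*.exe.*"` with its unescaped dot reduces to "contains exe" and adds no selectivity; `"CommandLine.*\.exe\b"` is what was intended. The `"Image.*.*\\update.exe"` pattern also matches the `ParentImage:` line of any process update.exe spawns.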
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\svchost.exe" -and -not (($_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\MsMpEng.exe" -or $_.message -match "ParentImage.*.*\\Mrt.exe" -or $_.message -match "ParentImage.*.*\\rpcnet.exe" -or $_.message -match "ParentImage.*.*\\svchost.exe"))) -and -not (-not ParentImage="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_svchost"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_svchost"; + $detectedMessage = "Detects a suspicious svchost process start"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\svchost.exe" -and -not (($_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\MsMpEng.exe" -or $_.message -match "ParentImage.*.*\\Mrt.exe" -or $_.message -match "ParentImage.*.*\\rpcnet.exe" -or $_.message -match "ParentImage.*.*\\svchost.exe"))) -and -not (-not $_.message -match "ParentImage.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_svchost_no_cli.ps1 b/Rules/SIGMA/process_creation/win_susp_svchost_no_cli.ps1 new file mode 100644 index 00000000..ff0f32fb --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_svchost_no_cli.ps1 
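Review bot: `-not (-not $_.message -match "ParentImage.*")` at the end of the `$result` filter does not test for a missing parent: `-not` binds tighter than `-match`, so it evaluates `(-not $_.message) -match "ParentImage.*"`, i.e. `$false -match ...`, which is always false, and the outer `-not` makes the clause unconditionally true, turning the null-parent filter into a no-op. Write it as `$_.message -match "(?m)^ParentImage: \S"` (adjust `\S` if your Sysmon build logs an unknown parent as `-`), or at least `($_.message -match "ParentImage.*")` with explicit parentheses if plain field presence is the intent. The commented `Get-WinEvent` line at the top of the hunk still carries the unconverted fragment `-not (-not ParentImage="*")`, which is not valid PowerShell and should be fixed or removed before someone pastes it.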
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*svchost.exe" -and $_.message -match "Image.*.*\\svchost.exe") -and -not (($_.message -match "ParentImage.*.*\\rpcnet.exe" -or $_.message -match "ParentImage.*.*\\rpcnetp.exe") -or -not CommandLine="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_svchost_no_cli"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_svchost_no_cli"; + $detectedMessage = "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space."; + $result = $event | where { (($_.ID -eq "1") -and ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*svchost.exe" -and $_.message -match "Image.*.*\\svchost.exe") -and -not (($_.message -match "ParentImage.*.*\\rpcnet.exe" -or $_.message -match "ParentImage.*.*\\rpcnetp.exe") -or -not $_.message -match "CommandLine.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_sysprep_appdata.ps1 b/Rules/SIGMA/process_creation/win_susp_sysprep_appdata.ps1 new file mode 100644 index 00000000..23d3509c --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_sysprep_appdata.ps1 
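Review bot: The selection `$_.message -match "CommandLine.*.*svchost.exe"` has no end anchor, so it matches every normal `svchost.exe -k netsvcs -p ...` command line, and a rule whose `$detectedMessage` is specifically about svchost starting without arguments will fire on essentially every service-host start. The "ends with" semantics need a line-end anchor on the multiline message: `$_.message -match "(?m)^CommandLine: .*\\svchost\.exe\s*$"` (`(?m)` is required because `$` otherwise matches only at the end of the whole message, and `\s*` absorbs the `\r`). The trailing `-or -not $_.message -match "CommandLine.*"` has the same precedence problem as in `win_susp_svchost` — it parses as `(-not $_.message) -match ...` and is always false, so the null-CommandLine filter is inert — and the commented header line contains the unconverted fragment `-not CommandLine="*"`.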
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sysprep.exe") -and ($_.message -match "CommandLine.*.*\\AppData\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_sysprep_appdata"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_sysprep_appdata"; + $detectedMessage = "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sysprep.exe") -and ($_.message -match "CommandLine.*.*\\AppData\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_sysvol_access.ps1 b/Rules/SIGMA/process_creation/win_susp_sysvol_access.ps1 new file mode 100644 index 00000000..1efc40ef --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_sysvol_access.ps1 
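Review bot: The `select TimeCreated, Id, RecordId, ProcessId, MachineName, Message` projection (shared by every rule in this series) outputs the `EventLogRecord.ProcessId`, which is the PID of the process that wrote the event — the Sysmon service — not the PID of the created `sysprep.exe`, and an analyst reading the alert will take it for the suspicious process. Either drop that column or parse the real one from the message, e.g. replace `ProcessId` with `@{n='ProcessId';e={ if ($_.Message -match '(?m)^ProcessId: (\d+)') { $Matches[1] } }}`. Separately, `"Image.*.*\\sysprep.exe"` also matches the `ParentImage:` line, so anything sysprep itself spawns with `\AppData\` on its command line re-fires the rule.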
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\SYSVOL\\.*" -and $_.message -match "CommandLine.*.*\\policies\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_sysvol_access"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_sysvol_access"; + $detectedMessage = "Detects Access to Domain Group Policies stored in SYSVOL"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\SYSVOL\\.*" -and $_.message -match "CommandLine.*.*\\policies\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_taskmgr_localsystem.ps1 b/Rules/SIGMA/process_creation/win_susp_taskmgr_localsystem.ps1 new file mode 100644 index 00000000..19caf478 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_taskmgr_localsystem.ps1 
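Review bot: The rule fires on any process whose command line names `\SYSVOL\` and `\policies\`, which includes routine administration — GPO editing, scripted copies or backups of `\\<domain>\SYSVOL\<domain>\Policies\` — so it needs a false-positive note and, ideally, tuning on `Image:`/`User:` before it is used for alerting; `# Expect noise from GPO administration; tune on Image/User before alerting` would do. It also only sees command-line text: a read of the same share through Explorer, or a script that builds the path in a variable, is invisible, so `$detectedMessage` ("Detects Access to Domain Group Policies stored in SYSVOL") overstates what is covered. `"CommandLine.*"` additionally matches the `ParentCommandLine:` line, so children of a matching process report twice.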
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\taskmgr.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_taskmgr_localsystem";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_taskmgr_localsystem";
+ $detectedMessage = "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\taskmgr.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_taskmgr_parent.ps1 b/Rules/SIGMA/process_creation/win_susp_taskmgr_parent.ps1
new file mode 100644
index 00000000..ec3c0248
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_taskmgr_parent.ps1
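Review bot: `$_.message -match "User.*NT AUTHORITY\\SYSTEM"` matches on the bare field-name substring `User`, so on recent Sysmon builds whose event 1 includes a `ParentUser:` line it also fires when only the parent runs as SYSTEM and the `taskmgr.exe` itself is an ordinary user's; anchor it as `"(?m)^User:\s+NT AUTHORITY\\SYSTEM"`. The account name in the Sysmon message is also locale-dependent (`NT-AUTORITÄT\SYSTEM`, `AUTORITE NT\SYSTEM`), so on non-English hosts the rule is silent; the SID is not available in the message, so a comment such as `# English account name only; extend the pattern for localized hosts` should record the limitation. `"Image.*.*\\taskmgr.exe"` likewise matches the `ParentImage:` line.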
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\taskmgr.exe" -and -not (($_.message -match "Image.*.*\\resmon.exe" -or $_.message -match "Image.*.*\\mmc.exe" -or $_.message -match "Image.*.*\\taskmgr.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_taskmgr_parent"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_taskmgr_parent"; + $detectedMessage = "Detects the creation of a process from Windows task manager"; + $result = $event | where { (($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\taskmgr.exe" -and -not (($_.message -match "Image.*.*\\resmon.exe" -or $_.message -match "Image.*.*\\mmc.exe" -or $_.message -match "Image.*.*\\taskmgr.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_tracker_execution.ps1 b/Rules/SIGMA/process_creation/win_susp_tracker_execution.ps1 new file mode 100644 index 00000000..74b52214 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_tracker_execution.ps1 
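Review bot: This rule can never fire as written: the exclusion `-not (... -or $_.message -match "Image.*.*\\taskmgr.exe")` is evaluated against the whole multiline message, and the `ParentImage: C:\...\Taskmgr.exe` line that the selection requires contains the substring `Image...\taskmgr.exe`, so the exclusion is always true and every candidate event is suppressed. Anchor the field names to the line start — `"(?m)^Image: .*\\taskmgr\.exe"` (and the same form for `resmon`/`mmc`) in the exclusion, `"(?m)^ParentImage: .*\\taskmgr\.exe"` in the selection — which also stops the `resmon`/`mmc` exclusions from depending on the same ambiguity. The unanchored `Image.*` construction is used throughout this rule set and is best fixed in the generator rather than per rule.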
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\tracker.exe") -or ($_.message -match "Tracker")) -and ($_.message -match "CommandLine.*.* /d .*") -and ($_.message -match "CommandLine.*.* /c .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_tracker_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_tracker_execution";
+ $detectedMessage = "This rule detects DLL injection and execution via LOLBAS - Tracker.exe";
+ $result = $event | where { ($_.ID -eq "1" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\tracker.exe") -or ($_.message -match "Tracker")) -and ($_.message -match "CommandLine.*.* /d .*") -and ($_.message -match "CommandLine.*.* /c .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_tscon_localsystem.ps1 b/Rules/SIGMA/process_creation/win_susp_tscon_localsystem.ps1
new file mode 100644
index 00000000..ac38e23c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_tscon_localsystem.ps1
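Review bot: `$_.message -match "Tracker"` in the `$result` filter is not tied to any field, so an event 1 message containing the substring `tracker` anywhere (a path, a user name, a command-line argument; `-match` is case-insensitive) satisfies that branch, and the only other constraints are `/d` and `/c` somewhere in the command line, which will be noisy. Presumably the bare `Tracker` term stands for the binary's OriginalFileName; if so, `$_.message -match "OriginalFileName:.*Tracker"` narrows it to that field. `$_.ID -eq "1" -and ($_.ID -eq "1")` tests the event ID twice; one test is enough.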
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\tscon.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_tscon_localsystem";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_tscon_localsystem";
+ $detectedMessage = "Detects a tscon.exe start as LOCAL SYSTEM";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\tscon.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_tscon_rdp_redirect.ps1 b/Rules/SIGMA/process_creation/win_susp_tscon_rdp_redirect.ps1
new file mode 100644
index 00000000..145ee469
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_tscon_rdp_redirect.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /dest:rdp-tcp:.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_tscon_rdp_redirect";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_tscon_rdp_redirect";
+ $detectedMessage = "Detects a suspicious RDP session redirect using tscon.exe";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /dest:rdp-tcp:.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_use_of_csharp_console.ps1 b/Rules/SIGMA/process_creation/win_susp_use_of_csharp_console.ps1
new file mode 100644
index 00000000..b1719304
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_use_of_csharp_console.ps1
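Review bot: The `$result` filter tests only `CommandLine.*.* /dest:rdp-tcp:.*`, while `$detectedMessage` and the file name attribute the redirect to tscon.exe, so any process whose command line carries `/dest:rdp-tcp:` is reported as a tscon.exe redirect. If matching on the switch alone is deliberate (a renamed tscon.exe would otherwise be missed), a comment above the assignment such as `# no Image check on purpose: tscon.exe may be renamed, the /dest: switch is the signal` would record that; otherwise add an anchored `(?m)^Image:.*\\tscon\.exe` condition.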
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\csi.exe" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "OriginalFileName.*csi.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_use_of_csharp_console";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_use_of_csharp_console";
+ $detectedMessage = "Detects the execution of CSharp interactive console by PowerShell";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\csi.exe" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "OriginalFileName.*csi.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_use_of_sqlps_bin.ps1 b/Rules/SIGMA/process_creation/win_susp_use_of_sqlps_bin.ps1
new file mode 100644
index 00000000..f83a562b
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_use_of_sqlps_bin.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sqlps.exe" -or $_.message -match "ParentImage.*.*\\sqlps.exe") -or ($_.message -match "OriginalFileName.*\\sqlps.exe" -and -not ($_.message -match "ParentImage.*.*\\sqlagent.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_use_of_sqlps_bin";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_use_of_sqlps_bin";
+ $detectedMessage = "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sqlps.exe" -or $_.message -match "ParentImage.*.*\\sqlps.exe") -or ($_.message -match "OriginalFileName.*\\sqlps.exe" -and -not ($_.message -match "ParentImage.*.*\\sqlagent.exe")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_use_of_sqltoolsps_bin.ps1 b/Rules/SIGMA/process_creation/win_susp_use_of_sqltoolsps_bin.ps1
new file mode 100644
index 00000000..1de6b898
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_use_of_sqltoolsps_bin.ps1
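Review bot: The `OriginalFileName.*\\sqlps.exe` branch of the `$result` filter is dead: the OriginalFileName field holds the PE's original name without a path (`OriginalFileName: sqlps.exe`), and `.` does not cross the line break to a backslash on an earlier line, so the renamed-binary detection this branch provides, together with the `-not ParentImage sqlagent.exe` exclusion attached to it, never triggers. Drop the backslash, `$_.message -match "OriginalFileName:.*sqlps\.exe"`, as the win_susp_use_of_csharp_console hunk already does with `OriginalFileName.*csi.exe`. The same `OriginalFileName.*\\` pattern appears in the win_susp_use_of_sqltoolsps_bin and win_susp_use_of_te_bin hunks.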
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sqltoolsps.exe" -or $_.message -match "ParentImage.*.*\\sqltoolsps.exe") -or ($_.message -match "OriginalFileName.*\\sqltoolsps.exe" -and -not ($_.message -match "ParentImage.*.*\\smss.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_use_of_sqltoolsps_bin";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_use_of_sqltoolsps_bin";
+ $detectedMessage = "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.";
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sqltoolsps.exe" -or $_.message -match "ParentImage.*.*\\sqltoolsps.exe") -or ($_.message -match "OriginalFileName.*\\sqltoolsps.exe" -and -not ($_.message -match "ParentImage.*.*\\smss.exe")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_use_of_te_bin.ps1 b/Rules/SIGMA/process_creation/win_susp_use_of_te_bin.ps1
new file mode 100644
index 00000000..997725b4
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_use_of_te_bin.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\te.exe" -or $_.message -match "ParentImage.*.*\\te.exe" -or $_.message -match "OriginalFileName.*\\te.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_use_of_te_bin";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_use_of_te_bin";
+ $detectedMessage = "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\te.exe" -or $_.message -match "ParentImage.*.*\\te.exe" -or $_.message -match "OriginalFileName.*\\te.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_use_of_vsjitdebugger_bin.ps1 b/Rules/SIGMA/process_creation/win_susp_use_of_vsjitdebugger_bin.ps1
new file mode 100644
index 00000000..97e17514
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_use_of_vsjitdebugger_bin.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\vsjitdebugger.exe" -and -not ((($_.ID -eq "1") -and ($_.message -match "Image.*.*\\vsimmersiveactivatehelper.*.exe" -or $_.message -match "Image.*.*\\devenv.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_use_of_vsjitdebugger_bin";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_use_of_vsjitdebugger_bin";
+ $detectedMessage = "There is an option for a MS VS Just-In-Time Debugger ""vsjitdebugger.exe"" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.";
+ $result = $event | where { (($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\vsjitdebugger.exe" -and -not ((($_.ID -eq "1") -and ($_.message -match "Image.*.*\\vsimmersiveactivatehelper.*.exe" -or $_.message -match "Image.*.*\\devenv.exe")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_userinit_child.ps1 b/Rules/SIGMA/process_creation/win_susp_userinit_child.ps1
new file mode 100644
index 00000000..cfb2a65a
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_userinit_child.ps1
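Review bot: The inner `(($_.ID -eq "1") -and (...))` inside the `-not` of the `$result` filter repeats the event-ID test already made at the start of the expression and only makes the exclusion harder to read; `-not ($_.message -match "Image.*.*\\vsimmersiveactivatehelper.*.exe" -or $_.message -match "Image.*.*\\devenv.exe")` is equivalent. The two `Write-Output` lines for `$result` and `""` sit at column 0 and an extra blank line precedes `};`, unlike the sibling rules; the win_susp_wmic_eventconsumer_create hunk has the same layout. `$detectedMessage` reads `may be used adversaries`; `may be used by adversaries` is meant.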
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\userinit.exe" -and -not ($_.message -match "CommandLine.*.*\\netlogon\\.*")) -and -not ($_.message -match "Image.*.*\\explorer.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_userinit_child";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_userinit_child";
+ $detectedMessage = "Detects a suspicious child process of userinit";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\userinit.exe" -and -not ($_.message -match "CommandLine.*.*\\netlogon\\.*")) -and -not ($_.message -match "Image.*.*\\explorer.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_vboxdrvInst.ps1 b/Rules/SIGMA/process_creation/win_susp_vboxdrvInst.ps1
new file mode 100644
index 00000000..fed2e744
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_vboxdrvInst.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\VBoxDrvInst.exe" -and $_.message -match "CommandLine.*.*driver.*" -and $_.message -match "CommandLine.*.*executeinf.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_vboxdrvInst";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_vboxdrvInst";
+ $detectedMessage = "Detect VBoxDrvInst.exe run whith parameters allowing processing INF file. This allows to create values in the registry and install drivers.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\VBoxDrvInst.exe" -and $_.message -match "CommandLine.*.*driver.*" -and $_.message -match "CommandLine.*.*executeinf.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_vbscript_unc2452.ps1 b/Rules/SIGMA/process_creation/win_susp_vbscript_unc2452.ps1
new file mode 100644
index 00000000..4fe45fe5
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_vbscript_unc2452.ps1
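Review bot: `$detectedMessage` is the text printed on every hit and carries the typo `whith`; `run with parameters` is meant. The win_susp_winrm_execution hunk below has the same kind of slip in its message, `execude` for `execute`. Both are runtime strings, so the fix belongs in the assignment rather than in a comment.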
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*Execute.*" -and $_.message -match "CommandLine.*.*CreateObject.*" -and $_.message -match "CommandLine.*.*RegRead.*" -and $_.message -match "CommandLine.*.*window.close.*" -and $_.message -match "CommandLine.*.*\\Microsoft\\Windows\\CurrentVersion.*") -and -not (($_.message -match "CommandLine.*.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_vbscript_unc2452";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_vbscript_unc2452";
+ $detectedMessage = "Detects suspicious inline VBScript keywords as used by UNC2452";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*Execute.*" -and $_.message -match "CommandLine.*.*CreateObject.*" -and $_.message -match "CommandLine.*.*RegRead.*" -and $_.message -match "CommandLine.*.*window.close.*" -and $_.message -match "CommandLine.*.*\\Microsoft\\Windows\\CurrentVersion.*") -and -not (($_.message -match "CommandLine.*.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_volsnap_disable.ps1 b/Rules/SIGMA/process_creation/win_susp_volsnap_disable.ps1
new file mode 100644
index 00000000..a8bd2908
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_volsnap_disable.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.* add .*" -and $_.message -match "CommandLine.*.*\\Services\\VSS\\Diag.*" -and $_.message -match "CommandLine.*.*/d Disabled.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_volsnap_disable";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_volsnap_disable";
+ $detectedMessage = "Detects commands that temporarily turn off Volume Snapshots";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.* add .*" -and $_.message -match "CommandLine.*.*\\Services\\VSS\\Diag.*" -and $_.message -match "CommandLine.*.*/d Disabled.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_whoami.ps1 b/Rules/SIGMA/process_creation/win_susp_whoami.ps1
new file mode 100644
index 00000000..83a3a7c4
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_whoami.ps1
@@ -0,0 +1,30 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "OriginalFileName.*whoami.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_whoami";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_whoami";
+ $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "OriginalFileName.*whoami.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_winrm_AWL_bypass.ps1 b/Rules/SIGMA/process_creation/win_susp_winrm_AWL_bypass.ps1
new file mode 100644
index 00000000..e0d34c9f
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_winrm_AWL_bypass.ps1
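Review bot: `$detectedMessage` is never assigned in this rule, while every sibling rule sets it directly after the inner `$ruleName`, so `Write-Output $detectedMessage` on a hit emits nothing and the detection prints without its description. Add `$detectedMessage = "<DESCRIPTION PLACEHOLDER: what a whoami.exe execution indicates>";` after `$ruleName = "win_susp_whoami";`. Since the unanchored `Image.*.*\\whoami.exe` also matches the `ParentImage:` line, children of whoami.exe will trigger this rule as well; `"(?m)^Image:.*\\whoami\.exe"` limits it to the process itself.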
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*winrm.*" -and ($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*format:pretty.*" -or $_.message -match "CommandLine.*.*format:\"pretty\".*" -or $_.message -match "CommandLine.*.*format:\"text\".*" -or $_.message -match "CommandLine.*.*format:text.*") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { (($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*WsmPty.xsl" -or $_.message -match "TargetFilename.*.*WsmTxt.xsl") -and -not (($_.message -match "TargetFilename.*C:\\Windows\\System32\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\SysWOW64\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_winrm_AWL_bypass";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_winrm_AWL_bypass";
+ $detectedMessage = "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*winrm.*" -and ($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*format:pretty.*" -or $_.message -match "CommandLine.*.*format:""pretty"".*" -or $_.message -match "CommandLine.*.*format:""text"".*" -or $_.message -match "CommandLine.*.*format:text.*") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { (($_.ID -eq "11") 
-and ($_.message -match "TargetFilename.*.*WsmPty.xsl" -or $_.message -match "TargetFilename.*.*WsmTxt.xsl") -and -not (($_.message -match "TargetFilename.*C:\\Windows\\System32\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\SysWOW64\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_winrm_execution.ps1 b/Rules/SIGMA/process_creation/win_susp_winrm_execution.ps1
new file mode 100644
index 00000000..308184fa
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_winrm_execution.ps1
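Review bot: The `-not` exclusion on the event 1 branch of the first `$tmp` assignment, `Image.*C:\\Windows\\System32\\.*` and `Image.*C:\\Windows\\SysWOW64\\.*`, also matches the `ParentImage:` line, so a copied cscript.exe in a user-writable directory is excluded whenever its parent (cmd.exe, powershell.exe, explorer.exe) lives under System32, which is exactly the case `$detectedMessage` says the rule is for. Anchor the exclusion to the child image: `"(?m)^Image:.*C:\\Windows\\System32\\.*"` and `"(?m)^Image:.*C:\\Windows\\SysWOW64\\.*"`. That same assignment also tests `($_.ID -eq "1")` twice; one test is enough.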
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cscript.exe" -and $_.message -match "CommandLine.*.*winrm.*" -and $_.message -match "CommandLine.*.*invoke Create wmicimv2/Win32_.*" -and $_.message -match "CommandLine.*.*-r:http.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_winrm_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_winrm_execution";
+ $detectedMessage = "Detects an attempt to execude code or create service on remote host via winrm.vbs.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cscript.exe" -and $_.message -match "CommandLine.*.*winrm.*" -and $_.message -match "CommandLine.*.*invoke Create wmicimv2/Win32_.*" -and $_.message -match "CommandLine.*.*-r:http.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_wmi_execution.ps1 b/Rules/SIGMA/process_creation/win_susp_wmi_execution.ps1
new file mode 100644
index 00000000..942662ba
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_wmi_execution.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\wmic.exe" -and (($_.message -match "CommandLine.*.*process.*" -and $_.message -match "CommandLine.*.*call.*" -and $_.message -match "CommandLine.*.*create .*") -or ($_.message -match "CommandLine.*.* path .*" -and ($_.message -match "CommandLine.*.*AntiVirus.*" -or $_.message -match "CommandLine.*.*Firewall.*") -and $_.message -match "CommandLine.*.*Product.*" -and $_.message -match "CommandLine.*.* get .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_wmi_execution";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_wmi_execution";
+ $detectedMessage = "Detects WMI executing suspicious commands";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\wmic.exe" -and (($_.message -match "CommandLine.*.*process.*" -and $_.message -match "CommandLine.*.*call.*" -and $_.message -match "CommandLine.*.*create .*") -or ($_.message -match "CommandLine.*.* path .*" -and ($_.message -match "CommandLine.*.*AntiVirus.*" -or $_.message -match "CommandLine.*.*Firewall.*") -and $_.message -match "CommandLine.*.*Product.*" -and $_.message -match "CommandLine.*.* get .*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_wmic_eventconsumer_create.ps1 b/Rules/SIGMA/process_creation/win_susp_wmic_eventconsumer_create.ps1
new file mode 100644
index 00000000..94ef92df
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_wmic_eventconsumer_create.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*ActiveScriptEventConsumer.*" -and $_.message -match "CommandLine.*.* CREATE .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_wmic_eventconsumer_create";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_wmic_eventconsumer_create";
+ $detectedMessage = "Detects WMIC executions in which a event consumer gets created in order to establish persistence";
+ $result = $event | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*ActiveScriptEventConsumer.*" -and $_.message -match "CommandLine.*.* CREATE .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+Write-Output $result;
+Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_wmic_proc_create_rundll32.ps1 b/Rules/SIGMA/process_creation/win_susp_wmic_proc_create_rundll32.ps1
new file mode 100644
index 00000000..6bd42c93
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_wmic_proc_create_rundll32.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*process call create.*" -and $_.message -match "CommandLine.*.*rundll32.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_susp_wmic_proc_create_rundll32";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_susp_wmic_proc_create_rundll32";
+ $detectedMessage = "Detects WMI executing rundll32";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*process call create.*" -and $_.message -match "CommandLine.*.*rundll32.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_susp_wmic_security_product_uninstall.ps1 b/Rules/SIGMA/process_creation/win_susp_wmic_security_product_uninstall.ps1
new file mode 100644
index 00000000..127e8aeb
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_susp_wmic_security_product_uninstall.ps1
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*wmic.*" -and $_.message -match "CommandLine.*.*product where name=.*" -and $_.message -match "CommandLine.*.*call uninstall.*" -and $_.message -match "CommandLine.*.*/nointeractive.*" -and ($_.message -match "CommandLine.*.*Antivirus.*" -or $_.message -match "CommandLine.*.*Endpoint Security.*" -or $_.message -match "CommandLine.*.*Endpoint Detection.*" -or $_.message -match "CommandLine.*.*Crowdstrike Sensor.*" -or $_.message -match "CommandLine.*.*Windows Defender.*" -or $_.message -match "CommandLine.*.*VirusScan.*" -or $_.message -match "CommandLine.*.*Threat Protection.*" -or $_.message -match "CommandLine.*.*Endpoint Sensor.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_wmic_security_product_uninstall"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_wmic_security_product_uninstall"; + $detectedMessage = "Detects deinstallation of security products using WMIC utility"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*wmic.*" -and $_.message -match "CommandLine.*.*product where name=.*" -and $_.message -match "CommandLine.*.*call uninstall.*" -and $_.message -match "CommandLine.*.*/nointeractive.*" -and ($_.message -match "CommandLine.*.*Antivirus.*" -or $_.message -match "CommandLine.*.*Endpoint Security.*" -or $_.message -match "CommandLine.*.*Endpoint Detection.*" -or $_.message -match "CommandLine.*.*Crowdstrike Sensor.*" -or $_.message -match "CommandLine.*.*Windows Defender.*" -or $_.message -match "CommandLine.*.*VirusScan.*" -or $_.message -match "CommandLine.*.*Threat Protection.*" -or $_.message -match "CommandLine.*.*Endpoint Sensor.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) 
{ + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_wsl_lolbin.ps1 b/Rules/SIGMA/process_creation/win_susp_wsl_lolbin.ps1 new file mode 100644 index 00000000..74734408 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_susp_wsl_lolbin.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wsl.exe") -and ($_.message -match "CommandLine.*.* -e .*" -or $_.message -match "CommandLine.*.* --exec .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_wsl_lolbin"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_wsl_lolbin"; + $detectedMessage = "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wsl.exe") -and ($_.message -match "CommandLine.*.* -e .*" -or $_.message -match "CommandLine.*.* --exec .*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_susp_wuauclt.ps1 b/Rules/SIGMA/process_creation/win_susp_wuauclt.ps1 new file mode 100644 index 00000000..75a969b7 --- /dev/null 
+++ b/Rules/SIGMA/process_creation/win_susp_wuauclt.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ProcessCommandLine.*.*/UpdateDeploymentProvider.*" -and $_.message -match "ProcessCommandLine.*.*/RunHandlerComServer.*" -and ($_.message -match "Image.*.*\\wuauclt.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_susp_wuauclt"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_susp_wuauclt"; + $detectedMessage = "Detects code execution via the Windows Update client (wuauclt)"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ProcessCommandLine.*.*/UpdateDeploymentProvider.*" -and $_.message -match "ProcessCommandLine.*.*/RunHandlerComServer.*" -and ($_.message -match "Image.*.*\\wuauclt.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_syncappvpublishingserver_exe.ps1 b/Rules/SIGMA/process_creation/win_syncappvpublishingserver_exe.ps1 new file mode 100644 index 00000000..47ac424e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_syncappvpublishingserver_exe.ps1 
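Review bot: The filter matches `ProcessCommandLine.*`, but the Sysmon event 1 message that every sibling rule targets carries the field as `CommandLine:`, so unless the event source here renders a `ProcessCommandLine` field this rule never fires. The commented Get-WinEvent line at the top of the file has the same mismatch. Replacing both occurrences with `$_.message -match "CommandLine.*.*/UpdateDeploymentProvider.*" -and $_.message -match "CommandLine.*.*/RunHandlerComServer.*"` aligns it with the other process_creation rules.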
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\SyncAppvPublishingServer.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message +# Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where { ($_.message -match ".*SyncAppvPublishingServer.exe.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message + +function Add-Rule { + + $ruleName = "win_syncappvpublishingserver_exe"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_syncappvpublishingserver_exe"; + $detectedMessage = "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions."; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\SyncAppvPublishingServer.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.message -match ".*SyncAppvPublishingServer.exe.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_sysmon_driver_unload.ps1 b/Rules/SIGMA/process_creation/win_sysmon_driver_unload.ps1 new file mode 100644 index 00000000..cb08bc83 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_sysmon_driver_unload.ps1 
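Review bot: The second query, `$_.message -match ".*SyncAppvPublishingServer.exe.*"`, has no ID or log restriction and therefore also matches every event the first query already returned, so each Sysmon hit is printed twice under the same rule name. The comment line documents that this query is meant for Microsoft-Windows-PowerShell/Operational; restricting it accordingly, `$tmp = $event | where { ($_.LogName -eq "Microsoft-Windows-PowerShell/Operational" -and $_.message -match "SyncAppvPublishingServer.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;`, removes the overlap. `[void]$results.Add($tmp)` also stores `$null` when a query returns nothing, which only works because the loop re-checks `$result`; an `if ($tmp)` guard before each Add would make that explicit.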
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\fltmc.exe" -and $_.message -match "CommandLine.*.*unload.*" -and $_.message -match "CommandLine.*.*sys.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_sysmon_driver_unload";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_sysmon_driver_unload";
+ $detectedMessage = "Detect possible Sysmon driver unload";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\fltmc.exe" -and $_.message -match "CommandLine.*.*unload.*" -and $_.message -match "CommandLine.*.*sys.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_system_exe_anomaly.ps1 b/Rules/SIGMA/process_creation/win_system_exe_anomaly.ps1
new file mode 100644
index 00000000..104f3de9
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_system_exe_anomaly.ps1
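Review bot: The third condition, `$_.message -match "CommandLine.*.*sys.*"`, is satisfied by almost any command line (`System32`, `.sys`, `sysmon`, …) and so adds no precision beyond `fltmc.exe` plus `unload`; in effect the rule is "any fltmc unload". If the intent is the default Sysmon driver, `CommandLine.*.*unload.*sysmon` says so; if the broad match is deliberate because the driver may be installed under another name, a comment stating that would stop the next reader from tightening it.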
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\services.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\spoolsv.exe" -or $_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\smss.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\conhost.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\lsm.exe" -or $_.message -match "Image.*.*\\winlogon.exe" -or $_.message -match "Image.*.*\\explorer.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\Taskmgr.exe" -or $_.message -match "Image.*.*\\sihost.exe" -or $_.message -match "Image.*.*\\RuntimeBroker.exe" -or $_.message -match "Image.*.*\\smartscreen.exe" -or $_.message -match "Image.*.*\\dllhost.exe" -or $_.message -match "Image.*.*\\audiodg.exe" -or $_.message -match "Image.*.*\\wlanext.exe") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\system32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWow64\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "Image.*C:\\Windows\\winsxs\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*" -or $_.message -match "Image.*C:\\avast! 
sandbox.*") -or $_.message -match "Image.*.*\\SystemRoot\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\explorer.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_system_exe_anomaly"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_system_exe_anomaly"; + $detectedMessage = "Detects a Windows program executable started in a suspicious folder"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\services.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\spoolsv.exe" -or $_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\smss.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\conhost.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\lsm.exe" -or $_.message -match "Image.*.*\\winlogon.exe" -or $_.message -match "Image.*.*\\explorer.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\Taskmgr.exe" -or $_.message -match "Image.*.*\\sihost.exe" -or $_.message -match "Image.*.*\\RuntimeBroker.exe" -or $_.message -match "Image.*.*\\smartscreen.exe" -or $_.message -match "Image.*.*\\dllhost.exe" -or $_.message -match "Image.*.*\\audiodg.exe" -or $_.message -match "Image.*.*\\wlanext.exe") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\system32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWow64\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "Image.*C:\\Windows\\winsxs\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*" -or $_.message -match "Image.*C:\\avast! 
sandbox.*") -or $_.message -match "Image.*.*\\SystemRoot\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\explorer.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_tap_installer_execution.ps1 b/Rules/SIGMA/process_creation/win_tap_installer_execution.ps1 new file mode 100644 index 00000000..655ad118 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_tap_installer_execution.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\tapinstall.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_tap_installer_execution"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_tap_installer_execution"; + $detectedMessage = "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\tapinstall.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
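Review bot: PowerShell's `-match` is case-insensitive by default, so the paired exclusions `C:\\Windows\\System32` / `C:\\Windows\\system32`, `SysWow64` / `SysWOW64` and `winsxs` / `WinSxS` are duplicates and can be collapsed to one pattern each. The exclusion list also hard-codes the `C:` drive, so on a host whose system volume has another letter every listed binary in System32 is reported as anomalous; `Image.*:\\Windows\\System32\\.*` would avoid that. The `avast! sandbox` pattern is split across two page lines in this view, so its exact text cannot be verified here.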
diff --git a/Rules/SIGMA/process_creation/win_task_folder_evasion.ps1 b/Rules/SIGMA/process_creation/win_task_folder_evasion.ps1 new file mode 100644 index 00000000..e59e7f06 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_task_folder_evasion.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent | where {(($_.message -match "CommandLine.*.*echo .*" -or $_.message -match "CommandLine.*.*copy .*" -or $_.message -match "CommandLine.*.*type .*" -or $_.message -match "CommandLine.*.*file createnew.*") -and ($_.message -match "CommandLine.*.* C:\\Windows\\System32\\Tasks\\.*" -or $_.message -match "CommandLine.*.* C:\\Windows\\SysWow64\\Tasks\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_task_folder_evasion"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_task_folder_evasion"; + $detectedMessage = "The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr"; + $result = $event | where { (($_.message -match "CommandLine.*.*echo .*" -or $_.message -match "CommandLine.*.*copy .*" -or $_.message -match "CommandLine.*.*type .*" -or $_.message -match "CommandLine.*.*file createnew.*") -and ($_.message -match "CommandLine.*.* C:\\Windows\\System32\\Tasks\\.*" -or $_.message -match "CommandLine.*.* C:\\Windows\\SysWow64\\Tasks\\.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_termserv_proc_spawn.ps1 b/Rules/SIGMA/process_creation/win_termserv_proc_spawn.ps1 new file mode 100644 index 00000000..89d0b27d --- /dev/null 
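Review bot: This is the only rule on the page that does not restrict on `$_.ID -eq "1"`, and its commented Get-WinEvent line names no log, so any event whose message contains a matching `CommandLine` line, not only Sysmon process creations, is reported. If the omission is deliberate (for example to also cover Security 4688 events, whose message carries the command line when command-line auditing is enabled), a one-line comment saying so would prevent it from being "fixed" later; otherwise add `$_.ID -eq "1" -and` in front of the outer group in both the comment and the filter.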
+++ b/Rules/SIGMA/process_creation/win_termserv_proc_spawn.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "ParentCommandLine.*.*\\svchost.exe.*" -and $_.message -match "ParentCommandLine.*.*termsvcs.*") -and -not ($_.message -match "Image.*.*\\rdpclip.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_termserv_proc_spawn"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_termserv_proc_spawn"; + $detectedMessage = "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)"; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "ParentCommandLine.*.*\\svchost.exe.*" -and $_.message -match "ParentCommandLine.*.*termsvcs.*") -and -not ($_.message -match "Image.*.*\\rdpclip.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_tools_relay_attacks.ps1 b/Rules/SIGMA/process_creation/win_tools_relay_attacks.ps1 new file mode 100644 index 00000000..4282465e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_tools_relay_attacks.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*PetitPotam.*" -or $_.message -match "Image.*.*RottenPotato.*" -or $_.message -match "Image.*.*HotPotato.*" -or $_.message -match "Image.*.*JuicyPotato.*" -or $_.message -match "Image.*.*\\just_dce_.*" -or $_.message -match "Image.*.*Juicy Potato.*" -or $_.message -match "Image.*.*\\temp\\rot.exe.*" -or $_.message -match "Image.*.*\\Potato.exe.*" -or $_.message -match "Image.*.*\\SpoolSample.exe.*" -or $_.message -match "Image.*.*\\Responder.exe.*" -or $_.message -match "Image.*.*\\smbrelayx.*" -or $_.message -match "Image.*.*\\ntlmrelayx.*") -or ($_.message -match "CommandLine.*.*Invoke-Tater.*" -or $_.message -match "CommandLine.*.* smbrelay.*" -or $_.message -match "CommandLine.*.* ntlmrelay.*" -or $_.message -match "CommandLine.*.*cme smb .*" -or $_.message -match "CommandLine.*.* /ntlm:NTLMhash .*" -or $_.message -match "CommandLine.*.*Invoke-PetitPotam.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_tools_relay_attacks"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_tools_relay_attacks"; + $detectedMessage = "Detects different hacktools used for relay attacks on Windows for privilege escalation"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*PetitPotam.*" -or $_.message -match "Image.*.*RottenPotato.*" -or $_.message -match "Image.*.*HotPotato.*" -or $_.message -match "Image.*.*JuicyPotato.*" -or $_.message -match "Image.*.*\\just_dce_.*" -or $_.message -match "Image.*.*Juicy Potato.*" -or $_.message -match "Image.*.*\\temp\\rot.exe.*" -or $_.message -match "Image.*.*\\Potato.exe.*" -or $_.message -match "Image.*.*\\SpoolSample.exe.*" -or $_.message -match "Image.*.*\\Responder.exe.*" -or $_.message -match "Image.*.*\\smbrelayx.*" -or $_.message -match 
"Image.*.*\\ntlmrelayx.*") -or ($_.message -match "CommandLine.*.*Invoke-Tater.*" -or $_.message -match "CommandLine.*.* smbrelay.*" -or $_.message -match "CommandLine.*.* ntlmrelay.*" -or $_.message -match "CommandLine.*.*cme smb .*" -or $_.message -match "CommandLine.*.* /ntlm:NTLMhash .*" -or $_.message -match "CommandLine.*.*Invoke-PetitPotam.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_trust_discovery.ps1 b/Rules/SIGMA/process_creation/win_trust_discovery.ps1 new file mode 100644 index 00000000..14e34d83 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_trust_discovery.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\nltest.exe" -and ($_.message -match "CommandLine.*.*domain_trusts.*" -or $_.message -match "CommandLine.*.*all_trusts.*" -or $_.message -match "CommandLine.*.*/dclist.*")) -or ($_.message -match "Image.*.*\\dsquery.exe" -and $_.message -match "CommandLine.*.*trustedDomain.*") -or ($_.message -match "Image.*.*\\dsquery.exe" -and $_.message -match "CommandLine.*.*-filter.*" -and $_.message -match "CommandLine.*.*trustedDomain.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_trust_discovery"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_trust_discovery"; + $detectedMessage = "Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts."; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\nltest.exe" -and ($_.message -match "CommandLine.*.*domain_trusts.*" -or $_.message -match "CommandLine.*.*all_trusts.*" -or $_.message -match "CommandLine.*.*/dclist.*")) -or ($_.message -match "Image.*.*\\dsquery.exe" -and $_.message -match "CommandLine.*.*trustedDomain.*") -or ($_.message -match "Image.*.*\\dsquery.exe" -and $_.message -match "CommandLine.*.*-filter.*" -and $_.message -match "CommandLine.*.*trustedDomain.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
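Review bot: The third alternative, `dsquery.exe` with both `-filter` and `trustedDomain`, is strictly contained in the second, `dsquery.exe` with `trustedDomain`, so it can never contribute a match and only makes the filter harder to read. Dropping it leaves the behaviour unchanged; if it was kept to mirror the upstream Sigma selections one-to-one, a comment noting that would help the next reader.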
diff --git a/Rules/SIGMA/process_creation/win_uac_cmstp.ps1 b/Rules/SIGMA/process_creation/win_uac_cmstp.ps1 new file mode 100644 index 00000000..c58426c6 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_uac_cmstp.ps1 @@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmstp.exe" -and ($_.message -match "CommandLine.*.*/s.*" -or $_.message -match "CommandLine.*.*/au.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_uac_cmstp"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_uac_cmstp"; + $detectedMessage = "Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe)."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmstp.exe" -and ($_.message -match "CommandLine.*.*/s.*" -or $_.message -match "CommandLine.*.*/au.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; +Write-Output $result; +Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_uac_fodhelper.ps1 b/Rules/SIGMA/process_creation/win_uac_fodhelper.ps1 new file mode 100644 index 00000000..327bae39 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_uac_fodhelper.ps1 
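Review bot: `$detectedMessage` announces child processes of an elevated cmstp.exe, but the filter checks `Image.*.*\\cmstp.exe`, i.e. the cmstp.exe process itself, so one of the two is wrong; if children are meant, the pattern should read `ParentImage.*.*\\cmstp.exe`, as win_uac_fodhelper does. The `CommandLine.*.*/s.*` term is also just a substring test, and with `-match` being case-insensitive it hits any `/s…` or `/S…` token, so it filters very little. Two `Write-Output` lines in the `if` block sit at column 0 and should be indented with their neighbours.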
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\fodhelper.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_uac_fodhelper";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_uac_fodhelper";
+ $detectedMessage = "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.";
+ $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\fodhelper.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_uac_wsreset.ps1 b/Rules/SIGMA/process_creation/win_uac_wsreset.ps1
new file mode 100644
index 00000000..6db5114a
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_uac_wsreset.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\wsreset.exe" -and -not ($_.message -match "Image.*.*\\conhost.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_uac_wsreset";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_uac_wsreset";
+ $detectedMessage = "Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.";
+ $result = $event | where { (($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\wsreset.exe" -and -not ($_.message -match "Image.*.*\\conhost.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if(! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ } else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.ps1 b/Rules/SIGMA/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.ps1
new file mode 100644
index 00000000..b7c9e86c
--- /dev/null
+++ b/Rules/SIGMA/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.ps1
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\sc.exe" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*binPath.*") -or ($_.message -match "CommandLine.*.*failure.*" -and $_.message -match "CommandLine.*.*command.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_using_sc_to_change_sevice_image_path_by_non_admin"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_using_sc_to_change_sevice_image_path_by_non_admin"; + $detectedMessage = "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\sc.exe" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*binPath.*") -or ($_.message -match "CommandLine.*.*failure.*" -and $_.message -match "CommandLine.*.*command.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_using_settingsynchost_as_lolbin.ps1 b/Rules/SIGMA/process_creation/win_using_settingsynchost_as_lolbin.ps1 new file mode 100644 index 00000000..a944d51e --- /dev/null +++ b/Rules/SIGMA/process_creation/win_using_settingsynchost_as_lolbin.ps1 
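Review bot: `$_.ID -eq "1"` is tested twice in the same filter (`$_.ID -eq "1" -and … -and ($_.ID -eq "1")`), both here and in the commented Get-WinEvent line; the second copy is dead and can be removed. The `failure` / `command` pair are plain substring tests, so `command` also matches any command line that merely contains that word; requiring the sc.exe token form, `CommandLine.*.*failure.*command=`, is closer to the syntax the message describes.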
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*")) -and ($_.message -match "ParentCommandLine.*.*cmd.exe /c.*" -and $_.message -match "ParentCommandLine.*.*RoamDiag.cmd.*" -and $_.message -match "ParentCommandLine.*.*-outputpath.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_using_settingsynchost_as_lolbin"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_using_settingsynchost_as_lolbin"; + $detectedMessage = "Detects using SettingSyncHost.exe to run hijacked binary"; + $result = $event | where { (($_.ID -eq "1") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*")) -and ($_.message -match "ParentCommandLine.*.*cmd.exe /c.*" -and $_.message -match "ParentCommandLine.*.*RoamDiag.cmd.*" -and $_.message -match "ParentCommandLine.*.*-outputpath.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; +Write-Output $result; +Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_verclsid_runs_com.ps1 b/Rules/SIGMA/process_creation/win_verclsid_runs_com.ps1 new file mode 100644 index 00000000..2f6be803 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_verclsid_runs_com.ps1 
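Review bot: Nothing in the filter references SettingSyncHost.exe itself, only a parent command line of `cmd.exe /c … RoamDiag.cmd … -outputpath` with an image outside System32/SysWOW64, so a reader cannot tell from the code why this detects the LOLBin named in `$detectedMessage`. A comment on the `$result` line stating the relationship, presumably that SettingSyncHost.exe runs RoamDiag.cmd through cmd.exe and the hijacked binary shows up as its child, would make the rule maintainable. The `-not (… C:\\Windows\\System32 …)` exclusion also hard-codes the `C:` drive letter, and two `Write-Output` lines in the `if` block sit at column 0.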
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\verclsid.exe" -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*/S.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_verclsid_runs_com"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_verclsid_runs_com"; + $detectedMessage = "Detects when verclsid.exe is used to run COM object via GUID"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\verclsid.exe" -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*/S.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_visual_basic_compiler.ps1 b/Rules/SIGMA/process_creation/win_visual_basic_compiler.ps1 new file mode 100644 index 00000000..312741e9 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_visual_basic_compiler.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\vbc.exe" -and $_.message -match "Image.*.*\\cvtres.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_visual_basic_compiler"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_visual_basic_compiler"; + $detectedMessage = "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\vbc.exe" -and $_.message -match "Image.*.*\\cvtres.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_vul_java_remote_debugging.ps1 b/Rules/SIGMA/process_creation/win_vul_java_remote_debugging.ps1 new file mode 100644 index 00000000..89e21724 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_vul_java_remote_debugging.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "CommandLine.*.*transport=dt_socket,address=.*" -and -not ($_.message -match "CommandLine.*.*address=127.0.0.1.*" -or $_.message -match "CommandLine.*.*address=localhost.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_vul_java_remote_debugging"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_vul_java_remote_debugging"; + $detectedMessage = "Detects a JAVA process running with remote debugging allowing more than just localhost to connect"; + $result = $event | where { (($_.ID -eq "1") -and $_.message -match "CommandLine.*.*transport=dt_socket,address=.*" -and -not ($_.message -match "CommandLine.*.*address=127.0.0.1.*" -or $_.message -match "CommandLine.*.*address=localhost.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_webshell_detection.ps1 b/Rules/SIGMA/process_creation/win_webshell_detection.ps1 new file mode 100644 index 00000000..8bfbede1 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_webshell_detection.ps1 
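Review bot: The loopback allow-list in `-not ($_.message -match "CommandLine.*.*address=127.0.0.1.*" -or ... "address=localhost")` misses the IPv6 loopback forms (`address=[::1]:5005`, `address=::1`), so a debugger bound only to IPv6 localhost is reported as exposed, and the unescaped dots in `127.0.0.1` are regex wildcards. A compact replacement: `-not ($_.message -match "CommandLine.*address=(127\.0\.0\.1|localhost|\[?::1\]?)")`. Be aware that a bare port (`address=5005`) is treated as exposed, which is correct for JDK 8 and earlier but, if I recall correctly, JDK 9+ binds that form to localhost by default, so expect some benign hits on newer runtimes; a comment in the rule noting this would help tuners.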
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe") -or ($_.message -match "ParentImage.*.*\\apache.*" -or $_.message -match "ParentImage.*.*\\tomcat.*")) -and (($_.ID -eq "1") -and (((($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and ($_.message -match "CommandLine.*.* user .*" -or $_.message -match "CommandLine.*.* use .*" -or $_.message -match "CommandLine.*.* group .*")) -or ($_.message -match "Image.*.*\\ping.exe" -and $_.message -match "CommandLine.*.* -n .*") -or ($_.message -match "CommandLine.*.*&cd&echo.*" -or $_.message -match "CommandLine.*.*cd /d .*")) -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.* /node:.*") -or ($_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "Image.*.*\\systeminfo.exe" -or $_.message -match "Image.*.*\\quser.exe" -or $_.message -match "Image.*.*\\ipconfig.exe" -or $_.message -match "Image.*.*\\pathping.exe" -or $_.message -match "Image.*.*\\tracert.exe" -or $_.message -match "Image.*.*\\netstat.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\vssadmin.exe" -or $_.message -match "Image.*.*\\wevtutil.exe" -or $_.message -match "Image.*.*\\tasklist.exe") -or ($_.message -match "CommandLine.*.* Test-NetConnection .*" -or $_.message -match "CommandLine.*.*dir \\.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_webshell_detection"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_webshell_detection"; + $detectedMessage = "Detects certain command line parameters often used during reconnaissance activity via web shells"; + $result = 
$event | where { (($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe") -or ($_.message -match "ParentImage.*.*\\apache.*" -or $_.message -match "ParentImage.*.*\\tomcat.*")) -and (($_.ID -eq "1") -and (((($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and ($_.message -match "CommandLine.*.* user .*" -or $_.message -match "CommandLine.*.* use .*" -or $_.message -match "CommandLine.*.* group .*")) -or ($_.message -match "Image.*.*\\ping.exe" -and $_.message -match "CommandLine.*.* -n .*") -or ($_.message -match "CommandLine.*.*&cd&echo.*" -or $_.message -match "CommandLine.*.*cd /d .*")) -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.* /node:.*") -or ($_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "Image.*.*\\systeminfo.exe" -or $_.message -match "Image.*.*\\quser.exe" -or $_.message -match "Image.*.*\\ipconfig.exe" -or $_.message -match "Image.*.*\\pathping.exe" -or $_.message -match "Image.*.*\\tracert.exe" -or $_.message -match "Image.*.*\\netstat.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\vssadmin.exe" -or $_.message -match "Image.*.*\\wevtutil.exe" -or $_.message -match "Image.*.*\\tasklist.exe") -or ($_.message -match "CommandLine.*.* Test-NetConnection .*" -or $_.message -match "CommandLine.*.*dir \\.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
diff --git a/Rules/SIGMA/process_creation/win_webshell_recon_detection.ps1 b/Rules/SIGMA/process_creation/win_webshell_recon_detection.ps1 new file mode 100644 index 00000000..e927e9b9 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_webshell_recon_detection.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\apache.*" -or $_.message -match "ParentImage.*.*\\tomcat.*") -or ($_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe")) -and (($_.message -match "Image.*.*\\cmd.exe") -and ($_.message -match "CommandLine.*.*perl --help.*" -or $_.message -match "CommandLine.*.*python --help.*" -or $_.message -match "CommandLine.*.*wget --help.*" -or $_.message -match "CommandLine.*.*perl -h.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_webshell_recon_detection"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_webshell_recon_detection"; + $detectedMessage = "Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed."; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\apache.*" -or $_.message -match "ParentImage.*.*\\tomcat.*") -or ($_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe")) -and (($_.message -match "Image.*.*\\cmd.exe") -and ($_.message -match "CommandLine.*.*perl --help.*" -or $_.message -match "CommandLine.*.*python --help.*" -or $_.message -match "CommandLine.*.*wget --help.*" -or $_.message -match "CommandLine.*.*perl -h.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! 
RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_webshell_spawn.ps1 b/Rules/SIGMA/process_creation/win_webshell_spawn.ps1 new file mode 100644 index 00000000..329e3d5c --- /dev/null +++ b/Rules/SIGMA/process_creation/win_webshell_spawn.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\tomcat.exe" -or $_.message -match "ParentImage.*.*\\UMWorkerProcess.exe") -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_webshell_spawn"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_webshell_spawn"; + $detectedMessage = "Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\tomcat.exe" -or $_.message -match "ParentImage.*.*\\UMWorkerProcess.exe") -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_whoami_as_system.ps1 b/Rules/SIGMA/process_creation/win_whoami_as_system.ps1 new file mode 100644 index 00000000..b5919009 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_whoami_as_system.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\whoami.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_whoami_as_system"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_whoami_as_system"; + $detectedMessage = "Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation."; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\whoami.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_whoami_priv.ps1 b/Rules/SIGMA/process_creation/win_whoami_priv.ps1 new file mode 100644 index 00000000..226e91c3 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_whoami_priv.ps1 
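Review bot: `ParentImage.*.*\\tomcat.exe` only matches a parent literally named `tomcat.exe`, whereas the sibling rules in this same change (`win_webshell_detection`, `win_webshell_recon_detection`) use `ParentImage.*.*\\tomcat.*`; Tomcat on Windows is typically run from a versioned service wrapper such as `tomcat9.exe` (or directly from `java.exe`), so this rule silently misses the most common deployment. Align it with the siblings: `$_.message -match "ParentImage.*.*\\tomcat.*"`. Consider also whether `java.exe`/`javaw.exe` spawning one of the listed shells should be in scope, since that is how Tomcat runs when it is not installed as a service.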
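Review bot: Keying on `User.*NT AUTHORITY\\SYSTEM` ties the rule to the English account name; on localized Windows builds the SYSTEM account is rendered differently (e.g. `NT-AUTORITÄT\SYSTEM` on German systems), so the rule misses there. The sibling `win_wmiprvse_spawning_process` rule in this change identifies SYSTEM by the logon id `0x3e7`, which is locale-independent; do the same here, e.g. `$_.message -match "(?m)^LogonId:\s*0x3e7"` (optionally keeping the `User` match as an `-or`). Note too that `Image.*.*\\whoami.exe` is unanchored and is also satisfied by a `ParentImage: ...\whoami.exe` line.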
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\whoami.exe" -and $_.message -match "CommandLine.*.*/priv.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_whoami_priv"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_whoami_priv"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\whoami.exe" -and $_.message -match "CommandLine.*.*/priv.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_win10_sched_task_0day.ps1 b/Rules/SIGMA/process_creation/win_win10_sched_task_0day.ps1 new file mode 100644 index 00000000..bcefe1aa --- /dev/null +++ b/Rules/SIGMA/process_creation/win_win10_sched_task_0day.ps1 
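Review bot: `Search-DetectableEvents` never assigns `$detectedMessage` in this rule, yet the detection branch runs `Write-Output $detectedMessage`; every other rule in this change sets it, so a hit here prints the `Detected! RuleName:` header followed by an empty description. Add the assignment next to `$ruleName`, e.g. `$detectedMessage = "Detects whoami.exe executed with the /priv switch to enumerate the current user's privileges, often seen after a privilege escalation attempt";`. If the host script ever enables `Set-StrictMode`, the unassigned variable would instead throw at detection time, so this is worth fixing before the rule ships.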
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.*/change.*" -and $_.message -match "CommandLine.*.*/TN.*" -and $_.message -match "CommandLine.*.*/RU.*" -and $_.message -match "CommandLine.*.*/RP.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_win10_sched_task_0day"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_win10_sched_task_0day"; + $detectedMessage = "Detects Task Scheduler .job import arbitrary DACL writepar"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.*/change.*" -and $_.message -match "CommandLine.*.*/TN.*" -and $_.message -match "CommandLine.*.*/RU.*" -and $_.message -match "CommandLine.*.*/RP.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_winword_dll_load.ps1 b/Rules/SIGMA/process_creation/win_winword_dll_load.ps1 new file mode 100644 index 00000000..faa30901 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_winword_dll_load.ps1 
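Review bot: The user-facing description `"Detects Task Scheduler .job import arbitrary DACL writepar"` is garbled (`writepar` looks like a stray `write\par` RTF artifact carried over from the source rule), so analysts see an unfinished sentence on every hit. Replace it with a complete description, e.g. `$detectedMessage = "Detects schtasks.exe /change with /RU and /RP on an existing task, as used in the Windows 10 Task Scheduler .job import arbitrary DACL write privilege escalation";`. Also note that `/change /TN ... /RU ... /RP` is a legitimate way for administrators to rotate the credentials stored on a scheduled task, so benign hits from management tooling should be expected and documented.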
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\winword.exe" -and $_.message -match "CommandLine.*.*/l.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_winword_dll_load"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_winword_dll_load"; + $detectedMessage = "Detects Winword.exe loading of custmom dll via /l cmd switch"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\winword.exe" -and $_.message -match "CommandLine.*.*/l.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_wmi_backdoor_exchange_transport_agent.ps1 b/Rules/SIGMA/process_creation/win_wmi_backdoor_exchange_transport_agent.ps1 new file mode 100644 index 00000000..7b439dc0 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_wmi_backdoor_exchange_transport_agent.ps1 
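Review bot: `CommandLine.*.*/l.*` fires on any `/l` substring in the command line (and, being unanchored, in `ParentCommandLine:` too), and `-match` is case-insensitive so `/L` counts as well; a document path or URL argument containing `/l` would trip it. If the intent is the standalone add-in switch, tighten it to that form, e.g. `$_.message -match "(?m)^CommandLine:.*\s/l(\s|$)"`. Separately, the description string has a typo: `custmom` should read `custom`.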
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\EdgeTransport.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_wmi_backdoor_exchange_transport_agent"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_wmi_backdoor_exchange_transport_agent"; + $detectedMessage = "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\EdgeTransport.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_wmi_persistence_script_event_consumer.ps1 b/Rules/SIGMA/process_creation/win_wmi_persistence_script_event_consumer.ps1 new file mode 100644 index 00000000..6af2d1a5 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_wmi_persistence_script_event_consumer.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*C:\\WINDOWS\\system32\\wbem\\scrcons.exe" -and $_.message -match "ParentImage.*C:\\Windows\\System32\\svchost.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_wmi_persistence_script_event_consumer"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_wmi_persistence_script_event_consumer"; + $detectedMessage = "Detects WMI script event consumers"; + $result = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*C:\\WINDOWS\\system32\\wbem\\scrcons.exe" -and $_.message -match "ParentImage.*C:\\Windows\\System32\\svchost.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_wmi_spwns_powershell.ps1 b/Rules/SIGMA/process_creation/win_wmi_spwns_powershell.ps1 new file mode 100644 index 00000000..945e6454 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_wmi_spwns_powershell.ps1 
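Review bot: Both patterns hard-code the `C:` drive (`Image.*C:\\WINDOWS\\system32\\wbem\\scrcons.exe`, `ParentImage.*C:\\Windows\\System32\\svchost.exe`), so a host whose system volume is not `C:` never matches, while the neighbouring rules consistently use a drive-agnostic `.*\\` prefix. Suggest `$_.message -match "(?m)^Image:.*\\Windows\\System32\\wbem\\scrcons.exe"` and `$_.message -match "ParentImage:.*\\Windows\\System32\\svchost.exe"`. The `(?m)^Image:` anchor also stops the first pattern from being satisfied by the `ParentImage:` line, which contains `Image:` as a substring.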
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\\wmiprvse.exe") -and ($_.message -match "Image.*.*\\powershell.exe")) -and -not ($_.message -match "CommandLine.*null")) -and -not (-not CommandLine="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_wmi_spwns_powershell"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_wmi_spwns_powershell"; + $detectedMessage = "Detects WMI spawning PowerShell"; + $result = $event | where { (($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\\wmiprvse.exe") -and ($_.message -match "Image.*.*\\powershell.exe")) -and -not ($_.message -match "CommandLine.*null")) -and -not (-not $_.message -match "CommandLine.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_wmiprvse_spawning_process.ps1 b/Rules/SIGMA/process_creation/win_wmiprvse_spawning_process.ps1 new file mode 100644 index 00000000..cfeff2dd --- /dev/null +++ b/Rules/SIGMA/process_creation/win_wmiprvse_spawning_process.ps1 
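Review bot: The trailing clause `-and -not (-not $_.message -match "CommandLine.*")` is a no-op: PowerShell's unary `-not` binds tighter than `-match`, so it evaluates as `(-not $_.message) -match "CommandLine.*"`, i.e. `$false -match ...`, which is always false, and the outer `-not` turns that into an unconditional true. This is presumably the converted "CommandLine is not null" condition; express it directly as `-and ($_.message -match "(?m)^CommandLine:\s*\S")`, which requires a non-empty command line. The commented one-liner at the top still carries the unconverted `CommandLine="*"` token and will not run if pasted into a shell.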
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\WmiPrvSe.exe" -and -not (($_.message -match "0x3e7" -or $_.message -match "null") -or ($_.message -match "0x3e7" -or $_.message -match "null") -or $_.message -match "User.*NT AUTHORITY\\SYSTEM" -or ($_.message -match "Image.*.*\\WmiPrvSE.exe" -or $_.message -match "Image.*.*\\WerFault.exe"))) -and -not (-not LogonId="*")) -and -not (-not SubjectLogonId="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_wmiprvse_spawning_process"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_wmiprvse_spawning_process"; + $detectedMessage = "Detects wmiprvse spawning processes"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\WmiPrvSe.exe" -and -not (($_.message -match "0x3e7" -or $_.message -match "null") -or ($_.message -match "0x3e7" -or $_.message -match "null") -or $_.message -match "User.*NT AUTHORITY\\SYSTEM" -or ($_.message -match "Image.*.*\\WmiPrvSE.exe" -or $_.message -match "Image.*.*\\WerFault.exe"))) -and -not (-not $_.message -match "LogonId.*")) -and -not (-not $_.message -match "SubjectLogonId.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_workflow_compiler.ps1 b/Rules/SIGMA/process_creation/win_workflow_compiler.ps1 new file mode 100644 index 00000000..97d37707 --- /dev/null 
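Review bot: The two trailing clauses `-not (-not $_.message -match "LogonId.*")` and `-not (-not $_.message -match "SubjectLogonId.*")` are no-ops for the same precedence reason (`-not $_.message` is evaluated first and `$false -match ...` is always false), so the intended "logon id must be present" conditions are not enforced; write them as `($_.message -match "(?m)^LogonId:\s*\S")`. Inside the exclusion, `$_.message -match "null"` is a bare substring test over the entire event text, so any event whose image path, description or command line contains `null` (e.g. a `Nullsoft` installer description) is silently excluded, and the `(0x3e7 -or null)` group appears twice. Scope those to their fields, e.g. `$_.message -match "(?m)^LogonId:\s*0x3e7"`, and drop the duplicate group. As in the rule above, the commented Get-WinEvent line still contains the unconverted `LogonId="*"` tokens.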
+++ b/Rules/SIGMA/process_creation/win_workflow_compiler.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\Microsoft.Workflow.Compiler.exe" -or ($_.message -match "OriginalFileName.*Microsoft.Workflow.Compiler.exe" -and $_.message -match "CommandLine.*.*.xml.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_workflow_compiler"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_workflow_compiler"; + $detectedMessage = "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code."; + $result = $event | where { (($_.ID -eq "1") -and ($_.message -match "Image.*.*\\Microsoft.Workflow.Compiler.exe" -or ($_.message -match "OriginalFileName.*Microsoft.Workflow.Compiler.exe" -and $_.message -match "CommandLine.*.*.xml.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_wsreset_uac_bypass.ps1 b/Rules/SIGMA/process_creation/win_wsreset_uac_bypass.ps1 new file mode 100644 index 00000000..a321cc24 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_wsreset_uac_bypass.ps1 
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\WSreset.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_wsreset_uac_bypass"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_wsreset_uac_bypass"; + $detectedMessage = "Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC"; + $result = $event | where { ($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\WSreset.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/process_creation/win_xsl_script_processing.ps1 b/Rules/SIGMA/process_creation/win_xsl_script_processing.ps1 new file mode 100644 index 00000000..3f9c3640 --- /dev/null +++ b/Rules/SIGMA/process_creation/win_xsl_script_processing.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*/format.*") -or $_.message -match "Image.*.*\\msxsl.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "win_xsl_script_processing"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "win_xsl_script_processing"; + $detectedMessage = "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries"; + $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*/format.*") -or $_.message -match "Image.*.*\\msxsl.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if(! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.ps1 b/Rules/SIGMA/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.ps1 new file mode 100644 index 00000000..70d00f92 --- /dev/null +++ b/Rules/SIGMA/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.ps1 
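Review bot: `$detectedMessage` ends mid-sentence (`"... Rule detects when adversaries"`), so the description shown to the analyst on a hit is incomplete. Finish it, e.g. `$detectedMessage = "XSL files describe the processing of XML data; this rule detects wmic.exe /format and msxsl.exe, which adversaries abuse to execute arbitrary script while evading application whitelisting";`. Since `wmic /format` is also used legitimately to render report output, a short note on expected benign sources would help tuners.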
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "9") -and -not ($_.message -match "Device.*.*floppy.*") -and -not (($_.message -match "Image.*.*\\wmiprvse.exe" -or $_.message -match "Image.*.*\\sdiagnhost.exe" -or $_.message -match "Image.*.*\\searchindexer.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\defrag.exe" -or $_.message -match "Image.*.*\\smss.exe" -or $_.message -match "Image.*.*\\vssvc.exe" -or $_.message -match "Image.*.*\\compattelrunner.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\autochk.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\dfsrs.exe" -or $_.message -match "Image.*.*\\vds.exe" -or $_.message -match "Image.*.*\\lsass.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_raw_disk_access_using_illegitimate_tools"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_raw_disk_access_using_illegitimate_tools"; + $detectedMessage = "Raw disk access using illegitimate tools, possible defence evasion"; + $result = $event | where { (($_.ID -eq "9") -and -not ($_.message -match "Device.*.*floppy.*") -and -not (($_.message -match "Image.*.*\\wmiprvse.exe" -or $_.message -match "Image.*.*\\sdiagnhost.exe" -or $_.message -match "Image.*.*\\searchindexer.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\defrag.exe" -or $_.message -match "Image.*.*\\smss.exe" -or $_.message -match "Image.*.*\\vssvc.exe" -or $_.message -match "Image.*.*\\compattelrunner.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\autochk.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\dfsrs.exe" -or $_.message -match "Image.*.*\\vds.exe" -or $_.message -match "Image.*.*\\lsass.exe"))) } | 
select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_apt_leviathan.ps1 b/Rules/SIGMA/registry_event/sysmon_apt_leviathan.ps1 new file mode 100644 index 00000000..33bbc358 --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_apt_leviathan.ps1 @@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_apt_leviathan"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_apt_leviathan"; + $detectedMessage = "Detects registry key used by Leviathan APT in Malaysian focused campaign"; + $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
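Review bot: The allow-list of legitimate images is a set of unanchored `Image.*.*\\<name>.exe` patterns, so an attacker's raw-disk tool dropped as e.g. `C:\Users\Public\defrag.exe` or `...\vssvc.exe` is excluded purely by its file name. This mirrors the upstream rule's endswith semantics, but it is cheap to tighten here: pin each exclusion to its directory as well, e.g. prefix them with `\\Windows\\System32\\` (`\\Windows\\System32\\wbem\\` for wmiprvse). Minor style inconsistency with the other rules in this change: `. Search-DetectableEvents $args` lacks the trailing semicolon and `else` is on its own line.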
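Review bot: Sysmon registry events (12/13/14) record per-user keys under the loaded hive path, i.e. `HKU\<SID>\Software\...`, not `HKEY_CURRENT_USER\...`; the sibling `sysmon_apt_oceanlotus_registry` rule in this same change matches `TargetObject.*HKU\\.*` for exactly that reason. As written, `TargetObject.*HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd` is unlikely to ever match a real event. Drop the hive prefix: `$_.message -match "TargetObject.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd"`.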
diff --git a/Rules/SIGMA/registry_event/sysmon_apt_oceanlotus_registry.ps1 b/Rules/SIGMA/registry_event/sysmon_apt_oceanlotus_registry.ps1 new file mode 100644 index 00000000..b4c1c37e --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_apt_oceanlotus_registry.ps1 
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "HKCR\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model") -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon")) -or (($_.message -match "TargetObject.*HKU\\.*") -and ($_.message -match "TargetObject.*.*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\.*" -or $_.message -match "TargetObject.*.*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\.*" -or $_.message -match "TargetObject.*.*_Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\.*" -or $_.message -match "TargetObject.*.*_Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_apt_oceanlotus_registry"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_apt_oceanlotus_registry"; + $detectedMessage = "Detects registry keys created in OceanLotus (also known as APT32) attacks"; + $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "HKCR\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model") -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application" -or $_.message -match 
"TargetObject.*.*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon")) -or (($_.message -match "TargetObject.*HKU\\.*") -and ($_.message -match "TargetObject.*.*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\.*" -or $_.message -match "TargetObject.*.*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\.*" -or $_.message -match "TargetObject.*.*_Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\.*" -or $_.message -match "TargetObject.*.*_Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_apt_pandemic.ps1 b/Rules/SIGMA/registry_event/sysmon_apt_pandemic.ps1 new file mode 100644 index 00000000..a69faa5f --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_apt_pandemic.ps1 
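Review bot: In the `$result` filter the first alternative requires one event message to match both `HKCR\CLSID\{E08A0F4B-...}\Model` and one of the `\SOFTWARE\App\AppX...\Application|DefaultIcon` tails; a Sysmon registry event carries a single TargetObject, so both regexes can only be satisfied if the second path happens to appear elsewhere in the message (e.g. in Details), which makes that branch effectively dead and leaves only the `HKU\` alternative live. If the upstream Sigma rule ORs these selections, the `-and` joining them should be `-or`; please check the rule's `condition:` before changing it. The trailing `.*` on the `HKU\\.*` and `\\Model.*` patterns is redundant for an unanchored `-match` and can be dropped for readability.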
@@ -0,0 +1,41 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\SYSTEM\\CurrentControlSet\\services\\null\\Instance.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*loaddll -a .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+
+function Add-Rule {
+
+ $ruleName = "sysmon_apt_pandemic";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_apt_pandemic";
+ $detectedMessage = "Detects Pandemic Windows Implant";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\SYSTEM\\CurrentControlSet\\services\\null\\Instance.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*loaddll -a .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_asep_reg_keys_modification.ps1 b/Rules/SIGMA/registry_event/sysmon_asep_reg_keys_modification.ps1
new file mode 100644
index 00000000..f1e4b99c
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_asep_reg_keys_modification.ps1
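Review bot: The process-creation filter `$_.message -match "CommandLine.*.*loaddll -a .*"` is not anchored to the start of the field, so, assuming the standard Sysmon Event 1 message layout, it also matches the `ParentCommandLine:` line and fires on any child of a `loaddll -a` process — possibly desirable, but it should be a deliberate choice rather than a side effect. If only the process's own command line is intended, anchor it: `$_.message -match "(?m)^CommandLine:.*loaddll -a "`. The doubled `.*.*` in both patterns is a conversion artifact that can be collapsed to a single `.*`. Both selections emit the same `$detectedMessage`, so an analyst cannot tell from the output whether the `services\null\Instance` key or the `loaddll -a` command line triggered; a per-selection message would make triage quicker.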
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((((((((((((($_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart.*" -or $_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect.*" -or $_.message -match "TargetObject.*.*\\SYSTEM\\Setup\\CmdLine.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Ctf\\LangBarAddin.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Command Processor\\Autorun.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\Protocols\\Handler.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\Protocols\\Filter.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default).*" -or $_.message -match "TargetObject.*.*\\Environment\\UserInitMprLogonScript.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components.*" -or $_.message -match "TargetObject.*.*\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32.*" -or $_.message -match "TargetObject.*.*\\Control Panel\\Desktop\\Scrnsave.exe.*") -or ($_.message -match 
"TargetObject.*.*\\System\\CurrentControlSet\\Control\\Session Manager.*" -and ($_.message -match "TargetObject.*.*\\SetupExecute.*" -or $_.message -match "TargetObject.*.*\\S0InitialCommand.*" -or $_.message -match "TargetObject.*.*\\KnownDlls.*" -or $_.message -match "TargetObject.*.*\\Execute.*" -or $_.message -match "TargetObject.*.*\\BootExecute.*" -or $_.message -match "TargetObject.*.*\\AppCertDlls.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\ShellServiceObjectDelayLoad.*" -or $_.message -match "TargetObject.*.*\\Run.*" -or $_.message -match "TargetObject.*.*\\Policies\\System\\Shell.*" -or $_.message -match "TargetObject.*.*\\Policies\\Explorer\\Run.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Startup.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Shutdown.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Logon.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Logoff.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellServiceObjects.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellIconOverlayIdentifiers.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellExecuteHooks.*" -or $_.message -match "TargetObject.*.*\\Explorer\\SharedTaskScheduler.*" -or $_.message -match "TargetObject.*.*\\Explorer\\Browser Helper Objects.*" -or $_.message -match "TargetObject.*.*\\Authentication\\PLAP Providers.*" -or $_.message -match "TargetObject.*.*\\Authentication\\Credential Providers.*" -or $_.message -match "TargetObject.*.*\\Authentication\\Credential Provider Filters.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\Winlogon\\VmApplet.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\Userinit.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\Taskman.*" -or $_.message -match 
"TargetObject.*.*\\Winlogon\\Shell.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\GpExtensions.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\AppSetup.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\AlternateShells\\AvailableShells.*" -or $_.message -match "TargetObject.*.*\\Windows\\IconServiceLib.*" -or $_.message -match "TargetObject.*.*\\Windows\\Appinit_Dlls.*" -or $_.message -match "TargetObject.*.*\\Image File Execution Options.*" -or $_.message -match "TargetObject.*.*\\Font Drivers.*" -or $_.message -match "TargetObject.*.*\\Drivers32.*" -or $_.message -match "TargetObject.*.*\\Windows\\Run.*" -or $_.message -match "TargetObject.*.*\\Windows\\Load.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\ShellServiceObjectDelayLoad.*" -or $_.message -match "TargetObject.*.*\\Run.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellServiceObjects.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellIconOverlayIdentifiers.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellExecuteHooks.*" -or $_.message -match "TargetObject.*.*\\Explorer\\SharedTaskScheduler.*" -or $_.message -match "TargetObject.*.*\\Explorer\\Browser Helper Objects.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\Windows\\Appinit_Dlls.*" -or $_.message -match "TargetObject.*.*\\Image File Execution Options.*" -or $_.message -match "TargetObject.*.*\\Drivers32.*"))) -or ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Microsoft\\Office.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office.*") -and ($_.message -match "TargetObject.*.*\\Word\\Addins.*" -or $_.message -match "TargetObject.*.*\\PowerPoint\\Addins.*" -or $_.message -match 
"TargetObject.*.*\\Outlook\\Addins.*" -or $_.message -match "TargetObject.*.*\\Onenote\\Addins.*" -or $_.message -match "TargetObject.*.*\\Excel\\Addins.*" -or $_.message -match "TargetObject.*.*\\Access\\Addins.*" -or $_.message -match "TargetObject.*.*test\\Special\\Perf.*"))) -or ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Microsoft\\Internet Explorer.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Internet Explorer.*") -and ($_.message -match "TargetObject.*.*\\Toolbar.*" -or $_.message -match "TargetObject.*.*\\Extensions.*" -or $_.message -match "TargetObject.*.*\\Explorer Bars.*"))) -or ($_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Classes.*" -and ($_.message -match "TargetObject.*.*\\Folder\\ShellEx\\ExtShellFolderViews.*" -or $_.message -match "TargetObject.*.*\\Folder\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Folder\\ShellEx\\ColumnHandlers.*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\CopyHookHandlers.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance.*" -or $_.message -match "TargetObject.*.*\\AllFileSystemObjects\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\PropertySheetHandlers.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\ContextMenuHandlers.*"))) -or ($_.message -match "TargetObject.*.*\\Software\\Classes.*" -and ($_.message -match "TargetObject.*.*\\Folder\\ShellEx\\ExtShellFolderViews.*" -or $_.message -match 
"TargetObject.*.*\\Folder\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Folder\\Shellex\\ColumnHandlers.*" -or $_.message -match "TargetObject.*.*\\Filter.*" -or $_.message -match "TargetObject.*.*\\Exefile\\Shell\\Open\\Command\\(Default).*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\CopyHookHandlers.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance.*" -or $_.message -match "TargetObject.*.*\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\.exe.*" -or $_.message -match "TargetObject.*.*\\.cmd.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\PropertySheetHandlers.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\ContextMenuHandlers.*"))) -or ($_.message -match "TargetObject.*.*\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts.*" -and ($_.message -match "TargetObject.*.*\\Startup.*" -or $_.message -match "TargetObject.*.*\\Shutdown.*" -or $_.message -match "TargetObject.*.*\\Logon.*" -or $_.message -match "TargetObject.*.*\\Logoff.*"))) -or ($_.message -match "TargetObject.*.*\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters.*" -and ($_.message -match "TargetObject.*.*\\Protocol_Catalog9\\Catalog_Entries.*" -or $_.message -match "TargetObject.*.*\\NameSpace_Catalog5\\Catalog_Entries.*"))) -or ($_.message -match "TargetObject.*.*\\SYSTEM\\CurrentControlSet\\Control.*" -and ($_.message -match "TargetObject.*.*\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram.*" -or $_.message -match "TargetObject.*.*\\Terminal 
Server\\Wds\\rdpwd\\StartupPrograms.*" -or $_.message -match "TargetObject.*.*\\SecurityProviders\\SecurityProviders.*" -or $_.message -match "TargetObject.*.*\\SafeBoot\\AlternateShell.*" -or $_.message -match "TargetObject.*.*\\Print\\Providers.*" -or $_.message -match "TargetObject.*.*\\Print\\Monitors.*" -or $_.message -match "TargetObject.*.*\\NetworkProvider\\Order.*" -or $_.message -match "TargetObject.*.*\\Lsa\\Notification Packages.*" -or $_.message -match "TargetObject.*.*\\Lsa\\Authentication Packages.*" -or $_.message -match "TargetObject.*.*\\BootVerificationProgram\\ImagePath.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_asep_reg_keys_modification"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_asep_reg_keys_modification"; + $detectedMessage = "Detects modification of autostart extensibility point (ASEP) in registry."; + $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((((((((((((($_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart.*" -or $_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect.*" -or $_.message -match "TargetObject.*.*\\SYSTEM\\Setup\\CmdLine.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Ctf\\LangBarAddin.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Command Processor\\Autorun.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.*" -or $_.message -match 
"TargetObject.*.*\\SOFTWARE\\Classes\\Protocols\\Handler.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\Protocols\\Filter.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default).*" -or $_.message -match "TargetObject.*.*\\Environment\\UserInitMprLogonScript.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components.*" -or $_.message -match "TargetObject.*.*\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32.*" -or $_.message -match "TargetObject.*.*\\Control Panel\\Desktop\\Scrnsave.exe.*") -or ($_.message -match "TargetObject.*.*\\System\\CurrentControlSet\\Control\\Session Manager.*" -and ($_.message -match "TargetObject.*.*\\SetupExecute.*" -or $_.message -match "TargetObject.*.*\\S0InitialCommand.*" -or $_.message -match "TargetObject.*.*\\KnownDlls.*" -or $_.message -match "TargetObject.*.*\\Execute.*" -or $_.message -match "TargetObject.*.*\\BootExecute.*" -or $_.message -match "TargetObject.*.*\\AppCertDlls.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\ShellServiceObjectDelayLoad.*" -or $_.message -match "TargetObject.*.*\\Run.*" -or $_.message -match "TargetObject.*.*\\Policies\\System\\Shell.*" -or $_.message -match "TargetObject.*.*\\Policies\\Explorer\\Run.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Startup.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Shutdown.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Logon.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Logoff.*" -or $_.message -match 
"TargetObject.*.*\\Explorer\\ShellServiceObjects.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellIconOverlayIdentifiers.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellExecuteHooks.*" -or $_.message -match "TargetObject.*.*\\Explorer\\SharedTaskScheduler.*" -or $_.message -match "TargetObject.*.*\\Explorer\\Browser Helper Objects.*" -or $_.message -match "TargetObject.*.*\\Authentication\\PLAP Providers.*" -or $_.message -match "TargetObject.*.*\\Authentication\\Credential Providers.*" -or $_.message -match "TargetObject.*.*\\Authentication\\Credential Provider Filters.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\Winlogon\\VmApplet.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\Userinit.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\Taskman.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\Shell.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\GpExtensions.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\AppSetup.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\AlternateShells\\AvailableShells.*" -or $_.message -match "TargetObject.*.*\\Windows\\IconServiceLib.*" -or $_.message -match "TargetObject.*.*\\Windows\\Appinit_Dlls.*" -or $_.message -match "TargetObject.*.*\\Image File Execution Options.*" -or $_.message -match "TargetObject.*.*\\Font Drivers.*" -or $_.message -match "TargetObject.*.*\\Drivers32.*" -or $_.message -match "TargetObject.*.*\\Windows\\Run.*" -or $_.message -match "TargetObject.*.*\\Windows\\Load.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\ShellServiceObjectDelayLoad.*" -or $_.message -match "TargetObject.*.*\\Run.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellServiceObjects.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellIconOverlayIdentifiers.*" -or $_.message 
-match "TargetObject.*.*\\Explorer\\ShellExecuteHooks.*" -or $_.message -match "TargetObject.*.*\\Explorer\\SharedTaskScheduler.*" -or $_.message -match "TargetObject.*.*\\Explorer\\Browser Helper Objects.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\Windows\\Appinit_Dlls.*" -or $_.message -match "TargetObject.*.*\\Image File Execution Options.*" -or $_.message -match "TargetObject.*.*\\Drivers32.*"))) -or ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Microsoft\\Office.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office.*") -and ($_.message -match "TargetObject.*.*\\Word\\Addins.*" -or $_.message -match "TargetObject.*.*\\PowerPoint\\Addins.*" -or $_.message -match "TargetObject.*.*\\Outlook\\Addins.*" -or $_.message -match "TargetObject.*.*\\Onenote\\Addins.*" -or $_.message -match "TargetObject.*.*\\Excel\\Addins.*" -or $_.message -match "TargetObject.*.*\\Access\\Addins.*" -or $_.message -match "TargetObject.*.*test\\Special\\Perf.*"))) -or ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Microsoft\\Internet Explorer.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Internet Explorer.*") -and ($_.message -match "TargetObject.*.*\\Toolbar.*" -or $_.message -match "TargetObject.*.*\\Extensions.*" -or $_.message -match "TargetObject.*.*\\Explorer Bars.*"))) -or ($_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Classes.*" -and ($_.message -match "TargetObject.*.*\\Folder\\ShellEx\\ExtShellFolderViews.*" -or $_.message -match "TargetObject.*.*\\Folder\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Folder\\ShellEx\\ColumnHandlers.*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\DragDropHandlers.*" -or $_.message -match 
"TargetObject.*.*\\Directory\\Shellex\\CopyHookHandlers.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance.*" -or $_.message -match "TargetObject.*.*\\AllFileSystemObjects\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\PropertySheetHandlers.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\ContextMenuHandlers.*"))) -or ($_.message -match "TargetObject.*.*\\Software\\Classes.*" -and ($_.message -match "TargetObject.*.*\\Folder\\ShellEx\\ExtShellFolderViews.*" -or $_.message -match "TargetObject.*.*\\Folder\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Folder\\Shellex\\ColumnHandlers.*" -or $_.message -match "TargetObject.*.*\\Filter.*" -or $_.message -match "TargetObject.*.*\\Exefile\\Shell\\Open\\Command\\(Default).*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\CopyHookHandlers.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance.*" -or $_.message -match "TargetObject.*.*\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\.exe.*" -or $_.message -match "TargetObject.*.*\\.cmd.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\PropertySheetHandlers.*" -or $_.message -match 
"TargetObject.*.*\\ShellEx\\ContextMenuHandlers.*"))) -or ($_.message -match "TargetObject.*.*\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts.*" -and ($_.message -match "TargetObject.*.*\\Startup.*" -or $_.message -match "TargetObject.*.*\\Shutdown.*" -or $_.message -match "TargetObject.*.*\\Logon.*" -or $_.message -match "TargetObject.*.*\\Logoff.*"))) -or ($_.message -match "TargetObject.*.*\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters.*" -and ($_.message -match "TargetObject.*.*\\Protocol_Catalog9\\Catalog_Entries.*" -or $_.message -match "TargetObject.*.*\\NameSpace_Catalog5\\Catalog_Entries.*"))) -or ($_.message -match "TargetObject.*.*\\SYSTEM\\CurrentControlSet\\Control.*" -and ($_.message -match "TargetObject.*.*\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram.*" -or $_.message -match "TargetObject.*.*\\Terminal Server\\Wds\\rdpwd\\StartupPrograms.*" -or $_.message -match "TargetObject.*.*\\SecurityProviders\\SecurityProviders.*" -or $_.message -match "TargetObject.*.*\\SafeBoot\\AlternateShell.*" -or $_.message -match "TargetObject.*.*\\Print\\Providers.*" -or $_.message -match "TargetObject.*.*\\Print\\Monitors.*" -or $_.message -match "TargetObject.*.*\\NetworkProvider\\Order.*" -or $_.message -match "TargetObject.*.*\\Lsa\\Notification Packages.*" -or $_.message -match "TargetObject.*.*\\Lsa\\Authentication Packages.*" -or $_.message -match "TargetObject.*.*\\BootVerificationProgram\\ImagePath.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
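Review bot: The two `(Default)` patterns in the `$result` filter — `...\\Htmlfile\\Shell\\Open\\Command\\(Default).*` and `...\\Exefile\\Shell\\Open\\Command\\(Default).*` — leave the parentheses unescaped, so .NET regex treats them as a capture group around the literal `Default`; the pattern then requires `Command\Default` and cannot match a TargetObject ending in `Command\(Default)`, which silently drops both of those file-association hijack cases. Escape them: `\\Command\\\(Default\).*` (backslashes pass through a PowerShell double-quoted string unchanged). Separately, `TargetObject.*.*\\Run.*` under the `CurrentVersion` branch matches any key whose name starts with `Run` below that path, which presumably includes `Explorer\RunMRU` written on every Win+R use — a high-volume false-positive source worth tightening to explicit `\\Run\\`, `\\RunOnce\\` and `\\RunOnceEx\\` forms. The `$_.ID -eq "12"/"13"/"14"` test is also repeated inside the Office and Internet Explorer sub-branches although the outer condition already establishes it.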
diff --git a/Rules/SIGMA/registry_event/sysmon_bypass_via_wsreset.ps1 b/Rules/SIGMA/registry_event/sysmon_bypass_via_wsreset.ps1
new file mode 100644
index 00000000..c46adadb
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_bypass_via_wsreset.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_bypass_via_wsreset";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_bypass_via_wsreset";
+ $detectedMessage = "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_cmstp_execution_by_registry.ps1 b/Rules/SIGMA/registry_event/sysmon_cmstp_execution_by_registry.ps1
new file mode 100644
index 00000000..3f917e2d
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_cmstp_execution_by_registry.ps1
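Review bot: The `$detectedMessage` the analyst sees ("Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.") is ungrammatical and does not name the key or the technique; a clearer wording is `"UAC bypass via WSReset.exe (Windows 10): the Windows Store component WSReset.exe executes the command stored under the user-writable AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command key."`. Whether the bypass is "unfixed" is time-dependent and will go stale, so that claim is better left out of a detection message. The outer parentheses around the single `-match` and the doubled `.*.*` are converter artifacts that could be simplified for readability.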
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\cmmgr32.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_cmstp_execution_by_registry";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_cmstp_execution_by_registry";
+ $detectedMessage = "Detects various indicators of Microsoft Connection Manager Profile Installer execution";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\cmmgr32.exe.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_cobaltstrike_service_installs.ps1 b/Rules/SIGMA/registry_event/sysmon_cobaltstrike_service_installs.ps1
new file mode 100644
index 00000000..87016f3f
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_cobaltstrike_service_installs.ps1
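Review bot: In the `$result` filter the pattern `TargetObject.*.*\\cmmgr32.exe.*` leaves the dot in `cmmgr32.exe` as a regex metacharacter and carries a redundant doubled `.*` and trailing `.*`; for an unanchored `-match` the precise equivalent is `$_.message -match "TargetObject.*\\cmmgr32\.exe"`. The looseness is harmless here, but the same converter habit is not benign in sibling rules, so it is worth fixing at the source. The duplicate-registration branch prints `Rule Import Error` without saying which rule collided; `Write-Host "Rule Import Error: duplicate rule name '$ruleName'" -Foreground Yellow` would make the collision traceable. A short comment above the filter naming which CMSTP artifact writes a `\cmmgr32.exe` key would also help, since `$detectedMessage` only says "various indicators".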
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\System\\CurrentControlSet\\Services.*" -and (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "Details.*.*ADMIN$.*" -and $_.message -match "Details.*.*.exe.*") -or ($_.message -match "Details.*.*%COMSPEC%.*" -and $_.message -match "Details.*.*start.*" -and $_.message -match "Details.*.*powershell.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_cobaltstrike_service_installs";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_cobaltstrike_service_installs";
+ $detectedMessage = "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. ";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\System\\CurrentControlSet\\Services.*" -and (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "Details.*.*ADMIN$.*" -and $_.message -match "Details.*.*.exe.*") -or ($_.message -match "Details.*.*%COMSPEC%.*" -and $_.message -match "Details.*.*start.*" -and $_.message -match "Details.*.*powershell.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
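Review bot: `$_.message -match "Details.*.*ADMIN$.*"` uses `$` as a regex end-of-string anchor rather than as the literal character of the `ADMIN$` share name, so the first `-or` branch only matches when the message ends exactly in `ADMIN`, which a Details value of the form `\\host\ADMIN$\something.exe` never does; `"Details.*ADMIN\$.*"` keeps it literal (backslash is not an escape inside PowerShell double quotes, so it reaches the regex engine). Unescaped parentheses produce the same silent false negative in later hunks of this commit: `DWORD (0x00000001)` in sysmon_disable_microsoft_office_security_features, `DWORD (00000001)` in sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender, `DWORD (0x00000000)` in sysmon_disabled_pua_protection_on_microsoft_defender and sysmon_etw_disabled, `DWORD (0)` in sysmon_disabled_tamper_protection_on_microsoft_defender, and `command\\(Default)` in sysmon_narrator_feedback_persistance — in each the parentheses form a regex group, so the filter requires `DWORD 0x00000001` or `command\Default` and never matches the parenthesised text the rule author evidently expects; write them as `\(` and `\)`. The second `(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14"))` clause in this filter repeats the first and can be dropped.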
diff --git a/Rules/SIGMA/registry_event/sysmon_comhijack_sdclt.ps1 b/Rules/SIGMA/registry_event/sysmon_comhijack_sdclt.ps1
new file mode 100644
index 00000000..c20c5dea
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_comhijack_sdclt.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_comhijack_sdclt";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_comhijack_sdclt";
+ $detectedMessage = "Detects changes to 'HKCUSoftwareClassesFoldershellopenmmandDelegateExecute'";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_cve-2020-1048.ps1 b/Rules/SIGMA/registry_event/sysmon_cve-2020-1048.ps1
new file mode 100644
index 00000000..0f08449f
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_cve-2020-1048.ps1
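Review bot: `$detectedMessage` reads `'HKCUSoftwareClassesFoldershellopenmmandDelegateExecute'`, the registry path with its backslashes stripped and `command` reduced to `mmand`, so the analyst is shown a key that does not exist; the filter two lines below carries the intended value. Suggested line: `$detectedMessage = "Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'";` (backslashes are literal inside PowerShell double quotes, so no escaping is needed).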
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ports.*" -and ($_.message -match "Details.*.*.dll.*" -or $_.message -match "Details.*.*.exe.*" -or $_.message -match "Details.*.*.bat.*" -or $_.message -match "Details.*.*.com.*" -or $_.message -match "Details.*.*C:.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_cve-2020-1048";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_cve-2020-1048";
+ $detectedMessage = "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ports.*" -and ($_.message -match "Details.*.*.dll.*" -or $_.message -match "Details.*.*.exe.*" -or $_.message -match "Details.*.*.bat.*" -or $_.message -match "Details.*.*.com.*" -or $_.message -match "Details.*.*C:.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_dhcp_calloutdll.ps1 b/Rules/SIGMA/registry_event/sysmon_dhcp_calloutdll.ps1
new file mode 100644
index 00000000..4545328f
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_dhcp_calloutdll.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Services\\DHCPServer\\Parameters\\CalloutDlls" -or $_.message -match "TargetObject.*.*\\Services\\DHCPServer\\Parameters\\CalloutEnabled")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_dhcp_calloutdll";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_dhcp_calloutdll";
+ $detectedMessage = "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Services\\DHCPServer\\Parameters\\CalloutDlls" -or $_.message -match "TargetObject.*.*\\Services\\DHCPServer\\Parameters\\CalloutEnabled")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_disable_microsoft_office_security_features.ps1 b/Rules/SIGMA/registry_event/sysmon_disable_microsoft_office_security_features.ps1
new file mode 100644
index 00000000..10fc29d6
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_disable_microsoft_office_security_features.ps1
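Review bot: `$detectedMessage` stops mid-sentence at `... execute code in context of the`, so the alert text emitted by `Write-Output $detectedMessage` is truncated for the analyst. The sentence should be completed by the author; the sysmon_dns_serverlevelplugindll rule in the same commit ends its equivalent message with the service name and a `(restart required)` hint, which suggests the intended shape.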
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Office\\.*" -and ($_.message -match "TargetObject.*.*VBAWarnings" -or $_.message -match "TargetObject.*.*DisableInternetFilesInPV" -or $_.message -match "TargetObject.*.*DisableUnsafeLocationsInPV" -or $_.message -match "TargetObject.*.*DisableAttachementsInPV") -and $_.message -match "Details.*DWORD (0x00000001)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_disable_microsoft_office_security_features";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_disable_microsoft_office_security_features";
+ $detectedMessage = "Disable Microsoft Office Security Features by registry";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Office\\.*" -and ($_.message -match "TargetObject.*.*VBAWarnings" -or $_.message -match "TargetObject.*.*DisableInternetFilesInPV" -or $_.message -match "TargetObject.*.*DisableUnsafeLocationsInPV" -or $_.message -match "TargetObject.*.*DisableAttachementsInPV") -and $_.message -match "Details.*DWORD (0x00000001)") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.ps1 b/Rules/SIGMA/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.ps1
new file mode 100644
index 00000000..a01a2df1
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "TargetObject.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" -and $_.message -match "EventType.*CreateKey") -or $_.message -match "NewName.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_disable_security_events_logging_adding_reg_key_minint";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_disable_security_events_logging_adding_reg_key_minint";
+ $detectedMessage = "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "TargetObject.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" -and $_.message -match "EventType.*CreateKey") -or $_.message -match "NewName.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
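Review bot: The alert string `"Upon a reboot, Windows Event Log service will stopped write events."` is ungrammatical in user-facing output; `"Upon a reboot, the Windows Event Log service will stop writing events."` says the same thing. The filter itself covers both the CreateKey and the rename (`NewName`) paths for the MiniNt key, consistent with the `# Get-WinEvent` comment above it.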
diff --git a/Rules/SIGMA/registry_event/sysmon_disable_wdigest_credential_guard.ps1 b/Rules/SIGMA/registry_event/sysmon_disable_wdigest_credential_guard.ps1
new file mode 100644
index 00000000..cc8d0303
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_disable_wdigest_credential_guard.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\IsCredGuardEnabled") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_disable_wdigest_credential_guard";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_disable_wdigest_credential_guard";
+ $detectedMessage = "Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:SYSTEMCurrentControlSetControlSecurityProvidersWDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\IsCredGuardEnabled") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.ps1 b/Rules/SIGMA/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.ps1
new file mode 100644
index 00000000..35940396
--- /dev/null
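Review bot: `$detectedMessage` names the key as `HKLM:SYSTEMCurrentControlSetControlSecurityProvidersWDigest`, with every path separator lost, so the printed alert points at a path that does not exist; the components are still readable, and restoring the separators gives `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest` (backslashes are literal inside PowerShell double quotes, so this is a safe edit). The filter `"TargetObject.*.*\\IsCredGuardEnabled"` matches a value of that name under any key, not only WDigest; if that breadth is intended a one-line comment saying so would pre-empt the question, otherwise add the `WDigest\\` segment before the value name.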
+++ b/Rules/SIGMA/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride.*" -and $_.message -match "Details.*DWORD (00000001)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender";
+ $detectedMessage = "Detects disabling Windows Defender Exploit Guard Network Protection";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride.*" -and $_.message -match "Details.*DWORD (00000001)") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.ps1 b/Rules/SIGMA/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.ps1
new file mode 100644
index 00000000..382233b9
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection.*" -and $_.message -match "Details.*DWORD (0x00000000)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_disabled_pua_protection_on_microsoft_defender";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_disabled_pua_protection_on_microsoft_defender";
+ $detectedMessage = "Detects disabling Windows Defender PUA protection";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection.*" -and $_.message -match "Details.*DWORD (0x00000000)") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.ps1 b/Rules/SIGMA/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.ps1
new file mode 100644
index 00000000..60641777
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection.*" -and $_.message -match "Details.*DWORD (0)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_disabled_tamper_protection_on_microsoft_defender";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_disabled_tamper_protection_on_microsoft_defender";
+ $detectedMessage = "Detects disabling Windows Defender Tamper Protection";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection.*" -and $_.message -match "Details.*DWORD (0)") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_dns_serverlevelplugindll.ps1 b/Rules/SIGMA/registry_event/sysmon_dns_serverlevelplugindll.ps1
new file mode 100644
index 00000000..250a0d74
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_dns_serverlevelplugindll.ps1
@@ -0,0 +1,41 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\services\\DNS\\Parameters\\ServerLevelPluginDll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\dnscmd.exe" -and $_.message -match "CommandLine.*.*/config.*" -and $_.message -match "CommandLine.*.*/serverlevelplugindll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_dns_serverlevelplugindll";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_dns_serverlevelplugindll";
+ $detectedMessage = "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
+(restart required)";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\services\\DNS\\Parameters\\ServerLevelPluginDll") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "Image.*.*\\dnscmd.exe" -and $_.message -match "CommandLine.*.*/config.*" -and $_.message -match "CommandLine.*.*/serverlevelplugindll.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_enabling_cor_profiler_env_variables.ps1 b/Rules/SIGMA/registry_event/sysmon_enabling_cor_profiler_env_variables.ps1
new file mode 100644
index 00000000..09f0848e
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_enabling_cor_profiler_env_variables.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\COR_ENABLE_PROFILING" -or $_.message -match "TargetObject.*.*\\COR_PROFILER")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_enabling_cor_profiler_env_variables";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_enabling_cor_profiler_env_variables";
+ $detectedMessage = "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\COR_ENABLE_PROFILING" -or $_.message -match "TargetObject.*.*\\COR_PROFILER")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_etw_disabled.ps1 b/Rules/SIGMA/registry_event/sysmon_etw_disabled.ps1
new file mode 100644
index 00000000..7b08e0a8
--- /dev/null
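Review bot: `$detectedMessage` is a double-quoted literal that spans two source lines (`... DNS server` / `(restart required)"`), so the alert printed by `Write-Output $detectedMessage` carries an embedded newline where a space was evidently intended; keep it on one line as `"... in context of the DNS server (restart required)"`. The second `$tmp` query keys on event ID 1 (`dnscmd.exe` with `/config` and `/serverlevelplugindll`), so this rule needs process-creation records in its input even though the file sits under registry_event; a comment above the `$results` list noting that two event types are combined would help whoever wires up the input. Both queries print the same `$detectedMessage`, which is acceptable, but the output then does not indicate which of the two fired.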
+++ b/Rules/SIGMA/registry_event/sysmon_etw_disabled.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" -and $_.message -match "Details.*DWORD (0x00000000)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_etw_disabled";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_etw_disabled";
+ $detectedMessage = "Potential adversaries stopping ETW providers recording loaded .NET assemblies.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" -and $_.message -match "Details.*DWORD (0x00000000)") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_hack_wce_reg.ps1 b/Rules/SIGMA/registry_event/sysmon_hack_wce_reg.ps1
new file mode 100644
index 00000000..54a99bd6
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_hack_wce_reg.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*Services\\WCESERVICE\\Start.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_hack_wce_reg";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_hack_wce_reg";
+ $detectedMessage = "Detects the use of Windows Credential Editor (WCE)";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*Services\\WCESERVICE\\Start.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_hybridconnectionmgr_svc_installation.ps1 b/Rules/SIGMA/registry_event/sysmon_hybridconnectionmgr_svc_installation.ps1
new file mode 100644
index 00000000..48fb1e31
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_hybridconnectionmgr_svc_installation.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Services\\HybridConnectionManager.*" -or $_.message -match "Details.*.*Microsoft.HybridConnectionManager.Listener.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_hybridconnectionmgr_svc_installation";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_hybridconnectionmgr_svc_installation";
+ $detectedMessage = "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Services\\HybridConnectionManager.*" -or $_.message -match "Details.*.*Microsoft.HybridConnectionManager.Listener.exe.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.ps1 b/Rules/SIGMA/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.ps1
new file mode 100644
index 00000000..355cccbf
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*UserInitMprLogonScript.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_logon_scripts_userinitmprlogonscript_reg";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_logon_scripts_userinitmprlogonscript_reg";
+ $detectedMessage = "Detects creation or execution of UserInitMprLogonScript persistence method";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*UserInitMprLogonScript.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_modify_screensaver_binary_path.ps1 b/Rules/SIGMA/registry_event/sysmon_modify_screensaver_binary_path.ps1
new file mode 100644
index 00000000..0aec5b1b
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_modify_screensaver_binary_path.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*\\Control Panel\\Desktop\\SCRNSAVE.EXE" -and -not (($_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\explorer.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_modify_screensaver_binary_path";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_modify_screensaver_binary_path";
+ $detectedMessage = "Detects value modification of registry key containing path to binary used as screensaver.";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*\\Control Panel\\Desktop\\SCRNSAVE.EXE" -and -not (($_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\explorer.exe"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_narrator_feedback_persistance.ps1 b/Rules/SIGMA/registry_event/sysmon_narrator_feedback_persistance.ps1
new file mode 100644
index 00000000..d72dfc04
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_narrator_feedback_persistance.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "EventType.*DeleteValue" -and $_.message -match "TargetObject.*.*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute") -or $_.message -match "TargetObject.*.*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_narrator_feedback_persistance";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_narrator_feedback_persistance";
+ $detectedMessage = "Detects abusing Windows 10 Narrator's Feedback-Hub";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "EventType.*DeleteValue" -and $_.message -match "TargetObject.*.*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute") -or $_.message -match "TargetObject.*.*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_new_application_appcompat.ps1 b/Rules/SIGMA/registry_event/sysmon_new_application_appcompat.ps1
new file mode 100644
index 00000000..b56436e4
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_new_application_appcompat.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\AppCompatFlags\\Compatibility Assistant\\Store\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_new_application_appcompat";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_new_application_appcompat";
+ $detectedMessage = "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\AppCompatFlags\\Compatibility Assistant\\Store\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.ps1 b/Rules/SIGMA/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.ps1
new file mode 100644
index 00000000..6ea10a4c
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" -or $_.message -match "NewName.*HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_new_dll_added_to_appcertdlls_registry_key";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_new_dll_added_to_appcertdlls_registry_key";
+ $detectedMessage = "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" -or $_.message -match "NewName.*HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.ps1 b/Rules/SIGMA/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.ps1
new file mode 100644
index 00000000..b7c7bee7
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.ps1
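Review bot: The `NewName` alternative in the `$result` filter and the header comment spells the path `HKLM\\SYSTEM\\CurentControlSet\\...` (missing the second `r`), so a key renamed into AppCertDlls (Event 14) never matches, even though the `TargetObject` alternative beside it uses the correct `CurrentControlSet`. Fix both occurrences: `$_.message -match "NewName.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls"`. The typo appears to be carried over from the upstream rule this file was generated from, so it is worth correcting there too or it will come back on the next regeneration.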
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls") -or ($_.message -match "NewName.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls" -or $_.message -match "NewName.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_new_dll_added_to_appinit_dlls_registry_key";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_new_dll_added_to_appinit_dlls_registry_key";
+ $detectedMessage = "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLMSoftwareMicrosoftWindows NTCurrentVersionWindows are loaded by user32.dll";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls") -or ($_.message -match "NewName.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls" -or $_.message -match "NewName.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_office_test_regadd.ps1 b/Rules/SIGMA/registry_event/sysmon_office_test_regadd.ps1
new file mode 100644
index 00000000..65011dc2
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_office_test_regadd.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf" -or $_.message -match "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_office_test_regadd";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_office_test_regadd";
+ $detectedMessage = "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed everytime an Office application is started";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf" -or $_.message -match "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
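Review bot: The `$detectedMessage` string in the AppInit_Dlls rule has lost its path separators — `HKLMSoftwareMicrosoftWindows NTCurrentVersionWindows` — and that is the text an analyst sees when the rule fires, so it no longer names a real registry key. Restore them: `$detectedMessage = "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll";`. Backslashes are literal in a PowerShell double-quoted string, so no escaping is needed; the separators were presumably stripped during conversion from the source rule, so check the other generated messages for the same loss.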
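Review bot: Both patterns in the office_test_regadd `$result` filter and its header comment match `HKEY_CURRENT_USER\\...` and `HKEY_LOCAL_MACHINE\\...`, while the other rules in this changeset (AppCertDlls, HTMLHelp, SAM, CLSID) match Sysmon's short hive names `HKLM\\` and `HKU\\`; as far as I know Sysmon writes `HKLM\...` and `HKU\<SID>\...` into TargetObject, so this rule would not match a real event. A hive-independent pattern anchored to the field covers both cases: `$_.message -match "TargetObject.*\\Software\\Microsoft\\Office test\\Special\\Perf"`. Confirm against a real Event 13 before relying on the rule; the current patterns are also not tied to `TargetObject`, so they would match the text anywhere in the message.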
diff --git a/Rules/SIGMA/registry_event/sysmon_office_vsto_persistence.ps1 b/Rules/SIGMA/registry_event/sysmon_office_vsto_persistence.ps1
new file mode 100644
index 00000000..547a8d4c
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_office_vsto_persistence.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "EventType.*SetValue" -and ($_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Outlook\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Word\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Excel\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\.*")) -and -not ($_.message -match "Image.*.*\\msiexec.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_office_vsto_persistence";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_office_vsto_persistence";
+ $detectedMessage = "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "EventType.*SetValue" -and ($_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Outlook\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Word\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Excel\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\.*")) -and -not ($_.message -match "Image.*.*\\msiexec.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.ps1 b/Rules/SIGMA/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.ps1
new file mode 100644
index 00000000..74efe7e8
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.ps1
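Review bot: The exclusion `-not ($_.message -match "Image.*.*\\msiexec.exe")` in the `$result` filter exempts any process whose image name is msiexec.exe regardless of where it runs from, so a copy dropped into a user-writable directory could write an Office add-in key without triggering the rule. If the intent is to ignore the Windows Installer, anchor the path as well, e.g. `-not ($_.message -match "Image: C:\\Windows\\(System32|SysWOW64)\\msiexec.exe")` (adjust the drive if the fleet uses another system volume). The same change belongs in the header one-liner so the two stay in sync.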
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "IntegrityLevel.*Medium" -and $_.message -match "TargetObject.*.*\\services\\.*" -and ($_.message -match "TargetObject.*.*\\ImagePath" -or $_.message -match "TargetObject.*.*\\FailureCommand" -or $_.message -match "TargetObject.*.*\\Parameters\\ServiceDll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness";
+ $detectedMessage = "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "IntegrityLevel.*Medium" -and $_.message -match "TargetObject.*.*\\services\\.*" -and ($_.message -match "TargetObject.*.*\\ImagePath" -or $_.message -match "TargetObject.*.*\\FailureCommand" -or $_.message -match "TargetObject.*.*\\Parameters\\ServiceDll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_powershell_as_service.ps1 b/Rules/SIGMA/registry_event/sysmon_powershell_as_service.ps1
new file mode 100644
index 00000000..f92043d7
--- /dev/null
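Review bot: The `$result` filter requires `$_.message -match "IntegrityLevel.*Medium"`, but as far as I know Sysmon registry events 12/13/14 carry no IntegrityLevel field (it belongs to the process-creation event), so this `-and` would make the rule unmatchable and it would silently never fire. Verify against a real Event 13 from the Sysmon version in use; if the field is absent, remove the `-and $_.message -match "IntegrityLevel.*Medium"` clause from both the header comment and the filter, and reword `$detectedMessage` so it no longer claims the integrity level was checked. The remaining conditions (ImagePath, FailureCommand or Parameters\ServiceDll under a services key) stand on their own.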
+++ b/Rules/SIGMA/registry_event/sysmon_powershell_as_service.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Services\\.*" -and $_.message -match "TargetObject.*.*\\ImagePath" -and ($_.message -match "Details.*.*powershell.*" -or $_.message -match "Details.*.*pwsh.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_powershell_as_service";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_powershell_as_service";
+ $detectedMessage = "Detects that a powershell code is written to the registry as a service.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Services\\.*" -and $_.message -match "TargetObject.*.*\\ImagePath" -and ($_.message -match "Details.*.*powershell.*" -or $_.message -match "Details.*.*pwsh.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_rdp_registry_modification.ps1 b/Rules/SIGMA/registry_event/sysmon_rdp_registry_modification.ps1
new file mode 100644
index 00000000..191f6bfb
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_rdp_registry_modification.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" -or $_.message -match "TargetObject.*.*\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections") -and $_.message -match "Details.*DWORD (0x00000000)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_rdp_registry_modification";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_rdp_registry_modification";
+ $detectedMessage = "Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" -or $_.message -match "TargetObject.*.*\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections") -and $_.message -match "Details.*DWORD (0x00000000)") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_rdp_settings_hijack.ps1 b/Rules/SIGMA/registry_event/sysmon_rdp_settings_hijack.ps1
new file mode 100644
index 00000000..9de4c267
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_rdp_settings_hijack.ps1
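Review bot: `$_.message -match "Details.*DWORD (0x00000000)"` treats the parentheses as a capture group, so it matches the text `DWORD 0x00000000` and never the `DWORD (0x00000000)` form Sysmon writes into the Details field; as written this rule cannot fire on the RDP-enable change it is meant to catch. Escape them in both the header comment and the `$result` filter: `$_.message -match "Details.*DWORD \(0x00000000\)"`. Running each rule's header one-liner against a captured sample event before committing would catch this class of regex slip.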
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\services\\TermService\\Parameters\\ServiceDll.*" -or $_.message -match "TargetObject.*.*\\Control\\Terminal Server\\fSingleSessionPerUser.*" -or $_.message -match "TargetObject.*.*\\Control\\Terminal Server\\fDenyTSConnections.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_rdp_settings_hijack";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_rdp_settings_hijack";
+ $detectedMessage = "Detects changes to RDP terminal service sensitive settings";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\services\\TermService\\Parameters\\ServiceDll.*" -or $_.message -match "TargetObject.*.*\\Control\\Terminal Server\\fSingleSessionPerUser.*" -or $_.message -match "TargetObject.*.*\\Control\\Terminal Server\\fDenyTSConnections.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_redmimicry_winnti_reg.ps1 b/Rules/SIGMA/registry_event/sysmon_redmimicry_winnti_reg.ps1
new file mode 100644
index 00000000..e485d53f
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_redmimicry_winnti_reg.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_redmimicry_winnti_reg";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_redmimicry_winnti_reg";
+ $detectedMessage = "Detects actions caused by the RedMimicry Winnti playbook";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_reg_office_security.ps1 b/Rules/SIGMA/registry_event/sysmon_reg_office_security.ps1
new file mode 100644
index 00000000..85d9fd09
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_reg_office_security.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Security\\Trusted Documents\\TrustRecords" -or $_.message -match "TargetObject.*.*\\Security\\AccessVBOM" -or $_.message -match "TargetObject.*.*\\Security\\VBAWarnings")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_reg_office_security";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_reg_office_security";
+ $detectedMessage = "Detects registry changes to Office macro settings";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Security\\Trusted Documents\\TrustRecords" -or $_.message -match "TargetObject.*.*\\Security\\AccessVBOM" -or $_.message -match "TargetObject.*.*\\Security\\VBAWarnings")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_reg_silentprocessexit.ps1 b/Rules/SIGMA/registry_event/sysmon_reg_silentprocessexit.ps1
new file mode 100644
index 00000000..04082714
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_reg_silentprocessexit.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit.*" -and $_.message -match "Details.*.*MonitorProcess.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_reg_silentprocessexit";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_reg_silentprocessexit";
+ $detectedMessage = "Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit.*" -and $_.message -match "Details.*.*MonitorProcess.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_reg_silentprocessexit_lsass.ps1 b/Rules/SIGMA/registry_event/sysmon_reg_silentprocessexit_lsass.ps1
new file mode 100644
index 00000000..1d02b5a1
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_reg_silentprocessexit_lsass.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_reg_silentprocessexit_lsass";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_reg_silentprocessexit_lsass";
+ $detectedMessage = "Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_reg_vbs_payload_stored.ps1 b/Rules/SIGMA/registry_event/sysmon_reg_vbs_payload_stored.ps1
new file mode 100644
index 00000000..3bea6d5f
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_reg_vbs_payload_stored.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows\\CurrentVersion.*" -and ($_.message -match "Details.*.*vbscript.*" -or $_.message -match "Details.*.*jscript.*" -or $_.message -match "Details.*.*mshtml.*" -or $_.message -match "Details.*.*mshtml,.*" -or $_.message -match "Details.*.*mshtml .*" -or $_.message -match "Details.*.*RunHTMLApplication.*" -or $_.message -match "Details.*.*Execute(.*" -or $_.message -match "Details.*.*CreateObject.*" -or $_.message -match "Details.*.*RegRead.*" -or $_.message -match "Details.*.*window.close.*")) -and -not ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows\\CurrentVersion\\Run.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_reg_vbs_payload_stored";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_reg_vbs_payload_stored";
+ $detectedMessage = "Detects VBScript content stored into registry keys as seen being used by UNC2452 group";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows\\CurrentVersion.*" -and ($_.message -match "Details.*.*vbscript.*" -or $_.message -match "Details.*.*jscript.*" -or $_.message -match "Details.*.*mshtml.*" -or $_.message -match "Details.*.*mshtml,.*" -or $_.message -match "Details.*.*mshtml .*" -or $_.message -match "Details.*.*RunHTMLApplication.*" -or $_.message -match "Details.*.*Execute(.*" -or $_.message -match "Details.*.*CreateObject.*" -or $_.message -match "Details.*.*RegRead.*" -or $_.message -match "Details.*.*window.close.*")) -and -not ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows\\CurrentVersion\\Run.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_registry_add_local_hidden_user.ps1 b/Rules/SIGMA/registry_event/sysmon_registry_add_local_hidden_user.ps1
new file mode 100644
index 00000000..4ebd903a
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_registry_add_local_hidden_user.ps1
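Review bot: `$_.message -match "Details.*.*Execute(.*"` is not a valid .NET regex (unbalanced `(`), so `-match` raises a pattern-parse error instead of returning false; because the alternatives are chained with `-or`, that pattern is reached for every CurrentVersion event whose Details does not contain one of the earlier keywords, which is exactly the path on which the rule is supposed to run, so the filter errors out rather than completing. Fix both the header comment and the `$result` filter: `$_.message -match "Details.*Execute\("`. The hunk starts on the previous line; the other alternatives (`window.close` with an unescaped dot, for example) are loose but not broken.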
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\.*" -and $_.message -match "TargetObject.*.*$" -and $_.message -match "Image.*.*lsass.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_registry_add_local_hidden_user";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_registry_add_local_hidden_user";
+ $detectedMessage = "Sysmon registry detection of a local hidden user account.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\.*" -and $_.message -match "TargetObject.*.*$" -and $_.message -match "Image.*.*lsass.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_registry_persistence_key_linking.ps1 b/Rules/SIGMA/registry_event/sysmon_registry_persistence_key_linking.ps1
new file mode 100644
index 00000000..4ba7852d
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_registry_persistence_key_linking.ps1
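Review bot: `$_.message -match "TargetObject.*.*$"` does not test for a trailing dollar sign in the account name, which is presumably what this hidden-user rule is after: PowerShell leaves `$"` as a literal dollar in the string, but the regex engine then reads the unescaped `$` as its end-of-line anchor, so the clause only tests where the TargetObject line sits in the multi-line message (with `-match`'s single-line default it holds only when that field is the last line), never whether the name ends in `$`. Escape it and anchor the field explicitly, in both the header comment and the `$result` filter: `$_.message -match "(?m)^TargetObject:.*\$\s*$"`. `\$` is not an escape sequence in a double-quoted PowerShell string, so it reaches the regex engine intact.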
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*CreateKey" -and $_.message -match "TargetObject.*.*HKU\\.*" -and $_.message -match "TargetObject.*.*_Classes\\CLSID\\.*" -and $_.message -match "TargetObject.*.*\\TreatAs.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_registry_persistence_key_linking";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_registry_persistence_key_linking";
+ $detectedMessage = "Detects COM object hijacking via TreatAs subkey";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*CreateKey" -and $_.message -match "TargetObject.*.*HKU\\.*" -and $_.message -match "TargetObject.*.*_Classes\\CLSID\\.*" -and $_.message -match "TargetObject.*.*\\TreatAs.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_registry_persistence_search_order.ps1 b/Rules/SIGMA/registry_event/sysmon_registry_persistence_search_order.ps1
new file mode 100644
index 00000000..29447cbc
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_registry_persistence_search_order.ps1
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*HKU\\.*" -and $_.message -match "TargetObject.*.*_Classes\\CLSID\\.*" -and $_.message -match "TargetObject.*.*\\InProcServer32\\(Default).*") -and -not (((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "Details.*.*%%systemroot%%\\system32\\.*" -or $_.message -match "Details.*.*%%systemroot%%\\SysWow64\\.*") -or (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "Details.*.*\\AppData\\Local\\Microsoft\\OneDrive\\.*" -and ($_.message -match "Details.*.*\\FileCoAuthLib64.dll.*" -or $_.message -match "Details.*.*\\FileSyncShell64.dll.*" -or $_.message -match "Details.*.*\\FileSyncApi64.dll.*"))) -or ($_.message -match "Details.*.*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\.*" -and $_.message -match "Details.*.*\\Microsoft.Teams.AddinLoader.dll.*") -or ($_.message -match "Details.*.*\\AppData\\Roaming\\Dropbox\\.*" -and $_.message -match "Details.*.*\\DropboxExt64..*.dll.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_registry_persistence_search_order"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_registry_persistence_search_order"; + $detectedMessage = "Detects potential COM object hijacking leveraging the COM Search Order"; + $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*HKU\\.*" -and $_.message -match "TargetObject.*.*_Classes\\CLSID\\.*" -and $_.message -match "TargetObject.*.*\\InProcServer32\\(Default).*") -and -not (((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "Details.*.*%%systemroot%%\\system32\\.*" -or $_.message -match "Details.*.*%%systemroot%%\\SysWow64\\.*") 
-or (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "Details.*.*\\AppData\\Local\\Microsoft\\OneDrive\\.*" -and ($_.message -match "Details.*.*\\FileCoAuthLib64.dll.*" -or $_.message -match "Details.*.*\\FileSyncShell64.dll.*" -or $_.message -match "Details.*.*\\FileSyncApi64.dll.*"))) -or ($_.message -match "Details.*.*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\.*" -and $_.message -match "Details.*.*\\Microsoft.Teams.AddinLoader.dll.*") -or ($_.message -match "Details.*.*\\AppData\\Roaming\\Dropbox\\.*" -and $_.message -match "Details.*.*\\DropboxExt64..*.dll.*"))))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_registry_susp_printer_driver.ps1 b/Rules/SIGMA/registry_event/sysmon_registry_susp_printer_driver.ps1 new file mode 100644 index 00000000..7655e219 --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_registry_susp_printer_driver.ps1 
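Review bot: `\\InProcServer32\\(Default).*` in the `where` block treats `(Default)` as a regex capture group, so the pattern requires the literal text `\Default` and never matches the `\(Default)` form Sysmon uses for a key's default value, which leaves the rule dead. Escape the parentheses: `$_.message -match "TargetObject.*.*\\InProcServer32\\\(Default\).*"`. Separately, the exclusions compare Details against `%%systemroot%%\\system32\\` with a doubled percent sign; whether the Sysmon Details field really contains `%%systemroot%%` rather than `%systemroot%` should be confirmed, since otherwise the system32/SysWow64 exclusion never applies and every legitimate COM registration under HKU would be reported.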
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows x64\\Drivers.*" -and $_.message -match "TargetObject.*.*\\Manufacturer.*" -and $_.message -match "Details.*(Empty)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_registry_susp_printer_driver"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_registry_susp_printer_driver"; + $detectedMessage = "Detects a suspicious printer driver installation with an empty Manufacturer value"; + $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows x64\\Drivers.*" -and $_.message -match "TargetObject.*.*\\Manufacturer.*" -and $_.message -match "Details.*(Empty)") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_registry_trust_record_modification.ps1 b/Rules/SIGMA/registry_event/sysmon_registry_trust_record_modification.ps1 new file mode 100644 index 00000000..1f327a92 --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_registry_trust_record_modification.ps1 
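Review bot: `Details.*(Empty)` uses unescaped parentheses, so the regex only requires the word `Empty` somewhere after `Details` and would also accept a Manufacturer value such as `EmptyCorp`; it currently matches the real placeholder only because `.*` absorbs the opening parenthesis. Escape them to match the literal Sysmon placeholder: `$_.message -match "Details.*\(Empty\)"`.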
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*TrustRecords.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_registry_trust_record_modification";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_registry_trust_record_modification";
+ $detectedMessage = "Alerts on trust record modification within the registry, indicating usage of macros";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*TrustRecords.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_removal_amsi_registry_key.ps1 b/Rules/SIGMA/registry_event/sysmon_removal_amsi_registry_key.ps1
new file mode 100644
index 00000000..58d8292d
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_removal_amsi_registry_key.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*DeleteKey" -and ($_.message -match "TargetObject.*.*{2781761E-28E0-4109-99FE-B9D127C57AFE}" -or $_.message -match "TargetObject.*.*{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_removal_amsi_registry_key";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_removal_amsi_registry_key";
+ $detectedMessage = "Remove the AMSI Provider registry key in HKLMSoftwareMicrosoftAMSI to disable AMSI inspection";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*DeleteKey" -and ($_.message -match "TargetObject.*.*{2781761E-28E0-4109-99FE-B9D127C57AFE}" -or $_.message -match "TargetObject.*.*{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_removal_com_hijacking_registry_key.ps1 b/Rules/SIGMA/registry_event/sysmon_removal_com_hijacking_registry_key.ps1
new file mode 100644
index 00000000..83e71fa9
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_removal_com_hijacking_registry_key.ps1
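Review bot: The `$detectedMessage` text has lost its path separators (`HKLMSoftwareMicrosoftAMSI`), presumably during conversion from the Sigma description, so the printed alert names a key that does not exist; it should read `"Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection"`, and since this is a double-quoted PowerShell string no escaping of the backslashes is needed. The same corruption is in sysmon_removal_com_hijacking_registry_key.ps1 in this commit, where `.*shellopenmmand` stands for `\shell\open\command`.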
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*DeleteKey" -and $_.message -match "TargetObject.*.*\\shell\\open\\command") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_removal_com_hijacking_registry_key";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_removal_com_hijacking_registry_key";
+ $detectedMessage = "A General detection to trigger for processes removing .*shellopenmmand registry keys. Registry keys that might have been used for COM hijacking activities.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*DeleteKey" -and $_.message -match "TargetObject.*.*\\shell\\open\\command") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_runkey_winekey.ps1 b/Rules/SIGMA/registry_event/sysmon_runkey_winekey.ps1
new file mode 100644
index 00000000..64241a09
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_runkey_winekey.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_runkey_winekey";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_runkey_winekey";
+ $detectedMessage = "Detects potential malicious modification of run keys by winekey or team9 backdoor";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_runonce_persistence.ps1 b/Rules/SIGMA/registry_event/sysmon_runonce_persistence.ps1
new file mode 100644
index 00000000..6b4d0900
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_runonce_persistence.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.*" -and $_.message -match "TargetObject.*.*\\StubPath") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_runonce_persistence";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_runonce_persistence";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.*" -and $_.message -match "TargetObject.*.*\\StubPath") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_ssp_added_lsa_config.ps1 b/Rules/SIGMA/registry_event/sysmon_ssp_added_lsa_config.ps1
new file mode 100644
index 00000000..db9355e6
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_ssp_added_lsa_config.ps1
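Review bot: `Search-DetectableEvents` never assigns `$detectedMessage`, yet `Write-Output $detectedMessage` runs whenever a match is found, so the alert prints an empty line (or fails outright under `Set-StrictMode`) instead of a description. Add it next to the inner `$ruleName`, e.g. `$detectedMessage = "Detects persistence via an Active Setup StubPath registry entry";` (constructed wording; take the final text from the source Sigma rule's description). The same omission is in sysmon_susp_atbroker_change.ps1, sysmon_susp_download_run_key.ps1 and sysmon_susp_service_installed.ps1 in this commit; every other rule here defines the message.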
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages" -or $_.message -match "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages") -and -not ($_.message -match "Image.*C:\\Windows\\system32\\msiexec.exe" -or $_.message -match "Image.*C:\\Windows\\syswow64\\MsiExec.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_ssp_added_lsa_config"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_ssp_added_lsa_config"; + $detectedMessage = "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows."; + $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages" -or $_.message -match "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages") -and -not ($_.message -match "Image.*C:\\Windows\\system32\\msiexec.exe" -or $_.message -match "Image.*C:\\Windows\\syswow64\\MsiExec.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_stickykey_like_backdoor.ps1 b/Rules/SIGMA/registry_event/sysmon_stickykey_like_backdoor.ps1 new file mode 100644 index 00000000..74d597a5 --- /dev/null 
+++ b/Rules/SIGMA/registry_event/sysmon_stickykey_like_backdoor.ps1 
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\winlogon.exe" -and $_.message -match "Image.*.*\\cmd.exe" -and ($_.message -match "CommandLine.*.*sethc.exe.*" -or $_.message -match "CommandLine.*.*utilman.exe.*" -or $_.message -match "CommandLine.*.*osk.exe.*" -or $_.message -match "CommandLine.*.*Magnify.exe.*" -or $_.message -match "CommandLine.*.*Narrator.exe.*" -or $_.message -match "CommandLine.*.*DisplaySwitch.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_stickykey_like_backdoor"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_stickykey_like_backdoor"; + $detectedMessage = "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are 
accessible in the login screen"; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\winlogon.exe" -and $_.message -match "Image.*.*\\cmd.exe" -and ($_.message -match "CommandLine.*.*sethc.exe.*" -or $_.message -match "CommandLine.*.*utilman.exe.*" -or $_.message -match "CommandLine.*.*osk.exe.*" -or $_.message -match "CommandLine.*.*Magnify.exe.*" -or $_.message -match "CommandLine.*.*Narrator.exe.*" -or $_.message -match "CommandLine.*.*DisplaySwitch.exe.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_susp_atbroker_change.ps1 b/Rules/SIGMA/registry_event/sysmon_susp_atbroker_change.ps1 new file mode 100644 index 00000000..5ff517d7 --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_susp_atbroker_change.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs.*" -or $_.message -match "TargetObject.*.*Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_atbroker_change"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_atbroker_change"; + $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs.*" -or $_.message -match "TargetObject.*.*Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_susp_download_run_key.ps1 b/Rules/SIGMA/registry_event/sysmon_susp_download_run_key.ps1 new file mode 100644 index 00000000..94cc5f5c 
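Review bot: The six `-match` alternatives in the first `where` block of Search-DetectableEvents repeat the full `\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\` prefix, and the six `CommandLine` alternatives in the second repeat the same tool list, so adding or removing a tool must be done in two places and the very long lines are hard to audit. A single alternation keeps the lists aligned and matches the same events, since `-match` is case-insensitive by default: `$_.message -match "TargetObject.*\\Image File Execution Options\\(sethc|utilman|osk|Magnify|Narrator|DisplaySwitch)\.exe\\Debugger"` and `$_.message -match "CommandLine.*(sethc|utilman|osk|Magnify|Narrator|DisplaySwitch)\.exe"`. The same de-duplication would shorten the two Get-WinEvent comments at the top of the file.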
--- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_susp_download_run_key.ps1 @@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "Image.*.*\\Downloads\\.*" -or $_.message -match "Image.*.*\\Temporary Internet Files\\Content.Outlook\\.*" -or $_.message -match "Image.*.*\\Local Settings\\Temporary Internet Files\\.*") -and $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_download_run_key"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_download_run_key"; + $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "Image.*.*\\Downloads\\.*" -or $_.message -match "Image.*.*\\Temporary Internet Files\\Content.Outlook\\.*" -or $_.message -match "Image.*.*\\Local Settings\\Temporary Internet Files\\.*") -and $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_susp_lsass_dll_load.ps1 b/Rules/SIGMA/registry_event/sysmon_susp_lsass_dll_load.ps1 new file mode 100644 index 00000000..e49dbde3 --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_susp_lsass_dll_load.ps1 
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt.*" -or $_.message -match "TargetObject.*.*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_lsass_dll_load";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_lsass_dll_load";
+ $detectedMessage = "Detects a method to load DLL via LSASS process using an undocumented Registry key";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt.*" -or $_.message -match "TargetObject.*.*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_susp_mic_cam_access.ps1 b/Rules/SIGMA/registry_event/sysmon_susp_mic_cam_access.ps1
new file mode 100644
index 00000000..1875c496
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_susp_mic_cam_access.ps1
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\.*" -and $_.message -match "TargetObject.*.*\\NonPackaged.*" -and ($_.message -match "TargetObject.*.*microphone.*" -or $_.message -match "TargetObject.*.*webcam.*") -and ($_.message -match "TargetObject.*.*#C:#Windows#Temp#.*" -or $_.message -match "TargetObject.*.*#C:#$Recycle.bin#.*" -or $_.message -match "TargetObject.*.*#C:#Temp#.*" -or $_.message -match "TargetObject.*.*#C:#Users#Public#.*" -or $_.message -match "TargetObject.*.*#C:#Users#Default#.*" -or $_.message -match "TargetObject.*.*#C:#Users#Desktop#.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_mic_cam_access"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_mic_cam_access"; + $detectedMessage = "Detects Processes accessing the camera and microphone from suspicious folder"; + $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\.*" -and $_.message -match "TargetObject.*.*\\NonPackaged.*" -and ($_.message -match "TargetObject.*.*microphone.*" -or $_.message -match "TargetObject.*.*webcam.*") -and ($_.message -match "TargetObject.*.*#C:#Windows#Temp#.*" -or $_.message -match "TargetObject.*.*#C:#$Recycle.bin#.*" -or $_.message -match "TargetObject.*.*#C:#Temp#.*" -or $_.message -match "TargetObject.*.*#C:#Users#Public#.*" -or $_.message -match "TargetObject.*.*#C:#Users#Default#.*" -or $_.message -match "TargetObject.*.*#C:#Users#Desktop#.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 
0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_susp_reg_persist_explorer_run.ps1 b/Rules/SIGMA/registry_event/sysmon_susp_reg_persist_explorer_run.ps1 new file mode 100644 index 00000000..14a93b82 --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_susp_reg_persist_explorer_run.ps1 
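Review bot: `"TargetObject.*.*#C:#$Recycle.bin#.*"` in the `where` block is a double-quoted PowerShell string, so `$Recycle` is expanded as a variable (empty unless something in the loading scope defines it) and the pattern degenerates to `#C:#.bin#`, which never matches the `$Recycle.bin` folder the rule is meant to flag. Use a single-quoted pattern with the dollar sign escaped for the regex: `$_.message -match 'TargetObject.*#C:#\$Recycle\.bin#.*'`. The same expansion affects sysmon_susp_reg_persist_explorer_run.ps1 and sysmon_susp_run_key_img_folder.ps1 in this commit, where the extra backslash in `C:\\\$Recycle.bin` does not prevent it because backslash is not an escape character in PowerShell strings (backtick is).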
@@ -0,0 +1,32 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" -and (($_.message -match "Details.*C:\\Windows\\Temp\\.*" -or $_.message -match "Details.*C:\\ProgramData\\.*" -or $_.message -match "Details.*C:\\$Recycle.bin\\.*" -or $_.message -match "Details.*C:\\Temp\\.*" -or $_.message -match "Details.*C:\\Users\\Public\\.*" -or $_.message -match "Details.*C:\\Users\\Default\\.*") -or ($_.message -match "Details.*.*\\AppData\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_reg_persist_explorer_run"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_reg_persist_explorer_run"; + $detectedMessage = "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder"; + $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" -and (($_.message -match "Details.*C:\\Windows\\Temp\\.*" -or $_.message -match "Details.*C:\\ProgramData\\.*" -or $_.message -match "Details.*C:\\\$Recycle.bin\\.*" -or $_.message -match "Details.*C:\\Temp\\.*" -or $_.message -match "Details.*C:\\Users\\Public\\.*" -or $_.message -match "Details.*C:\\Users\\Default\\.*") -or ($_.message -match "Details.*.*\\AppData\\.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_susp_run_key_img_folder.ps1 b/Rules/SIGMA/registry_event/sysmon_susp_run_key_img_folder.ps1 new file mode 100644 index 00000000..6d617cd4 --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_susp_run_key_img_folder.ps1 
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\.*") -and (($_.message -match "Details.*.*C:\\Windows\\Temp\\.*" -or $_.message -match "Details.*.*C:\\$Recycle.bin\\.*" -or $_.message -match "Details.*.*C:\\Temp\\.*" -or $_.message -match "Details.*.*C:\\Users\\Public\\.*" -or $_.message -match "Details.*.*C:\\Users\\Default\\.*" -or $_.message -match "Details.*.*C:\\Users\\Desktop\\.*") -or ($_.message -match "Details.*%Public%\\.*" -or $_.message -match "Details.*wscript.*" -or $_.message -match "Details.*cscript.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_susp_run_key_img_folder"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_susp_run_key_img_folder"; + $detectedMessage = "Detects suspicious new RUN key element pointing to an executable in a suspicious folder"; + $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\.*") -and (($_.message -match "Details.*.*C:\\Windows\\Temp\\.*" -or $_.message -match "Details.*.*C:\\\$Recycle.bin\\.*" -or $_.message -match "Details.*.*C:\\Temp\\.*" -or $_.message -match "Details.*.*C:\\Users\\Public\\.*" -or $_.message -match "Details.*.*C:\\Users\\Default\\.*" -or $_.message -match "Details.*.*C:\\Users\\Desktop\\.*") -or ($_.message -match "Details.*%Public%\\.*" -or $_.message -match "Details.*wscript.*" -or $_.message -match "Details.*cscript.*"))) } | select TimeCreated, Id, RecordId, 
ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_susp_service_installed.ps1 b/Rules/SIGMA/registry_event/sysmon_susp_service_installed.ps1 new file mode 100644 index 00000000..b6cf1003 --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_susp_service_installed.ps1 
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath" -or $_.message -match "HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath") -and -not (($_.message -match "Image.*.*\\procexp64.exe" -or $_.message -match "Image.*.*\\procexp.exe" -or $_.message -match "Image.*.*\\procmon64.exe" -or $_.message -match "Image.*.*\\procmon.exe"))) -and -not (($_.message -match "Details.*.*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_susp_service_installed";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_susp_service_installed";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath" -or $_.message -match "HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath") -and -not (($_.message -match "Image.*.*\\procexp64.exe" -or $_.message -match "Image.*.*\\procexp.exe" -or $_.message -match "Image.*.*\\procmon64.exe" -or $_.message -match "Image.*.*\\procmon.exe"))) -and -not (($_.message -match "Details.*.*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
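Review bot: `Write-Output $detectedMessage` in Search-DetectableEvents writes an empty line, because this rule never assigns `$detectedMessage`; every other rule in this commit sets it right after the inner `$ruleName`. Add `$detectedMessage = "<description of the NalDrv/PROCEXP152 ImagePath detection>";` (placeholder text) before the `$result` query so a hit is labelled like the rest.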
diff --git a/Rules/SIGMA/registry_event/sysmon_suspicious_keyboard_layout_load.ps1 b/Rules/SIGMA/registry_event/sysmon_suspicious_keyboard_layout_load.ps1
new file mode 100644
index 00000000..a36f457b
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_suspicious_keyboard_layout_load.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Keyboard Layout\\Preload\\.*" -or $_.message -match "TargetObject.*.*\\Keyboard Layout\\Substitutes\\.*") -and ($_.message -match "Details.*.*00000429.*" -or $_.message -match "Details.*.*00050429.*" -or $_.message -match "Details.*.*0000042a.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_suspicious_keyboard_layout_load";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_suspicious_keyboard_layout_load";
+ $detectedMessage = "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Keyboard Layout\\Preload\\.*" -or $_.message -match "TargetObject.*.*\\Keyboard Layout\\Substitutes\\.*") -and ($_.message -match "Details.*.*00000429.*" -or $_.message -match "Details.*.*00050429.*" -or $_.message -match "Details.*.*0000042a.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_sysinternals_eula_accepted.ps1 b/Rules/SIGMA/registry_event/sysmon_sysinternals_eula_accepted.ps1
new file mode 100644
index 00000000..9869de5b
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_sysinternals_eula_accepted.ps1
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\EulaAccepted") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -accepteula.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_sysinternals_eula_accepted";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_sysinternals_eula_accepted";
+ $detectedMessage = "Detects the usage of Sysinternals Tools due to accepteula key being added to Registry";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\EulaAccepted") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -accepteula.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_sysinternals_sdelete_registry_keys.ps1 b/Rules/SIGMA/registry_event/sysmon_sysinternals_sdelete_registry_keys.ps1
new file mode 100644
index 00000000..f1026ece
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_sysinternals_sdelete_registry_keys.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Software\\Sysinternals\\SDelete.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_sysinternals_sdelete_registry_keys";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_sysinternals_sdelete_registry_keys";
+ $detectedMessage = "A General detection to trigger for the creation or modification of .*SoftwareSysinternalsSDelete registry keys. Indicators of the use of Sysinternals SDelete tool.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Software\\Sysinternals\\SDelete.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_taskcache_entry.ps1 b/Rules/SIGMA/registry_event/sysmon_taskcache_entry.ps1
new file mode 100644
index 00000000..27ccbfe2
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_taskcache_entry.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_taskcache_entry";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_taskcache_entry";
+ $detectedMessage = "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ result;
+ Write-Output $detectedMessage;
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_uac_bypass_eventvwr.ps1 b/Rules/SIGMA/registry_event/sysmon_uac_bypass_eventvwr.ps1
new file mode 100644
index 00000000..d26fdac4
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_uac_bypass_eventvwr.ps1
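Review bot: The bare statement `result;` inside the `if` block in Search-DetectableEvents is a call to a command named `result`, which does not exist, so on a hit the rule raises a command-not-found error and the matched events are never written. Replace it with the output sequence the other rules use, `Write-Output $detectedMessage;` followed by `Write-Output $result;` and a closing `Write-Output "";`. The same `result;` statement appears in the sysmon_volume_shadow_copy_service_keys, sysmon_win_reg_persistence and sysmon_win_reg_telemetry_persistence hunks below.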
@@ -0,0 +1,40 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKU\\.*" -and $_.message -match "TargetObject.*.*\\mscfile\\shell\\open\\command") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\eventvwr.exe" -and -not ($_.message -match "Image.*.*\\mmc.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_uac_bypass_eventvwr";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_uac_bypass_eventvwr";
+ $detectedMessage = "Detects UAC bypass method using Windows event viewer";
+ $results = [System.Collections.ArrayList] @();
+ $tmp = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKU\\.*" -and $_.message -match "TargetObject.*.*\\mscfile\\shell\\open\\command") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+ $tmp = $event | where { (($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\eventvwr.exe" -and -not ($_.message -match "Image.*.*\\mmc.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ [void]$results.Add($tmp);
+
+ foreach ($result in $results) {
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_uac_bypass_sdclt.ps1 b/Rules/SIGMA/registry_event/sysmon_uac_bypass_sdclt.ps1 new file mode 100644 index 00000000..556a012d --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_uac_bypass_sdclt.ps1 @@ -0,0 +1,35 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKU\.*" -and $_.message -match "TargetObject.*.*_Classes\exefile\shell\runas\command\isolatedCommand") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_uac_bypass_sdclt"; + $detectedMessage = "Detects changes to HKCU:SoftwareClassesexefileshell +unasmmandisolatedCommand" + + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_uac_bypass_sdclt"; + $detectedMessage = "Detects changes to HKCU:SoftwareClassesexefileshell" + $result = $event | where { ($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKU\\.*" -and $_.message -match "TargetObject.*.*_Classes\\exefile\\shell\\runas\\command\\isolatedCommand" } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMesssage; + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/registry_event/sysmon_volume_shadow_copy_service_keys.ps1 b/Rules/SIGMA/registry_event/sysmon_volume_shadow_copy_service_keys.ps1 new file mode 100644 index 00000000..2165c889 --- /dev/null +++ b/Rules/SIGMA/registry_event/sysmon_volume_shadow_copy_service_keys.ps1 
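Review bot: `Write-Output $detectedMesssage` (three s) in Search-DetectableEvents references an undefined variable, so the detection description is printed as an empty line; the name should be `$detectedMessage`. The `$detectedMessage` assigned in the outer Add-Rule scope is never read by the scriptblock, and both copies of the description have lost the backslashes of the registry path, so the inner text no longer says which key is watched. The same misspelling is in the sysmon_config_modification hunk at the end of this chunk.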
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*System\\CurrentControlSet\\Services\\VSS.*" -and -not ($_.message -match "TargetObject.*.*System\\CurrentControlSet\\Services\\VSS\\Start.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_volume_shadow_copy_service_keys";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_volume_shadow_copy_service_keys";
+ $detectedMessage = "Detects the volume shadow copy service initialization and processing. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*System\\CurrentControlSet\\Services\\VSS.*" -and -not ($_.message -match "TargetObject.*.*System\\CurrentControlSet\\Services\\VSS\\Start.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ result;
+ Write-Output $detectedMessage;
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_wab_dllpath_reg_change.ps1 b/Rules/SIGMA/registry_event/sysmon_wab_dllpath_reg_change.ps1
new file mode 100644
index 00000000..02a3c74f
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_wab_dllpath_reg_change.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*\\Software\\Microsoft\\WAB\\DLLPath" -and -not ($_.message -match "Details.*%CommonProgramFiles%\\System\\wab32.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_wab_dllpath_reg_change";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_wab_dllpath_reg_change";
+ $detectedMessage = "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*\\Software\\Microsoft\\WAB\\DLLPath" -and -not ($_.message -match "Details.*%CommonProgramFiles%\\System\\wab32.dll")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_wdigest_enable_uselogoncredential.ps1 b/Rules/SIGMA/registry_event/sysmon_wdigest_enable_uselogoncredential.ps1
new file mode 100644
index 00000000..7e0bec90
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_wdigest_enable_uselogoncredential.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*WDigest\\UseLogonCredential") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_wdigest_enable_uselogoncredential";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_wdigest_enable_uselogoncredential";
+ $detectedMessage = "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:SYSTEMCurrentControlSetControlSecurityProvidersWDigest to enable clear-text credentials";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*WDigest\\UseLogonCredential") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_win_reg_persistence.ps1 b/Rules/SIGMA/registry_event/sysmon_win_reg_persistence.ps1
new file mode 100644
index 00000000..a62e4afc
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_win_reg_persistence.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion.*") -and (($_.message -match "TargetObject.*.*\\Image File Execution Options\\.*" -and $_.message -match "TargetObject.*.*\\GlobalFlag.*") -or ($_.message -match "TargetObject.*.*SilentProcessExit\\.*" -and $_.message -match "TargetObject.*.*\\ReportingMode.*") -or ($_.message -match "TargetObject.*.*SilentProcessExit\\.*" -and $_.message -match "TargetObject.*.*\\MonitorProcess.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_win_reg_persistence";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_win_reg_persistence";
+ $detectedMessage = "Detects persistence registry keys";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion.*") -and (($_.message -match "TargetObject.*.*\\Image File Execution Options\\.*" -and $_.message -match "TargetObject.*.*\\GlobalFlag.*") -or ($_.message -match "TargetObject.*.*SilentProcessExit\\.*" -and $_.message -match "TargetObject.*.*\\ReportingMode.*") -or ($_.message -match "TargetObject.*.*SilentProcessExit\\.*" -and $_.message -match "TargetObject.*.*\\MonitorProcess.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ result;
+ Write-Output $detectedMessage;
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/sysmon_win_reg_telemetry_persistence.ps1 b/Rules/SIGMA/registry_event/sysmon_win_reg_telemetry_persistence.ps1
new file mode 100644
index 00000000..911b333d
--- /dev/null
+++ b/Rules/SIGMA/registry_event/sysmon_win_reg_telemetry_persistence.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\.*" -and $_.message -match "TargetObject.*.*\\Command.*" -and $_.message -match "Details.*.*.exe.*") -and -not (($_.message -match "Details.*.*\\system32\\CompatTelRunner.exe.*" -or $_.message -match "Details.*.*\\system32\\DeviceCensus.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_win_reg_telemetry_persistence";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_win_reg_telemetry_persistence";
+ $detectedMessage = "Detects persistence method using windows telemetry ";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\.*" -and $_.message -match "TargetObject.*.*\\Command.*" -and $_.message -match "Details.*.*.exe.*") -and -not (($_.message -match "Details.*.*\\system32\\CompatTelRunner.exe.*" -or $_.message -match "Details.*.*\\system32\\DeviceCensus.exe.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ result;
+ Write-Output $detectedMessage;
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/win_outlook_c2_registry_key.ps1 b/Rules/SIGMA/registry_event/win_outlook_c2_registry_key.ps1
new file mode 100644
index 00000000..bf2da95f
--- /dev/null
+++ b/Rules/SIGMA/registry_event/win_outlook_c2_registry_key.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level" -and $_.message -match "Details.*.*0x00000001.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_outlook_c2_registry_key";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_outlook_c2_registry_key";
+ $detectedMessage = "Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level" -and $_.message -match "Details.*.*0x00000001.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/win_outlook_registry_todaypage.ps1 b/Rules/SIGMA/registry_event/win_outlook_registry_todaypage.ps1
new file mode 100644
index 00000000..3617159b
--- /dev/null
+++ b/Rules/SIGMA/registry_event/win_outlook_registry_todaypage.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Office\\.*" -or $_.message -match "TargetObject.*.*\\Outlook\\Today\\.*") -and (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "TargetObject.*.*Stamp") -and $_.message -match "Details.*DWORD (0x00000001)") -or ($_.message -match "TargetObject.*.*UserDefinedUrl"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_outlook_registry_todaypage";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_outlook_registry_todaypage";
+ $detectedMessage = "Detects the manipulation of persistant URLs which could execute malicious code";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Office\\.*" -or $_.message -match "TargetObject.*.*\\Outlook\\Today\\.*") -and (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "TargetObject.*.*Stamp") -and $_.message -match "Details.*DWORD (0x00000001)") -or ($_.message -match "TargetObject.*.*UserDefinedUrl"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/win_outlook_registry_webview.ps1 b/Rules/SIGMA/registry_event/win_outlook_registry_webview.ps1
new file mode 100644
index 00000000..2bf278be
--- /dev/null
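Review bot: In the `$result` query the parentheses in `"Details.*DWORD (0x00000001)"` form an unescaped regex group, so the pattern matches `DWORD 0x00000001` and not the literal `DWORD (0x00000001)` text that is presumably the intended Details value; escape them, `$_.message -match "Details.*DWORD \(0x00000001\)"`. The second `($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")` clause repeats the first and can be dropped.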
+++ b/Rules/SIGMA/registry_event/win_outlook_registry_webview.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Office\\.*" -or $_.message -match "TargetObject.*.*Outlook\\WebView\\.*") -and $_.message -match "TargetObject.*.*URL" -and ($_.message -match "TargetObject.*.*Calendar.*" -or $_.message -match "TargetObject.*.*Inbox.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_outlook_registry_webview";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_outlook_registry_webview";
+ $detectedMessage = "Detects the manipulation of persistant URLs which can be malicious";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Office\\.*" -or $_.message -match "TargetObject.*.*Outlook\\WebView\\.*") -and $_.message -match "TargetObject.*.*URL" -and ($_.message -match "TargetObject.*.*Calendar.*" -or $_.message -match "TargetObject.*.*Inbox.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/win_portproxy_registry_key.ps1 b/Rules/SIGMA/registry_event/win_portproxy_registry_key.ps1
new file mode 100644
index 00000000..0813fed2
--- /dev/null
+++ b/Rules/SIGMA/registry_event/win_portproxy_registry_key.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_portproxy_registry_key";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_portproxy_registry_key";
+ $detectedMessage = "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.";
+ $result = $event | where { (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/registry_event/win_registry_mimikatz_printernightmare.ps1 b/Rules/SIGMA/registry_event/win_registry_mimikatz_printernightmare.ps1
new file mode 100644
index 00000000..6ce0d7b5
--- /dev/null
+++ b/Rules/SIGMA/registry_event/win_registry_mimikatz_printernightmare.ps1
@@ -0,0 +1,32 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\.*" -or $_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz.*") -or ($_.message -match "TargetObject.*.*legitprinter.*" -and $_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows.*")) -or (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Control\\Print\\Environments.*" -or $_.message -match "TargetObject.*.*\\CurrentVersion\\Print\\Printers.*") -and ($_.message -match "TargetObject.*.*Gentil Kiwi.*" -or $_.message -match "TargetObject.*.*mimikatz printer.*" -or $_.message -match "TargetObject.*.*Kiwi Legit Printer.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "win_registry_mimikatz_printernightmare";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "win_registry_mimikatz_printernightmare";
+ $detectedMessage = "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527";
+ $result = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\.*" -or $_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz.*") -or ($_.message -match "TargetObject.*.*legitprinter.*" -and $_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows.*")) -or (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Control\\Print\\Environments.*" -or $_.message -match 
"TargetObject.*.*\\CurrentVersion\\Print\\Printers.*") -and ($_.message -match "TargetObject.*.*Gentil Kiwi.*" -or $_.message -match "TargetObject.*.*mimikatz printer.*" -or $_.message -match "TargetObject.*.*Kiwi Legit Printer.*")))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.ps1 b/Rules/SIGMA/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.ps1
new file mode 100644
index 00000000..5d84ed16
--- /dev/null
+++ b/Rules/SIGMA/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.ps1
@@ -0,0 +1,33 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "8" -or $_.ID -eq "10") -and $_.message -match "SourceImage.*.*\\powershell.exe" -and $_.message -match "TargetImage.*.*\\lsass.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_accessing_winapi_in_powershell_credentials_dumping";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_accessing_winapi_in_powershell_credentials_dumping";
+ $detectedMessage = "Detects Accessing to lsass.exe by Powershell";
+ $result = $event | where { (($_.ID -eq "8" -or $_.ID -eq "10") -and $_.message -match "SourceImage.*.*\\powershell.exe" -and $_.message -match "TargetImage.*.*\\lsass.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ Write-Output $result;
+ Write-Output "";
+ }
+
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/sysmon/sysmon_config_modification.ps1 b/Rules/SIGMA/sysmon/sysmon_config_modification.ps1
new file mode 100644
index 00000000..deb7926e
--- /dev/null
+++ b/Rules/SIGMA/sysmon/sysmon_config_modification.ps1
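Review bot: The `SourceImage` pattern `\\powershell.exe` covers only Windows PowerShell; a PowerShell 7 host runs as pwsh.exe and would reach the same `TargetImage` lsass.exe without matching this rule. If PowerShell 7 is in scope for this project, widen the pattern to `$_.message -match "SourceImage.*\\(powershell|pwsh)\.exe"` (the unescaped `.` before `exe` is worth tightening at the same time). The doubled `.*.*` in these patterns is harmless but reads as a generator artefact rather than intent.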
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "4" -or $_.ID -eq "16")) -and ($_.message -match "State.*Stopped" -or ($_.message -match "Sysmon config state changed.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "255" -and ($_.message -match "Description.*.*Failed to open service configuration with error.*" -or $_.message -match "Description.*.*Failed to connect to the driver to update configuration.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_config_modification"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_config_modification"; + $detectedMessage = "Someone try to hide from Sysmon"; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ((($_.ID -eq "4" -or $_.ID -eq "16")) -and ($_.message -match "State.*Stopped" -or ($_.message -match "Sysmon config state changed.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "255" -and ($_.message -match "Description.*.*Failed to open service configuration with error.*" -or $_.message -match "Description.*.*Failed to connect to the driver to update configuration.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMesssage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
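Review bot: `Write-Output $detectedMesssage` inside the foreach misspells the variable assigned a few lines earlier as `$detectedMessage`, so a hit prints an empty line where the rule description should be (and would throw under Set-StrictMode). Change it to `Write-Output $detectedMessage;`. The same misspelling appears in sysmon_wmi_event_subscription.ps1 later in this commit.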
diff --git a/Rules/SIGMA/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.ps1 b/Rules/SIGMA/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.ps1 new file mode 100644 index 00000000..ec39b351 --- /dev/null +++ b/Rules/SIGMA/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.ps1 
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*C:\\Windows\\system32\\physmem.sys.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\config\\config\\startwus.dat.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Software\\Classes\\CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32.*") -and $_.message -match "IMJPUEXP.DLL") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_cve_2021_31979_cve_2021_33771_exploits"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_cve_2021_31979_cve_2021_33771_exploits"; + $detectedMessage = "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 
vulnerability and DevilsTongue malware by threat group Sourgum"; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*C:\\Windows\\system32\\physmem.sys.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\config\\config\\startwus.dat.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Software\\Classes\\CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32.*") -and $_.message -match "IMJPUEXP.DLL") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . 
Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/sysmon/sysmon_dcom_iertutil_dll_hijack.ps1 b/Rules/SIGMA/sysmon/sysmon_dcom_iertutil_dll_hijack.ps1 new file mode 100644 index 00000000..553656e1 --- /dev/null +++ b/Rules/SIGMA/sysmon/sysmon_dcom_iertutil_dll_hijack.ps1 
@@ -0,0 +1,33 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "11" -and $_.message -match "Image.*System" -and $_.message -match "TargetFilename.*.*\\Internet Explorer\\iertutil.dll") -or ($_.ID -eq "7" -and $_.message -match "Image.*.*\\Internet Explorer\\iexplore.exe" -and $_.message -match "ImageLoaded.*.*\\Internet Explorer\\iertutil.dll"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_dcom_iertutil_dll_hijack"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_dcom_iertutil_dll_hijack"; + $detectedMessage = "Detects a threat actor creating a file named `iertutil.dll` in the `C:Program FilesInternet Explorer` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario."; + $result = $event | where { ((($_.ID -eq "11" -and $_.message -match "Image.*System" -and $_.message -match "TargetFilename.*.*\\Internet Explorer\\iertutil.dll") -or ($_.ID -eq "7" -and $_.message -match "Image.*.*\\Internet Explorer\\iexplore.exe" -and $_.message -match "ImageLoaded.*.*\\Internet Explorer\\iertutil.dll"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.ps1 b/Rules/SIGMA/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.ps1 new file mode 100644 index 00000000..519dbda6 --- /dev/null +++ b/Rules/SIGMA/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.ps1 
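Review bot: `$detectedMessage` is double-quoted, and in a double-quoted PowerShell string the backtick is the escape character, so the backticks meant to set off iertutil.dll and the directory name are consumed silently and the directory prints as `C:Program FilesInternet Explorer` with no separators — the description never names the real path. Switch to a single-quoted literal and restore the separators the `where` patterns use (`\\Internet Explorer\\iertutil.dll`), presumably `$detectedMessage = 'Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.';`. sysmon_wmiprvse_wbemcomn_dll_hijack.ps1 later in this commit has the same backtick quoting (there the path separators happen to survive).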
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "22" -and $_.message -match "QueryName.*.*servicebus.windows.net.*" -and $_.message -match "Image.*.*HybridConnectionManager.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_dns_hybridconnectionmgr_servicebus";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_dns_hybridconnectionmgr_servicebus";
+ $detectedMessage = "Detects Azure Hybrid Connection Manager services querying the Azure service bus service";
+ $result = $event | where { ($_.ID -eq "22" -and $_.message -match "QueryName.*.*servicebus.windows.net.*" -and $_.message -match "Image.*.*HybridConnectionManager.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ result;
+ Write-Output $detectedMessage;
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/sysmon/sysmon_pingback_backdoor.ps1 b/Rules/SIGMA/sysmon/sysmon_pingback_backdoor.ps1
new file mode 100644
index 00000000..17bed9b5
--- /dev/null
+++ b/Rules/SIGMA/sysmon/sysmon_pingback_backdoor.ps1
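Review bot: `result;` in the detection branch is a bare word, so PowerShell looks for a command named result and throws CommandNotFoundException on every match, and the matching records are never printed. It should be `Write-Output $result;`, and placing `Write-Output $detectedMessage;` before it would match the output order of the other rules in this commit. sysmon_wmi_susp_scripting.ps1 later in this commit has the identical `result;` line.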
@@ -0,0 +1,43 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "Image.*.*updata.exe" -and $_.message -match "TargetFilename.*C:\\Windows\\oci.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*.*msdtc.exe" -and $_.message -match "ImageLoaded.*C:\\Windows\\oci.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*updata.exe" -and $_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*msdtc.*" -and $_.message -match "CommandLine.*.*start.*" -and $_.message -match "CommandLine.*.*auto.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_pingback_backdoor"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_pingback_backdoor"; + $detectedMessage = "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report"; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ($_.ID -eq "11" -and $_.message -match "Image.*.*updata.exe" -and $_.message -match "TargetFilename.*C:\\Windows\\oci.dll") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "7" -and $_.message -match "Image.*.*msdtc.exe" -and $_.message -match "ImageLoaded.*C:\\Windows\\oci.dll") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "1" -and $_.message -match "ParentImage.*.*updata.exe" -and $_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*msdtc.*" -and $_.message -match 
"CommandLine.*.*start.*" -and $_.message -match "CommandLine.*.*auto.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/SIGMA/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.ps1 b/Rules/SIGMA/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.ps1 new file mode 100644 index 00000000..8ead7d6d --- /dev/null +++ b/Rules/SIGMA/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.ps1 
@@ -0,0 +1,40 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "Image.*System" -and $_.message -match "TargetFilename.*.*\\wbem\\wbemcomn.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*.*\\wmiprvse.exe" -and $_.message -match "ImageLoaded.*.*\\wbem\\wbemcomn.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_wmiprvse_wbemcomn_dll_hijack"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_wmiprvse_wbemcomn_dll_hijack"; + $detectedMessage = "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario."; + $results = [System.Collections.ArrayList] @(); + $tmp = $event | where { ($_.ID -eq "11" -and $_.message -match "Image.*System" -and $_.message -match "TargetFilename.*.*\\wbem\\wbemcomn.dll") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + $tmp = $event | where { ($_.ID -eq "7" -and $_.message -match "Image.*.*\\wmiprvse.exe" -and $_.message -match "ImageLoaded.*.*\\wbem\\wbemcomn.dll") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + [void]$results.Add($tmp); + + foreach ($result in $results) { + if ($result -and $result.Count -ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} 
diff --git a/Rules/SIGMA/wmi_event/sysmon_wmi_event_subscription.ps1 b/Rules/SIGMA/wmi_event/sysmon_wmi_event_subscription.ps1
new file mode 100644
index 00000000..22de9791
--- /dev/null
+++ b/Rules/SIGMA/wmi_event/sysmon_wmi_event_subscription.ps1
@@ -0,0 +1,31 @@
+# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "19" -or $_.ID -eq "20" -or $_.ID -eq "21")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+
+function Add-Rule {
+
+ $ruleName = "sysmon_wmi_event_subscription";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+
+ $ruleName = "sysmon_wmi_event_subscription";
+ $detectedMessage = "Detects creation of WMI event subscription persistence method";
+ $result = $event | where { (($_.ID -eq "19" -or $_.ID -eq "20" -or $_.ID -eq "21")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ if ($result -and $result.Count -ne 0) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $result;
+ Write-Output $detectedMesssage;
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
diff --git a/Rules/SIGMA/wmi_event/sysmon_wmi_susp_scripting.ps1 b/Rules/SIGMA/wmi_event/sysmon_wmi_susp_scripting.ps1
new file mode 100644
index 00000000..b5292697
--- /dev/null
+++ b/Rules/SIGMA/wmi_event/sysmon_wmi_susp_scripting.ps1
@@ -0,0 +1,31 @@ +# Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "19" -or $_.ID -eq "20" -or $_.ID -eq "21")) -and $_.ID -eq "20" -and (($_.message -match "Destination.*.*new-object.*" -and $_.message -match "Destination.*.*net.webclient.*" -and $_.message -match "Destination.*.*.downloadstring.*") -or ($_.message -match "Destination.*.*new-object.*" -and $_.message -match "Destination.*.*net.webclient.*" -and $_.message -match "Destination.*.*.downloadfile.*") -or ($_.message -match "Destination.*.* iex(.*" -or $_.message -match "Destination.*.*WScript.shell.*" -or $_.message -match "Destination.*.* -nop .*" -or $_.message -match "Destination.*.* -noprofile .*" -or $_.message -match "Destination.*.* -decode .*" -or $_.message -match "Destination.*.* -enc .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + + $ruleName = "sysmon_wmi_susp_scripting"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "sysmon_wmi_susp_scripting"; + $detectedMessage = "Detects suspicious scripting in WMI Event Consumers"; + $result = $event | where { ((($_.ID -eq "19" -or $_.ID -eq "20" -or $_.ID -eq "21")) -and $_.ID -eq "20" -and (($_.message -match "Destination.*.*new-object.*" -and $_.message -match "Destination.*.*net.webclient.*" -and $_.message -match "Destination.*.*.downloadstring.*") -or ($_.message -match "Destination.*.*new-object.*" -and $_.message -match "Destination.*.*net.webclient.*" -and $_.message -match "Destination.*.*.downloadfile.*") -or ($_.message -match "Destination.*.* iex\(.*" -or $_.message -match "Destination.*.*WScript.shell.*" -or $_.message -match "Destination.*.* -nop .*" -or $_.message -match "Destination.*.* -noprofile .*" -or $_.message -match "Destination.*.* -decode .*" -or $_.message -match "Destination.*.* -enc .*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; + if ($result -and $result.Count 
-ne 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + result; + Write-Output $detectedMessage; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} diff --git a/Rules/WELA-Rules/Application/2-EMETBlocked.ps1 b/Rules/WELA-Rules/Application/2-EMETBlocked.ps1 new file mode 100644 index 00000000..65082e08 --- /dev/null +++ b/Rules/WELA-Rules/Application/2-EMETBlocked.ps1 @@ -0,0 +1,45 @@ + +function Add-Rule { + $ruleName = "2-EMETBlocked"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $target = $event | where { $_.ID -eq 2 -and $_.LogName -eq "Application" } + $ruleName = "2-EMETBlocked"; + $detectedMessage = "detected EMET blocked on DeepBlueCLI Rule"; + foreach ($record in $target) { + if ($record.message) { + $result = Create-Obj $record $LogFile + $array = $record.message -split '\n' # Split each line of the message into an array + $text = $array[0] + $application = Remove-Spaces($array[3]) + $command = $application -Replace "^Application: ", "" + $username = Remove-Spaces($array[4]) + $result.Message = $detectedMessage + $result.Command = "$command" + $result.Results = "$text`n" + $result.Results += "$username`n" + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + else { + Write-Output "Warning: EMET Message field is blank. Install EMET locally to see full details of this alert" + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file 
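Review bot: The EMET message is parsed positionally (`$array[3]` for the application line, `$array[4]` for the user) with nothing stating what those lines are or checking that the split produced that many; a message with fewer lines hands `$null` to `Remove-Spaces` and yields an empty Command. Add a comment above the split such as `# EMET ID 2 message layout (positional): [0] summary, [3] "Application: <path>", [4] user — verify against a real record`. `Create-Obj`, `Remove-Spaces` and `$LogFile` are defined outside this diff, presumably shared helpers and a global.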
diff --git a/Rules/WELA-Rules/Applocker/8003-ApplockerWarning.ps1 b/Rules/WELA-Rules/Applocker/8003-ApplockerWarning.ps1
new file mode 100644
index 00000000..2bb635d5
--- /dev/null
+++ b/Rules/WELA-Rules/Applocker/8003-ApplockerWarning.ps1
@@ -0,0 +1,37 @@
+
+function Add-Rule {
+ $ruleName = "8003-ApplockerWarning";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+ $ruleName = "8003-ApplockerWarning";
+ $detectedMessage = "detected Applocker warning on DeepBlueCLI Rule";
+ $target = $event | where { $_.ID -eq 8003 -and $_.LogName -eq "Microsoft-Windows-AppLocker/EXE and DLL" }
+
+ if ($target) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ }
+ foreach ($record in $target) {
+ $result = Create-Obj $record $LogFile
+ $result.Message = $detectedMessage
+ $command = $event.message -Replace " was .*$", ""
+ $result.Command = $command
+ $result.Results = $record.message
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
\ No newline at end of file
diff --git a/Rules/WELA-Rules/Applocker/8004-ApplockerBlock.ps1 b/Rules/WELA-Rules/Applocker/8004-ApplockerBlock.ps1
new file mode 100644
index 00000000..877434db
--- /dev/null
+++ b/Rules/WELA-Rules/Applocker/8004-ApplockerBlock.ps1
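Review bot: Inside `foreach ($record in $target)`, `$command = $event.message -Replace " was .*$", ""` reads `$event` — the whole input collection — rather than the current record, so `$result.Command` becomes the replaced messages of every event passed to the rule instead of the one being reported. Change it to `$command = $record.message -Replace " was .*$", ""`. 8004-ApplockerBlock.ps1 in the next hunk has the same line.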
@@ -0,0 +1,38 @@
+
+function Add-Rule {
+ $ruleName = "8004-ApplockerBlock";
+ $detectRule = {
+
+ function Search-DetectableEvents {
+ param (
+ $event
+ )
+ $ruleName = "8004-ApplockerBlock";
+ $detectedMessage = "detected Applocker block on DeepBlueCLI Rule";
+ $target = $event | where { $_.ID -eq 8004 -and $_.LogName -eq "Microsoft-Windows-AppLocker/EXE and DLL" }
+
+ if ($target) {
+ Write-Output "";
+ Write-Output "Detected! RuleName:$ruleName";
+ Write-Output $detectedMessage;
+ }
+ foreach ($record in $target) {
+ $result = Create-Obj $record $LogFile
+ $result.Message = $detectedMessage
+ $command = $event.message -Replace " was .*$", ""
+ $result.Command = $command
+ $result.Result = $record.message
+
+ Write-Output $result;
+ Write-Output "";
+ }
+ };
+ . Search-DetectableEvents $args;
+ };
+ if (! $ruleStack[$ruleName]) {
+ $ruleStack.Add($ruleName, $detectRule);
+ }
+ else {
+ Write-Host "Rule Import Error" -Foreground Yellow;
+ }
+}
\ No newline at end of file
diff --git a/Rules/WELA-Rules/PowerShell/4103-PowerShellExecute.ps1 b/Rules/WELA-Rules/PowerShell/4103-PowerShellExecute.ps1
new file mode 100644
index 00000000..d6cfca67
--- /dev/null
+++ b/Rules/WELA-Rules/PowerShell/4103-PowerShellExecute.ps1
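Review bot: `$result.Result = $record.message` writes a property called `Result`, while every other rule in this commit that fills the same object (8003-ApplockerWarning, 1102-AuditLogFileClear, 4625-FailedLogonAndPasswordSpray) writes `$result.Results`. If `Create-Obj` (outside this diff) returns an object with a fixed member set, this assignment fails with a property-not-found error; if it returns an expandable object, the message lands in a stray property the output formatting will not show. Change it to `$result.Results = $record.message`.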
@@ -0,0 +1,42 @@ + +function Add-Rule { + $ruleName = "4103-PowerShellExecute"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $ruleName = "4103-PowerShellExecute"; + $detectedMessage = "detected PowerShell execute on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 4103 -and $_.LogName -eq "Microsoft-Windows-PowerShell/Operational" } + + foreach ($record in $target) { + $eventXML = [xml] $record.ToXml() + $commandline = $eventXML.Event.EventData.Data[2]."#text" + if ($commandline -Match "Host Application") { + # Multiline replace, remove everything before "Host Application = " + $commandline = $commandline -Replace "(?ms)^.*Host.Application = ", "" + # Remove every line after the "Host Application = " line. + $commandline = $commandline -Replace "(?ms)`n.*$", "" + if ($commandline) { + $obj = Create-Obj -event $record $LogFile + $result = Check-Command -EventID 4103 -commandline $commandline -obj $obj + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/PowerShell/4104-PowerShellScriptBlockCreate.ps1 b/Rules/WELA-Rules/PowerShell/4104-PowerShellScriptBlockCreate.ps1 new file mode 100644 index 00000000..2e850b34 --- /dev/null +++ b/Rules/WELA-Rules/PowerShell/4104-PowerShellScriptBlockCreate.ps1 
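Review bot: The five `Write-Output` lines run unconditionally after `$result = Check-Command ...`, whereas 4104-PowerShellScriptBlockCreate.ps1 in the next hunk wraps the same output in `if ($result)`. If Check-Command (outside this diff) returns nothing for a benign command line, this rule prints a `Detected!` header with an empty body for every 4103 record whose command line contains "Host Application". Guard the output with `if ($result) { ... }` as 4104 does.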
@@ -0,0 +1,39 @@ + +function Add-Rule { + $ruleName = "4104-PowerShellScriptBlockCreate"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $ruleName = "4104-PowerShellScriptBlockCreate"; + $detectedMessage = "detected PowerShell script block created on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 4104 -and $_.LogName -eq "Microsoft-Windows-PowerShell/Operational" } + foreach ($record in $target) { + $eventXML = [xml] $record.ToXml() + + if (-not ($eventxml.Event.EventData.Data[4]."#text")) { + $commandline = $eventXML.Event.EventData.Data[2]."#text" + if ($commandline) { + $obj = Create-Obj -event $record + $result = Check-Command -EventID 4104 -commandline $commandline -obj $obj + if ($result) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName" + Write-Output $detectedMessage + Write-Output $result + } + } + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/RuleTemplate.template_ps1 b/Rules/WELA-Rules/RuleTemplate.template_ps1 new file mode 100644 index 00000000..cfe20151 --- /dev/null +++ b/Rules/WELA-Rules/RuleTemplate.template_ps1 @@ -0,0 +1,30 @@ + + +function Add-Rule { + param ( + [bool] $isLiveAnalysis + ) + $ruleName = "DeepBlue"; + $detectedMessage = "!detection!" + + $detectRule = { + function Search-DetectableEvents { + param ( + $event + ) + $results = @(); + $results += $event !firstpipe!; + foreach ($result in $results) { + if ($result.Count -ne 0) { + Write-Host + Write-Host "Detected! RuleName:$ruleName"; + Write-Host $result + Write-Host $detectedMessage; + } + } + + }; + Search-DetectableEvents $args[0]; + }; + $Global:ruleStack.Add($ruleName, $detectRule); +} \ No newline at end of file 
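Review bot: `if (-not ($eventxml.Event.EventData.Data[4]."#text"))` silently decides which script blocks are examined, but nothing says what field 4 is or why an empty value selects the record, and `Data[2]` is equally undocumented. Add a comment above it such as `# Positional EventData: [2] is the script block text; only records whose field [4] is empty are examined — looks like the Path field, i.e. blocks not loaded from a file on disk — confirm against the 4104 schema`. Separately, `Create-Obj -event $record` omits the `$LogFile` argument that 4103-PowerShellExecute.ps1 passes; worth confirming that is intended.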
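Review bot: In the template, `$ruleName` and `$detectedMessage` are assigned in Add-Rule's scope and only referenced from inside `$detectRule`, whereas every concrete rule in this commit re-assigns both inside Search-DetectableEvents — which suggests the scriptblock is invoked later from `$ruleStack`, where Add-Rule's locals are gone (a PowerShell scriptblock captures nothing unless GetNewClosure() is called), so a rule generated from this template would print an empty name and message. Move the two assignments inside Search-DetectableEvents as the generated rules do. The template also uses `Write-Host` where the rules use `Write-Output`, so its output cannot be captured or redirected, and calls `$Global:ruleStack.Add` without the `if (! $ruleStack[$ruleName])` duplicate check the rules carry, which would raise from Add() on a repeated name if `$ruleStack` is a hashtable.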
diff --git a/Rules/WELA-Rules/Security/1102-AuditLogFileClear.ps1 b/Rules/WELA-Rules/Security/1102-AuditLogFileClear.ps1 new file mode 100644 index 00000000..69285dd8 --- /dev/null +++ b/Rules/WELA-Rules/Security/1102-AuditLogFileClear.ps1 @@ -0,0 +1,39 @@ + +function Add-Rule { + $ruleName = "1102_AuditLogFileClear"; + + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $ruleName = "1102_AuditLogFileClear"; + $detectedMessage = "The Audit log was cleared on DeepBlueCLI Rule"; + + $target = $event | where { $_.LogName -eq "Security" -and $_.id -eq 1102 } + if ($target) { + foreach ($record in $target) { + $result = Create-Obj $record $LogFile + $array = $record.message -split '\n' # Split each line of the message into an array + $user = Remove-Spaces($array[3]) + $result.Message = $detectedMessage + $eventTimestampString = $record.TimeCreated.ToString($DateFormat) + $result.Results = "User:$user" + Write-Output ""; + Write-Output "$eventTimestampString Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/Security/4625-FailedLogonAndPasswordSpray.ps1 b/Rules/WELA-Rules/Security/4625-FailedLogonAndPasswordSpray.ps1 new file mode 100644 index 00000000..42577352 --- /dev/null +++ b/Rules/WELA-Rules/Security/4625-FailedLogonAndPasswordSpray.ps1 
@@ -0,0 +1,74 @@ + +function Add-Rule { + $ruleName = "4625_FailedLogonAndPasswordSpray"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $maxfailedlogons = 5 + $ruleName = "4625_FailedLogonAndPasswordSpray"; + $detectedMessage = "High number of logon failures for one /multi account on DeepBlueCLI Rule"; + + $target = $event | where { $_.LogName -eq "Security" -and $_.id -eq 4625 } + if ($target) { + $totalfailedaccounts = 0; + $failedlogons = @{} + $failedLogonTriedTimeRecord = @{} + foreach ($record in $target) { + $eventXML = [xml]$record.ToXml(); + $username = $eventXML.Event.EventData.Data[5]."#text" + if ($failedlogons.ContainsKey($username)) { + $failedlogons[$username] += 1; + } + else { + $failedlogons[$username] = 1 + $totalfailedaccounts += 1 + } + $totalfailedlogons += 1 + $failedLogonTriedTimeRecord[$username] = $record + } + $detectcount = 0 + foreach ($username in $failedlogons.Keys) { + if ($failedlogons[$username] -gt $maxfailedlogons) { + if ($detectcount -eq 0) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + } + $cnt = $failedlogons[$username] + $result = Create-Obj $failedLogonTriedTimeRecord[$username] $LogFile + $result.Message = $detectedMessage + $result.Results = "Username: $username`n" + $result.Results += "Total logon failures: $cnt" + Write-Output $result; + Write-Output ""; + } + $detectcount += 1 + } + # Password spraying: + if (($target.Count -gt $maxfailedlogons) -and ($target.Count -gt 1)) { + $result = Create-Obj -logname $LogFile; + $result.Message = $detectedMessage + $result.EventID = 4625 + $result.Results = "Total accounts: $totalfailedaccounts`n" + $result.Results += "Total logon failures: $totalfailedlogons`n" + + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/Security/4625_4648-PassSprayAttack.ps1 b/Rules/WELA-Rules/Security/4625_4648-PassSprayAttack.ps1 new file mode 100644 index 00000000..ba26d681 --- /dev/null +++ b/Rules/WELA-Rules/Security/4625_4648-PassSprayAttack.ps1 
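Review bot: `$detectcount += 1` sits outside the inner `if`, so it increments for every key in `$failedlogons` whether or not that user exceeded `$maxfailedlogons`; since the `Detected!` header is printed only when `$detectcount -eq 0`, it appears only if the first key in hash order happens to be over threshold, and otherwise flagged users are printed with no header. Move the increment inside the `if ($failedlogons[$username] -gt $maxfailedlogons) { ... }` block. The password-spray branch below tests `$target.Count` (total failures) and never the `$totalfailedaccounts` it computes, so it duplicates the per-user threshold rather than testing the many-accounts signal a spray produces; `$totalfailedaccounts -gt $maxfailedlogons` looks like the intended condition — worth confirming with the author. `$totalfailedlogons` is also never initialised and works only because `$null + 1` is 1 in PowerShell.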
@@ -0,0 +1,99 @@ + +function Add-Rule { + $ruleName = "4625_4648-PassSprayAttack"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "4625_4648-PassSprayAttack"; + $detectedMessage = "Distributed Account Explicit Credential Use (Password Spray Attack) in timeframe on WELA"; + $target = $event | where { $_.LogName -eq "Security" -and ($_.id -eq 4648 -or $_.id -eq 4625) } + + $PasswordGuessDetection = @{ FirstDetect = $null ; Count = 0 } + $PasswordGuessTimeframeMinutes = 1 + $PasswordGuessCount = 3 + $DBCPassSprayTrack = @{}; + $DBCpasssprayuniqusermax = 6 + $DBCpasssprayloginmax = 6 + $DBCpasssprayuniquser = 0 + + foreach ($record in $target) { + $eventXML = [xml]$record.ToXml() + $username = $eventXML.Event.EventData.Data[1]."#text" + $hostname = $eventXML.Event.EventData.Data[2]."#text" + $targetusername = $eventXML.Event.EventData.Data[5]."#text" + $sourceip = "" + if ($record.id -eq 4648) { + $sourceip = $eventXML.Event.EventData.Data[12]."#text" + # DeepBlueCLI passspary logic + $DBCPassSprayTrack[$targetusername] += 1; + if ($DBCPassSprayTrack[$targetusername] -gt $DBCpasssprayloginmax) { + foreach ($key in $DBCpassspraytrack.keys) { + if ($DBCpassspraytrack[$key] -gt $DBCpasssprayloginmax) { + $DBCpasssprayuniquser += 1 + } + } + if ($DBCpasssprayuniquser -gt $DBCpasssprayuniqusermax) { + $usernames = "" + foreach ($key in $DBCpassspraytrack.keys) { + $usernames += $key + $usernames += " " + } + $result = Create-Obj $record $LogFile + $result.EventID = 4648 + $result.Message = "Distributed Account Explicit Credential Use (Password Spray Attack)" + $result.Results = "The use of multiple user account access attempts with explicit credentials is " + $result.Results += "an indicator of a password spray attack.`n" + $result.Results += "Target Usernames: $usernames`n" + $result.Results += "Accessing Username: $username`n" + $result.Results += "Accessing Host Name: $hostname`n" + Write-Output "" + Write-Output 
"Detected!RuleName:$ruleName(DeepBlueCLI Rule)" + Write-Output $result + $DBCpassspraytrack = @{} # Reset + } + } + } + else { + $sourceip = $eventXML.Event.EventData.Data[19]."#text" + } + $EventTimestampString = $record.TimeCreated.ToString($DateFormat) + $EventTimestampDateTime = [datetime]::ParseExact($EventTimestampString, $DateFormat, $null) + if (!$PasswordGuessDetection.FirstDetect) { + $PasswordGuessDetection.FirstDetect = [datetime]::ParseExact($EventTimestampString, $DateFormat, $null); + $PasswordGuessDetection.Count++; + } + else { + $TimeBetweenEvents = ( $EventTimestampDateTime - $PasswordGuessDetection.FirstDetect ).TotalMinutes + if ($TimeBetweenEvents -gt $PasswordGuessTimeframeMinutes) { + $PasswordGuessDetection.FirstDetect = $null + $PasswordGuessDetection.Count = 0 + } + else { + $PasswordGuessDetection.Count++; + if ( $PasswordGuessDetection.Count -ge $PasswordGuessCount -and $TimeBetweenEvents -gt 0 ) { + $result = Create-Obj $record $LogFile + $result.Message = $detectedMessage + $result.Results = "Target User: $targetusername`nIP Address: $sourceip (Threshold: $PasswordGuessCount times in $PasswordGuessTimeframeMinutes minutes.)" + Write-Output "" + Write-Output "Detected!RuleName:$ruleName(WELA Rule)" + Write-Output $result + $PasswordGuessDetection.FirstDetect = $PasswordGuessDetection.FirstDetect.Addminutes($PasswordGuessTimeframeMinutes) + $PasswordGuessDetection.Count = 0 + } + } + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/Security/4672-AdminAccountAccessAllAlerts.ps1 b/Rules/WELA-Rules/Security/4672-AdminAccountAccessAllAlerts.ps1 new file mode 100644 index 00000000..6c450da8 --- /dev/null +++ b/Rules/WELA-Rules/Security/4672-AdminAccountAccessAllAlerts.ps1 
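Review bot: `$DBCpasssprayuniquser` is initialised once before the loop and never reset before the `foreach ($key in $DBCpassspraytrack.keys)` recount, so every 4648 beyond `$DBCpasssprayloginmax` for the same target adds the whole recount to the running total again; after a dozen attempts against a single account the counter exceeds 6 and the "Distributed ... Password Spray" alert fires for a plain brute force (the DeepBlueCLI logic this is ported from zeroes the counter before counting). Put `$DBCpasssprayuniquser = 0` immediately before that inner `foreach`, and reset it alongside `$DBCpassspraytrack = @{}` after reporting. The WELA half keeps a single `$PasswordGuessDetection` window shared by every target user and source IP, so three 4625/4648 events from unrelated hosts within a minute trigger the alert and attribute it to whichever `$targetusername`/`$sourceip` the third record happened to carry; keying the window by `$sourceip` (or at least by `$targetusername`) would make the attribution honest. `$DateFormat` is read here but defined elsewhere; if it is a display format without seconds, `ParseExact` quantises the one-minute window and `$TimeBetweenEvents -gt 0` suppresses events in the same minute.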
@@ -0,0 +1,63 @@ + +function Add-Rule { + $ruleName = "4672-AdminAccountAccessAllAlerts"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $ruleName = "4672-AdminAccountAccessAllAlerts"; + $detectedMessage = "Logon with SeDebugPrivilege (admin access)`nSpecial privileges assgned to new logons on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 4672 -and $_.LogName -eq "Security" } + $RecentLogonTimeRecord = @{} + $multipleadminlogons = @{} + $adminlogons = @{} + if ($target) { + foreach ($record in $target) { + $eventXML = [xml]$record.ToXml(); + $username = $eventXML.Event.EventData.Data[1]."#text" + $domain = $eventXML.Event.EventData.Data[2]."#text" + $securityid = $eventXML.Event.EventData.Data[3]."#text" + $privileges = $eventXML.Event.EventData.Data[4]."#text" + if ($adminlogons.ContainsKey($username)) { + $string = $adminlogons.$username + if (!($string -Match $securityid)) { + $multipleadminlogons.Set_Item($username, 1) + $string += " $securityid" + $adminlogons.Set_Item($username, $string) + } + } + else { + $adminlogons.add($username, $securityid) + } + # evtx file read is Oldest in WELA. but Latest in DeepBlueCLI + if (! $RecentLogonTimeRecord.containsKey($username)) { + $RecentLogonTimeRecord[$username] = $record + } + } + foreach ($usernameKey in $adminlogons.Keys) { + $securityid = $adminlogons.Get_Item($usernameKey) + if ($multipleadminlogons.$usernameKey) { + $result = Create-Obj $RecentLogonTimeRecord[$usernameKey] $LogFile + $result.Message = $detectedMessage + $result.Results = "Multiple admin logons for one account" + $result.Results += "Username: $usernameKey`n" + $result.Results += "User SID Access Count: " + $securityid.split().Count + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + } + } + . Search-DetectableEvents $args; + }; + if (! 
$ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/Security/4673-IndicativeOfMimikatz.ps1 b/Rules/WELA-Rules/Security/4673-IndicativeOfMimikatz.ps1 new file mode 100644 index 00000000..aa74370a --- /dev/null +++ b/Rules/WELA-Rules/Security/4673-IndicativeOfMimikatz.ps1 @@ -0,0 +1,48 @@ + +function Add-Rule { + $ruleName = "4673_IndicativeOfMimikatz"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "4673_IndicativeOfMimikatz"; + $detectedMessage = "Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made on DeepBlueCLI Rule()"; + $target = $event | where { $_.LogName -eq "Security" -and ($_.id -eq 4673) } + $maxtotalsensprivuse = 4 + $resultoutput = @{} + $cnt = 1; + foreach ($record in $target) { + $eventXML = [xml]$record.ToXml(); + $username = $eventXML.Event.EventData.Data[1]."#text" + $domainname = $eventXML.Event.EventData.Data[2]."#text" + $key = "$username\\$domainname" + $result = Create-Obj $record $LogFile + $result.Results = "Username: $username`nDomain Name:$domainname`n" + if (!$resultoutput.ContainsKey($key)) { + $resultoutput.Add($key, $result) + } + # Newest sort in DeepBlueCLI. but Oldest Sort in WELA for log + if ($target.Count - $cnt + 1 -eq $maxtotalsensprivuse) { + $result.Message = "Sensititive Privilege Use Exceeds Threshold" + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + break; + } + $cnt += 1; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file 
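Review bot: `$privileges` (Data[4], the PrivilegeList) is read but never tested, yet `$detectedMessage` announces "Logon with SeDebugPrivilege"; as written the rule alerts on any account seen with more than one value in Data[3] among 4672 events regardless of which privileges were granted, so either drop that wording or gate the record with `if ($privileges -match 'SeDebugPrivilege')`. Data[3] of a 4672 is SubjectLogonId (the logon session), not a SID, so the variable name `$securityid` and the "User SID Access Count" label are misleading — the count grows with every new logon session of the account, which is what "multiple admin logons" actually measures. The de-duplication `if (!($string -Match $securityid))` is a regex substring test on a space-joined string, so a value that is a prefix of one already stored is treated as seen; `$string.Split(' ') -notcontains $securityid` is exact. The comment says WELA reads oldest-first, but `$RecentLogonTimeRecord` keeps the first record per user, so the reported object carries the oldest timestamp rather than the most recent one the name promises.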
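Review bot: The threshold fires purely on position — `$target.Count - $cnt + 1 -eq $maxtotalsensprivuse` is true for exactly one record, the fourth from the end of the file, whoever it belongs to — so on any real Security log (4673 is logged continuously by system services) the rule emits exactly one alert naming an arbitrary `$username`/`$domainname`. `$resultoutput` is populated per `$key` but never read, which looks like the remains of an intended per-principal count; counting per key makes the alert meaningful: `$seen[$key] += 1` and `if ($seen[$key] -eq $maxtotalsensprivuse) { ... }` with `$result` built from the current record. In the double-quoted `$key = "$username\\$domainname"` the backslash is not an escape in PowerShell, so the key contains two backslashes; `"$domainname\$username"` is the Windows convention. Filtering the PrivilegeList data field for SeDebugPrivilege/SeTcbPrivilege before counting would also stop routine SeSecurityPrivilege calls from reaching the threshold.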
diff --git a/Rules/WELA-Rules/Security/4674-HiddenServiceAttempt.ps1 b/Rules/WELA-Rules/Security/4674-HiddenServiceAttempt.ps1 new file mode 100644 index 00000000..cbdd0795 --- /dev/null +++ b/Rules/WELA-Rules/Security/4674-HiddenServiceAttempt.ps1 @@ -0,0 +1,44 @@ + +function Add-Rule { + $ruleName = "4674_HiddenServiceAttempt"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "4674_HiddenServiceAttempt"; + $detectedMessage = "User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view on DeepBlueCLI Rule"; + $target = $event | where { $_.LogName -eq "Security" -and ($_.id -eq 4674) } + if ($target) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + } + foreach ($record in $target) { + $array = $record.message -split '\n' # Split each line of the message into an array + $user = Remove-Spaces(($array[4] -split ':')[1]) + $service = Remove-Spaces(($array[11] -split ':')[1]) + $application = Remove-Spaces(($array[16] -split ': ')[1]) + $accessreq = Remove-Spaces(($array[19] -split ':')[1]) + if ($application.ToUpper() -eq "C:\WINDOWS\SYSTEM32\SERVICES.EXE" -and $accessreq.ToUpper() -eq "WRITE_DAC") { + $result = Create-Obj $record $LogFile + $result.message = $detectedMessage + $result.results = "User: $user`n" + $result.results += "Target service: $service`n" + $result.results += "Desired Access: $accessreq`n" + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/Security/4688-ProcessCreate.ps1 b/Rules/WELA-Rules/Security/4688-ProcessCreate.ps1 new file mode 100644 index 00000000..daea0994 --- /dev/null +++ b/Rules/WELA-Rules/Security/4688-ProcessCreate.ps1 
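Review bot: `$detectedMessage` describes WRITE_DAC as a "Dynamic Access Control (DAC)" change, but the DAC written here is the service object's discretionary ACL (WRITE_DAC is the right to rewrite the DACL, which is how a service is hidden by denying enumeration in its security descriptor); reword it to `"... modify the discretionary access control list (DACL) of a service, possibly to hide it from view"` so responders do not go looking at Windows DAC policy. The `Detected!` banner in the `if ($target)` branch is printed whenever any 4674 exists, before the `services.exe`/`WRITE_DAC` filter runs, so the rule announces a detection on logs with no matching record; move those three `Write-Output` lines inside the `if ($application.ToUpper() -eq ...)` block. Parsing `$record.message -split '\n'` by fixed line index (`$array[4]`, `[11]`, `[16]`, `[19]`) depends on the rendered, localised message template (this project ships a Japanese UI), whereas every other rule in this commit reads `ToXml()` EventData; 4674 exposes SubjectUserName, ObjectName, ProcessName and AccessMask there, and the mask can then be compared numerically (0x40000 for WRITE_DAC) rather than as text. `Remove-Spaces` is presumably a util.ps1 helper; it is not defined in this file.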
@@ -0,0 +1,41 @@ +# Get-WinEvent -LogName Security where {($_.ID -eq "4688" | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message + +function Add-Rule { + $ruleName = "4688-ProcessCreate"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + $ruleName = "4688-ProcessCreate"; + $detectedMessage = "detected ProcessCreate on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 4688 -and $_.LogName -eq "Security" } + + foreach ($record in $target) { + $eventXML = [xml]$record.ToXml(); + $commandline = $eventXML.Event.EventData.Data[8]."#text" + $creator = $eventXML.Event.EventData.Data[13]."#text" + + if ($commandline) { + $obj = Create-Obj -event $record $LogFile + $result = Check-Command -EventID 4688 $commandline $creator -obj $obj + if ($result) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/Security/4720-UserAccountCreate.ps1 b/Rules/WELA-Rules/Security/4720-UserAccountCreate.ps1 new file mode 100644 index 00000000..f19f1979 --- /dev/null +++ b/Rules/WELA-Rules/Security/4720-UserAccountCreate.ps1 
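Review bot: `Check-Command -EventID 4688 $commandline $creator -obj $obj` passes the command line and parent by position while the 7045 rule in this commit uses `-commandline` and the Sysmon rule uses `-creator`; unless Check-Command's positional order is exactly (commandline, creator), `$creator` silently lands in the wrong parameter, so write `Check-Command -EventID 4688 -commandline $commandline -creator $creator -obj $obj`. The `if ($commandline)` guard silently drops every 4688 when "Include command line in process creation events" auditing is off (the default), so a rule named ProcessCreate can report nothing with no explanation; a comment such as `# Data[8] (CommandLine) is empty unless the 'Include command line' audit policy is enabled` and a one-time warning would save the analyst that investigation. The first-line comment is a broken snippet (`where {($_.ID -eq "4688" | select` has unbalanced parens and compares a number to a string); either repair it to `Get-WinEvent -LogName Security | where { $_.ID -eq 4688 } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message` or remove it.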
@@ -0,0 +1,41 @@ + +function Add-Rule { + $ruleName = "4720-UserAccountCreate"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "4720-UserAccountCreate"; + $detectedMessage = "User account create on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 4720 -and $_.LogName -eq "Security" } + + if ($target) { + foreach ($record in $target) { + $result = Create-Obj $record $LogFile + $eventXML = [xml]$record.ToXml(); + $username = $eventXML.Event.EventData.Data[0]."#text" + $securityid = $eventXML.Event.EventData.Data[2]."#text" + $result.Message = $detectedMessage + $result.Results = "New User Created" + $result.Results += "Username: $username`n" + $result.Results += "User SID: $securityid`n" + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/Security/4728_4732_4756-AddedUserAdministratorsGroup.ps1 b/Rules/WELA-Rules/Security/4728_4732_4756-AddedUserAdministratorsGroup.ps1 new file mode 100644 index 00000000..a9a9a583 --- /dev/null +++ b/Rules/WELA-Rules/Security/4728_4732_4756-AddedUserAdministratorsGroup.ps1 
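Review bot: `$result.Results = "New User Created"` has no trailing newline, so the output reads `New User CreatedUsername: ...`; append `` `n `` as the sibling rules do. The alert reports only the created account (Data[0]) and its SID (Data[2]) but not who created it, which for a 4720 is the first thing a responder needs; the 4720 EventData also carries SubjectUserName/SubjectDomainName (index 4/5 in the standard schema — confirm against a sample), so `$result.Results += "Created by: $($eventXML.Event.EventData.Data[5].'#text')\$($eventXML.Event.EventData.Data[4].'#text')`n"` costs nothing. The `if ($target)` wrapper is redundant around a `foreach` over `$target`; it can be dropped.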
@@ -0,0 +1,48 @@ + +function Add-Rule { + $ruleName = "4728_4732_4756-AddedUserAdministratorsGroup"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "4728_4732_4756-AddedUserAdministratorsGroup"; + $detectedMessage = "User account added to Administrators group on DeepBlueCLI Rule"; + $target = $event | where { $_.LogName -eq "Security" -and ($_.id -eq 4728 -or $_.id -eq 4732 -or $_.id -eq 4756) } + if ($target) { + foreach ($record in $target) { + $eventXML = [xml]$record.ToXml(); + $groupname = $eventXML.Event.EventData.Data[2]."#text" + if ($groupname -eq "Administrators") { + $result = Create-Obj $record $LogFile + $username = $eventXML.Event.EventData.Data[0]."#text" + $securityid = $eventXML.Event.EventData.Data[1]."#text" + $result.Message = $detectedMessage + switch ($record.id) { + 4728 { $result.Results = "User added to global $groupname group`n" } + 4732 { $result.Results = "User added to local $groupname group`n" } + 4756 { $result.Results = "User added to universal $groupname group`n" } + } + $result.Results += "Username: $username`n" + $result.Results += "User SID: $securityid`n" + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/Sysmon/1-ProcessCreation.ps1 b/Rules/WELA-Rules/Sysmon/1-ProcessCreation.ps1 new file mode 100644 index 00000000..7bc1dc4a --- /dev/null +++ b/Rules/WELA-Rules/Sysmon/1-ProcessCreation.ps1 
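Review bot: The filter `if ($groupname -eq "Administrators")` only ever matches the local BUILTIN group, so the 4728 (global) and 4756 (universal) branches are dead for the groups that matter — "Domain Admins", "Enterprise Admins" and "Schema Admins" never equal "Administrators" — and a renamed or localised Administrators group is missed as well. Match on the group SID instead, which is stable across locales and renames: these three events carry the group's TargetSid in EventData (index 4 in the standard schema — confirm against a sample), so `$groupsid = $eventXML.Event.EventData.Data[4].'#text'` and `if ($groupsid -eq 'S-1-5-32-544' -or $groupsid -match '-(512|518|519)$')` covers BUILTIN\Administrators and Domain/Schema/Enterprise Admins. MemberName (Data[0]) is a distinguished name for domain members, so labelling it "Username" is slightly misleading ("Member" is accurate), and surfacing the SubjectUserName that performed the add would make the alert actionable.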
@@ -0,0 +1,38 @@ + +function Add-Rule { + $ruleName = "1-ProcessCreation"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "1-ProcessCreation"; + $detectedMessage = "detected Sysmon process creation on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 1 -and $_.LogName -eq "Microsoft-Windows-Sysmon/Operational" } + + foreach ($record in $target) { + $eventXML = [xml] $record.ToXml() + $creator = $eventXML.Event.EventData.Data[14]."#text" + $commandline = $eventXML.Event.EventData.Data[4]."#text" + $obj = Create-Obj -event $record + if ($commandline) { + $result = Check-Command -EventID 1 -creator $creator -obj $obj + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/Sysmon/7-UnsignedDLLImage.ps1 b/Rules/WELA-Rules/Sysmon/7-UnsignedDLLImage.ps1 new file mode 100644 index 00000000..7ab4ae53 --- /dev/null +++ b/Rules/WELA-Rules/Sysmon/7-UnsignedDLLImage.ps1 
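Review bot: `$commandline` is read from Data[4] but never handed to `Check-Command -EventID 1 -creator $creator -obj $obj`, and the result is written unconditionally, so every Sysmon process-creation event prints a `Detected!` banner whether or not `$result` is empty — compare the 4688 rule, which passes the command line and gates on `if ($result)`. The fix is `$result = Check-Command -EventID 1 -commandline $commandline -creator $creator -obj $obj` followed by `if ($result) { ... }` around the output. The fixed indices (CommandLine at 4, ParentImage at 14) match the older Sysmon event schema DeepBlueCLI targeted; newer Sysmon schema versions add fields such as RuleName, FileVersion, Description, Product, Company and OriginalFileName ahead of them, which shifts both positions, so selecting by name — `($eventXML.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'` — is the robust form. `Create-Obj -event $record` here also omits `$LogFile`, unlike the other rules.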
@@ -0,0 +1,38 @@ + +function Add-Rule { + $ruleName = "7-UnsignedDLLImage"; + # This can be very chatty, so Recommend disabled. + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "7-UnsignedDLLImage"; + $detectedMessage = "detected Sysmon Unsigned Image(DLL) on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 7 -and $_.LogName -eq "Microsoft-Windows-Sysmon/Operational" } + + foreach ($record in $target) { + $eventXML = [xml] $record.ToXml() + if ($eventXML.Event.EventData.Data[6]."#text" -eq "false") { + $image = $eventXML.Event.EventData.Data[3]."#text" + $result = Create-Obj $record $LogFile + $result.Message = $detectedMessage + $result.Results = "Loaded by: $image" + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/System/104-SystemLogClear.ps1 b/Rules/WELA-Rules/System/104-SystemLogClear.ps1 new file mode 100644 index 00000000..3f626877 --- /dev/null +++ b/Rules/WELA-Rules/System/104-SystemLogClear.ps1 
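Review bot: The rule keys on `Data[6] -eq "false"` and reports `Data[3]` as the loading image, which is the legacy Sysmon event-7 layout (Image, ImageLoaded, Hashes, Signed, ...); on newer Sysmon schemas additional fields precede `Signed`, so index 6 is no longer the Signed flag and the rule simply goes silent — select `Signed`, `SignatureStatus`, `Image` and `ImageLoaded` by their `Name` attribute instead of by position. Even on the legacy layout the alert omits the artefact that matters: it prints only `Loaded by: $image` and never the DLL path, so a responder cannot tell which unsigned module was loaded; add `$result.Results += "Image loaded: $imageloaded`n"` (and the Hashes field for lookup). `Signed -eq 'false'` also misses modules whose signature is present but invalid or revoked; `SignatureStatus -ne 'Valid'` catches both. The file's own comment says this rule is very chatty; an allow-list or a default-off flag would make that advice enforceable rather than advisory.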
@@ -0,0 +1,35 @@ + +function Add-Rule { + $ruleName = "104-SystemLogClear"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "104-SystemLogClear"; + $detectedMessage = "detected system log cleared on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 104 -and $_.LogName -eq "System" } + + if ($target) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + } + foreach ($record in $target) { + $result = Create-Obj $record $LogFile + $result.Message = $record.message + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/System/7030-InteractiveServiceWarning.ps1 b/Rules/WELA-Rules/System/7030-InteractiveServiceWarning.ps1 new file mode 100644 index 00000000..4f45aa3e --- /dev/null +++ b/Rules/WELA-Rules/System/7030-InteractiveServiceWarning.ps1 
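Review bot: Event 104 is raised for a clear of any channel, and the rule dumps `$record.message` verbatim without extracting the two fields that matter — which log was cleared and by whom; for this event they live under `UserData` rather than `EventData` (the `LogFileCleared` element carries SubjectUserName, SubjectDomainName, Channel and BackupPath — confirm against a sample), e.g. `$lc = ([xml]$record.ToXml()).Event.UserData.LogFileCleared; $result.Results = "Channel: $($lc.Channel) cleared by $($lc.SubjectDomainName)\$($lc.SubjectUserName)`n"`. BackupPath is worth surfacing too: a clear preceded by a backup is what an administrator does, a bare clear is what an attacker does. A clear of the Security log is recorded as 1102 in the Security log rather than 104 in System, so a companion rule (or at least a comment pointing to it) would close an obvious blind spot.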
@@ -0,0 +1,40 @@ + +function Add-Rule { + $ruleName = "7030-InteractiveServiceWarning"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "7030-InteractiveServiceWarning"; + $detectedMessage = "detected Interactive service warning on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 7030 -and $_.LogName -eq "System" } + + if ($target) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + } + foreach ($record in $target) { + $eventXML = [xml]$record.ToXml(); + $servicename = $eventXML.Event.EventData.Data."#text" + $result = Create-Obj $record $Logfile + $result.Results = "Service name: $servicename`n" + $result.Results += "Malware (and some third party software) trigger this warning" + # Check for suspicious service name + $result.Results += (Check-Regex $servicename 1) + Write-Output $result; + Write-Output ""; + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/System/7036-SuspiciousServiceName.ps1 b/Rules/WELA-Rules/System/7036-SuspiciousServiceName.ps1 new file mode 100644 index 00000000..9ba84485 --- /dev/null +++ b/Rules/WELA-Rules/System/7036-SuspiciousServiceName.ps1 
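Review bot: `$result.Message` is never populated here, unlike every other rule in this commit that sets `$result.Message = $detectedMessage`, so the emitted object carries whatever Create-Obj defaulted and the "Interactive service warning" text appears only in the banner; add `$result.Message = $detectedMessage` after the `Create-Obj` call. `$eventXML.Event.EventData.Data."#text"` relies on 7030 having a single Data element; if more than one is present this becomes an array and `Check-Regex` receives an array rather than a name, so `Data[0]."#text"` as in the 7036 rule is the safer form. The Results string `"Malware (and some third party software) trigger this warning"` should end with `` `n `` before the Check-Regex text is appended.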
@@ -0,0 +1,40 @@ + +function Add-Rule { + $ruleName = "7036-SuspiciousServiceName"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "7036-SuspiciousServiceName"; + $detectedMessage = "detected Suspicious Service on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 7036 -and $_.LogName -eq "System" } + + foreach ($record in $target) { + $eventXML = [xml]$record.ToXml(); + $servicename = $eventXML.Event.EventData.Data[0]."#text" + $text = (Check-Regex $servicename 1) + if ($text) { + $result = Create-Obj $record $LogFile + $result.Message = $detectedMessage + $result.Results = "Service name: $servicename`n" + $result.Results += $text + + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/System/7040-EventLogServiceStopped_Started.ps1 b/Rules/WELA-Rules/System/7040-EventLogServiceStopped_Started.ps1 new file mode 100644 index 00000000..ee2bfe42 --- /dev/null +++ b/Rules/WELA-Rules/System/7040-EventLogServiceStopped_Started.ps1 
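Review bot: 7036 is logged on every state transition (Data[1] carries the running/stopped state), so a single suspiciously named service produces an alert each time it starts and stops and the output never says which; either include the state, `$result.Results += "State: $($eventXML.Event.EventData.Data[1].'#text')`n"`, or de-duplicate on `$servicename` within a file, since the 7045 rule already covers the install. The rule also omits the trailing `Write-Output ""` the sibling rules use to separate records, so consecutive hits run together. `Check-Regex` is assumed to live in util.ps1 and to return an empty string for a benign name; the `if ($text)` gate depends on that contract and is worth a one-line comment.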
@@ -0,0 +1,43 @@ + +function Add-Rule { + $ruleName = "7040-EventLogServiceStopped/Started"; + $detectRule = { + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "7040-EventLogServiceStopped/Started"; + $detectedMessage = "detected event log serice stopped/started on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 7040 -and $_.LogName -match "System" } + foreach ($record in $target) { + $eventXML = [xml]$record.ToXml(); + $servicename = $eventXML.Event.EventData.Data[0]."#text" + $action = $eventXML.Event.EventData.Data[1]."#text" + if ($servicename -ccontains "Windows Event Log") { + $result = Create-Obj $record $LogFile + $result.Results = "Service name: $servicename`n" + $result.Results += $text + if ($action -eq "disabled") { + $result.Message += "Selective event log manipulation may follow this event." + } + elseIf ($action -eq "auto start") { + $result.Message += "Selective event log manipulation may precede this event." + } + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/Rules/WELA-Rules/System/7045-ServiceCreated.ps1 b/Rules/WELA-Rules/System/7045-ServiceCreated.ps1 new file mode 100644 index 00000000..7764cc23 --- /dev/null +++ b/Rules/WELA-Rules/System/7045-ServiceCreated.ps1 
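Review bot: `$action` is read from `Data[1]`, but the 7040 message template is "The start type of the %1 service was changed from %2 to %3", which makes Data[1] the previous start type and Data[2] the new one; as written, `-eq "disabled"` fires when the Event Log service is being re-enabled and `-eq "auto start"` when it is being disabled, so the two explanatory messages are swapped — read the new state from `Data[2]` (confirm against a sample 7040). `$text` is appended to `$result.Results` but is never assigned in this rule (a leftover of the 7045 rule's `Check-Regex` result), and `$result.Message +=` appends to whatever Create-Obj initialised instead of setting `$detectedMessage`. `$servicename -ccontains "Windows Event Log"` is a case-sensitive collection operator applied to a string, which reduces to an exact match, so `-eq` says what is meant; likewise `$_.LogName -match "System"` should be `-eq "System"` to avoid matching any channel whose name merely contains the word.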
@@ -0,0 +1,58 @@ + +function Add-Rule { + $ruleName = "7045-ServiceCreated"; + $detectRule = { + + function Search-DetectableEvents { + param ( + $event + ) + + $ruleName = "7045-ServiceCreated"; + $detectedMessage = "detected Service Create on DeepBlueCLI Rule"; + $target = $event | where { $_.ID -eq 7045 -and $_.LogName -eq "System" } + + foreach ($record in $target) { + $eventXML = [xml]$record.ToXml(); + # A service was installed in the system. + $servicename = $eventXML.Event.EventData.Data[0]."#text" + $commandline = $eventXML.Event.EventData.Data[1]."#text" + # Check for suspicious service name + $text = (Check-Regex $servicename 1) + if ($text) { + $result = Create-Obj $record $LogFile + $result.Command = $commandline + $result.Results = "Service name: $servicename`n" + $result.Results += $text + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + # Check for suspicious cmd + if ($commandline) { + $servicecmd = 1 # CLIs via service creation get extra checks + $ruleName = "7045-ServiceCreated"; + $detectedMessage = "detected Service Create on DeepBlueCLI Rule"; + $obj = Create-Obj -event $record + $result = Check-Command -EventID 7045 -commandline $commandline -servicecmd $servicecmd -obj $obj + if ($result) { + Write-Output ""; + Write-Output "Detected! RuleName:$ruleName"; + Write-Output $detectedMessage; + Write-Output $result; + Write-Output ""; + } + } + } + }; + . Search-DetectableEvents $args; + }; + if (! $ruleStack[$ruleName]) { + $ruleStack.Add($ruleName, $detectRule); + } + else { + Write-Host "Rule Import Error" -Foreground Yellow; + } +} \ No newline at end of file diff --git a/WELA.ps1 b/WELA.ps1 index 1ddecd2f..f66d1c84 100755 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -91,6 +91,7 @@ param ( [switch]$IsDC, [switch]$ShowLogonID, [switch]$LiveAnalysis, + [switch]$RemoteLiveAnalysis, [string]$LogFile = "", [string]$LogDirectory = "", [switch]$ShowContributors, 
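Review bot: The two branches build their result objects differently — the name check calls `Create-Obj $record $LogFile` while the command-line check calls `Create-Obj -event $record` with no `$LogFile` — so a hit from `Check-Command` is reported without the source log the rest of the rules attach; use `Create-Obj -event $record $LogFile` in both. `$ruleName` and `$detectedMessage` are reassigned inside the loop to the same values set at the top of the function; delete those two lines. A 7045 also carries ServiceType, StartType and AccountName (Data[2..4] in the standard schema), and the account a new service runs as is one of the first things a responder wants alongside the image path; `$result.Results += "Account: $($eventXML.Event.EventData.Data[4].'#text')`n"` would surface it.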
@@ -103,10 +104,12 @@ param ( [switch]$UTC, [switch]$HideTimezone, [switch]$QuietLogo, + [string]$UseDetectRules = "0", [switch]$AnalyzeNTLM_UsageBasic, [switch]$AnalyzeNTLM_UsageDetailed ) +$ruleStack = @{}; #Global variables $YEAVersion = "1.0" $AnalyzersPath = $PSScriptRoot + "\Analyzers\" @@ -119,6 +122,35 @@ if (!$QuietLogo) { Invoke-Expression './Config/splashlogos.ps1' } +$ProgramStartTime = Get-Date + +Import-Module './Config/util.ps1' -Force ; + +$exectionpolicy = Get-ExecutionPolicy + +# Read Rules +switch ($UseDetectRules.toupper()) { + "0" { break; } + "1" { + Get-ChildItem -Path './Rules/WELA-Rules' -Recurse -Filter *.ps1 | Foreach-Object { Import-Module $_.FullName -Force; . Add-Rule } + break; + } + "2" { + Write-Host $Confirm_DefConfirm_ExecutionPolicy_Bypassed -ForegroundColor Black -BackgroundColor Yellow + if ($exectionpolicy.ToString().ToUpper() -ne "BYPASS") { + Write-Host $Error_ExecutionPolicy_Bypassed -ForegroundColor White -BackgroundColor Red + } + Get-ChildItem -Path './Rules/SIGMA' -Recurse -Filter *.ps1 | Foreach-Object { Import-Module $_.FullName -Force; . Add-Rule } + break; + } + "ALL" { + Get-ChildItem -Path './Rules' -Recurse -Filter *.ps1 | Foreach-Object { Import-Module $_.FullName -Force; . Add-Rule } + break; + } + Default {} +} +#Functions: + #Set the language: English or Japanese if ( $HostLanguage.Name -eq "ja-JP" -and $English -eq $true ) { Import-Module './Config/Language/en.ps1' -Force; @@ -198,8 +230,8 @@ if ( $ShowContributors -eq $true ) { exit } -#Stop people from doing live analysis on DCs -if ( $LiveAnalysis -eq $true -and $IsDC -eq $true ) { + +if ( ($LiveAnalysis -eq $true -or $RemoteLiveAnalysis -eq $true ) -and $IsDC -eq $true ) { Write-Host Write-Host $Warn_DC_LiveAnalysis -ForegroundColor Black -BackgroundColor Yellow #Warning: You probably should not be doing live analysis on a Domain Controller. Please copy log files offline for analysis. Write-Host 
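Review bot: `Get-ChildItem -Path './Rules/...' -Recurse -Filter *.ps1 | Foreach-Object { Import-Module $_.FullName -Force; . Add-Rule }` executes every .ps1 under a directory resolved against the current working directory, not the script, so anyone who can drop a file into `Rules\` — or who runs WELA from a directory containing a `Rules` tree — gets code execution in the analyst's session, which on a forensic workstation is exactly the trust boundary this tool should protect; anchor on the script (`Join-Path $PSScriptRoot 'Rules\WELA-Rules'`) and treat the rules as plug-ins, i.e. require signed files or a manifest hash before importing. In the `"2"` branch the execution-policy check only prints `$Error_ExecutionPolicy_Bypassed` and then proceeds to load the SIGMA rules anyway, so the check changes nothing; either `exit` there or drop it. Each `Import-Module` rebinds the same `Add-Rule` name, which works only because it is dot-sourced immediately inside the same `Foreach-Object` block; a comment saying so would stop the next person "fixing" the order. `$ProgramStartTime` is assigned here but not used anywhere in this diff.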
@@ -214,14 +246,8 @@ if ( $LiveAnalysis -eq $true -and ($LogFile -ne "" -or $LogDirectory -ne "")) { exit } -# Show-Help if nothing specified -if ( $LiveAnalysis -eq $false -and - $LogFile -eq "" -and - $SecurityEventID_Statistics -eq $false -and - $SecurityLogonTimeline -eq $false -and - $AccountInformation -eq $false -and - $AnalyzeNTLM_UsageBasic -eq $false -and - $AnalyzeNTLM_UsageDetailed -eq $false) { +# Show-Helpは各言語のModuleに移動したためShow-Help関数は既に指定済みの言語の内容となっているため言語設定等の参照は行わない +if ( $LiveAnalysis -eq $false -and $RemoteLiveAnalysis -eq $false -and $LogFile -eq "" -and $EventID_Statistics -eq $false -and $LogonTimeline -eq $false -and $AccountInformation -eq $false -and $AnalyzeNTLM_UsageBasic -eq $false -and $AnalyzeNTLM_UsageDetailed -eq $false) { Show-Help exit @@ -230,9 +256,9 @@ if ( $LiveAnalysis -eq $false -and #No analysis source was specified if ( $SecurityEventID_Statistics -eq $true -or - $SecurityLogonTimeline -eq $true -or - $AnalyzeNTLM_UsageBasic -eq $true -or - $AnalyzeNTLM_UsageDetailed -eq $true ) { + $SecurityLogonTimeline -eq $true -or + $AnalyzeNTLM_UsageBasic -eq $true -or + $AnalyzeNTLM_UsageDetailed -eq $true ) { if ( $LiveAnalysis -ne $true -and $LogFile -eq "" -and $LogDirectory -eq "") { @@ -251,7 +277,7 @@ if ($LogFile -ne "") { [void]$evtxFiles.Add($LogFile) } -if ( $LiveAnalysis -eq $true ) { +if ( $LiveAnalysis -eq $true -or $RemoteLiveAnalysis -eq $true ) { Perform-LiveAnalysisChecks if ($AnalyzeNTLM -eq $true) { @@ -271,6 +297,11 @@ if ( $LiveAnalysis -eq $true ) { "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" ) } + + if ( $RemoteLiveAnalysis -eq $true ) { + $RemoteComputerInfo = Get-RemoteComputerInfo #Get credential and computername + } + } # -LogDirectory elseif ( $LogDirectory -ne "" ) { 
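Review bot: The rewritten Show-Help condition tests `$EventID_Statistics` and `$LogonTimeline`, but the parameters the rest of this file uses (the unchanged `-230` hunk directly below still reads `$SecurityEventID_Statistics` and `$SecurityLogonTimeline`) carry the `Security` prefix; unless the unprefixed names are declared somewhere not shown, both variables are `$null`, `$null -eq $false` evaluates to false, and the help screen is never shown when WELA is run with no arguments. Restore `$SecurityEventID_Statistics -eq $false -and $SecurityLogonTimeline -eq $false` (or add the new parameters and migrate every reference in one commit). Collapsing the eight-line condition onto one line is also what made this drift easy to miss; the original one-term-per-line layout was the better style.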
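Review bot: When `-RemoteLiveAnalysis` is set, `Perform-LiveAnalysisChecks` and the hard-coded `C:\Windows\System32\winevt\Logs\...` path list run first and `Get-RemoteComputerInfo` (credential and computer name) is gathered only at the end of the block, so any pre-flight check that inspects the local host is validating the analyst's machine rather than the target, and the `$IsDC` warning added earlier in this commit relies on the operator self-declaring the remote host's role. Collect `$RemoteComputerInfo` before the checks, pass it into `Perform-LiveAnalysisChecks`, and derive the DC role from the remote host (its DomainRole) rather than from a switch. `Get-RemoteComputerInfo` is not shown here; make sure it returns a `[PSCredential]` and not a plain-text password that ends up in `$RemoteComputerInfo` and therefore in transcripts or error output.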
@@ -320,5 +351,31 @@ foreach ( $LogFile in $evtxFiles ) { Analyze-NTLMOperationalDetailed } +} + +$progcnt = 0; +$maxprogcnt = $evtxFiles.Count * $ruleStack.Count +$interval = $maxprogcnt * 0.1 +if ($ruleStack.Count -ne 0) { + foreach ($LogFile in $evtxFiles) { + $WineventFilter = @{} + $WineventFilter.Add( "Path", $LogFile ) + write-host "execute rule to $LogFile" + $logs = Get-WinEventWithFilter -WinEventFilter $WineventFilter -RemoteComputerInfo $RemoteComputerInfo + foreach ($rule in $ruleStack.keys) { + write-host "execute rule:$rule" + Invoke-Command -scriptblock $ruleStack[$rule] -ArgumentList @($logs) + } + $progcnt += 1; + if ($progcnt % $interval -eq 0) { + Write-Host "Check Detect Rule... Checked File($progcnt of $maxprogcnt)" -ForegroundColor Black -BackgroundColor Green + } + } +} +Remove-Variable ruleStack +$isAdmin = Check-Administrator +if ( $isAdmin -eq $true -and ($UseDetectRules -eq "2" -or $UseDetectRules.toupper() -eq "all")) { + Set-MpPreference -DisableRealTimeMonitoring $false; } +Set-ExecutionPolicy $exectionpolicy -scope Process \ No newline at end of file diff --git a/testfiles/AS-REP Roasting.evtx b/testfiles/AS-REP Roasting.evtx new file mode 100644 index 00000000..9b34ff50 Binary files /dev/null and b/testfiles/AS-REP Roasting.evtx differ diff --git a/testfiles/Kerberoasting&ASREP_Roasting/Kerberoasting&ASREP_Roasting.pptx b/testfiles/Kerberoasting&ASREP_Roasting/Kerberoasting&ASREP_Roasting.pptx new file mode 100644 index 00000000..7ef3a419 Binary files /dev/null and b/testfiles/Kerberoasting&ASREP_Roasting/Kerberoasting&ASREP_Roasting.pptx differ diff --git a/testfiles/Kerberoasting&ASREP_Roasting/Logs/AS-REP Roasting.evtx b/testfiles/Kerberoasting&ASREP_Roasting/Logs/AS-REP Roasting.evtx new file mode 100644 index 00000000..9b34ff50 Binary files /dev/null and b/testfiles/Kerberoasting&ASREP_Roasting/Logs/AS-REP Roasting.evtx differ 
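Review bot: `Set-MpPreference -DisableRealTimeMonitoring $false` at the very end implies Defender real-time protection is switched off somewhere earlier when `-UseDetectRules 2`/`all` is used (not visible in this diff — presumably because the SIGMA-derived rule text trips AV); if so, that is a serious side effect on the analyst's host and, as written, it is only undone if the script reaches its last lines — an exception in any rule or a Ctrl-C leaves protection disabled. Wrap the rule-execution loop in `try { ... } finally { ... }` and restore both the Defender setting and `Set-ExecutionPolicy $exectionpolicy -Scope Process` there, restoring the value saved at the point the setting was changed rather than an unconditional `$false`. The progress indicator is miscounted: `$maxprogcnt` is files × rules but `$progcnt` advances once per file, and `$interval = $maxprogcnt * 0.1` is usually fractional, so `$progcnt % $interval -eq 0` is almost never true; report `"$progcnt of $($evtxFiles.Count)"` against an integer step instead. The elevation check `Check-Administrator` guards only the re-enable here, which suggests the disable path is unguarded; that is worth confirming in the code that performs it.
```powershell
$isAdmin = Check-Administrator
try {
    # … unchanged: per-file / per-rule execution loop …
}
finally {
    Remove-Variable ruleStack -ErrorAction SilentlyContinue
    # Restore host protection even if a rule threw or the run was interrupted.
    if ($isAdmin -eq $true -and ($UseDetectRules -eq "2" -or $UseDetectRules.ToUpper() -eq "ALL")) {
        Set-MpPreference -DisableRealTimeMonitoring $false   # TODO: restore the value saved where it was disabled
    }
    Set-ExecutionPolicy $exectionpolicy -Scope Process
}
```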
diff --git a/testfiles/Kerberoasting&ASREP_Roasting/Logs/Kerberoasting.evtx b/testfiles/Kerberoasting&ASREP_Roasting/Logs/Kerberoasting.evtx new file mode 100644 index 00000000..3dae16bd Binary files /dev/null and b/testfiles/Kerberoasting&ASREP_Roasting/Logs/Kerberoasting.evtx differ diff --git a/testfiles/Kerberoasting.evtx b/testfiles/Kerberoasting.evtx new file mode 100644 index 00000000..3dae16bd Binary files /dev/null and b/testfiles/Kerberoasting.evtx differ diff --git "a/testfiles/T1197_BITS Jobs_transfer\343\202\271\343\202\244\343\203\203\343\203\201\343\202\222\345\210\251\347\224\250\343\201\227\343\201\237\343\203\252\343\203\242\343\203\274\343\203\210\343\203\225\343\202\241\343\202\244\343\203\253\343\201\256\343\203\200\343\202\246\343\203\263\343\203\255\343\203\274\343\203\211.evtx" "b/testfiles/T1197_BITS Jobs_transfer\343\202\271\343\202\244\343\203\203\343\203\201\343\202\222\345\210\251\347\224\250\343\201\227\343\201\237\343\203\252\343\203\242\343\203\274\343\203\210\343\203\225\343\202\241\343\202\244\343\203\253\343\201\256\343\203\200\343\202\246\343\203\263\343\203\255\343\203\274\343\203\211.evtx" new file mode 100644 index 00000000..75c19630 Binary files /dev/null and "b/testfiles/T1197_BITS Jobs_transfer\343\202\271\343\202\244\343\203\203\343\203\201\343\202\222\345\210\251\347\224\250\343\201\227\343\201\237\343\203\252\343\203\242\343\203\274\343\203\210\343\203\225\343\202\241\343\202\244\343\203\253\343\201\256\343\203\200\343\202\246\343\203\263\343\203\255\343\203\274\343\203\211.evtx" differ diff --git a/testfiles/T1197_BITS Jobs_v1.pptx b/testfiles/T1197_BITS Jobs_v1.pptx new file mode 100644 index 00000000..c67cb762 Binary files /dev/null and b/testfiles/T1197_BITS Jobs_v1.pptx differ diff --git a/testfiles/kerberos_pwd_spray_4771.evtx b/testfiles/kerberos_pwd_spray_4771.evtx new file mode 100644 index 00000000..631e2c5b Binary files /dev/null and b/testfiles/kerberos_pwd_spray_4771.evtx differ 
diff --git a/testfiles/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx b/testfiles/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx new file mode 100644 index 00000000..db9a9fcd Binary files /dev/null and b/testfiles/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx differ