Merge PR SigmaHQ#4527 from @sifex - Update README.md with a new descr…

…iption image chore: Update README.md --------- Co-authored-by: Alex <[email protected]> Co-authored-by: nasbench <[email protected]>
swachchhanda000 · Oct 30, 2023 · b23f909 · b23f909
1 parent fa85c19
commit b23f909
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
 <br />
 <picture>
   <source media="(prefers-color-scheme: dark)" srcset="./images/sigma_logo_dark.png">
-  <img height="135" alt="Sigma Logo" src="./images/sigma_logo_light.png">
+  <img width="454" alt="Sigma Logo" src="./images/sigma_logo_light.png">
 </picture>
 </p>
 </a>
@@ -40,7 +40,10 @@ The main purpose of this project is to provide a structured form in which resear
 
 Sigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files.
 
-![sigma_description](./images/Sigma-description.png)
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="./images/Sigma_description_dark.png">
+  <img alt="Sigma Description - A diagram showing Yaml Files (Sigma Rules) moving through a Sigma Convertor, and coming out as many SIEM logos, showing how Sigma rules can be converted to many different available SIEM query languages" src="./images/Sigma_description_light.png">
+</picture>
 
 ### Why Sigma
 
@@ -116,4 +119,4 @@ This project would've never reached this hight without the help of the hundreds
 
 ## Licenses
 
-The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License)
+The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License).
diff --git a/images/Sigma-description.png b/images/Sigma-description.png
diff --git a/images/Sigma_description_dark.png b/images/Sigma_description_dark.png
diff --git a/images/Sigma_description_light.png b/images/Sigma_description_light.png
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml
@@ -0,0 +1,43 @@
+title: HackTool - WinPwn Execution
+id: d557dc06-62e8-4468-a8e8-7984124908ce
+status: experimental
+description: Detects command line parameters used by WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
+author: Swachchhanda Shrawan Poudel
+date: 2023/10/30
+references:
+    - https://github.com/S3cur3Th1sSh1t/WinPwn
+    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
+    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
+    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
+tags:
+    - attack.discovery
+    - attack.t1046
+    - attack.t1082
+    - attack.t1518
+    - attack.credential_access
+    - attack.t1552.001
+    - attack.t1555
+    - attack.t1555.003
+    - attack.privilege_escalation
+    - attack.defense_evasion
+    - attack.t1548.002
+    - attack.execution
+    - attack.t1106
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_powershell_commandlets:
+        CommandLine|contains:
+            - '\WinPwn.ps1'
+            - '\Offline_Winpwn.ps1'
+    selection_flags:
+        CommandLine|contains:
+            - '-noninteractive'
+            - '-consoleoutput'
+            - '-command'
+    condition: all of selection_*
+falsepositives:
+     - Unknown
+level: high