Techniques
- t1003
- t1016
- t1021
- t1021.001
- t1027
- t1036
- t1053
- t1053.005
- t1059
- t1059.001
- t1059.005
- t1071
- t1071.001
- t1087
- t1087.001
- t1087.002
- t1098
- t1105
- t1133
- t1134
- t1136
- t1136.001
- t1137
- t1222
- t1222.001
- t1505
- t1505.004
- t1552
- t1552.006
- t1555
- t1555.004
- t1562
- t1562.001
- t1572
- t1615
Sample rules
Suspicious Interactive PowerShell as SYSTEM
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context
Detection logic
condition: selection
selection:
    TargetFilename:
        - C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
        - C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Suspicious Recursive Takeown
- source: sigma
- techniques:
  - t1222
  - t1222.001
Description
Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders
Detection logic
condition: selection
selection:
    CommandLine|contains|all:
        - '/f '
        - /r
    Image|endswith: \takeown.exe
Potential RDP Session Hijacking Activity
- source: sigma
- techniques:
Description
Detects potential RDP session hijacking activity on Windows systems
Detection logic
condition: all of selection_*
selection_img:
    - Image|endswith: \tscon.exe
    - OriginalFileName: tscon.exe
selection_integrity:
    IntegrityLevel:
        - System
        - S-1-16-16384
User Added to Remote Desktop Users Group
- source: sigma
- techniques:
  - t1021
  - t1021.001
  - t1133
  - t1136
  - t1136.001
Description
Detects addition of users to the local Remote Desktop Users group via “Net” or “Add-LocalGroupMember”.
Detection logic
condition: all of selection_*
selection_group:
    CommandLine|contains:
        - Remote Desktop Users
        - "Utilisateurs du Bureau \xE0 distance"
        - Usuarios de escritorio remoto
selection_main:
    - CommandLine|contains|all:
        - 'localgroup '
        - ' /add'
    - CommandLine|contains|all:
        - 'Add-LocalGroupMember '
        - ' -Group '
Suspicious IIS Module Registration
- source: sigma
- techniques:
  - t1505
  - t1505.004
Description
Detects a suspicious IIS module registration as described in Microsoft's threat report on IIS backdoors
Detection logic
condition: selection_parent and 1 of selection_cli_*
selection_cli_1:
    CommandLine|contains: appcmd.exe add module
selection_cli_2:
    CommandLine|contains: ' system.enterpriseservices.internal.publish'
    Image|endswith: \powershell.exe
selection_cli_3:
    CommandLine|contains|all:
        - gacutil
        - ' /I'
selection_parent:
    ParentImage|endswith: \w3wp.exe
Suspicious SYSTEM User Process Creation
- source: sigma
- techniques:
  - t1003
  - t1027
  - t1134
Description
Detects a suspicious process creation as the SYSTEM user (suspicious program or command line parameter)
Detection logic
condition: all of selection* and not 1 of filter_*
filter_config_mgr:
    ParentImage|contains: :\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
filter_java:
    CommandLine|contains: ' -ma '
    Image|contains:
        - :\Program Files (x86)\Java\
        - :\Program Files\Java\
    Image|endswith: \bin\jp2launcher.exe
    ParentImage|contains:
        - :\Program Files (x86)\Java\
        - :\Program Files\Java\
    ParentImage|endswith: \bin\javaws.exe
filter_main_ping:
    CommandLine|contains|all:
        - ping
        - 127.0.0.1
        - ' -n '
filter_vs:
    Image|endswith: \PING.EXE
    ParentCommandLine|contains: \DismFoDInstall.cmd
selection:
    IntegrityLevel:
        - System
        - S-1-16-16384
    User|contains:
        - AUTHORI
        - AUTORI
selection_special:
    - Image|endswith:
        - \calc.exe
        - \cscript.exe
        - \forfiles.exe
        - \hh.exe
        - \mshta.exe
        - \ping.exe
        - \wscript.exe
    - CommandLine|contains:
        - ' -NoP '
        - ' -W Hidden '
        - ' -decode '
        - ' /decode '
        - ' /urlcache '
        - ' -urlcache '
        - ' -e* JAB'
        - ' -e* SUVYI'
        - ' -e* SQBFAFgA'
        - ' -e* aWV4I'
        - ' -e* IAB'
        - ' -e* PAA'
        - ' -e* aQBlAHgA'
        - vssadmin delete shadows
        - reg SAVE HKLM
        - ' -ma '
        - Microsoft\Windows\CurrentVersion\Run
        - .downloadstring(
        - .downloadfile(
        - ' /ticket:'
        - 'dpapi::'
        - event::clear
        - event::drop
        - id::modify
        - 'kerberos::'
        - 'lsadump::'
        - 'misc::'
        - 'privilege::'
        - 'rpc::'
        - 'sekurlsa::'
        - 'sid::'
        - 'token::'
        - vault::cred
        - vault::list
        - ' p::d '
        - ;iex(
        - MiniDump
        - 'net user '
PUA - 3Proxy Execution
- source: sigma
- techniques:
  - t1572
Description
Detects the use of 3proxy, a tiny free proxy server
Detection logic
condition: 1 of selection_*
selection_img:
    Image|endswith: \3proxy.exe
selection_params:
    CommandLine|contains: .exe -i127.0.0.1 -p
selection_pe:
    Description: 3proxy - tiny proxy server
User Added to Local Administrators Group
- source: sigma
- techniques:
  - t1098
Description
Detects addition of users to the local Administrators group via “Net” or “Add-LocalGroupMember”.
Detection logic
condition: all of selection_*
selection_group:
    CommandLine|contains:
        - ' administrators '
        - ' administrateur'
selection_main:
    - CommandLine|contains|all:
        - 'localgroup '
        - ' /add'
    - CommandLine|contains|all:
        - 'Add-LocalGroupMember '
        - ' -Group '
Scheduled Task Creation Via Schtasks.EXE
- source: sigma
- techniques:
  - t1053
  - t1053.005
Description
Detects the creation of scheduled tasks by user accounts via the “schtasks” utility.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_system_user:
    User|contains:
        - AUTHORI
        - AUTORI
selection:
    CommandLine|contains: ' /create '
    Image|endswith: \schtasks.exe
Suspicious SYSVOL Domain Group Policy Access
- source: sigma
- techniques:
  - t1552
  - t1552.006
Description
Detects access to domain group policies stored in SYSVOL
Detection logic
condition: selection
selection:
    CommandLine|contains|all:
        - \SYSVOL\
        - \policies\
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
- source: sigma
- techniques:
  - t1087
  - t1087.001
Description
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember cmdlet
Detection logic
condition: all of selection_*
selection_cmdlet:
    CommandLine|contains: 'Get-LocalGroupMember '
selection_group:
    CommandLine|contains:
        - domain admins
        - ' administrator'
        - ' administrateur'
        - enterprise admins
        - Exchange Trusted Subsystem
        - Remote Desktop Users
        - "Utilisateurs du Bureau \xE0 distance"
        - Usuarios de escritorio remoto
Firewall Configuration Discovery Via Netsh.EXE
- source: sigma
- techniques:
  - t1016
Description
Adversaries may look for details about the network configuration and settings of systems they access, or through information discovery of remote systems
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains:
        - 'config '
        - 'state '
        - 'rule '
        - name=all
    CommandLine|contains|all:
        - 'netsh '
        - 'show '
        - 'firewall '
selection_img:
    - Image|endswith: \netsh.exe
    - OriginalFileName: netsh.exe
Suspicious Key Manager Access
- source: sigma
- techniques:
  - t1555
  - t1555.004
Description
Detects the invocation of the Stored User Names and Passwords dialog (Key Manager)
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains|all:
        - keymgr
        - KRShowKeyMgr
selection_img:
    - Image|endswith: \rundll32.exe
    - OriginalFileName: RUNDLL32.EXE
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
- source: sigma
- techniques:
  - t1087
  - t1087.001
  - t1087.002
Description
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Check whether the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
Detection logic
condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
filter_group_add:
    CommandLine|contains: ' /add'
selection_accounts_flags:
    CommandLine|contains: ' /do'
selection_accounts_root:
    CommandLine|contains: ' accounts '
selection_group_flags:
    CommandLine|contains:
        - domain admins
        - ' administrator'
        - ' administrateur'
        - enterprise admins
        - Exchange Trusted Subsystem
        - Remote Desktop Users
        - "Utilisateurs du Bureau \xE0 distance"
        - Usuarios de escritorio remoto
        - ' /do'
selection_group_root:
    CommandLine|contains:
        - ' group '
        - ' localgroup '
selection_img:
    - Image|endswith:
        - \net.exe
        - \net1.exe
    - OriginalFileName:
        - net.exe
        - net1.exe
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
- source: sigma
- techniques:
  - t1059
  - t1059.005
  - t1615
Description
Detects execution of the built-in script located in “C:\Windows\System32\gatherNetworkInfo.vbs”, which can be used to gather information about the target machine
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains: gatherNetworkInfo.vbs
selection_img:
    - Image|endswith:
        - \cscript.exe
        - \wscript.exe
    - OriginalFileName:
        - cscript.exe
        - wscript.exe
New Process Created Via Taskmgr.EXE
- source: sigma
- techniques:
  - t1036
Description
Detects the creation of a process via the Windows Task Manager. This might be an attempt to bypass UAC
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic:
    Image|endswith:
        - :\Windows\System32\mmc.exe
        - :\Windows\System32\resmon.exe
        - :\Windows\System32\Taskmgr.exe
selection:
    ParentImage|endswith: \taskmgr.exe
Suspicious Scheduled Task Creation Involving Temp Folder
- source: sigma
- techniques:
  - t1053
  - t1053.005
Description
Detects the creation of scheduled tasks that involve a temporary folder and run only once
Detection logic
condition: selection
selection:
    CommandLine|contains|all:
        - ' /create '
        - ' /sc once '
        - \Temp\
    Image|endswith: \schtasks.exe
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects enabling of the “AllowAnonymousCallback” registry value, which allows a remote connection between computers that do not have a trust relationship.
Detection logic
condition: selection
selection:
    Details: DWORD (0x00000001)
    TargetObject|contains: \Microsoft\WBEM\CIMOM\AllowAnonymousCallback
Outlook Security Settings Updated - Registry
- source: sigma
- techniques:
  - t1137
Description
Detects changes to the registry values related to Outlook security settings
Detection logic
condition: selection
selection:
    TargetObject|contains|all:
        - \SOFTWARE\Microsoft\Office\
        - \Outlook\Security\
Curl Usage on Linux
- source: sigma
- techniques:
  - t1105
Description
Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server
Detection logic
condition: selection
selection:
    Image|endswith: /curl
Suspicious Curl Change User Agents - Linux
- source: sigma
- techniques:
  - t1071
  - t1071.001
Description
Detects a suspicious curl process start on Linux with a user-agent option set
Detection logic
condition: selection
selection:
    CommandLine|contains:
        - ' -A '
        - ' --user-agent '
    Image|endswith: /curl
Privileged User Has Been Created
- source: sigma
- techniques:
  - t1098
  - t1136
  - t1136.001
Description
Detects the addition of a new user to a privileged group such as “root” or “sudo”
Detection logic
condition: all of selection_*
selection_new_user:
    - new user
selection_uids_gids:
    - GID=0
    - UID=0
    - GID=10
    - GID=27