Sample rules
Suspicious Script Execution From Temp Folder
- source: sigma
- techniques:
- t1059
Description
Detects suspicious script execution from a temporary folder
Detection logic
```yaml
condition: selection and not filter
filter:
  CommandLine|contains:
    - ' >'
    - 'Out-File'
    - 'ConvertTo-Json'
    - '-WindowStyle hidden -Verb runAs'
    - '\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\'
selection:
  CommandLine|contains:
    - '\Windows\Temp'
    - '\Temporary Internet'
    - '\AppData\Local\Temp'
    - '\AppData\Roaming\Temp'
    - '%TEMP%'
    - '%TMP%'
    - '%LocalAppData%\Temp'
  Image|endswith:
    - '\powershell.exe'
    - '\pwsh.exe'
    - '\mshta.exe'
    - '\wscript.exe'
    - '\cscript.exe'
```
Suspicious Userinit Child Process
- source: sigma
- techniques:
- t1055
Description
Detects a suspicious child process of userinit
Detection logic
```yaml
condition: selection and not 1 of filter*
filter1:
  CommandLine|contains: '\netlogon\'
filter2:
  - Image|endswith: '\explorer.exe'
  - OriginalFileName: 'explorer.exe'
selection:
  ParentImage|endswith: '\userinit.exe'
```
PowerShell Script Run in AppData
- source: sigma
- techniques:
- t1059
- t1059.001
Description
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
Detection logic
```yaml
condition: all of selection*
selection1:
  CommandLine|contains:
    - 'powershell.exe'
    - '\powershell'
    - '\pwsh'
    - 'pwsh.exe'
selection2:
  CommandLine|contains:
    - 'Local\'
    - 'Roaming\'
  CommandLine|contains|all:
    - '/c '
    - '\AppData\'
```
Windows Shell/Scripting Processes Spawning Suspicious Programs
- source: sigma
- techniques:
- t1059
- t1059.001
- t1059.005
- t1218
Description
Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.
Detection logic
```yaml
condition: selection and not 1 of filter_*
filter_amazon:
  ParentCommandLine|contains:
    - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
    - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
    - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
    - '\nessus_'
filter_ccmcache:
  CurrentDirectory|contains: '\ccmcache\'
filter_nessus:
  CommandLine|contains: '\nessus_'
filter_sccm_install:
  CommandLine|contains|all:
    - 'C:\MEM_Configmgr_'
    - '\SMSSETUP\BIN\'
    - '\autorun.hta'
    - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
  Image|endswith: '\mshta.exe'
  ParentCommandLine|contains|all:
    - 'C:\MEM_Configmgr_'
    - '\splash.hta'
    - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
  ParentImage|endswith: '\mshta.exe'
selection:
  Image|endswith:
    - '\schtasks.exe'
    - '\nslookup.exe'
    - '\certutil.exe'
    - '\bitsadmin.exe'
    - '\mshta.exe'
  ParentImage|endswith:
    - '\mshta.exe'
    - '\powershell.exe'
    - '\pwsh.exe'
    - '\rundll32.exe'
    - '\cscript.exe'
    - '\wscript.exe'
    - '\wmiprvse.exe'
    - '\regsvr32.exe'
```
Copy From Or To Admin Share Or Sysvol Folder
- source: sigma
- techniques:
- t1021
- t1021.002
- t1039
- t1048
Description
Detects a copy command or a copy utility execution to or from an Admin share or remote
Detection logic
```yaml
condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
selection_cmd_cli:
  CommandLine|contains: 'copy'
selection_cmd_img:
  - Image|endswith: '\cmd.exe'
  - OriginalFileName: 'Cmd.Exe'
selection_other_tools:
  - Image|endswith:
      - '\robocopy.exe'
      - '\xcopy.exe'
  - OriginalFileName:
      - 'robocopy.exe'
      - 'XCOPY.EXE'
selection_pwsh_cli:
  CommandLine|contains:
    - 'copy-item'
    - 'copy '
    - 'cpi '
    - ' cp '
    - 'move '
    - 'move-item'
    - ' mi '
    - ' mv '
selection_pwsh_img:
  - Image|contains:
      - '\powershell.exe'
      - '\pwsh.exe'
  - OriginalFileName:
      - 'PowerShell.EXE'
      - 'pwsh.dll'
selection_target:
  CommandLine|contains:
    - '\\\\*$'
    - '\Sysvol\'
```
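To show how the selection lists, the `contains`/`endswith`/`all` modifiers and the compound condition above combine, here is an added example (not from the page or the Sigma project) of a minimal Python evaluator for the modifier semantics used by these rules, run against the admin-share copy rule; it assumes events are dicts keyed by Sigma field names and takes pattern values already unescaped.

```python
"""Mini evaluator (added example) for the Sigma modifier semantics on this page."""
import re

def _match_value(field_value: str, mods: list, pattern: str) -> bool:
    # Sigma matching is case-insensitive and '*' inside a value is a wildcard.
    rx = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    fv = field_value.lower()
    if "contains" in mods:
        return re.search(rx, fv) is not None
    if "endswith" in mods:
        return re.search(rx + r"\Z", fv) is not None
    return re.fullmatch(rx, fv) is not None  # no modifier: plain equality

def _match_map(event: dict, mapping: dict) -> bool:
    # Every field in a map must match (AND); a value list is OR, or AND with 'all'.
    for key, patterns in mapping.items():
        field, *mods = key.split("|")
        pats = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(str(event.get(field, "")), mods, p) for p in pats]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def match_selection(event: dict, selection) -> bool:
    # A selection written as a YAML list of maps is an OR over those maps.
    maps = selection if isinstance(selection, list) else [selection]
    return any(_match_map(event, m) for m in maps)

# Values are pre-unescaped: Sigma's '\\\\*$' is two literal backslashes, a wildcard and '$' (e.g. \\HOST\C$).
RULE = {
    "selection_cmd_cli": {"CommandLine|contains": "copy"},
    "selection_cmd_img": [{"Image|endswith": "\\cmd.exe"}, {"OriginalFileName": "Cmd.Exe"}],
    "selection_other_tools": [{"Image|endswith": ["\\robocopy.exe", "\\xcopy.exe"]},
                              {"OriginalFileName": ["robocopy.exe", "XCOPY.EXE"]}],
    "selection_pwsh_cli": {"CommandLine|contains": ["copy-item", "copy ", "cpi ", " cp ",
                                                    "move ", "move-item", " mi ", " mv "]},
    "selection_pwsh_img": [{"Image|contains": ["\\powershell.exe", "\\pwsh.exe"]},
                           {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]}],
    "selection_target": {"CommandLine|contains": ["\\\\*$", "\\Sysvol\\"]},
}

def evaluate(event: dict) -> bool:
    # condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
    s = {name: match_selection(event, sel) for name, sel in RULE.items()}
    return s["selection_target"] and (s["selection_other_tools"]
        or (s["selection_cmd_cli"] and s["selection_cmd_img"])
        or (s["selection_pwsh_cli"] and s["selection_pwsh_img"]))

# Constructed sample event (not real telemetry): cmd.exe copying a file to a C$ admin share.
SAMPLE = {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
          "CommandLine": "cmd.exe /c copy C:\\Temp\\update.exe \\\\FILESRV01\\C$\\Windows\\Temp"}
```

A local `copy C:\a.txt D:\b.txt` under cmd.exe does not fire because `selection_target` fails, which is the part of the condition that keeps this rule from alerting on every copy command.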
Registry Modification to Hidden File Extension
- source: sigma
- techniques:
- t1137
Description
Hides the file extension through modification of the registry
Detection logic
```yaml
condition: 1 of selection_*
selection_Hidden:
  Details: 'DWORD (0x00000002)'
  TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
selection_HideFileExt:
  Details: 'DWORD (0x00000001)'
  TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt'
```
IE Change Domain Zone
- source: sigma
- techniques:
- t1137
Description
Hides the file extension through modification of the registry
Detection logic
```yaml
condition: selection_domains and not filter
filter:
  Details:
    - 'DWORD (0x00000000)'
    - 'DWORD (0x00000001)'
    - '(Empty)'
selection_domains:
  TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\'
```
ServiceDll Hijack
- source: sigma
- techniques:
- t1543
- t1543.003
Description
Detects changes to the “ServiceDLL” value related to a service in the registry. This is often used as a method of persistence.
Detection logic
```yaml
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_domain_controller:
  Details: '%%systemroot%%\system32\ntdsa.dll'
  Image: 'C:\Windows\system32\lsass.exe'
  TargetObject|endswith: '\Services\NTDS\Parameters\ServiceDll'
filter_main_poqexec:
  Image: 'C:\Windows\System32\poqexec.exe'
filter_main_printextensionmanger:
  Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
filter_optional_safetica:
  Details: 'C:\Windows\System32\STAgent.dll'
  Image|endswith: '\regsvr32.exe'
selection:
  TargetObject|contains|all:
    - '\System\'
    - 'ControlSet'
    - '\Services\'
  TargetObject|endswith: '\Parameters\ServiceDll'
```
Psexec Execution
- source: sigma
- techniques:
- t1021
- t1569
Description
Detects user accept agreement execution in psexec commandline
Detection logic
```yaml
condition: selection
selection:
  - Image|endswith: '\psexec.exe'
  - OriginalFileName: 'psexec.c'
```