Techniques
Sample rules
PUA - RemCom Default Named Pipe
- source: sigma
- techniques:
  - t1021
  - t1021.002
  - t1569
  - t1569.002
Description
Detects default RemCom pipe creation
Detection logic
condition: selection
selection:
  PipeName|contains: \RemCom
PUA - CSExec Default Named Pipe
- source: sigma
- techniques:
  - t1021
  - t1021.002
  - t1569
  - t1569.002
Description
Detects default CSExec pipe creation
Detection logic
condition: selection
selection:
  PipeName|contains: \csexecsvc
PUA - Nmap/Zenmap Execution
- source: sigma
- techniques:
  - t1046
Description
Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
Detection logic
condition: selection
selection:
  - Image|endswith:
      - \nmap.exe
      - \zennmap.exe
  - OriginalFileName:
      - nmap.exe
      - zennmap.exe
PUA - SoftPerfect Netscan Execution
- source: sigma
- techniques:
  - t1046
Description
Detects usage of SoftPerfect’s “netscan.exe”, an application for scanning networks. It is actively used in the wild by threat actors to inspect and understand the network architecture of a victim.
Detection logic
condition: selection
selection:
  - Image|endswith: \netscan.exe
  - Product: Network Scanner
  - Description: Application for scanning networks
Previously Installed IIS Module Was Removed
- source: sigma
- techniques:
  - t1505
  - t1505.004
  - t1562
  - t1562.002
Description
Detects the removal of a previously installed IIS module.
Detection logic
condition: selection
selection:
  Configuration|contains: /system.webServer/modules/remove
  EventID: 29
New Module Added To IIS Server
- source: sigma
- techniques:
  - t1505
  - t1505.004
  - t1562
  - t1562.002
Description
Detects the addition of a new module to an IIS server.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_builtin:
  NewValue:
    - AnonymousAuthenticationModule
    - CustomErrorModule
    - DefaultDocumentModule
    - DirectoryListingModule
    - FileCacheModule
    - HttpCacheModule
    - HttpLoggingModule
    - ProtocolSupportModule
    - RequestFilteringModule
    - StaticCompressionModule
    - StaticFileModule
    - TokenCacheModule
    - UriCacheModule
filter_main_remove:
  NewValue: ''
selection:
  Configuration|contains: /system.webServer/modules/add
  EventID: 29
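Added example, not part of the Sigma rule set: a minimal evaluator for the IIS module-addition logic above, run over constructed EventID 29 configuration-change events. It implements only the `contains` modifier and plain equality (case-insensitive, as Sigma specifies) and the `selection and not 1 of filter_main_*` condition; the events are made up for the demonstration.

```python
from typing import Any

# Rule body transcribed from the listing above (field names are the rule's own)
RULE = {
    "selection": {"Configuration|contains": "/system.webServer/modules/add", "EventID": 29},
    "filter_main_builtin": {"NewValue": [
        "AnonymousAuthenticationModule", "CustomErrorModule", "DefaultDocumentModule",
        "DirectoryListingModule", "FileCacheModule", "HttpCacheModule", "HttpLoggingModule",
        "ProtocolSupportModule", "RequestFilteringModule", "StaticCompressionModule",
        "StaticFileModule", "TokenCacheModule", "UriCacheModule"]},
    "filter_main_remove": {"NewValue": ""},
}

def _field_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """One 'Field|modifier: value' entry; a list of values is an OR. Only 'contains' and equality are handled."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    for value in expected if isinstance(expected, list) else [expected]:
        if modifier == "contains" and str(value).lower() in str(actual).lower():
            return True
        if modifier == "" and str(value).lower() == str(actual).lower():
            return True
    return False

def _block_matches(event: dict[str, Any], block: dict[str, Any]) -> bool:
    # Keys inside one selection/filter block are ANDed together
    return all(_field_matches(event, k, v) for k, v in block.items())

def matches_rule(event: dict[str, Any]) -> bool:
    """Evaluate 'condition: selection and not 1 of filter_main_*'."""
    if not _block_matches(event, RULE["selection"]):
        return False
    filters = [b for name, b in RULE.items() if name.startswith("filter_main_")]
    return not any(_block_matches(event, b) for b in filters)

# Constructed IIS configuration-change events (EventID 29); not real telemetry
EVENTS = [
    {"EventID": 29, "Configuration": "/system.webServer/modules/add[@name='CustomMod']", "NewValue": "CustomMod"},
    {"EventID": 29, "Configuration": "/system.webServer/modules/add[@name='StaticFileModule']", "NewValue": "StaticFileModule"},
    {"EventID": 29, "Configuration": "/system.webServer/modules/add", "NewValue": ""},
    {"EventID": 29, "Configuration": "/system.webServer/modules/remove[@name='CustomMod']", "NewValue": "CustomMod"},
]

def alerting_modules(events: list[dict[str, Any]]) -> list[str]:
    """Return the NewValue of every event the rule fires on."""
    return [e["NewValue"] for e in events if matches_rule(e)]
```

Calling `alerting_modules(EVENTS)` returns `['CustomMod']`: the built-in module and the empty-value change are dropped by the two filters, and the removal event does not satisfy the selection at all.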
ETW Logging/Processing Option Disabled On IIS Server
- source: sigma
- techniques:
  - t1505
  - t1505.004
  - t1562
  - t1562.002
Description
Detects changes to the IIS server configuration that disable or remove the ETW logging/processing option.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_etw_added:
  NewValue|contains: ETW
selection:
  Configuration|endswith: '@logTargetW3C'
  EventID: 29
  OldValue|contains: ETW
OpenSSH Server Listening On Socket
- source: sigma
- techniques:
  - t1021
  - t1021.004
Description
Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.
Detection logic
condition: selection
selection:
  EventID: 4
  payload|startswith: 'Server listening on '
  process: sshd
Time Machine Backup Disabled Via Tmutil - MacOS
- source: sigma
- techniques:
  - t1490
Description
Detects disabling of Time Machine (Apple’s automated backup utility software) via the native macOS backup utility “tmutil”. An attacker can use this to prevent backups from occurring.
Detection logic
condition: all of selection_*
selection_cmd:
CommandLine|contains: disable
selection_img:
- Image|endswith: /tmutil
- CommandLine|contains: tmutil
New File Exclusion Added To Time Machine Via Tmutil - MacOS
- source: sigma
- techniques:
  - t1490
Description
Detects the addition of a new file or path exclusion to macOS Time Machine via the “tmutil” utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
Detection logic
condition: all of selection_*
selection_cmd:
  CommandLine|contains: addexclusion
selection_img:
  - Image|endswith: /tmutil
  - CommandLine|contains: tmutil