likely | LoFP

Techniques

Sample rules

File And SubFolder Enumeration Via Dir Command

source: sigma
technicques:
- t1217

Description

Detects usage of the “dir” command part of Widows CMD with the “/S” command line flag in order to enumerate files in a specified directory and all subdirectories.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|windash: dir*-s
selection_cmd:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe

Compressed File Creation Via Tar.EXE

source: sigma
technicques:
- t1560
- t1560.001

Description

Detects execution of “tar.exe” in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.

Detection logic

condition: all of selection_*
selection_create:
  CommandLine|contains:
  - -c
  - -r
  - -u
selection_img:
- Image|endswith: \tar.exe
- OriginalFileName: bsdtar

Compressed File Extraction Via Tar.EXE

source: sigma
technicques:
- t1560
- t1560.001

Description

Detects execution of “tar.exe” in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.

Detection logic

condition: all of selection_*
selection_extract:
  CommandLine|contains: -x
selection_img:
- Image|endswith: \tar.exe
- OriginalFileName: bsdtar

PowerShell Module File Created

source: sigma
technicques:

Description

Detects the creation of a new PowerShell module “.psm1”, “.psd1”, “.dll”, “.ps1”, etc.

Detection logic

condition: selection
selection:
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  TargetFilename|contains:
  - \WindowsPowerShell\Modules\
  - \PowerShell\7\Modules\

New ODBC Driver Registered

source: sigma
technicques:

Description

Detects the registration of a new ODBC driver.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_sqlserver:
  Details: '%WINDIR%\System32\SQLSRV32.dll'
  TargetObject|contains: \SQL Server\
filter_optional_office_access:
  Details|endswith: \ACEODBC.DLL
  Details|startswith: C:\Progra
  TargetObject|contains: '\Microsoft Access '
filter_optional_office_excel:
  Details|endswith: \ACEODBC.DLL
  Details|startswith: C:\Progra
  TargetObject|contains: \Microsoft Excel Driver
selection:
  TargetObject|contains: \SOFTWARE\ODBC\ODBCINST.INI\
  TargetObject|endswith: \Driver

PowerShell Script Execution Policy Enabled

source: sigma
technicques:

Description

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \Policies\Microsoft\Windows\PowerShell\EnableScripts

Potential Defense Evasion Via Raw Disk Access By Uncommon Tools

source: sigma
technicques:
- t1006

Description

Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts

Detection logic

condition: not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_floppy:
  Device|contains: floppy
filter_main_generic:
  Image|contains:
  - :\$WINDOWS.~BT\
  - :\Program Files (x86)\
  - :\Program Files\
  - :\Windows\CCM\
  - :\Windows\explorer.exe
  - :\Windows\servicing\
  - :\Windows\SoftwareDistribution\
  - :\Windows\System32\
  - :\Windows\SystemApps\
  - :\Windows\uus\
  - :\Windows\WinSxS\
filter_main_microsoft_appdata:
  Image|contains|all:
  - :\Users\
  - \AppData\
  - \Microsoft\
filter_main_null:
  Image: null
filter_main_ssd_nvme:
  Image|contains: :\Windows\Temp\
  Image|endswith:
  - \Executables\SSDUpdate.exe
  - \HostMetadata\NVMEHostmetadata.exe
filter_main_system_images:
  Image:
  - Registry
  - System
filter_main_systemsettings:
  Image|endswith: :\Windows\ImmersiveControlPanel\SystemSettings.exe
filter_main_windefender:
  Image|contains: :\ProgramData\Microsoft\Windows Defender\Platform\
  Image|endswith: \MsMpEng.exe
filter_optional_Keybase:
  Image|contains: \AppData\Local\Keybase\upd.exe
filter_optional_github_desktop:
  Image|contains: \AppData\Local\GitHubDesktop\app-
  Image|endswith: \resources\app\git\mingw64\bin\git.exe
filter_optional_nextron:
  Image|contains: :\Windows\Temp\asgard2-agent\
  Image|endswith: \thor.exe

External Disk Drive Or USB Storage Device Was Recognized By The System

source: sigma
technicques:
- t1091
- t1200

Description

Detects external disk drives or plugged-in USB devices.

Detection logic

condition: all of selection_*
selection_eid:
  EventID: 6416
selection_field:
- ClassName: DiskDrive
- DeviceDescription: USB Mass Storage Device

Locked Workstation

source: sigma
technicques:

Description

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Detection logic

condition: selection
selection:
  EventID: 4800

DNS Server Discovery Via LDAP Query

source: sigma
technicques:
- t1482

Description

Detects DNS server discovery via LDAP query requests from uncommon applications

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_defender:
  Image|contains: :\ProgramData\Microsoft\Windows Defender\Platform\
  Image|endswith: \MsMpEng.exe
filter_main_generic:
  Image|contains:
  - :\Program Files\
  - :\Program Files (x86)\
  - :\Windows\
filter_main_null:
  Image: null
filter_main_unknown:
  Image: <unknown process>
filter_optional_azure:
  Image|startswith: C:\WindowsAzure\GuestAgent
filter_optional_browsers:
  Image|endswith:
  - \chrome.exe
  - \firefox.exe
  - \opera.exe
selection:
  QueryName|startswith: _ldap.

New PowerShell Instance Created

source: sigma
technicques:
- t1059
- t1059.001

Description

Detects the execution of PowerShell via the creation of a named pipe starting with PSHost

Detection logic

condition: selection
selection:
  PipeName|startswith: \PSHost

Terminate Linux Process Via Kill

source: sigma
technicques:
- t1562

Description

Detects usage of command line tools such as “kill”, “pkill” or “killall” to terminate or signal a running process.

Detection logic

condition: selection
selection:
  Image|endswith:
  - /kill
  - /pkill
  - /killall

System Information Discovery - Auditd

source: sigma
technicques:
- t1082

Description

Detects System Information Discovery commands

Detection logic

condition: 1 of selection_*
selection_1:
  name:
  - /etc/lsb-release
  - /etc/redhat-release
  - /etc/issue
  type: PATH
selection_2:
  a0:
  - uname
  - uptime
  - lsmod
  - hostname
  - env
  type: EXECVE
selection_3:
  a0: grep
  a1|contains:
  - vbox
  - vm
  - xen
  - virtio
  - hv
  type: EXECVE
selection_4:
  a0: kmod
  a1: list
  type: EXECVE