LoFP / scripts and administrative tools used in the monitored environment

Sample rules

Fsutil Suspicious Invocation

Description

Detects suspicious parameters passed to fsutil (deleting the USN journal, configuring it with a small size, etc.). Ransomware may use this during an attack (seen with NotPetya and others).

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - deletejournal
  - createjournal
  - setZeroData
selection_img:
- Image|endswith: \fsutil.exe
- OriginalFileName: fsutil.exe

Whoami Utility Execution

Description

Detects the execution of whoami, which attackers often run after exploitation or privilege escalation.

Detection logic

condition: selection
selection:
- Image|endswith: \whoami.exe
- OriginalFileName: whoami.exe

Whoami.EXE Execution Anomaly

Description

Detects the execution of whoami.exe with suspicious parent processes.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_known_parents:
  ParentImage|endswith:
  - \cmd.exe
  - \powershell_ise.exe
  - \powershell.exe
  - \pwsh.exe
filter_main_parent_empty:
  ParentImage: ''
filter_main_parent_null:
  ParentImage: null
filter_optional_ms_monitoring_agent:
  ParentImage|endswith: :\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
selection:
- Image|endswith: \whoami.exe
- OriginalFileName: whoami.exe

Suspicious SYSTEM User Process Creation

Description

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Detection logic

condition: all of selection* and not 1 of filter_*
filter_config_mgr:
  ParentImage|contains: :\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
filter_java:
  CommandLine|contains: ' -ma '
  Image|contains:
  - :\Program Files (x86)\Java\
  - :\Program Files\Java\
  Image|endswith: \bin\jp2launcher.exe
  ParentImage|contains:
  - :\Program Files (x86)\Java\
  - :\Program Files\Java\
  ParentImage|endswith: \bin\javaws.exe
filter_main_ping:
  CommandLine|contains|all:
  - ping
  - 127.0.0.1
  - ' -n '
filter_vs:
  Image|endswith: \PING.EXE
  ParentCommandLine|contains: \DismFoDInstall.cmd
selection:
  IntegrityLevel:
  - System
  - S-1-16-16384
  User|contains:
  - AUTHORI
  - AUTORI
selection_special:
- Image|endswith:
  - \calc.exe
  - \cscript.exe
  - \forfiles.exe
  - \hh.exe
  - \mshta.exe
  - \ping.exe
  - \wscript.exe
- CommandLine|contains:
  - ' -NoP '
  - ' -W Hidden '
  - ' -decode '
  - ' /decode '
  - ' /urlcache '
  - ' -urlcache '
  - ' -e* JAB'
  - ' -e* SUVYI'
  - ' -e* SQBFAFgA'
  - ' -e* aWV4I'
  - ' -e* IAB'
  - ' -e* PAA'
  - ' -e* aQBlAHgA'
  - vssadmin delete shadows
  - reg SAVE HKLM
  - ' -ma '
  - Microsoft\Windows\CurrentVersion\Run
  - .downloadstring(
  - .downloadfile(
  - ' /ticket:'
  - 'dpapi::'
  - event::clear
  - event::drop
  - id::modify
  - 'kerberos::'
  - 'lsadump::'
  - 'misc::'
  - 'privilege::'
  - 'rpc::'
  - 'sekurlsa::'
  - 'sid::'
  - 'token::'
  - vault::cred
  - vault::list
  - ' p::d '
  - ;iex(
  - MiniDump
  - 'net user '

Suspicious Eventlog Clearing or Configuration Change Activity

Description

Detects the clearing or configuration tampering of the EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique has been seen used by threat actors and ransomware strains to evade defenses.

Detection logic

condition: 1 of selection_* and not 1 of filter_*
filter_msiexec:
  CommandLine|contains: ' sl '
  ParentImage:
  - C:\Windows\SysWOW64\msiexec.exe
  - C:\Windows\System32\msiexec.exe
selection_other_ps:
  CommandLine|contains:
  - 'Clear-EventLog '
  - 'Remove-EventLog '
  - 'Limit-EventLog '
  - 'Clear-WinEvent '
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
selection_other_wmi:
  CommandLine|contains: ClearEventLog
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \wmic.exe
selection_wevtutil:
  CommandLine|contains:
  - 'clear-log '
  - ' cl '
  - 'set-log '
  - ' sl '
  - 'lfn:'
  Image|endswith: \wevtutil.exe
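To show how the selection/filter split above separates a real log-clearing event from the administrative false positive this page groups rules under, here is an added example (not LoFP's or the Sigma project's code) that evaluates the Eventlog rule's logic over constructed process-creation events. It is a deliberately minimal Sigma evaluator: it assumes case-insensitive string matching and implements only the contains, endswith, all and exact-match modifiers used by the rules on this page.

```python
def _field_match(value, pattern, mods):
    """Sigma string matching is case-insensitive; supports contains/endswith/exact."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    return p in v if "contains" in mods else v.endswith(p) if "endswith" in mods else v == p

def match_map(event, selection):
    """All keys of a selection map must match (AND); a list of values is OR,
    unless the 'all' modifier (as in filter_main_ping above) makes it AND."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        pats = patterns if isinstance(patterns, list) else [patterns]
        hits = [_field_match(event.get(field), p, mods) for p in pats]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

# Detection maps transcribed from the Eventlog rule above.
SELECTIONS = {
    "selection_other_ps": {"CommandLine|contains": ["Clear-EventLog ", "Remove-EventLog ",
                                                    "Limit-EventLog ", "Clear-WinEvent "],
                           "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
    "selection_other_wmi": {"CommandLine|contains": "ClearEventLog",
                            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\wmic.exe"]},
    "selection_wevtutil": {"CommandLine|contains": ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"],
                           "Image|endswith": "\\wevtutil.exe"},
}
FILTERS = {"filter_msiexec": {"CommandLine|contains": " sl ",
                              "ParentImage": ["C:\\Windows\\SysWOW64\\msiexec.exe",
                                              "C:\\Windows\\System32\\msiexec.exe"]}}

def eventlog_rule_fires(event):
    """condition: 1 of selection_* and not 1 of filter_*"""
    matched = any(match_map(event, s) for s in SELECTIONS.values())
    filtered = any(match_map(event, f) for f in FILTERS.values())
    return matched and not filtered

# Constructed sample events (not real telemetry); "installer_resize" is the msiexec-driven
# log-size change that filter_msiexec exists to suppress.
SAMPLE_EVENTS = {
    "clear_security": {"Image": "C:\\Windows\\System32\\wevtutil.exe",
                       "CommandLine": "wevtutil cl Security", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    "installer_resize": {"Image": "C:\\Windows\\System32\\wevtutil.exe",
                         "CommandLine": "wevtutil sl Application /ms:20971520",
                         "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    "ps_clear": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "CommandLine": "powershell Clear-EventLog -LogName System", "ParentImage": "C:\\Windows\\explorer.exe"},
    "benign_dir": {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir",
                   "ParentImage": "C:\\Windows\\explorer.exe"},
}
```

Because match_map also handles the contains|all and exact-match forms, the same evaluator can be pointed at the other rule bodies on this page to check which administrative command lines their filters let through.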