Techniques
Sample rules
Fsutil Suspicious Invocation
- source: sigma
- techniques:
- t1070
- t1485
Description
Detects suspicious fsutil parameters (deleting the USN journal, configuring it with a small size, etc.). These may be used by ransomware during an attack (as seen with NotPetya and others).
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains:
    - deletejournal
    - createjournal
    - setZeroData
selection_img:
  - Image|endswith: \fsutil.exe
  - OriginalFileName: fsutil.exe
Suspicious SYSTEM User Process Creation
- source: sigma
- techniques:
- t1003
- t1027
- t1134
Description
Detects a suspicious process creation as the SYSTEM user (a suspicious program or command line parameter).
Detection logic
condition: all of selection* and not 1 of filter_*
filter_config_mgr:
  ParentImage|contains: :\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
filter_java:
  CommandLine|contains: ' -ma '
  Image|contains:
    - :\Program Files (x86)\Java\
    - :\Program Files\Java\
  Image|endswith: \bin\jp2launcher.exe
  ParentImage|contains:
    - :\Program Files (x86)\Java\
    - :\Program Files\Java\
  ParentImage|endswith: \bin\javaws.exe
filter_ping:
  CommandLine: ping 127.0.0.1 -n 5
filter_vs:
  Image|endswith: \PING.EXE
  ParentCommandLine|contains: \DismFoDInstall.cmd
selection:
  IntegrityLevel: System
  User|contains:
    - AUTHORI
    - AUTORI
selection_special:
  - Image|endswith:
      - \calc.exe
      - \wscript.exe
      - \cscript.exe
      - \hh.exe
      - \mshta.exe
      - \forfiles.exe
      - \ping.exe
  - CommandLine|contains:
      - ' -NoP '
      - ' -W Hidden '
      - ' -decode '
      - ' /decode '
      - ' /urlcache '
      - ' -urlcache '
      - ' -e* JAB'
      - ' -e* SUVYI'
      - ' -e* SQBFAFgA'
      - ' -e* aWV4I'
      - ' -e* IAB'
      - ' -e* PAA'
      - ' -e* aQBlAHgA'
      - vssadmin delete shadows
      - reg SAVE HKLM
      - ' -ma '
      - Microsoft\Windows\CurrentVersion\Run
      - .downloadstring(
      - .downloadfile(
      - ' /ticket:'
      - 'dpapi::'
      - event::clear
      - event::drop
      - id::modify
      - 'kerberos::'
      - 'lsadump::'
      - 'misc::'
      - 'privilege::'
      - 'rpc::'
      - 'sekurlsa::'
      - 'sid::'
      - 'token::'
      - vault::cred
      - vault::list
      - ' p::d '
      - ;iex(
      - MiniDump
      - 'net user '
Whoami Utility Execution
- source: sigma
- techniques:
- t1033
Description
Detects the execution of whoami, which is often used by attackers after exploitation or privilege escalation.
Detection logic
condition: selection
selection:
  - Image|endswith: \whoami.exe
  - OriginalFileName: whoami.exe
Suspicious Eventlog Clear or Configuration Change
- source: sigma
- techniques:
- t1070
- t1070.001
- t1562
- t1562.002
Description
Detects clearing or reconfiguration of event logs using wevtutil, PowerShell and wmic. These actions may be used by ransomware during an attack (as seen with NotPetya and others).
Detection logic
condition: 1 of selection_* and not 1 of filter_*
filter_msiexec:
  CommandLine|contains: ' sl '
  ParentImage:
    - C:\Windows\SysWOW64\msiexec.exe
    - C:\Windows\System32\msiexec.exe
selection_other_ps:
  CommandLine|contains:
    - 'Clear-EventLog '
    - 'Remove-EventLog '
    - 'Limit-EventLog '
    - 'Clear-WinEvent '
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
selection_other_wmi:
  CommandLine|contains: ClearEventLog
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
    - \wmic.exe
selection_wevtutil:
  CommandLine|contains:
    - 'clear-log '
    - ' cl '
    - 'set-log '
    - ' sl '
    - 'lfn:'
  Image|endswith: \wevtutil.exe
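As an added example (not part of this rule catalogue or Sigma's own code), a minimal matcher for the selection syntax used in the Fsutil rule and the Eventlog rule above: mappings AND their fields, lists OR their entries, and the condition combines `selection_*` and `filter_*` groups. It is run over constructed process-creation events; the function and event names are assumptions of this example, and wildcards are not handled.

```python
def field_matches(event, key, values):
    """One Sigma field spec: key is 'Field' or 'Field|modifier'; a list of values is OR."""
    field, _, mod = key.partition("|")
    actual = str(event.get(field, "")).lower()          # Sigma string matching is case-insensitive
    for value in (values if isinstance(values, list) else [values]):
        value = str(value).lower()
        if mod == "contains" and value in actual:
            return True
        if mod == "endswith" and actual.endswith(value):
            return True
        if mod == "" and actual == value:
            return True
    return False                                         # wildcards (e.g. ' -e* JAB') are not handled here

def selection_matches(event, sel):
    """A mapping ANDs its fields; a list of mappings ORs them (both forms appear in the rules above)."""
    if isinstance(sel, list):
        return any(selection_matches(event, s) for s in sel)
    return all(field_matches(event, k, v) for k, v in sel.items())

def group(rule, prefix):
    return [s for name, s in rule.items() if name.startswith(prefix)]

# "condition: all of selection_*" (Fsutil Suspicious Invocation)
FSUTIL = {
    "selection_cli": {"CommandLine|contains": ["deletejournal", "createjournal", "setZeroData"]},
    "selection_img": [{"Image|endswith": r"\fsutil.exe"}, {"OriginalFileName": "fsutil.exe"}],
}
def fsutil_fires(event):
    return all(selection_matches(event, s) for s in group(FSUTIL, "selection_"))

# "condition: 1 of selection_* and not 1 of filter_*" (wevtutil part of the Eventlog rule)
EVENTLOG = {
    "selection_wevtutil": {"CommandLine|contains": ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"],
                           "Image|endswith": r"\wevtutil.exe"},
    "filter_msiexec": {"CommandLine|contains": " sl ",
                       "ParentImage": [r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\System32\msiexec.exe"]},
}
def eventlog_fires(event):
    hit = any(selection_matches(event, s) for s in group(EVENTLOG, "selection_"))
    return hit and not any(selection_matches(event, f) for f in group(EVENTLOG, "filter_"))

# Constructed sample process-creation events (not real telemetry)
USN_DELETE = {"Image": r"C:\Windows\System32\fsutil.exe", "OriginalFileName": "fsutil.exe",
              "CommandLine": "fsutil usn deletejournal /D C:"}
LOG_CLEAR = {"Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
             "CommandLine": "wevtutil cl Security"}
MSI_SETLOG = {"Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
              "CommandLine": "wevtutil sl Application /ms:20000000"}
```

The third event shows the filter at work: the `sl` invocation under msiexec matches `selection_wevtutil` but is suppressed by `filter_msiexec`, while the same command under cmd.exe is not.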
Whoami.EXE Execution Anomaly
- source: sigma
- techniques:
- t1033
Description
Detects the execution of whoami.exe with suspicious parent processes.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_known_parents:
  ParentImage|endswith:
    - \cmd.exe
    - \powershell_ise.exe
    - \powershell.exe
    - \pwsh.exe
filter_main_parent_empty:
  ParentImage: ''
filter_main_parent_null:
  ParentImage: null
filter_optional_ms_monitoring_agent:
  ParentImage|endswith: :\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
selection:
  - Image|endswith: \whoami.exe
  - OriginalFileName: whoami.exe