Neo23x0/gen_godmode_rule.yml

## gen_godmode_rule.yml
# ################################################################################
# IMPORTANT NOTE
# The most recent version of this POC rule can now be found in the main repository
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
# ################################################################################
#    _____        __  __  ___        __
#   / ___/__  ___/ / /  |/  /__  ___/ /__
#  / (_ / _ \/ _  / / /|_/ / _ \/ _  / -_)
#  \___/\___/\_,_/ /_/  /_/\___/\_,_/\__/_
#    / __(_)__ ___ _  ___ _  / _ \__ __/ /__
#   _\ \/ / _ `/  ' \/ _ `/ / , _/ // / / -_)
#  /___/_/\_, /_/_/_/\_,_/ /_/|_|\_,_/_/\__/
#        /___/
#
#  Florian Roth
#  December 2019
#  v0.2
#
#  A Proof-of-Concept with the most effective search queries

title: Godmode Sigma Rule
id: def6caac-a999-4fc9-8800-cfeff700ba98
description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
status: experimental
author: Florian Roth
date: 2019/12/22
level: high
action: global
---
logsource:
    category: process_creation
    product: windows
detection:
    # Different suspicious or malicious command line parameters
    selection_plain:
        CommandLine|contains:
            - ' -NoP '  # Often used in malicious PowerShell commands
            - ' -W Hidden '  # Often used in malicious PowerShell commands
            - ' -decode '  # Used with certutil
            - ' /decode '  # Used with certutil
            - ' -e* JAB'  # PowerShell encoded commands
            - ' -e* SUVYI'  # PowerShell encoded commands
            - ' -e* SQBFAFgA'  # PowerShell encoded commands
            - ' -e* aWV4I'  # PowerShell encoded commands
            - ' -e* aQBlAHgA'  # PowerShell encoded commands
            - 'vssadmin delete shadows'  # Ransomware
            - 'reg SAVE HKLM\SAM'  # save registry SAM - syskey extraction
            - ' -ma '  # ProcDump
            - 'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD
            - '.downloadstring('  # PowerShell download command
            - '.downloadfile('  # PowerShell download command
            - ' /ticket:'  # Rubeus
            - ' sekurlsa'  # Mimikatz
            - ' p::d '  # Mimikatz
            - ';iex('  # PowerShell IEX
            - 'schtasks* /create *AppData'  # Scheduled task creation pointing to AppData
    selection_parent_child:
        ParentImage|contains:
            # Office Dropper Detection
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\OUTLOOK.EXE'
        Image|contains:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\hh.exe'
            - '\wmic.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\forfiles.exe'
    selection_webshells:
        Image|contains:
            - '\apache*'
            - '\tomcat*'
            - '\w3wp.exe'
            - '\php-cgi.exe'
            - '\nginx.exe'
            - '\httpd.exe'
        CommandLine|contains:
            - 'whoami'
            - 'net user '
            - 'ping -n '
            - 'systeminfo'
            - '&cd&echo'
            - 'cd /d '  # https://www.computerhope.com/cdhlp.htm
    # Running whoami as LOCAL_SYSTEM (usually after privilege escalation)
    selection_whoami:
        Image|contains: '\whoami.exe'
        User: 'NT AUTHORITY\SYSTEM'
    condition: 1 of them
---
logsource:
    product: windows
    service: sysmon
detection:
    selection_file_creation:
        EventID: 11
        TargetFileName|contains:
            - '.dmp'  # dump process memory
            - 'Desktop\how'  # Ransomware
            - 'Desktop\decrypt'  # Ransomware
    selection_registry_modifications:
        EventID:
            - 12
            - 13
        TargetObject|contains:
            - 'UserInitMprLogonScript'  # persistence
            - '\CurrentVersion\Image File Execution Options\'  # persistence
    selection_registry_run:
        EventID:
            - 12
            - 13
        TargetObject|contains:
            - '\Microsoft\Windows\CurrentVersion\Run\'  # persistence
            - '\Microsoft\Windows\CurrentVersion\RunOnce\'   # persistence
        Details|contains:
            - 'AppData'
            - '\Users\Public\'
            - '\Temp\'
            - 'powershell'
            - 'wscript'
            - 'cscript'
    condition: 1 of them
---
logsource:
    product: windows
    service: system
detection:
    # Malicious service installs
    selection:
        EventID: 7045
        ServiceName|contains:
            - 'WCESERVICE'
            - 'WCE SERVICE'
            - 'winexesvc'
            - 'DumpSvc'
            - 'pwdump'
            - 'gsecdump'
            - 'cachedump'
    condition:
        1 of them
	# ################################################################################
	# IMPORTANT NOTE
	# The most recent version of this POC rule can now be found in the main repository
	# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
	# ################################################################################
	# _____ __ __ ___ __
	# / ___/__ ___/ / / \|/ /__ ___/ /__
	# / (_ / _ \/ _ / / /\|_/ / _ \/ _ / -_)
	# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
	# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
	# _\ \/ / _ `/ ' \/ _ `/ / , _/ // / / -_)
	# /___/_/\_, /_/_/_/\_,_/ /_/\|_\|\_,_/_/\__/
	# /___/
	#
	# Florian Roth
	# December 2019
	# v0.2
	#
	# A Proof-of-Concept with the most effective search queries

	title: Godmode Sigma Rule
	id: def6caac-a999-4fc9-8800-cfeff700ba98
	description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
	status: experimental
	author: Florian Roth
	date: 2019/12/22
	level: high
	action: global
	---
	logsource:
	category: process_creation
	product: windows
	detection:
	# Different suspicious or malicious command line parameters
	selection_plain:
	CommandLine\|contains:
	- ' -NoP ' # Often used in malicious PowerShell commands
	- ' -W Hidden ' # Often used in malicious PowerShell commands
	- ' -decode ' # Used with certutil
	- ' /decode ' # Used with certutil
	- ' -e* JAB' # PowerShell encoded commands
	- ' -e* SUVYI' # PowerShell encoded commands
	- ' -e* SQBFAFgA' # PowerShell encoded commands
	- ' -e* aWV4I' # PowerShell encoded commands
	- ' -e* aQBlAHgA' # PowerShell encoded commands
	- 'vssadmin delete shadows' # Ransomware
	- 'reg SAVE HKLM\SAM' # save registry SAM - syskey extraction
	- ' -ma ' # ProcDump
	- 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
	- '.downloadstring(' # PowerShell download command
	- '.downloadfile(' # PowerShell download command
	- ' /ticket:' # Rubeus
	- ' sekurlsa' # Mimikatz
	- ' p::d ' # Mimikatz
	- ';iex(' # PowerShell IEX
	- 'schtasks* /create *AppData' # Scheduled task creation pointing to AppData
	selection_parent_child:
	ParentImage\|contains:
	# Office Dropper Detection
	- '\WINWORD.EXE'
	- '\EXCEL.EXE'
	- '\POWERPNT.exe'
	- '\MSPUB.exe'
	- '\VISIO.exe'
	- '\OUTLOOK.EXE'
	Image\|contains:
	- '\cmd.exe'
	- '\powershell.exe'
	- '\wscript.exe'
	- '\cscript.exe'
	- '\schtasks.exe'
	- '\regsvr32.exe'
	- '\hh.exe'
	- '\wmic.exe'
	- '\mshta.exe'
	- '\msiexec.exe'
	- '\forfiles.exe'
	selection_webshells:
	Image\|contains:
	- '\apache*'
	- '\tomcat*'
	- '\w3wp.exe'
	- '\php-cgi.exe'
	- '\nginx.exe'
	- '\httpd.exe'
	CommandLine\|contains:
	- 'whoami'
	- 'net user '
	- 'ping -n '
	- 'systeminfo'
	- '&cd&echo'
	- 'cd /d ' # https://www.computerhope.com/cdhlp.htm
	# Running whoami as LOCAL_SYSTEM (usually after privilege escalation)
	selection_whoami:
	Image\|contains: '\whoami.exe'
	User: 'NT AUTHORITY\SYSTEM'
	condition: 1 of them
	---
	logsource:
	product: windows
	service: sysmon
	detection:
	selection_file_creation:
	EventID: 11
	TargetFileName\|contains:
	- '.dmp' # dump process memory
	- 'Desktop\how' # Ransomware
	- 'Desktop\decrypt' # Ransomware
	selection_registry_modifications:
	EventID:
	- 12
	- 13
	TargetObject\|contains:
	- 'UserInitMprLogonScript' # persistence
	- '\CurrentVersion\Image File Execution Options\' # persistence
	selection_registry_run:
	EventID:
	- 12
	- 13
	TargetObject\|contains:
	- '\Microsoft\Windows\CurrentVersion\Run\' # persistence
	- '\Microsoft\Windows\CurrentVersion\RunOnce\' # persistence
	Details\|contains:
	- 'AppData'
	- '\Users\Public\'
	- '\Temp\'
	- 'powershell'
	- 'wscript'
	- 'cscript'
	condition: 1 of them
	---
	logsource:
	product: windows
	service: system
	detection:
	# Malicious service installs
	selection:
	EventID: 7045
	ServiceName\|contains:
	- 'WCESERVICE'
	- 'WCE SERVICE'
	- 'winexesvc'
	- 'DumpSvc'
	- 'pwdump'
	- 'gsecdump'
	- 'cachedump'
	condition:
	1 of them