-
-
Save ion-storm/90d34234e318afdf9a24b2df84f0dce5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is not my work. All credit goes to https://github.com/Neo23x0/sigma. I just used the tool to convert to graylog format, | |
| # skipped over the errors, and added some carriage returns for ease of reading. If you see a blank rule, it means there was a conversion error. | |
| rules/application/appframework_django_exceptions.yml | |
| ("SuspiciousOperation" OR "DisallowedHost" OR "DisallowedModelAdminLookup" OR "DisallowedModelAdminToField" OR "DisallowedRedirect" OR "InvalidSessionKey" OR "RequestDataTooBig" OR "SuspiciousFileOperation" OR "SuspiciousMultipartForm" OR "SuspiciousSession" OR "TooManyFieldsSent" OR "PermissionDenied") | |
| rules/application/appframework_ruby_on_rails_exceptions.yml | |
| ("ActionController\:\:InvalidAuthenticityToken" OR "ActionController\:\:InvalidCrossOriginRequest" OR "ActionController\:\:MethodNotAllowed" OR "ActionController\:\:BadRequest" OR "ActionController\:\:ParameterMissing") | |
| rules/application/appframework_spring_exceptions.yml | |
| ("AccessDeniedException" OR "CsrfException" OR "InvalidCsrfTokenException" OR "MissingCsrfTokenException" OR "CookieTheftException" OR "InvalidCookieException" OR "RequestRejectedException") | |
| rules/application/app_python_sql_exceptions.yml | |
| ("DataError" OR "IntegrityError" OR "ProgrammingError" OR "OperationalError") | |
| rules/application/app_sqlinjection_errors.yml | |
| ("quoted string not properly terminated" OR "You have an error in your SQL syntax" OR "Unclosed quotation mark" OR "near \"*\"\: syntax error" OR "SELECTs to the left and right of UNION do not have the same number of result columns") | |
| rules/web/web_apache_segfault.yml | |
| ("exit signal Segmentation Fault") | |
| rules/web/web_multiple_suspicious_resp_codes_single_source.yml | |
| rules/web/web_webshell_keyword.yml | |
| ("=whoami" OR "=net%20user" OR "=cmd%20\/c%20") | |
| rules/windows/builtin/win_admin_rdp_login.yml | |
| (EventID:"4624" AND LogonType:"10" AND AuthenticationPackageName:"Negotiate" AND AccountName:"Admin\-*") | |
| rules/windows/builtin/win_admin_share_access.yml | |
| (EventID:"5140" AND ShareName:"Admin$") AND NOT (SubjectUserName:"*$") | |
| rules/windows/builtin/win_alert_active_directory_user_control.yml | |
| ((EventID:"4704") AND ("SeEnableDelegationPrivilege")) | |
| rules/windows/builtin/win_alert_ad_user_backdoors.yml | |
| ((EventID:"4738") AND NOT (NOT _exists_:AllowedToDelegateTo)) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\-AllowedToDelegateTo") OR (EventID:"5136" AND ObjectClass:"user" AND AttributeLDAPDisplayName:"servicePrincipalName") | |
| rules/windows/builtin/win_alert_enable_weak_encryption.yml | |
| (EventID:"4738") AND ("DES" OR "Preauth" OR "Encrypted") AND ("Enabled") | |
| rules/windows/builtin/win_alert_hacktool_use.yml | |
| (EventID:("4776" "4624" "4625") AND WorkstationName:"RULER") | |
| rules/windows/builtin/win_alert_mimikatz_keywords.yml | |
| ("mimikatz" OR "mimilib" OR "<3 eo.oe" OR "eo.oe.kiwi" OR "privilege\:\:debug" OR "sekurlsa\:\:logonpasswords" OR "lsadump\:\:sam" OR "mimidrv.sys") | |
| rules/windows/builtin/win_av_relevant_match.yml | |
| ("HTool" OR "Hacktool" OR "ASP\/Backdoor" OR "JSP\/Backdoor" OR "PHP\/Backdoor" OR "Backdoor.ASP" OR "Backdoor.JSP" OR "Backdoor.PHP" OR "Webshell" OR "Portscan" OR "Mimikatz" OR "WinCred" OR "PlugX" OR "Korplug" OR "Pwdump" OR "Chopper" OR "WmiExec" OR "Xscan" OR "Clearlog" OR "ASPXSpy") AND NOT ("Keygen" OR "Crack") | |
| rules/windows/builtin/win_dcsync.yml | |
| (EventID:"4662" AND Properties:("*Replicating Directory Changes All*" "*1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2*")) | |
| rules/windows/builtin/win_disable_event_logging.yml | |
| (EventID:"4719" AND AuditPolicyChanges:"removed") | |
| rules/windows/builtin/win_eventlog_cleared.yml | |
| (EventID:"104" AND Source:"Eventlog") | |
| rules/windows/builtin/win_hack_smbexec.yml | |
| (EventID:"7045" AND ServiceName:"BTOBTO" AND ServiceFileName:"*\\execute.bat") | |
| rules/windows/builtin/win_mal_creddumper.yml | |
| ((EventID:("7045" "4697")) AND ("WCE SERVICE" OR "WCESERVICE" OR "DumpSvc")) OR (EventID:"16" AND HiveName:"*\\AppData\\Local\\Temp\\SAM*.dmp") | |
| rules/windows/builtin/win_mal_service_installs.yml | |
| (EventID:"7045") AND ((ServiceName:("WCESERVICE" "WCE SERVICE")) OR (ServiceFileName:"*\\PAExec*") OR (ServiceFileName:"winexesvc.exe*") OR (ServiceFileName:"*\\DumpSvc.exe") OR (ServiceName:"mssecsvc2.0") OR (ServiceFileName:"* net user *") OR (ServiceName:("pwdump*" "gsecdump*" "cachedump*"))) | |
| rules/windows/builtin/win_mal_wceaux_dll.yml | |
| (EventID:("4656" "4658" "4660" "4663") AND ObjectName:"*\\wceaux.dll") | |
| rules/windows/builtin/win_multiple_suspicious_cli.yml | |
| rules/windows/builtin/win_net_ntlm_downgrade.yml | |
| ((EventID:"13" AND TargetObject:("*SYSTEM\*ControlSet*\\Control\\Lsa\\lmcompatibilitylevel" "*SYSTEM\*ControlSet*\\Control\\Lsa\\NtlmMinClientSec" "*SYSTEM\*ControlSet*\\Control\\Lsa\\RestrictSendingNTLMTraffic") AND EventType:"SetValue")) | |
| ((EventID:"4657" AND ObjectName:"\\REGISTRY\\MACHINE\\SYSTEM\*ControlSet*\\Control\\Lsa" AND ObjectValueName:("LmCompatibilityLevel" "NtlmMinClientSec" "RestrictSendingNTLMTraffic"))) | |
| rules/windows/builtin/win_overpass_the_hash.yml | |
| (EventID:"4624" AND LogonType:"9" AND LogonProcessName:"seclogo" AND AuthenticationPackageName:"Negotiate") | |
| rules/windows/builtin/win_pass_the_hash.yml | |
| (EventID:"4624" AND LogonType:"3" AND LogonProcessName:"NtLmSsp" AND WorkstationName:"%Workstations%" AND ComputerName:"%Workstations%" OR EventID:"4625" AND LogonType:"3" AND LogonProcessName:"NtLmSsp" AND WorkstationName:"%Workstations%" AND ComputerName:"%Workstations%") AND NOT (AccountName:"ANONYMOUS LOGON") | |
| rules/windows/builtin/win_plugx_susp_exe_locations.yml | |
| ((EventID:"4688" AND CommandLine:"*\\CamMute.exe") AND NOT (EventID:"4688" AND CommandLine:"*\\Lenovo\\Communication Utility\*")) OR ((EventID:"4688" AND CommandLine:"*\\chrome_frame_helper.exe") AND NOT (EventID:"4688" AND CommandLine:"*\\Google\\Chrome\\application\*")) OR ((EventID:"4688" AND CommandLine:"*\\dvcemumanager.exe") AND NOT (EventID:"4688" AND CommandLine:"*\\Microsoft Device Emulator\*")) OR ((EventID:"4688" AND CommandLine:"*\\Gadget.exe") AND NOT (EventID:"4688" AND CommandLine:"*\\Windows Media Player\*")) OR ((EventID:"4688" AND CommandLine:"*\\hcc.exe") AND NOT (EventID:"4688" AND CommandLine:"*\\HTML Help Workshop\*")) OR ((EventID:"4688" AND CommandLine:"*\\hkcmd.exe") AND NOT (EventID:"4688" AND CommandLine:("*\\System32\*" "*\\SysNative\*" "*\\SysWowo64\*"))) OR ((EventID:"4688" AND CommandLine:"*\\Mc.exe") AND NOT (EventID:"4688" AND CommandLine:("*\\Microsoft Visual Studio*" "*\\Microsoft SDK*" "*\\Windows Kit*"))) OR ((EventID:"4688" AND CommandLine:"*\\MsMpEng.exe") AND NOT (EventID:"4688" AND CommandLine:("*\\Microsoft Security Client\*" "*\\Windows Defender\*" "*\\AntiMalware\*"))) OR ((EventID:"4688" AND CommandLine:"*\\msseces.exe") AND NOT (EventID:"4688" AND CommandLine:"*\\Microsoft Security Center\*")) OR ((EventID:"4688" AND CommandLine:"*\\OInfoP11.exe") AND NOT (EventID:"4688" AND CommandLine:"*\\Common Files\\Microsoft Shared\*")) OR ((EventID:"4688" AND CommandLine:"*\\OleView.exe") AND NOT (EventID:"4688" AND CommandLine:("*\\Microsoft Visual Studio*" "*\\Microsoft SDK*" "*\\Windows Kit*" "*\\Windows Resource Kit\*"))) OR ((EventID:"4688" AND CommandLine:"*\\OleView.exe") AND NOT (EventID:"4688" AND CommandLine:("*\\Microsoft Visual Studio*" "*\\Microsoft SDK*" "*\\Windows Kit*" "*\\Windows Resource Kit\*" "*\\Microsoft.NET\*"))) | |
| rules/windows/builtin/win_possible_applocker_bypass.yml | |
| (EventID:"4688" AND CommandLine:("*\\msdt.exe*" "*\\installutil.exe*" "*\\regsvcs.exe*" "*\\regasm.exe*" "*\\regsvr32.exe*" "*\\msbuild.exe*" "*\\ieexec.exe*" "*\\mshta.exe*")) | |
| (EventID:"1" AND CommandLine:("*\\msdt.exe*" "*\\installutil.exe*" "*\\regsvcs.exe*" "*\\regasm.exe*" "*\\regsvr32.exe*" "*\\msbuild.exe*" "*\\ieexec.exe*" "*\\mshta.exe*")) | |
| rules/windows/builtin/win_psexesvc_start.yml | |
| ((EventID:"4688" AND CommandLine:"C\:\\Windows\\PSEXESVC.exe")) | |
| rules/windows/builtin/win_rare_schtasks_creations.yml | |
| rules/windows/builtin/win_rare_service_installs.yml | |
| rules/windows/builtin/win_susp_add_sid_history.yml | |
| (EventID:("4765" "4766")) | |
| rules/windows/builtin/win_susp_backup_delete.yml | |
| (EventID:"524" AND Source:"Backup") | |
| rules/windows/builtin/win_susp_cli_escape.yml | |
| (EventID:"4688" AND CommandLine:("<TAB>" "\^h\^t\^t\^p" "h\"t\"t\"p")) | |
| (EventID:"1" AND CommandLine:("<TAB>" "\^h\^t\^t\^p" "h\"t\"t\"p")) | |
| rules/windows/builtin/win_susp_commands_recon_activity.yml | |
| rules/windows/builtin/win_susp_dhcp_config_failed.yml | |
| (EventID:("1031" "1032" "1034")) | |
| rules/windows/builtin/win_susp_dhcp_config.yml | |
| (EventID:"1033") | |
| rules/windows/builtin/win_susp_dns_config.yml | |
| (EventID:("150" "770")) | |
| rules/windows/builtin/win_susp_dsrm_password_change.yml | |
| (EventID:"4794") | |
| rules/windows/builtin/win_susp_eventlog_cleared.yml | |
| (EventID:"104") | |
| rules/windows/builtin/win_susp_failed_logon_reasons.yml | |
| (EventID:("4625" "4776") AND Status:("0xC0000072" "0xC000006F" "0xC0000070" "0xC0000413" "0xC000018C")) | |
| rules/windows/builtin/win_susp_failed_logons_single_source.yml | |
| rules/windows/builtin/win_susp_interactive_logons.yml | |
| (EventID:("528" "529" "4624" "4625") AND LogonType:"2" AND ComputerName:("%ServerSystems%" "%DomainControllers%")) AND NOT (LogonProcessName:"Advapi" AND ComputerName:"%Workstations%") | |
| rules/windows/builtin/win_susp_iss_module_install.yml | |
| (EventID:"1" AND CommandLine:("*\\APPCMD.EXE install module \/name\:*")) | |
| (EventID:"4688" AND CommandLine:("*\\APPCMD.EXE install module \/name\:*")) | |
| rules/windows/builtin/win_susp_kerberos_manipulation.yml | |
| (EventID:("675" "4768" "4769" "4771") AND FailureCode:("0x9" "0xA" "0xB" "0xF" "0x10" "0x11" "0x13" "0x14" "0x1A" "0x1F" "0x21" "0x22" "0x23" "0x24" "0x26" "0x27" "0x28" "0x29" "0x2C" "0x2D" "0x2E" "0x2F" "0x31" "0x32" "0x3E" "0x3F" "0x40" "0x41" "0x43" "0x44")) | |
| rules/windows/builtin/win_susp_lsass_dump.yml | |
| (EventID:"4656" AND ProcessName:"C\:\\Windows\\System32\\lsass.exe" AND AccessMask:"0x705" AND ObjectType:"SAM_DOMAIN") | |
| rules/windows/builtin/win_susp_msiexec_web_install.yml | |
| (EventID:"1" AND CommandLine:("* msiexec*\:\\\/\\\/*")) | |
| (EventID:"4688" AND CommandLine:("* msiexec*\:\\\/\\\/*")) | |
| rules/windows/builtin/win_susp_msmpeng_crash.yml | |
| ((Source:"Application Error" AND EventID:"1000") OR (Source:"Windows Error Reporting" AND EventID:"1001")) AND ("MsMpEng.exe" AND "mpengine.dll") | |
| rules/windows/builtin/win_susp_net_recon_activity.yml | |
| (EventID:"4661" AND ObjectType:"SAM_USER" AND ObjectName:"S\-1\-5\-21\-*\-500" AND AccessMask:"0x2d" OR EventID:"4661" AND ObjectType:"SAM_GROUP" AND ObjectName:"S\-1\-5\-21\-*\-512" AND AccessMask:"0x2d") | |
| rules/windows/builtin/win_susp_ntdsutil.yml | |
| (EventID:"1" AND CommandLine:"*\\ntdsutil.exe *") | |
| (EventID:"4688" AND CommandLine:"*\\ntdsutil.exe *") | |
| rules/windows/builtin/win_susp_ntlm_auth.yml | |
| (EventID:"8002" AND CallingProcessName:"*") | |
| rules/windows/builtin/win_susp_process_creations.yml | |
| (EventID:"1" AND CommandLine:("vssadmin.exe delete shadows*" "vssadmin delete shadows*" "vssadmin create shadow \/for=C\:*" "copy \\\?\\GLOBALROOT\\Device\*\\windows\\ntds\\ntds.dit*" "copy \\\?\\GLOBALROOT\\Device\*\\config\\SAM*" "reg SAVE HKLM\\SYSTEM *" "* sekurlsa\:*" "net localgroup adminstrators * \/add" "net group \"Domain Admins\" * \/ADD \/DOMAIN" "certutil.exe *\-urlcache* http*" "certutil.exe *\-urlcache* ftp*" "netsh advfirewall firewall *\\AppData\*" "attrib \+S \+H \+R *\\AppData\*" "schtasks* \/create *\\AppData\*" "schtasks* \/sc minute*" "*\\Regasm.exe *\\AppData\*" "*\\Regasm *\\AppData\*" "*\\bitsadmin* \/transfer*" "*\\certutil.exe * \-decode *" "*\\certutil.exe * \-decodehex *" "*\\certutil.exe \-ping *" "icacls * \/grant Everyone\:F \/T \/C \/Q" "* wmic shadowcopy delete *" "* wbadmin.exe delete catalog \-quiet*" "*\\wscript.exe *.jse" "*\\wscript.exe *.js" "*\\wscript.exe *.vba" "*\\wscript.exe *.vbe" "*\\cscript.exe *.jse" "*\\cscript.exe *.js" "*\\cscript.exe *.vba" "*\\cscript.exe *.vbe" "*\\fodhelper.exe" "*waitfor*\/s*" "*waitfor*\/si persist*" "*remote*\/s*" "*remote*\/c*" "*remote*\/q*" "*AddInProcess*" "*msbuild*")) | |
| (EventID:"4688" AND CommandLine:("vssadmin.exe delete shadows*" "vssadmin delete shadows*" "vssadmin create shadow \/for=C\:*" "copy \\\?\\GLOBALROOT\\Device\*\\windows\\ntds\\ntds.dit*" "copy \\\?\\GLOBALROOT\\Device\*\\config\\SAM*" "reg SAVE HKLM\\SYSTEM *" "* sekurlsa\:*" "net localgroup adminstrators * \/add" "net group \"Domain Admins\" * \/ADD \/DOMAIN" "certutil.exe *\-urlcache* http*" "certutil.exe *\-urlcache* ftp*" "netsh advfirewall firewall *\\AppData\*" "attrib \+S \+H \+R *\\AppData\*" "schtasks* \/create *\\AppData\*" "schtasks* \/sc minute*" "*\\Regasm.exe *\\AppData\*" "*\\Regasm *\\AppData\*" "*\\bitsadmin* \/transfer*" "*\\certutil.exe * \-decode *" "*\\certutil.exe * \-decodehex *" "*\\certutil.exe \-ping *" "icacls * \/grant Everyone\:F \/T \/C \/Q" "* wmic shadowcopy delete *" "* wbadmin.exe delete catalog \-quiet*" "*\\wscript.exe *.jse" "*\\wscript.exe *.js" "*\\wscript.exe *.vba" "*\\wscript.exe *.vbe" "*\\cscript.exe *.jse" "*\\cscript.exe *.js" "*\\cscript.exe *.vba" "*\\cscript.exe *.vbe" "*\\fodhelper.exe" "*waitfor*\/s*" "*waitfor*\/si persist*" "*remote*\/s*" "*remote*\/c*" "*remote*\/q*" "*AddInProcess*" "*msbuild*")) | |
| rules/windows/builtin/win_susp_rasdial_activity.yml | |
| (EventID:"4688" AND CommandLine:("rasdial")) | |
| (EventID:"1" AND CommandLine:("rasdial")) | |
| rules/windows/builtin/win_susp_rc4_kerberos.yml | |
| (EventID:"4769" AND TicketOptions:"0x40810000" AND TicketEncryptionType:"0x17") AND NOT (ServiceName:"$*") | |
| rules/windows/builtin/win_susp_rundll32_activity.yml | |
| (EventID:"4688" AND CommandLine:("*\\rundll32.exe* url.dll,*OpenURL *" "*\\rundll32.exe* url.dll,*OpenURLA *" "*\\rundll32.exe* url.dll,*FileProtocolHandler *" "*\\rundll32.exe* zipfldr.dll,*RouteTheCall *" "*\\rundll32.exe* Shell32.dll,*Control_RunDLL *" "*\\rundll32.exe javascript\:*" "* url.dll,*OpenURL *" "* url.dll,*OpenURLA *" "* url.dll,*FileProtocolHandler *" "* zipfldr.dll,*RouteTheCall *" "* Shell32.dll,*Control_RunDLL *" "* javascript\:*" "*.RegisterXLL*")) | |
| (EventID:"1" AND CommandLine:("*\\rundll32.exe* url.dll,*OpenURL *" "*\\rundll32.exe* url.dll,*OpenURLA *" "*\\rundll32.exe* url.dll,*FileProtocolHandler *" "*\\rundll32.exe* zipfldr.dll,*RouteTheCall *" "*\\rundll32.exe* Shell32.dll,*Control_RunDLL *" "*\\rundll32.exe javascript\:*" "* url.dll,*OpenURL *" "* url.dll,*OpenURLA *" "* url.dll,*FileProtocolHandler *" "* zipfldr.dll,*RouteTheCall *" "* Shell32.dll,*Control_RunDLL *" "* javascript\:*" "*.RegisterXLL*")) | |
| rules/windows/builtin/win_susp_run_locations.yml | |
| (EventID:"4688" AND CommandLine:("*\:\\RECYCLER\*" "*\:\\SystemVolumeInformation\*" "%windir%\\Tasks\*" "%systemroot%\\debug\*")) | |
| (EventID:"1" AND CommandLine:("*\:\\RECYCLER\*" "*\:\\SystemVolumeInformation\*" "%windir%\\Tasks\*" "%systemroot%\\debug\*")) | |
| rules/windows/builtin/win_susp_sam_dump.yml | |
| ((EventID:"16") AND ("*\\AppData\\Local\\Temp\\SAM\-*.dmp *")) | |
| rules/windows/builtin/win_susp_samr_pwset.yml | |
| rules/windows/builtin/win_susp_sdelete.yml | |
| (EventID:("4656" "4663" "4658") AND ObjectName:("*.AAA" "*.ZZZ")) | |
| rules/windows/builtin/win_susp_security_eventlog_cleared.yml | |
| (EventID:("517" "1102")) | |
| rules/windows/builtin/win_susp_sysprep_appdata.yml | |
| (EventID:"1" AND CommandLine:("*\\sysprep.exe *\\AppData\*" "sysprep.exe *\\AppData\*")) | |
| (EventID:"4688" AND CommandLine:("*\\sysprep.exe *\\AppData\*" "sysprep.exe *\\AppData\*")) | |
| rules/windows/builtin/win_susp_whoami.yml | |
| (EventID:"1" AND CommandLine:"whoami") | |
| (EventID:"4688" AND NewProcessName:"*\\whoami.exe") | |
| rules/windows/builtin/win_usb_device_plugged.yml | |
| (EventID:("2003" "2100" "2102")) | |
| rules/windows/builtin/win_user_added_to_local_administrators.yml | |
| (EventID:"4732" AND GroupName:"Administrators") AND NOT (SubjectUserName:"*$") | |
| rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml | |
| (EventID:"1" AND Image:"C\:\\WINDOWS\\system32\\wbem\\scrcons.exe" AND ParentImage:"C\:\\Windows\\System32\\svchost.exe") | |
| (EventID:"4688" AND Image:"C\:\\WINDOWS\\system32\\wbem\\scrcons.exe" AND ParentImage:"C\:\\Windows\\System32\\svchost.exe") | |
| rules/windows/malware/sysmon_malware_notpetya.yml | |
| ((EventID:"1" AND Image:"*\\fsutil.exe" AND CommandLine:"* deletejournal *") OR (EventID:"1" AND CommandLine:"*\\AppData\\Local\\Temp\* \\\\.\\pipe\*") OR (EventID:"1" AND Image:"*\\wevtutil.exe" AND CommandLine:"* cl *") OR (EventID:"1" AND Image:"*\\rundll32.exe" AND CommandLine:"*.dat,#1") OR ("*\\perfc.dat*")) | |
| rules/windows/malware/sysmon_malware_wannacry.yml | |
| ((EventID:"1" AND Image:("*\\tasksche.exe" "*\\mssecsvc.exe" "*\\taskdl.exe" "*\\@WanaDecryptor@*" "*\\taskhsvc.exe" "*\\taskse.exe" "*\\111.exe" "*\\lhdfrgui.exe" "*\\diskpart.exe" "*\\linuxnew.exe" "*\\wannacry.exe")) OR (EventID:"1" AND CommandLine:("*vssadmin delete shadows*" "*icacls * \/grant Everyone\:F \/T \/C \/Q*" "*bcdedit \/set \{default\} recoveryenabled no*" "*wbadmin delete catalog \-quiet*" "*@Please_Read_Me@.txt*"))) | |
| rules/windows/malware/win_mal_adwind.yml | |
| (EventID:"4688" AND CommandLine:("*\\AppData\\Roaming\\Oracle*\\java*.exe *" "*cscript.exe *Retrive*.vbs *")) | |
| (EventID:"1" AND Image:"*\\AppData\\Roaming\\Oracle\\bin\\java*.exe") | |
| (EventID:"11" AND TargetFilename:("*\\AppData\\Roaming\\Oracle\\bin\\java*.exe" "*\\Retrive*.vbs")) | |
| (EventID:"13" AND TargetObject:"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*" AND Details:"%AppData%\\Oracle\\bin\*") | |
| rules/windows/malware/win_mal_wannacry.yml | |
| ((EventID:"4688" AND CommandLine:("*vssadmin delete shadows*" "*icacls * \/grant Everyone\:F \/T \/C \/Q*" "*bcdedit \/set \{default\} recoveryenabled no*" "*wbadmin delete catalog \-quiet*")) OR (EventID:"4688" AND NewProcessName:("*\\tasksche.exe" "*\\mssecsvc.exe" "*\\taskdl.exe" "*\\WanaDecryptor*" "*\\taskhsvc.exe" "*\\taskse.exe" "*\\111.exe" "*\\lhdfrgui.exe" "*\\diskpart.exe" "*\\linuxnew.exe" "*\\wannacry.exe"))) | |
| ((EventID:"1" AND CommandLine:("*vssadmin delete shadows*" "*icacls * \/grant Everyone\:F \/T \/C \/Q*" "*bcdedit \/set \{default\} recoveryenabled no*" "*wbadmin delete catalog \-quiet*")) OR (EventID:"1" AND Image:("*\\tasksche.exe" "*\\mssecsvc.exe" "*\\taskdl.exe" "*\\WanaDecryptor*" "*\\taskhsvc.exe" "*\\taskse.exe" "*\\111.exe" "*\\lhdfrgui.exe" "*\\diskpart.exe" "*\\linuxnew.exe" "*\\wannacry.exe"))) | |
| rules/windows/other/win_rare_schtask_creation.yml | |
| rules/windows/other/win_wmi_persistence.yml | |
| (EventID:"5861") AND ("ActiveScriptEventConsumer" OR "CommandLineEventConsumer" OR "CommandLineTemplate" OR "Binding EventFilter") OR (EventID:"5859") | |
| rules/windows/powershell/powershell_downgrade_attack.yml | |
| (EventID:"400" AND EngineVersion:"2.*") AND NOT (HostVersion:"2.*") | |
| rules/windows/powershell/powershell_exe_calling_ps.yml | |
| (EventID:"400" AND EngineVersion:("2.*" "4.*" "5.*") AND HostVersion:"3.*") | |
| rules/windows/powershell/powershell_malicious_commandlets.yml | |
| ("Invoke\-DllInjection" OR "Invoke\-Shellcode" OR "Invoke\-WmiCommand" OR "Get\-GPPPassword" OR "Get\-Keystrokes" OR "Get\-TimedScreenshot" OR "Get\-VaultCredential" OR "Invoke\-CredentialInjection" OR "Invoke\-Mimikatz" OR "Invoke\-NinjaCopy" OR "Invoke\-TokenManipulation" OR "Out\-Minidump" OR "VolumeShadowCopyTools" OR "Invoke\-ReflectivePEInjection" OR "Invoke\-UserHunter" OR "Find\-GPOLocation" OR "Invoke\-ACLScanner" OR "Invoke\-DowngradeAccount" OR "Get\-ServiceUnquoted" OR "Get\-ServiceFilePermission" OR "Get\-ServicePermission" OR "Invoke\-ServiceAbuse" OR "Install\-ServiceBinary" OR "Get\-RegAutoLogon" OR "Get\-VulnAutoRun" OR "Get\-VulnSchTask" OR "Get\-UnattendedInstallFile" OR "Get\-WebConfig" OR "Get\-ApplicationHost" OR "Get\-RegAlwaysInstallElevated" OR "Get\-Unconstrained" OR "Add\-RegBackdoor" OR "Add\-ScrnSaveBackdoor" OR "Gupt\-Backdoor" OR "Invoke\-ADSBackdoor" OR "Enabled\-DuplicateToken" OR "Invoke\-PsUaCme" OR "Remove\-Update" OR "Check\-VM" OR "Get\-LSASecret" OR "Get\-PassHashes" OR "Invoke\-Mimikatz" OR "Show\-TargetScreen" OR "Port\-Scan" OR "Invoke\-PoshRatHttp" OR "Invoke\-PowerShellTCP" OR "Invoke\-PowerShellWMI" OR "Add\-Exfiltration" OR "Add\-Persistence" OR "Do\-Exfiltration" OR "Start\-CaptureServer" OR "Invoke\-DllInjection" OR "Invoke\-ReflectivePEInjection" OR "Invoke\-ShellCode" OR "Get\-ChromeDump" OR "Get\-ClipboardContents" OR "Get\-FoxDump" OR "Get\-IndexedItem" OR "Get\-Keystrokes" OR "Get\-Screenshot" OR "Invoke\-Inveigh" OR "Invoke\-NetRipper" OR "Invoke\-NinjaCopy" OR "Out\-Minidump" OR "Invoke\-EgressCheck" OR "Invoke\-PostExfil" OR "Invoke\-PSInject" OR "Invoke\-RunAs" OR "MailRaider" OR "New\-HoneyHash" OR "Set\-MacAttribute" OR "Get\-VaultCredential" OR "Invoke\-DCSync" OR "Invoke\-Mimikatz" OR "Invoke\-PowerDump" OR "Invoke\-TokenManipulation" OR "Exploit\-Jboss" OR "Invoke\-ThunderStruck" OR "Invoke\-VoiceTroll" OR "Set\-Wallpaper" OR "Invoke\-InveighRelay" OR "Invoke\-PsExec" OR "Invoke\-SSHCommand" OR "Get\-SecurityPackages" OR "Install\-SSP" OR "Invoke\-BackdoorLNK" OR "PowerBreach" OR "Get\-GPPPassword" OR "Get\-SiteListPassword" OR "Get\-System" OR "Invoke\-BypassUAC" OR "Invoke\-Tater" OR "Invoke\-WScriptBypassUAC" OR "PowerUp" OR "PowerView" OR "Get\-RickAstley" OR "Find\-Fruit" OR "HTTP\-Login" OR "Find\-TrustedDocuments" OR "Invoke\-Paranoia" OR "Invoke\-WinEnum" OR "Invoke\-ARPScan" OR "Invoke\-PortScan" OR "Invoke\-ReverseDNSLookup" OR "Invoke\-SMBScanner" OR "Invoke\-Mimikittenz") | |
| rules/windows/powershell/powershell_malicious_keywords.yml | |
| ("AdjustTokenPrivileges" OR "IMAGE_NT_OPTIONAL_HDR64_MAGIC" OR "Management.Automation.RuntimeException" OR "Microsoft.Win32.UnsafeNativeMethods" OR "ReadProcessMemory.Invoke" OR "Runtime.InteropServices" OR "SE_PRIVILEGE_ENABLED" OR "System.Security.Cryptography" OR "System.Runtime.InteropServices" OR "LSA_UNICODE_STRING" OR "MiniDumpWriteDump" OR "PAGE_EXECUTE_READ" OR "Net.Sockets.SocketFlags" OR "Reflection.Assembly" OR "SECURITY_DELEGATION" OR "TOKEN_ADJUST_PRIVILEGES" OR "TOKEN_ALL_ACCESS" OR "TOKEN_ASSIGN_PRIMARY" OR "TOKEN_DUPLICATE" OR "TOKEN_ELEVATION" OR "TOKEN_IMPERSONATE" OR "TOKEN_INFORMATION_CLASS" OR "TOKEN_PRIVILEGES" OR "TOKEN_QUERY" OR "Metasploit" OR "Mimikatz") | |
| rules/windows/powershell/powershell_prompt_credentials.yml | |
| ((EventID:"4104") AND ("PromptForCredential")) | |
| rules/windows/powershell/powershell_psattack.yml | |
| ((EventID:"4103") AND ("PS ATTACK\!\!\!")) | |
| rules/windows/powershell/powershell_suspicious_download.yml | |
| ("System.Net.WebClient\).DownloadString\(" OR "system.net.webclient\).downloadfile\(") | |
| rules/windows/powershell/powershell_suspicious_invocation_generic.yml | |
| ((" \-enc " OR " \-EncodedCommand ") AND (" \-w hidden " OR " \-window hidden " OR " \- windowstyle hidden ") AND (" \-noni " OR " \-noninteractive ")) | |
| rules/windows/powershell/powershell_suspicious_invocation_specific.yml | |
| (" \-nop \-w hidden \-c * \[Convert\]\:\:FromBase64String" OR " \-w hidden \-noni \-nop \-c \"iex\(New\-Object" OR " \-w hidden \-ep bypass \-Enc" OR "powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run" OR "bypass \-noprofile \-windowstyle hidden \(new\-object system.net.webclient\).download" OR "iex\(New\-Object Net.WebClient\).Download") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment