Created October 9, 2024 16:13
jf https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/ | create_sigma_rules
#### Sigma Rule: Initial Access via Social Engineering and RMM Tool Installation
```yaml
title: Initial Access via Social Engineering and RMM Tool Installation
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p  # not a valid UUID (contains non-hex characters); regenerate before use
description: Detects the installation of Remote Monitoring and Management (RMM) utilities following social engineering attacks, which may indicate initial access by threat actors.
status: experimental
author: Your Name
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # msiexec installing a package fetched over HTTP(S). Both terms must be present:
        # with plain 'contains' the list is ORed and every 'msiexec /i' would fire.
        Image|endswith: '\msiexec.exe'
        CommandLine|contains|all:
            - '/i'
            - 'http'
    selection2:
        # The download call is in the PowerShell process's own command line,
        # so match Image rather than ParentImage.
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - 'DownloadFile'
            - 'http'
    condition: selection1 or selection2
falsepositives:
    - Legitimate RMM tool installations by administrators
level: high
tags:
    - attack.initial_access
    - attack.t1566
```
#### End of Sigma Rule
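To see what selections like these actually fire on, the following added example (not code from the gist and not Sigma or pySigma) implements just the field modifiers the rules on this page use (`endswith`, `startswith`, `contains`, the `|all` flag) and conditions of the form `a or b`, `a and b` and `1 of prefix*`. Everything in it is an assumption: the evaluator functions, the dict transcription of the first rule's detection block (with `contains|all` on the msiexec selection), a variant that uses plain `contains` on that selection, and four constructed `process_creation` events used as input.

```python
"""Minimal evaluator for the Sigma selection idioms used in the rules above (added example).

Supports only the modifiers these rules use and conditions of the form
"a", "a or b", "a and b" and "1 of prefix*". Matching is case-insensitive,
as in Sigma; wildcards are not handled.
"""
from __future__ import annotations

import re


def _match_one(mods: list[str], value: str, pattern: str) -> bool:
    """Apply a single pattern to a field value under the given modifiers."""
    v, p = value.lower(), pattern.lower()
    if "endswith" in mods:
        return v.endswith(p)
    if "startswith" in mods:
        return v.startswith(p)
    if "contains" in mods:
        return p in v
    return v == p


def match_field(spec: str, patterns, event: dict) -> bool:
    """'Field|mod1|mod2': list values are ORed unless the 'all' modifier is present."""
    name, *mods = spec.split("|")
    if name not in event:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    hits = [_match_one(mods, str(event[name]), str(p)) for p in patterns]
    return all(hits) if "all" in mods else any(hits)


def match_selection(selection: dict, event: dict) -> bool:
    """All fields inside one selection must match (implicit AND)."""
    return all(match_field(k, v, event) for k, v in selection.items())


def evaluate(detection: dict, event: dict) -> bool:
    """Evaluate a detection block (selections plus 'condition') against one event."""
    condition = detection["condition"].strip()
    selections = {k: v for k, v in detection.items() if k != "condition"}
    m = re.fullmatch(r"(1|all) of (\w+)\*", condition)
    if m:
        hits = [match_selection(s, event) for n, s in selections.items() if n.startswith(m.group(2))]
        return all(hits) if m.group(1) == "all" else any(hits)
    # "a or b and c": OR of AND-groups, which covers the conditions in this gist
    return any(
        all(match_selection(selections[n.strip()], event) for n in group.split(" and "))
        for group in condition.split(" or ")
    )


# Detection block of the first rule, transcribed to a dict (assumed transcription).
RULE_RMM_DOWNLOAD = {
    "selection1": {
        "Image|endswith": "\\msiexec.exe",
        "CommandLine|contains|all": ["/i", "http"],
    },
    "selection2": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains|all": ["DownloadFile", "http"],
    },
    "condition": "selection1 or selection2",
}

# Same rule with plain 'contains' on selection1: the list values are ORed,
# so any 'msiexec /i' matches, with or without a URL in the command line.
RULE_RMM_DOWNLOAD_NOISY = {
    **RULE_RMM_DOWNLOAD,
    "selection1": {
        "Image|endswith": "\\msiexec.exe",
        "CommandLine|contains": ["/i", "http"],
    },
}

# Constructed sample process_creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i https://rmm.example.invalid/agent.msi /qn"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\office-patch.msi /qn"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c (New-Object Net.WebClient).DownloadFile('https://rmm.example.invalid/a.exe','a.exe')"},
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe http://intranet.example.invalid"},
]


def run(detection: dict, events: list[dict]) -> list[bool]:
    """Return one verdict per event."""
    return [evaluate(detection, e) for e in events]


if __name__ == "__main__":
    for label, rule in (("contains|all", RULE_RMM_DOWNLOAD), ("plain contains", RULE_RMM_DOWNLOAD_NOISY)):
        print(label, run(rule, EVENTS))
```

Only the second event (a local MSI install with no URL) separates the two variants: the `contains|all` rule ignores it, the plain `contains` rule fires on it. Running a candidate rule over a handful of benign and suspicious events like this is a cheap way to catch that kind of modifier mistake before the rule reaches a SIEM.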
#### Sigma Rule: Enumeration and Discovery via AD Recon Tools
```yaml
title: Enumeration and Discovery via AD Recon Tools
id: 2b3c4d5e-6f7g-8h9i-0j1k-2l3m4n5o6p7q  # not a valid UUID (contains non-hex characters); regenerate before use
description: Detects the use of Active Directory reconnaissance tools such as PingCastle and ADRecon, which may indicate enumeration and discovery activities by threat actors.
status: experimental
author: Your Name
logsource:
    category: process_creation
    product: windows
detection:
    selection_pingcastle:
        Image|endswith: '\PingCastle.exe'
    selection_adrecon:
        # ADRecon is a PowerShell script: it appears in the host's command line, never in Image.
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains: 'ADRecon.ps1'
    condition: 1 of selection_*
falsepositives:
    - Legitimate security assessments and audits
level: medium
tags:
    - attack.discovery
    - attack.t1087.002
```
#### End of Sigma Rule
#### Sigma Rule: Privilege Escalation via SIM Swap or Call Forwarding
```yaml
title: Privilege Escalation via SIM Swap or Call Forwarding for Password Reset
id: 3c4d5e6f-7g8h-9i0j-1k2l-3m4n5o6p7q8r  # not a valid UUID (contains non-hex characters); regenerate before use
description: Detects changes to user multi-factor authentication settings or password resets that may indicate privilege escalation following a SIM swap or call forwarding attack.
status: experimental
author: Your Name
logsource:
    # Windows Security event log; 'authentication_logs' is not a Sigma logsource category
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4724  # An attempt was made to reset an account's password.
            - 4723  # An attempt was made to change an account's password.
        TargetUserName|endswith:
            - 'admin'
            - 'administrator'
    condition: selection
falsepositives:
    - Legitimate password reset by administrators or help desk personnel
level: high
tags:
    - attack.privilege_escalation
    - attack.t1078
```
#### End of Sigma Rule
#### Sigma Rule: Defense Evasion by Disabling Security Products via Compromised Accounts
```yaml
title: Defense Evasion by Disabling Security Products via Compromised Accounts
id: 4d5e6f7g-8h9i-0j1k-2l3m-4n5o6p7q8r9s  # not a valid UUID (contains non-hex characters); regenerate before use
description: Detects attempts to disable or impair security products using compromised security personnel accounts, which may indicate defense evasion activities by threat actors.
status: experimental
author: Your Name
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # Defender real-time protection switched off from PowerShell
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - 'Set-MpPreference'
            - '-DisableRealtimeMonitoring $true'
    selection2:
        # Very broad: matches any 'net stop'. Constrain to your security products' service names when tuning.
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'net stop'
    condition: selection1 or selection2
falsepositives:
    - Legitimate security product configuration changes by administrators
level: critical
tags:
    - attack.defense_evasion
    - attack.t1562.001
```
#### End of Sigma Rule
#### Sigma Rule: Persistence via Federated Identity Abuse and SAML Tokens
```yaml
title: Persistence via Federated Identity Abuse and SAML Tokens
id: 5e6f7g8h-9i0j-1k2l-3m4n-5o6p7q8r9s0t  # not a valid UUID (contains non-hex characters); regenerate before use
description: Detects federation changes or unusual SAML token generation activities that may indicate persistence mechanisms employed by threat actors through identity federation abuse.
status: experimental
author: Your Name
logsource:
    # Windows Security event log; 'authentication_logs' is not a Sigma logsource category
    product: windows
    service: security
detection:
    selection_accounts:
        EventID:
            - 4741  # A computer account was created.
            - 4726  # A user account was deleted.
        # TargetDomainName holds the account's domain, so matching it against 'federated'
        # and 'saml' can never fire. Scope on the account name instead; 'federated' is kept
        # from the generated rule as a placeholder and must be replaced with the federation
        # service account(s) used in your environment.
        TargetUserName|contains: 'federated'
    selection_tgs:
        EventID: 4769  # A Kerberos service ticket was requested.
        # TicketOptions is logged as a hex flag word, not as words such as 'renewable';
        # 0x40810000 has the forwardable (0x40000000) and renewable (0x00800000) bits set.
        TicketOptions: '0x40810000'
        ServiceName|contains: 'federated'  # placeholder: the federation service's SPN or account
    condition: 1 of selection_*
falsepositives:
    - Legitimate federation changes by administrators for business needs
level: high
tags:
    - attack.persistence
    - attack.t1484.002
```
#### End of Sigma Rule