From 112a0939d7ee66a47f3f069854357ccc52dab873 Mon Sep 17 00:00:00 2001 
From: SherifEldeeb Date: Sun, 28 Jan 2018 02:12:19 +0300 Subject: [PATCH 1/3] Change "reference" to "references" to match new schema --- rules/application/app_python_sql_exceptions.yml | 2 +- rules/application/app_sqlinjection_errors.yml | 2 +- rules/application/appframework_django_exceptions.yml | 2 +- rules/application/appframework_ruby_on_rails_exceptions.yml | 2 +- rules/application/appframework_spring_exceptions.yml | 2 +- rules/apt/apt_apt29_tor.yml | 2 +- rules/apt/apt_carbonpaper_turla.yml | 2 +- rules/apt/apt_cloudhopper.yml | 2 +- rules/apt/apt_equationgroup_c2.yml | 2 +- rules/apt/apt_equationgroup_lnx.yml | 2 +- rules/apt/apt_pandemic.yml | 2 +- rules/apt/apt_stonedrill.yml | 2 +- rules/apt/apt_ta17_293a_ps.yml | 2 +- rules/apt/apt_turla_commands.yml | 2 +- rules/apt/apt_turla_namedpipes.yml | 2 +- rules/apt/apt_zxshell.yml | 2 +- rules/apt/crime_fireball.yml | 2 +- rules/linux/auditd/lnx_auditd_susp_cmds.yml | 2 +- rules/linux/auditd/lnx_auditd_susp_exe_folders.yml | 2 +- rules/linux/lnx_buffer_overflows.yml | 2 +- rules/linux/lnx_clamav.yml | 2 +- rules/linux/lnx_shell_susp_commands.yml | 2 +- rules/linux/lnx_shellshock.yml | 2 +- rules/linux/lnx_susp_ssh.yml | 2 +- rules/linux/lnx_susp_vsftp.yml | 2 +- rules/proxy/proxy_download_susp_dyndns.yml | 2 +- rules/proxy/proxy_download_susp_tlds_blacklist.yml | 2 +- rules/proxy/proxy_empty_ua.yml | 2 +- rules/proxy/proxy_powershell_ua.yml | 2 +- rules/proxy/proxy_susp_flash_download_loc.yml | 2 +- rules/proxy/proxy_ua_apt.yml | 2 +- rules/proxy/proxy_ua_frameworks.yml | 2 +- rules/proxy/proxy_ua_hacktool.yml | 2 +- rules/proxy/proxy_ua_malware.yml | 2 +- rules/proxy/proxy_ua_suspicious.yml | 2 +- rules/web/web_apache_segfault.yml | 2 +- rules/windows/builtin/win_admin_rdp_login.yml | 2 +- .../windows/builtin/win_alert_active_directory_user_control.yml | 2 +- rules/windows/builtin/win_alert_ad_user_backdoors.yml | 2 +- rules/windows/builtin/win_alert_enable_weak_encryption.yml | 2 +- 
rules/windows/builtin/win_disable_event_logging.yml | 2 +- rules/windows/builtin/win_eventlog_cleared.yml | 2 +- rules/windows/builtin/win_mal_wceaux_dll.yml | 2 +- rules/windows/builtin/win_multiple_suspicious_cli.yml | 2 +- rules/windows/builtin/win_pass_the_hash.yml | 2 +- rules/windows/builtin/win_plugx_susp_exe_locations.yml | 2 +- rules/windows/builtin/win_possible_applocker_bypass.yml | 2 +- rules/windows/builtin/win_susp_add_sid_history.yml | 2 +- rules/windows/builtin/win_susp_backup_delete.yml | 2 +- rules/windows/builtin/win_susp_cli_escape.yml | 2 +- rules/windows/builtin/win_susp_commands_recon_activity.yml | 2 +- rules/windows/builtin/win_susp_dhcp_config.yml | 2 +- rules/windows/builtin/win_susp_dhcp_config_failed.yml | 2 +- rules/windows/builtin/win_susp_dns_config.yml | 2 +- rules/windows/builtin/win_susp_dsrm_password_change.yml | 2 +- rules/windows/builtin/win_susp_eventlog_cleared.yml | 2 +- rules/windows/builtin/win_susp_iss_module_install.yml | 2 +- rules/windows/builtin/win_susp_lsass_dump.yml | 2 +- rules/windows/builtin/win_susp_msmpeng_crash.yml | 2 +- rules/windows/builtin/win_susp_net_recon_activity.yml | 2 +- rules/windows/builtin/win_susp_phantom_dll.yml | 2 +- rules/windows/builtin/win_susp_process_creations.yml | 2 +- rules/windows/builtin/win_susp_rasdial_activity.yml | 2 +- rules/windows/builtin/win_susp_rc4_kerberos.yml | 2 +- rules/windows/builtin/win_susp_run_locations.yml | 2 +- rules/windows/builtin/win_susp_rundll32_activity.yml | 2 +- rules/windows/builtin/win_susp_sdelete.yml | 2 +- rules/windows/builtin/win_usb_device_plugged.yml | 2 +- rules/windows/malware/sysmon_malware_notpetya.yml | 2 +- rules/windows/malware/sysmon_malware_wannacry.yml | 2 +- rules/windows/malware/win_mal_adwind.yml | 2 +- rules/windows/malware/win_mal_wannacry.yml | 2 +- rules/windows/other/win_tool_psexec.yml | 2 +- rules/windows/other/win_wmi_persistence.yml | 2 +- rules/windows/powershell/powershell_downgrade_attack.yml | 2 +- 
rules/windows/powershell/powershell_exe_calling_ps.yml | 2 +- rules/windows/powershell/powershell_malicious_commandlets.yml | 2 +- rules/windows/powershell/powershell_malicious_keywords.yml | 2 +- rules/windows/powershell/powershell_prompt_credentials.yml | 2 +- rules/windows/powershell/powershell_psattack.yml | 2 +- rules/windows/sysmon/sysmon_bitsadmin_download.yml | 2 +- rules/windows/sysmon/sysmon_dhcp_calloutdll.yml | 2 +- rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml | 2 +- rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml | 2 +- rules/windows/sysmon/sysmon_mal_namedpipes.yml | 2 +- rules/windows/sysmon/sysmon_malware_backconnect_ports.yml | 2 +- rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml | 2 +- rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml | 2 +- rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml | 2 +- rules/windows/sysmon/sysmon_mshta_spawn_shell.yml | 2 +- rules/windows/sysmon/sysmon_office_macro_cmd.yml | 2 +- rules/windows/sysmon/sysmon_office_shell.yml | 2 +- rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml | 2 +- rules/windows/sysmon/sysmon_powershell_network_connection.yml | 2 +- .../sysmon/sysmon_powershell_suspicious_parameter_variation.yml | 2 +- rules/windows/sysmon/sysmon_rundll32_net_connections.yml | 2 +- rules/windows/sysmon/sysmon_susp_certutil_command.yml | 2 +- rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml | 2 +- rules/windows/sysmon/sysmon_susp_control_dll_load.yml | 2 +- rules/windows/sysmon/sysmon_susp_exec_folder.yml | 2 +- rules/windows/sysmon/sysmon_susp_mmc_source.yml | 2 +- rules/windows/sysmon/sysmon_susp_net_execution.yml | 2 +- rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml | 2 +- .../sysmon/sysmon_susp_prog_location_network_connection.yml | 2 +- rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml | 2 +- rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml | 2 +- rules/windows/sysmon/sysmon_susp_wmi_execution.yml | 2 +- 
rules/windows/sysmon/sysmon_system_exe_anomaly.yml | 2 +- rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml | 2 +- rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml | 2 +- rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml | 2 +- rules/windows/sysmon/sysmon_win_binary_github_com.yml | 2 +- 112 files changed, 112 insertions(+), 112 deletions(-)
diff --git a/rules/application/app_python_sql_exceptions.yml b/rules/application/app_python_sql_exceptions.yml
index 220471d64a7..fe516908592 100644
--- a/rules/application/app_python_sql_exceptions.yml
+++ b/rules/application/app_python_sql_exceptions.yml
@@ -1,7 +1,7 @@
 title: Python SQL Exceptions
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
-reference:
+references:
     - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
     category: application
diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/app_sqlinjection_errors.yml
index 46e2d648e54..f16f47cc550 100644
--- a/rules/application/app_sqlinjection_errors.yml
+++ b/rules/application/app_sqlinjection_errors.yml
@@ -2,7 +2,7 @@ title: Suspicious SQL Error Messages
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
-reference: http://www.sqlinjection.net/errors
+references: http://www.sqlinjection.net/errors
 logsource:
     category: application
     product: sql
diff --git a/rules/application/appframework_django_exceptions.yml b/rules/application/appframework_django_exceptions.yml
index cb974de8cd1..fd5302b4bfa 100644
--- a/rules/application/appframework_django_exceptions.yml
+++ b/rules/application/appframework_django_exceptions.yml
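Review bot: The `+references:` line in app_sqlinjection_errors.yml keeps a bare scalar, `references: http://www.sqlinjection.net/errors`, so only the key was renamed while the value still differs from the list form every other hunk in this patch uses under `references:` (compare the PEP 249 entry in app_python_sql_exceptions.yml just above). If the new schema this series targets declares `references` as an array — the plural name and the list-valued hunks suggest so, but the schema itself is outside this page — a validator will reject the file and any tooling that iterates over the value may walk the characters of the string instead of a list of sources. Change the two new-side lines to `references:` followed by `    - http://www.sqlinjection.net/errors`. The same scalar carry-over appears in roughly two dozen other hunks of this patch (apt_apt29_tor, apt_cloudhopper, apt_turla_commands, lnx_susp_ssh, proxy_ua_apt, win_pass_the_hash, win_susp_add_sid_history, among others) and should be fixed in the same pass so the rename actually achieves the stated schema match.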
@@ -1,7 +1,7 @@
 title: Django framework exceptions
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
 logsource:
diff --git a/rules/application/appframework_ruby_on_rails_exceptions.yml b/rules/application/appframework_ruby_on_rails_exceptions.yml
index c827fa186bb..06513dfefeb 100644
--- a/rules/application/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/appframework_ruby_on_rails_exceptions.yml
@@ -1,7 +1,7 @@
 title: Ruby on Rails framework exceptions
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - http://edgeguides.rubyonrails.org/security.html
     - http://guides.rubyonrails.org/action_controller_overview.html
     - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
diff --git a/rules/application/appframework_spring_exceptions.yml b/rules/application/appframework_spring_exceptions.yml
index 0a2adfdf914..c3931636df9 100644
--- a/rules/application/appframework_spring_exceptions.yml
+++ b/rules/application/appframework_spring_exceptions.yml
@@ -1,7 +1,7 @@
 title: Spring framework exceptions
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
     category: application
diff --git a/rules/apt/apt_apt29_tor.yml b/rules/apt/apt_apt29_tor.yml
index a5e9aae007d..b8640948ddb 100644
--- a/rules/apt/apt_apt29_tor.yml
+++ b/rules/apt/apt_apt29_tor.yml
@@ -1,7 +1,7 @@
 action: global
 title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.'
-reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+references: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 logsource:
     product: windows
 detection:
diff --git a/rules/apt/apt_carbonpaper_turla.yml b/rules/apt/apt_carbonpaper_turla.yml
index 458b151b85f..df615aa3280 100644
--- a/rules/apt/apt_carbonpaper_turla.yml
+++ b/rules/apt/apt_carbonpaper_turla.yml
@@ -1,6 +1,6 @@
 title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET'
-reference: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+references: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 logsource:
     product: windows
     service: system
diff --git a/rules/apt/apt_cloudhopper.yml b/rules/apt/apt_cloudhopper.yml
index ca077f4c207..0d63e4c7070 100644
--- a/rules/apt/apt_cloudhopper.yml
+++ b/rules/apt/apt_cloudhopper.yml
@@ -1,7 +1,7 @@
 title: WMIExec VBS Script
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
-reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+references: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/apt/apt_equationgroup_c2.yml b/rules/apt/apt_equationgroup_c2.yml
index 25a36f3bfb7..6d54778f59d 100644
--- a/rules/apt/apt_equationgroup_c2.yml
+++ b/rules/apt/apt_equationgroup_c2.yml
@@ -1,6 +1,6 @@
 title: Equation Group C2 Communication
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
-reference:
+references:
     - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
     - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
 author: Florian Roth
diff --git a/rules/apt/apt_equationgroup_lnx.yml b/rules/apt/apt_equationgroup_lnx.yml
index 3d35ba16769..808747ceb94 100644
--- a/rules/apt/apt_equationgroup_lnx.yml
+++ b/rules/apt/apt_equationgroup_lnx.yml
@@ -1,6 +1,6 @@
 title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
-reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+references: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
 author: Florian Roth
 logsource:
     product: linux
diff --git a/rules/apt/apt_pandemic.yml b/rules/apt/apt_pandemic.yml
index 49cfe61df65..8643d0cb5d5 100644
--- a/rules/apt/apt_pandemic.yml
+++ b/rules/apt/apt_pandemic.yml
@@ -1,7 +1,7 @@
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
-reference:
+references:
     - https://wikileaks.org/vault7/#Pandemic
     - https://twitter.com/MalwareJake/status/870349480356454401
 author: Florian Roth
diff --git a/rules/apt/apt_stonedrill.yml b/rules/apt/apt_stonedrill.yml
index 7b511149112..650c04f5d90 100644
--- a/rules/apt/apt_stonedrill.yml
+++ b/rules/apt/apt_stonedrill.yml
@@ -1,7 +1,7 @@
 title: StoneDrill Service Install
 description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'
 author: Florian Roth
-reference: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+references: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 logsource:
     product: windows
     service: system
diff --git a/rules/apt/apt_ta17_293a_ps.yml b/rules/apt/apt_ta17_293a_ps.yml
index 1b2f8852e51..38b5115074c 100644
--- a/rules/apt/apt_ta17_293a_ps.yml
+++ b/rules/apt/apt_ta17_293a_ps.yml
@@ -1,6 +1,6 @@
 title: Ps.exe Renamed SysInternals Tool
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
-reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
+references: https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth
 date: 2017/10/22
 logsource:
diff --git a/rules/apt/apt_turla_commands.yml b/rules/apt/apt_turla_commands.yml
index c2411bda706..d6be983b209 100644
--- a/rules/apt/apt_turla_commands.yml
+++ b/rules/apt/apt_turla_commands.yml
@@ -3,7 +3,7 @@ action: global
 title: Turla Group Lateral Movement
 status: experimental
 description: Detects automated lateral movement by Turla group
-reference: https://securelist.com/the-epic-turla-operation/65545/
+references: https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
 date: 2017/11/07
 logsource:
diff --git a/rules/apt/apt_turla_namedpipes.yml b/rules/apt/apt_turla_namedpipes.yml
index a82a096488c..dea97cfcb1c 100644
--- a/rules/apt/apt_turla_namedpipes.yml
+++ b/rules/apt/apt_turla_namedpipes.yml
@@ -1,7 +1,7 @@
 title: Turla Group Named Pipes
 status: experimental
 description: Detects a named pipe used by Turla group samples
-reference: Internal Research
+references: Internal Research
 date: 2017/11/06
 author: Markus Neis
 logsource:
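Review bot: `+references: Internal Research` in apt_turla_namedpipes.yml renames the key but leaves a free-text scalar where the list-valued hunks of this patch put URLs, so the value is neither a list nor a source a reader can follow. If the new schema types `references` as a list (the schema is not on this page, so confirm against the later patches of this 3-part series), this needs to become `references:` followed by `    - Internal Research`; if the schema further constrains items to URLs, the note has no valid place under `references` and belongs in `description` instead. The same free-text values appear in lnx_auditd_susp_cmds.yml, lnx_auditd_susp_exe_folders.yml and proxy_ua_apt.yml, so whichever form the schema dictates should be applied consistently across all four.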
diff --git a/rules/apt/apt_zxshell.yml b/rules/apt/apt_zxshell.yml
index ae3f0b97196..e6b4e63ba8e 100644
--- a/rules/apt/apt_zxshell.yml
+++ b/rules/apt/apt_zxshell.yml
@@ -1,7 +1,7 @@
 title: ZxShell Malware
 description: Detects a ZxShell start by the called and well-known function name
 author: Florian Roth
-reference: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+references: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/apt/crime_fireball.yml b/rules/apt/crime_fireball.yml
index 0b8e9f017ed..84cc02070ff 100644
--- a/rules/apt/crime_fireball.yml
+++ b/rules/apt/crime_fireball.yml
@@ -3,7 +3,7 @@ status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
-reference:
+references:
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index 231f06744b0..1f27e2ffe29 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -1,7 +1,7 @@
 title: Detects Suspicious Commands on Linux systems
 status: experimental
 description: Detects relevant commands often related to malware or hacking activity
-reference: 'Internal Research - mostly derived from exploit code including code in MSF'
+references: 'Internal Research - mostly derived from exploit code including code in MSF'
 date: 2017/12/12
 author: Florian Roth
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index 50fef0dfbe8..80c35cad67b 100644
--- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -1,7 +1,7 @@
 title: Program Executions in Suspicious Folders
 status: experimental
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
-reference: 'Internal Research'
+references: 'Internal Research'
 date: 2018/01/23
 author: Florian Roth
 logsource:
diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/lnx_buffer_overflows.yml
index dc615277f05..ef92ee2fc0a 100644
--- a/rules/linux/lnx_buffer_overflows.yml
+++ b/rules/linux/lnx_buffer_overflows.yml
@@ -1,6 +1,6 @@
 title: Buffer Overflow Attempts
 description: Detects buffer overflow attempts in Linux system log files
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+references: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
     product: linux
 detection:
diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/lnx_clamav.yml
index 0c8855b810e..a4729d56ea4 100644
--- a/rules/linux/lnx_clamav.yml
+++ b/rules/linux/lnx_clamav.yml
@@ -1,6 +1,6 @@
 title: Relevant ClamAV Message
 description: Detects relevant ClamAV messages
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
+references: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
     product: linux
     service: clamav
diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml
index a99106aa05f..c37310d87fc 100644
--- a/rules/linux/lnx_shell_susp_commands.yml
+++ b/rules/linux/lnx_shell_susp_commands.yml
@@ -1,6 +1,6 @@
 title: Suspicious Activity in Shell Commands
 description: Detects suspicious shell commands used in various exploit codes (see references)
-reference:
+references:
     - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
     - http://pastebin.com/FtygZ1cg
diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml
index f1fe1fa2f36..38e11bbaaa1 100644
--- a/rules/linux/lnx_shellshock.yml
+++ b/rules/linux/lnx_shellshock.yml
@@ -1,6 +1,6 @@
 title: Shellshock Expression
 description: Detects shellshock expressions in log files
-reference: http://rubular.com/r/zxBfjWfFYs
+references: http://rubular.com/r/zxBfjWfFYs
 logsource:
     product: linux
 detection:
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml
index 9d37cef2a7d..44ce6552f19 100644
--- a/rules/linux/lnx_susp_ssh.yml
+++ b/rules/linux/lnx_susp_ssh.yml
@@ -1,6 +1,6 @@
 title: Suspicious SSHD Error
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
-reference: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+references: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
 author: Florian Roth
 date: 2017/06/30
 logsource:
diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/lnx_susp_vsftp.yml
index 2d03b563bd9..fc92017a194 100644
--- a/rules/linux/lnx_susp_vsftp.yml
+++ b/rules/linux/lnx_susp_vsftp.yml
@@ -1,6 +1,6 @@
 title: Suspicious VSFTPD Error Messages
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
-reference: https://github.com/dagwieers/vsftpd/
+references: https://github.com/dagwieers/vsftpd/
 author: Florian Roth
 date: 2017/07/05
 logsource:
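Review bot: The new-side `references:` value in lnx_susp_ssh.yml points at `blob/master/ssherr.c`, a moving target: the error strings this rule matches were presumably taken from one revision of that file, and `master` will drift until the link no longer corroborates the detection. Pinning the URL to a commit or release tag, e.g. `https://github.com/openssh/openssh-portable/blob/<commit>/ssherr.c`, keeps the reference verifiable; the same applies to the `blob/master` links in lnx_buffer_overflows.yml and lnx_clamav.yml on this page and to the fastly waf_testbed entries further down. This is orthogonal to the key rename and can be a follow-up, but it is worth doing while every `references` block is being touched anyway.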
diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml
index 0c98385ab8c..d4432b628e3 100644
--- a/rules/proxy/proxy_download_susp_dyndns.yml
+++ b/rules/proxy/proxy_download_susp_dyndns.yml
@@ -1,7 +1,7 @@
 title: Download from Suspicious Dyndns Hosts
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-reference: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
+references: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
 logsource:
diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index ef57c0b00a4..d05f8309fec 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -1,7 +1,7 @@
 title: Download from Suspicious TLD
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs
-reference:
+references:
     - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
     - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
     - https://www.spamhaus.org/statistics/tlds/
diff --git a/rules/proxy/proxy_empty_ua.yml b/rules/proxy/proxy_empty_ua.yml
index 4ffd58f4be2..faac0f93bd1 100644
--- a/rules/proxy/proxy_empty_ua.yml
+++ b/rules/proxy/proxy_empty_ua.yml
@@ -1,7 +1,7 @@
 title: Empty User Agent
 status: experimental
 description: Detects suspicious empty user agent strings in proxy logs
-reference:
+references:
     - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 logsource:
diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml
index 7ce34000ee3..effff040c92 100644
--- a/rules/proxy/proxy_powershell_ua.yml
+++ b/rules/proxy/proxy_powershell_ua.yml
@@ -1,7 +1,7 @@
 title: Windows PowerShell User Agent
 status: experimental
 description: Detects Windows PowerShell Web Access
-reference: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
+references: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 logsource:
     category: proxy
diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml
index f9654f7ef9c..80f87f14126 100644
--- a/rules/proxy/proxy_susp_flash_download_loc.yml
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml
@@ -1,7 +1,7 @@
 title: Flash Player Update from Suspicious Location
 status: experimental
 description: Detects a flashplayer update from an unofficial location
-reference: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+references: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 logsource:
     category: proxy
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
index 3a33f0af896..155871ebaf4 100644
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@@ -1,7 +1,7 @@
 title: APT User Agent
 status: experimental
 description: Detects suspicious user agent strings used in APT malware in proxy logs
-reference: Internal Research
+references: Internal Research
 author: Florian Roth
 logsource:
     category: proxy
diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml
index 9beda694a05..7a6d4fd6a8d 100644
--- a/rules/proxy/proxy_ua_frameworks.yml
+++ b/rules/proxy/proxy_ua_frameworks.yml
@@ -1,7 +1,7 @@
 title: Exploit Framework User Agent
 status: experimental
 description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
-reference:
+references:
     - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 logsource:
diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml
index 122a7fb758a..2c9e4f779e8 100644
--- a/rules/proxy/proxy_ua_hacktool.yml
+++ b/rules/proxy/proxy_ua_hacktool.yml
@@ -1,7 +1,7 @@
 title: Hack Tool User Agent
 status: experimental
 description: Detects suspicious user agent strings user by hack tools in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth
diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml
index e23da1e7944..b67c9e0a9a4 100644
--- a/rules/proxy/proxy_ua_malware.yml
+++ b/rules/proxy/proxy_ua_malware.yml
@@ -1,7 +1,7 @@
 title: Malware User Agent
 status: experimental
 description: Detects suspicious user agent strings used by malware in proxy logs
-reference:
+references:
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
     - http://www.botopedia.org/search?searchword=scan&searchphrase=all
     - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml
index 89b0aae1020..27cfecb0c51 100644
--- a/rules/proxy/proxy_ua_suspicious.yml
+++ b/rules/proxy/proxy_ua_suspicious.yml
@@ -1,7 +1,7 @@
 title: Suspicious User Agent
 status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 logsource:
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index b1aff615354..d51faf2bd8d 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -1,7 +1,7 @@
 title: Apache Segmentation Fault
 description: Detects a segmentation fault error message caused by a creashing apacke worker process
 author: Florian Roth
-reference: http://www.securityfocus.com/infocus/1633
+references: http://www.securityfocus.com/infocus/1633
 logsource:
     product: apache
 detection:
diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/win_admin_rdp_login.yml
index ffd040988e6..699816893f6 100644
--- a/rules/windows/builtin/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/win_admin_rdp_login.yml
@@ -1,6 +1,6 @@
 title: Admin User Remote Logon
 description: Detect remote login by Administrator user depending on internal pattern
-reference:
+references:
     - https://car.mitre.org/wiki/CAR-2016-04-005
 status: experimental
 author: juju4
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 72484fb2d6c..89da9b0ded5 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -1,6 +1,6 @@
 title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-reference:
+references:
     - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index 5aa66b9634c..444674594e6 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -1,6 +1,6 @@
 title: Active Directory User Backdoors
 description: Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).
-reference:
+references:
     - https://msdn.microsoft.com/en-us/library/cc220234.aspx
     - https://adsecurity.org/?p=3466
 author: '@neu5ron'
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index e47e9241341..f34bbfd64f0 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -1,6 +1,6 @@
 title: Weak Encryption Enabled and Kerberoast
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-reference:
+references:
     - https://adsecurity.org/?p=2053
     - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
index 955ff0fa1fd..13ee54d178f 100644
--- a/rules/windows/builtin/win_disable_event_logging.yml
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -6,7 +6,7 @@ description: >
 that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
-reference:
+references:
     - https://bit.ly/WinLogsZero2Hero
 author: '@neu5ron'
 logsource:
diff --git a/rules/windows/builtin/win_eventlog_cleared.yml b/rules/windows/builtin/win_eventlog_cleared.yml
index ddb9bd0d76a..c45f3c2b938 100644
--- a/rules/windows/builtin/win_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_eventlog_cleared.yml
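Review bot: The only reference carried onto the new side in win_disable_event_logging.yml is a link-shortener URL, `- https://bit.ly/WinLogsZero2Hero`, which hides the real destination and can be re-pointed or expire independently of this repository; for a detection-rule reference the reader should be able to judge the source from the URL itself and an analyst should not have to follow an opaque redirect. Replace it with the resolved canonical URL (the target is not visible on this page, so the author has to resolve it). The folded `description: >` block whose three context lines open this hunk begins above the hunk, and those lines appear run together on this page, so their original breaks are not recoverable here.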
@@ -3,7 +3,7 @@ status: experimental
 description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution
 author: Florian Roth
 date: 2017/06/27
-reference: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+references: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 logsource:
     product: windows
     service: system
diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml
index b0854fc7b81..73cf9838c35 100644
--- a/rules/windows/builtin/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/win_mal_wceaux_dll.yml
@@ -2,7 +2,7 @@ title: WCE wceaux.dll Access
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
-reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 logsource:
     product: windows
     service: security
diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml
index 9820ae139fc..a4db0233595 100644
--- a/rules/windows/builtin/win_multiple_suspicious_cli.yml
+++ b/rules/windows/builtin/win_multiple_suspicious_cli.yml
@@ -2,7 +2,7 @@ action: global
 title: Quick Execution of a Series of Suspicious Commands
 description: Detects multiple suspicious process in a limited timeframe
 status: experimental
-reference:
+references:
     - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
 detection:
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
index b5d5d1be25c..c79ce2badf0 100644
--- a/rules/windows/builtin/win_pass_the_hash.yml
+++ b/rules/windows/builtin/win_pass_the_hash.yml
@@ -1,7 +1,7 @@
 title: Pass the Hash Activity
 status: experimental
 description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
-reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+references: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml
index b6b368443b2..77dbd377d54 100644
--- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/builtin/win_plugx_susp_exe_locations.yml
@@ -1,7 +1,7 @@
 title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-reference:
+references:
 - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
 - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
diff --git a/rules/windows/builtin/win_possible_applocker_bypass.yml b/rules/windows/builtin/win_possible_applocker_bypass.yml
index 48b2ed72f31..f62151bdc6f 100644
--- a/rules/windows/builtin/win_possible_applocker_bypass.yml
+++ b/rules/windows/builtin/win_possible_applocker_bypass.yml
@@ -2,7 +2,7 @@ action: global
 title: Possible Applocker Bypass
 description: Detects execution of executables that can be used to bypass Applocker whitelisting
 status: experimental
-reference:
+references:
 - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
 - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
 author: juju4
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml
index 42169e992c3..9d7a68a5539 100644
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@@ -1,7 +1,7 @@
 title: Addition of SID History to Active Directory Object
 status: stable
 description: An attacker can use the SID history attribute to gain additional privileges.
-reference: https://adsecurity.org/?p=1772
+references: https://adsecurity.org/?p=1772
 author: Thomas Patzke
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml
index 7c4aa5403e6..a178db8e240 100644
--- a/rules/windows/builtin/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/win_susp_backup_delete.yml
@@ -1,7 +1,7 @@
 title: Backup Catalog Deleted
 status: experimental
 description: Detects backup catalog deletions
-reference:
+references:
 - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml
index 4c71bdf2ed3..39bae210ab0 100644
--- a/rules/windows/builtin/win_susp_cli_escape.yml
+++ b/rules/windows/builtin/win_susp_cli_escape.yml
@@ -2,7 +2,7 @@ action: global
 title: Suspicious Commandline Escape
 description: Detects suspicious process that use escape characters
 status: experimental
-reference:
+references:
 - https://twitter.com/vysecurity/status/885545634958385153
 - https://twitter.com/Hexacorn/status/885553465417756673
 - https://twitter.com/Hexacorn/status/885570278637678592
diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml
index 2dd5c855a00..5858471bda4 100644
--- a/rules/windows/builtin/win_susp_commands_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml
@@ -3,7 +3,7 @@ action: global
 title: Reconnaissance Activity with Net Command
 status: experimental
 description: 'Detects a set of commands often used in recon stages by different attack groups'
-reference:
+references:
 - https://twitter.com/haroonmeer/status/939099379834658817
 - https://twitter.com/c_APT_ure/status/939475433711722497
 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/win_susp_dhcp_config.yml
index 080a1996427..e7f3fb9b56f 100644
--- a/rules/windows/builtin/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config.yml
@@ -1,7 +1,7 @@
 title: DHCP Server Loaded the CallOut DLL
 status: experimental
 description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
-reference:
+references:
 - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
 - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/win_susp_dhcp_config_failed.yml
index 67dda88e266..a92d354d757 100644
--- a/rules/windows/builtin/win_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config_failed.yml
@@ -1,7 +1,7 @@
 title: DHCP Server Error Failed Loading the CallOut DLL
 description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
 status: experimental
-reference:
+references:
 - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
 - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/builtin/win_susp_dns_config.yml
index 874598f120c..68679e08164 100644
--- a/rules/windows/builtin/win_susp_dns_config.yml
+++ b/rules/windows/builtin/win_susp_dns_config.yml
@@ -2,7 +2,7 @@ title: DNS Server Error Failed Loading the ServerLevelPluginDLL
 description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
 status: experimental
 date: 2017/05/08
-reference:
+references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
 - https://twitter.com/gentilkiwi/status/861641945944391680
diff --git a/rules/windows/builtin/win_susp_dsrm_password_change.yml b/rules/windows/builtin/win_susp_dsrm_password_change.yml
index 2390881b5c7..c4798def218 100644
--- a/rules/windows/builtin/win_susp_dsrm_password_change.yml
+++ b/rules/windows/builtin/win_susp_dsrm_password_change.yml
@@ -1,7 +1,7 @@
 title: Password Change on Directory Service Restore Mode (DSRM) Account
 status: stable
 description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
-reference: https://adsecurity.org/?p=1714
+references: https://adsecurity.org/?p=1714
 author: Thomas Patzke
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index 676235687e6..0d10b3db953 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -1,6 +1,6 @@
 title: Eventlog Cleared
 description: One of the Windows Eventlogs has been cleared
-reference: https://twitter.com/deviouspolack/status/832535435960209408
+references: https://twitter.com/deviouspolack/status/832535435960209408
 author: Florian Roth
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/builtin/win_susp_iss_module_install.yml
index 7a8cb895da2..3563095e909 100644
--- a/rules/windows/builtin/win_susp_iss_module_install.yml
+++ b/rules/windows/builtin/win_susp_iss_module_install.yml
@@ -3,7 +3,7 @@ action: global
 title: IIS Native-Code Module Command Line Installation
 description: Detects suspicious IIS native-code module installations via command line
 status: experimental
-reference:
+references:
 - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
 author: Florian Roth
 detection:
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml
index 0cb86bcd752..38f6670a201 100644
--- a/rules/windows/builtin/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump.yml
@@ -1,7 +1,7 @@
 title: Password Dumper Activity on LSASS
 description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
 status: experimental
-reference: https://twitter.com/jackcr/status/807385668833968128
+references: https://twitter.com/jackcr/status/807385668833968128
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index 705d660023f..937ee121de0 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -2,7 +2,7 @@ title: Microsoft Malware Protection Engine Crash
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 status: experimental
 date: 2017/05/09
-reference:
+references:
 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index 07f527f5bc6..3761dfafaac 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -1,7 +1,7 @@
 title: Reconnaissance Activity
 status: experimental
 description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"'
-reference: https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
+references: https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (rule), Jack Croock (method)
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_susp_phantom_dll.yml b/rules/windows/builtin/win_susp_phantom_dll.yml
index 3b05d93838a..8ec72786a33 100644
--- a/rules/windows/builtin/win_susp_phantom_dll.yml
+++ b/rules/windows/builtin/win_susp_phantom_dll.yml
@@ -2,7 +2,7 @@ action: global
 title: Phantom DLLs Usage
 description: Detects Phantom DLLs usage and matching executable
 status: experimental
-reference:
+references:
 - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
 - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
 author: juju4
diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml
index 7837e19bc2f..f1fcbc36db7 100644
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ b/rules/windows/builtin/win_susp_process_creations.yml
@@ -3,7 +3,7 @@ action: global
 title: Suspicious Process Creation
 description: Detects suspicious process starts on Windows systems bsed on keywords
 status: experimental
-reference:
+references:
 - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
 - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
 - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
diff --git a/rules/windows/builtin/win_susp_rasdial_activity.yml b/rules/windows/builtin/win_susp_rasdial_activity.yml
index c5d24f40c2f..334767d1299 100644
--- a/rules/windows/builtin/win_susp_rasdial_activity.yml
+++ b/rules/windows/builtin/win_susp_rasdial_activity.yml
@@ -2,7 +2,7 @@ action: global
 title: Suspicious RASdial Activity
 description: Detects suspicious process related to rasdial.exe
 status: experimental
-reference:
+references:
 - https://twitter.com/subTee/status/891298217907830785
 author: juju4
 detection:
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index 3fa722b5b24..44862ee0588 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -1,6 +1,6 @@
 title: Suspicious Kerberos RC4 Ticket Encryption
 status: experimental
-reference: https://adsecurity.org/?p=3458
+references: https://adsecurity.org/?p=3458
 description: Detects logons using RC4 encryption type
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml
index c4ab6d14fa2..65e1f147523 100644
--- a/rules/windows/builtin/win_susp_run_locations.yml
+++ b/rules/windows/builtin/win_susp_run_locations.yml
@@ -2,7 +2,7 @@ action: global
 title: Suspicious Process Start Locations
 description: Detects suspicious process run from unusual locations
 status: experimental
-reference:
+references:
 - https://car.mitre.org/wiki/CAR-2013-05-002
 author: juju4
 detection:
diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/builtin/win_susp_rundll32_activity.yml
index fe41e0a3621..b642304576a 100644
--- a/rules/windows/builtin/win_susp_rundll32_activity.yml
+++ b/rules/windows/builtin/win_susp_rundll32_activity.yml
@@ -2,7 +2,7 @@ action: global
 title: Suspicious Rundll32 Activity
 description: Detects suspicious process related to rundll32 based on arguments
 status: experimental
-reference:
+references:
 - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
 - https://twitter.com/Hexacorn/status/885258886428725250
 - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 6859396bdd2..06e5519537b 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -2,7 +2,7 @@ title: Secure Deletion with SDelete
 status: experimental
 description: Detects renaming of file while deletion with SDelete tool
 author: Thomas Patzke
-reference:
+references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
 logsource:
diff --git a/rules/windows/builtin/win_usb_device_plugged.yml b/rules/windows/builtin/win_usb_device_plugged.yml
index 8cc3df993b4..00acec4ff2a 100644
--- a/rules/windows/builtin/win_usb_device_plugged.yml
+++ b/rules/windows/builtin/win_usb_device_plugged.yml
@@ -1,6 +1,6 @@
 title: USB Device Plugged
 description: Detects plugged USB devices
-reference:
+references:
 - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
 - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 status: experimental
diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml
index ecb66fb5cc6..15f45ac44a5 100644
--- a/rules/windows/malware/sysmon_malware_notpetya.yml
+++ b/rules/windows/malware/sysmon_malware_notpetya.yml
@@ -2,7 +2,7 @@ title: NotPetya Ransomware Activity
 status: experimental
 description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
 author: Florian Roth, Tom Ueltschi
-reference:
+references:
 - https://securelist.com/schroedingers-petya/78870/
 - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 logsource:
diff --git a/rules/windows/malware/sysmon_malware_wannacry.yml b/rules/windows/malware/sysmon_malware_wannacry.yml
index 2f3cded0bf3..65c74aab17b 100644
--- a/rules/windows/malware/sysmon_malware_wannacry.yml
+++ b/rules/windows/malware/sysmon_malware_wannacry.yml
@@ -1,7 +1,7 @@
 title: WannaCry Ransomware via Sysmon
 status: experimental
 description: Detects WannaCry ransomware activity via Sysmon
-reference: https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+references: https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
 logsource:
 product: windows
diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/malware/win_mal_adwind.yml
index 381264cd3bf..2d01d0bca52 100644
--- a/rules/windows/malware/win_mal_adwind.yml
+++ b/rules/windows/malware/win_mal_adwind.yml
@@ -3,7 +3,7 @@ action: global
 title: Adwind RAT / JRAT
 status: experimental
 description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-reference:
+references:
 - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth, Tom Ueltschi
diff --git a/rules/windows/malware/win_mal_wannacry.yml b/rules/windows/malware/win_mal_wannacry.yml
index 15caec121d7..a998e3e0962 100644
--- a/rules/windows/malware/win_mal_wannacry.yml
+++ b/rules/windows/malware/win_mal_wannacry.yml
@@ -2,7 +2,7 @@ action: global
 title: WannaCry Ransomware
 description: Detects WannaCry Ransomware Activity
 status: experimental
-reference:
+references:
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
 author: Florian Roth
 detection:
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 0172e09da09..0605f8ebf9f 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -2,7 +2,7 @@ title: PsExec Tool Execution
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
-reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 logsource:
 product: windows
 detection:
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index 1dc3ef98403..b359622e6ea 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -2,7 +2,7 @@ title: WMI Persistence
 status: experimental
 description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher)
 author: Florian Roth
-reference: https://twitter.com/mattifestation/status/899646620148539397
+references: https://twitter.com/mattifestation/status/899646620148539397
 logsource:
 product: windows
 service: wmi
diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml
index 27484be913e..6342d5ce99c 100644
--- a/rules/windows/powershell/powershell_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_downgrade_attack.yml
@@ -1,7 +1,7 @@
 title: PowerShell Downgrade Attack
 status: experimental
 description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-reference: http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+references: http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 author: Florian Roth (rule), Lee Holmes (idea)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index b5836b00abe..e7584aef2c5 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -1,7 +1,7 @@
 title: PowerShell called from an Executable Version Mismatch
 status: experimental
 description: Detects PowerShell called from an executable by the version mismatch method
-reference: https://adsecurity.org/?p=2921
+references: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index 743c84e2070..0d798b0b092 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -1,7 +1,7 @@
 title: Malicious PowerShell Commandlets
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-reference: https://adsecurity.org/?p=2921
+references: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index 7a8399952e8..d4b81a5d8a1 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -1,7 +1,7 @@
 title: Malicious PowerShell Commandlets
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-reference: https://adsecurity.org/?p=2921
+references: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index 4930e515cd9..fbd3b38bcbe 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -1,7 +1,7 @@
 title: PowerShell Credential Prompt
 status: experimental
 description: Detects PowerShell calling a credential prompt
-reference:
+references:
 - https://twitter.com/JohnLaTwC/status/850381440629981184
 - https://t.co/ezOTGy1a1G
 author: John Lambert (idea), Florian Roth (rule)
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml
index ddc18cbc342..11c36dcc2a0 100644
--- a/rules/windows/powershell/powershell_psattack.yml
+++ b/rules/windows/powershell/powershell_psattack.yml
@@ -1,7 +1,7 @@
 title: PowerShell PSAttack
 status: experimental
 description: Detects the use of PSAttack PowerShell hack tool
-reference: https://adsecurity.org/?p=2921
+references: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_bitsadmin_download.yml b/rules/windows/sysmon/sysmon_bitsadmin_download.yml
index b5529e3476a..65aca7f1d73 100644
--- a/rules/windows/sysmon/sysmon_bitsadmin_download.yml
+++ b/rules/windows/sysmon/sysmon_bitsadmin_download.yml
@@ -1,7 +1,7 @@
 title: Bitsadmin Download
 status: experimental
 description: Detects usage of bitsadmin downloading a file
-reference:
+references:
 - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
 - https://isc.sans.edu/diary/22264
 author: Michael Haag
diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
index 94387f5379c..a0c16526a9c 100644
--- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
@@ -1,7 +1,7 @@
 title: DHCP Callout DLL installation
 status: experimental
 description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
-reference:
+references:
 - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
 - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
diff --git a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
index e80e98459df..2b0202d9b56 100644
--- a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
+++ b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
@@ -1,7 +1,7 @@
 title: DNS ServerLevelPluginDll Install
 status: experimental
 description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
-reference:
+references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 date: 2017/05/08
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml
index 16e17108d97..a54eae4b083 100644
--- a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml
+++ b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml
@@ -1,7 +1,7 @@
 title: Droppers exploiting CVE-2017-11882
 status: experimental
 description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
-reference:
+references:
 - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
 - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/sysmon/sysmon_mal_namedpipes.yml
index f85e734a490..9b50b2235b3 100644
--- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml
+++ b/rules/windows/sysmon/sysmon_mal_namedpipes.yml
@@ -1,7 +1,7 @@
 title: Malicious Named Pipe
 status: experimental
 description: Detects the creation of a named pipe used by known APT malware
-reference: Various sources
+references: Various sources
 date: 2017/11/06
 author: Florian Roth
 logsource:
diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
index dc100dbe936..70972032e61 100644
--- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
@@ -1,7 +1,7 @@
 title: Suspicious Typical Malware Back Connect Ports
 status: experimental
 description: Detects programs that connect to typical malware back connetc ports based on statistical analysis from two different sandbox system databases
-reference: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+references: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth
 date: 2017/03/19
 logsource:
diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
index ce5ef718c5f..c63ae611f68 100644
--- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
+++ b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
@@ -1,7 +1,7 @@
 title: Malware Shellcode in Verclsid Target Process
 status: experimental
 description: Detetcs a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
-reference: https://twitter.com/JohnLaTwC/status/837743453039534080
+references: https://twitter.com/JohnLaTwC/status/837743453039534080
 author: John Lambert (tech), Florian Roth (rule)
 date: 2017/03/04
 logsource:
diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
index 21637d88078..92108dc8626 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
@@ -1,7 +1,7 @@
 title: Mimikatz Detection LSASS Access
 status: experimental
 description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)
-reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+references: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
index aa51de6b254..10443ce116f 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
@@ -1,7 +1,7 @@
 title: Mimikatz In-Memory
 status: experimental
 description: Detects certain DLL loads when Mimikatz gets executed
-reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
+references: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
index 2cdefc3d0c9..9e64fbdb49a 100644
--- a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
+++ b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
@@ -1,7 +1,7 @@
 title: MSHTA Spawning Windows Shell
 status: experimental
 description: Detects a Windows command line executable started from MSHTA.
-reference: https://www.trustedsec.com/july-2015/malicious-htas/
+references: https://www.trustedsec.com/july-2015/malicious-htas/
 author: Michael Haag
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_office_macro_cmd.yml b/rules/windows/sysmon/sysmon_office_macro_cmd.yml
index c99d9737c4a..053e2efb5c9 100644
--- a/rules/windows/sysmon/sysmon_office_macro_cmd.yml
+++ b/rules/windows/sysmon/sysmon_office_macro_cmd.yml
@@ -1,7 +1,7 @@
 title: Office Macro Starts Cmd
 status: experimental
 description: Detects a Windows command line executable started from Microsoft Word or Excel
-reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+references: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
 author: Florian Roth
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml
index cea01f57670..bff44d0f631 100644
--- a/rules/windows/sysmon/sysmon_office_shell.yml
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
@@ -1,7 +1,7 @@
 title: Microsoft Office Product Spawning Windows Shell
 status: experimental
 description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
-reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+references: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
 author: Michael Haag
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml
index fee494a6207..82c84b7e7b4 100644
--- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml
+++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml
@@ -1,7 +1,7 @@
 title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-reference:
+references:
 - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
 - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
index f93bd1be535..36023fd93fe 100644
--- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
@@ -2,7 +2,7 @@ title: PowerShell Network Connections
 status: experimental
 description: "Detetcs a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"
 author: Florian Roth
-reference: https://www.youtube.com/watch?v=DLtJTxMWZ2o
+references: https://www.youtube.com/watch?v=DLtJTxMWZ2o
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
index 920bd18ac8a..818c90e1091 100644
--- a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
@@ -1,7 +1,7 @@ title: Suspicious PowerShell Parameter Substring status: experimental description: Detects suspicious PowerShell invocation with a parameter substring -reference: http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier +references: http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier author: Florian Roth (rule), Daniel Bohannon (idea) logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml index cc41ae14a58..e928fdf51e7 100644 --- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml +++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml @@ -1,7 +1,7 @@ title: Rundll32 Internet Connection status: experimental description: Detects a rundll32 that communicates with piblic IP addresses -reference: https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100 +references: https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100 author: Florian Roth date: 2017/11/04 logsource: diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml index 0576e250bf1..a58838d2381 100644 --- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml +++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml @@ -4,7 +4,7 @@ description: Detetcs a suspicious Microsoft certutil execution with sub commands author: - Florian Roth - juju4 -reference: +references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - https://twitter.com/subTee/status/888102593838362624 - https://twitter.com/subTee/status/888071631528235010 
diff --git a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml index 07880455ff5..f8ef570a7b9 100644 --- a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml +++ b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml @@ -1,7 +1,7 @@ title: Command Line Execution with suspicious URL and AppData Strings status: experimental description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) -reference: +references: - 'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100' - 'https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100' author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml index d53839fc6f4..0bc8f699fb2 100644 --- a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml @@ -3,7 +3,7 @@ status: experimental description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits author: Florian Roth date: 2017/04/15 -reference: https://twitter.com/rikvduijn/status/853251879320662017 +references: https://twitter.com/rikvduijn/status/853251879320662017 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml index f71a300c7dc..6f5c889b364 100644 --- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_exec_folder.yml 
@@ -3,7 +3,7 @@ status: experimental description: Detects process starts of binaries from a suspicious folder author: Florian Roth date: 2017/10/14 -reference: +references: - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses logsource: diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index 8261336374a..b0e73b56588 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml @@ -1,7 +1,7 @@ title: Processes created by MMC status: experimental description: Processes started by MMC could by a sign of lateral movement using MMC application COM object -reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ +references: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_net_execution.yml b/rules/windows/sysmon/sysmon_susp_net_execution.yml index 1cd98ebe722..31ac43127b0 100644 --- a/rules/windows/sysmon/sysmon_susp_net_execution.yml +++ b/rules/windows/sysmon/sysmon_susp_net_execution.yml @@ -1,7 +1,7 @@ title: Net.exe Execution status: experimental description: Detects execution of Net.exe, whether suspicious or benign. -reference: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ +references: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ author: Michael Haag, Mark Woan (improvements) logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml index 2b4327d8b75..46d6e14220b 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml 
@@ -2,7 +2,7 @@ title: Suspicious PowerShell Invocation based on Parent Process status: experimental description: Detects suspicious powershell invocations from interpreters or unusual programs author: Florian Roth -reference: https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ +references: https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml index 4a096316770..69a9a91a03c 100644 --- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml @@ -1,7 +1,7 @@ title: Suspicious Program Location with Network Connections status: experimental description: Detects programs with network connections running in suspicious files system locations -reference: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo +references: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo author: Florian Roth date: 2017/03/19 logsource: diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml index b186c75c3f6..49053564f70 100644 --- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml +++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml @@ -2,7 +2,7 @@ title: Regsvr32 Anomaly status: experimental description: Detects various anomalies in relation to regsvr32.exe author: Florian Roth -reference: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html +references: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html logsource: product: windows service: sysmon 
diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml index 8709b37012a..2cd13d3065a 100644 --- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml +++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml @@ -2,7 +2,7 @@ title: Activity Related to NTDS.dit Domain Hash Retrieval status: experimental description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely author: Florian Roth, Michael Haag -reference: +references: - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/ diff --git a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml index 479fb4fe7eb..eabf207e63f 100644 --- a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml +++ b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml @@ -1,7 +1,7 @@ title: Suspicious WMI execution status: experimental description: Detects WMI executing suspicious commands -reference: +references: - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml index 467056159c0..b08b5d313a1 100644 --- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml +++ b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml 
@@ -1,7 +1,7 @@ title: System File Execution Location Anomaly status: experimental description: Detects a Windows program executable started in a suspicious folder -reference: https://twitter.com/GelosSnake/status/934900723426439170 +references: https://twitter.com/GelosSnake/status/934900723426439170 author: Florian Roth date: 2017/11/27 logsource: diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index 3472e28c32c..d516ac99f08 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -1,7 +1,7 @@ title: UAC Bypass via Event Viewer status: experimental description: Detects UAC bypass method using Windows event viewer -reference: +references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml index 85d50ff8938..4fbd2e557c4 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml @@ -1,7 +1,7 @@ title: UAC Bypass via sdclt status: experimental description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand -reference: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ +references: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ author: Omer Yampel logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml b/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml index 061db921036..7267b3d3eb8 100644 --- a/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml +++ b/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml 
@@ -1,6 +1,6 @@ title: Exploit for CVE-2017-8759 description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 -reference: +references: - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml index 42e2a5c9464..93951e19066 100644 --- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml +++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml @@ -1,7 +1,7 @@ title: Microsoft Binary Github Communication status: experimental description: Detects an executable in the Windows folder accessing github.com -reference: https://twitter.com/M_haggis/status/900741347035889665 +references: https://twitter.com/M_haggis/status/900741347035889665 author: Michael Haag (idea), Florian Roth (rule) logsource: product: windows From 48441962cce50cd475a5d682d2a796b03ddebba7 Mon Sep 17 00:00:00 2001 
From: SherifEldeeb Date: Sun, 28 Jan 2018 02:24:16 +0300 Subject: [PATCH 2/3] Change All "str" references to be "list"to mach schema update --- rules/application/app_sqlinjection_errors.yml | 3 ++- rules/apt/apt_apt29_tor.yml | 3 ++- rules/apt/apt_carbonpaper_turla.yml | 3 ++- rules/apt/apt_cloudhopper.yml | 3 ++- rules/apt/apt_equationgroup_lnx.yml | 3 ++- rules/apt/apt_pandemic.yml | 3 ++- rules/apt/apt_stonedrill.yml | 3 ++- rules/apt/apt_ta17_293a_ps.yml | 3 ++- rules/apt/apt_turla_commands.yml | 3 ++- rules/apt/apt_turla_namedpipes.yml | 3 ++- rules/apt/apt_zxshell.yml | 3 ++- rules/apt/crime_fireball.yml | 3 ++- rules/linux/auditd/lnx_auditd_susp_cmds.yml | 3 ++- rules/linux/auditd/lnx_auditd_susp_exe_folders.yml | 3 ++- rules/linux/lnx_buffer_overflows.yml | 3 ++- rules/linux/lnx_clamav.yml | 3 ++- rules/linux/lnx_shell_susp_commands.yml | 3 ++- rules/linux/lnx_shellshock.yml | 3 ++- rules/linux/lnx_susp_ssh.yml | 3 ++- rules/linux/lnx_susp_vsftp.yml | 3 ++- rules/proxy/proxy_download_susp_dyndns.yml | 3 ++- rules/proxy/proxy_download_susp_tlds_blacklist.yml | 3 ++- rules/proxy/proxy_powershell_ua.yml | 3 ++- rules/proxy/proxy_susp_flash_download_loc.yml | 3 ++- rules/proxy/proxy_ua_apt.yml | 3 ++- rules/web/web_apache_segfault.yml | 3 ++- .../builtin/win_alert_active_directory_user_control.yml | 3 ++- rules/windows/builtin/win_alert_enable_weak_encryption.yml | 3 ++- rules/windows/builtin/win_eventlog_cleared.yml | 3 ++- rules/windows/builtin/win_mal_wceaux_dll.yml | 3 ++- rules/windows/builtin/win_multiple_suspicious_cli.yml | 3 ++- rules/windows/builtin/win_pass_the_hash.yml | 3 ++- rules/windows/builtin/win_plugx_susp_exe_locations.yml | 3 ++- rules/windows/builtin/win_susp_add_sid_history.yml | 3 ++- rules/windows/builtin/win_susp_backup_delete.yml | 3 ++- rules/windows/builtin/win_susp_cli_escape.yml | 3 ++- rules/windows/builtin/win_susp_commands_recon_activity.yml | 3 ++- rules/windows/builtin/win_susp_dns_config.yml | 3 ++- 
rules/windows/builtin/win_susp_dsrm_password_change.yml | 3 ++- rules/windows/builtin/win_susp_eventlog_cleared.yml | 3 ++- rules/windows/builtin/win_susp_iss_module_install.yml | 3 ++- rules/windows/builtin/win_susp_lsass_dump.yml | 3 ++- rules/windows/builtin/win_susp_msmpeng_crash.yml | 3 ++- rules/windows/builtin/win_susp_net_recon_activity.yml | 3 ++- rules/windows/builtin/win_susp_phantom_dll.yml | 3 ++- rules/windows/builtin/win_susp_process_creations.yml | 3 ++- rules/windows/builtin/win_susp_rasdial_activity.yml | 3 ++- rules/windows/builtin/win_susp_rc4_kerberos.yml | 3 ++- rules/windows/builtin/win_susp_run_locations.yml | 3 ++- rules/windows/builtin/win_susp_rundll32_activity.yml | 3 ++- rules/windows/malware/sysmon_malware_notpetya.yml | 3 ++- rules/windows/malware/sysmon_malware_wannacry.yml | 3 ++- rules/windows/malware/win_mal_wannacry.yml | 3 ++- rules/windows/other/win_tool_psexec.yml | 3 ++- rules/windows/other/win_wmi_persistence.yml | 3 ++- rules/windows/powershell/powershell_downgrade_attack.yml | 3 ++- rules/windows/powershell/powershell_exe_calling_ps.yml | 3 ++- rules/windows/powershell/powershell_malicious_commandlets.yml | 3 ++- rules/windows/powershell/powershell_malicious_keywords.yml | 3 ++- rules/windows/powershell/powershell_prompt_credentials.yml | 3 ++- rules/windows/powershell/powershell_psattack.yml | 3 ++- rules/windows/sysmon/sysmon_bitsadmin_download.yml | 3 ++- rules/windows/sysmon/sysmon_dhcp_calloutdll.yml | 3 ++- rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml | 3 ++- rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml | 3 ++- rules/windows/sysmon/sysmon_mal_namedpipes.yml | 3 ++- rules/windows/sysmon/sysmon_malware_backconnect_ports.yml | 3 ++- rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml | 3 ++- rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml | 3 ++- rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml | 3 ++- rules/windows/sysmon/sysmon_mshta_spawn_shell.yml | 3 ++- 
rules/windows/sysmon/sysmon_office_macro_cmd.yml | 3 ++- rules/windows/sysmon/sysmon_office_shell.yml | 3 ++- rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml | 3 ++- rules/windows/sysmon/sysmon_powershell_network_connection.yml | 3 ++- .../sysmon_powershell_suspicious_parameter_variation.yml | 3 ++- rules/windows/sysmon/sysmon_rundll32_net_connections.yml | 3 ++- rules/windows/sysmon/sysmon_susp_certutil_command.yml | 3 ++- rules/windows/sysmon/sysmon_susp_control_dll_load.yml | 3 ++- rules/windows/sysmon/sysmon_susp_exec_folder.yml | 3 ++- rules/windows/sysmon/sysmon_susp_mmc_source.yml | 3 ++- rules/windows/sysmon/sysmon_susp_net_execution.yml | 3 ++- rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml | 3 ++- .../sysmon/sysmon_susp_prog_location_network_connection.yml | 3 ++- rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml | 3 ++- rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml | 3 ++- rules/windows/sysmon/sysmon_susp_wmi_execution.yml | 3 ++- rules/windows/sysmon/sysmon_system_exe_anomaly.yml | 3 ++- rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml | 3 ++- rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml | 3 ++- rules/windows/sysmon/sysmon_win_binary_github_com.yml | 3 ++- 91 files changed, 182 insertions(+), 91 deletions(-) diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/app_sqlinjection_errors.yml index f16f47cc550..b6063f05dc0 100644 --- a/rules/application/app_sqlinjection_errors.yml +++ b/rules/application/app_sqlinjection_errors.yml @@ -2,7 +2,8 @@ title: Suspicious SQL Error Messages status: experimental description: Detects SQL error messages that indicate probing for an injection attack author: Bjoern Kimminich -references: http://www.sqlinjection.net/errors +references: + - http://www.sqlinjection.net/errors logsource: category: application product: sql diff --git a/rules/apt/apt_apt29_tor.yml b/rules/apt/apt_apt29_tor.yml index b8640948ddb..ff03d7b9a7e 100644 
--- a/rules/apt/apt_apt29_tor.yml +++ b/rules/apt/apt_apt29_tor.yml @@ -1,7 +1,8 @@ action: global title: APT29 Google Update Service Install description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' -references: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html +references: + - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html logsource: product: windows detection: diff --git a/rules/apt/apt_carbonpaper_turla.yml b/rules/apt/apt_carbonpaper_turla.yml index df615aa3280..0afd0473a61 100644 --- a/rules/apt/apt_carbonpaper_turla.yml +++ b/rules/apt/apt_carbonpaper_turla.yml @@ -1,6 +1,7 @@ title: Turla Service Install description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' -references: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ +references: + - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ logsource: product: windows service: system diff --git a/rules/apt/apt_cloudhopper.yml b/rules/apt/apt_cloudhopper.yml index 0d63e4c7070..222faa9860c 100644 --- a/rules/apt/apt_cloudhopper.yml +++ b/rules/apt/apt_cloudhopper.yml @@ -1,7 +1,8 @@ title: WMIExec VBS Script description: Detects suspicious file execution by wscript and cscript author: Florian Roth -references: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf +references: + - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf logsource: product: windows service: sysmon diff --git a/rules/apt/apt_equationgroup_lnx.yml b/rules/apt/apt_equationgroup_lnx.yml index 808747ceb94..24a0dc4f84d 100644 
--- a/rules/apt/apt_equationgroup_lnx.yml +++ b/rules/apt/apt_equationgroup_lnx.yml @@ -1,6 +1,7 @@ title: Equation Group Indicators description: Detects suspicious shell commands used in various Equation Group scripts and tools -references: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 +references: + - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 author: Florian Roth logsource: product: linux diff --git a/rules/apt/apt_pandemic.yml b/rules/apt/apt_pandemic.yml index 8643d0cb5d5..db6b9dfdd45 100644 --- a/rules/apt/apt_pandemic.yml +++ b/rules/apt/apt_pandemic.yml @@ -1,7 +1,8 @@ title: Pandemic Registry Key status: experimental description: Detects Pandemic Windows Implant -references: +references: + - - https://wikileaks.org/vault7/#Pandemic - https://twitter.com/MalwareJake/status/870349480356454401 author: Florian Roth diff --git a/rules/apt/apt_stonedrill.yml b/rules/apt/apt_stonedrill.yml index 650c04f5d90..6055faae236 100644 --- a/rules/apt/apt_stonedrill.yml +++ b/rules/apt/apt_stonedrill.yml @@ -1,7 +1,8 @@ title: StoneDrill Service Install description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky' author: Florian Roth -references: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ +references: + - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ logsource: product: windows service: system diff --git a/rules/apt/apt_ta17_293a_ps.yml b/rules/apt/apt_ta17_293a_ps.yml index 38b5115074c..e2f01b715cc 100644 --- a/rules/apt/apt_ta17_293a_ps.yml +++ b/rules/apt/apt_ta17_293a_ps.yml 
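Review bot: The apt_pandemic.yml hunk applies the scalar-to-list conversion to a `references` value that was already a YAML list, so the inserted `+  - ` line after `references:` is a bare list item with no value and the rule's references now parse as `[null, <url>, <url>]` instead of a list of strings; the same bare item is prepended in the crime_fireball.yml, lnx_shell_susp_commands.yml, proxy_download_susp_tlds_blacklist.yml, win_alert_active_directory_user_control.yml and win_alert_enable_weak_encryption.yml hunks. The collapsed layout hides the exact whitespace, but each of these hunks shows two insertions and one deletion while the old side already held `  - ` entries, which is consistent only with an empty item being added ahead of them. A null entry is likely to fail a schema check that requires a list of strings and will trip any tooling that iterates the references of a rule. For these six files the old value already matched the new schema, so the hunk should be dropped entirely: keep `references:` followed by the existing `  - ` entries and add no line.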
@@ -1,6 +1,7 @@ title: Ps.exe Renamed SysInternals Tool description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report -references: https://www.us-cert.gov/ncas/alerts/TA17-293A +references: + - https://www.us-cert.gov/ncas/alerts/TA17-293A author: Florian Roth date: 2017/10/22 logsource: diff --git a/rules/apt/apt_turla_commands.yml b/rules/apt/apt_turla_commands.yml index d6be983b209..96f9add90aa 100644 --- a/rules/apt/apt_turla_commands.yml +++ b/rules/apt/apt_turla_commands.yml @@ -3,7 +3,8 @@ action: global title: Turla Group Lateral Movement status: experimental description: Detects automated lateral movement by Turla group -references: https://securelist.com/the-epic-turla-operation/65545/ +references: + - https://securelist.com/the-epic-turla-operation/65545/ author: Markus Neis date: 2017/11/07 logsource: diff --git a/rules/apt/apt_turla_namedpipes.yml b/rules/apt/apt_turla_namedpipes.yml index dea97cfcb1c..37827a884f5 100644 --- a/rules/apt/apt_turla_namedpipes.yml +++ b/rules/apt/apt_turla_namedpipes.yml @@ -1,7 +1,8 @@ title: Turla Group Named Pipes status: experimental description: Detects a named pipe used by Turla group samples -references: Internal Research +references: + - Internal Research date: 2017/11/06 author: Markus Neis logsource: diff --git a/rules/apt/apt_zxshell.yml b/rules/apt/apt_zxshell.yml index e6b4e63ba8e..f91bdc69dda 100644 --- a/rules/apt/apt_zxshell.yml +++ b/rules/apt/apt_zxshell.yml @@ -1,7 +1,8 @@ title: ZxShell Malware description: Detects a ZxShell start by the called and well-known function name author: Florian Roth -references: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 +references: + - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 logsource: product: windows service: sysmon 
diff --git a/rules/apt/crime_fireball.yml b/rules/apt/crime_fireball.yml index 84cc02070ff..ddd520b6317 100644 --- a/rules/apt/crime_fireball.yml +++ b/rules/apt/crime_fireball.yml @@ -3,7 +3,8 @@ status: experimental description: Detects Archer malware invocation via rundll32 author: Florian Roth date: 2017/06/03 -references: +references: + - - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/ - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100 logsource: diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml index 1f27e2ffe29..72f72669db5 100644 --- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml +++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml @@ -1,7 +1,8 @@ title: Detects Suspicious Commands on Linux systems status: experimental description: Detects relevant commands often related to malware or hacking activity -references: 'Internal Research - mostly derived from exploit code including code in MSF' +references: + - 'Internal Research - mostly derived from exploit code including code in MSF' date: 2017/12/12 author: Florian Roth logsource: diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml index 80c35cad67b..8dab5fd546b 100644 --- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml +++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml @@ -1,7 +1,8 @@ title: Program Executions in Suspicious Folders status: experimental description: Detects program executions in suspicious non-program folders related to malware or hacking activity -references: 'Internal Research' +references: + - 'Internal Research' date: 2018/01/23 author: Florian Roth logsource: diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/lnx_buffer_overflows.yml index ef92ee2fc0a..4e0ace1c078 100644 --- a/rules/linux/lnx_buffer_overflows.yml 
+++ b/rules/linux/lnx_buffer_overflows.yml @@ -1,6 +1,7 @@ title: Buffer Overflow Attempts description: Detects buffer overflow attempts in Linux system log files -references: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml +references: + - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml logsource: product: linux detection: diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/lnx_clamav.yml index a4729d56ea4..336c636fad9 100644 --- a/rules/linux/lnx_clamav.yml +++ b/rules/linux/lnx_clamav.yml @@ -1,6 +1,7 @@ title: Relevant ClamAV Message description: Detects relevant ClamAV messages -references: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml +references: + - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml logsource: product: linux service: clamav diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml index c37310d87fc..4e2d9adac08 100644 --- a/rules/linux/lnx_shell_susp_commands.yml +++ b/rules/linux/lnx_shell_susp_commands.yml @@ -1,6 +1,7 @@ title: Suspicious Activity in Shell Commands description: Detects suspicious shell commands used in various exploit codes (see references) -references: +references: + - - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121 - http://pastebin.com/FtygZ1cg diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml index 38e11bbaaa1..3b89b68a7b2 100644 --- a/rules/linux/lnx_shellshock.yml +++ b/rules/linux/lnx_shellshock.yml @@ -1,6 +1,7 @@ title: Shellshock Expression description: Detects shellshock expressions in log files -references: http://rubular.com/r/zxBfjWfFYs +references: + - http://rubular.com/r/zxBfjWfFYs logsource: product: linux detection: 
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml index 44ce6552f19..731951dc425 100644 --- a/rules/linux/lnx_susp_ssh.yml +++ b/rules/linux/lnx_susp_ssh.yml @@ -1,6 +1,7 @@ title: Suspicious SSHD Error description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts -references: https://github.com/openssh/openssh-portable/blob/master/ssherr.c +references: + - https://github.com/openssh/openssh-portable/blob/master/ssherr.c author: Florian Roth date: 2017/06/30 logsource: diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/lnx_susp_vsftp.yml index fc92017a194..bbc5e04a8f4 100644 --- a/rules/linux/lnx_susp_vsftp.yml +++ b/rules/linux/lnx_susp_vsftp.yml @@ -1,6 +1,7 @@ title: Suspicious VSFTPD Error Messages description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts -references: https://github.com/dagwieers/vsftpd/ +references: + - https://github.com/dagwieers/vsftpd/ author: Florian Roth date: 2017/07/05 logsource: diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml index d4432b628e3..83143db4e4c 100644 --- a/rules/proxy/proxy_download_susp_dyndns.yml +++ b/rules/proxy/proxy_download_susp_dyndns.yml @@ -1,7 +1,8 @@ title: Download from Suspicious Dyndns Hosts status: experimental description: Detects download of certain file types from hosts with dynamic DNS names (selected list) -references: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats +references: + - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats author: Florian Roth date: 2017/11/08 logsource: diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml index d05f8309fec..358de00ca6c 100644 
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml +++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml @@ -1,7 +1,8 @@ title: Download from Suspicious TLD status: experimental description: Detects download of certain file types from hosts in suspicious TLDs -references: +references: + - - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf - https://www.spamhaus.org/statistics/tlds/ diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml index effff040c92..ccf64bfcfaa 100644 --- a/rules/proxy/proxy_powershell_ua.yml +++ b/rules/proxy/proxy_powershell_ua.yml @@ -1,7 +1,8 @@ title: Windows PowerShell User Agent status: experimental description: Detects Windows PowerShell Web Access -references: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest +references: + - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest author: Florian Roth logsource: category: proxy diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index 80f87f14126..adf0ada9daf 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -1,7 +1,8 @@ title: Flash Player Update from Suspicious Location status: experimental description: Detects a flashplayer update from an unofficial location -references: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb +references: + - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb author: Florian Roth logsource: category: proxy diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index 155871ebaf4..3ecfc11aba3 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml 
@@ -1,7 +1,8 @@
 title: APT User Agent
 status: experimental
 description: Detects suspicious user agent strings used in APT malware in proxy logs
-references: Internal Research
+references:
+ - Internal Research
 author: Florian Roth
 logsource:
 category: proxy
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index d51faf2bd8d..ed3352d9dd2 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -1,7 +1,8 @@
 title: Apache Segmentation Fault
 description: Detects a segmentation fault error message caused by a creashing apacke worker process
 author: Florian Roth
-references: http://www.securityfocus.com/infocus/1633
+references:
+ - http://www.securityfocus.com/infocus/1633
 logsource:
 product: apache
 detection:
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 89da9b0ded5..ad10fbea3cc 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -1,6 +1,7 @@
 title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-references:
+references:
+ -
 - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index f34bbfd64f0..291f1f5a0d5 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -1,6 +1,7 @@
 title: Weak Encryption Enabled and Kerberoast
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-references:
+references:
+ -
 - https://adsecurity.org/?p=2053
 - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
diff --git a/rules/windows/builtin/win_eventlog_cleared.yml b/rules/windows/builtin/win_eventlog_cleared.yml
index c45f3c2b938..3c015cf38bf 100644
--- a/rules/windows/builtin/win_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_eventlog_cleared.yml
@@ -3,7 +3,8 @@ status: experimental
 description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution
 author: Florian Roth
 date: 2017/06/27
-references: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+references:
+ - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml
index 73cf9838c35..2983b2ba3fe 100644
--- a/rules/windows/builtin/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/win_mal_wceaux_dll.yml
@@ -2,7 +2,8 @@ title: WCE wceaux.dll Access
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
-references: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references:
+ - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml
index a4db0233595..845789df835 100644
--- a/rules/windows/builtin/win_multiple_suspicious_cli.yml
+++ b/rules/windows/builtin/win_multiple_suspicious_cli.yml
@@ -2,7 +2,8 @@ action: global title: Quick Execution of a Series of Suspicious Commands description: Detects multiple suspicious process in a limited timeframe status: experimental -references: +references: + - - https://car.mitre.org/wiki/CAR-2013-04-002 author: juju4 detection: diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml index c79ce2badf0..c8f28fd23b8 100644 --- a/rules/windows/builtin/win_pass_the_hash.yml +++ b/rules/windows/builtin/win_pass_the_hash.yml @@ -1,7 +1,8 @@ title: Pass the Hash Activity status: experimental description: 'Detects the attack technique pass the hash which is used to move laterally inside the network' -references: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events +references: + - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) logsource: product: windows diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml index 77dbd377d54..3cc5f46c8a0 100644 --- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml +++ b/rules/windows/builtin/win_plugx_susp_exe_locations.yml @@ -1,7 +1,8 @@ title: Executable used by PlugX in Uncommon Location status: experimental description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location -references: +references: + - - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/' - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/' author: Florian Roth diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml index 9d7a68a5539..af00795907d 100644 --- a/rules/windows/builtin/win_susp_add_sid_history.yml 
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml @@ -1,7 +1,8 @@ title: Addition of SID History to Active Directory Object status: stable description: An attacker can use the SID history attribute to gain additional privileges. -references: https://adsecurity.org/?p=1772 +references: + - https://adsecurity.org/?p=1772 author: Thomas Patzke logsource: product: windows diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml index a178db8e240..2c53a797ef4 100644 --- a/rules/windows/builtin/win_susp_backup_delete.yml +++ b/rules/windows/builtin/win_susp_backup_delete.yml @@ -1,7 +1,8 @@ title: Backup Catalog Deleted status: experimental description: Detects backup catalog deletions -references: +references: + - - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml index 39bae210ab0..bcaa2d1cf0d 100644 --- a/rules/windows/builtin/win_susp_cli_escape.yml +++ b/rules/windows/builtin/win_susp_cli_escape.yml @@ -2,7 +2,8 @@ action: global title: Suspicious Commandline Escape description: Detects suspicious process that use escape characters status: experimental -references: +references: + - - https://twitter.com/vysecurity/status/885545634958385153 - https://twitter.com/Hexacorn/status/885553465417756673 - https://twitter.com/Hexacorn/status/885570278637678592 diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml index 5858471bda4..68e1a5e5ead 100644 --- a/rules/windows/builtin/win_susp_commands_recon_activity.yml +++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml 
@@ -3,7 +3,8 @@ action: global title: Reconnaissance Activity with Net Command status: experimental description: 'Detects a set of commands often used in recon stages by different attack groups' -references: +references: + - - https://twitter.com/haroonmeer/status/939099379834658817 - https://twitter.com/c_APT_ure/status/939475433711722497 author: Florian Roth diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/builtin/win_susp_dns_config.yml index 68679e08164..3eebe27d33a 100644 --- a/rules/windows/builtin/win_susp_dns_config.yml +++ b/rules/windows/builtin/win_susp_dns_config.yml @@ -2,7 +2,8 @@ title: DNS Server Error Failed Loading the ServerLevelPluginDLL description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded status: experimental date: 2017/05/08 -references: +references: + - - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx - https://twitter.com/gentilkiwi/status/861641945944391680 diff --git a/rules/windows/builtin/win_susp_dsrm_password_change.yml b/rules/windows/builtin/win_susp_dsrm_password_change.yml index c4798def218..ec8e7a46dcc 100644 --- a/rules/windows/builtin/win_susp_dsrm_password_change.yml +++ b/rules/windows/builtin/win_susp_dsrm_password_change.yml @@ -1,7 +1,8 @@ title: Password Change on Directory Service Restore Mode (DSRM) Account status: stable description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence. -references: https://adsecurity.org/?p=1714 +references: + - https://adsecurity.org/?p=1714 author: Thomas Patzke logsource: product: windows diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 0d10b3db953..3d4de217c87 100644 
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -1,6 +1,7 @@ title: Eventlog Cleared description: One of the Windows Eventlogs has been cleared -references: https://twitter.com/deviouspolack/status/832535435960209408 +references: + - https://twitter.com/deviouspolack/status/832535435960209408 author: Florian Roth logsource: product: windows diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/builtin/win_susp_iss_module_install.yml index 3563095e909..c2ad6d21296 100644 --- a/rules/windows/builtin/win_susp_iss_module_install.yml +++ b/rules/windows/builtin/win_susp_iss_module_install.yml @@ -3,7 +3,8 @@ action: global title: IIS Native-Code Module Command Line Installation description: Detects suspicious IIS native-code module installations via command line status: experimental -references: +references: + - - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ author: Florian Roth detection: diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml index 38f6670a201..857ebe803e4 100644 --- a/rules/windows/builtin/win_susp_lsass_dump.yml +++ b/rules/windows/builtin/win_susp_lsass_dump.yml @@ -1,7 +1,8 @@ title: Password Dumper Activity on LSASS description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN status: experimental -references: https://twitter.com/jackcr/status/807385668833968128 +references: + - https://twitter.com/jackcr/status/807385668833968128 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index 937ee121de0..39b56e7d9fd 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml 
@@ -2,7 +2,8 @@ title: Microsoft Malware Protection Engine Crash description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine status: experimental date: 2017/05/09 -references: +references: + - - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 - https://technet.microsoft.com/en-us/library/security/4022344 author: Florian Roth diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml index 3761dfafaac..ad857762a89 100644 --- a/rules/windows/builtin/win_susp_net_recon_activity.yml +++ b/rules/windows/builtin/win_susp_net_recon_activity.yml @@ -1,7 +1,8 @@ title: Reconnaissance Activity status: experimental description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"' -references: https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html +references: + - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html author: Florian Roth (rule), Jack Croock (method) logsource: product: windows diff --git a/rules/windows/builtin/win_susp_phantom_dll.yml b/rules/windows/builtin/win_susp_phantom_dll.yml index 8ec72786a33..1dfeabe1327 100644 --- a/rules/windows/builtin/win_susp_phantom_dll.yml +++ b/rules/windows/builtin/win_susp_phantom_dll.yml @@ -2,7 +2,8 @@ action: global title: Phantom DLLs Usage description: Detects Phantom DLLs usage and matching executable status: experimental -references: +references: + - - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/ author: juju4 diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml index f1fcbc36db7..f20f0be9918 100644 --- a/rules/windows/builtin/win_susp_process_creations.yml +++ b/rules/windows/builtin/win_susp_process_creations.yml 
@@ -3,7 +3,8 @@ action: global title: Suspicious Process Creation description: Detects suspicious process starts on Windows systems bsed on keywords status: experimental -references: +references: + - - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ diff --git a/rules/windows/builtin/win_susp_rasdial_activity.yml b/rules/windows/builtin/win_susp_rasdial_activity.yml index 334767d1299..0ca74c6cbb3 100644 --- a/rules/windows/builtin/win_susp_rasdial_activity.yml +++ b/rules/windows/builtin/win_susp_rasdial_activity.yml @@ -2,7 +2,8 @@ action: global title: Suspicious RASdial Activity description: Detects suspicious process related to rasdial.exe status: experimental -references: +references: + - - https://twitter.com/subTee/status/891298217907830785 author: juju4 detection: diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml index 44862ee0588..0e355b2fc53 100644 --- a/rules/windows/builtin/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml @@ -1,6 +1,7 @@ title: Suspicious Kerberos RC4 Ticket Encryption status: experimental -references: https://adsecurity.org/?p=3458 +references: + - https://adsecurity.org/?p=3458 description: Detects logons using RC4 encryption type logsource: product: windows diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml index 65e1f147523..5620a4893a0 100644 --- a/rules/windows/builtin/win_susp_run_locations.yml +++ b/rules/windows/builtin/win_susp_run_locations.yml @@ -2,7 +2,8 @@ action: global title: Suspicious Process Start Locations description: Detects suspicious process run from unusual locations status: experimental -references: +references: + - - https://car.mitre.org/wiki/CAR-2013-05-002 author: juju4 detection: 
diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/builtin/win_susp_rundll32_activity.yml index b642304576a..c8c11105a49 100644 --- a/rules/windows/builtin/win_susp_rundll32_activity.yml +++ b/rules/windows/builtin/win_susp_rundll32_activity.yml @@ -2,7 +2,8 @@ action: global title: Suspicious Rundll32 Activity description: Detects suspicious process related to rundll32 based on arguments status: experimental -references: +references: + - - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ - https://twitter.com/Hexacorn/status/885258886428725250 - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml index 15f45ac44a5..d12233e4e1c 100644 --- a/rules/windows/malware/sysmon_malware_notpetya.yml +++ b/rules/windows/malware/sysmon_malware_notpetya.yml @@ -2,7 +2,8 @@ title: NotPetya Ransomware Activity status: experimental description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil author: Florian Roth, Tom Ueltschi -references: +references: + - - https://securelist.com/schroedingers-petya/78870/ - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 logsource: diff --git a/rules/windows/malware/sysmon_malware_wannacry.yml b/rules/windows/malware/sysmon_malware_wannacry.yml index 65c74aab17b..dc7d33d882e 100644 --- a/rules/windows/malware/sysmon_malware_wannacry.yml +++ b/rules/windows/malware/sysmon_malware_wannacry.yml 
@@ -1,7 +1,8 @@ title: WannaCry Ransomware via Sysmon status: experimental description: Detects WannaCry ransomware activity via Sysmon -references: https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 +references: + - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) logsource: product: windows diff --git a/rules/windows/malware/win_mal_wannacry.yml b/rules/windows/malware/win_mal_wannacry.yml index a998e3e0962..7aea41d32d8 100644 --- a/rules/windows/malware/win_mal_wannacry.yml +++ b/rules/windows/malware/win_mal_wannacry.yml @@ -2,7 +2,8 @@ action: global title: WannaCry Ransomware description: Detects WannaCry Ransomware Activity status: experimental -references: +references: + - - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa author: Florian Roth detection: diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 0605f8ebf9f..aa77de45c6e 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -2,7 +2,8 @@ title: PsExec Tool Execution status: experimental description: Detects PsExec service installation and execution events (service and Sysmon) author: Thomas Patzke -references: https://www.jpcert.or.jp/english/pub/sr/ir_research.html +references: + - https://www.jpcert.or.jp/english/pub/sr/ir_research.html logsource: product: windows detection: diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index b359622e6ea..e48c3779bf6 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml 
@@ -2,7 +2,8 @@ title: WMI Persistence status: experimental description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher) author: Florian Roth -references: https://twitter.com/mattifestation/status/899646620148539397 +references: + - https://twitter.com/mattifestation/status/899646620148539397 logsource: product: windows service: wmi diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml index 6342d5ce99c..728c1b54cd7 100644 --- a/rules/windows/powershell/powershell_downgrade_attack.yml +++ b/rules/windows/powershell/powershell_downgrade_attack.yml @@ -1,7 +1,8 @@ title: PowerShell Downgrade Attack status: experimental description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 -references: http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ +references: + - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ author: Florian Roth (rule), Lee Holmes (idea) logsource: product: windows diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml index e7584aef2c5..dee93074c55 100644 --- a/rules/windows/powershell/powershell_exe_calling_ps.yml +++ b/rules/windows/powershell/powershell_exe_calling_ps.yml @@ -1,7 +1,8 @@ title: PowerShell called from an Executable Version Mismatch status: experimental description: Detects PowerShell called from an executable by the version mismatch method -references: https://adsecurity.org/?p=2921 +references: + - https://adsecurity.org/?p=2921 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows 
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index 0d798b0b092..e41ed4d9e22 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -1,7 +1,8 @@ title: Malicious PowerShell Commandlets status: experimental description: Detects Commandlet names from well-known PowerShell exploitation frameworks -references: https://adsecurity.org/?p=2921 +references: + - https://adsecurity.org/?p=2921 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index d4b81a5d8a1..c56cc7a38c4 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml @@ -1,7 +1,8 @@ title: Malicious PowerShell Commandlets status: experimental description: Detects Commandlet names from well-known PowerShell exploitation frameworks -references: https://adsecurity.org/?p=2921 +references: + - https://adsecurity.org/?p=2921 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index fbd3b38bcbe..7e172089830 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml @@ -1,7 +1,8 @@ title: PowerShell Credential Prompt status: experimental description: Detects PowerShell calling a credential prompt -references: +references: + - - https://twitter.com/JohnLaTwC/status/850381440629981184 - https://t.co/ezOTGy1a1G author: John Lambert (idea), Florian Roth (rule) 
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index 11c36dcc2a0..18df89e05e0 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml @@ -1,7 +1,8 @@ title: PowerShell PSAttack status: experimental description: Detects the use of PSAttack PowerShell hack tool -references: https://adsecurity.org/?p=2921 +references: + - https://adsecurity.org/?p=2921 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_bitsadmin_download.yml b/rules/windows/sysmon/sysmon_bitsadmin_download.yml index 65aca7f1d73..92ae11523fa 100644 --- a/rules/windows/sysmon/sysmon_bitsadmin_download.yml +++ b/rules/windows/sysmon/sysmon_bitsadmin_download.yml @@ -1,7 +1,8 @@ title: Bitsadmin Download status: experimental description: Detects usage of bitsadmin downloading a file -references: +references: + - - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 author: Michael Haag diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml index a0c16526a9c..adde51bb4b5 100644 --- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml +++ b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml @@ -1,7 +1,8 @@ title: DHCP Callout DLL installation status: experimental description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) -references: +references: + - - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx 
diff --git a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml index 2b0202d9b56..a5f77397317 100644 --- a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml +++ b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml @@ -1,7 +1,8 @@ title: DNS ServerLevelPluginDll Install status: experimental description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) -references: +references: + - - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 date: 2017/05/08 author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml index a54eae4b083..c92391d6192 100644 --- a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml +++ b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml @@ -1,7 +1,8 @@ title: Droppers exploiting CVE-2017-11882 status: experimental description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe -references: +references: + - - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/sysmon/sysmon_mal_namedpipes.yml index 9b50b2235b3..33e87085ee7 100644 --- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml +++ b/rules/windows/sysmon/sysmon_mal_namedpipes.yml 
@@ -1,7 +1,8 @@ title: Malicious Named Pipe status: experimental description: Detects the creation of a named pipe used by known APT malware -references: Various sources +references: + - Various sources date: 2017/11/06 author: Florian Roth logsource: diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml index 70972032e61..bde56111ff8 100644 --- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml +++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml @@ -1,7 +1,8 @@ title: Suspicious Typical Malware Back Connect Ports status: experimental description: Detects programs that connect to typical malware back connetc ports based on statistical analysis from two different sandbox system databases -references: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo +references: + - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo author: Florian Roth date: 2017/03/19 logsource: diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml index c63ae611f68..92768aad1cb 100644 --- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml +++ b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml @@ -1,7 +1,8 @@ title: Malware Shellcode in Verclsid Target Process status: experimental description: Detetcs a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro -references: https://twitter.com/JohnLaTwC/status/837743453039534080 +references: + - https://twitter.com/JohnLaTwC/status/837743453039534080 author: John Lambert (tech), Florian Roth (rule) date: 2017/03/04 logsource: diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml index 92108dc8626..6bc5b9a424d 100644 
--- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml @@ -1,7 +1,8 @@ title: Mimikatz Detection LSASS Access status: experimental description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ) -references: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow +references: + - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml index 10443ce116f..8ac6e4bbbae 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml @@ -1,7 +1,8 @@ title: Mimikatz In-Memory status: experimental description: Detects certain DLL loads when Mimikatz gets executed -references: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ +references: + - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml index 9e64fbdb49a..3f141899682 100644 --- a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml +++ b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml @@ -1,7 +1,8 @@ title: MSHTA Spawning Windows Shell status: experimental description: Detects a Windows command line executable started from MSHTA. -references: https://www.trustedsec.com/july-2015/malicious-htas/ +references: + - https://www.trustedsec.com/july-2015/malicious-htas/ author: Michael Haag logsource: product: windows 
diff --git a/rules/windows/sysmon/sysmon_office_macro_cmd.yml b/rules/windows/sysmon/sysmon_office_macro_cmd.yml index 053e2efb5c9..ad9f87e4ae4 100644 --- a/rules/windows/sysmon/sysmon_office_macro_cmd.yml +++ b/rules/windows/sysmon/sysmon_office_macro_cmd.yml @@ -1,7 +1,8 @@ title: Office Macro Starts Cmd status: experimental description: Detects a Windows command line executable started from Microsoft Word or Excel -references: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 +references: + - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 author: Florian Roth logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml index bff44d0f631..6e61e3ba9fe 100644 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ b/rules/windows/sysmon/sysmon_office_shell.yml @@ -1,7 +1,8 @@ title: Microsoft Office Product Spawning Windows Shell status: experimental description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. -references: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 +references: + - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 author: Michael Haag logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml index 82c84b7e7b4..8cb9a7a62e4 100644 --- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml 
@@ -1,7 +1,8 @@
 title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-references:
+references:
+    - 
     - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
     - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
index 36023fd93fe..11e807ea086 100644
--- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
@@ -2,7 +2,8 @@ title: PowerShell Network Connections
 status: experimental
 description: "Detetcs a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"
 author: Florian Roth
-references: https://www.youtube.com/watch?v=DLtJTxMWZ2o
+references:
+    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
index 818c90e1091..424640dede0 100644
--- a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
@@ -1,7 +1,8 @@
 title: Suspicious PowerShell Parameter Substring
 status: experimental
 description: Detects suspicious PowerShell invocation with a parameter substring
-references: http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
+references:
+    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
 author: Florian Roth (rule), Daniel Bohannon (idea)
 logsource:
     product: windows
diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
index e928fdf51e7..bca589d342b 100644
--- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
@@ -1,7 +1,8 @@
 title: Rundll32 Internet Connection
 status: experimental
 description: Detects a rundll32 that communicates with piblic IP addresses
-references: https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 author: Florian Roth
 date: 2017/11/04
 logsource:
diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
index a58838d2381..c74bd2fd9fc 100644
--- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml
+++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
@@ -4,7 +4,8 @@ description: Detetcs a suspicious Microsoft certutil execution with sub commands
 author:
     - Florian Roth
     - juju4
-references:
+references:
+    - 
     - https://twitter.com/JohnLaTwC/status/835149808817991680
     - https://twitter.com/subTee/status/888102593838362624
     - https://twitter.com/subTee/status/888071631528235010
diff --git a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml
index 0bc8f699fb2..f2a069d1a48 100644
--- a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml
@@ -3,7 +3,8 @@ status: experimental
 description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
 author: Florian Roth
 date: 2017/04/15
-references: https://twitter.com/rikvduijn/status/853251879320662017
+references:
+    - https://twitter.com/rikvduijn/status/853251879320662017
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml
index 6f5c889b364..8a444db694c 100644
--- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml
+++ b/rules/windows/sysmon/sysmon_susp_exec_folder.yml
@@ -3,7 +3,8 @@ status: experimental
 description: Detects process starts of binaries from a suspicious folder
 author: Florian Roth
 date: 2017/10/14
-references:
+references:
+    - 
     - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
     - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
 logsource:
diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml
index b0e73b56588..f31d0bf06fc 100644
--- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml
+++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml
@@ -1,7 +1,8 @@
 title: Processes created by MMC
 status: experimental
 description: Processes started by MMC could by a sign of lateral movement using MMC application COM object
-references: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+references:
+    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_net_execution.yml b/rules/windows/sysmon/sysmon_susp_net_execution.yml
index 31ac43127b0..a3ac5f82c50 100644
--- a/rules/windows/sysmon/sysmon_susp_net_execution.yml
+++ b/rules/windows/sysmon/sysmon_susp_net_execution.yml
@@ -1,7 +1,8 @@
 title: Net.exe Execution
 status: experimental
 description: Detects execution of Net.exe, whether suspicious or benign.
-references: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
+references:
+    - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
 author: Michael Haag, Mark Woan (improvements)
 logsource:
     product: windows
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
index 46d6e14220b..f6aa932a465 100644
--- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
+++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
@@ -2,7 +2,8 @@ title: Suspicious PowerShell Invocation based on Parent Process
 status: experimental
 description: Detects suspicious powershell invocations from interpreters or unusual programs
 author: Florian Roth
-references: https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
+references:
+    - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
index 69a9a91a03c..d7febde9c32 100644
--- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
@@ -1,7 +1,8 @@
 title: Suspicious Program Location with Network Connections
 status: experimental
 description: Detects programs with network connections running in suspicious files system locations
-references: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+references:
+    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth
 date: 2017/03/19
 logsource:
diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
index 49053564f70..40917ac4115 100644
--- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
+++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
@@ -2,7 +2,8 @@ title: Regsvr32 Anomaly
 status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth
-references: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
+references:
+    - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
index 2cd13d3065a..5cf9faa6ca7 100644
--- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
@@ -2,7 +2,8 @@ title: Activity Related to NTDS.dit Domain Hash Retrieval
 status: experimental
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
 author: Florian Roth, Michael Haag
-references:
+references:
+    - 
     - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
     - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
     - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
diff --git a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
index eabf207e63f..3088ab4dff5 100644
--- a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
+++ b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
@@ -1,7 +1,8 @@
 title: Suspicious WMI execution
 status: experimental
 description: Detects WMI executing suspicious commands
-references:
+references:
+    - 
     - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
     - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
     - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
index b08b5d313a1..847f2bbcfc3 100644
--- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
+++ b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
@@ -1,7 +1,8 @@
 title: System File Execution Location Anomaly
 status: experimental
 description: Detects a Windows program executable started in a suspicious folder
-references: https://twitter.com/GelosSnake/status/934900723426439170
+references:
+    - https://twitter.com/GelosSnake/status/934900723426439170
 author: Florian Roth
 date: 2017/11/27
 logsource:
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
index d516ac99f08..f3f4e291357 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
@@ -1,7 +1,8 @@
 title: UAC Bypass via Event Viewer
 status: experimental
 description: Detects UAC bypass method using Windows event viewer
-references:
+references:
+    - 
     - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
     - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
index 4fbd2e557c4..7e986069f66 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
@@ -1,7 +1,8 @@
 title: UAC Bypass via sdclt
 status: experimental
 description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
-references: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
+references:
+    - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
 author: Omer Yampel
 logsource:
     product: windows
diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
index 93951e19066..dd8af4d8d15 100644
--- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml
+++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
@@ -1,7 +1,8 @@
 title: Microsoft Binary Github Communication
 status: experimental
 description: Detects an executable in the Windows folder accessing github.com
-references: https://twitter.com/M_haggis/status/900741347035889665
+references:
+    - https://twitter.com/M_haggis/status/900741347035889665
 author: Michael Haag (idea), Florian Roth (rule)
 logsource:
     product: windows
From 348728bdd9973ad7cf2082c5bbc9fbd1e1a5abda Mon Sep 17 00:00:00 2001 
From: SherifEldeeb
Date: Sun, 28 Jan 2018 02:36:39 +0300
Subject: [PATCH 3/3] Cleaning up empty list items
---
 rules/apt/apt_pandemic.yml | 1 -
 rules/apt/crime_fireball.yml | 1 -
 rules/linux/lnx_shell_susp_commands.yml | 1 -
 rules/proxy/proxy_download_susp_tlds_blacklist.yml | 1 -
 .../windows/builtin/win_alert_active_directory_user_control.yml | 1 -
 rules/windows/builtin/win_alert_enable_weak_encryption.yml | 1 -
 rules/windows/builtin/win_multiple_suspicious_cli.yml | 1 -
 rules/windows/builtin/win_plugx_susp_exe_locations.yml | 1 -
 rules/windows/builtin/win_susp_backup_delete.yml | 1 -
 rules/windows/builtin/win_susp_cli_escape.yml | 1 -
 rules/windows/builtin/win_susp_commands_recon_activity.yml | 1 -
 rules/windows/builtin/win_susp_dns_config.yml | 1 -
 rules/windows/builtin/win_susp_iss_module_install.yml | 1 -
 rules/windows/builtin/win_susp_msmpeng_crash.yml | 1 -
 rules/windows/builtin/win_susp_phantom_dll.yml | 1 -
 rules/windows/builtin/win_susp_process_creations.yml | 1 -
 rules/windows/builtin/win_susp_rasdial_activity.yml | 1 -
 rules/windows/builtin/win_susp_run_locations.yml | 1 -
 rules/windows/builtin/win_susp_rundll32_activity.yml | 1 -
 rules/windows/malware/sysmon_malware_notpetya.yml | 1 -
 rules/windows/malware/win_mal_wannacry.yml | 1 -
 rules/windows/powershell/powershell_prompt_credentials.yml | 1 -
 rules/windows/sysmon/sysmon_bitsadmin_download.yml | 1 -
 rules/windows/sysmon/sysmon_dhcp_calloutdll.yml | 1 -
 rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml | 1 -
 rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml | 1 -
 rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml | 1 -
 rules/windows/sysmon/sysmon_susp_certutil_command.yml | 1 -
 rules/windows/sysmon/sysmon_susp_exec_folder.yml | 1 -
 rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml | 1 -
 rules/windows/sysmon/sysmon_susp_wmi_execution.yml | 1 -
 rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml | 1 -
 32 files changed, 32 deletions(-)
diff --git a/rules/apt/apt_pandemic.yml b/rules/apt/apt_pandemic.yml
index db6b9dfdd45..46c69e25f72 100644
--- a/rules/apt/apt_pandemic.yml
+++ b/rules/apt/apt_pandemic.yml
@@ -2,7 +2,6 @@ title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
 references:
-    - 
     - https://wikileaks.org/vault7/#Pandemic
     - https://twitter.com/MalwareJake/status/870349480356454401
 author: Florian Roth
diff --git a/rules/apt/crime_fireball.yml b/rules/apt/crime_fireball.yml
index ddd520b6317..7b383e6188a 100644
--- a/rules/apt/crime_fireball.yml
+++ b/rules/apt/crime_fireball.yml
@@ -4,7 +4,6 @@ description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
 references:
-    - 
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 logsource:
diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml
index 4e2d9adac08..1a2d407026e 100644
--- a/rules/linux/lnx_shell_susp_commands.yml
+++ b/rules/linux/lnx_shell_susp_commands.yml
@@ -1,7 +1,6 @@
 title: Suspicious Activity in Shell Commands
 description: Detects suspicious shell commands used in various exploit codes (see references)
 references:
-    - 
     - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
     - http://pastebin.com/FtygZ1cg
diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index 358de00ca6c..1f23c3b2cae 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -2,7 +2,6 @@ title: Download from Suspicious TLD
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs
 references:
-    - 
     - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
     - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
     - https://www.spamhaus.org/statistics/tlds/
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index ad10fbea3cc..52b36834ad2 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -1,7 +1,6 @@
 title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
 references:
-    - 
     - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index 291f1f5a0d5..a8e2be3bd83 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -1,7 +1,6 @@
 title: Weak Encryption Enabled and Kerberoast
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
 references:
-    - 
     - https://adsecurity.org/?p=2053
     - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml
index 845789df835..1a6d9c8b22f 100644
--- a/rules/windows/builtin/win_multiple_suspicious_cli.yml
+++ b/rules/windows/builtin/win_multiple_suspicious_cli.yml
@@ -3,7 +3,6 @@ title: Quick Execution of a Series of Suspicious Commands
 description: Detects multiple suspicious process in a limited timeframe
 status: experimental
 references:
-    - 
     - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
 detection:
diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml
index 3cc5f46c8a0..33c55efccab 100644
--- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/builtin/win_plugx_susp_exe_locations.yml
@@ -2,7 +2,6 @@ title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
 references:
-    - 
     - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
     - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml
index 2c53a797ef4..61320ece5a7 100644
--- a/rules/windows/builtin/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/win_susp_backup_delete.yml
@@ -2,7 +2,6 @@ title: Backup Catalog Deleted
 status: experimental
 description: Detects backup catalog deletions
 references:
-    - 
     - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml
index bcaa2d1cf0d..c295d56140e 100644
--- a/rules/windows/builtin/win_susp_cli_escape.yml
+++ b/rules/windows/builtin/win_susp_cli_escape.yml
@@ -3,7 +3,6 @@ title: Suspicious Commandline Escape
 description: Detects suspicious process that use escape characters
 status: experimental
 references:
-    - 
     - https://twitter.com/vysecurity/status/885545634958385153
     - https://twitter.com/Hexacorn/status/885553465417756673
     - https://twitter.com/Hexacorn/status/885570278637678592
diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml
index 68e1a5e5ead..4cf2131a81c 100644
--- a/rules/windows/builtin/win_susp_commands_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml
@@ -4,7 +4,6 @@ title: Reconnaissance Activity with Net Command
 status: experimental
 description: 'Detects a set of commands often used in recon stages by different attack groups'
 references:
-    - 
     - https://twitter.com/haroonmeer/status/939099379834658817
     - https://twitter.com/c_APT_ure/status/939475433711722497
 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/builtin/win_susp_dns_config.yml
index 3eebe27d33a..c8630b31c05 100644
--- a/rules/windows/builtin/win_susp_dns_config.yml
+++ b/rules/windows/builtin/win_susp_dns_config.yml
@@ -3,7 +3,6 @@ description: This rule detects a DNS server error in which a specified plugin DL
 status: experimental
 date: 2017/05/08
 references:
-    - 
     - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
     - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
     - https://twitter.com/gentilkiwi/status/861641945944391680
diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/builtin/win_susp_iss_module_install.yml
index c2ad6d21296..7980e3c181f 100644
--- a/rules/windows/builtin/win_susp_iss_module_install.yml
+++ b/rules/windows/builtin/win_susp_iss_module_install.yml
@@ -4,7 +4,6 @@ title: IIS Native-Code Module Command Line Installation
 description: Detects suspicious IIS native-code module installations via command line
 status: experimental
 references:
-    - 
     - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
 author: Florian Roth
 detection:
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index 39b56e7d9fd..74d541a5933 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -3,7 +3,6 @@ description: This rule detects a suspicious crash of the Microsoft Malware Prote
 status: experimental
 date: 2017/05/09
 references:
-    - 
     - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
     - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_phantom_dll.yml b/rules/windows/builtin/win_susp_phantom_dll.yml
index 1dfeabe1327..85dfdc62e8e 100644
--- a/rules/windows/builtin/win_susp_phantom_dll.yml
+++ b/rules/windows/builtin/win_susp_phantom_dll.yml
@@ -3,7 +3,6 @@ title: Phantom DLLs Usage
 description: Detects Phantom DLLs usage and matching executable
 status: experimental
 references:
-    - 
     - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
     - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
 author: juju4
diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml
index f20f0be9918..d88ec77c8d6 100644
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ b/rules/windows/builtin/win_susp_process_creations.yml
@@ -4,7 +4,6 @@ title: Suspicious Process Creation
 description: Detects suspicious process starts on Windows systems bsed on keywords
 status: experimental
 references:
-    - 
     - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
     - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
     - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
diff --git a/rules/windows/builtin/win_susp_rasdial_activity.yml b/rules/windows/builtin/win_susp_rasdial_activity.yml
index 0ca74c6cbb3..bad621d167b 100644
--- a/rules/windows/builtin/win_susp_rasdial_activity.yml
+++ b/rules/windows/builtin/win_susp_rasdial_activity.yml
@@ -3,7 +3,6 @@ title: Suspicious RASdial Activity
 description: Detects suspicious process related to rasdial.exe
 status: experimental
 references:
-    - 
     - https://twitter.com/subTee/status/891298217907830785
 author: juju4
 detection:
diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml
index 5620a4893a0..77715a76b72 100644
--- a/rules/windows/builtin/win_susp_run_locations.yml
+++ b/rules/windows/builtin/win_susp_run_locations.yml
@@ -3,7 +3,6 @@ title: Suspicious Process Start Locations
 description: Detects suspicious process run from unusual locations
 status: experimental
 references:
-    - 
     - https://car.mitre.org/wiki/CAR-2013-05-002
 author: juju4
 detection:
diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/builtin/win_susp_rundll32_activity.yml
index c8c11105a49..76c2f709657 100644
--- a/rules/windows/builtin/win_susp_rundll32_activity.yml
+++ b/rules/windows/builtin/win_susp_rundll32_activity.yml
@@ -3,7 +3,6 @@ title: Suspicious Rundll32 Activity
 description: Detects suspicious process related to rundll32 based on arguments
 status: experimental
 references:
-    - 
     - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
     - https://twitter.com/Hexacorn/status/885258886428725250
     - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml
index d12233e4e1c..73b05eedc08 100644
--- a/rules/windows/malware/sysmon_malware_notpetya.yml
+++ b/rules/windows/malware/sysmon_malware_notpetya.yml
@@ -3,7 +3,6 @@ status: experimental
 description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
 author: Florian Roth, Tom Ueltschi
 references:
-    - 
     - https://securelist.com/schroedingers-petya/78870/
     - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 logsource:
diff --git a/rules/windows/malware/win_mal_wannacry.yml b/rules/windows/malware/win_mal_wannacry.yml
index 7aea41d32d8..489bc588e28 100644
--- a/rules/windows/malware/win_mal_wannacry.yml
+++ b/rules/windows/malware/win_mal_wannacry.yml
@@ -3,7 +3,6 @@ title: WannaCry Ransomware
 description: Detects WannaCry Ransomware Activity
 status: experimental
 references:
-    - 
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
 author: Florian Roth
 detection:
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index 7e172089830..822c49dabb2 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -2,7 +2,6 @@ title: PowerShell Credential Prompt
 status: experimental
 description: Detects PowerShell calling a credential prompt
 references:
-    - 
     - https://twitter.com/JohnLaTwC/status/850381440629981184
     - https://t.co/ezOTGy1a1G
 author: John Lambert (idea), Florian Roth (rule)
diff --git a/rules/windows/sysmon/sysmon_bitsadmin_download.yml b/rules/windows/sysmon/sysmon_bitsadmin_download.yml
index 92ae11523fa..8c4aac9df1c 100644
--- a/rules/windows/sysmon/sysmon_bitsadmin_download.yml
+++ b/rules/windows/sysmon/sysmon_bitsadmin_download.yml
@@ -2,7 +2,6 @@ title: Bitsadmin Download
 status: experimental
 description: Detects usage of bitsadmin downloading a file
 references:
-    - 
     - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
     - https://isc.sans.edu/diary/22264
 author: Michael Haag
diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
index adde51bb4b5..3ce455d750d 100644
--- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
@@ -2,7 +2,6 @@ title: DHCP Callout DLL installation
 status: experimental
 description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
 references:
-    - 
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
diff --git a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
index a5f77397317..f029b0cd893 100644
--- a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
+++ b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
@@ -2,7 +2,6 @@ title: DNS ServerLevelPluginDll Install
 status: experimental
 description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
 references:
- -
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 date: 2017/05/08
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml
index c92391d6192..ad2eff25141 100644
--- a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml
+++ b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml
@@ -2,7 +2,6 @@ title: Droppers exploiting CVE-2017-11882
 status: experimental
 description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
 references:
- -
 - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
 - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml
index 8cb9a7a62e4..9271116db28 100644
--- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml
+++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml
@@ -2,7 +2,6 @@ title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
 references:
- -
 - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
 - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
index c74bd2fd9fc..12c8abe87b9 100644
--- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml
+++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
@@ -5,7 +5,6 @@ author:
 - Florian Roth
 - juju4
 references:
- -
 - https://twitter.com/JohnLaTwC/status/835149808817991680
 - https://twitter.com/subTee/status/888102593838362624
 - https://twitter.com/subTee/status/888071631528235010
diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml
index 8a444db694c..02a9eb35ed8 100644
--- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml
+++ b/rules/windows/sysmon/sysmon_susp_exec_folder.yml
@@ -4,7 +4,6 @@ description: Detects process starts of binaries from a suspicious folder
 author: Florian Roth
 date: 2017/10/14
 references:
- -
 - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
 - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
 logsource:
diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
index 5cf9faa6ca7..5657c885e15 100644
--- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
@@ -3,7 +3,6 @@ status: experimental
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
 author: Florian Roth, Michael Haag
 references:
- -
 - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
 - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
 - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
diff --git a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
index 3088ab4dff5..a59044bcc5f 100644
--- a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
+++ b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
@@ -2,7 +2,6 @@ title: Suspicious WMI execution
 status: experimental
 description: Detects WMI executing suspicious commands
 references:
- -
 - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
 - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
index f3f4e291357..f3a28a27c7d 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
@@ -2,7 +2,6 @@ title: UAC Bypass via Event Viewer
 status: experimental
 description: Detects UAC bypass method using Windows event viewer
 references:
- -
 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 author: Florian Roth