Commit
Sigma Rule Update (2024-05-13 20:11:52) (#664)
Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>
1 parent dfcce33, commit ecc2f64
Showing 48 changed files with 723 additions and 210 deletions.
sigma/builtin/powershell/powershell_script/posh_ps_packet_capture.yml (37 changes: 37 additions & 0 deletions)
@@ -0,0 +1,37 @@ | ||
title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock | ||
id: 0357e3d7-f8fe-0601-0902-364f4cdbed81 | ||
related: | ||
- id: da34e323-1e65-42db-83be-a6725ac2caa3 | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. | ||
Adversaries may attempt to capture network to gather information over the course of an operation. | ||
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. | ||
references: | ||
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing | ||
- https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md | ||
- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 | ||
author: frack113 | ||
date: 2024/05/12 | ||
tags: | ||
- attack.credential_access | ||
- attack.discovery | ||
- attack.t1040 | ||
logsource: | ||
product: windows | ||
category: ps_script | ||
definition: 'Requirements: Script Block Logging must be enabled' | ||
detection: | ||
ps_script: | ||
EventID: 4104 | ||
Channel: | ||
- Microsoft-Windows-PowerShell/Operational | ||
- PowerShellCore/Operational | ||
selection: | ||
ScriptBlockText|contains: Start-NetEventSession | ||
condition: ps_script and selection | ||
falsepositives: | ||
- Legitimate network diagnostic scripts. | ||
level: medium | ||
ruletype: Sigma |
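Review bot: `ScriptBlockText|contains: Start-NetEventSession` is a bare substring match, so any script block that merely mentions the cmdlet (a comment, a help string, a wrapper module around the NetEventPacketCapture cmdlets) will fire this rule; that is acceptable at `level: medium`, but the `falsepositives` entry should say so rather than only "Legitimate network diagnostic scripts." The `description` also needs a grammar pass before merge: "cmdlet. Which allows an attacker" is a fragment, and "capture network to gather information" drops the word "traffic". Suggest: "Detects the execution of PowerShell scripts that call the "Start-NetEventSession" cmdlet, which starts event and packet capture for a network event session." and "Adversaries may attempt to capture network traffic to gather information over the course of an operation."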
sigma/builtin/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml (49 changes: 49 additions & 0 deletions)
@@ -0,0 +1,49 @@ | ||
title: Potentially Suspicious Child Process of KeyScrambler.exe | ||
id: b2e90afd-fc69-1c5c-0457-d908fe3c4335 | ||
status: experimental | ||
description: Detects potentially suspicious child processes of KeyScrambler.exe | ||
references: | ||
- https://twitter.com/DTCERT/status/1712785421845790799 | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/05/13 | ||
tags: | ||
- attack.execution | ||
- attack.defense_evasion | ||
- attack.privilege_escalation | ||
- attack.t1203 | ||
- attack.t1574.002 | ||
- sysmon | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
process_creation: | ||
EventID: 4688 | ||
Channel: Security | ||
selection_parent: | ||
ParentProcessName|endswith: \KeyScrambler.exe | ||
selection_binaries: | ||
# Note: add additional binaries that the attacker might use | ||
- NewProcessName|endswith: | ||
- \cmd.exe | ||
- \cscript.exe | ||
- \mshta.exe | ||
- \powershell.exe | ||
- \pwsh.exe | ||
- \regsvr32.exe | ||
- \rundll32.exe | ||
- \wscript.exe | ||
- OriginalFileName: | ||
- Cmd.Exe | ||
- cscript.exe | ||
- mshta.exe | ||
- PowerShell.EXE | ||
- pwsh.dll | ||
- regsvr32.exe | ||
- RUNDLL32.EXE | ||
- wscript.exe | ||
condition: process_creation and (all of selection_*) | ||
falsepositives: | ||
- Unknown | ||
level: medium | ||
ruletype: Sigma |
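Review bot: the `OriginalFileName` branch of `selection_binaries` can never match here: the `process_creation` block pins the rule to `EventID: 4688` on `Channel: Security`, and Security 4688 events carry `NewProcessName` and `ParentProcessName` but no `OriginalFileName` field (that field comes from Sysmon Event ID 1, which the `sysmon` tag hints at). Because the two list items are ORed, the rule still works through `NewProcessName|endswith`, but the dead branch should be dropped or its purpose documented so the next maintainer does not assume it adds coverage. Two smaller points: the in-line `# Note: add additional binaries that the attacker might use` is an author to-do that should not ship in the rule body, and `falsepositives: - Unknown` together with the one-line description gives an analyst nothing to triage against; state why a cmd/script/LOLBin child of KeyScrambler.exe is unexpected (the referenced DTCERT tweet is the only context given).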