Adding more rules.
bmcder02 committed Nov 30, 2023
1 parent 1e07f0a commit 69f8674
Showing 159 changed files with 5,773 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
title: Uninstall Crowdstrike Falcon Sensor
id: f0f7be61-9cf5-43be-9836-99d6ef448a18
status: test
description: Adversaries may disable security tools to avoid possible detection of
their tools and activities by uninstalling Crowdstrike Falcon
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113
date: 2021/07/12
modified: 2023/03/09
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 4688
Channel: Security
selection:
CommandLine|contains|all:
- \WindowsSensor.exe
- ' /uninstall'
- ' /quiet'
condition: process_creation and selection
falsepositives:
- Administrator might leverage the same command line for debugging or other purposes.
However this action must be always investigated
level: high
ruletype: Sigma
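Review bot: the `process_creation` block that pins this rule to `EventID: 4688` / `Channel: Security` makes it depend on command-line auditing: 4688 only populates `CommandLine` when "Include command line in process creation events" is enabled, so on a default audit policy the `CommandLine|contains|all` selection never matches and the rule silently produces nothing. State that prerequisite in `description` or `falsepositives`, and bump `modified` (still `2023/03/09`) since the logsource mapping was added in this commit.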
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: Detects a highly relevant Antivirus alert that reports an exploitation
framework
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
- https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
- https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018/09/09
modified: 2023/01/13
tags:
- attack.execution
- attack.t1203
- attack.command_and_control
- attack.t1219
logsource:
category: antivirus
product: windows
service: windefend
detection:
antivirus:
EventID:
- 1006
- 1007
- 1008
- 1009
- 1010
- 1011
- 1012
- 1115
- 1116
- 1017
- 1018
- 1019
- 1115
- 1116
Channel: Microsoft-Windows-Windows Defender/Operational
selection:
ThreatName|contains:
- MeteTool
- MPreter
- Meterpreter
- Metasploit
- PowerSploit
- CobaltStrike
- BruteR
- Brutel
- Swrort
- Rozena
- Backdoor.Cobalt
- CobaltStr
- COBEACON
- Cometer
- Razy
- IISExchgSpawnCMD
- Exploit.Script.CVE
- Seatbelt
- Sbelt
- Sliver
condition: antivirus and selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: critical
ruletype: Sigma
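Review bot: the `EventID` list under `antivirus:` contains `1115` and `1116` twice (once after `1012` and again after `1019`); drop the second pair so the list reads 1006-1012, 1017-1019, 1115, 1116 and is easier to audit against the Defender operational event set. The duplicates are harmless for matching but will trip any linter that checks for repeated list values.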
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: Detects a highly relevant Antivirus alert that reports a hack tool or
other attack tool
references:
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021/08/16
modified: 2023/02/03
tags:
- attack.execution
- attack.t1204
logsource:
category: antivirus
product: windows
service: windefend
detection:
antivirus:
EventID:
- 1006
- 1007
- 1008
- 1009
- 1010
- 1011
- 1012
- 1115
- 1116
- 1017
- 1018
- 1019
- 1115
- 1116
Channel: Microsoft-Windows-Windows Defender/Operational
selection:
- ThreatName|startswith:
- HTOOL
- HKTL
- SecurityTool
- Adfind
- ATK/
- Exploit.Script.CVE
- PWS.
- PWSX
- ThreatName|contains:
- Hacktool
- ATK/
- Potato
- Rozena
- Sbelt
- Seatbelt
- SecurityTool
- SharpDump
- Sliver
- Splinter
- Swrort
- Impacket
- Koadic
- Lazagne
- Metasploit
- Meterpreter
- MeteTool
- Mimikatz
- Mpreter
- Nighthawk
- PentestPowerShell
- PowerSploit
- PowerSSH
- PshlSpy
- PSWTool
- PWCrack
- Brutel
- BruteR
- Cobalt
- COBEACON
- Cometer
- DumpCreds
- FastReverseProxy
- PWDump
condition: antivirus and selection
falsepositives:
- Unlikely
level: high
ruletype: Sigma
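Review bot: `ATK/` and `SecurityTool` appear under both `ThreatName|startswith` and `ThreatName|contains`; since the two blocks are ORed and `contains` subsumes `startswith`, the `startswith` entries are dead weight and can be removed. Separately, the logsource is narrowed to `service: windefend` (Channel `Microsoft-Windows-Windows Defender/Operational`), yet several patterns follow other vendors' naming (for example the `ATK/` prefix), so consider trimming to names Defender actually emits or widening the logsource. Same duplicated `1115`/`1116` EventID entries as in the previous file.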
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: Detects a highly relevant Antivirus alert that reports a password dumper
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems)
date: 2018/09/09
modified: 2023/01/18
tags:
- attack.credential_access
- attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
logsource:
category: antivirus
product: windows
service: windefend
detection:
antivirus:
EventID:
- 1006
- 1007
- 1008
- 1009
- 1010
- 1011
- 1012
- 1115
- 1116
- 1017
- 1018
- 1019
- 1115
- 1116
Channel: Microsoft-Windows-Windows Defender/Operational
selection:
- ThreatName|startswith: PWS
- ThreatName|contains:
- DumpCreds
- Mimikatz
- PWCrack
- HTool/WCE
- PSWTool
- PWDump
- SecurityTool
- PShlSpy
- Rubeus
- Kekeo
- LsassDump
- Outflank
- DumpLsass
- SharpDump
- PWSX
- PWS.
condition: antivirus and selection
falsepositives:
- Unlikely
level: critical
ruletype: Sigma
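Review bot: `ThreatName|startswith: PWS` matches Defender's whole password-stealer family prefix, so this rule will fire on commodity infostealer detections as well as on the dumping tools named in `description` and in the `contains` list (Mimikatz, Rubeus, LsassDump, ...); either rename/describe the rule accordingly or move the broad `PWS` prefix behind a note in `falsepositives`, which currently says only `Unlikely`. The `EventID` list again repeats `1115` and `1116`; dedupe as in the other files.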
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
title: Antivirus Ransomware Detection
id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
status: test
description: Detects a highly relevant Antivirus alert that reports ransomware
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
- https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
- https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
- https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
- https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2022/05/12
modified: 2023/02/03
tags:
- attack.t1486
logsource:
category: antivirus
product: windows
service: windefend
detection:
antivirus:
EventID:
- 1006
- 1007
- 1008
- 1009
- 1010
- 1011
- 1012
- 1115
- 1116
- 1017
- 1018
- 1019
- 1115
- 1116
Channel: Microsoft-Windows-Windows Defender/Operational
selection:
ThreatName|contains:
- Ransom
- Cryptor
- Crypter
- CRYPTES
- GandCrab
- BlackWorm
- Phobos
- Destructor
- Filecoder
- GrandCrab
- Krypt
- Locker
- Ryuk
- Ryzerlo
- Tescrypt
- TeslaCrypt
condition: antivirus and selection
falsepositives:
- Unlikely
level: critical
ruletype: Sigma
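Review bot: the `contains` list carries very short generic substrings (`Krypt`, `Locker`, `Cryptor`, `Crypter`) alongside family names, and both `GandCrab` and `GrandCrab` are listed; if the misspelled variant is deliberate to match a vendor's naming, a comment on that line would stop a later cleanup from removing it, and a short `falsepositives` entry explaining why the generic substrings are still considered `Unlikely` at `level: critical` would help triage. The `EventID` list repeats `1115`/`1116` as in the other rules.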