Documentation

Contents
Contents
Contents
Contents
!
This documentation applies to a beta version of uberAgent (docs for the latest official release)

sigma-proc-creation-critical.conf

The following is the sigma-proc-creation-critical.conf configuration file that ships with uberAgent. It contains process tagging rules derived from the Sigma project for use with uberAgent ESA.

#
# These rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules flagged with the level 'critical' from the repository with Python
#    1. Clone the repository locally
#    2. Using a command line, change to the locally cloned repository
#    4. Run "python tools/sigmac -I --target uberagent -f level=critical -r rules/windows/process_creation"
#

[ProcessTaggingRule]
Rulename = APT29
# Source: https://github.com/Neo23x0/sigma
# This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
EventType = Process.Start
Process.CommandLine = (?=.*-noni)(?=.*-ep)(?=.*bypass)(?=.*$)
Tag = proc-start-apt29
RiskScore = 100

[ProcessTaggingRule]
Rulename = Judgement Panda Exfil Activity
# Source: https://github.com/Neo23x0/sigma
# Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
EventType = Process.Start
Process.Name = ^xcopy\.exe$
Process.CommandLine = (?=.*\/S)(?=.*\/E)(?=.*\/C)(?=.*\/Q)(?=.*\/H)(?=.*\\)
Process.Name = ^adexplorer\.exe$
Process.CommandLine = (?=.*-snapshot)(?=.*"")(?=.*c:\\users\\)
Tag = proc-start-judgement-panda-exfil-activity
RiskScore = 100

[ProcessTaggingRule]
Rulename = BlueMashroom DLL Load
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
EventType = Process.Start
Process.CommandLine = (?=.*\\regsvr32)(?=.*\\AppData\\Local\\)
Process.CommandLine = \\AppData\\Local\\\.*,DllEntry
Tag = proc-start-bluemashroom-dll-load
RiskScore = 100

[ProcessTaggingRule]
Rulename = WMIExec VBS Script
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious file execution by wscript and cscript
EventType = Process.Start
Process.Name = ^cscript\.exe$
Process.CommandLine = (?=.*\.vbs)(?=.*\/shell)
Tag = proc-start-wmiexec-vbs-script
RiskScore = 100

[ProcessTaggingRule]
Rulename = CrackMapExecWin
# Source: https://github.com/Neo23x0/sigma
# Detects CrackMapExecWin Activity as Described by NCSC
EventType = Process.Start
Process.Name = ^crackmapexec\.exe$
Tag = proc-start-crackmapexecwin
RiskScore = 100

[ProcessTaggingRule]
Rulename = Elise Backdoor
# Source: https://github.com/Neo23x0/sigma
# Detects Elise backdoor acitivty as used by APT32
EventType = Process.Start
Process.Path = C:\\Windows\\SysWOW64\\cmd\.exe
Process.CommandLine = \\Windows\\Caches\\NavShExt\.dll
Process.CommandLine = \\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt\.dll,Setting
Tag = proc-start-elise-backdoor
RiskScore = 100

[ProcessTaggingRule]
Rulename = Emissary Panda Malware SLLauncher
# Source: https://github.com/Neo23x0/sigma
# Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
EventType = Process.Start
Parent.Name = ^sllauncher\.exe$
Process.Name = ^svchost\.exe$
Tag = proc-start-emissary-panda-malware-sllauncher
RiskScore = 100

[ProcessTaggingRule]
Rulename = Empire Monkey
# Source: https://github.com/Neo23x0/sigma
# Detects EmpireMonkey APT reported Activity
EventType = Process.Start
Process.CommandLine = (?=.*\/i:%APPDATA%\\logs\.txt)(?=.*scrobj\.dll)
Process.Name = ^cutil\.exe$
Description = Microsoft(C) Registerserver
Tag = proc-start-empire-monkey
RiskScore = 100

[ProcessTaggingRule]
Rulename = Equation Group DLL_U Load
# Source: https://github.com/Neo23x0/sigma
# Detects a specific tool and export used by EquationGroup
EventType = Process.Start
Process.Name = ^rundll32\.exe$
Process.CommandLine = ,dll_u
Process.CommandLine = (?=.*-export)(?=.*dll_u)
Tag = proc-start-equation-group-dll_u-load
RiskScore = 100

[ProcessTaggingRule]
Rulename = Judgement Panda Exfil Activity
# Source: https://github.com/Neo23x0/sigma
# Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
EventType = Process.Start
Process.CommandLine = (?=.*\\ldifde\.exe)(?=.*-f)(?=.*-n)
Process.CommandLine = (?=.*\\7za\.exe)(?=.*a)(?=.*1\.7z)
Process.CommandLine = eprod\.ldf
Process.CommandLine = \\aaaa\\procdump64\.exe
Process.CommandLine = \\aaaa\\netsess\.exe
Process.CommandLine = \\aaaa\\7za\.exe
Process.CommandLine = (?=.*copy)(?=.*\.\\1\.7z)(?=.*\\)
Process.CommandLine = (?=.*copy)(?=.*\\\\client\\c$\\aaaa\\)
Process.Path = C:\\Users\\Public\\7za\.exe
Tag = proc-start-judgement-panda-exfil-activity
RiskScore = 100

[ProcessTaggingRule]
Rulename = Sofacy Trojan Loader Activity
# Source: https://github.com/Neo23x0/sigma
# Detects Trojan loader acitivty as used by APT28
EventType = Process.Start
Process.CommandLine = (?=.*rundll32\.exe)(?=.*%APPDATA%\\\.*\.dat",)
Process.CommandLine = (?=.*rundll32\.exe)(?=.*%APPDATA%\\\.*\.dll",#1)
Tag = proc-start-sofacy-trojan-loader-activity
RiskScore = 100

[ProcessTaggingRule]
Rulename = Turla Group Lateral Movement
# Source: https://github.com/Neo23x0/sigma
# Detects automated lateral movement by Turla group
EventType = Process.Start
Process.CommandLine = (?=.*net)(?=.*use)(?=.*\\\\%DomainController%\\C$)(?=.*"P@ssw0rd")
Process.CommandLine = (?=.*dir)(?=.*c:\\\.*\.doc)(?=.*\/s)
Process.CommandLine = (?=.*dir)(?=.*%TEMP%\\\.*\.exe)
Tag = proc-start-turla-group-lateral-movement
RiskScore = 100

[ProcessTaggingRule]
Rulename = Winnti Malware HK University Campaign
# Source: https://github.com/Neo23x0/sigma
# Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
EventType = Process.Start
Parent.Name = C:\\Windows\\Temp
Parent.Name = ^hpqhvind\.exe$
Process.Path = C:\\ProgramData\\DRM
Parent.Path = C:\\ProgramData\\DRM
Process.Name = ^wmplayer\.exe$
Parent.Name = ^Test\.exe$
Process.Name = ^wmplayer\.exe$
Process.Path = C:\\ProgramData\\DRM\\CLR\\CLR\.exe
Parent.Path = C:\\ProgramData\\DRM\\Windows
Process.Name = ^SearchFilterHost\.exe$
Tag = proc-start-winnti-malware-hk-university-campaign
RiskScore = 100

[ProcessTaggingRule]
Rulename = ZxShell Malware
# Source: https://github.com/Neo23x0/sigma
# Detects a ZxShell start by the called and well-known function name
EventType = Process.Start
Command = rundll32.exe *,zxFunction*
Command = rundll32.exe *,RemoteDiskXXXXX
Tag = proc-start-zxshell-malware
RiskScore = 100

[ProcessTaggingRule]
Rulename = Control Panel Items
# Source: https://github.com/Neo23x0/sigma
# Detects the use of a control panel item (.cpl) outside of the System32 folder
EventType = Process.Start
Process.CommandLine = \.cpl
Process.CommandLine != \\System32\\
Process.CommandLine != %System%
Tag = proc-start-control-panel-items
RiskScore = 100

[ProcessTaggingRule]
Rulename = Encoded FromBase64String
# Source: https://github.com/Neo23x0/sigma
# Detects a base64 encoded FromBase64String keyword in a process command line
EventType = Process.Start
Process.CommandLine = OjpGcm9tQmFzZTY0U3RyaW5n
Process.CommandLine = o6RnJvbUJhc2U2NFN0cmluZ
Process.CommandLine = 6OkZyb21CYXNlNjRTdHJpbm
Tag = proc-start-encoded-frombase64string
RiskScore = 100

[ProcessTaggingRule]
Rulename = Encoded IEX
# Source: https://github.com/Neo23x0/sigma
# Detects a base64 encoded IEX command string in a process command line
EventType = Process.Start
Process.CommandLine = SUVYIChb
Process.CommandLine = lFWCAoW
Process.CommandLine = JRVggKF
Process.CommandLine = aWV4IChb
Process.CommandLine = lleCAoW
Process.CommandLine = pZXggKF
Process.CommandLine = aWV4IChOZX
Process.CommandLine = lleCAoTmV3
Process.CommandLine = pZXggKE5ld
Process.CommandLine = SUVYIChOZX
Process.CommandLine = lFWCAoTmV3
Process.CommandLine = JRVggKE5ld
Tag = proc-start-encoded-iex
RiskScore = 100

[ProcessTaggingRule]
Rulename = Exploit for CVE-2015-1641
# Source: https://github.com/Neo23x0/sigma
# Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
EventType = Process.Start
Parent.Name = ^WINWORD\.EXE$
Process.Name = ^MicroScMgmt\.exe$
Tag = proc-start-exploit-for-cve-2015-1641
RiskScore = 100

[ProcessTaggingRule]
Rulename = Droppers Exploiting CVE-2017-11882
# Source: https://github.com/Neo23x0/sigma
# Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
EventType = Process.Start
Parent.Name = ^EQNEDT32\.EXE$
Tag = proc-start-droppers-exploiting-cve-2017-11882
RiskScore = 100

[ProcessTaggingRule]
Rulename = Exploit for CVE-2017-8759
# Source: https://github.com/Neo23x0/sigma
# Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
EventType = Process.Start
Parent.Name = ^WINWORD\.EXE$
Process.Name = ^csc\.exe$
Tag = proc-start-exploit-for-cve-2017-8759
RiskScore = 100

[ProcessTaggingRule]
Rulename = Rubeus Hack Tool
# Source: https://github.com/Neo23x0/sigma
# Detects command line parameters used by Rubeus hack tool
EventType = Process.Start
Process.CommandLine = asreproast
Process.CommandLine = (?=.*dump)(?=.*\/service:krbtgt)
Process.CommandLine = kerberoast
Process.CommandLine = (?=.*createnetonly)(?=.*\/program:)
Process.CommandLine = (?=.*ptt)(?=.*\/ticket:)
Process.CommandLine = \/impersonateuser:
Process.CommandLine = (?=.*renew)(?=.*\/ticket:)
Process.CommandLine = (?=.*asktgt)(?=.*\/user:)
Process.CommandLine = (?=.*harvest)(?=.*\/interval:)
Tag = proc-start-rubeus-hack-tool
RiskScore = 100

[ProcessTaggingRule]
Rulename = Impacket Lateralization Detection
# Source: https://github.com/Neo23x0/sigma
# Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
EventType = Process.Start
Parent.Name = ^wmiprvse\.exe$
Parent.Name = ^mmc\.exe$
Parent.Name = ^explorer\.exe$
Parent.Name = ^services\.exe$
Process.CommandLine = (?=.*cmd\.exe)(?=.*\/Q)(?=.*\/c)(?=.*\\\\\\\\127\.0\.0\.1\\\.*&1)
Parent.CommandLine = (?=.*svchost\.exe)(?=.*-k)(?=.*netsvcs)
Parent.CommandLine = taskeng\.exe
Process.CommandLine = (?=.*cmd\.exe)(?=.*\/C)(?=.*Windows\\\\Temp\\\.*&1)
Tag = proc-start-impacket-lateralization-detection
RiskScore = 100

[ProcessTaggingRule]
Rulename = Dridex Process Pattern
# Source: https://github.com/Neo23x0/sigma
# Detects typical Dridex process patterns
EventType = Process.Start
Process.CommandLine = (?=.*\\svchost\.exe)(?=.*C:\\Users\\\.*\\Desktop\\)
Parent.Name = ^svchost\.exe$
Process.CommandLine = (?=.*whoami\.exe)(?=.*\/all)
Process.CommandLine = (?=.*net\.exe)(?=.*view)
Tag = proc-start-dridex-process-pattern
RiskScore = 100

[ProcessTaggingRule]
Rulename = DTRACK Process Creation
# Source: https://github.com/Neo23x0/sigma
# Detects specific process parameters as seen in DTRACK infections
EventType = Process.Start
Process.CommandLine = (?=.*echo)(?=.*EEEE)(?=.*>)
Tag = proc-start-dtrack-process-creation
RiskScore = 100

[ProcessTaggingRule]
Rulename = Emotet Process Creation
# Source: https://github.com/Neo23x0/sigma
# Detects all Emotet like process executions that are not covered by the more generic rules
EventType = Process.Start
Process.CommandLine = (?=.*-e)(?=.*PAA)
Process.CommandLine = JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ
Process.CommandLine = QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA
Process.CommandLine = kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA
Process.CommandLine = IgAoACcAKgAnACkAOwAkA
Process.CommandLine = IAKAAnACoAJwApADsAJA
Process.CommandLine = iACgAJwAqACcAKQA7ACQA
Process.CommandLine = JABGAGwAeAByAGgAYwBmAGQ
Tag = proc-start-emotet-process-creation
RiskScore = 100

[ProcessTaggingRule]
Rulename = Formbook Process Creation
# Source: https://github.com/Neo23x0/sigma
# Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
EventType = Process.Start
Parent.CommandLine = C:\\Windows\\System32\\\.*\.exe
Parent.CommandLine = C:\\Windows\\SysWOW64\\\.*\.exe
Process.CommandLine = (?=.*\/c)(?=.*del)(?=.*"C:\\Users\\\.*\\AppData\\Local\\Temp\\\.*\.exe)
Process.CommandLine = (?=.*\/c)(?=.*del)(?=.*"C:\\Users\\\.*\\Desktop\\\.*\.exe)
Process.CommandLine = (?=.*\/C)(?=.*type)(?=.*nul)(?=.*>)(?=.*"C:\\Users\\\.*\\Desktop\\\.*\.exe)
Tag = proc-start-formbook-process-creation
RiskScore = 100

[ProcessTaggingRule]
Rulename = NotPetya Ransomware Activity
# Source: https://github.com/Neo23x0/sigma
# Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
EventType = Process.Start
Process.CommandLine = (?=.*\\AppData\\Local\\Temp\\\.*)(?=.*\\\\\.\\pipe\\)
Process.Name = ^rundll32\.exe$
Process.CommandLine = \.dat,#1
*\perfc.dat*
Tag = proc-start-notpetya-ransomware-activity
RiskScore = 100

[ProcessTaggingRule]
Rulename = QBot Process Creation
# Source: https://github.com/Neo23x0/sigma
# Detects QBot like process executions
EventType = Process.Start
Parent.Name = ^WinRAR\.exe$
Process.Name = ^wscript\.exe$
Process.CommandLine = (?=.*\/c)(?=.*ping\.exe)(?=.*-n)(?=.*6)(?=.*127\.0\.0\.1)(?=.*&)(?=.*type)
Tag = proc-start-qbot-process-creation
RiskScore = 100

[ProcessTaggingRule]
Rulename = Ryuk Ransomware
# Source: https://github.com/Neo23x0/sigma
# Detects Ryuk ransomware activity
EventType = Process.Start
Process.CommandLine = Microsoft\\Windows\\CurrentVersion\\Run
Process.CommandLine = C:\\users\\Public
Tag = proc-start-ryuk-ransomware
RiskScore = 100

[ProcessTaggingRule]
Rulename = Trickbot Malware Recon Activity
# Source: https://github.com/Neo23x0/sigma
# Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.
EventType = Process.Start
Process.Name = ^nltest\.exe$
Process.CommandLine = (?=.*\/domain_trusts)(?=.*\/all_trusts)
Process.CommandLine = \/domain_trusts
Tag = proc-start-trickbot-malware-recon-activity
RiskScore = 100

[ProcessTaggingRule]
Rulename = WannaCry Ransomware
# Source: https://github.com/Neo23x0/sigma
# Detects WannaCry ransomware activity
EventType = Process.Start
Process.Name = ^tasksche\.exe$
Process.Name = ^mssecsvc\.exe$
Process.Name = ^taskdl\.exe$
Process.Name = \\@WanaDecryptor@
Process.Name = \\WanaDecryptor
Process.Name = ^taskhsvc\.exe$
Process.Name = ^taskse\.exe$
Process.Name = ^111\.exe$
Process.Name = ^lhdfrgui\.exe$
Process.Name = ^diskpart\.exe$
Process.Name = ^linuxnew\.exe$
Process.Name = ^wannacry\.exe$
Process.CommandLine = (?=.*icacls)(?=.*\/grant)(?=.*Everyone:F)(?=.*\/T)(?=.*\/C)(?=.*\/Q)
Process.CommandLine = (?=.*bcdedit)(?=.*\/set)(?=.*{default})(?=.*recoveryenabled)(?=.*no)
Process.CommandLine = (?=.*wbadmin)(?=.*delete)(?=.*catalog)(?=.*-quiet)
Process.CommandLine = @Please_Read_Me@\.txt
Tag = proc-start-wannacry-ransomware
RiskScore = 100

[ProcessTaggingRule]
Rulename = MavInject Process Injection
# Source: https://github.com/Neo23x0/sigma
# Detects process injection using the signed Windows tool Mavinject32.exe
EventType = Process.Start
Process.CommandLine = \/INJECTRUNNING
Tag = proc-start-mavinject-process-injection
RiskScore = 100

[ProcessTaggingRule]
Rulename = PowerShell Base64 Encoded Shellcode
# Source: https://github.com/Neo23x0/sigma
# Detects Base64 encoded Shellcode
EventType = Process.Start
Process.CommandLine = AAAAYInlM
Process.CommandLine = OiCAAAAYInlM
Process.CommandLine = OiJAAAAYInlM
Tag = proc-start-powershell-base64-encoded-shellcode
RiskScore = 100

[ProcessTaggingRule]
Rulename = Shadow Copies Deletion Using Operating Systems Utilities
# Source: https://github.com/Neo23x0/sigma
# Shadow Copies deletion using operating systems utilities
EventType = Process.Start
NewProcessName = *\powershell.exe
NewProcessName = *\wmic.exe
NewProcessName = *\vssadmin.exe
Process.CommandLine = shadow
Process.CommandLine = delete
Tag = proc-start-shadow-copies-deletion-using-operating-systems-utilities
RiskScore = 100

[ProcessTaggingRule]
Rulename = Devtoolslauncher.exe Executes Specified Binary
# Source: https://github.com/Neo23x0/sigma
# The Devtoolslauncher.exe executes other binary
EventType = Process.Start
Process.Name = ^devtoolslauncher\.exe$
Process.CommandLine = LaunchForDeploy
Tag = proc-start-devtoolslauncher.exe-executes-specified-binary
RiskScore = 100

[ProcessTaggingRule]
Rulename = Suspicious Double Extension
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
EventType = Process.Start
Process.Name = ^\.doc$
Process.Name = ^\.docx$
Process.Name = ^\.xls$
Process.Name = ^\.xlsx$
Process.Name = ^\.ppt$
Process.Name = ^\.pptx$
Process.Name = ^\.rtf$
Process.Name = ^\.pdf$
Process.Name = ^\.txt$
Process.Name = ^\.exe$
Process.Name = ^______\.exe$
Tag = proc-start-suspicious-double-extension
RiskScore = 100

[ProcessTaggingRule]
Rulename = Empire PowerShell Launch Parameters
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious powershell command line parameters used in Empire
EventType = Process.Start
Process.CommandLine = (?=.*-NoP)(?=.*-sta)(?=.*-NonI)(?=.*-W)(?=.*Hidden)(?=.*-Enc)
Process.CommandLine = (?=.*-noP)(?=.*-sta)(?=.*-w)(?=.*1)(?=.*-enc)
Process.CommandLine = (?=.*-NoP)(?=.*-NonI)(?=.*-W)(?=.*Hidden)(?=.*-enc)
Tag = proc-start-empire-powershell-launch-parameters
RiskScore = 100

[ProcessTaggingRule]
Rulename = Empire PowerShell UAC Bypass
# Source: https://github.com/Neo23x0/sigma
# Detects some Empire PowerShell UAC bypass methods
EventType = Process.Start
Process.CommandLine = (?=.*-NoP)(?=.*-NonI)(?=.*-w)(?=.*Hidden)(?=.*-c)(?=.*$x=$((gp)(?=.*HKCU:Software\\\\Microsoft\\\\Windows)(?=.*Update)\.Update))
Process.CommandLine = (?=.*-NoP)(?=.*-NonI)(?=.*-c)(?=.*$x=$((gp)(?=.*HKCU:Software\\\\Microsoft\\\\Windows)(?=.*Update)\.Update);)
Tag = proc-start-empire-powershell-uac-bypass
RiskScore = 100

[ProcessTaggingRule]
Rulename = WMI Backdoor Exchange Transport Agent
# Source: https://github.com/Neo23x0/sigma
# Detects a WMi backdoor in Exchange Transport Agents via WMi event filters
EventType = Process.Start
Parent.Name = ^EdgeTransport\.exe$
Tag = proc-start-wmi-backdoor-exchange-transport-agent
RiskScore = 100

Leave a Reply

Your email address will not be published. Required fields are marked *