Documentation

Contents
Contents
Contents
Contents
!
This documentation applies to a beta version of uberAgent (docs for the latest official release)

sigma-proc-creation-high.conf

The following is the sigma-proc-creation-high.conf configuration file that ships with uberAgent. It contains process tagging rules derived from the Sigma project for use with uberAgent ESA.

#
# These rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules flagged with the level 'high' from the repository with Python
#    1. Clone the repository locally
#    2. Using a command line, change to the locally cloned repository
#    4. Run "python tools/sigmac -I --target uberagent -f level=high -r rules/windows/process_creation"
#

[ProcessTaggingRule]
Rulename = Baby Shark Activity
# Source: https://github.com/Neo23x0/sigma
# Detects activity that could be related to Baby Shark malware
EventType = Process.Start
Process.CommandLine = (?=.*reg)(?=.*query)(?=.*"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal)(?=.*Server)(?=.*Client\\Default")
Process.CommandLine = (?=.*powershell\.exe)(?=.*mshta\.exe)(?=.*http)
Process.CommandLine = (?=.*cmd\.exe)(?=.*\/c)(?=.*taskkill)(?=.*\/im)(?=.*cmd\.exe)
Tag = proc-start-baby-shark-activity
RiskScore = 75

[ProcessTaggingRule]
Rulename = Hurricane Panda Activity
# Source: https://github.com/Neo23x0/sigma
# Detects Hurricane Panda Activity
EventType = Process.Start
Process.CommandLine = (?=.*localgroup)(?=.*administrators)(?=.*admin)(?=.*\/add)
Process.CommandLine = \\Win64\.exe
Tag = proc-start-hurricane-panda-activity
RiskScore = 75

[ProcessTaggingRule]
Rulename = Mustang Panda Dropper
# Source: https://github.com/Neo23x0/sigma
# Detects specific process parameters as used by Mustang Panda droppers
EventType = Process.Start
Process.CommandLine = (?=.*Temp\\wtask\.exe)(?=.*\/create)
Process.CommandLine = %windir:~-3,1%%PUBLIC:~-9,1%
Process.CommandLine = (?=.*\/E:vbscript)(?=.*C:\\Users\\)(?=.*\.txt")(?=.*\/F)
Process.CommandLine = (?=.*\/tn)(?=.*"Security)(?=.*Script)
Process.CommandLine = %windir:~-1,1%
Process.Name = ^winwsh\.exe$
Tag = proc-start-mustang-panda-dropper
RiskScore = 75

[ProcessTaggingRule]
Rulename = Ps.exe Renamed SysInternals Tool
# Source: https://github.com/Neo23x0/sigma
# Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
EventType = Process.Start
Process.CommandLine = (?=.*ps\.exe)(?=.*-accepteula)
Tag = proc-start-ps.exe-renamed-sysinternals-tool
RiskScore = 75

[ProcessTaggingRule]
Rulename = TropicTrooper Campaign November 2018
# Source: https://github.com/Neo23x0/sigma
# Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
EventType = Process.Start
Process.CommandLine = abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc
Tag = proc-start-tropictrooper-campaign-november-2018
RiskScore = 75

[ProcessTaggingRule]
Rulename = Modification of Boot Configuration
# Source: https://github.com/Neo23x0/sigma
# Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
EventType = Process.Start
Process.Name = ^bcdedit\.exe$
Process.CommandLine = set
Process.CommandLine = bootstatuspolicy
Process.CommandLine = ignoreallfailures
Process.CommandLine = recoveryenabled
Process.CommandLine = no
Tag = proc-start-modification-of-boot-configuration
RiskScore = 75

[ProcessTaggingRule]
Rulename = CMSTP UAC Bypass via COM Object Access
# Source: https://github.com/Neo23x0/sigma
# Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
EventType = Process.Start
Parent.CommandLine = \\DllHost\.exe
Parent.CommandLine = {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Parent.CommandLine = {3E000D72-A845-4CD9-BD83-80C07C3B881F}
Tag = proc-start-cmstp-uac-bypass-via-com-object-access
RiskScore = 75

[ProcessTaggingRule]
Rulename = Copying Sensitive Files with Credential Data
# Source: https://github.com/Neo23x0/sigma
# Files with well-known filenames (sensitive files with credential data) copying
EventType = Process.Start
Process.Name = ^esentutl\.exe$
Process.CommandLine = vss
Process.CommandLine = \/m
Process.CommandLine = \/y
Process.CommandLine = \\windows\\ntds\\ntds\.dit
Process.CommandLine = \\config\\sam
Process.CommandLine = \\config\\security
Process.CommandLine = \\config\\system
Process.CommandLine = \\repair\\sam
Process.CommandLine = \\repair\\system
Process.CommandLine = \\repair\\security
Process.CommandLine = \\config\\RegBack\\sam
Process.CommandLine = \\config\\RegBack\\system
Process.CommandLine = \\config\\RegBack\\security
Tag = proc-start-copying-sensitive-files-with-credential-data
RiskScore = 75

[ProcessTaggingRule]
Rulename = Fireball Archer Install
# Source: https://github.com/Neo23x0/sigma
# Detects Archer malware invocation via rundll32
EventType = Process.Start
Process.CommandLine = (?=.*\\rundll32\.exe)(?=.*,InstallArcherSvc)
Tag = proc-start-fireball-archer-install
RiskScore = 75

[ProcessTaggingRule]
Rulename = DNS Exfiltration Tools Execution
# Source: https://github.com/Neo23x0/sigma
# Well-known DNS Exfiltration tools execution
EventType = Process.Start
Process.Name = ^iodine\.exe$
Process.Path = \\dnscat2
Tag = proc-start-dns-exfiltration-tools-execution
RiskScore = 75

[ProcessTaggingRule]
Rulename = Disable of ETW Trace
# Source: https://github.com/Neo23x0/sigma
# Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
EventType = Process.Start
Process.CommandLine = (?=.*cl)(?=.*\/Trace)
Process.CommandLine = (?=.*clear-log)(?=.*\/Trace)
Process.CommandLine = (?=.*sl)(?=.*\/e:false)
Process.CommandLine = (?=.*set-log)(?=.*\/e:false)
Tag = proc-start-disable-of-etw-trace
RiskScore = 75

[ProcessTaggingRule]
Rulename = Exploiting SetupComplete.cmd CVE-2019-1378
# Source: https://github.com/Neo23x0/sigma
# Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378
EventType = Process.Start
Parent.CommandLine = (?=.*\\cmd\.exe)(?=.*\/c)(?=.*C:\\Windows\\Setup\\Scripts\\SetupComplete\.cmd)
Parent.CommandLine = (?=.*\\cmd\.exe)(?=.*\/c)(?=.*C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete\.cmd)
Process.Path != C:\\Windows\\System32\\
Process.Path != C:\\Windows\\SysWOW64\\
Process.Path != C:\\Windows\\WinSxS\\
Process.Path != C:\\Windows\\Setup\\
Tag = proc-start-exploiting-setupcomplete.cmd-cve-2019-1378
RiskScore = 75

[ProcessTaggingRule]
Rulename = Bloodhound and Sharphound Hack Tool
# Source: https://github.com/Neo23x0/sigma
# Detects command line parameters used by Bloodhound and Sharphound hack tools
EventType = Process.Start
Process.Name = ^Bloodhound\.exe$
Process.Name = ^SharpHound\.exe$
Process.CommandLine = (?=.*-CollectionMethod)(?=.*All)
Process.CommandLine = (?=.*\.exe)(?=.*-c)(?=.*All)(?=.*-d)
Process.CommandLine = Invoke-Bloodhound
Process.CommandLine = Get-BloodHoundData
Process.CommandLine = -JsonFolder
Process.CommandLine = -ZipFileName
Process.CommandLine = DCOnly
Process.CommandLine = --NoSaveCache
Tag = proc-start-bloodhound-and-sharphound-hack-tool
RiskScore = 75

[ProcessTaggingRule]
Rulename = Koadic Execution
# Source: https://github.com/Neo23x0/sigma
# Detects command line parameters used by Koadic hack tool
EventType = Process.Start
Process.CommandLine = (?=.*cmd\.exe)(?=.*\/q)(?=.*\/c)(?=.*chcp)
Tag = proc-start-koadic-execution
RiskScore = 75

[ProcessTaggingRule]
Rulename = HH.exe Execution
# Source: https://github.com/Neo23x0/sigma
# Identifies usage of hh.exe executing recently modified .chm files.
EventType = Process.Start
Process.Name = ^hh\.exe$
Process.CommandLine = \.chm
Tag = proc-start-hh.exe-execution
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious HWP Sub Processes
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
EventType = Process.Start
Parent.Name = ^Hwp\.exe$
Process.Name = ^gbb\.exe$
Tag = proc-start-suspicious-hwp-sub-processes
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Debugger Registration Cmdline
# Source: https://github.com/Neo23x0/sigma
# Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
EventType = Process.Start
Process.CommandLine = (?=.*\\CurrentVersion\\Image)(?=.*File)(?=.*Execution)(?=.*Options\\sethc\.exe)
Process.CommandLine = (?=.*\\CurrentVersion\\Image)(?=.*File)(?=.*Execution)(?=.*Options\\utilman\.exe)
Process.CommandLine = (?=.*\\CurrentVersion\\Image)(?=.*File)(?=.*Execution)(?=.*Options\\osk\.exe)
Process.CommandLine = (?=.*\\CurrentVersion\\Image)(?=.*File)(?=.*Execution)(?=.*Options\\magnify\.exe)
Process.CommandLine = (?=.*\\CurrentVersion\\Image)(?=.*File)(?=.*Execution)(?=.*Options\\narrator\.exe)
Process.CommandLine = (?=.*\\CurrentVersion\\Image)(?=.*File)(?=.*Execution)(?=.*Options\\displayswitch\.exe)
Process.CommandLine = (?=.*\\CurrentVersion\\Image)(?=.*File)(?=.*Execution)(?=.*Options\\atbroker\.exe)
Tag = proc-start-suspicious-debugger-registration-cmdline
RiskScore = 75

[ProcessTaggingRule]
Rulename = Interactive AT Job
# Source: https://github.com/Neo23x0/sigma
# Detect an interactive AT job, which may be used as a form of privilege escalation
EventType = Process.Start
Process.Name = ^at\.exe$
Process.CommandLine = interactive
Tag = proc-start-interactive-at-job
RiskScore = 75

[ProcessTaggingRule]
Rulename = MSHTA Spwaned by SVCHOST
# Source: https://github.com/Neo23x0/sigma
# Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report
EventType = Process.Start
Parent.Name = ^svchost\.exe$
Process.Name = ^mshta\.exe$
Tag = proc-start-mshta-spwaned-by-svchost
RiskScore = 75

[ProcessTaggingRule]
Rulename = LSASS Memory Dumping
# Source: https://github.com/Neo23x0/sigma
# Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
EventType = Process.Start
Process.CommandLine = lsass
Process.CommandLine = \.dmp
Process.Name != ^werfault\.exe$
Process.Path = \\procdump
Process.Name = ^\.exe$
Process.CommandLine = lsass
Tag = proc-start-lsass-memory-dumping
RiskScore = 75

[ProcessTaggingRule]
Rulename = WScript or CScript Dropper
# Source: https://github.com/Neo23x0/sigma
# Detects wscript/cscript executions of scripts located in user directories
EventType = Process.Start
Process.Name = ^wscript\.exe$
Process.Name = ^cscript\.exe$
Process.CommandLine = C:\\Users\\\.*\.jse
Process.CommandLine = C:\\Users\\\.*\.vbe
Process.CommandLine = C:\\Users\\\.*\.js
Process.CommandLine = C:\\Users\\\.*\.vba
Process.CommandLine = C:\\Users\\\.*\.vbs
Process.CommandLine = C:\\ProgramData\\\.*\.jse
Process.CommandLine = C:\\ProgramData\\\.*\.vbe
Process.CommandLine = C:\\ProgramData\\\.*\.js
Process.CommandLine = C:\\ProgramData\\\.*\.vba
Process.CommandLine = C:\\ProgramData\\\.*\.vbs
Parent.Path != \\winzip
Tag = proc-start-wscript-or-cscript-dropper
RiskScore = 75

[ProcessTaggingRule]
Rulename = Meterpreter or Cobalt Strike Getsystem Service Start
# Source: https://github.com/Neo23x0/sigma
# Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
EventType = Process.Start
Parent.Name = ^services\.exe$
Process.CommandLine = cmd
Process.CommandLine = comspec
Process.CommandLine = cmd
Process.CommandLine = \/c
Process.CommandLine = echo
Process.CommandLine = \\pipe
Process.CommandLine = %COMSPEC%
Process.CommandLine = \/c
Process.CommandLine = echo
Process.CommandLine = \\pipe
Process.CommandLine = rundll32
Process.CommandLine = \.dll,a
Process.CommandLine = \/p:
Process.CommandLine != MpCmdRun
Tag = proc-start-meterpreter-or-cobalt-strike-getsystem-service-start
RiskScore = 75

[ProcessTaggingRule]
Rulename = MMC Spawning Windows Shell
# Source: https://github.com/Neo23x0/sigma
# Detects a Windows command line executable started from MMC.
EventType = Process.Start
Parent.Name = ^mmc\.exe$
Process.Path = ^cmd\.exe$
Process.Path = ^powershell\.exe$
Process.Path = ^wscript\.exe$
Process.Path = ^cscript\.exe$
Process.Path = ^sh\.exe$
Process.Path = ^bash\.exe$
Process.Path = ^reg\.exe$
Process.Path = ^regsvr32\.exe$
Process.Path = \\BITSADMIN
Tag = proc-start-mmc-spawning-windows-shell
RiskScore = 75

[ProcessTaggingRule]
Rulename = Mshta JavaScript Execution
# Source: https://github.com/Neo23x0/sigma
# Identifies suspicious mshta.exe commands
EventType = Process.Start
Process.Name = ^mshta\.exe$
Process.CommandLine = javascript
Tag = proc-start-mshta-javascript-execution
RiskScore = 75

[ProcessTaggingRule]
Rulename = MSHTA Spawning Windows Shell
# Source: https://github.com/Neo23x0/sigma
# Detects a Windows command line executable started from MSHTA.
EventType = Process.Start
Parent.Name = ^mshta\.exe$
Process.Path = ^cmd\.exe$
Process.Path = ^powershell\.exe$
Process.Path = ^wscript\.exe$
Process.Path = ^cscript\.exe$
Process.Path = ^sh\.exe$
Process.Path = ^bash\.exe$
Process.Path = ^reg\.exe$
Process.Path = ^regsvr32\.exe$
Process.Path = \\BITSADMIN
Tag = proc-start-mshta-spawning-windows-shell
RiskScore = 75

[ProcessTaggingRule]
Rulename = Netsh RDP Port Forwarding
# Source: https://github.com/Neo23x0/sigma
# Detects netsh commands that configure a port forwarding of port 3389 used for RDP
EventType = Process.Start
Process.CommandLine = (?=.*netsh)(?=.*i)(?=.*p)(?=.*=3389)(?=.*c)
Tag = proc-start-netsh-rdp-port-forwarding
RiskScore = 75

[ProcessTaggingRule]
Rulename = Microsoft Office Product Spawning Windows Shell
# Source: https://github.com/Neo23x0/sigma
# Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
EventType = Process.Start
Parent.Name = ^WINWORD\.EXE$
Parent.Name = ^EXCEL\.EXE$
Parent.Name = ^POWERPNT\.exe$
Parent.Name = ^MSPUB\.exe$
Parent.Name = ^VISIO\.exe$
Parent.Name = ^OUTLOOK\.EXE$
Process.Name = ^cmd\.exe$
Process.Name = ^powershell\.exe$
Process.Name = ^wscript\.exe$
Process.Name = ^cscript\.exe$
Process.Name = ^sh\.exe$
Process.Name = ^bash\.exe$
Process.Name = ^scrcons\.exe$
Process.Name = ^schtasks\.exe$
Process.Name = ^regsvr32\.exe$
Process.Name = ^hh\.exe$
Process.Name = ^wmic\.exe$
Process.Name = ^mshta\.exe$
Process.Name = ^rundll32\.exe$
Process.Name = ^msiexec\.exe$
Process.Name = ^forfiles\.exe$
Process.Name = ^scriptrunner\.exe$
Process.Name = ^mftrace\.exe$
Process.Name = ^AppVLP\.exe$
Process.Name = ^svchost\.exe$
Tag = proc-start-microsoft-office-product-spawning-windows-shell
RiskScore = 75

[ProcessTaggingRule]
Rulename = MS Office Product Spawning Exe in User Dir
# Source: https://github.com/Neo23x0/sigma
# Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
EventType = Process.Start
Parent.Name = ^WINWORD\.EXE$
Parent.Name = ^EXCEL\.EXE$
Parent.Name = ^POWERPNT\.exe$
Parent.Name = ^MSPUB\.exe$
Parent.Name = ^VISIO\.exe$
Parent.Name = ^OUTLOOK\.EXE$
Process.Path = C:\\users\\\.*\.exe
Tag = proc-start-ms-office-product-spawning-exe-in-user-dir
RiskScore = 75

[ProcessTaggingRule]
Rulename = Executable Used by PlugX in Uncommon Location
# Source: https://github.com/Neo23x0/sigma
# Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
EventType = Process.Start
Process.Name = ^CamMute\.exe$
Process.Path != \\Lenovo\\Communication Utility\\
Process.Name = ^chrome_frame_helper\.exe$
Process.Path != \\Google\\Chrome\\application\\
Process.Name = ^dvcemumanager\.exe$
Process.Path != \\Microsoft Device Emulator\\
Process.Name = ^Gadget\.exe$
Process.Path != \\Windows Media Player\\
Process.Name = ^hcc\.exe$
Process.Path != \\HTML Help Workshop\\
Process.Name = ^hkcmd\.exe$
Process.Path != \\System32\\
Process.Path != \\SysNative\\
Process.Path != \\SysWowo64\\
Process.Name = ^Mc\.exe$
Process.Path != \\Microsoft Visual Studio
Process.Path != \\Microsoft SDK
Process.Path != \\Windows Kit
Process.Name = ^MsMpEng\.exe$
Process.Path != \\Microsoft Security Client\\
Process.Path != \\Windows Defender\\
Process.Path != \\AntiMalware\\
Process.Name = ^msseces\.exe$
Process.Path != \\Microsoft Security Center\\
Process.Path != \\Microsoft Security Client\\
Process.Path != \\Microsoft Security Essentials\\
Process.Name = ^OInfoP11\.exe$
Process.Path != \\Common Files\\Microsoft Shared\\
Process.Name = ^OleView\.exe$
Process.Path != \\Microsoft Visual Studio
Process.Path != \\Microsoft SDK
Process.Path != \\Windows Kit
Process.Path != \\Windows Resource Kit\\
Process.Name = ^rc\.exe$
Process.Name != \\Microsoft Visual Studio
Process.Name != \\Microsoft SDK
Process.Name != \\Windows Kit
Process.Name != \\Windows Resource Kit\\
Process.Name != ^Microsoft\.NET$
Tag = proc-start-executable-used-by-plugx-in-uncommon-location
RiskScore = 75

[ProcessTaggingRule]
Rulename = Detection of Possible Rotten Potato
# Source: https://github.com/Neo23x0/sigma
# Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
EventType = Process.Start
ParentUser = NT AUTHORITY\NETWORK SERVICE
ParentUser = NT AUTHORITY\LOCAL SERVICE
Process.User = NT AUTHORITY\SYSTEM
Process.Name != ^rundll32\.exe$
Process.CommandLine != DavSetCookie
Tag = proc-start-detection-of-possible-rotten-potato
RiskScore = 75

[ProcessTaggingRule]
Rulename = Powershell AMSI Bypass via .NET Reflection
# Source: https://github.com/Neo23x0/sigma
# Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
EventType = Process.Start
Process.CommandLine = System\.Management\.Automation\.AmsiUtils
Process.CommandLine = amsiInitFailed
Tag = proc-start-powershell-amsi-bypass-via-.net-reflection
RiskScore = 75

[ProcessTaggingRule]
Rulename = Detection of PowerShell Execution via DLL
# Source: https://github.com/Neo23x0/sigma
# Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll
EventType = Process.Start
Process.Name = ^rundll32\.exe$
Description = *Windows-Hostprozess (Rundll32)*
Process.CommandLine = Default\.GetString
Process.CommandLine = FromBase64String
Tag = proc-start-detection-of-powershell-execution-via-dll
RiskScore = 75

[ProcessTaggingRule]
Rulename = FromBase64String Command Line
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious FromBase64String expressions in command line arguments
EventType = Process.Start
Process.CommandLine = ::FromBase64String(
Tag = proc-start-frombase64string-command-line
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious PowerShell Parameter Substring
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious PowerShell invocation with a parameter substring
EventType = Process.Start
Process.Name = ^Powershell\.exe$
Process.CommandLine = (?=.*-windowstyle)(?=.*h)
Process.CommandLine = (?=.*-windowstyl)(?=.*h)
Process.CommandLine = (?=.*-windowsty)(?=.*h)
Process.CommandLine = (?=.*-windowst)(?=.*h)
Process.CommandLine = (?=.*-windows)(?=.*h)
Process.CommandLine = (?=.*-windo)(?=.*h)
Process.CommandLine = (?=.*-wind)(?=.*h)
Process.CommandLine = (?=.*-win)(?=.*h)
Process.CommandLine = (?=.*-wi)(?=.*h)
Process.CommandLine = (?=.*-win)(?=.*h)
Process.CommandLine = (?=.*-win)(?=.*hi)
Process.CommandLine = (?=.*-win)(?=.*hid)
Process.CommandLine = (?=.*-win)(?=.*hidd)
Process.CommandLine = (?=.*-win)(?=.*hidde)
Process.CommandLine = -NoPr
Process.CommandLine = -NoPro
Process.CommandLine = -NoProf
Process.CommandLine = -NoProfi
Process.CommandLine = -NoProfil
Process.CommandLine = -nonin
Process.CommandLine = -nonint
Process.CommandLine = -noninte
Process.CommandLine = -noninter
Process.CommandLine = -nonintera
Process.CommandLine = -noninterac
Process.CommandLine = -noninteract
Process.CommandLine = -noninteracti
Process.CommandLine = -noninteractiv
Process.CommandLine = -ec
Process.CommandLine = -encodedComman
Process.CommandLine = -encodedComma
Process.CommandLine = -encodedComm
Process.CommandLine = -encodedCom
Process.CommandLine = -encodedCo
Process.CommandLine = -encodedC
Process.CommandLine = -encoded
Process.CommandLine = -encode
Process.CommandLine = -encod
Process.CommandLine = -enco
Process.CommandLine = -en
Tag = proc-start-suspicious-powershell-parameter-substring
RiskScore = 75

[ProcessTaggingRule]
Rulename = Default PowerSploit and Empire Schtasks Persistence
# Source: https://github.com/Neo23x0/sigma
# Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
EventType = Process.Start
Parent.Name = ^powershell\.exe$
Process.CommandLine = (?=.*schtasks)(?=.*\/Create)(?=.*\/SC)(?=.*ONLOGON)(?=.*\/TN)(?=.*Updater)(?=.*\/TR)(?=.**powershell)
Process.CommandLine = (?=.*schtasks)(?=.*\/Create)(?=.*\/SC)(?=.*DAILY)(?=.*\/TN)(?=.*Updater)(?=.*\/TR)(?=.**powershell)
Process.CommandLine = (?=.*schtasks)(?=.*\/Create)(?=.*\/SC)(?=.*ONIDLE)(?=.*\/TN)(?=.*Updater)(?=.*\/TR)(?=.**powershell)
Process.CommandLine = (?=.*schtasks)(?=.*\/Create)(?=.*\/SC)(?=.*Updater)(?=.*\/TN)(?=.*Updater)(?=.*\/TR)(?=.**powershell)
Tag = proc-start-default-powersploit-and-empire-schtasks-persistence
RiskScore = 75

[ProcessTaggingRule]
Rulename = Process Dump via Rundll32 and Comsvcs.dll
# Source: https://github.com/Neo23x0/sigma
# Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
EventType = Process.Start
Process.CommandLine = comsvcs\.dll,#24
Process.CommandLine = comsvcs\.dll,MiniDump
Tag = proc-start-process-dump-via-rundll32-and-comsvcs.dll
RiskScore = 75

[ProcessTaggingRule]
Rulename = MSTSC Shadowing
# Source: https://github.com/Neo23x0/sigma
# Detects RDP session hijacking by using MSTSC shadowing
EventType = Process.Start
Process.CommandLine = noconsentprompt
Process.CommandLine = shadow:
Tag = proc-start-mstsc-shadowing
RiskScore = 75

[ProcessTaggingRule]
Rulename = Remote PowerShell Session
# Source: https://github.com/Neo23x0/sigma
# Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
EventType = Process.Start
Process.Name = ^wsmprovhost\.exe$
Parent.Name = ^wsmprovhost\.exe$
Tag = proc-start-remote-powershell-session
RiskScore = 75

[ProcessTaggingRule]
Rulename = Run PowerShell Script from ADS
# Source: https://github.com/Neo23x0/sigma
# Detects PowerShell script execution from Alternate Data Stream (ADS)
EventType = Process.Start
Parent.Name = ^powershell\.exe$
Process.Name = ^powershell\.exe$
Process.CommandLine = Get-Content
Process.CommandLine = -Stream
Tag = proc-start-run-powershell-script-from-ads
RiskScore = 75

[ProcessTaggingRule]
Rulename = Possible Shim Database Persistence via sdbinst.exe
# Source: https://github.com/Neo23x0/sigma
# Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
EventType = Process.Start
Process.Name = ^sdbinst\.exe$
Process.CommandLine = \.sdb
Tag = proc-start-possible-shim-database-persistence-via-sdbinst.exe
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Calculator Usage
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
EventType = Process.Start
Process.CommandLine = \\calc\.exe
Process.Name = ^calc\.exe$
Process.Path != \\Windows\\Sys
Tag = proc-start-suspicious-calculator-usage
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Certutil Command
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
EventType = Process.Start
Process.CommandLine = -decode
Process.CommandLine = \/decode
Process.CommandLine = -decodehex
Process.CommandLine = \/decodehex
Process.CommandLine = -urlcache
Process.CommandLine = \/urlcache
Process.CommandLine = -verifyctl
Process.CommandLine = \/verifyctl
Process.CommandLine = -encode
Process.CommandLine = \/encode
Process.CommandLine = (?=.*certutil)(?=.*-URL)
Process.CommandLine = (?=.*certutil)(?=.*\/URL)
Process.CommandLine = (?=.*certutil)(?=.*-ping)
Process.CommandLine = (?=.*certutil)(?=.*\/ping)
Tag = proc-start-suspicious-certutil-command
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Control Panel DLL Load
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
EventType = Process.Start
Parent.Name = ^control\.exe$
Process.CommandLine = \\rundll32\.exe
Process.CommandLine != Shell32\.dll
Tag = proc-start-suspicious-control-panel-dll-load
RiskScore = 75

[ProcessTaggingRule]
Rulename = Copy from Admin Share
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious copy command from a remote C$ or ADMIN$ share
EventType = Process.Start
Process.CommandLine = (?=.*copy)(?=.*\\c$)
Process.CommandLine = (?=.*copy)(?=.*\\ADMIN$)
Tag = proc-start-copy-from-admin-share
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Parent of Csc.exe
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
EventType = Process.Start
Process.Name = ^csc\.exe$
Parent.Name = ^wscript\.exe$
Parent.Name = ^cscript\.exe$
Parent.Name = ^mshta\.exe$
Tag = proc-start-suspicious-parent-of-csc.exe
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Csc.exe Source File Folder
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
EventType = Process.Start
Process.Name = ^csc\.exe$
Process.CommandLine = \\AppData\\
Process.CommandLine = \\Windows\\Temp\\
Parent.Name != C:\\Program Files
Parent.Name != ^sdiagnhost\.exe$
Parent.Name != ^w3wp\.exe$
Tag = proc-start-suspicious-csc.exe-source-file-folder
RiskScore = 75

[ProcessTaggingRule]
Rulename = ZOHO Dctask64 Process Injection
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious process injection using ZOHO's dctask64.exe
EventType = Process.Start
Process.Name = ^dctask64\.exe$
Process.CommandLine != DesktopCentral_Agent\\agent
Tag = proc-start-zoho-dctask64-process-injection
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Eventlog Clear or Configuration Using Wevtutil
# Source: https://github.com/Neo23x0/sigma
# Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)
EventType = Process.Start
Process.Name = ^powershell\.exe$
Process.CommandLine = Clear-EventLog
Process.CommandLine = Remove-EventLog
Process.CommandLine = Limit-EventLog
Process.Name = ^wmic\.exe$
Process.CommandLine = ClearEventLog
Process.Name = ^wevtutil\.exe$
Process.CommandLine = clear-log
Process.CommandLine = cl
Process.CommandLine = set-log
Process.CommandLine = sl
Tag = proc-start-suspicious-eventlog-clear-or-configuration-using-wevtutil
RiskScore = 75

[ProcessTaggingRule]
Rulename = Execution in Non-Executable Folder
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious exection from an uncommon folder
EventType = Process.Start
Process.Path = ^Recycle\.bin$
Process.Path = \\Users\\All Users\\
Process.Path = \\Users\\Default\\
Process.Path = \\Users\\Public\\
Process.Path = C:\\Perflogs\\
Process.Path = \\config\\systemprofile\\
Process.Path = \\Windows\\Fonts\\
Process.Path = \\Windows\\IME\\
Process.Path = \\Windows\\addins\\
Tag = proc-start-execution-in-non-executable-folder
RiskScore = 75

[ProcessTaggingRule]
Rulename = Executables Started in Suspicious Folder
# Source: https://github.com/Neo23x0/sigma
# Detects process starts of binaries from a suspicious folder
EventType = Process.Start
Process.Path = C:\\PerfLogs\\
Process.Path = C:\\$Recycle\.bin\\
Process.Path = C:\\Intel\\Logs\\
Process.Path = C:\\Users\\Default\\
Process.Path = C:\\Users\\Public\\
Process.Path = C:\\Users\\NetworkService\\
Process.Path = C:\\Windows\\Fonts\\
Process.Path = C:\\Windows\\Debug\\
Process.Path = C:\\Windows\\Media\\
Process.Path = C:\\Windows\\Help\\
Process.Path = C:\\Windows\\addins\\
Process.Path = C:\\Windows\\repair\\
Process.Path = C:\\Windows\\security\\
Process.Path = \\RSA\\MachineKeys\\
Process.Path = C:\\Windows\\system32\\config\\systemprofile\\
Process.Path = C:\\Windows\\Tasks\\
Process.Path = C:\\Windows\\System32\\Tasks\\
Tag = proc-start-executables-started-in-suspicious-folder
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious GUP Usage
# Source: https://github.com/Neo23x0/sigma
# Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
EventType = Process.Start
Process.Name = ^GUP\.exe$
Process.Path != C:\\Users\\\.*\\AppData\\Local\\Notepad++\\updater\\gup\.exe
Process.Path != C:\\Users\\\.*\\AppData\\Roaming\\Notepad++\\updater\\gup\.exe
Process.Path != C:\\Program Files\\Notepad++\\updater\\gup\.exe
Process.Path != C:\\Program Files (x86)\\Notepad++\\updater\\gup\.exe
Tag = proc-start-suspicious-gup-usage
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious MsiExec Directory
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious msiexec process starts in an uncommon directory
EventType = Process.Start
Process.Name = ^msiexec\.exe$
Process.Path != C:\\Windows\\System32\\
Process.Path != C:\\Windows\\SysWOW64\\
Process.Path != C:\\Windows\\WinSxS\\
Tag = proc-start-suspicious-msiexec-directory
RiskScore = 75

[ProcessTaggingRule]
Rulename = Malicious Payload Download via Office Binaries
# Source: https://github.com/Neo23x0/sigma
# Downloads payload from remote server
EventType = Process.Start
Process.Name = ^powerpnt\.exe$
Process.Name = ^winword\.exe$
Process.Name = ^excel\.exe$
Process.CommandLine = http
Tag = proc-start-malicious-payload-download-via-office-binaries
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Netsh DLL Persistence
# Source: https://github.com/Neo23x0/sigma
# Detects persitence via netsh helper
EventType = Process.Start
Process.Name = ^netsh\.exe$
Process.CommandLine = add
Process.CommandLine = helper
Tag = proc-start-suspicious-netsh-dll-persistence
RiskScore = 75

[ProcessTaggingRule]
Rulename = Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
# Source: https://github.com/Neo23x0/sigma
# Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
EventType = Process.Start
Process.CommandLine = \\ntdsutil
Tag = proc-start-invocation-of-active-directory-diagnostic-tool-(ntdsutil.exe)
RiskScore = 75

[ProcessTaggingRule]
Rulename = OpenWith.exe Executes Specified Binary
# Source: https://github.com/Neo23x0/sigma
# The OpenWith.exe executes other binary
EventType = Process.Start
Process.Name = ^OpenWith\.exe$
Process.CommandLine = \/c
Tag = proc-start-openwith.exe-executes-specified-binary
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Execution from Outlook
# Source: https://github.com/Neo23x0/sigma
# Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
EventType = Process.Start
Process.CommandLine = EnableUnsafeClientMailRules
Parent.Name = ^outlook\.exe$
Process.CommandLine = \\\\\\\.*\\\.*\.exe
Tag = proc-start-suspicious-execution-from-outlook
RiskScore = 75

[ProcessTaggingRule]
Rulename = Execution in Outlook Temp Folder
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious program execution in Outlook temp folder
EventType = Process.Start
Process.Name = ^Content\.Outlook$
Tag = proc-start-execution-in-outlook-temp-folder
RiskScore = 75

[ProcessTaggingRule]
Rulename = Ping Hex IP
# Source: https://github.com/Neo23x0/sigma
# Detects a ping command that uses a hex encoded IP address
EventType = Process.Start
Process.CommandLine = (?=.*\\ping\.exe)(?=.*0x)
Process.CommandLine = (?=.*\\ping)(?=.*0x)
Tag = proc-start-ping-hex-ip
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Encoded PowerShell Command Line
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
EventType = Process.Start
Process.CommandLine = (?=.*-e)(?=.*JAB)
Process.CommandLine = (?=.*-e)(?=.*JAB)
Process.CommandLine = (?=.*-e)(?=.*JAB)
Process.CommandLine = (?=.*-e)(?=.*JAB)
Process.CommandLine = (?=.*-e)(?=.*JAB)
Process.CommandLine = (?=.*-e)(?=.*JAB)
Process.CommandLine = (?=.*-en)(?=.*JAB)
Process.CommandLine = (?=.*-enc)(?=.*JAB)
Process.CommandLine = (?=.*-enc)(?=.*JAB)
Process.CommandLine = (?=.*-w)(?=.*hidden)(?=.*-e)(?=.*JAB)
Process.CommandLine = (?=.*BA^J)(?=.*e-)
Process.CommandLine = (?=.*-e)(?=.*SUVYI)
Process.CommandLine = (?=.*-e)(?=.*aWV4I)
Process.CommandLine = (?=.*-e)(?=.*SQBFAFgA)
Process.CommandLine = (?=.*-e)(?=.*aQBlAHgA)
Process.CommandLine = (?=.*-enc)(?=.*SUVYI)
Process.CommandLine = (?=.*-enc)(?=.*aWV4I)
Process.CommandLine = (?=.*-enc)(?=.*SQBFAFgA)
Process.CommandLine = (?=.*-enc)(?=.*aQBlAHgA)
Process.CommandLine != (?=.*-ExecutionPolicy)(?=.*remotesigned)
Tag = proc-start-suspicious-encoded-powershell-command-line
RiskScore = 75

[ProcessTaggingRule]
Rulename = Malicious Base64 Encoded PowerShell Keywords in Command Lines
# Source: https://github.com/Neo23x0/sigma
# Detects base64 encoded strings used in hidden malicious PowerShell command lines
EventType = Process.Start
Process.Name = ^powershell\.exe$
Process.CommandLine = hidden
Process.CommandLine = AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA
Process.CommandLine = aXRzYWRtaW4gL3RyYW5zZmVy
Process.CommandLine = IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA
Process.CommandLine = JpdHNhZG1pbiAvdHJhbnNmZX
Process.CommandLine = YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg
Process.CommandLine = Yml0c2FkbWluIC90cmFuc2Zlc
Process.CommandLine = AGMAaAB1AG4AawBfAHMAaQB6AGUA
Process.CommandLine = JABjAGgAdQBuAGsAXwBzAGkAegBlA
Process.CommandLine = JGNodW5rX3Npem
Process.CommandLine = QAYwBoAHUAbgBrAF8AcwBpAHoAZQ
Process.CommandLine = RjaHVua19zaXpl
Process.CommandLine = Y2h1bmtfc2l6Z
Process.CommandLine = AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A
Process.CommandLine = kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg
Process.CommandLine = lPLkNvbXByZXNzaW9u
Process.CommandLine = SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA
Process.CommandLine = SU8uQ29tcHJlc3Npb2
Process.CommandLine = Ty5Db21wcmVzc2lvb
Process.CommandLine = AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ
Process.CommandLine = kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA
Process.CommandLine = lPLk1lbW9yeVN0cmVhb
Process.CommandLine = SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A
Process.CommandLine = SU8uTWVtb3J5U3RyZWFt
Process.CommandLine = Ty5NZW1vcnlTdHJlYW
Process.CommandLine = 4ARwBlAHQAQwBoAHUAbgBrA
Process.CommandLine = 5HZXRDaHVua
Process.CommandLine = AEcAZQB0AEMAaAB1AG4Aaw
Process.CommandLine = LgBHAGUAdABDAGgAdQBuAGsA
Process.CommandLine = LkdldENodW5r
Process.CommandLine = R2V0Q2h1bm
Process.CommandLine = AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A
Process.CommandLine = QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA
Process.CommandLine = RIUkVBRF9JTkZPNj
Process.CommandLine = SFJFQURfSU5GTzY0
Process.CommandLine = VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA
Process.CommandLine = VEhSRUFEX0lORk82N
Process.CommandLine = AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA
Process.CommandLine = cmVhdGVSZW1vdGVUaHJlYW
Process.CommandLine = MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA
Process.CommandLine = NyZWF0ZVJlbW90ZVRocmVhZ
Process.CommandLine = Q3JlYXRlUmVtb3RlVGhyZWFk
Process.CommandLine = QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA
Process.CommandLine = 0AZQBtAG0AbwB2AGUA
Process.CommandLine = 1lbW1vdm
Process.CommandLine = AGUAbQBtAG8AdgBlA
Process.CommandLine = bQBlAG0AbQBvAHYAZQ
Process.CommandLine = bWVtbW92Z
Process.CommandLine = ZW1tb3Zl
Tag = proc-start-malicious-base64-encoded-powershell-keywords-in-command-lines
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Use of Procdump
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
EventType = Process.Start
Process.CommandLine = -ma
Process.CommandLine = lsass
Process.CommandLine = (?=.*-ma)(?=.*ls)
Tag = proc-start-suspicious-use-of-procdump
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Program Location Process Starts
# Source: https://github.com/Neo23x0/sigma
# Detects programs running in suspicious files system locations
EventType = Process.Start
Process.Path = ^Recycle\.bin$
Process.Path = \\Users\\Public\\
Process.Path = C:\\Perflogs\\
Process.Path = \\Windows\\Fonts\\
Process.Path = \\Windows\\IME\\
Process.Path = \\Windows\\addins\\
Process.Path = \\Windows\\debug\\
Tag = proc-start-suspicious-program-location-process-starts
RiskScore = 75

[ProcessTaggingRule]
Rulename = Regsvr32 Anomaly
# Source: https://github.com/Neo23x0/sigma
# Detects various anomalies in relation to regsvr32.exe
EventType = Process.Start
Process.Name = ^regsvr32\.exe$
Process.CommandLine = \\Temp\\
Process.Name = ^regsvr32\.exe$
Parent.Name = ^powershell\.exe$
Process.Name = ^regsvr32\.exe$
Parent.Name = ^cmd\.exe$
Process.Name = ^regsvr32\.exe$
Process.CommandLine = (?=.*\/i:http)(?=.*scrobj\.dll)
Process.CommandLine = (?=.*\/i:ftp)(?=.*scrobj\.dll)
Process.Name = ^wscript\.exe$
Parent.Name = ^regsvr32\.exe$
Process.Name = ^EXCEL\.EXE$
Process.CommandLine = \.\.\\\.\.\\\.\.\\Windows\\System32\\regsvr32\.exe
Tag = proc-start-regsvr32-anomaly
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Call by Ordinal
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
EventType = Process.Start
Process.CommandLine = (?=.*\\rundll32\.exe)(?=.*,#)
Tag = proc-start-suspicious-call-by-ordinal
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious Service Path Modification
# Source: https://github.com/Neo23x0/sigma
# Detects service path modification to powershell/cmd
EventType = Process.Start
Process.Name = ^sc\.exe$
Process.CommandLine = config
Process.CommandLine = binpath
Process.CommandLine = powershell
Process.CommandLine = cmd
Tag = proc-start-suspicious-service-path-modification
RiskScore = 75

[ProcessTaggingRule]
Rulename = Squirrel Lolbin
# Source: https://github.com/Neo23x0/sigma
# Detects Possible Squirrel Packages Manager as Lolbin
EventType = Process.Start
Process.Name = ^update\.exe$
Process.CommandLine = (?=.*--processStart)(?=.*\.exe)
Process.CommandLine = (?=.*--processStartAndWait)(?=.*\.exe)
Process.CommandLine = (?=.*--createShortcut)(?=.*\.exe)
Tag = proc-start-squirrel-lolbin
RiskScore = 75

[ProcessTaggingRule]
Rulename = Taskmgr as LOCAL_SYSTEM
# Source: https://github.com/Neo23x0/sigma
# Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
EventType = Process.Start
Process.User = NT AUTHORITY\SYSTEM
Process.Name = ^taskmgr\.exe$
Tag = proc-start-taskmgr-as-local_system
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious TSCON Start
# Source: https://github.com/Neo23x0/sigma
# Detects a tscon.exe start as LOCAL SYSTEM
EventType = Process.Start
Process.User = NT AUTHORITY\SYSTEM
Process.Name = ^tscon\.exe$
Tag = proc-start-suspicious-tscon-start
RiskScore = 75

[ProcessTaggingRule]
Rulename = Suspicious RDP Redirect Using TSCON
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious RDP session redirect using tscon.exe
EventType = Process.Start
Process.CommandLine = \/dest:rdp-tcp:
Tag = proc-start-suspicious-rdp-redirect-using-tscon
RiskScore = 75

[ProcessTaggingRule]
Rulename = Sysmon Driver Unload
# Source: https://github.com/Neo23x0/sigma
# Detect possible Sysmon driver unload
EventType = Process.Start
Process.Name = ^fltmc\.exe$
Process.CommandLine = unload
Process.CommandLine = sys
Tag = proc-start-sysmon-driver-unload
RiskScore = 75

[ProcessTaggingRule]
Rulename = System File Execution Location Anomaly
# Source: https://github.com/Neo23x0/sigma
# Detects a Windows program executable started in a suspicious folder
EventType = Process.Start
Process.Name = ^svchost\.exe$
Process.Name = ^rundll32\.exe$
Process.Name = ^services\.exe$
Process.Name = ^powershell\.exe$
Process.Name = ^regsvr32\.exe$
Process.Name = ^spoolsv\.exe$
Process.Name = ^lsass\.exe$
Process.Name = ^smss\.exe$
Process.Name = ^csrss\.exe$
Process.Name = ^conhost\.exe$
Process.Name = ^wininit\.exe$
Process.Name = ^lsm\.exe$
Process.Name = ^winlogon\.exe$
Process.Name = ^explorer\.exe$
Process.Name = ^taskhost\.exe$
Process.Path != C:\\Windows\\System32\\
Process.Path != C:\\Windows\\SysWow64\\
Process.Path != C:\\Windows\\SysWOW64\\
Process.Path != C:\\Windows\\explorer\.exe
Process.Path != C:\\Windows\\winsxs\\
Process.Path != C:\\Windows\\WinSxS\\
Process.Path != \\SystemRoot\\System32\\
Tag = proc-start-system-file-execution-location-anomaly
RiskScore = 75

[ProcessTaggingRule]
Rulename = Terminal Service Process Spawn
# Source: https://github.com/Neo23x0/sigma
# Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
EventType = Process.Start
Parent.CommandLine = (?=.*\\svchost\.exe)(?=.*termsvcs)
Process.Name != ^rdpclip\.exe$
Tag = proc-start-terminal-service-process-spawn
RiskScore = 75

[ProcessTaggingRule]
Rulename = Bypass UAC via CMSTP
# Source: https://github.com/Neo23x0/sigma
# Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
EventType = Process.Start
Process.Name = ^cmstp\.exe$
Process.CommandLine = \/s
Process.CommandLine = \/au
Tag = proc-start-bypass-uac-via-cmstp
RiskScore = 75

[ProcessTaggingRule]
Rulename = Bypass UAC via Fodhelper.exe
# Source: https://github.com/Neo23x0/sigma
# Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
EventType = Process.Start
Parent.Name = ^fodhelper\.exe$
Tag = proc-start-bypass-uac-via-fodhelper.exe
RiskScore = 75

[ProcessTaggingRule]
Rulename = Bypass UAC via WSReset.exe
# Source: https://github.com/Neo23x0/sigma
# Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
EventType = Process.Start
Parent.Name = ^wsreset\.exe$
Process.Name != ^conhost\.exe$
Tag = proc-start-bypass-uac-via-wsreset.exe
RiskScore = 75

[ProcessTaggingRule]
Rulename = Webshell Detection With Command Line Keywords
# Source: https://github.com/Neo23x0/sigma
# Detects certain command line parameters often used during reconnaissance activity via web shells
EventType = Process.Start
Parent.Name = \\apache
Parent.Name = \\tomcat
Parent.Name = ^w3wp\.exe$
Parent.Name = ^cgi\.exe$
Parent.Name = ^nginx\.exe$
Parent.Name = ^httpd\.exe$
Process.CommandLine = whoami
Process.CommandLine = (?=.*net)(?=.*user)
Process.CommandLine = (?=.*ping)(?=.*-n)
Process.CommandLine = systeminfo
Process.CommandLine = &cd&echo
Process.CommandLine = (?=.*cd)(?=.*\/d)
Tag = proc-start-webshell-detection-with-command-line-keywords
RiskScore = 75

[ProcessTaggingRule]
Rulename = Shells Spawned by Web Servers
# Source: https://github.com/Neo23x0/sigma
# Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
EventType = Process.Start
Parent.Name = ^w3wp\.exe$
Parent.Name = ^httpd\.exe$
Parent.Name = ^nginx\.exe$
Parent.Name = ^cgi\.exe$
Process.Name = ^cmd\.exe$
Process.Name = ^sh\.exe$
Process.Name = ^bash\.exe$
Process.Name = ^powershell\.exe$
Tag = proc-start-shells-spawned-by-web-servers
RiskScore = 75

[ProcessTaggingRule]
Rulename = Run Whoami as SYSTEM
# Source: https://github.com/Neo23x0/sigma
# Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
EventType = Process.Start
Process.User = NT AUTHORITY\SYSTEM
Process.Name = ^whoami\.exe$
Tag = proc-start-run-whoami-as-system
RiskScore = 75

[ProcessTaggingRule]
Rulename = Windows 10 Scheduled Task SandboxEscaper 0-day
# Source: https://github.com/Neo23x0/sigma
# Detects Task Scheduler .job import arbitrary DACL write\par
EventType = Process.Start
Process.Name = ^schtasks\.exe$
Process.CommandLine = (?=.*\/change)(?=.*\/TN)(?=.*\/RU)(?=.*\/RP)
Tag = proc-start-windows-10-scheduled-task-sandboxescaper-0-day
RiskScore = 75

[ProcessTaggingRule]
Rulename = WMI Persistence - Script Event Consumer
# Source: https://github.com/Neo23x0/sigma
# Detects WMI script event consumers
EventType = Process.Start
Process.Path = C:\\WINDOWS\\system32\\wbem\\scrcons\.exe
Parent.Path = C:\\Windows\\System32\\svchost\.exe
Tag = proc-start-wmi-persistence-script-event-consumer
RiskScore = 75

[ProcessTaggingRule]
Rulename = WMI Spawning Windows PowerShell
# Source: https://github.com/Neo23x0/sigma
# Detects WMI spawning PowerShell
EventType = Process.Start
Parent.Name = ^wmiprvse\.exe$
Process.Name = ^powershell\.exe$
Tag = proc-start-wmi-spawning-windows-powershell
RiskScore = 75

[ProcessTaggingRule]
Rulename = Microsoft Workflow Compiler
# Source: https://github.com/Neo23x0/sigma
# Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
EventType = Process.Start
Process.Name = ^Microsoft\.Workflow$
Tag = proc-start-microsoft-workflow-compiler
RiskScore = 75

[ProcessTaggingRule]
Rulename = Wsreset UAC Bypass
# Source: https://github.com/Neo23x0/sigma
# Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
EventType = Process.Start
Parent.Name = ^WSreset\.exe$
Tag = proc-start-wsreset-uac-bypass
RiskScore = 75

Leave a Reply

Your email address will not be published. Required fields are marked *