This documentation applies to a beta version of uberAgent (docs for the latest official release)

sigma-proc-creation-low.conf

The following is the sigma-proc-creation-low.conf configuration file that ships with uberAgent. It contains process tagging rules derived from the Sigma project for use with uberAgent ESA.

#
# These rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules flagged with the level 'low' from the repository with Python
#    1. Clone the repository locally
#    2. Using a command line, change to the locally cloned repository
#    3. Run "python tools/sigmac -I --target uberagent -f level=low -r rules/windows/process_creation"
#

[ProcessTaggingRule]
Rulename = Hiding Files with Attrib.exe
# Source: https://github.com/Neo23x0/sigma
# Detects usage of attrib.exe to hide files from users.
# The match values in this file use regex syntax (^/$ anchors, \. escapes, (?=...) lookaheads);
# the regex engine and its quantifier rules are not documented on this page.
EventType = Process.Start
Process.Name = ^attrib\.exe$
# "+h" sets the hidden attribute. NOTE(review): the "+" is not escaped here although "/" and "." are
# escaped elsewhere in this file (\/c, \.exe); in most regex engines a leading "+" is a syntax error.
# Confirm the pattern loads as intended, or use "\+h".
Process.CommandLine = +h
# Exclusions (!=): benign attrib invocations that would otherwise match.
Process.CommandLine != \\desktop\.ini
Parent.Name != ^cmd\.exe$
# NOTE(review): ".*+R" (and the other ".*+" groups) is a quantifier directly after ".*"; depending on the
# engine this is possessive (and never matches a literal "+R") or invalid, so this exclusion may be inert.
# "\\\.*\.cui" matches a backslash, zero or more dots, then ".cui" rather than "\<name>.cui" — verify both
# against the original Sigma filter ("+R", "+H", "+S", "+A", "*.cui").
Process.CommandLine != (?=.*+R)(?=.*+H)(?=.*+S)(?=.*+A)(?=.*\\\.*\.cui)
# Same "\\\.*" construct as above: as written it does not match "system32\<name>.bat".
Parent.CommandLine != C:\\WINDOWS\\system32\\\.*\.bat
Tag = proc-start-hiding-files-with-attrib.exe
RiskScore = 25

[ProcessTaggingRule]
Rulename = Change Default File Association
# Source: https://github.com/Neo23x0/sigma
# When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
EventType = Process.Start
# No Process.Name constraint: the rule keys on the command line only. The three unanchored values
# (cmd, /c, assoc) are presumably required together — how repeated keys combine is not stated in this file.
Process.CommandLine = cmd
# Forward slash escaped as \/ like the other switch patterns in this file.
Process.CommandLine = \/c
Process.CommandLine = assoc
Tag = proc-start-change-default-file-association
RiskScore = 25

[ProcessTaggingRule]
Rulename = Cmdkey Cached Credentials Recon
# Source: https://github.com/Neo23x0/sigma
# Detects usage of cmdkey to look for cached credentials
EventType = Process.Start
Process.Name = ^cmdkey\.exe$
# "/list" prints the stored credential entries; unanchored, so it matches anywhere in the command line.
Process.CommandLine = \/list
Tag = proc-start-cmdkey-cached-credentials-recon
RiskScore = 25

[ProcessTaggingRule]
Rulename = Data Compressed - rar.exe
# Source: https://github.com/Neo23x0/sigma
# An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
EventType = Process.Start
Process.Name = ^rar\.exe$
# The single unanchored letter "a" matches nearly every command line, so in practice
# the Process.Name check above is what makes this rule selective.
Process.CommandLine = a
Tag = proc-start-data-compressed-rar.exe
RiskScore = 25

[ProcessTaggingRule]
Rulename = Indirect Command Execution
# Source: https://github.com/Neo23x0/sigma
# Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
EventType = Process.Start
# Two Parent.Name values. A process has exactly one parent, so these can only be meaningful as
# alternatives (either parent). The any-of vs all-of semantics of repeated keys is not documented
# in this file — confirm against the uberAgent rule reference.
Parent.Name = ^pcalua\.exe$
Parent.Name = ^forfiles\.exe$
Tag = proc-start-indirect-command-execution
RiskScore = 25

[ProcessTaggingRule]
Rulename = Local Accounts Discovery
# Source: https://github.com/Neo23x0/sigma
# Local accounts, System Owner/User discovery using operating systems utilities
# NOTE(review): this rule mixes alternatives (several Process.Name values) with conditions that only
# make sense together (e.g. a Process.Name plus its CommandLine switches). The generated layout does
# not show the grouping, and the file does not state how repeated keys combine; verify the loaded
# rule against the original Sigma selections before relying on it.
EventType = Process.Start
Process.Name = ^whoami\.exe$
# wmic with "useraccount get"
Process.Name = ^wmic\.exe$
Process.CommandLine = useraccount
Process.CommandLine = get
Process.Name = ^quser\.exe$
Process.Name = ^qwinsta\.exe$
# cmdkey /list
Process.Name = ^cmdkey\.exe$
Process.CommandLine = \/list
# cmd /c dir \Users, excluding rmdir
Process.Name = ^cmd\.exe$
Process.CommandLine = \/c
Process.CommandLine = dir
Process.CommandLine = \\Users
Process.CommandLine != rmdir
# net/net1 user: "user" is unanchored and also matches "useraccount" and "\Users" above.
Process.Name = ^net\.exe$
Process.Name = ^net1\.exe$
Process.CommandLine = user
# Exclusions (!=): net user switches that modify accounts or query the domain rather than list local ones.
Process.CommandLine != \/domain
Process.CommandLine != \/add
Process.CommandLine != \/delete
Process.CommandLine != \/active
Process.CommandLine != \/expires
Process.CommandLine != \/passwordreq
Process.CommandLine != \/scriptpath
Process.CommandLine != \/times
Process.CommandLine != \/workstations
Tag = proc-start-local-accounts-discovery
RiskScore = 25

[ProcessTaggingRule]
Rulename = Network Sniffing
# Source: https://github.com/Neo23x0/sigma
# Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
EventType = Process.Start
# tshark with an interface switch; "-i" is unanchored and also matches e.g. "-i2" or "--interface".
Process.Name = ^tshark\.exe$
Process.CommandLine = -i
# windump with any command line.
Process.Name = ^windump\.exe$
Tag = proc-start-network-sniffing
RiskScore = 25

[ProcessTaggingRule]
Rulename = Windows Network Enumeration
# Source: https://github.com/Neo23x0/sigma
# Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
EventType = Process.Start
Process.Name = ^net\.exe$
Process.Name = ^net1\.exe$
# "view" is unanchored.
Process.CommandLine = view
# Exclusion (!=): any command line containing a backslash — presumably "net view \\host"
# lookups of a specific machine rather than a listing of the whole network.
Process.CommandLine != \\
Tag = proc-start-windows-network-enumeration
RiskScore = 25

[ProcessTaggingRule]
Rulename = New Service Creation
# Source: https://github.com/Neo23x0/sigma
# Detects creation of a new service
EventType = Process.Start
# sc create ... binpath=
Process.Name = ^sc\.exe$
Process.CommandLine = create
# Written lower-case here while other rules use mixed case (e.g. Get-Date); whether
# matching is case-insensitive is not stated in this file — confirm.
Process.CommandLine = binpath
# PowerShell New-Service cmdlet; same case caveat applies.
Process.Name = ^powershell\.exe$
Process.CommandLine = new-service
Tag = proc-start-new-service-creation
RiskScore = 25

[ProcessTaggingRule]
Rulename = Possible Applocker Bypass
# Source: https://github.com/Neo23x0/sigma
# Detects execution of executables that can be used to bypass Applocker whitelisting
EventType = Process.Start
# No Process.Name constraint: each value is "\<binary>.exe" matched anywhere in the command line,
# i.e. the binary as the last path component. The rule does not match the binary name alone.
Process.CommandLine = \\msdt\.exe
Process.CommandLine = \\installutil\.exe
Process.CommandLine = \\regsvcs\.exe
Process.CommandLine = \\regasm\.exe
Process.CommandLine = \\msbuild\.exe
Process.CommandLine = \\ieexec\.exe
Tag = proc-start-possible-applocker-bypass
RiskScore = 25

[ProcessTaggingRule]
Rulename = PsExec Service Start
# Source: https://github.com/Neo23x0/sigma
# Detects a PsExec service start
EventType = Process.Start
# Matches the default service binary path only (drive C:, Windows directory); unanchored.
Process.CommandLine = C:\\Windows\\PSEXESVC\.exe
Tag = proc-start-psexec-service-start
RiskScore = 25

[ProcessTaggingRule]
Rulename = Query Registry
# Source: https://github.com/Neo23x0/sigma
# Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
EventType = Process.Start
Process.Name = ^reg\.exe$
# reg.exe verbs of interest.
Process.CommandLine = query
Process.CommandLine = save
Process.CommandLine = export
# Registry path fragments (backslashes doubled for the regex). All are unanchored, so
# "currentVersion\\run" also matches the runOnce/runOnceEx/runServices lines listed here.
Process.CommandLine = currentVersion\\windows
Process.CommandLine = currentVersion\\runServicesOnce
Process.CommandLine = currentVersion\\runServices
Process.CommandLine = winlogon
Process.CommandLine = currentVersion\\shellServiceObjectDelayLoad
Process.CommandLine = currentVersion\\runOnce
Process.CommandLine = currentVersion\\runOnceEx
Process.CommandLine = currentVersion\\run
Process.CommandLine = currentVersion\\policies\\explorer\\run
Process.CommandLine = currentcontrolset\\services
Tag = proc-start-query-registry
RiskScore = 25

[ProcessTaggingRule]
Rulename = Discovery of a System Time
# Source: https://github.com/Neo23x0/sigma
# Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
EventType = Process.Start
# net/net1 time
Process.Name = ^net\.exe$
Process.Name = ^net1\.exe$
Process.CommandLine = time
# w32tm /tz — "tz" is unanchored and only two characters long.
Process.Name = ^w32tm\.exe$
Process.CommandLine = tz
# PowerShell Get-Date; mixed case here vs. lower-case values elsewhere in the file (new-service),
# so whether matching is case-insensitive matters — not stated on this page.
Process.Name = ^powershell\.exe$
Process.CommandLine = Get-Date
Tag = proc-start-discovery-of-a-system-time
RiskScore = 25

[ProcessTaggingRule]
Rulename = Service Execution
# Source: https://github.com/Neo23x0/sigma
# Detects manual service execution (start) via system utilities
EventType = Process.Start
Process.Name = ^net\.exe$
Process.Name = ^net1\.exe$
# "start" is unanchored (also matches e.g. "startup" in an argument).
Process.CommandLine = start
Tag = proc-start-service-execution
RiskScore = 25

[ProcessTaggingRule]
Rulename = Stop Windows Service
# Source: https://github.com/Neo23x0/sigma
# Detects a Windows service being stopped
EventType = Process.Start
# Any of sc.exe, net.exe or net1.exe with "stop" in the command line.
Process.Name = ^sc\.exe$
Process.Name = ^net\.exe$
Process.Name = ^net1\.exe$
Process.CommandLine = stop
Tag = proc-start-stop-windows-service
RiskScore = 25

[ProcessTaggingRule]
Rulename = Suspicious Commandline Escape
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious process that use escape characters
EventType = Process.Start
# Intended to catch "http" obfuscated with cmd.exe caret escapes (h^t^t^p).
# NOTE(review): the carets are not escaped. In the regex syntax used by this file "^" is a
# start-of-input anchor, so a "^" between characters can never match and this line is inert;
# the metacharacters likely need escaping, i.e. "\^h\^t\^t\^p". Confirm before relying on it.
Process.CommandLine = ^h^t^t^p
# Same idea with embedded double quotes (h"t"t"p); quotes are not regex metacharacters.
Process.CommandLine = h"t"t"p
Tag = proc-start-suspicious-commandline-escape
RiskScore = 25

[ProcessTaggingRule]
Rulename = Net.exe Execution
# Source: https://github.com/Neo23x0/sigma
# Detects execution of Net.exe, whether suspicious or benign.
EventType = Process.Start
Process.Name = ^net\.exe$
Process.Name = ^net1\.exe$
# net subcommands of interest; all unanchored, so "use" also matches "user" and "group" also
# matches "localgroup".
Process.CommandLine = group
Process.CommandLine = localgroup
Process.CommandLine = user
Process.CommandLine = view
Process.CommandLine = share
Process.CommandLine = accounts
Process.CommandLine = use
Process.CommandLine = stop
Tag = proc-start-net.exe-execution
RiskScore = 25

[ProcessTaggingRule]
Rulename = Scheduled Task Creation
# Source: https://github.com/Neo23x0/sigma
# Detects the creation of scheduled tasks in user session
EventType = Process.Start
Process.Name = ^schtasks\.exe$
Process.CommandLine = \/create
# Exclusion (!=): tasks created by the SYSTEM account.
# NOTE(review): the backslash is single here while other patterns in this file double it (e.g. \\Windows).
# If this value is a regex, "\S" is the non-whitespace class, which still matches a literal backslash,
# so the exclusion works by accident; "NT AUTHORITY\\SYSTEM" would be the consistent form — confirm.
Process.User != NT AUTHORITY\SYSTEM
Tag = proc-start-scheduled-task-creation
RiskScore = 25

[ProcessTaggingRule]
Rulename = Taskmgr as Parent
# Source: https://github.com/Neo23x0/sigma
# Detects the creation of a process from Windows task manager
EventType = Process.Start
Parent.Name = ^taskmgr\.exe$
# Exclusions (!=): children Task Manager launches itself (Resource Monitor, MMC, a new Task Manager).
Process.Name != ^resmon\.exe$
Process.Name != ^mmc\.exe$
Process.Name != ^taskmgr\.exe$
Tag = proc-start-taskmgr-as-parent
RiskScore = 25
