This documentation applies to a beta version of uberAgent (docs for the latest official release)

sigma-proc-creation-medium.conf

The following is the sigma-proc-creation-medium.conf configuration file that ships with uberAgent. It contains process tagging rules derived from the Sigma project for use with uberAgent ESA.

#
# These rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules flagged with the level 'medium' from the repository with Python
#    1. Clone the repository locally
#    2. Using a command line, change to the locally cloned repository
#    3. Run "python tools/sigmac -I --target uberagent -f level=medium -r rules/windows/process_creation"
#

[ProcessTaggingRule]
Rulename = Domain Trust Discovery
# Source: https://github.com/Neo23x0/sigma
# Detects a discovery of domain trusts
# NOTE(review): a second rule with the same Rulename and the same Tag
# (proc-start-domain-trust-discovery) appears further down in this file; events
# hitting either rule get an indistinguishable tag. Consolidate into one rule.
# NOTE(review): the line order suggests two groups (dsquery.exe with -filter and
# trustedDomain; nltest.exe with domain_trusts), but repeated keys carry no grouping
# here - verify how uberAgent combines repeated Process.Name/Process.CommandLine lines.
EventType = Process.Start
Process.Name = ^dsquery\.exe$
Process.CommandLine = -filter
Process.CommandLine = trustedDomain
Process.Name = ^nltest\.exe$
Process.CommandLine = domain_trusts
Tag = proc-start-domain-trust-discovery

[ProcessTaggingRule]
Rulename = Exfiltration and Tunneling Tools Execution
# Source: https://github.com/Neo23x0/sigma
# Execution of well known tools for data exfiltration and tunneling
# NOTE(review): NewProcessName with a "*\name.exe" wildcard is the Windows Security
# event field name; every other rule in this file matches the image with
# "Process.Name = ^name\.exe$". Confirm uberAgent accepts this key and wildcard
# syntax - if not, the rule never fires and should be rewritten as
# Process.Name = ^plink\.exe$ (and so on for each tool).
EventType = Process.Start
NewProcessName = *\plink.exe
NewProcessName = *\socat.exe
NewProcessName = *\stunnel.exe
NewProcessName = *\httptunnel.exe
Tag = proc-start-exfiltration-and-tunneling-tools-execution

[ProcessTaggingRule]
Rulename = Exploit for CVE-2017-0261
# Source: https://github.com/Neo23x0/sigma
# Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
# Parent image and child image are both anchored (^...$), so only the bare file
# names match, not a full path.
# NOTE(review): the two patterns mix upper- and lower-case extensions (.EXE / .exe);
# this only works if uberAgent matches names case-insensitively - confirm.
EventType = Process.Start
Parent.Name = ^WINWORD\.EXE$
Process.Name = ^FLTLDR\.exe$
Tag = proc-start-exploit-for-cve-2017-0261

[ProcessTaggingRule]
Rulename = File or Folder Permissions Modifications
# Source: https://github.com/Neo23x0/sigma
# Detects a file or folder permissions modifications
# NOTE(review): the line order suggests three groups (takeown alone; cacls/icacls
# with /grant; attrib with -r), but repeated keys carry no grouping here - verify
# how uberAgent combines them. "-r" is a two-character unanchored substring and will
# match many unrelated command lines if it is evaluated on its own.
EventType = Process.Start
Process.Name = ^takeown\.exe$
Process.Name = ^cacls\.exe$
Process.Name = ^icacls\.exe$
Process.CommandLine = \/grant
Process.Name = ^attrib\.exe$
Process.CommandLine = -r
Tag = proc-start-file-or-folder-permissions-modifications

[ProcessTaggingRule]
Rulename = Grabbing Sensitive Hives via Reg Utility
# Source: https://github.com/Neo23x0/sigma
# Dump sam, system or security hives using REG.exe utility
# NOTE(review): the intent is (save|export) AND (hklm|hkey_local_machine) AND
# (\system|\sam|\security); the flat list of Process.CommandLine lines cannot
# express that grouping. Other rules in this file express "all of" with lookaheads,
# e.g. a single line such as
#   (?=.*(save|export))(?=.*(hklm|hkey_local_machine))(?=.*\\(system|sam|security))
# - verify against uberAgent's regex dialect before switching.
# NOTE(review): NewProcessName is the Windows event field name; the rest of the file
# uses Process.Name = ^reg\.exe$ - confirm the key is supported.
EventType = Process.Start
NewProcessName = *\reg.exe
Process.CommandLine = save
Process.CommandLine = export
Process.CommandLine = hklm
Process.CommandLine = hkey_local_machine
Process.CommandLine = \\system
Process.CommandLine = \\sam
Process.CommandLine = \\security
Tag = proc-start-grabbing-sensitive-hives-via-reg-utility

[ProcessTaggingRule]
Rulename = Mimikatz Command Line
# Source: https://github.com/Neo23x0/sigma
# Detects well-known mimikatz command line arguments
# Each line is an unanchored substring; there is no Process.Name constraint.
# NOTE(review): "rpc", "token", "crypto", "process", "privilege" and "::" occur in
# many benign command lines ("::" in any IPv6 address or batch comment). If uberAgent
# treats repeated keys as alternatives, expect a high false-positive rate; the
# distinctive terms are sekurlsa, lsadump, dpapi, DumpCreds and invoke-mimikatz.
EventType = Process.Start
Process.CommandLine = DumpCreds
Process.CommandLine = invoke-mimikatz
Process.CommandLine = rpc
Process.CommandLine = token
Process.CommandLine = crypto
Process.CommandLine = dpapi
Process.CommandLine = sekurlsa
Process.CommandLine = kerberos
Process.CommandLine = lsadump
Process.CommandLine = privilege
Process.CommandLine = process
Process.CommandLine = ::
Tag = proc-start-mimikatz-command-line

[ProcessTaggingRule]
Rulename = Netsh
# Source: https://github.com/Neo23x0/sigma
# Allow Incoming Connections by Port or Application on Windows Firewall
# Each (?=.*term) lookahead requires the term somewhere in the command line, in
# any order; all three must be present. No Process.Name constraint.
EventType = Process.Start
Process.CommandLine = (?=.*netsh)(?=.*firewall)(?=.*add)
Tag = proc-start-netsh

[ProcessTaggingRule]
Rulename = Capture a Network Trace with netsh.exe
# Source: https://github.com/Neo23x0/sigma
# Detects capture a network trace via netsh.exe trace functionality
# NOTE(review): the intent is netsh AND trace AND start on one command line. As
# three separate Process.CommandLine lines the grouping depends on how uberAgent
# combines repeated keys; the lookahead form used by other rules,
# (?=.*netsh)(?=.*trace)(?=.*start), states it unambiguously - verify and switch.
EventType = Process.Start
Process.CommandLine = netsh
Process.CommandLine = trace
Process.CommandLine = start
Tag = proc-start-capture-a-network-trace-with-netsh.exe

[ProcessTaggingRule]
Rulename = Netsh Port Forwarding
# Source: https://github.com/Neo23x0/sigma
# Detects netsh commands that configure a port forwarding
# All five lookahead terms must appear in the command line, in any order.
EventType = Process.Start
Process.CommandLine = (?=.*netsh)(?=.*interface)(?=.*portproxy)(?=.*add)(?=.*v4tov4)
Tag = proc-start-netsh-port-forwarding

[ProcessTaggingRule]
Rulename = Net.exe User Account Creation
# Source: https://github.com/Neo23x0/sigma
# Identifies creation of local users via the net.exe command
# NOTE(review): the intent is (net.exe OR net1.exe) with "user" AND "add" on the
# command line. "user" and "add" are separate unanchored substrings here; whether
# both are required depends on how uberAgent combines repeated keys - verify, or
# use a single (?=.*user)(?=.*add) line as other rules in this file do.
EventType = Process.Start
Process.Name = ^net\.exe$
Process.Name = ^net1\.exe$
Process.CommandLine = user
Process.CommandLine = add
Tag = proc-start-net.exe-user-account-creation

[ProcessTaggingRule]
Rulename = Non Interactive PowerShell
# Source: https://github.com/Neo23x0/sigma
# Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
# "!=" excludes only a parent named explorer.exe; every other parent (cmd.exe,
# services.exe, task scheduler, ...) qualifies, so this is a baseline/hunting rule
# rather than an alert on its own - expect high volume where scripts run PowerShell.
EventType = Process.Start
Process.Name = ^powershell\.exe$
Parent.Name != ^explorer\.exe$
Tag = proc-start-non-interactive-powershell

[ProcessTaggingRule]
Rulename = Audio Capture via PowerShell
# Source: https://github.com/Neo23x0/sigma
# Detects audio capture via PowerShell Cmdlet
# Single unanchored substring with no Process.Name constraint: the module name
# anywhere in any process's command line matches.
EventType = Process.Start
Process.CommandLine = WindowsAudioDevice-Powershell-Cmdlet
Tag = proc-start-audio-capture-via-powershell

[ProcessTaggingRule]
Rulename = Suspicious Bitsadmin Job via PowerShell
# Source: https://github.com/Neo23x0/sigma
# Detect download by BITS jobs via PowerShell
# Only catches the cmdlet name when it is passed on powershell.exe's command line;
# a call inside a script file presumably does not show up in Process.CommandLine.
EventType = Process.Start
Process.Name = ^powershell\.exe$
Process.CommandLine = Start-BitsTransfer
Tag = proc-start-suspicious-bitsadmin-job-via-powershell

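[ProcessTaggingRule]
Rulename = PowerShell Download from URL
# Source: https://github.com/Neo23x0/sigma
# Detects a Powershell process that contains download commands in its command line string
# The source strings end in ").DownloadString(" / ").DownloadFile(". In the generated
# patterns the unescaped ")" closed the second lookahead early and the trailing "("
# became an empty group "()", so ".downloadstring" had to match at the lookahead
# position and "new-object" had to FOLLOW it - which never holds for the usual
# "(New-Object ...WebClient).DownloadString(...)" form. The parentheses are now
# escaped so every term is an order-independent lookahead like the other rules here.
EventType = Process.Start
Process.Name = ^powershell\.exe$
Process.CommandLine = (?=.*new-object)(?=.*system\.net\.webclient\)\.downloadstring\()
Process.CommandLine = (?=.*new-object)(?=.*system\.net\.webclient\)\.downloadfile\()
Process.CommandLine = (?=.*new-object)(?=.*net\.webclient\)\.downloadstring\()
Process.CommandLine = (?=.*new-object)(?=.*net\.webclient\)\.downloadfile\()
Tag = proc-start-powershell-download-from-url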

[ProcessTaggingRule]
Rulename = Suspicious XOR Encoded PowerShell Command Line
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
# Unanchored "-bxor" substring with no Process.Name constraint.
EventType = Process.Start
Process.CommandLine = -bxor
Tag = proc-start-suspicious-xor-encoded-powershell-command-line

[ProcessTaggingRule]
Rulename = Bitsadmin Download
# Source: https://github.com/Neo23x0/sigma
# Detects usage of bitsadmin downloading a file
# First pattern: the bitsadmin image with "/transfer" on its command line. Second
# pattern: "copy" and "bitsadmin.exe" anywhere on a command line, presumably to
# catch the binary being copied under another name - confirm against the source rule.
EventType = Process.Start
Process.Name = ^bitsadmin\.exe$
Process.CommandLine = \/transfer
Process.CommandLine = (?=.*copy)(?=.*bitsadmin\.exe)
Tag = proc-start-bitsadmin-download

[ProcessTaggingRule]
Rulename = Shadow Copies Access via Symlink
# Source: https://github.com/Neo23x0/sigma
# Shadow Copies storage symbolic link creation using operating systems utilities
# NOTE(review): the intent is mklink AND HarddiskVolumeShadowCopy on one command
# line; as two separate lines the grouping depends on how uberAgent combines
# repeated keys - a single (?=.*mklink)(?=.*HarddiskVolumeShadowCopy) line would
# be unambiguous. Verify before relying on this rule.
EventType = Process.Start
Process.CommandLine = mklink
Process.CommandLine = HarddiskVolumeShadowCopy
Tag = proc-start-shadow-copies-access-via-symlink

[ProcessTaggingRule]
Rulename = Shadow Copies Creation Using Operating Systems Utilities
# Source: https://github.com/Neo23x0/sigma
# Shadow Copies creation using operating systems utilities, possible credential access
# NOTE(review): NewProcessName is the Windows event field name with glob wildcards;
# other rules use Process.Name = ^name\.exe$ - confirm uberAgent supports this key.
# NOTE(review): "shadow" and "create" are separate unanchored substrings; the intent
# is both on one command line - verify how repeated keys are combined.
EventType = Process.Start
NewProcessName = *\powershell.exe
NewProcessName = *\wmic.exe
NewProcessName = *\vssadmin.exe
Process.CommandLine = shadow
Process.CommandLine = create
Tag = proc-start-shadow-copies-creation-using-operating-systems-utilities

[ProcessTaggingRule]
Rulename = Audio Capture via SoundRecorder
# Source: https://github.com/Neo23x0/sigma
# Detect attacker collecting audio via SoundRecorder application
# Anchored image name plus the "/FILE" switch (slash escaped for the regex engine).
EventType = Process.Start
Process.Name = ^SoundRecorder\.exe$
Process.CommandLine = \/FILE
Tag = proc-start-audio-capture-via-soundrecorder

[ProcessTaggingRule]
Rulename = Possible SPN Enumeration
# Source: https://github.com/Neo23x0/sigma
# Detects Service Principal Name Enumeration used for Kerberoasting
# NOTE(review): "Description = *Query or reset the computer* SPN attribute*" uses a
# key no other rule in this file uses and glob wildcards instead of a regex; it
# looks like an untranslated file-description field from the source rule. Confirm
# uberAgent supports it; if not, drop the line - Process.Name plus "-q" already
# constrain the rule.
EventType = Process.Start
Process.Name = ^setspn\.exe$
Description = *Query or reset the computer* SPN attribute*
Process.CommandLine = -q
Tag = proc-start-possible-spn-enumeration

[ProcessTaggingRule]
Rulename = Possible Ransomware or Unauthorized MBR Modifications
# Source: https://github.com/Neo23x0/sigma
# Detects, possibly, malicious unauthorized usage of bcdedit.exe
# NOTE(review): NewProcessName is the Windows event field name with a glob wildcard;
# other rules use Process.Name = ^bcdedit\.exe$ - confirm uberAgent supports it.
# The three Process.CommandLine lines are alternative verbs (delete, deletevalue,
# import); "delete" is an unanchored substring and so also covers "deletevalue".
EventType = Process.Start
NewProcessName = *\bcdedit.exe
Process.CommandLine = delete
Process.CommandLine = deletevalue
Process.CommandLine = import
Tag = proc-start-possible-ransomware-or-unauthorized-mbr-modifications

[ProcessTaggingRule]
Rulename = Application Whitelisting Bypass via Bginfo
# Source: https://github.com/Neo23x0/sigma
# Execute VBscript code that is referenced within the *.bgi file.
# Anchored image name; "/popup" and "/nolicprompt" are two separate switch
# patterns - whether both are required depends on how uberAgent combines repeated
# keys (verify).
EventType = Process.Start
Process.Name = ^bginfo\.exe$
Process.CommandLine = \/popup
Process.CommandLine = \/nolicprompt
Tag = proc-start-application-whitelisting-bypass-via-bginfo

[ProcessTaggingRule]
Rulename = Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
# Source: https://github.com/Neo23x0/sigma
# Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
# Anchored image name plus the "-cf" (script file) switch as an unanchored substring.
# NOTE(review): the Tag contains "/" (derived from the Rulename); most tags in this
# file are letters, digits, "." and "-" - check that "/" is acceptable in uberAgent
# tags and in downstream queries.
EventType = Process.Start
Process.Name = ^cdb\.exe$
Process.CommandLine = -cf
Tag = proc-start-possible-app-whitelisting-bypass-via-windbg/cdb-as-a-shellcode-runner

[ProcessTaggingRule]
Rulename = Certutil Encode
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious certutil command used to encode files, which is sometimes used for data exfiltration
# NOTE(review): lookaheads evaluated at the same position are order-independent, so
# the third line is equivalent to the first and the fourth to the second; the two
# extra lines are harmless but redundant. "-encode" is an unanchored substring and
# therefore also matches "-encodehex"; "certutil" also matches "certutil.exe".
EventType = Process.Start
Process.CommandLine = (?=.*certutil)(?=.*-f)(?=.*-encode)
Process.CommandLine = (?=.*certutil\.exe)(?=.*-f)(?=.*-encode)
Process.CommandLine = (?=.*certutil)(?=.*-encode)(?=.*-f)
Process.CommandLine = (?=.*certutil\.exe)(?=.*-encode)(?=.*-f)
Tag = proc-start-certutil-encode

[ProcessTaggingRule]
Rulename = Command Line Execution with Suspicious URL and AppData Strings
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
# All four terms (cmd.exe, /c, the URL scheme, %AppData%) must appear in any order;
# the two lines differ only in http:// vs https://. "%AppData%" is a literal here.
EventType = Process.Start
Process.CommandLine = (?=.*cmd\.exe)(?=.*\/c)(?=.*http:\/\/)(?=.*%AppData%)
Process.CommandLine = (?=.*cmd\.exe)(?=.*\/c)(?=.*https:\/\/)(?=.*%AppData%)
Tag = proc-start-command-line-execution-with-suspicious-url-and-appdata-strings

[ProcessTaggingRule]
Rulename = Suspicious Code Page Switch
# Source: https://github.com/Neo23x0/sigma
# Detects a code page switch in command line or batch scripts to a rare language
# Code pages 936 (Simplified Chinese, GBK) and 1258 (Vietnamese). The digits are
# unanchored, so "936" or "1258" anywhere on a command line containing "chcp"
# (e.g. inside a path) also matches.
EventType = Process.Start
Process.CommandLine = (?=.*chcp)(?=.*936)
Process.CommandLine = (?=.*chcp)(?=.*1258)
Tag = proc-start-suspicious-code-page-switch

[ProcessTaggingRule]
Rulename = Curl Start Combination
# Source: https://github.com/Neo23x0/sigma
# Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
# Both terms are unanchored substrings: "start" also matches "startup"/"restart" and
# "curl" matches any path or argument containing it, so expect some noise.
EventType = Process.Start
Process.CommandLine = (?=.*curl)(?=.*start)
Tag = proc-start-curl-start-combination

[ProcessTaggingRule]
Rulename = Direct Autorun Keys Modification
# Source: https://github.com/Neo23x0/sigma
# Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
# Anchored reg.exe image, the "add" verb, and one of the ASEP key paths (backslashes
# escaped for the regex engine). "Run" is an unanchored substring and therefore
# already covers the RunOnce/RunOnceEx/RunServices* lines that follow it.
# NOTE(review): the "User Shell Folders" key was split on whitespace into three
# lookaheads, so "User", "Shell" and "Folders" may appear anywhere, not adjacently.
EventType = Process.Start
Process.Name = ^reg\.exe$
Process.CommandLine = add
Process.CommandLine = \\software\\Microsoft\\Windows\\CurrentVersion\\Run
Process.CommandLine = \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
Process.CommandLine = \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx
Process.CommandLine = \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices
Process.CommandLine = \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce
Process.CommandLine = (?=.*\\software\\Microsoft\\Windows)(?=.*NT\\CurrentVersion\\Winlogon\\Userinit)
Process.CommandLine = (?=.*\\software\\Microsoft\\Windows)(?=.*NT\\CurrentVersion\\Winlogon\\Shell)
Process.CommandLine = (?=.*\\software\\Microsoft\\Windows)(?=.*NT\\CurrentVersion\\Windows)
Process.CommandLine = (?=.*\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User)(?=.*Shell)(?=.*Folders)
Process.CommandLine = \\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell
Tag = proc-start-direct-autorun-keys-modification

[ProcessTaggingRule]
Rulename = Application Whitelisting Bypass via Dnx.exe
# Source: https://github.com/Neo23x0/sigma
# Execute C# code located in the consoleapp folder
# Image-name-only rule: every start of dnx.exe is tagged, regardless of arguments.
EventType = Process.Start
Process.Name = ^dnx\.exe$
Tag = proc-start-application-whitelisting-bypass-via-dnx.exe

[ProcessTaggingRule]
Rulename = Application Whitelisting Bypass via Dxcap.exe
# Source: https://github.com/Neo23x0/sigma
# Detects execution of Dxcap.exe
# NOTE(review): the intent is dxcap.exe with "-c" and an ".exe" argument; as two
# separate lines the grouping depends on how uberAgent combines repeated keys.
# "-c" is a two-character unanchored substring - verify it is not evaluated alone.
EventType = Process.Start
Process.Name = ^dxcap\.exe$
Process.CommandLine = -c
Process.CommandLine = \.exe
Tag = proc-start-application-whitelisting-bypass-via-dxcap.exe

[ProcessTaggingRule]
Rulename = Execution in Webserver Root Folder
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious program execution in a web service root folder (filter out false positives)
# Process.Path lines with "=" are the web-root folders; the "!=" lines exclude
# paths containing bin\, \Tools\ or \SMSComponent\ and a parent named services.exe.
# All path patterns are unanchored substrings ("bin\\" also matches "...\sbin\").
EventType = Process.Start
Process.Path = \\wwwroot\\
Process.Path = \\wmpub\\
Process.Path = \\htdocs\\
Process.Path != bin\\
Process.Path != \\Tools\\
Process.Path != \\SMSComponent\\
Parent.Name != ^services\.exe$
Tag = proc-start-execution-in-webserver-root-folder

[ProcessTaggingRule]
Rulename = Firewall Disabled via Netsh
# Source: https://github.com/Neo23x0/sigma
# Detects netsh commands that turns off the Windows firewall
# First line: legacy "netsh firewall set opmode mode=disable"; second line: the
# advfirewall form with "state" and "off". Terms may appear in any order.
EventType = Process.Start
Process.CommandLine = (?=.*netsh)(?=.*firewall)(?=.*set)(?=.*opmode)(?=.*mode=disable)
Process.CommandLine = (?=.*netsh)(?=.*advfirewall)(?=.*set)(?=.*state)(?=.*off)
Tag = proc-start-firewall-disabled-via-netsh

[ProcessTaggingRule]
Rulename = IIS Native-Code Module Command Line Installation
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious IIS native-code module installations via command line
# Requires "\APPCMD.EXE", "install", "module" and "/name:" anywhere on the command
# line; no Process.Name constraint.
EventType = Process.Start
Process.CommandLine = (?=.*\\APPCMD\.EXE)(?=.*install)(?=.*module)(?=.*\/name:)
Tag = proc-start-iis-native-code-module-command-line-installation

[ProcessTaggingRule]
Rulename = MsiExec Web Install
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious msiexec process starts with web addresses as parameter
# "://" matches any URL scheme (http, https, file, ...), not only web addresses.
EventType = Process.Start
Process.CommandLine = (?=.*msiexec)(?=.*:\/\/)
Tag = proc-start-msiexec-web-install

[ProcessTaggingRule]
Rulename = Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
# Source: https://github.com/Neo23x0/sigma
# Detects defence evasion attempt via odbcconf.exe execution to load DLL
# NOTE(review): the line order suggests two alternatives - (odbcconf.exe with -f or
# regsvr) OR (rundll32.exe whose parent is odbcconf.exe) - but repeated keys carry
# no grouping here; if uberAgent ANDs the two Process.Name lines the rule can never
# match. Verify the combination semantics, or split into two rules.
EventType = Process.Start
Process.Name = ^odbcconf\.exe$
Process.CommandLine = -f
Process.CommandLine = regsvr
Parent.Name = ^odbcconf\.exe$
Process.Name = ^rundll32\.exe$
Tag = proc-start-application-whitelisting-bypass-via-dll-loaded-by-odbcconf.exe

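[ProcessTaggingRule]
Rulename = Suspicious Process Creation
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious process starts on Windows systems based on keywords
# Each line is one independent keyword combination; lookahead terms may appear in
# any order. No Process.Name constraint.
# The attrib line previously read (?=.*+S)(?=.*+H)(?=.*+R): an unescaped "+" after
# ".*" is either a syntax error or a possessive quantifier that leaves nothing for
# "S" to match, so that line never fired. The plus signs are now escaped.
# NOTE(review): the "Domain Admins" string was split on whitespace into two
# lookaheads, so the quotes may be matched non-adjacently.
EventType = Process.Start
Process.CommandLine = sekurlsa:
Process.CommandLine = (?=.*net)(?=.*localgroup)(?=.*administrators)(?=.*\/add)
Process.CommandLine = (?=.*net)(?=.*group)(?=.*"Domain)(?=.*Admins")(?=.*\/ADD)(?=.*\/DOMAIN)
Process.CommandLine = (?=.*certutil\.exe)(?=.*-urlcache)(?=.*http)
Process.CommandLine = (?=.*certutil\.exe)(?=.*-urlcache)(?=.*ftp)
Process.CommandLine = (?=.*netsh)(?=.*advfirewall)(?=.*firewall)(?=.*\\AppData\\)
Process.CommandLine = (?=.*attrib)(?=.*\+S)(?=.*\+H)(?=.*\+R)(?=.*\\AppData\\)
Process.CommandLine = (?=.*schtasks)(?=.*\/create)(?=.*\\AppData\\)
Process.CommandLine = (?=.*schtasks)(?=.*\/sc)(?=.*minute)
Process.CommandLine = (?=.*\\Regasm\.exe)(?=.*\\AppData\\)
Process.CommandLine = (?=.*\\Regasm)(?=.*\\AppData\\)
Process.CommandLine = (?=.*\\bitsadmin)(?=.*\/transfer)
Process.CommandLine = (?=.*\\certutil\.exe)(?=.*-decode)
Process.CommandLine = (?=.*\\certutil\.exe)(?=.*-decodehex)
Process.CommandLine = (?=.*\\certutil\.exe)(?=.*-ping)
Process.CommandLine = (?=.*icacls)(?=.*\/grant)(?=.*Everyone:F)(?=.*\/T)(?=.*\/C)(?=.*\/Q)
Process.CommandLine = (?=.*wbadmin\.exe)(?=.*delete)(?=.*catalog)(?=.*-quiet)
Process.CommandLine = (?=.*\\wscript\.exe)(?=.*\.jse)
Process.CommandLine = (?=.*\\wscript\.exe)(?=.*\.js)
Process.CommandLine = (?=.*\\wscript\.exe)(?=.*\.vba)
Process.CommandLine = (?=.*\\wscript\.exe)(?=.*\.vbe)
Process.CommandLine = (?=.*\\cscript\.exe)(?=.*\.jse)
Process.CommandLine = (?=.*\\cscript\.exe)(?=.*\.js)
Process.CommandLine = (?=.*\\cscript\.exe)(?=.*\.vba)
Process.CommandLine = (?=.*\\cscript\.exe)(?=.*\.vbe)
Process.CommandLine = \\fodhelper\.exe
Process.CommandLine = (?=.*waitfor)(?=.*\/s)
Process.CommandLine = (?=.*waitfor)(?=.*\/si)(?=.*persist)
Process.CommandLine = (?=.*remote)(?=.*\/s)
Process.CommandLine = (?=.*remote)(?=.*\/c)
Process.CommandLine = (?=.*remote)(?=.*\/q)
Process.CommandLine = AddInProcess
Process.CommandLine = \/stext
Process.CommandLine = \/scomma
Process.CommandLine = \/stab
Process.CommandLine = \/stabular
Process.CommandLine = \/shtml
Process.CommandLine = \/sverhtml
Process.CommandLine = \/sxml
Tag = proc-start-suspicious-process-creation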

[ProcessTaggingRule]
Rulename = Psr.exe Capture Screenshots
# Source: https://github.com/Neo23x0/sigma
# The psr.exe captures desktop screenshots and saves them on the local machine
# Anchored image name plus the "/start" switch (slash escaped for the regex engine).
EventType = Process.Start
Process.Name = ^Psr\.exe$
Process.CommandLine = \/start
Tag = proc-start-psr.exe-capture-screenshots

[ProcessTaggingRule]
Rulename = PowerShell Script Run in AppData
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
# "/c", "powershell" and an AppData\Local or AppData\Roaming path anywhere on the
# command line; no Process.Name constraint, so the cmd.exe wrapper is what fires.
EventType = Process.Start
Process.CommandLine = (?=.*\/c)(?=.*powershell)(?=.*\\AppData\\Local\\)
Process.CommandLine = (?=.*\/c)(?=.*powershell)(?=.*\\AppData\\Roaming\\)
Tag = proc-start-powershell-script-run-in-appdata

[ProcessTaggingRule]
Rulename = Suspicious RASdial Activity
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious process related to rasdial.exe
# Bare unanchored "rasdial" substring, no Process.Name constraint: any command line
# mentioning rasdial (including legitimate VPN scripts) is tagged.
EventType = Process.Start
Process.CommandLine = rasdial
Tag = proc-start-suspicious-rasdial-activity

[ProcessTaggingRule]
Rulename = Suspicious Reconnaissance Activity
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious command line activity on Windows systems
# NOTE(review): the "domain admins" string was split on whitespace into two
# lookaheads, so the quoted words are matched independently and non-adjacently.
# "net" is an unanchored substring (matches e.g. "netsh", ".NET" in a path).
EventType = Process.Start
Process.CommandLine = (?=.*net)(?=.*group)(?=.*"domain)(?=.*admins")(?=.*\/domain)
Process.CommandLine = (?=.*net)(?=.*localgroup)(?=.*administrators)
Tag = proc-start-suspicious-reconnaissance-activity

[ProcessTaggingRule]
Rulename = Suspicious Rundll32 Activity
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious process related to rundll32 based on arguments
# No Process.Name constraint; the DLL/export combinations are matched on any
# command line.
# NOTE(review): lines 7-12 of the pattern list (without the \rundll32.exe term) are
# supersets of lines 1-6, and "OpenURL" is a substring of "OpenURLA". If uberAgent
# treats repeated keys as alternatives, the first six lines and the OpenURLA lines
# add nothing; harmless, but they inflate the rule.
EventType = Process.Start
Process.CommandLine = (?=.*\\rundll32\.exe)(?=.*url\.dll,)(?=.*OpenURL)
Process.CommandLine = (?=.*\\rundll32\.exe)(?=.*url\.dll,)(?=.*OpenURLA)
Process.CommandLine = (?=.*\\rundll32\.exe)(?=.*url\.dll,)(?=.*FileProtocolHandler)
Process.CommandLine = (?=.*\\rundll32\.exe)(?=.*zipfldr\.dll,)(?=.*RouteTheCall)
Process.CommandLine = (?=.*\\rundll32\.exe)(?=.*Shell32\.dll,)(?=.*Control_RunDLL)
Process.CommandLine = (?=.*\\rundll32\.exe)(?=.*javascript:)
Process.CommandLine = (?=.*url\.dll,)(?=.*OpenURL)
Process.CommandLine = (?=.*url\.dll,)(?=.*OpenURLA)
Process.CommandLine = (?=.*url\.dll,)(?=.*FileProtocolHandler)
Process.CommandLine = (?=.*zipfldr\.dll,)(?=.*RouteTheCall)
Process.CommandLine = (?=.*Shell32\.dll,)(?=.*Control_RunDLL)
Process.CommandLine = javascript:
Process.CommandLine = \.RegisterXLL
Tag = proc-start-suspicious-rundll32-activity

[ProcessTaggingRule]
Rulename = Suspicious Process Start Locations
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious process run from unusual locations
# Unanchored path substrings. The first two match on any drive letter; the rest are
# hard-coded to C:\Windows\ and will miss systems with a different system drive.
# NOTE(review): the on-disk folder is "System Volume Information" (with spaces);
# ":\\SystemVolumeInformation\\" presumably never matches a real path - confirm
# against the source rule.
EventType = Process.Start
Process.Path = :\\RECYCLER\\
Process.Path = :\\SystemVolumeInformation\\
Process.Path = C:\\Windows\\Tasks\\
Process.Path = C:\\Windows\\debug\\
Process.Path = C:\\Windows\\fonts\\
Process.Path = C:\\Windows\\help\\
Process.Path = C:\\Windows\\drivers\\
Process.Path = C:\\Windows\\addins\\
Process.Path = C:\\Windows\\cursors\\
Process.Path = C:\\Windows\\system32\\tasks\\
Tag = proc-start-suspicious-process-start-locations

[ProcessTaggingRule]
Rulename = WSF/JSE/JS/VBA/VBE File Execution
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious file execution by wscript and cscript
# NOTE(review): the extensions are unanchored substrings, so "\.js" already covers
# ".jse" (and also ".json"), and "\.vb" is not listed while ".vbs" is the common
# extension - check the source rule's intent. Whether an extension is required
# together with the image name depends on how uberAgent combines repeated keys.
EventType = Process.Start
Process.Name = ^wscript\.exe$
Process.Name = ^cscript\.exe$
Process.CommandLine = \.jse
Process.CommandLine = \.vbe
Process.CommandLine = \.js
Process.CommandLine = \.vba
Tag = proc-start-wsf/jse/js/vba/vbe-file-execution

[ProcessTaggingRule]
Rulename = Sysprep on AppData Folder
# Source: https://github.com/Neo23x0/sigma
# Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
# NOTE(review): the second line (sysprep\.exe without the leading backslash) is a
# superset of the first; the first line is redundant if repeated keys are
# alternatives. Harmless.
EventType = Process.Start
Process.CommandLine = (?=.*\\sysprep\.exe)(?=.*\\AppData\\)
Process.CommandLine = (?=.*sysprep\.exe)(?=.*\\AppData\\)
Tag = proc-start-sysprep-on-appdata-folder

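[ProcessTaggingRule]
Rulename = Suspicious SYSVOL Domain Group Policy Access
# Source: https://github.com/Neo23x0/sigma
# Detects Access to Domain Group Policies stored in SYSVOL
# Matches "\SYSVOL\<anything>\policies\" in a command line. The generated pattern
# read "\\SYSVOL\\\.*\\policies\\", where "\.*" is zero or more literal dots, so the
# domain-name component between \SYSVOL\ and \policies\ could never match; ".*" is
# the intended wildcard.
EventType = Process.Start
Process.CommandLine = \\SYSVOL\\.*\\policies\\
Tag = proc-start-suspicious-sysvol-domain-group-policy-access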

[ProcessTaggingRule]
Rulename = Suspicious Userinit Child Process
# Source: https://github.com/Neo23x0/sigma
# Detects a suspicious child process of userinit
# Any child of userinit.exe that is not explorer.exe and whose command line does
# not contain the literal "\\netlogon\" (UNC logon-script path; "\\\\" is two
# escaped backslashes).
EventType = Process.Start
Parent.Name = ^userinit\.exe$
Process.CommandLine != \\\\netlogon\\
Process.Name != ^explorer\.exe$
Tag = proc-start-suspicious-userinit-child-process

[ProcessTaggingRule]
Rulename = Suspicious WMI Execution
# Source: https://github.com/Neo23x0/sigma
# Detects WMI executing suspicious commands
# Anchored wmic.exe image plus one of four argument combinations: remote process
# creation (/NODE: ... process call create), AV/firewall product enumeration, or
# shadow copy deletion. Lookahead terms may appear in any order.
EventType = Process.Start
Process.Name = ^wmic\.exe$
Process.CommandLine = (?=.*\/NODE:)(?=.*process)(?=.*call)(?=.*create)
Process.CommandLine = (?=.*path)(?=.*AntiVirusProduct)(?=.*get)
Process.CommandLine = (?=.*path)(?=.*FirewallProduct)(?=.*get)
Process.CommandLine = (?=.*shadowcopy)(?=.*delete)
Tag = proc-start-suspicious-wmi-execution

[ProcessTaggingRule]
Rulename = Tap Installer Execution
# Source: https://github.com/Neo23x0/sigma
# Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
# Image-name-only rule; legitimate VPN client installers presumably ship the same
# binary, so expect hits during sanctioned software deployment.
EventType = Process.Start
Process.Name = ^tapinstall\.exe$
Tag = proc-start-tap-installer-execution

[ProcessTaggingRule]
Rulename = Domain Trust Discovery
# Source: https://github.com/Neo23x0/sigma
# Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
# NOTE(review): duplicate of the "Domain Trust Discovery" rule near the top of this
# file - same Rulename and the same Tag (proc-start-domain-trust-discovery), but this
# copy omits the "-filter" term. Events from either rule are indistinguishable
# downstream; keep one rule.
EventType = Process.Start
Process.Name = ^nltest\.exe$
Process.CommandLine = domain_trusts
Process.Name = ^dsquery\.exe$
Process.CommandLine = trustedDomain
Tag = proc-start-domain-trust-discovery

[ProcessTaggingRule]
Rulename = Java Running with Remote Debugging
# Source: https://github.com/Neo23x0/sigma
# Detects a JAVA process running with remote debugging allowing more than just localhost to connect
# Matches a JDWP socket transport ("transport=dt_socket,address=") unless the
# address is explicitly 127.0.0.1 or localhost. A port-only address such as
# "address=5005" is not excluded (older JDKs presumably bind all interfaces for it,
# which is the risky case this rule is after - confirm).
EventType = Process.Start
Process.CommandLine = transport=dt_socket,address=
Process.CommandLine != address=127\.0\.0\.1
Process.CommandLine != address=localhost
Tag = proc-start-java-running-with-remote-debugging

[ProcessTaggingRule]
Rulename = XSL Script Processing
# Source: https://github.com/Neo23x0/sigma
# Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
# NOTE(review): the line order suggests two alternatives - (wmic.exe with /format)
# OR (msxsl.exe alone) - but repeated keys carry no grouping here; if uberAgent ANDs
# the two Process.Name lines the rule can never match. Verify, or split into two rules.
EventType = Process.Start
Process.Name = ^wmic\.exe$
Process.CommandLine = \/format
Process.Name = ^msxsl\.exe$
Tag = proc-start-xsl-script-processing
