



uberAgent-ESA-am-sigma-proc-creation-medium.conf

The following is the uberAgent-ESA-am-sigma-proc-creation-medium.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a command line, change the working directory to the just-cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: medium
#

[ActivityMonitoringRule]
# Detects the use of various web request methods (including aliases) via Windows PowerShell
# Field conventions used throughout this file (as seen in the queries below):
#   Process.Path / Process.CommandLine / Parent.Path are matched with "like" patterns
#   written as raw strings r"..."; % is the multi-character wildcard, \\ appears to
#   stand for a literal backslash and \_ for a literal underscore — confirm against
#   the uberAgent query reference before editing patterns.
# Every rule in this file carries RiskScore = 50 (header: sigma-level medium).
# NOTE(review): this query checks only the command line, not Process.Path, so any
# process whose arguments contain "wget ", "curl " or "iwr " matches — expect
# tuning to be needed in environments that run these tools legitimately.
RuleName = Windows PowerShell Web Request
EventType = Process.Start
Tag = proc-start-windows-powershell-web-request
RiskScore = 50
Query = (Process.CommandLine like r"%Invoke-WebRequest%" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%wget %" or Process.CommandLine like r"%curl %" or Process.CommandLine like r"%Net.WebClient%" or Process.CommandLine like r"%Start-BitsTransfer%")

[ActivityMonitoringRule]
# Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
# Matches on the image path only (substring "\advanced_ip_scanner"); the command line is not inspected.
RuleName = Advanced IP Scanner
EventType = Process.Start
Tag = proc-start-advanced-ip-scanner
RiskScore = 50
Query = Process.Path like r"%\\advanced\_ip\_scanner%"

[ActivityMonitoringRule]
# Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
# Single command-line pattern: "schtasks", then " /delete ", then the Defrag\ScheduledDefrag task path.
RuleName = Defrag Deactivation
EventType = Process.Start
Tag = proc-start-defrag-deactivation
RiskScore = 50
Query = (Process.CommandLine like r"%schtasks% /delete %Defrag\\ScheduledDefrag%")

[ActivityMonitoringRule]
# Detects a discovery of domain trusts
# dsquery.exe with both "-filter" and "trustedDomain", or nltest.exe with "domain_trusts".
# NOTE(review): a second section later in this file uses the same RuleName and the same
# Tag (proc-start-domain-trust-discovery) with a slightly looser dsquery clause. Whether
# uberAgent tolerates duplicate tags is not shown here — consolidate the two if it does not.
RuleName = Domain Trust Discovery
EventType = Process.Start
Tag = proc-start-domain-trust-discovery
RiskScore = 50
Query = ((Process.Path like r"%\\dsquery.exe" and Process.CommandLine like r"%-filter%" and Process.CommandLine like r"%trustedDomain%") or (Process.Path like r"%\\nltest.exe" and Process.CommandLine like r"%domain\_trusts%"))

[ActivityMonitoringRule]
# Execution of well known tools for data exfiltration and tunneling
# Matches on the image file name only (plink, socat, stunnel, httptunnel); no argument check.
RuleName = Exfiltration and Tunneling Tools Execution
EventType = Process.Start
Tag = proc-start-exfiltration-and-tunneling-tools-execution
RiskScore = 50
Query = (Process.Path like r"%\\plink.exe" or Process.Path like r"%\\socat.exe" or Process.Path like r"%\\stunnel.exe" or Process.Path like r"%\\httptunnel.exe")

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
# Parent/child relationship: WINWORD.EXE -> FLTLDR.exe. The child pattern has a trailing %,
# unlike the other path patterns in this file, so anything after "FLTLDR.exe" also matches.
RuleName = Exploit for CVE-2017-0261
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2017-0261
RiskScore = 50
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\FLTLDR.exe%")

[ActivityMonitoringRule]
# Detects a file or folder permissions modifications
# takeown/cacls/icacls with "/grant", or attrib with "-r".
# NOTE(review): "%-r%" is a two-character substring and matches any attrib command line
# containing "-r" anywhere (e.g. inside a path) — a known source of noise.
RuleName = File or Folder Permissions Modifications
EventType = Process.Start
Tag = proc-start-file-or-folder-permissions-modifications
RiskScore = 50
Query = (((Process.Path like r"%\\takeown.exe" or Process.Path like r"%\\cacls.exe" or Process.Path like r"%\\icacls.exe") and Process.CommandLine like r"%/grant%") or (Process.Path like r"%\\attrib.exe" and Process.CommandLine like r"%-r%"))

[ActivityMonitoringRule]
# Dump sam, system or security hives using REG.exe utility
# All four conjuncts must hold: reg.exe image, "save" or "export", an HKLM reference,
# and a command line ending in \system, \sam or \security (no trailing wildcard on those).
RuleName = Grabbing Sensitive Hives via Reg Utility
EventType = Process.Start
Tag = proc-start-grabbing-sensitive-hives-via-reg-utility
RiskScore = 50
Query = (Process.Path like r"%\\reg.exe" and (Process.CommandLine like r"%save%" or Process.CommandLine like r"%export%") and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security"))

[ActivityMonitoringRule]
# Detects well-known mimikatz command line arguments
# Two branches: "DumpCreds"/"invoke-mimikatz" on their own, or one of the module words
# (rpc, token, crypto, dpapi, sekurlsa, kerberos, lsadump, privilege, process) together with "::".
# The "::" conjunct is what keeps generic words like "process" or "token" from firing alone.
RuleName = Mimikatz Command Line
EventType = Process.Start
Tag = proc-start-mimikatz-command-line
RiskScore = 50
Query = ((Process.CommandLine like r"%DumpCreds%" or Process.CommandLine like r"%invoke-mimikatz%") or ((Process.CommandLine like r"%rpc%" or Process.CommandLine like r"%token%" or Process.CommandLine like r"%crypto%" or Process.CommandLine like r"%dpapi%" or Process.CommandLine like r"%sekurlsa%" or Process.CommandLine like r"%kerberos%" or Process.CommandLine like r"%lsadump%" or Process.CommandLine like r"%privilege%" or Process.CommandLine like r"%process%") and (Process.CommandLine like r"%::%")))

[ActivityMonitoringRule]
# Allow Incoming Connections by Port or Application on Windows Firewall
# Command line contains both "netsh" and "firewall add"; the image path is not checked.
RuleName = Netsh Port or Application Allowed
EventType = Process.Start
Tag = proc-start-netsh-port-or-application-allowed
RiskScore = 50
Query = ((Process.CommandLine like r"%netsh%") and (Process.CommandLine like r"%firewall add%"))

[ActivityMonitoringRule]
# Detects capturing a network trace via the netsh.exe trace functionality
# Three independent substrings ("netsh", "trace", "start") anywhere in the command line, in any order.
RuleName = Capture a Network Trace with netsh.exe
EventType = Process.Start
Tag = proc-start-capture-a-network-trace-with-netsh.exe
RiskScore = 50
Query = (Process.CommandLine like r"%netsh%" and Process.CommandLine like r"%trace%" and Process.CommandLine like r"%start%")

[ActivityMonitoringRule]
# Detects netsh commands that configure a port forwarding
# Pattern has no leading %, so the command line must begin with "netsh interface portproxy add v4tov4 ".
# A full-path invocation (e.g. "C:\...\netsh.exe interface ...") would not match this prefix.
RuleName = Netsh Port Forwarding
EventType = Process.Start
Tag = proc-start-netsh-port-forwarding
RiskScore = 50
Query = (Process.CommandLine like r"netsh interface portproxy add v4tov4 %")

[ActivityMonitoringRule]
# Detect the harvesting of wifi credentials using netsh.exe
# Prefix-anchored ("netsh wlan s..."); the embedded % wildcards cover abbreviated
# "show" / "profile" / "key" spellings, ending in "=clear".
RuleName = Harvesting of Wifi Credentials Using netsh.exe
EventType = Process.Start
Tag = proc-start-harvesting-of-wifi-credentials-using-netsh.exe
RiskScore = 50
Query = (Process.CommandLine like r"netsh wlan s% p% k%=clear")

[ActivityMonitoringRule]
# Identifies creation of local users via the net.exe command
# net.exe or net1.exe with "user" and "add" as separate substrings (order not enforced).
RuleName = Net.exe User Account Creation
EventType = Process.Start
Tag = proc-start-net.exe-user-account-creation
RiskScore = 50
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%user%" and Process.CommandLine like r"%add%")

[ActivityMonitoringRule]
# Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
# NOTE(review): the only exclusion is an explorer.exe parent, so scheduled tasks, management
# agents and logon scripts will all match — expect high volume and plan parent-based tuning.
RuleName = Non Interactive PowerShell
EventType = Process.Start
Tag = proc-start-non-interactive-powershell
RiskScore = 50
Query = (Process.Path like r"%\\powershell.exe" and not (Parent.Path like r"%\\explorer.exe"))

[ActivityMonitoringRule]
# Detects audio capture via PowerShell Cmdlet
# Single substring match on the cmdlet module name; no image path check.
RuleName = Audio Capture via PowerShell
EventType = Process.Start
Tag = proc-start-audio-capture-via-powershell
RiskScore = 50
Query = Process.CommandLine like r"%WindowsAudioDevice-Powershell-Cmdlet%"

[ActivityMonitoringRule]
# Detect download by BITS jobs via PowerShell
# Overlaps with "Windows PowerShell Web Request" above, which also matches "Start-BitsTransfer";
# this rule additionally requires the powershell.exe image.
RuleName = Suspicious Bitsadmin Job via PowerShell
EventType = Process.Start
Tag = proc-start-suspicious-bitsadmin-job-via-powershell
RiskScore = 50
Query = (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%Start-BitsTransfer%")

[ActivityMonitoringRule]
# Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
# Each alternative is " -ver<...> 2 " with spaces on both sides, covering the abbreviated
# forms of the -version switch; a trailing "2" at the very end of the command line would not match.
RuleName = PowerShell Downgrade Attack
EventType = Process.Start
Tag = proc-start-powershell-downgrade-attack
RiskScore = 50
Query = ((Process.CommandLine like r"% -version 2 %" or Process.CommandLine like r"% -versio 2 %" or Process.CommandLine like r"% -versi 2 %" or Process.CommandLine like r"% -vers 2 %" or Process.CommandLine like r"% -ver 2 %" or Process.CommandLine like r"% -ve 2 %") and Process.Path like r"%\\powershell.exe")

[ActivityMonitoringRule]
# Detects a Powershell process that contains download commands in its command line string
# Patterns are written in lower case ("new-object system.net.webclient)..."); whether "like"
# compares case-insensitively is not shown in this file — confirm, since PowerShell itself is not case-sensitive.
RuleName = PowerShell Download from URL
EventType = Process.Start
Tag = proc-start-powershell-download-from-url
RiskScore = 50
Query = (Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%new-object system.net.webclient).downloadstring(%" or Process.CommandLine like r"%new-object system.net.webclient).downloadfile(%" or Process.CommandLine like r"%new-object net.webclient).downloadstring(%" or Process.CommandLine like r"%new-object net.webclient).downloadfile(%"))

[ActivityMonitoringRule]
# Detects usage of bitsadmin downloading a file
# bitsadmin.exe with " /transfer ", or any command line that copies bitsadmin.exe elsewhere.
RuleName = Bitsadmin Download
EventType = Process.Start
Tag = proc-start-bitsadmin-download
RiskScore = 50
Query = (((Process.Path like r"%\\bitsadmin.exe") and (Process.CommandLine like r"% /transfer %")) or (Process.CommandLine like r"%copy bitsadmin.exe%"))

[ActivityMonitoringRule]
# Detects remote PowerShell sessions by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
# Fires on every wsmprovhost.exe start and on every child it spawns; no argument filter.
RuleName = Remote PowerShell Session
EventType = Process.Start
Tag = proc-start-remote-powershell-session
RiskScore = 50
Query = (Process.Path like r"%\\wsmprovhost.exe" or Parent.Path like r"%\\wsmprovhost.exe")

[ActivityMonitoringRule]
# Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
# Logic: Process.Name (presumably the PE OriginalFileName — confirm in the uberAgent field
# reference) is one of the listed names, but Process.Path does not end in the matching
# file name. The Name list includes "psexec.c", the Path exclusion list includes psexec64.exe.
RuleName = Renamed Binary
EventType = Process.Start
Tag = proc-start-renamed-binary
RiskScore = 50
Query = ((Process.Name like r"cmd.exe" or Process.Name like r"powershell.exe" or Process.Name like r"powershell\_ise.exe" or Process.Name like r"psexec.exe" or Process.Name like r"psexec.c" or Process.Name like r"cscript.exe" or Process.Name like r"wscript.exe" or Process.Name like r"mshta.exe" or Process.Name like r"regsvr32.exe" or Process.Name like r"wmic.exe" or Process.Name like r"certutil.exe" or Process.Name like r"rundll32.exe" or Process.Name like r"cmstp.exe" or Process.Name like r"msiexec.exe" or Process.Name like r"7z.exe" or Process.Name like r"winrar.exe" or Process.Name like r"wevtutil.exe" or Process.Name like r"net.exe" or Process.Name like r"net1.exe" or Process.Name like r"netsh.exe") and not ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\psexec.exe" or Process.Path like r"%\\psexec64.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\7z.exe" or Process.Path like r"%\\winrar.exe" or Process.Path like r"%\\wevtutil.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\netsh.exe")))

[ActivityMonitoringRule]
# Shadow Copies storage symbolic link creation using operating systems utilities
# Command line contains both "mklink" and "HarddiskVolumeShadowCopy"; no image path check.
RuleName = Shadow Copies Access via Symlink
EventType = Process.Start
Tag = proc-start-shadow-copies-access-via-symlink
RiskScore = 50
Query = (Process.CommandLine like r"%mklink%" and Process.CommandLine like r"%HarddiskVolumeShadowCopy%")

[ActivityMonitoringRule]
# Shadow Copies creation using operating systems utilities, possible credential access
# powershell.exe, wmic.exe or vssadmin.exe with "shadow" and "create" anywhere in the arguments.
# Backup software that drives vssadmin legitimately is the expected false-positive source.
RuleName = Shadow Copies Creation Using Operating Systems Utilities
EventType = Process.Start
Tag = proc-start-shadow-copies-creation-using-operating-systems-utilities
RiskScore = 50
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\vssadmin.exe") and Process.CommandLine like r"%shadow%" and Process.CommandLine like r"%create%")

[ActivityMonitoringRule]
# Detect attacker collecting audio via SoundRecorder application
# SoundRecorder.exe started with a "/FILE" argument.
RuleName = Audio Capture via SoundRecorder
EventType = Process.Start
Tag = proc-start-audio-capture-via-soundrecorder
RiskScore = 50
Query = (Process.Path like r"%\\SoundRecorder.exe" and Process.CommandLine like r"%/FILE%")

[ActivityMonitoringRule]
# Detects possibly malicious, unauthorized usage of bcdedit.exe
# bcdedit.exe with "delete", "deletevalue" or "import". Note that "%delete%" already
# covers every "deletevalue" command line, so that alternative is redundant (harmless).
RuleName = Possible Ransomware or Unauthorized MBR Modifications
EventType = Process.Start
Tag = proc-start-possible-ransomware-or-unauthorized-mbr-modifications
RiskScore = 50
Query = (Process.Path like r"%\\bcdedit.exe" and (Process.CommandLine like r"%delete%" or Process.CommandLine like r"%deletevalue%" or Process.CommandLine like r"%import%"))

[ActivityMonitoringRule]
# Execute VBscript code that is referenced within the *.bgi file.
# bginfo.exe with both "/popup" and "/nolicprompt" switches present.
RuleName = Application Whitelisting Bypass via Bginfo
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-bginfo
RiskScore = 50
Query = (Process.Path like r"%\\bginfo.exe" and Process.CommandLine like r"%/popup%" and Process.CommandLine like r"%/nolicprompt%")

[ActivityMonitoringRule]
# Launch 64-bit shellcode from a debugger script file using cdb.exe.
# cdb.exe with a "-cf" (script file) argument. Legitimate debugger use on developer
# workstations will also match — scope by host group if this is noisy.
RuleName = Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
EventType = Process.Start
Tag = proc-start-possible-app-whitelisting-bypass-via-windbg/cdb-as-a-shellcode-runner
RiskScore = 50
Query = (Process.Path like r"%\\cdb.exe" and Process.CommandLine like r"%-cf%")

[ActivityMonitoringRule]
# Detects a suspicious certutil command that is used to encode files, which is sometimes used for data exfiltration
# Four prefix-anchored spellings (with/without ".exe", "-f -encode" / "-encode -f"). A command
# line that starts with a full path to certutil.exe would not match any of them.
RuleName = Certutil Encode
EventType = Process.Start
Tag = proc-start-certutil-encode
RiskScore = 50
Query = (Process.CommandLine like r"certutil -f -encode %" or Process.CommandLine like r"certutil.exe -f -encode %" or Process.CommandLine like r"certutil -encode -f %" or Process.CommandLine like r"certutil.exe -encode -f %")

[ActivityMonitoringRule]
# Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
# Prefix-anchored "cmd.exe /c", then an http(s) URL, then "%AppData%". The "\%" sequence
# appears to be an escaped literal percent sign (as opposed to the % wildcard) — confirm.
RuleName = Command Line Execution with Suspicious URL and AppData Strings
EventType = Process.Start
Tag = proc-start-command-line-execution-with-suspicious-url-and-appdata-strings
RiskScore = 50
Query = (Process.CommandLine like r"cmd.exe /c %http://%\%AppData\%" or Process.CommandLine like r"cmd.exe /c %https://%\%AppData\%")

[ActivityMonitoringRule]
# Detects a code page switch in command line or batch scripts to a rare language
# Prefix-anchored "chcp" ending in code page 936 or 1258; no trailing wildcard, so the
# code page must be the last token on the command line.
RuleName = Suspicious Code Page Switch
EventType = Process.Start
Tag = proc-start-suspicious-code-page-switch
RiskScore = 50
Query = (Process.CommandLine like r"chcp% 936" or Process.CommandLine like r"chcp% 1258")

[ActivityMonitoringRule]
# Detects process memory dump via comsvcs.dll and rundll32
# Image check is either a rundll32.exe path suffix or an exact Process.Name equality
# ("RUNDLL32.EXE"); the argument check requires "comsvcs", "MiniDump"/"MiniDumpW" and "full" in that order.
RuleName = Process Dump via Comsvcs DLL
EventType = Process.Start
Tag = proc-start-process-dump-via-comsvcs-dll
RiskScore = 50
Query = ((Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and (Process.CommandLine like r"%comsvcs%MiniDump%full%" or Process.CommandLine like r"%comsvcs%MiniDumpW%full%"))

[ActivityMonitoringRule]
# Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
# " /c copy " or "xcopy" followed later by a "\System32\" path component; source and
# destination are not distinguished, so copies *into* System32 match as well (hence the RuleName).
RuleName = Suspicious Copy From or To System32
EventType = Process.Start
Tag = proc-start-suspicious-copy-from-or-to-system32
RiskScore = 50
Query = (Process.CommandLine like r"% /c copy %\\System32\\%" or Process.CommandLine like r"%xcopy%\\System32\\%")

[ActivityMonitoringRule]
# Detects a suspicious curl process start that adds a file to a web request
# curl.exe with a " -F " (form upload) switch surrounded by spaces.
RuleName = Suspicious Curl File Upload
EventType = Process.Start
Tag = proc-start-suspicious-curl-file-upload
RiskScore = 50
Query = (Process.Path like r"%\\curl.exe" and Process.CommandLine like r"% -F %")

[ActivityMonitoringRule]
# Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
# Command-line-only pattern: "curl" followed somewhere later by " start "; the image path is not checked.
RuleName = Curl Start Combination
EventType = Process.Start
Tag = proc-start-curl-start-combination
RiskScore = 50
Query = Process.CommandLine like r"%curl% start %"

[ActivityMonitoringRule]
# Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
# reg.exe with "add" and one of the listed Run / RunOnce / Winlogon / User Shell Folders /
# SafeBoot AlternateShell key paths. Patterns start with "\software" or "\system", so any
# hive prefix (HKLM, HKCU, HKEY_...) matches.
RuleName = Direct Autorun Keys Modification
EventType = Process.Start
Tag = proc-start-direct-autorun-keys-modification
RiskScore = 50
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%add%" and (Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Run%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders%" or Process.CommandLine like r"%\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell%"))

[ActivityMonitoringRule]
# Execute C# code located in the consoleapp folder
# Fires on every dnx.exe start; there is no argument filter, so developer machines
# with the legacy .NET Execution Environment installed will match routinely.
RuleName = Application Whitelisting Bypass via Dnx.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dnx.exe
RiskScore = 50
Query = Process.Path like r"%\\dnx.exe"

[ActivityMonitoringRule]
# Detects execution of Dxcap.exe
# dxcap.exe with "-c" and ".exe" present in the arguments.
RuleName = Application Whitelisting Bypass via Dxcap.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dxcap.exe
RiskScore = 50
Query = (Process.Path like r"%\\dxcap.exe" and Process.CommandLine like r"%-c%" and Process.CommandLine like r"%.exe%")

[ActivityMonitoringRule]
# Detects a suspicious program execution in a web service root folder (filter out false positives)
# Image under \wwwroot\, \wmpub\ or \htdocs\, unless it lives under a bin\, \Tools\ or
# \SMSComponent\ directory AND was started by services.exe. Note "%bin\\%" has no leading
# backslash, so any directory name ending in "bin" (e.g. "cabin\") satisfies that exclusion.
RuleName = Execution in Webserver Root Folder
EventType = Process.Start
Tag = proc-start-execution-in-webserver-root-folder
RiskScore = 50
Query = ((Process.Path like r"%\\wwwroot\\%" or Process.Path like r"%\\wmpub\\%" or Process.Path like r"%\\htdocs\\%") and not ((Process.Path like r"%bin\\%" or Process.Path like r"%\\Tools\\%" or Process.Path like r"%\\SMSComponent\\%") and (Parent.Path like r"%\\services.exe")))

[ActivityMonitoringRule]
# Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
# Command line contains "explorer.exe" and " /root," (with the trailing comma).
RuleName = Explorer Root Flag Process Tree Break
EventType = Process.Start
Tag = proc-start-explorer-root-flag-process-tree-break
RiskScore = 50
Query = (Process.CommandLine like r"%explorer.exe%" and Process.CommandLine like r"% /root,%")

[ActivityMonitoringRule]
# Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
# findstr.exe whose command line ends in ".lnk" (suffix match, no trailing wildcard).
RuleName = Findstr Launching .lnk File
EventType = Process.Start
Tag = proc-start-findstr-launching-.lnk-file
RiskScore = 50
Query = (Process.Path like r"%\\findstr.exe" and Process.CommandLine like r"%.lnk")

[ActivityMonitoringRule]
# Detects netsh commands that turn off the Windows firewall
# The first pattern contains no wildcard at all, so it presumably requires the entire
# command line to equal "netsh firewall set opmode mode=disable"; the second allows any
# profile name between "set " and " state off". Neither matches a full-path invocation.
RuleName = Firewall Disabled via Netsh
EventType = Process.Start
Tag = proc-start-firewall-disabled-via-netsh
RiskScore = 50
Query = (Process.CommandLine like r"netsh firewall set opmode mode=disable" or Process.CommandLine like r"netsh advfirewall set % state off")

[ActivityMonitoringRule]
# Detects suspicious IIS native-code module installations via command line
# "\APPCMD.EXE install module /name:" anywhere in the command line; the image path is not checked.
RuleName = IIS Native-Code Module Command Line Installation
EventType = Process.Start
Tag = proc-start-iis-native-code-module-command-line-installation
RiskScore = 50
Query = (Process.CommandLine like r"%\\APPCMD.EXE install module /name:%")

[ActivityMonitoringRule]
# Detects suspicious msiexec process starts with web addresses as parameter
# " msiexec" followed later by "://" in the command line.
RuleName = MsiExec Web Install
EventType = Process.Start
Tag = proc-start-msiexec-web-install
RiskScore = 50
Query = (Process.CommandLine like r"% msiexec%://%")

[ActivityMonitoringRule]
# Detects defence evasion attempt via odbcconf.exe execution to load DLL
# Two branches: odbcconf.exe with "-f" or "regsvr" arguments, or rundll32.exe started by odbcconf.exe.
RuleName = Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dll-loaded-by-odbcconf.exe
RiskScore = 50
Query = ((Process.Path like r"%\\odbcconf.exe" and (Process.CommandLine like r"%-f%" or Process.CommandLine like r"%regsvr%")) or (Parent.Path like r"%\\odbcconf.exe" and Process.Path like r"%\\rundll32.exe"))

[ActivityMonitoringRule]
# The psr.exe captures desktop screenshots and saves them on the local machine
# Psr.exe (Steps Recorder) with a "/start" argument.
RuleName = Psr.exe Capture Screenshots
EventType = Process.Start
Tag = proc-start-psr.exe-capture-screenshots
RiskScore = 50
Query = (Process.Path like r"%\\Psr.exe" and Process.CommandLine like r"%/start%")

[ActivityMonitoringRule]
# Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
# " /c powershell" followed later by "\AppData\Local\" or "\AppData\Roaming\".
RuleName = PowerShell Script Run in AppData
EventType = Process.Start
Tag = proc-start-powershell-script-run-in-appdata
RiskScore = 50
Query = (Process.CommandLine like r"% /c powershell%\\AppData\\Local\\%" or Process.CommandLine like r"% /c powershell%\\AppData\\Roaming\\%")

[ActivityMonitoringRule]
# Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
# NOTE(review): despite the RuleName, the query does not check Process.Path for rar.exe;
# it fires for any process whose arguments contain both " -hp" and " -m". The latter is
# a common switch prefix in other tools, so expect to add an image-path conjunct when tuning.
RuleName = Rar with Password or Compression Level
EventType = Process.Start
Tag = proc-start-rar-with-password-or-compression-level
RiskScore = 50
Query = (Process.CommandLine like r"% -hp%" and Process.CommandLine like r"% -m%")

[ActivityMonitoringRule]
# Detects suspicious process related to rasdial.exe
# Fires on every rasdial.exe start. The pattern lacks the "\\" prefix used by the other
# path rules in this file, so any image name ending in "rasdial.exe" matches.
RuleName = Suspicious RASdial Activity
EventType = Process.Start
Tag = proc-start-suspicious-rasdial-activity
RiskScore = 50
Query = (Process.Path like r"%rasdial.exe")

[ActivityMonitoringRule]
# Detects suspicious command line activity on Windows systems
# Exact-match list ("in [...]") rather than a like pattern: the whole command line must equal
# one of the two strings. This is a plain (non-raw) string, hence the \" escapes around "domain admins".
RuleName = Suspicious Reconnaissance Activity
EventType = Process.Start
Tag = proc-start-suspicious-reconnaissance-activity
RiskScore = 50
Query = Process.CommandLine in ["net group \"domain admins\" /domain", "net localgroup administrators"]

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on arguments
# Each export (url.dll OpenURL/OpenURLA/FileProtocolHandler, zipfldr.dll RouteTheCall,
# Shell32.dll Control_RunDLL, javascript:) appears twice: once preceded by "\rundll32.exe"
# and once preceded only by a space. ".RegisterXLL" is matched on its own.
RuleName = Suspicious Rundll32 Activity
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-activity
RiskScore = 50
Query = (Process.CommandLine like r"%\\rundll32.exe% url.dll,%OpenURL %" or Process.CommandLine like r"%\\rundll32.exe% url.dll,%OpenURLA %" or Process.CommandLine like r"%\\rundll32.exe% url.dll,%FileProtocolHandler %" or Process.CommandLine like r"%\\rundll32.exe% zipfldr.dll,%RouteTheCall %" or Process.CommandLine like r"%\\rundll32.exe% Shell32.dll,%Control\_RunDLL %" or Process.CommandLine like r"%\\rundll32.exe javascript:%" or Process.CommandLine like r"% url.dll,%OpenURL %" or Process.CommandLine like r"% url.dll,%OpenURLA %" or Process.CommandLine like r"% url.dll,%FileProtocolHandler %" or Process.CommandLine like r"% zipfldr.dll,%RouteTheCall %" or Process.CommandLine like r"% Shell32.dll,%Control\_RunDLL %" or Process.CommandLine like r"% javascript:%" or Process.CommandLine like r"%.RegisterXLL%")

[ActivityMonitoringRule]
# Detects suspicious process run from unusual locations
# The RECYCLER and SystemVolumeInformation patterns are drive-agnostic ("%:\..."), while
# the Windows sub-folder patterns are fixed to C:\Windows — hosts whose system drive is
# not C: would miss those. Also note "C:\Windows\drivers\" (not system32\drivers) as written.
RuleName = Suspicious Process Start Locations
EventType = Process.Start
Tag = proc-start-suspicious-process-start-locations
RiskScore = 50
Query = (Process.Path like r"%:\\RECYCLER\\%" or Process.Path like r"%:\\SystemVolumeInformation\\%" or Process.Path like r"C:\\Windows\\Tasks\\%" or Process.Path like r"C:\\Windows\\debug\\%" or Process.Path like r"C:\\Windows\\fonts\\%" or Process.Path like r"C:\\Windows\\help\\%" or Process.Path like r"C:\\Windows\\drivers\\%" or Process.Path like r"C:\\Windows\\addins\\%" or Process.Path like r"C:\\Windows\\cursors\\%" or Process.Path like r"C:\\Windows\\system32\\tasks\\%")

[ActivityMonitoringRule]
# Detects suspicious file execution by wscript and cscript
# wscript.exe/cscript.exe with ".jse", ".vbe", ".js" or ".vba" in the arguments.
# "%.js%" is a substring match, so it already covers ".jse" and also matches ".json" paths;
# no .wsf pattern is present despite the RuleName.
RuleName = WSF/JSE/JS/VBA/VBE File Execution
EventType = Process.Start
Tag = proc-start-wsf/jse/js/vba/vbe-file-execution
RiskScore = 50
Query = ((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%.jse%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.vba%"))

[ActivityMonitoringRule]
# Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
# "sysprep.exe " (path-prefixed or at the start of the command line) followed by an "\AppData\" argument.
RuleName = Sysprep on AppData Folder
EventType = Process.Start
Tag = proc-start-sysprep-on-appdata-folder
RiskScore = 50
Query = (Process.CommandLine like r"%\\sysprep.exe %\\AppData\\%" or Process.CommandLine like r"sysprep.exe %\\AppData\\%")

[ActivityMonitoringRule]
# Detects Access to Domain Group Policies stored in SYSVOL
# Any process whose command line references "\SYSVOL\<...>\policies\"; no image path check.
# Group Policy tooling and logon scripts that read SYSVOL are the expected benign matches.
RuleName = Suspicious SYSVOL Domain Group Policy Access
EventType = Process.Start
Tag = proc-start-suspicious-sysvol-domain-group-policy-access
RiskScore = 50
Query = Process.CommandLine like r"%\\SYSVOL\\%\\policies\\%"

[ActivityMonitoringRule]
# Detects a suspicious child process of userinit
# Parent is userinit.exe; excluded are children whose command line references "\netlogon\"
# (logon scripts) and children whose image is explorer.exe (the normal shell).
RuleName = Suspicious Userinit Child Process
EventType = Process.Start
Tag = proc-start-suspicious-userinit-child-process
RiskScore = 50
Query = ((Parent.Path like r"%\\userinit.exe" and not (Process.CommandLine like r"%\\netlogon\\%")) and not (Process.Path like r"%\\explorer.exe"))

[ActivityMonitoringRule]
# Detects WMI executing suspicious commands
# wmic.exe with one of: remote process creation ("/NODE:" ... "process call create"),
# AntiVirusProduct / FirewallProduct queries, or "shadowcopy delete".
RuleName = Suspicious WMI Execution
EventType = Process.Start
Tag = proc-start-suspicious-wmi-execution
RiskScore = 50
Query = ((Process.Path like r"%\\wmic.exe") and (Process.CommandLine like r"%/NODE:%process call create %" or Process.CommandLine like r"% path AntiVirusProduct get %" or Process.CommandLine like r"% path FirewallProduct get %" or Process.CommandLine like r"% shadowcopy delete %"))

[ActivityMonitoringRule]
# Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
# Fires on every tapinstall.exe start; VPN client installs/updates are the expected benign source.
RuleName = Tap Installer Execution
EventType = Process.Start
Tag = proc-start-tap-installer-execution
RiskScore = 50
Query = Process.Path like r"%\\tapinstall.exe"

[ActivityMonitoringRule]
# Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
# NOTE(review): this section duplicates the RuleName and Tag of an earlier "Domain Trust
# Discovery" section in this file. The only logical difference is that this dsquery clause
# does not require "-filter". Whether uberAgent accepts two rules with the same Tag is not
# shown here — if it does not, keep one of the two.
RuleName = Domain Trust Discovery
EventType = Process.Start
Tag = proc-start-domain-trust-discovery
RiskScore = 50
Query = ((Process.Path like r"%\\nltest.exe" and Process.CommandLine like r"%domain\_trusts%") or (Process.Path like r"%\\dsquery.exe" and Process.CommandLine like r"%trustedDomain%"))

[ActivityMonitoringRule]
# Detects a JAVA process running with remote debugging allowing more than just localhost to connect
# JDWP "transport=dt_socket,address=" present, excluding only the literal 127.0.0.1 and
# localhost forms; an "address=<port>" without a host part still matches. No image path check.
RuleName = Java Running with Remote Debugging
EventType = Process.Start
Tag = proc-start-java-running-with-remote-debugging
RiskScore = 50
Query = (Process.CommandLine like r"%transport=dt\_socket,address=%" and not (Process.CommandLine like r"%address=127.0.0.1%" or Process.CommandLine like r"%address=localhost%"))

[ActivityMonitoringRule]
# Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files; this rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
# wmic.exe with a "/format" argument, or any start of msxsl.exe (no argument filter on the latter).
RuleName = XSL Script Processing
EventType = Process.Start
Tag = proc-start-xsl-script-processing
RiskScore = 50
Query = ((Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%/format%") or Process.Path like r"%\\msxsl.exe")

