



uberAgent-ESA-am-sigma-proc-creation-low.conf

The following is the uberAgent-ESA-am-sigma-proc-creation-low.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a commandline, change working directory to the just cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: low (Sigma's lowest severity: notable
# events that are rarely an incident on their own). They are mapped to RiskScore = 25 below
# and are intended to be correlated with other signals rather than alerted on individually.
#

[ActivityMonitoringRule]
# Detects PsExec service installation and execution events (service and Sysmon)
# Matches the PsExec service binary (PSEXESVC.exe) starting under the SYSTEM
# account, which is how PsExec executes commands on the target host.
# NOTE(review): the user match is against the English account name; on a
# localized Windows the SYSTEM account may be reported differently by
# Process.User (e.g. "NT-AUTORITÄT\SYSTEM") — confirm on non-English hosts.
# NOTE(review): PsExec's -r switch renames the service binary, so a renamed
# service does not match this path suffix. The "PsExec Service Start" rule
# further down matches the same binary by its command line.
RuleName = PsExec Tool Execution
EventType = Process.Start
Tag = proc-start-psexec-tool-execution
RiskScore = 25
Query = (Process.Path like r"%\\PSEXESVC.exe" and Process.User like r"NT AUTHORITY\\SYSTEM")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects usage of attrib.exe to hide files from users.
# Fires on "attrib ... +h ..." and excludes two known-benign patterns: desktop.ini
# handling, and "+R +H +S +A <...>.cui" run by cmd.exe from a %SystemRoot%\system32 .bat.
# NOTE(review): " +h " requires a space on both sides, so "+h" as the final token
# is not matched; whether "+H" (upper case) matches depends on the case
# sensitivity of "like" in this uberAgent version — confirm.
RuleName = Hiding Files with Attrib.exe
EventType = Process.Start
Tag = proc-start-hiding-files-with-attrib.exe
RiskScore = 25
Query = ((Process.Path like r"%\\attrib.exe" and Process.CommandLine like r"% +h %") and not ((Process.CommandLine like r"%\\desktop.ini %" or (Parent.Path like r"%\\cmd.exe" and Process.CommandLine like r"+R +H +S +A \\%.cui" and Parent.CommandLine like r"C:\\WINDOWS\\system32\\%.bat"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
# NOTE(review): this is a pure substring match with no Process.Path anchor — any
# command line containing "cmd", "/c" and "assoc" anywhere (including inside a
# path or argument such as "associate") fires. Expect noise; changes made via
# "ftype" or by writing the registry directly are not covered.
RuleName = Change Default File Association
EventType = Process.Start
Tag = proc-start-change-default-file-association
RiskScore = 25
Query = (Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%assoc%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

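[ActivityMonitoringRule]
# Detects usage of cmdkey to look for cached credentials
# "cmdkey /list" enumerates the credentials saved for the current user; attackers
# run it to find stored passwords and the hosts they belong to.
# The pattern is " /list" without a trailing-space requirement: the canonical
# invocation "cmdkey /list" (switch at the end of the command line) is matched,
# as is "cmdkey /list:<target>". The previous " /list " pattern missed the former.
RuleName = Cmdkey Cached Credentials Recon
EventType = Process.Start
Tag = proc-start-cmdkey-cached-credentials-recon
RiskScore = 25
Query = (Process.Path like r"%\\cmdkey.exe" and Process.CommandLine like r"% /list%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP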

[ActivityMonitoringRule]
# An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
# Matches the WinRAR command-line archiver adding files to an archive
# ("rar a <archive> <files>"). Only rar.exe is covered; other archivers
# (7z, zip, tar, Compress-Archive) are not matched by this rule.
RuleName = Data Compressed - rar.exe
EventType = Process.Start
Tag = proc-start-data-compressed-rar.exe
RiskScore = 25
Query = (Process.Path like r"%\\rar.exe" and Process.CommandLine like r"% a %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
# pcalua.exe and forfiles.exe can launch an arbitrary child process, so the
# event of interest is the child: this rule keys on Parent.Path only and does
# not constrain Process.Path. The hashes recorded below (Process.Hash.*) are
# therefore those of the launched child, not of the launcher.
RuleName = Indirect Command Execution
EventType = Process.Start
Tag = proc-start-indirect-command-execution
RiskScore = 25
Query = (Parent.Path like r"%\\pcalua.exe" or Parent.Path like r"%\\forfiles.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
# Same approach as "Indirect Command Execution" above: any process whose parent
# is pcwrun.exe fires; Process.Path is not constrained, and the recorded hashes
# are those of the child process.
RuleName = Indirect Command Execution By Program Compatibility Wizard
EventType = Process.Start
Tag = proc-start-indirect-command-execution-by-program-compatibility-wizard
RiskScore = 25
Query = Parent.Path like r"%\\pcwrun.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Local accounts, System Owner/User discovery using operating systems utilities
# Two selection groups, OR'ed together:
#  1. whoami.exe, "wmic useraccount get", quser.exe/qwinsta.exe, "cmdkey /list",
#     and "cmd /c dir ...\Users\..." — excluding command lines containing " rmdir ".
#  2. net.exe/net1.exe "user" commands that are not account-management switches
#     (/add, /delete, /active, /expires, ...) and not /domain lookups.
# NOTE(review): bare whoami.exe matches unconditionally, so every whoami
# invocation (logon scripts, management tooling) fires this rule.
# The "cmdkey /list" clause overlaps with "Cmdkey Cached Credentials Recon" above.
RuleName = Local Accounts Discovery
EventType = Process.Start
Tag = proc-start-local-accounts-discovery
RiskScore = 25
Query = (((Process.Path like r"%\\whoami.exe" or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%useraccount%" and Process.CommandLine like r"%get%") or (Process.Path like r"%\\quser.exe" or Process.Path like r"%\\qwinsta.exe") or (Process.Path like r"%\\cmdkey.exe" and Process.CommandLine like r"%/list%") or (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%dir %" and Process.CommandLine like r"%\\Users\\%")) and not ((Process.CommandLine like r"% rmdir %"))) or (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%user%") and not ((Process.CommandLine like r"%/domain%" or Process.CommandLine like r"%/add%" or Process.CommandLine like r"%/delete%" or Process.CommandLine like r"%/active%" or Process.CommandLine like r"%/expires%" or Process.CommandLine like r"%/passwordreq%" or Process.CommandLine like r"%/scriptpath%" or Process.CommandLine like r"%/times%" or Process.CommandLine like r"%/workstations%"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
# Matches tshark.exe with a "-i" (interface) argument, or any windump.exe start.
# NOTE(review): "%-i%" is an unanchored substring, so other tshark switches that
# contain "-i" also satisfy it. Capture tools other than these two (e.g. the
# Wireshark GUI, dumpcap.exe, pktmon, netsh trace) are not covered.
RuleName = Network Sniffing
EventType = Process.Start
Tag = proc-start-network-sniffing
RiskScore = 25
Query = ((Process.Path like r"%\\tshark.exe" and Process.CommandLine like r"%-i%") or Process.Path like r"%\\windump.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
# Matches "net view" (net.exe or net1.exe) whose command line contains no
# backslash, i.e. listing the hosts of the domain/workgroup. "net view \\host"
# (listing the shares of one named host) is deliberately excluded by the
# "not ... like '%\\%'" clause.
RuleName = Windows Network Enumeration
EventType = Process.Start
Tag = proc-start-windows-network-enumeration
RiskScore = 25
Query = (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%view%") and not (Process.CommandLine like r"%\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects creation of a new service
# Matches "sc.exe create ... binpath= ..." or powershell.exe running New-Service.
# NOTE(review): the patterns are lower case ("binpath", "new-service") while the
# switch and cmdlet are normally written "binPath=" and "New-Service". This only
# works if "like" is case-insensitive (the "Query Registry" rule below relies on
# the same assumption) — confirm for the uberAgent version in use.
# Only powershell.exe is matched, so New-Service run from pwsh.exe is not covered.
RuleName = New Service Creation
EventType = Process.Start
Tag = proc-start-new-service-creation
RiskScore = 25
Query = ((Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%binpath%") or (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%new-service%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of executables that can be used to bypass Applocker whitelisting
# Substring match on the command line for signed Microsoft binaries that can
# execute attacker-supplied code (msdt, InstallUtil, RegSvcs, RegAsm, MSBuild,
# IEExec). Because Process.Path is not used, any process whose command line
# mentions one of these paths fires — including the parent that launches them.
# NOTE(review): expect noise on build/developer hosts (msbuild.exe) and during
# support sessions (msdt.exe). An invocation without a backslash before the
# file name (e.g. "msbuild proj.csproj" resolved via PATH) is not matched.
RuleName = Possible Applocker Bypass
EventType = Process.Start
Tag = proc-start-possible-applocker-bypass
RiskScore = 25
Query = (Process.CommandLine like r"%\\msdt.exe%" or Process.CommandLine like r"%\\installutil.exe%" or Process.CommandLine like r"%\\regsvcs.exe%" or Process.CommandLine like r"%\\regasm.exe%" or Process.CommandLine like r"%\\msbuild.exe%" or Process.CommandLine like r"%\\ieexec.exe%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect suspicious parent processes of well-known Windows processes
# Core Windows processes (svchost, taskhost, lsm, lsass, services, lsaiso, csrss,
# wininit, winlogon) are expected to be started by a parent living in
# System32 or SysWOW64. Fires when the parent is elsewhere, with exclusions for
# SavService.exe, Windows Defender / Security Client's MsMpEng.exe, and events
# where no parent path was recorded (Parent.Path == '').
# NOTE(review): the System32/SysWOW64 exclusion is a substring match, so a parent
# under any path containing "\System32\" (not only %SystemRoot%) is excluded.
RuleName = Windows Processes Suspicious Parent Directory
EventType = Process.Start
Tag = proc-start-windows-processes-suspicious-parent-directory
RiskScore = 25
Query = ((((Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\taskhost.exe" or Process.Path like r"%\\lsm.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\services.exe" or Process.Path like r"%\\lsaiso.exe" or Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\winlogon.exe") and not (Parent.Path like r"%\\SavService.exe" or (Parent.Path like r"%\\System32\\%" or Parent.Path like r"%\\SysWOW64\\%"))) and not ((Parent.Path like r"%\\Windows Defender\\%" or Parent.Path like r"%\\Microsoft Security Client\\%") and Parent.Path like r"%\\MsMpEng.exe")) and not (Parent.Path == ''))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a PsExec service start
# Exact (no wildcard) command-line match for the PsExec service binary.
# NOTE(review): because the pattern is the literal "C:\Windows\PSEXESVC.exe", it
# misses hosts whose system drive or Windows directory differs, any case
# variation if "like" is case-sensitive, and services renamed with PsExec -r.
# The "PsExec Tool Execution" rule above matches the same binary by path suffix
# and is the more robust of the two; consider whether both are needed.
RuleName = PsExec Service Start
EventType = Process.Start
Tag = proc-start-psexec-service-start
RiskScore = 25
Query = Process.CommandLine like r"C:\\Windows\\PSEXESVC.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
# Matches reg.exe query/save/export against the common autostart locations
# (Run, RunOnce, RunOnceEx, RunServices, RunServicesOnce, Winlogon,
# ShellServiceObjectDelayLoad, Policies\Explorer\Run) and the Services key.
# NOTE(review): the key names are written in mixed case ("currentVersion") while
# "currentcontrolset" is lower case; this rule assumes "like" is case-insensitive.
# "%currentVersion\\run%" also covers runOnce/runServices, so several of the
# listed patterns are redundant but harmless.
RuleName = Query Registry
EventType = Process.Start
Tag = proc-start-query-registry
RiskScore = 25
Query = (Process.Path like r"%\\reg.exe" and (Process.CommandLine like r"%query%" or Process.CommandLine like r"%save%" or Process.CommandLine like r"%export%") and (Process.CommandLine like r"%currentVersion\\windows%" or Process.CommandLine like r"%currentVersion\\runServicesOnce%" or Process.CommandLine like r"%currentVersion\\runServices%" or Process.CommandLine like r"%winlogon\\%" or Process.CommandLine like r"%currentVersion\\shellServiceObjectDelayLoad%" or Process.CommandLine like r"%currentVersion\\runOnce%" or Process.CommandLine like r"%currentVersion\\runOnceEx%" or Process.CommandLine like r"%currentVersion\\run%" or Process.CommandLine like r"%currentVersion\\policies\\explorer\\run%" or Process.CommandLine like r"%currentcontrolset\\services%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the export of the target Registry key to a file.
# Matches "regedit /E <file> <key>". Exports of HKLM\SYSTEM, HKLM\SAM and
# HKLM\SECURITY (credential material) are excluded here — presumably because a
# separate, higher-severity rule covers them; verify that such a rule is deployed.
# NOTE(review): "hkey\_local\_machine" uses "\_". Confirm that uberAgent's "like"
# treats "_" as a single-character wildcard and "\_" as a literal underscore; if
# not, that exclusion never matches and exports spelled HKEY_LOCAL_MACHINE\SAM
# would fire here instead of being excluded.
RuleName = Exports Registry Key To a File
EventType = Process.Start
Tag = proc-start-exports-registry-key-to-a-file
RiskScore = 25
Query = ((Process.Path like r"%\\regedit.exe" and Process.CommandLine like r"% /E %") and not (((Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
# Matches "net time", "w32tm /tz", or powershell.exe with Get-Date on its
# command line.
# NOTE(review): Get-Date is extremely common in benign PowerShell; expect that
# clause to dominate the volume of this rule. Only powershell.exe is matched,
# not pwsh.exe.
RuleName = Discovery of a System Time
EventType = Process.Start
Tag = proc-start-discovery-of-a-system-time
RiskScore = 25
Query = (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%time%") or (Process.Path like r"%\\w32tm.exe" and Process.CommandLine like r"%tz%") or (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%Get-Date%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects manual service execution (start) via system utilities
# Matches "net start <service>" via net.exe or net1.exe. The pattern requires a
# space after "start", so a bare "net start" (which only lists running services)
# is not matched. "sc.exe start" is not covered by this rule.
RuleName = Service Execution
EventType = Process.Start
Tag = proc-start-service-execution
RiskScore = 25
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"% start %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a windows service to be stopped
# Matches sc.exe, net.exe or net1.exe with "stop" anywhere on the command line.
# NOTE(review): "%stop%" is an unanchored substring, so any sc/net command line
# that contains "stop" in a service, share or user name also fires. The
# "Net.exe Execution" rule below matches " stop " for net.exe as well, so a
# single "net stop" generates two events.
RuleName = Stop Windows Service
EventType = Process.Start
Tag = proc-start-stop-windows-service
RiskScore = 25
Query = ((Process.Path like r"%\\sc.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%stop%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process that use escape characters
# Caret insertion (h^t^t^p) and quote insertion (h"t"t"p) are used to split
# "http" across tokens so that naive string matching on URLs in command lines
# fails, while cmd.exe still resolves them to "http".
# NOTE(review): the second pattern depends on \" inside an r"..." literal being
# read as a literal double quote. Confirm this parses as intended in the
# uberAgent config syntax; otherwise only the caret form is detected.
RuleName = Suspicious Commandline Escape
EventType = Process.Start
Tag = proc-start-suspicious-commandline-escape
RiskScore = 25
Query = (Process.CommandLine like r"%h^t^t^p%" or Process.CommandLine like r"%h\"t\"t\"p%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Attackers can use explorer.exe for evading defense mechanisms
# Matches explorer.exe started by cmd.exe with "explorer.exe" present in its own
# command line, i.e. cmd invoking explorer explicitly with arguments rather than
# the shell's normal startup. The hashes recorded are those of explorer.exe, not
# of whatever it was asked to open.
RuleName = Proxy Execution Via Explorer.exe
EventType = Process.Start
Tag = proc-start-proxy-execution-via-explorer.exe
RiskScore = 25
Query = ((Process.Path like r"%\\explorer.exe") and (Parent.Path like r"%\\cmd.exe") and (Process.CommandLine like r"%explorer.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
# NOTE(review): the query matches "net share ... /delete", which removes a share
# served BY this host; disconnecting a mounted (mapped) share is "net use ... /delete",
# which this query does not match. The description and the query disagree —
# confirm which behaviour is intended before relying on this rule.
# The rule also requires net.exe to be the parent of net1.exe (the normal
# net.exe -> net1.exe chain), so a direct net1.exe invocation is not matched.
RuleName = Mounted Share Deleted
EventType = Process.Start
Tag = proc-start-mounted-share-deleted
RiskScore = 25
Query = (Parent.Path like r"%\\net.exe" and Process.Path like r"%\\net1.exe" and Process.CommandLine like r"%share%" and Process.CommandLine like r"%/delete%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of Net.exe, whether suspicious or benign.
# Broad visibility rule: net.exe / net1.exe with one of the sub-commands
# group, localgroup, user, view, share, accounts or stop. Each pattern requires a
# leading space, so the sub-command must be a separate token. This deliberately
# overlaps with the more specific net.exe rules in this file (Local Accounts
# Discovery, Windows Network Enumeration, Stop Windows Service, ...); expect one
# "net" invocation to raise several events.
RuleName = Net.exe Execution
EventType = Process.Start
Tag = proc-start-net.exe-execution
RiskScore = 25
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and (Process.CommandLine like r"% group%" or Process.CommandLine like r"% localgroup%" or Process.CommandLine like r"% user%" or Process.CommandLine like r"% view%" or Process.CommandLine like r"% share%" or Process.CommandLine like r"% accounts%" or Process.CommandLine like r"% stop %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the creation of scheduled tasks in user session
# Matches "schtasks /create ..." when the process is not running as SYSTEM, so
# tasks created by the OS or by management agents running as SYSTEM are filtered out.
# NOTE(review): the SYSTEM exclusion is matched against the English account name;
# on a localized Windows, Process.User may report the account differently and
# SYSTEM-created tasks would then fire here — confirm on non-English hosts.
# Tasks created through the PowerShell ScheduledTasks cmdlets or the Task
# Scheduler COM/API are not covered.
RuleName = Scheduled Task Creation
EventType = Process.Start
Tag = proc-start-scheduled-task-creation
RiskScore = 25
Query = ((Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %") and not (Process.User like r"NT AUTHORITY\\SYSTEM"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the creation of a process from Windows task manager
# Any child of taskmgr.exe other than its own helpers (resmon.exe, mmc.exe, a
# nested taskmgr.exe). Legitimate use of "Run new task" in Task Manager also
# fires this rule; the value is in reviewing what was launched.
RuleName = Taskmgr as Parent
EventType = Process.Start
Tag = proc-start-taskmgr-as-parent
RiskScore = 25
Query = (Parent.Path like r"%\\taskmgr.exe" and not ((Process.Path like r"%\\resmon.exe" or Process.Path like r"%\\mmc.exe" or Process.Path like r"%\\taskmgr.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
# Fires when te.exe starts, or when te.exe is the parent of a new process.
# NOTE(review): the third clause, Process.Name like r"\\te.exe", has no wildcard
# and a leading backslash, so it can only match a process name that is
# literally "\te.exe" — it is effectively dead. It probably should be
# r"te.exe" (if Process.Name is the bare file name) or r"%\\te.exe" (if it
# includes the path); confirm the field's semantics and fix.
RuleName = Malicious Windows Script Components File Execution by TAEF Detection
EventType = Process.Start
Tag = proc-start-malicious-windows-script-components-file-execution-by-taef-detection
RiskScore = 25
Query = (Process.Path like r"%\\te.exe" or Parent.Path like r"%\\te.exe" or Process.Name like r"\\te.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

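[ActivityMonitoringRule]
# Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
# This is a process-start rule: it keys on the EULA switch on the command line,
# not on the EulaAccepted registry value the description refers to.
# Sysinternals tools accept the switch as either "-accepteula" or "/accepteula";
# the original pattern only covered the dash form, so both are matched now.
# NOTE(review): legitimate administrative use of Sysinternals tools fires this
# rule as well; treat it as context rather than as an alert on its own.
RuleName = Usage of Sysinternals Tools
EventType = Process.Start
Tag = proc-start-usage-of-sysinternals-tools
RiskScore = 25
Query = (Process.CommandLine like r"% -accepteula%" or Process.CommandLine like r"% /accepteula%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP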

