



uberAgent-ESA-am-sigma-critical.conf

The following is the uberAgent-ESA-am-sigma-critical.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a command line, change the working directory to the just-cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: critical
#

[ActivityMonitoringRule]
# Detects suspicious DNS queries known from Cobalt Strike beacons
# Both patterns are prefix matches ending in the % wildcard: any queried name
# beginning with "aaa.stage." or "post.1" fires, so the "post.1" prefix in
# particular can collide with unrelated hostnames.
RuleName = Cobalt Strike DNS Beaconing
EventType = Dns.Query
Tag = cobalt-strike-dns-beaconing
RiskScore = 100
Query = (Dns.QueryRequest like r"aaa.stage.%" or Dns.QueryRequest like r"post.1%")
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

[ActivityMonitoringRule]
# Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
# Only threads whose start module ends in \kernel32.dll and whose start
# function is exactly LoadLibraryA are matched; a remote thread started at
# LoadLibraryW or LoadLibraryEx* is outside this rule.
RuleName = CreateRemoteThread API and LoadLibrary
EventType = Process.CreateRemoteThread
Tag = createremotethread-api-and-loadlibrary
RiskScore = 100
Query = (Thread.StartModule like r"%\\kernel32.dll" and Thread.StartFunctionName == "LoadLibraryA")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
# NOTE(review): the query has no exclusion for the legitimate copy under
# C:\Windows\System32\wbem\, whose path also ends in \wbem\wbemcomn.dll, so
# it will presumably fire on ordinary wmiprvse.exe start-up as well; the
# Image.Hash.* properties below are what separates a dropped DLL from the
# genuine one — confirm against the upstream Sigma rule.
RuleName = Wmiprvse Wbemcomn DLL Hijack
EventType = Image.Load
Tag = wmiprvse-wbemcomn-dll-hijack
RiskScore = 100
Query = (Process.Path like r"%\\wmiprvse.exe" and Image.Path like r"%\\wbem\\wbemcomn.dll")
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

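[ActivityMonitoringRule]
# Detects DLL image load activity as used by FoggyWeb backdoor loader
# Fix: the path being tested is the loaded DLL, so it is compared against
# Image.Path (as the other Image.Load rule in this file does), not
# Process.Path — a process image path would not be version.dll, so the
# Process.Path form could not match anything.
RuleName = FoggyWeb Backdoor DLL Loading
EventType = Image.Load
Tag = foggyweb-backdoor-dll-loading
RiskScore = 100
Query = Image.Path like r"C:\\Windows\\ADFS\\version.dll"
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP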

[ActivityMonitoringRule]
# Detects DarkSide Ransomware and helpers
# Two branches: the PowerShell byte-decoding / "-work worker0 -path" command
# lines, or a child of the DllHost /Processid:{...} COM host that runs from
# \AppData\Local\Temp\. NOTE(review): that CLSID is presumably the COM
# elevation host upstream ties to a UAC bypass — confirm before tuning.
RuleName = DarkSide Ransomware Pattern
EventType = Process.Start
Tag = proc-start-darkside-ransomware-pattern
RiskScore = 100
Query = ((Process.CommandLine like r"%=[char][byte]('0x'+%" or Process.CommandLine like r"% -work worker0 -path %") or ((Parent.CommandLine like r"%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%") and (Process.Path like r"%\\AppData\\Local\\Temp\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects LockerGoga Ransomware command line.
# Single literal substring indicator ("-i SM-tgytutrc -s") matched anywhere
# in the command line.
RuleName = LockerGoga Ransomware
EventType = Process.Start
Tag = proc-start-lockergoga-ransomware
RiskScore = 100
Query = Process.CommandLine like r"%-i SM-tgytutrc -s%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Ryuk Ransomware command lines
# Requires net.exe/net1.exe with "stop" in the arguments plus one of three
# service names. Pattern notes: \_ is an escaped literal underscore (same
# convention as dll\_u later in this file) and each bare _ presumably
# matches exactly one character, so the last alternative is unistoresvc_
# followed by five further characters.
RuleName = Ryuk Ransomware
EventType = Process.Start
Tag = proc-start-ryuk-ransomware
RiskScore = 100
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%stop%" and (Process.CommandLine like r"%samss%" or Process.CommandLine like r"%audioendpointbuilder%" or Process.CommandLine like r"%unistoresvc\______%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects FlowCloud malware from threat group TA410.
# Hive lists HKLM and HKU, but every Reg.Key.Target pattern is rooted at
# HKLM; if Hive selects which hives are monitored, HKU only adds event
# volume here — verify before narrowing.
RuleName = FlowCloud Malware
EventType = Reg.Any
Tag = flowcloud-malware
RiskScore = 100
Query = ((Reg.Key.Target like r"HKLM\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" or Reg.Key.Target like r"HKLM\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" or Reg.Key.Target like r"HKLM\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}") or (Reg.Key.Target like r"HKLM\\SYSTEM\\Setup\\PrintResponsor\\%"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects new registry key created by Ursnif malware.
# NOTE(review): the positive pattern spells "Software" while the three
# exclusions spell "SOFTWARE"; unless like is case-insensitive the exclusions
# never apply and this rule also fires on the Internet Explorer, RepService
# and IME subkeys — confirm the matching semantics.
RuleName = Ursnif
EventType = Reg.Any
Tag = ursnif
RiskScore = 100
Query = (Reg.Key.Target like r"%\\Software\\AppDataLow\\Software\\Microsoft\\%" and not ((Reg.Key.Target like r"%\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\Internet Explorer\\%" or Reg.Key.Target like r"%\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\RepService\\%" or Reg.Key.Target like r"%\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\IME\\%")))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
# The first branch only requires the command line to contain \Service.exe and
# to end in "i" or "u" (suffix-only wildcards), which is a loose condition;
# the remaining branches are path and command-line literals.
RuleName = Chafer Activity
EventType = Process.Start
Tag = proc-start-chafer-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%\\Service.exe%" and (Process.CommandLine like r"%i" or Process.CommandLine like r"%u")) or (Process.CommandLine like r"%\\microsoft\\Taskbar\\autoit3.exe" or Process.CommandLine like r"C:\\wsc.exe%") or (Process.Path like r"%\\Windows\\Temp\\DB\\%" and Process.Path like r"%.exe") or (Process.CommandLine like r"%\\nslookup.exe%" and Process.CommandLine like r"%-q=TXT%" and Parent.Path like r"%\\Autoit%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Pandemic Windows Implant
# RuleName mentions a registry key, but this rule only watches Process.Start
# for a "loaddll -a " command-line substring; no registry event is covered.
RuleName = Pandemic Registry Key
EventType = Process.Start
Tag = proc-start-pandemic-registry-key
RiskScore = 100
Query = Process.CommandLine like r"%loaddll -a %"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects automated lateral movement by Turla group
# Escapes: \% is a literal percent sign (environment-variable syntax), \\ a
# single backslash, \" a literal quote. NOTE(review): the share in the first
# pattern therefore carries a single leading backslash before
# %DomainController%; if the intent was the UNC form \\%DomainController%\C$,
# the pattern would need \\\\ — confirm against uberAgent's escaping rules.
RuleName = Turla Group Lateral Movement
EventType = Process.Start
Tag = proc-start-turla-group-lateral-movement
RiskScore = 100
Query = (Process.CommandLine like r"net use \\\%DomainController\%\\C$ \"P@ssw0rd\" %" or Process.CommandLine like r"dir c:\\%.doc% /s" or Process.CommandLine like r"dir \%TEMP\%\\%.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
# Three unordered substring tests on the command line: rundll32.exe, .dll
# and the exported function name StartNodeRelay.
RuleName = F-Secure C3 Load by Rundll32
EventType = Process.Start
Tag = proc-start-f-secure-c3-load-by-rundll32
RiskScore = 100
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%.dll%" and Process.CommandLine like r"%StartNodeRelay%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Rundll32 can be used by Cobalt Strike with StartW function to load DLLs from the command line.
# "%StartW%" is an unanchored substring, so any rundll32 command line naming
# a .dll and an export that merely begins with "StartW" also matches; expect
# to tune on environments that use such exports legitimately.
RuleName = CobaltStrike Load by Rundll32
EventType = Process.Start
Tag = proc-start-cobaltstrike-load-by-rundll32
RiskScore = 100
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%.dll%" and Process.CommandLine like r"%StartW%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Conti ransomware command line ioc
# All six substrings must be present (conjunction): the -m/-net/-size/-nomutex
# switches, a trailing "-p \*" (\\ is a backslash, \* a literal asterisk) and
# a "$" anywhere in the command line.
RuleName = Conti Ransomware Execution
EventType = Process.Start
Tag = proc-start-conti-ransomware-execution
RiskScore = 100
Query = (Process.CommandLine like r"%-m %" and Process.CommandLine like r"%-net %" and Process.CommandLine like r"%-size %" and Process.CommandLine like r"%-nomutex %" and Process.CommandLine like r"%-p \\\*" and Process.CommandLine like r"%$%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
# Matches on the import hash alone. NOTE(review): this value is upper-case
# while the Windows Credential Editor rule below compares lower-case import
# hashes; if == is case-sensitive, only one of the two spellings can match
# the hash as uberAgent reports it — confirm and normalise the case.
RuleName = Dumpert Process Dumper
EventType = Process.Start
Tag = proc-start-dumpert-process-dumper
RiskScore = 100
Query = Process.Hash.IMP == "09D278F9DE118EF09163C6140255C690"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
# Scoped to cmd.exe spawned by winlogon.exe with one of six accessibility
# binaries named on its command line; the registry write that installs the
# debugger is not itself covered by this rule.
RuleName = Sticky Key Like Backdoor Usage
EventType = Process.Start
Tag = proc-start-sticky-key-like-backdoor-usage
RiskScore = 100
Query = (Parent.Path like r"%\\winlogon.exe" and Process.Path like r"%\\cmd.exe" and (Process.CommandLine like r"%sethc.exe%" or Process.CommandLine like r"%utilman.exe%" or Process.CommandLine like r"%osk.exe%" or Process.CommandLine like r"%Magnify.exe%" or Process.CommandLine like r"%Narrator.exe%" or Process.CommandLine like r"%DisplaySwitch.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects UAC bypass method using Windows event viewer
# Fires for any child of eventvwr.exe other than mmc.exe, its expected child.
RuleName = UAC Bypass via Event Viewer
EventType = Process.Start
Tag = proc-start-uac-bypass-via-event-viewer
RiskScore = 100
Query = (Parent.Path like r"%\\eventvwr.exe" and not (Process.Path like r"%\\mmc.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations
# NOTE(review): elsewhere in this file \\ denotes a single backslash (e.g.
# %\\kernel32.dll), so " -FilePath \\127.0.0.1\\C$" expands to a single
# leading backslash and would not match the UNC form \\127.0.0.1\C$ —
# confirm against uberAgent's escaping rules.
RuleName = Suspicious PowerShell Mailbox Export to Share
EventType = Process.Start
Tag = proc-start-suspicious-powershell-mailbox-export-to-share
RiskScore = 100
Query = (Process.CommandLine like r"%New-MailboxExport%" and Process.CommandLine like r"% -Mailbox %" and Process.CommandLine like r"% -FilePath \\127.0.0.1\\C$%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detecting DNS tunnel activity for Muddywater actor
# Parent/child pair: excel.exe launching powershell.exe with DataExchange.dll
# on the command line; the DNS traffic itself is not inspected by this rule.
RuleName = DNS Tunnel Technique from MuddyWater
EventType = Process.Start
Tag = proc-start-dns-tunnel-technique-from-muddywater
RiskScore = 100
Query = ((Process.Path like r"%\\powershell.exe") and (Parent.Path like r"%\\excel.exe") and (Process.CommandLine like r"%DataExchange.dll%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawning by Exchange Server's Unified Messaging service
# Any child of UMWorkerProcess.exe fires except the two error-reporting
# binaries (wermgr.exe, WerFault.exe).
RuleName = CVE-2021-26857 Exchange Exploitation
EventType = Process.Start
Tag = proc-start-cve-2021-26857-exchange-exploitation
RiskScore = 100
Query = (Parent.Path like r"%UMWorkerProcess.exe" and not ((Process.Path like r"%wermgr.exe" or Process.Path like r"%WerFault.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Windows Credential Editor (WCE)
# Two ways in: a known import hash (lower-case values, unlike the upper-case
# one in the Dumpert rule above) or a service-started "*.exe -S" command
# line; clussvc.exe is excluded as a known benign match.
RuleName = Windows Credential Editor
EventType = Process.Start
Tag = proc-start-windows-credential-editor
RiskScore = 100
Query = ((Process.Hash.IMP in ["a53a02b997935fd8eedcb5f7abab9b9f", "e96a73c7bf33a464c510ede582318bf2"] or (Process.CommandLine like r"%.exe -S" and Parent.Path like r"%\\services.exe")) and not (Process.Path like r"%\\clussvc.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
# Requires the UpdateDeploymentProvider / .dll / RunHandlerComServer trio on
# the command line and excludes the two forms the genuine update client uses.
RuleName = Proxy Execution via Wuauclt
EventType = Process.Start
Tag = proc-start-proxy-execution-via-wuauclt
RiskScore = 100
Query = (((Process.Path like r"%wuauclt%" or Process.Name == "wuauclt.exe") and (Process.CommandLine like r"%UpdateDeploymentProvider%" and Process.CommandLine like r"%.dll%" and Process.CommandLine like r"%RunHandlerComServer%")) and not ((Process.CommandLine like r"% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %" or Process.CommandLine like r"% wuaueng.dll %")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
# Four substrings (-noni, -ep, bypass, $) must all occur; nothing in the
# query ties the rule to powershell.exe itself.
RuleName = APT29
EventType = Process.Start
Tag = proc-start-apt29
RiskScore = 100
Query = (Process.CommandLine like r"%-noni%" and Process.CommandLine like r"%-ep%" and Process.CommandLine like r"%bypass%" and Process.CommandLine like r"%$%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
# Branch 1: xcopy.exe with the /S /E /C /Q /H switches and a command line
# ending in "\*". Branch 2: adexplorer.exe -snapshot with an empty quoted
# argument (\"\") and a c:\users\ path.
RuleName = Judgement Panda Credential Access Activity
EventType = Process.Start
Tag = proc-start-judgement-panda-credential-access-activity
RiskScore = 100
Query = ((Process.Path like r"%\\xcopy.exe" and Process.CommandLine like r"%/S%" and Process.CommandLine like r"%/E%" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%/Q%" and Process.CommandLine like r"%/H%" and Process.CommandLine like r"%\\\*") or (Process.Path like r"%\\adexplorer.exe" and Process.CommandLine like r"%-snapshot%" and Process.CommandLine like r"%\"\"%" and Process.CommandLine like r"%c:\\users\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
# A command line under \AppData\Local\ combined with either a regsvr32 token
# or the ",DllEntry" export separator.
RuleName = BlueMashroom DLL Load
EventType = Process.Start
Tag = proc-start-bluemashroom-dll-load
RiskScore = 100
Query = (Process.CommandLine like r"%\\AppData\\Local\\%" and (Process.CommandLine like r"%\\regsvr32%" or Process.CommandLine like r"%,DllEntry%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious file execution by wscript and cscript
# Despite the description, only cscript.exe is matched (Process.Path); a
# wscript.exe launch with the same .vbs "/shell" arguments would not fire.
RuleName = WMIExec VBS Script
EventType = Process.Start
Tag = proc-start-wmiexec-vbs-script
RiskScore = 100
Query = (Process.Path like r"%\\cscript.exe" and Process.CommandLine like r"%.vbs%" and Process.CommandLine like r"%/shell%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects CrackMapExecWin Activity as Described by NCSC
# Filename-only match on the process path; a renamed binary is not covered,
# so treat this as a low-effort indicator rather than a behavioural one.
RuleName = CrackMapExecWin
EventType = Process.Start
Tag = proc-start-crackmapexecwin
RiskScore = 100
Query = (Process.Path like r"%\\crackmapexec.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Elise backdoor activity as used by APT32
# Either the SysWOW64 cmd.exe referencing NavShExt.dll under \Windows\Caches\,
# or the Roaming-profile short-path (MICROS~1) variant with the ",Setting"
# export suffix.
RuleName = Elise Backdoor
EventType = Process.Start
Tag = proc-start-elise-backdoor
RiskScore = 100
Query = ((Process.Path like r"C:\\Windows\\SysWOW64\\cmd.exe" and Process.CommandLine like r"%\\Windows\\Caches\\NavShExt.dll %") or Process.CommandLine like r"%\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
# Parent/child pair only: sllauncher.exe spawning svchost.exe.
RuleName = Emissary Panda Malware SLLauncher
EventType = Process.Start
Tag = proc-start-emissary-panda-malware-sllauncher
RiskScore = 100
Query = (Parent.Path like r"%\\sllauncher.exe" and Process.Path like r"%\\svchost.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a specific tool and export used by EquationGroup
# \_ is an escaped literal underscore, so the export matched is dll_u, either
# as a rundll32 ",dll_u" suffix or as a " -export dll_u " argument.
RuleName = Equation Group DLL_U Load
EventType = Process.Start
Tag = proc-start-equation-group-dll_u-load
RiskScore = 100
Query = ((Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%,dll\_u") or Process.CommandLine like r"% -export dll\_u %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
# regsvr32 /s /i of an .ocx file under \AppData\Roaming\; all five substrings
# must be present on the command line.
RuleName = EvilNum Golden Chickens Deployment via OCX Files
EventType = Process.Start
Tag = proc-start-evilnum-golden-chickens-deployment-via-ocx-files
RiskScore = 100
Query = (Process.CommandLine like r"%regsvr32%" and Process.CommandLine like r"%/s%" and Process.CommandLine like r"%/i%" and Process.CommandLine like r"%\\AppData\\Roaming\\%" and Process.CommandLine like r"%.ocx%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects tools and process executions as observed in a Greenbug campaign in May 2020
# Four OR-ed branches: bitsadmin /transfer into CSIDL_APPDATA (\_ = literal
# underscore); any CSIDL_SYSTEM_DRIVE reference; a list of PowerShell and
# reverse-shell command-line fragments (L3NlcnZlcj1 is a base64-looking
# fragment); and a list of known drop paths.
RuleName = Greenbug Campaign Indicators
EventType = Process.Start
Tag = proc-start-greenbug-campaign-indicators
RiskScore = 100
Query = ((Process.CommandLine like r"%bitsadmin%" and Process.CommandLine like r"%/transfer%" and Process.CommandLine like r"%CSIDL\_APPDATA%") or (Process.CommandLine like r"%CSIDL\_SYSTEM\_DRIVE%") or (Process.CommandLine like r"%\\msf.ps1%" or Process.CommandLine like r"%8989 -e cmd.exe%" or Process.CommandLine like r"%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%" or Process.CommandLine like r"%-nop -w hidden -c $k=new-object%" or Process.CommandLine like r"%[Net.CredentialCache]::DefaultCredentials;IEX %" or Process.CommandLine like r"% -nop -w hidden -c $m=new-object net.webclient;$m%" or Process.CommandLine like r"%-noninteractive -executionpolicy bypass whoami%" or Process.CommandLine like r"%-noninteractive -executionpolicy bypass netstat -a%" or Process.CommandLine like r"%L3NlcnZlcj1%") or (Process.Path like r"%\\adobe\\Adobe.exe" or Process.Path like r"%\\oracle\\local.exe" or Process.Path like r"%\\revshell.exe" or Process.Path like r"%infopagesbackup\\ncat.exe" or Process.Path like r"%CSIDL\_SYSTEM\\cmd.exe" or Process.Path like r"%\\programdata\\oracle\\java.exe" or Process.Path like r"%CSIDL\_COMMON\_APPDATA\\comms\\comms.exe" or Process.Path like r"%\\Programdata\\VMware\\Vmware.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
# NOTE(review): "copy .\\1.7z \\%" and "copy \\client\\c$\\aaaa\\" encode one
# backslash per \\, so the share references here carry a single backslash;
# if the intent was the UNC form \\client\c$\..., the pattern would need
# \\\\ — confirm against uberAgent's escaping rules.
RuleName = Judgement Panda Exfil Activity
EventType = Process.Start
Tag = proc-start-judgement-panda-exfil-activity
RiskScore = 100
Query = (Process.CommandLine like r"%eprod.ldf" or (Process.CommandLine like r"%\\ldifde.exe -f -n %" or Process.CommandLine like r"%\\7za.exe a 1.7z %" or Process.CommandLine like r"%\\aaaa\\procdump64.exe%" or Process.CommandLine like r"%\\aaaa\\netsess.exe%" or Process.CommandLine like r"%\\aaaa\\7za.exe%" or Process.CommandLine like r"%copy .\\1.7z \\%" or Process.CommandLine like r"%copy \\client\\c$\\aaaa\\%") or Process.Path like r"C:\\Users\\Public\\7za.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
# Matched on the PowerShell command line (Process.Start), not on the registry
# event itself; Check\_Associations is a literal underscore.
RuleName = Ke3chang Registry Key Modifications
EventType = Process.Start
Tag = proc-start-ke3chang-registry-key-modifications
RiskScore = 100
Query = (Process.CommandLine like r"%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%" or Process.CommandLine like r"%-Property String -name Check\_Associations -value%" or Process.CommandLine like r"%-Property DWORD -name IEHarden -value 0 -Force%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
# Three branches: mshta with a .zip argument; wmiprvse.exe -> mshta.exe by
# full path (the same pair the TA505 rule further down matches by file
# name); and rundll32.exe started from a \Users\Public\ parent.
RuleName = Lazarus Activity
EventType = Process.Start
Tag = proc-start-lazarus-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%mshta%" and Process.CommandLine like r"%.zip%") or ((Parent.Path like r"C:\\Windows\\System32\\wbem\\wmiprvse.exe") and (Process.Path like r"C:\\Windows\\System32\\mshta.exe")) or ((Parent.Path like r"%:\\Users\\Public\\%") and (Process.Path like r"C:\\Windows\\System32\\rundll32.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

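[ActivityMonitoringRule]
# Detects different process creation events as described in various threat reports on Lazarus group activity
# RuleName and Tag given distinct (constructed) values so this rule no longer
# shares the name and tag of the "Lazarus Activity" rule above; with identical
# tags the two rules' hits could not be told apart downstream.
# Escapes: \% is a literal percent sign, \_ a literal underscore. The second
# command-line fragment contains a literal "#" and a "$"; this relies on the
# parser not treating "#" inside a value as a comment start — confirm.
RuleName = Lazarus Activity (Various Reports)
EventType = Process.Start
Tag = proc-start-lazarus-activity-various-reports
RiskScore = 100
Query = ((Process.CommandLine like r"%reg.exe save hklm\\sam \%temp\%\\~reg\_sam.save%" or Process.CommandLine like r"%1q2w3e4r@#$@#$@#$%" or Process.CommandLine like r"% -hp1q2w3e4 %" or Process.CommandLine like r"%.dat data03 10000 -p %") or (Process.CommandLine like r"%process call create%" and Process.CommandLine like r"% > \%temp\%\\~%") or (Process.CommandLine like r"%netstat -aon | find %" and Process.CommandLine like r"% > \%temp\%\\~%") or (Process.CommandLine like r"%.255 10 C:\\ProgramData\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP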

[ActivityMonitoringRule]
# Detects different loaders as described in various threat reports on Lazarus group activity
# cmd.exe /c with a "-p 0x" argument referencing ProgramData or RECYCLER, or
# rundll32 of a ProgramData file with a non-DLL extension followed by the
# export comma (.bin, .tmp, .dat, .io, .ini, .db).
RuleName = Lazarus Loaders
EventType = Process.Start
Tag = proc-start-lazarus-loaders
RiskScore = 100
Query = ((Process.CommandLine like r"%cmd.exe /c %" and Process.CommandLine like r"% -p 0x%" and (Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\RECYCLER\\%")) or (Process.CommandLine like r"%rundll32.exe %" and Process.CommandLine like r"%C:\\ProgramData\\%" and (Process.CommandLine like r"%.bin,%" or Process.CommandLine like r"%.tmp,%" or Process.CommandLine like r"%.dat,%" or Process.CommandLine like r"%.io,%" or Process.CommandLine like r"%.ini,%" or Process.CommandLine like r"%.db,%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
# Both halves are required: one of the command-line fragments AND one of the
# four drop paths. The long Set-MpPreference literal must match verbatim, so
# any reordering or respacing of its switches defeats that branch; \% is a
# literal percent sign.
RuleName = REvil Kaseya Incident Malware Patterns
EventType = Process.Start
Tag = proc-start-revil-kaseya-incident-malware-patterns
RiskScore = 100
Query = ((Process.CommandLine like r"%C:\\Windows\\cert.exe%" or Process.CommandLine like r"%Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled%" or Process.CommandLine like r"%del /q /f c:\\kworking\\agent.crt%" or Process.CommandLine like r"%Kaseya VSA Agent Hot-fix%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\MsMpEng.exe%" or Process.CommandLine like r"%rmdir /s /q \%SystemDrive\%\\inetpub\\logs%" or Process.CommandLine like r"%del /s /q /f \%SystemDrive\%\\%.log%" or Process.CommandLine like r"%c:\\kworking1\\agent.exe%" or Process.CommandLine like r"%c:\\kworking1\\agent.crt%") and (Process.Path like r"C:\\Windows\\MsMpEng.exe" or Process.Path like r"C:\\Windows\\cert.exe" or Process.Path like r"C:\\kworking\\agent.exe" or Process.Path like r"C:\\kworking1\\agent.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Trojan loader activity as used by APT28
# rundll32 with an %APPDATA% path (\% = literal percent) and either a .dat",
# or .dll",#1 argument (\" = literal quote). The "#1" inside the second value
# relies on the parser not treating "#" as an inline comment start — confirm.
RuleName = Sofacy Trojan Loader Activity
EventType = Process.Start
Tag = proc-start-sofacy-trojan-loader-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%\%APPDATA\%\\%") and (Process.CommandLine like r"%.dat\",%" or Process.CommandLine like r"%.dll\",#1"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
# File-name match on the wmiprvse.exe -> mshta.exe pair; the Lazarus Activity
# rule above matches the same pair by full path, so both can fire on one
# event.
RuleName = TA505 Dropper Load Pattern
EventType = Process.Start
Tag = proc-start-ta505-dropper-load-pattern
RiskScore = 100
Query = (Process.Path like r"%\\mshta.exe" and Parent.Path like r"%\\wmiprvse.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process characteristics of Chinese TAIDOOR RAT malware load
# Matches the MyStart export either joined to "dll" (comma or space) or as
# the trailing argument of a rundll32.exe command line.
RuleName = TAIDOOR RAT DLL Load
EventType = Process.Start
Tag = proc-start-taidoor-rat-dll-load
RiskScore = 100
Query = ((Process.CommandLine like r"%dll,MyStart%" or Process.CommandLine like r"%dll MyStart%") or ((Process.CommandLine like r"% MyStart") and (Process.CommandLine like r"%rundll32.exe%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects commands used by Turla group as reported by ESET in May 2020
# The backtick-split "Fr`omBa`se6`4Str`ing" is matched literally (an
# obfuscated PowerShell spelling); the second branch pairs "net use" to
# docs.live.net with an @aol.co.uk account on the same command line.
RuleName = Turla Group Commands May 2020
EventType = Process.Start
Tag = proc-start-turla-group-commands-may-2020
RiskScore = 100
Query = ((Process.CommandLine like r"%tracert -h 10 yahoo.com%" or Process.CommandLine like r"%.WSqmCons))|iex;%" or Process.CommandLine like r"%Fr`omBa`se6`4Str`ing%") or (Process.CommandLine like r"%net use https://docs.live.net%" and Process.CommandLine like r"%@aol.co.uk%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
# Five OR-ed branches; the last (rundll32.exe -> dllhost.exe) excludes an
# empty or single-space command line. \_ in "Tk\_" is a literal underscore.
RuleName = UNC2452 Process Creation Patterns
EventType = Process.Start
Tag = proc-start-unc2452-process-creation-patterns
RiskScore = 100
Query = (((((Process.CommandLine like r"%7z.exe a -v500m -mx9 -r0 -p%") or (Parent.CommandLine like r"%wscript.exe%" and Parent.CommandLine like r"%.vbs%" and Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%C:\\Windows%" and Process.CommandLine like r"%.dll,Tk\_%")) or (Parent.Path like r"%\\rundll32.exe" and Parent.CommandLine like r"%C:\\Windows%" and Process.CommandLine like r"%cmd.exe /C %")) or (Process.CommandLine like r"%rundll32 c:\\windows\\%" and Process.CommandLine like r"%.dll %")) or ((Parent.Path like r"%\\rundll32.exe" and Process.Path like r"%\\dllhost.exe") and not (Process.CommandLine in [" ", ""])))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
# Remote process creation via Invoke-WMIMethod or "wmic /node:" that launches
# rundll32 from c:\windows; win32\_process is a literal underscore, \" a
# literal quote.
RuleName = UNC2452 PowerShell Pattern
EventType = Process.Start
Tag = proc-start-unc2452-powershell-pattern
RiskScore = 100
Query = ((Process.CommandLine like r"%Invoke-WMIMethod win32\_process -name create -argumentlist%" and Process.CommandLine like r"%rundll32 c:\\windows%") or (Process.CommandLine like r"%wmic /node:%" and Process.CommandLine like r"%process call create \"rundll32 c:\\windows%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
# Path-based parent/child combinations around C:\ProgramData\DRM; the
# Process.Path and Parent.Path literals ending in % are prefix matches.
RuleName = Winnti Malware HK University Campaign
EventType = Process.Start
Tag = proc-start-winnti-malware-hk-university-campaign
RiskScore = 100
Query = (((Parent.Path like r"%C:\\Windows\\Temp%" or Parent.Path like r"%\\hpqhvind.exe%") and Process.Path like r"C:\\ProgramData\\DRM%") or (Parent.Path like r"C:\\ProgramData\\DRM%" and Process.Path like r"%\\wmplayer.exe") or (Parent.Path like r"%\\Test.exe" and Process.Path like r"%\\wmplayer.exe") or Process.Path like r"C:\\ProgramData\\DRM\\CLR\\CLR.exe" or (Parent.Path like r"C:\\ProgramData\\DRM\\Windows%" and Process.Path like r"%\\SearchFilterHost.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process characteristics of Winnti Pipemon malware reported by ESET
# "setup0.exe -p" anywhere, or setup.exe with a command line ending in
# -x:0 / -x:1 / -x:2 (suffix-only wildcards).
RuleName = Winnti Pipemon Characteristics
EventType = Process.Start
Tag = proc-start-winnti-pipemon-characteristics
RiskScore = 100
Query = ((Process.CommandLine like r"%setup0.exe -p%") or (Process.CommandLine like r"%setup.exe%" and (Process.CommandLine like r"%-x:0" or Process.CommandLine like r"%-x:1" or Process.CommandLine like r"%-x:2")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a ZxShell start by the called and well-known function name
# Requires rundll32.exe as the image and either the zxFunction or the RemoteDiskXXXXX export name anywhere in the command line.
RuleName = ZxShell Malware
EventType = Process.Start
Tag = proc-start-zxshell-malware
RiskScore = 100
Query = ((Process.Path like r"%\\rundll32.exe") and (Process.CommandLine like r"%zxFunction%" or Process.CommandLine like r"%RemoteDiskXXXXX%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the malicious use of a control panel item
# Two branches: a command line ending in .cpl that does not reference \System32\ or %System%, or reg.exe add touching CurrentVersion\Control Panel\CPLs.
# NOTE(review): \% is presumably an escaped literal percent sign so the %System% environment-variable form is excluded as well - confirm against the query-language docs.
RuleName = Control Panel Items
EventType = Process.Start
Tag = proc-start-control-panel-items
RiskScore = 100
Query = ((Process.CommandLine like r"%.cpl" and not ((Process.CommandLine like r"%\\System32\\%" or Process.CommandLine like r"%\%System\%%"))) or (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%add%" and (Process.CommandLine like r"%CurrentVersion\\Control Panel\\CPLs%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process characteristics of Maze ransomware word document droppers
# Three branches: WINWORD.exe spawning a .tmp image, wmic.exe launched from a \Temp\ parent with a command line ending in "shadowcopy delete",
# or any "shadowcopy delete" command line that reaches system32 through a ..\..\system32 relative path.
RuleName = Maze Ransomware
EventType = Process.Start
Tag = proc-start-maze-ransomware
RiskScore = 100
Query = (((Parent.Path like r"%\\WINWORD.exe") and (Process.Path like r"%.tmp")) or (Process.Path like r"%\\wmic.exe" and Parent.Path like r"%\\Temp\\%" and Process.CommandLine like r"%shadowcopy delete") or (Process.CommandLine like r"%shadowcopy delete" and Process.CommandLine like r"%\\..\\..\\system32%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process characteristics of Snatch ransomware word document droppers
# Matches the forced immediate reboot "shutdown /r /f /t 00" or "net stop SuperBackupMan" anywhere in a command line.
# The shutdown pattern is not unique to Snatch and may also appear in administrative scripts; verify the parent and hashes on a hit.
RuleName = Snatch Ransomware
EventType = Process.Start
Tag = proc-start-snatch-ransomware
RiskScore = 100
Query = (Process.CommandLine like r"%shutdown /r /f /t 00%" or Process.CommandLine like r"%net stop SuperBackupMan%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a base64 encoded FromBase64String keyword in a process command line
# The three patterns are the three base64 alignments of the "::FromBase64String" text, so the keyword is found regardless of its byte offset inside an encoded command.
RuleName = Encoded FromBase64String
EventType = Process.Start
Tag = proc-start-encoded-frombase64string
RiskScore = 100
Query = (Process.CommandLine like r"%OjpGcm9tQmFzZTY0U3RyaW5n%" or Process.CommandLine like r"%o6RnJvbUJhc2U2NFN0cmluZ%" or Process.CommandLine like r"%6OkZyb21CYXNlNjRTdHJpbm%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a base64 encoded IEX command string in a process command line
# The twelve patterns are the base64 alignments of "IEX ([" / "iex ([" and "IEX (New" / "iex (New" (e.g. SUVYIChb is "IEX ([", SUVYIChOZX is "IEX (Ne").
RuleName = Encoded IEX
EventType = Process.Start
Tag = proc-start-encoded-iex
RiskScore = 100
Query = (Process.CommandLine like r"%SUVYIChb%" or Process.CommandLine like r"%lFWCAoW%" or Process.CommandLine like r"%JRVggKF%" or Process.CommandLine like r"%aWV4IChb%" or Process.CommandLine like r"%lleCAoW%" or Process.CommandLine like r"%pZXggKF%" or Process.CommandLine like r"%aWV4IChOZX%" or Process.CommandLine like r"%lleCAoTmV3%" or Process.CommandLine like r"%pZXggKE5ld%" or Process.CommandLine like r"%SUVYIChOZX%" or Process.CommandLine like r"%lFWCAoTmV3%" or Process.CommandLine like r"%JRVggKE5ld%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Potential adversaries stopping ETW providers recording loaded .NET assemblies.
# Matches COMPlus_ETWEnabled=0 anywhere in a command line (\_ is a literal underscore, not a wildcard).
# Only the command-line form is covered; the same setting applied through the registry or an inherited environment block is not visible to this Process.Start rule.
RuleName = COMPlus_ETWEnabled Command Line Arguments
EventType = Process.Start
Tag = proc-start-complus_etwenabled-command-line-arguments
RiskScore = 100
Query = Process.CommandLine like r"%COMPlus\_ETWEnabled=0%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
# Parent/child pair only: WINWORD.EXE spawning an image named MicroScMgmt.exe.
RuleName = Exploit for CVE-2015-1641
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2015-1641
RiskScore = 100
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\MicroScMgmt.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
# No child filter is applied: every process whose parent is EQNEDT32.EXE (Equation Editor) fires.
RuleName = Droppers Exploiting CVE-2017-11882
EventType = Process.Start
Tag = proc-start-droppers-exploiting-cve-2017-11882
RiskScore = 100
Query = Parent.Path like r"%\\EQNEDT32.EXE"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
# Parent/child pair only: WINWORD.EXE spawning csc.exe (the .NET C# compiler).
RuleName = Exploit for CVE-2017-8759
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2017-8759
RiskScore = 100
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\csc.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
# The bundled JRE (DesktopCentral_Server\jre\bin\java.exe) spawning cmd.exe, powershell.exe or bitsadmin.exe.
RuleName = Exploited CVE-2020-10189 Zoho ManageEngine
EventType = Process.Start
Tag = proc-start-exploited-cve-2020-10189-zoho-manageengine
RiskScore = 100
Query = (Parent.Path like r"%DesktopCentral\_Server\\jre\\bin\\java.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\bitsadmin.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
# Any child of System32\dns.exe fires except werfault.exe, conhost.exe and dnscmd.exe; extend the exclusion list if the DNS role legitimately spawns other helpers in your environment.
RuleName = DNS RCE CVE-2020-1350
EventType = Process.Start
Tag = proc-start-dns-rce-cve-2020-1350
RiskScore = 100
Query = (Parent.Path like r"%\\System32\\dns.exe" and not ((Process.Path like r"%\\System32\\werfault.exe" or Process.Path like r"%\\System32\\conhost.exe" or Process.Path like r"%\\System32\\dnscmd.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the exploitation of PrintNightmare to get a shell as LOCAL_SYSTEM
# Indicators are the printnightmare.gentilkiwi.com host name, the " /user:gentilguest " credential and the "Kiwi Legit Printer" printer name.
# These are fingerprints of that specific proof-of-concept script, not of PrintNightmare exploitation in general.
RuleName = SystemNightmare Exploitation Script Execution
EventType = Process.Start
Tag = proc-start-systemnightmare-exploitation-script-execution
RiskScore = 100
Query = (Process.CommandLine like r"%printnightmare.gentilkiwi.com%" or Process.CommandLine like r"% /user:gentilguest %" or Process.CommandLine like r"%Kiwi Legit Printer%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service
# Requires both " --adcs " and " --port " (with surrounding spaces) in the same command line; the binary name is not checked.
RuleName = ADCSPwn Hack Tool
EventType = Process.Start
Tag = proc-start-adcspwn-hack-tool
RiskScore = 100
Query = (Process.CommandLine like r"% --adcs %" and Process.CommandLine like r"% --port %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command line parameters used by Rubeus hack tool
# Each term is a Rubeus action plus its characteristic argument, surrounded by spaces. Matching is on the command line only,
# so a renamed Rubeus binary is still caught, whereas a rebuilt tool with renamed actions/switches is not.
RuleName = Rubeus Hack Tool
EventType = Process.Start
Tag = proc-start-rubeus-hack-tool
RiskScore = 100
Query = (Process.CommandLine like r"% asreproast %" or Process.CommandLine like r"% dump /service:krbtgt %" or Process.CommandLine like r"% kerberoast %" or Process.CommandLine like r"% createnetonly /program:%" or Process.CommandLine like r"% ptt /ticket:%" or Process.CommandLine like r"% /impersonateuser:%" or Process.CommandLine like r"% renew /ticket:%" or Process.CommandLine like r"% asktgt /user:%" or Process.CommandLine like r"% harvest /interval:%" or Process.CommandLine like r"% s4u /user:%" or Process.CommandLine like r"% s4u /ticket:%" or Process.CommandLine like r"% hash /password:%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of SecurityXploded Tools
# Fires on the "SecurityXploded" company string in the image's version info, or on an image path / process name ending in PasswordDump.exe.
RuleName = SecurityXploded Tool
EventType = Process.Start
Tag = proc-start-securityxploded-tool
RiskScore = 100
Query = (Process.Company == "SecurityXploded" or Process.Path like r"%PasswordDump.exe" or Process.Name like r"%PasswordDump.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
# Requires cmd.exe and the "&1" output redirection in the command line, then one of two shapes:
#   - /Q /c with a \\127.0.0.1\ share path, parented by wmiprvse.exe, mmc.exe, explorer.exe or services.exe (wmiexec/dcomexec/smbexec style)
#   - /C with a Windows\Temp\ path, parented by "svchost.exe -k netsvcs" or taskeng.exe (atexec style)
RuleName = Impacket Lateralization Detection
EventType = Process.Start
Tag = proc-start-impacket-lateralization-detection
RiskScore = 100
Query = (Process.CommandLine like r"%cmd.exe%" and Process.CommandLine like r"%&1%" and (((Parent.Path like r"%\\wmiprvse.exe" or Parent.Path like r"%\\mmc.exe" or Parent.Path like r"%\\explorer.exe" or Parent.Path like r"%\\services.exe") and Process.CommandLine like r"%/Q%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%\\\\127.0.0.1\\%") or ((Parent.CommandLine like r"%svchost.exe -k netsvcs%" or Parent.CommandLine like r"%taskeng.exe%") and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%Windows\\Temp\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects typical Dridex process patterns
# Either svchost.exe started with a C:\Users\...\Desktop\ path on its command line, or svchost.exe as the parent of "whoami ... all" or "net/net1 view".
RuleName = Dridex Process Pattern
EventType = Process.Start
Tag = proc-start-dridex-process-pattern
RiskScore = 100
Query = ((Process.Path like r"%\\svchost.exe" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\Desktop\\%") or (Parent.Path like r"%\\svchost.exe" and ((Process.Path like r"%\\whoami.exe" and Process.CommandLine like r"%all%") or ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%view%"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process parameters as seen in DTRACK infections
# Single command-line indicator: " echo EEEE > " (the surrounding spaces are part of the pattern).
RuleName = DTRACK Process Creation
EventType = Process.Start
Tag = proc-start-dtrack-process-creation
RiskScore = 100
Query = Process.CommandLine like r"% echo EEEE > %"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects all Emotet like process executions that are not covered by the more generic rules
# The base64 terms are UTF-16LE PowerShell fragments as produced by -EncodedCommand, e.g. JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ decodes to "$env:userprofile";
# " -e% PAA" catches an -e/-enc switch whose encoded payload begins with "<".
RuleName = Emotet Process Creation
EventType = Process.Start
Tag = proc-start-emotet-process-creation
RiskScore = 100
Query = (Process.CommandLine like r"% -e% PAA%" or Process.CommandLine like r"%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%" or Process.CommandLine like r"%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%" or Process.CommandLine like r"%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%" or Process.CommandLine like r"%IgAoACcAKgAnACkAOwAkA%" or Process.CommandLine like r"%IAKAAnACoAJwApADsAJA%" or Process.CommandLine like r"%iACgAJwAqACcAKQA7ACQA%" or Process.CommandLine like r"%JABGAGwAeAByAGgAYwBmAGQ%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent processes with command line parameters.
# The parent's command line must be a bare C:\Windows\System32\ or C:\Windows\SysWOW64\ image path ending in .exe (no arguments);
# the child's command line must reference C:\Users\ and an .exe, and be either "/c ... del" against AppData\Local\Temp\ or \Desktop\, or "/C ... type nul >" against \Desktop\.
RuleName = Formbook Process Creation
EventType = Process.Start
Tag = proc-start-formbook-process-creation
RiskScore = 100
Query = ((Parent.CommandLine like r"C:\\Windows\\System32\\%" or Parent.CommandLine like r"C:\\Windows\\SysWOW64\\%") and (Parent.CommandLine like r"%.exe") and Process.CommandLine like r"%C:\\Users\\%" and ((Process.CommandLine like r"%/c%" and Process.CommandLine like r"%del%" and Process.CommandLine like r"%\\AppData\\Local\\Temp\\%") or (Process.CommandLine like r"%/c%" and Process.CommandLine like r"%del%" and Process.CommandLine like r"%\\Desktop\\%") or (Process.CommandLine like r"%/C%" and Process.CommandLine like r"%type nul >%" and Process.CommandLine like r"%\\Desktop\\%")) and Process.CommandLine like r"%.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

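[ActivityMonitoringRule]
# Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
# Three branches: a command line that names both an AppData\Local\Temp\ path and a \\.\pipe\ endpoint, rundll32.exe loading export #1 of a .dat file,
# or any command line referencing \perfc.dat (the NotPetya DLL name).
# The perfc.dat term used to be a bare string literal left over from an untranslated Sigma keyword, which is not a valid predicate;
# it is now bound to Process.CommandLine, consistent with how the other keyword-only rules in this file are rendered.
RuleName = NotPetya Ransomware Activity
EventType = Process.Start
Tag = proc-start-notpetya-ransomware-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" and Process.CommandLine like r"%\\.\\pipe\\\*") or (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%.dat,#1") or Process.CommandLine like r"%\\perfc.dat%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP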

[ActivityMonitoringRule]
# Detects QBot like process executions
# Three branches: WinRAR.exe spawning wscript.exe, the " /c ping.exe -n 6 127.0.0.1 & type " delay-then-read sequence,
# or regsvr32.exe with a .tmp file under C:\ProgramData on its command line.
RuleName = QBot Process Creation
EventType = Process.Start
Tag = proc-start-qbot-process-creation
RiskScore = 100
Query = (((Parent.Path like r"%\\WinRAR.exe" and Process.Path like r"%\\wscript.exe") or Process.CommandLine like r"% /c ping.exe -n 6 127.0.0.1 & type %") or (Process.CommandLine like r"%regsvr32.exe%" and Process.CommandLine like r"%C:\\ProgramData%" and Process.CommandLine like r"%.tmp%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Ryuk ransomware activity
# A command line that references both the CurrentVersion\Run key and C:\users\Public\, i.e. Run-key persistence pointing into the Public profile.
RuleName = Ryuk Ransomware
EventType = Process.Start
Tag = proc-start-ryuk-ransomware
RiskScore = 100
Query = (Process.CommandLine like r"%Microsoft\\Windows\\CurrentVersion\\Run%" and Process.CommandLine like r"%C:\\users\\Public\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detector attempts to identify that activity based on a command rarely observed in an enterprise network.
# Requires the full chain cmd.exe -> nltest.exe with "/domain_trusts /all_trusts" on the command line (\_ is a literal underscore).
RuleName = Trickbot Malware Recon Activity
EventType = Process.Start
Tag = proc-start-trickbot-malware-recon-activity
RiskScore = 100
Query = ((Parent.Path like r"%\\cmd.exe") and (Process.Path like r"%\\nltest.exe") and (Process.CommandLine like r"%/domain\_trusts /all\_trusts%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe
# Additionally requires DllRegisterServer on the parent's command line, so plain rundll32 -> wermgr.exe chains do not fire.
RuleName = Trickbot Malware Activity
EventType = Process.Start
Tag = proc-start-trickbot-malware-activity
RiskScore = 100
Query = ((Process.Path like r"%\\wermgr.exe") and (Parent.Path like r"%\\rundll32.exe") and (Parent.CommandLine like r"%DllRegisterServer%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

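[ActivityMonitoringRule]
# Detects WannaCry ransomware activity
# Image-name indicators (tasksche.exe, mssecsvc.exe, taskdl.exe, ..., WanaDecryptor), plus command-line patterns for the
# icacls /grant Everyone:F /T /C /Q, bcdedit /set {default} recoveryenabled no and wbadmin delete catalog -quiet recovery-inhibition steps,
# and the @Please_Read_Me@.txt ransom-note file name.
# The ransom-note term had been mangled by the documentation site's e-mail obfuscation ("[email protected]") and is restored here to the real file name.
# diskpart.exe is a standard Windows utility and that term will fire on legitimate use; narrow or drop it if it proves noisy.
RuleName = WannaCry Ransomware
EventType = Process.Start
Tag = proc-start-wannacry-ransomware
RiskScore = 100
Query = ((Process.Path like r"%\\tasksche.exe" or Process.Path like r"%\\mssecsvc.exe" or Process.Path like r"%\\taskdl.exe" or Process.Path like r"%\\taskhsvc.exe" or Process.Path like r"%\\taskse.exe" or Process.Path like r"%\\111.exe" or Process.Path like r"%\\lhdfrgui.exe" or Process.Path like r"%\\diskpart.exe" or Process.Path like r"%\\linuxnew.exe" or Process.Path like r"%\\wannacry.exe") or Process.Path like r"%WanaDecryptor%" or (Process.CommandLine like r"%icacls%" and Process.CommandLine like r"%/grant%" and Process.CommandLine like r"%Everyone:F%" and Process.CommandLine like r"%/T%" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%/Q%") or (Process.CommandLine like r"%bcdedit%" and Process.CommandLine like r"%/set%" and Process.CommandLine like r"%{default}%" and Process.CommandLine like r"%recoveryenabled%" and Process.CommandLine like r"%no%") or (Process.CommandLine like r"%wbadmin%" and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%catalog%" and Process.CommandLine like r"%-quiet%") or Process.CommandLine like r"%@Please\_Read\_Me@.txt%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP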

[ActivityMonitoringRule]
# Detects process injection using the signed Windows tool Mavinject32.exe
# Keys only on the " /INJECTRUNNING " switch, so renamed or relocated copies of the binary are covered as long as the switch is unchanged.
RuleName = MavInject Process Injection
EventType = Process.Start
Tag = proc-start-mavinject-process-injection
RiskScore = 100
Query = Process.CommandLine like r"% /INJECTRUNNING %"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Base64 encoded Shellcode
# Requires the AAAAYInlM fragment together with one of the OiCAAAAYInlM / OiJAAAAYInlM prefixed variants.
# NOTE(review): AAAAYInlM presumably encodes a common x86 shellcode prologue (pushad / mov ebp,esp); decode before tuning these patterns.
RuleName = PowerShell Base64 Encoded Shellcode
EventType = Process.Start
Tag = proc-start-powershell-base64-encoded-shellcode
RiskScore = 100
Query = (Process.CommandLine like r"%AAAAYInlM%" and (Process.CommandLine like r"%OiCAAAAYInlM%" or Process.CommandLine like r"%OiJAAAAYInlM%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of PurpleSharp (an adversary-simulation framework) by the "PurpleSharp" string or its xyz123456.exe artifact name on the command line, or by a process name of exactly PurpleSharp.exe
RuleName = PurpleSharp Indicator
EventType = Process.Start
Tag = proc-start-purplesharp-indicator
RiskScore = 100
Query = ((Process.CommandLine like r"%xyz123456.exe%" or Process.CommandLine like r"%PurpleSharp%") or (Process.Name like r"PurpleSharp.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of a renamed ProcDump executable often used by attackers or malware
# Fires when Process.Name is "procdump", or the command line carries " -ma " together with " -accepteula " or ".dmp",
# while the on-disk image name is neither procdump.exe nor procdump64.exe.
RuleName = Renamed ProcDump
EventType = Process.Start
Tag = proc-start-renamed-procdump
RiskScore = 100
Query = (((Process.Name == "procdump" or (Process.CommandLine like r"% -ma %" and Process.CommandLine like r"% -accepteula %")) or (Process.CommandLine like r"% -ma %" and Process.CommandLine like r"%.dmp%")) and not ((Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of whoami that has been renamed to a different name to avoid detection
# Process.Name reports whoami.exe while the image path does not end in \whoami.exe.
# NOTE(review): this only works if Process.Name is derived from the binary's embedded original file name rather than from the path; otherwise both clauses can never hold at once - confirm.
RuleName = Renamed Whoami Execution
EventType = Process.Start
Tag = proc-start-renamed-whoami-execution
RiskScore = 100
Query = (Process.Name == "whoami.exe" and not (Process.Path like r"%\\whoami.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Shadow Copies deletion using operating systems utilities
# Three branches: powershell/wmic/vssadmin/diskshadow with both "shadow" and "delete" on the command line,
# wbadmin with "delete", "catalog" and "quiet", or vssadmin with "resize", "shadowstorage" and "unbounded" (shrinks storage so existing copies are purged).
# Backup software and storage-maintenance jobs may legitimately issue these commands; baseline before alerting at RiskScore 100.
RuleName = Shadow Copies Deletion Using Operating Systems Utilities
EventType = Process.Start
Tag = proc-start-shadow-copies-deletion-using-operating-systems-utilities
RiskScore = 100
Query = (((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\diskshadow.exe") and Process.CommandLine like r"%shadow%" and Process.CommandLine like r"%delete%") or ((Process.Path like r"%\\wbadmin.exe") and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%catalog%" and Process.CommandLine like r"%quiet%") or (Process.Path like r"%\\vssadmin.exe" and Process.CommandLine like r"%resize%" and Process.CommandLine like r"%shadowstorage%" and Process.CommandLine like r"%unbounded%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious process pattern found in CVE-2021-40444 exploitation
# control.exe spawned by winword.exe, powerpnt.exe or excel.exe, excluding the benign command line ending in "control.exe input.dll".
RuleName = CVE-2021-40444 Process Pattern
EventType = Process.Start
Tag = proc-start-cve-2021-40444-process-pattern
RiskScore = 100
Query = ((Process.Path like r"%\\control.exe" and (Parent.Path like r"%\\winword.exe" or Parent.Path like r"%\\powerpnt.exe" or Parent.Path like r"%\\excel.exe")) and not (Process.CommandLine like r"%\\control.exe input.dll"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# The Devtoolslauncher.exe executes other binary
# devtoolslauncher.exe invoked with the LaunchForDeploy argument, which runs an arbitrary binary via a signed Microsoft tool.
RuleName = Devtoolslauncher.exe Executes Specified Binary
EventType = Process.Start
Tag = proc-start-devtoolslauncher.exe-executes-specified-binary
RiskScore = 100
Query = (Process.Path like r"%\\devtoolslauncher.exe" and Process.CommandLine like r"%LaunchForDeploy%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
# Matches on the image path only: a document extension immediately followed by .exe, a run of spaces followed by .exe, or six underscores followed by .exe (\_ is a literal underscore).
RuleName = Suspicious Double Extension
EventType = Process.Start
Tag = proc-start-suspicious-double-extension
RiskScore = 100
Query = (Process.Path like r"%.doc.exe" or Process.Path like r"%.docx.exe" or Process.Path like r"%.xls.exe" or Process.Path like r"%.xlsx.exe" or Process.Path like r"%.ppt.exe" or Process.Path like r"%.pptx.exe" or Process.Path like r"%.rtf.exe" or Process.Path like r"%.pdf.exe" or Process.Path like r"%.txt.exe" or Process.Path like r"%      .exe" or Process.Path like r"%\_\_\_\_\_\_.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL
# Children of tracker.exe are excluded.
# NOTE(review): only the ",RunDLL" suffix is matched here; the ",#1" export variant is not covered by this query and needs a second suffix term if that coverage is wanted.
RuleName = Emotet RunDLL32 Process Creation
EventType = Process.Start
Tag = proc-start-emotet-rundll32-process-creation
RiskScore = 100
Query = (((Process.Path like r"%\\rundll32.exe") and (Process.CommandLine like r"%,RunDLL")) and not ((Parent.Path like r"%\\tracker.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious powershell command line parameters used in Empire
# Exact switch sequences emitted by Empire launchers (-NoP -sta -NonI -W Hidden -Enc, -noP -sta -w 1 -enc, -nop -exec bypass -EncodedCommand, ...).
# The " -enc  SQB" term intentionally contains two spaces; keep the patterns byte-exact when editing.
RuleName = Empire PowerShell Launch Parameters
EventType = Process.Start
Tag = proc-start-empire-powershell-launch-parameters
RiskScore = 100
Query = (Process.CommandLine like r"% -NoP -sta -NonI -W Hidden -Enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc %" or Process.CommandLine like r"% -NoP -NonI -W Hidden -enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc%" or Process.CommandLine like r"% -enc  SQB%" or Process.CommandLine like r"% -nop -exec bypass -EncodedCommand %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects some Empire PowerShell UAC bypass methods
# Command-line fingerprints of the Empire launcher that reads its payload from the HKCU:Software\Microsoft\Windows Update ".Update" value.
RuleName = Empire PowerShell UAC Bypass
EventType = Process.Start
Tag = proc-start-empire-powershell-uac-bypass
RiskScore = 100
Query = (Process.CommandLine like r"% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)%" or Process.CommandLine like r"% -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
# Requires " -ma " plus an argument beginning with " lsass" or " ls". The short " ls" term also matches any other argument that begins with "ls", so expect some benign hits from that branch.
RuleName = Suspicious Use of Procdump on LSASS
EventType = Process.Start
Tag = proc-start-suspicious-use-of-procdump-on-lsass
RiskScore = 100
Query = (Process.CommandLine like r"% -ma %" and (Process.CommandLine like r"% lsass%" or Process.CommandLine like r"% ls%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
# whoami combined with a ./Client/Common/ or .\Client\Common\ path on the command line, or the C:\Windows\Temp\Serv-U.bat artifact path.
RuleName = Serv-U Exploitation CVE-2021-35211 by DEV-0322
EventType = Process.Start
Tag = proc-start-serv-u-exploitation-cve-2021-35211-by-dev-0322
RiskScore = 100
Query = ((Process.CommandLine like r"%whoami%" and (Process.CommandLine like r"%./Client/Common/%" or Process.CommandLine like r"%.\\Client\\Common\\%")) or Process.CommandLine like r"%C:\\Windows\\Temp\\Serv-U.bat%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
# Serv-U.exe as the parent of a shell (cmd, powershell, sh, bash), a script host (wscript, cscript, mshta, scriptrunner) or a LOLBin (schtasks, regsvr32, wmic, rundll32, msiexec, forfiles).
RuleName = Suspicious Serv-U Process Pattern
EventType = Process.Start
Tag = proc-start-suspicious-serv-u-process-pattern
RiskScore = 100
Query = (Parent.Path like r"%\\Serv-U.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious shell spawn from MSSQL process, this might be a sign of RCE or SQL Injection
# sqlservr.exe as the parent of cmd.exe, sh.exe, bash.exe, powershell.exe or bitsadmin.exe.
# Legitimate xp_cmdshell jobs may produce the same parent/child pair; baseline before alerting at RiskScore 100.
RuleName = Suspicious Shells Spawn by SQL Server
EventType = Process.Start
Tag = proc-start-suspicious-shells-spawn-by-sql-server
RiskScore = 100
Query = (Parent.Path like r"%\\sqlservr.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\bitsadmin.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects actions that clear the local ShimCache and remove forensic evidence
# rundll32 invoking apphelp.dll!ShimFlushCache (or its ordinal #250) or kernel32.dll!BaseFlushAppcompatCache (or its ordinal #46).
RuleName = ShimCache Flush
EventType = Process.Start
Tag = proc-start-shimcache-flush
RiskScore = 100
Query = (Process.CommandLine like r"%rundll32%" and ((Process.CommandLine like r"%apphelp.dll%" and (Process.CommandLine like r"%ShimFlushCache%" or Process.CommandLine like r"%#250%")) or (Process.CommandLine like r"%kernel32.dll%" and (Process.CommandLine like r"%BaseFlushAppcompatCache%" or Process.CommandLine like r"%#46%"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
# svchost.exe whose command line ends in "svchost.exe" (no -k service group), excluding children of rpcnet.exe / rpcnetp.exe and an entirely empty command line.
RuleName = Suspect Svchost Activity
EventType = Process.Start
Tag = proc-start-suspect-svchost-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%svchost.exe" and Process.Path like r"%\\svchost.exe") and not ((Parent.Path like r"%\\rpcnet.exe" or Parent.Path like r"%\\rpcnetp.exe") or Process.CommandLine == ''))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects indicators of a UAC bypass method by mocking directories
# Image path under "C:\Windows \System32\" - note the trailing space after "Windows": that is the look-alike directory the bypass creates, not the real one.
RuleName = TrustedPath UAC Bypass Pattern
EventType = Process.Start
Tag = proc-start-trustedpath-uac-bypass-pattern
RiskScore = 100
Query = Process.Path like r"%C:\\Windows \\System32\\%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects different hacktools used for relay attacks on Windows for privilege escalation
# Image-path indicators for the Potato family, PetitPotam, SpoolSample, Responder and the impacket smbrelayx/ntlmrelayx scripts,
# plus command-line indicators (Invoke-Tater, smbrelay, ntlmrelay, "cme smb ", /ntlm:NTLMhash, Invoke-PetitPotam).
# The path branch depends on the attacker keeping the default tool names; the command-line branch still catches renamed binaries.
RuleName = SMB Relay Attack Tools
EventType = Process.Start
Tag = proc-start-smb-relay-attack-tools
RiskScore = 100
Query = ((Process.Path like r"%PetitPotam%" or Process.Path like r"%RottenPotato%" or Process.Path like r"%HotPotato%" or Process.Path like r"%JuicyPotato%" or Process.Path like r"%\\just\_dce\_%" or Process.Path like r"%Juicy Potato%" or Process.Path like r"%\\temp\\rot.exe%" or Process.Path like r"%\\Potato.exe%" or Process.Path like r"%\\SpoolSample.exe%" or Process.Path like r"%\\Responder.exe%" or Process.Path like r"%\\smbrelayx%" or Process.Path like r"%\\ntlmrelayx%") or (Process.CommandLine like r"%Invoke-Tater%" or Process.CommandLine like r"% smbrelay%" or Process.CommandLine like r"% ntlmrelay%" or Process.CommandLine like r"%cme smb %" or Process.CommandLine like r"% /ntlm:NTLMhash %" or Process.CommandLine like r"%Invoke-PetitPotam%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
# No child filter is applied: every process whose parent is EdgeTransport.exe fires.
# Baseline what EdgeTransport.exe legitimately spawns on your Exchange servers before relying on the RiskScore of 100.
RuleName = WMI Backdoor Exchange Transport Agent
EventType = Process.Start
Tag = proc-start-wmi-backdoor-exchange-transport-agent
RiskScore = 100
Query = Parent.Path like r"%\\EdgeTransport.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
# Registry activity on the CurrentVersion\UMe or CurrentVersion\UT keys in HKLM and HKU.
# The patterns end without a wildcard, so only the key itself matches, not values or subkeys beneath it.
RuleName = Chafer Activity
EventType = Reg.Any
Tag = chafer-activity
RiskScore = 100
Query = (Reg.Key.Target like r"%SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" or Reg.Key.Target like r"%SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects Pandemic Windows Implant
# Matches any registry activity at or below ...\services\null\Instance (trailing % covers
# subkeys and values) in the HKLM and HKU hives.
RuleName = Pandemic Registry Key
EventType = Reg.Any
Tag = pandemic-registry-key
RiskScore = 100
Query = Reg.Key.Target like r"%\\SYSTEM\\CurrentControlSet\\services\\null\\Instance%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
# NOTE(review): the trailing operand `and "IMJPUEXP.DLL"` is a bare string that is not compared
# to any property. This looks like a Sigma keyword the converter did not map to a field; verify how
# uberAgent evaluates it. If it is ignored the rule is broader than the source rule (any write to
# either CLSID InprocServer32 key fires); if it is always false the rule never fires.
RuleName = CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
EventType = Reg.Any
Tag = cve-2021-31979-cve-2021-33771-exploits-by-sourgum
RiskScore = 100
Query = ((Reg.Key.Target like r"%\\Software\\Classes\\CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32%" or Reg.Key.Target like r"%\\SOFTWARE\\Classes\\CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32%") and "IMJPUEXP.DLL")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects NetNTLM downgrade attack
# Only Reg.Key.Target is inspected, not the data written: any change to LmCompatibilityLevel,
# NtlmMinClientSec or RestrictSendingNTLMTraffic under ...\Control\Lsa matches, including
# hardening changes that raise the level (e.g. via GPO). Check the new value during triage
# before treating a hit as a downgrade.
# NOTE(review): the lmcompatibilitylevel pattern is written in lowercase; whether the like
# operator is case-insensitive is not stated in this file.
RuleName = NetNTLM Downgrade Attack
EventType = Reg.Any
Tag = netntlm-downgrade-attack
RiskScore = 100
Query = (Reg.Key.Target like r"%SYSTEM\\%" and Reg.Key.Target like r"%ControlSet%" and Reg.Key.Target like r"%\\Control\\Lsa%" and (Reg.Key.Target like r"%\\lmcompatibilitylevel" or Reg.Key.Target like r"%\\NtlmMinClientSec" or Reg.Key.Target like r"%\\RestrictSendingNTLMTraffic"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
# Matches activity on the Debugger value under Image File Execution Options for sethc.exe,
# utilman.exe, osk.exe, Magnify.exe, Narrator.exe and DisplaySwitch.exe. The rule does not
# inspect which debugger path was written; use the GenericProperty fields to see the key and
# value name, then check the data.
RuleName = Sticky Key Like Backdoor Usage
EventType = Reg.Any
Tag = sticky-key-like-backdoor-usage
RiskScore = 100
Query = (Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects UAC bypass method using Windows event viewer
# Matches targets that start with HKCU\ and end in \mscfile\shell\open\command.
# NOTE(review): Hive lists HKLM,HKU while the query only accepts an HKCU\ prefix - presumably
# HKCU targets are reported through the HKU hive; confirm, otherwise the HKLM entry is unused.
RuleName = UAC Bypass via Event Viewer
EventType = Reg.Any
Tag = uac-bypass-via-event-viewer
RiskScore = 100
Query = (Reg.Key.Target like r"HKCU\\%" and Reg.Key.Target like r"%\\mscfile\\shell\\open\\command")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects registry key used by Leviathan APT in Malaysian focused campaign
# Exact-path pattern with no wildcards: only a target equal to HKCU\...\Run\ntkd matches, so a
# differently named Run value is not covered. As with the other HKCU\ rules, the HKLM hive listed
# below presumably cannot produce a matching target.
RuleName = Leviathan Registry Key Activity
EventType = Reg.Any
Tag = leviathan-registry-key-activity
RiskScore = 100
Query = Reg.Key.Target like r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects registry keys created in OceanLotus (also known as APT32) attacks
# Three OR-ed branches: (1) the exact HKCU CLSID {E08A0F4B-...}\Model key; (2) keys under
# HKCU or HKLM SOFTWARE\App\ that contain one of three AppX ids and end in Application or
# DefaultIcon; (3) any HKCU target under Classes for two further AppX ids or two CLSIDs.
RuleName = OceanLotus Registry Activity
EventType = Reg.Any
Tag = oceanlotus-registry-activity
RiskScore = 100
Query = ((Reg.Key.Target like r"HKCU\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model" or ((Reg.Key.Target like r"HKCU\\SOFTWARE\\App\\%" or Reg.Key.Target like r"HKLM\\SOFTWARE\\App\\%") and (Reg.Key.Target like r"%AppXbf13d4ea2945444d8b13e2121cb6b663\\%" or Reg.Key.Target like r"%AppX70162486c7554f7f80f481985d67586d\\%" or Reg.Key.Target like r"%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\%") and (Reg.Key.Target like r"%Application" or Reg.Key.Target like r"%DefaultIcon"))) or ((Reg.Key.Target like r"HKCU\\%") and (Reg.Key.Target like r"%Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\%" or Reg.Key.Target like r"%Classes\\AppX3bbba44c6cae4d9695755183472171e2\\%" or Reg.Key.Target like r"%Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\%" or Reg.Key.Target like r"%Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model%")))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
# The query anchors only on the value name: any target ending in \IsCredGuardEnabled matches,
# not just the WDigest path named above, and the written data is not evaluated. Use the key
# path from the GenericProperty fields to confirm the location, then check the new value.
RuleName = Wdigest CredGuard Registry Modification
EventType = Reg.Any
Tag = wdigest-credguard-registry-modification
RiskScore = 100
Query = Reg.Key.Target like r"%\\IsCredGuardEnabled"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the use of Windows Credential Editor (WCE)
# Matches activity on the Start value of a service named WCESERVICE; the detection relies on
# that default service name, so a renamed service is not covered by this rule.
RuleName = Windows Credential Editor Registry
EventType = Reg.Any
Tag = windows-credential-editor-registry
RiskScore = 100
Query = Reg.Key.Target like r"%Services\\WCESERVICE\\Start%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory
# Matches any activity at or below ...\SilentProcessExit\lsass.exe in HKLM or HKU.
# NOTE(review): "Registrytion" in RuleName and Tag is a typo (presumably inherited from the
# source rule title). Left unchanged here because the Tag value may already be referenced by
# dashboards or correlation rules; rename both together if you fix it.
RuleName = SilentProcessExit Monitor Registrytion for LSASS
EventType = Reg.Any
Tag = silentprocessexit-monitor-registrytion-for-lsass
RiskScore = 100
Query = Reg.Key.Target like r"%Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
# Matches activity on Lsa\Security Packages or Lsa\OSConfig\Security Packages unless the writing
# process path is System32\msiexec.exe or syswow64\MsiExec.exe. The exclusion is path-based only
# (no signature or hash check), so review hits from those paths separately if installer activity
# is not expected on the host.
RuleName = Security Support Provider (SSP) Added to LSA Configuration
EventType = Reg.Any
Tag = security-support-provider-(ssp)-added-to-lsa-configuration
RiskScore = 100
Query = ((Reg.Key.Target like r"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages" or Reg.Key.Target like r"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages") and not (Process.Path like r"C:\\Windows\\system32\\msiexec.exe" or Process.Path like r"C:\\Windows\\syswow64\\MsiExec.exe"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects persistence registry keys
# Scoped to ...\Windows NT\CurrentVersion and matches one of: GlobalFlag under Image File
# Execution Options, or ReportingMode / MonitorProcess under SilentProcessExit. The
# SilentProcessExit\lsass.exe rule in this file overlaps with the second and third branches.
RuleName = Registry Persistence Mechanisms
EventType = Reg.Any
Tag = registry-persistence-mechanisms
RiskScore = 100
Query = ((Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion%") and ((Reg.Key.Target like r"%\\Image File Execution Options\\%" and Reg.Key.Target like r"%\\GlobalFlag%") or (Reg.Key.Target like r"%SilentProcessExit\\%" and Reg.Key.Target like r"%\\ReportingMode%") or (Reg.Key.Target like r"%SilentProcessExit\\%" and Reg.Key.Target like r"%\\MonitorProcess%")))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
# Two OR-ed groups: driver directories "QMS 810" or "mimikatz..." under Control\Print\Environments\
# Windows x64\Drivers\Version-3 (or "legitprinter" anywhere under Environments\Windows), or print
# environment / printer keys containing "Gentil Kiwi", "mimikatz printer" or "Kiwi Legit Printer".
# NOTE(review): "Mimimkatz" in RuleName and Tag is a typo (presumably inherited from the source
# rule). Left unchanged because the Tag value may be referenced elsewhere; rename both together.
RuleName = PrinterNightmare Mimimkatz Driver Name
EventType = Reg.Any
Tag = printernightmare-mimimkatz-driver-name
RiskScore = 100
Query = (((Reg.Key.Target like r"%\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\%" or Reg.Key.Target like r"%\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz%") or (Reg.Key.Target like r"%legitprinter%" and Reg.Key.Target like r"%\\Control\\Print\\Environments\\Windows%")) or ((Reg.Key.Target like r"%\\Control\\Print\\Environments%" or Reg.Key.Target like r"%\\CurrentVersion\\Print\\Printers%") and (Reg.Key.Target like r"%Gentil Kiwi%" or Reg.Key.Target like r"%mimikatz printer%" or Reg.Key.Target like r"%Kiwi Legit Printer%")))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target
