
uberAgent-ESA-am-sigma-critical.conf

The following is the uberAgent-ESA-am-sigma-critical.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a command line, change the working directory to the just-cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: critical
#

[ActivityMonitoringRule]
# Detects suspicious DNS queries known from Cobalt Strike beacons
# Matches on the queried name alone (Dns.QueryRequest); no process attribution is part of the Query.
# NOTE(review): rule f356a9c4-effd-4608-bbf8-408afd5cd006 below has the identical EventType and
# Query, so a single matching DNS event produces two hits at RiskScore 100 — confirm that is intended.
RuleId = 2975af79-28c4-4d2f-a951-9095f229df29
RuleName = Cobalt Strike DNS Beaconing
EventType = Dns.Query
Tag = cobalt-strike-dns-beaconing
RiskScore = 100
Annotation = {"mitre_attack": ["T1071.004"]}
Query = ((Dns.QueryRequest like r"aaa.stage.%" or Dns.QueryRequest like r"post.1%") or Dns.QueryRequest like r"%.stage.123456.%")
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
# NOTE(review): the description speaks of the invoking program, but the Query compares only
# Dns.QueryRequest and is byte-identical to rule 2975af79-28c4-4d2f-a951-9095f229df29 above;
# the process attribution was presumably lost in conversion — confirm, or drop the duplicate.
RuleId = f356a9c4-effd-4608-bbf8-408afd5cd006
RuleName = Suspicious Cobalt Strike DNS Beaconing
EventType = Dns.Query
Tag = suspicious-cobalt-strike-dns-beaconing
RiskScore = 100
Annotation = {"mitre_attack": ["T1071.004"]}
Query = ((Dns.QueryRequest like r"aaa.stage.%" or Dns.QueryRequest like r"post.1%") or Dns.QueryRequest like r"%.stage.123456.%")
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects DLL image load activity as used by FoggyWeb backdoor loader
# Exact-path comparison (no % wildcard) against the ADFS version.dll location.
# NOTE(review): the value is the DLL's path but the field compared is Process.Path — confirm which
# attribute carries the loaded image path on Image.Load events; if Process.Path is the loading
# process, this rule can never match.
RuleId = 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
RuleName = FoggyWeb Backdoor DLL Loading
EventType = Image.Load
Tag = foggyweb-backdoor-dll-loading
RiskScore = 100
Annotation = {"mitre_attack": ["T1587"]}
Query = Process.Path like r"C:\\Windows\\ADFS\\version.dll"

[ActivityMonitoringRule]
# Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
# Two branches: xcopy.exe invoked with the switch set /S /E /C /Q /H and an argument ending in
# backslash-asterisk, or adexplorer.exe with -snapshot, an empty quoted argument and a c:\users\ path.
# The `\\\*` sequence is presumably an escaped backslash followed by an escaped literal asterisk —
# confirm against the query language's escaping rules.
RuleId = b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
RuleName = Judgement Panda Credential Access Activity
EventType = Process.Start
Tag = proc-start-judgement-panda-credential-access-activity
RiskScore = 100
Annotation = {"mitre_attack": ["T1552.001", "T1003.003"]}
Query = ((Process.Path like r"%\\xcopy.exe" and Process.CommandLine like r"%/S%" and Process.CommandLine like r"%/E%" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%/Q%" and Process.CommandLine like r"%/H%" and Process.CommandLine like r"%\\\*") or (Process.Path like r"%\\adexplorer.exe" and Process.CommandLine like r"%-snapshot%" and Process.CommandLine like r"%\"\"%" and Process.CommandLine like r"%c:\\users\\%"))

[ActivityMonitoringRule]
# Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
# Branch 1: regsvr32 with an \AppData\Local\ path; branch 2: an \AppData\Local\ path with a ,DllEntry export.
# The exclusions are command-line substring matches for the Teams meeting add-in loader and the WebEx
# atucfobj.dll, so anything staged under exactly those paths is not reported.
RuleId = bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
RuleName = BlueMashroom DLL Load
EventType = Process.Start
Tag = proc-start-bluemashroom-dll-load
RiskScore = 100
Annotation = {"mitre_attack": ["T1218.010"]}
Query = (((Process.CommandLine like r"%\\regsvr32%" and Process.CommandLine like r"%\\AppData\\Local\\%") or (Process.CommandLine like r"%\\AppData\\Local\\%" and Process.CommandLine like r"%,DllEntry%")) and not ((Process.CommandLine like r"%AppData\\Local\\Microsoft\\TeamsMeetingAddin\\%" or (Process.CommandLine like r"%\\x86\\Microsoft.Teams.AddinLoader.dll" or Process.CommandLine like r"%\\x86\\Microsoft.Teams.AddinLoader.dll\"" or Process.CommandLine like r"%\\x64\\Microsoft.Teams.AddinLoader.dll" or Process.CommandLine like r"%\\x64\\Microsoft.Teams.AddinLoader.dll\"")) or (Process.CommandLine like r"%\\AppData\\Local\\WebEx\\WebEx64\\Meetings\\atucfobj.dll")))

[ActivityMonitoringRule]
# Detects CrackMapExecWin Activity as Described by NCSC
# File-name based: only an image path ending in \crackmapexec.exe matches; a renamed binary is not covered.
RuleId = 04d9079e-3905-4b70-ad37-6bdf11304965
RuleName = CrackMapExecWin
EventType = Process.Start
Tag = proc-start-crackmapexecwin
RiskScore = 100
Annotation = {"mitre_attack": ["T1110", "T1087"]}
Query = Process.Path like r"%\\crackmapexec.exe"

[ActivityMonitoringRule]
# Detects Elise backdoor activity as used by APT32
# Either the 32-bit cmd.exe (SysWOW64) with a \Windows\Caches\NavShExt.dll argument, or any command
# line ending in the Roaming MICROS~1\Windows\Caches\NavShExt.dll,Setting export call.
RuleId = e507feb7-5f73-4ef6-a970-91bb6f6d744f
RuleName = Elise Backdoor
EventType = Process.Start
Tag = proc-start-elise-backdoor
RiskScore = 100
Annotation = {"mitre_attack": ["T1059.003"]}
Query = ((Process.Path like r"C:\\Windows\\SysWOW64\\cmd.exe" and Process.CommandLine like r"%\\Windows\\Caches\\NavShExt.dll %") or Process.CommandLine like r"%\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting")

[ActivityMonitoringRule]
# Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
# Parent/child pair: sllauncher.exe spawning svchost.exe, both matched by path suffix.
# GenericProperty1 presumably records the parent path alongside the hit — confirm the property's semantics.
RuleId = 9aa01d62-7667-4d3b-acb8-8cb5103e2014
RuleName = Emissary Panda Malware SLLauncher
EventType = Process.Start
Tag = proc-start-emissary-panda-malware-sllauncher
RiskScore = 100
Annotation = {"mitre_attack": ["T1574.002"]}
Query = (Parent.Path like r"%\\sllauncher.exe" and Process.Path like r"%\\svchost.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a specific tool and export used by EquationGroup
# rundll32.exe whose command line ends in ,dll_u, or an " -export dll_u " argument anywhere.
# `\_` is an escaped literal underscore (a bare `_` is presumably a single-character wildcard — confirm).
RuleId = d465d1d8-27a2-4cca-9621-a800f37cf72e
RuleName = Equation Group DLL_U Load
EventType = Process.Start
Tag = proc-start-equation-group-dll_u-load
RiskScore = 100
Annotation = {"mitre_attack": ["T1218.011"]}
Query = ((Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%,dll\_u") or Process.CommandLine like r"% -export dll\_u %")

[ActivityMonitoringRule]
# Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
# All five substrings must be present: regsvr32, /s, /i, an \AppData\Roaming\ path and .ocx.
# /s and /i are plain substring checks and will also match inside other tokens of the command line.
RuleId = 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
RuleName = EvilNum Golden Chickens Deployment via OCX Files
EventType = Process.Start
Tag = proc-start-evilnum-golden-chickens-deployment-via-ocx-files
RiskScore = 100
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (Process.CommandLine like r"%regsvr32%" and Process.CommandLine like r"%/s%" and Process.CommandLine like r"%/i%" and Process.CommandLine like r"%\\AppData\\Roaming\\%" and Process.CommandLine like r"%.ocx%")

[ActivityMonitoringRule]
# Detects tools and process executions as observed in a Greenbug campaign in May 2020
# Four groups: bitsadmin /transfer into CSIDL_APPDATA; any CSIDL_SYSTEM_DRIVE reference; a list of
# PowerShell / reverse-shell command-line fragments (L3NlcnZlcj1 appears to be a base64 fragment);
# and a list of executable paths observed in the campaign. `\_` is an escaped literal underscore.
RuleId = 3711eee4-a808-4849-8a14-faf733da3612
RuleName = Greenbug Campaign Indicators
EventType = Process.Start
Tag = proc-start-greenbug-campaign-indicators
RiskScore = 100
Annotation = {"mitre_attack": ["T1059.001", "T1105", "T1036.005"]}
Query = ((Process.CommandLine like r"%bitsadmin%" and Process.CommandLine like r"%/transfer%" and Process.CommandLine like r"%CSIDL\_APPDATA%") or Process.CommandLine like r"%CSIDL\_SYSTEM\_DRIVE%" or (Process.CommandLine like r"%\\msf.ps1%" or Process.CommandLine like r"%8989 -e cmd.exe%" or Process.CommandLine like r"%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%" or Process.CommandLine like r"%-nop -w hidden -c $k=new-object%" or Process.CommandLine like r"%[Net.CredentialCache]::DefaultCredentials;IEX %" or Process.CommandLine like r"% -nop -w hidden -c $m=new-object net.webclient;$m%" or Process.CommandLine like r"%-noninteractive -executionpolicy bypass whoami%" or Process.CommandLine like r"%-noninteractive -executionpolicy bypass netstat -a%" or Process.CommandLine like r"%L3NlcnZlcj1%") or (Process.Path like r"%\\adobe\\Adobe.exe" or Process.Path like r"%\\oracle\\local.exe" or Process.Path like r"%\\revshell.exe" or Process.Path like r"%infopagesbackup\\ncat.exe" or Process.Path like r"%CSIDL\_SYSTEM\\cmd.exe" or Process.Path like r"%\\programdata\\oracle\\java.exe" or Process.Path like r"%CSIDL\_COMMON\_APPDATA\\comms\\comms.exe" or Process.Path like r"%\\Programdata\\VMware\\Vmware.exe"))

[ActivityMonitoringRule]
# Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
# Matches ldifde/7za/procdump64/netsess command lines staged from an \aaaa\ folder, copies of 1.7z to
# or from a \client\c$\aaaa\ share, an eprod.ldf export, or 7za.exe run from C:\Users\Public.
RuleId = 03e2746e-2b31-42f1-ab7a-eb39365b2422
RuleName = Judgement Panda Exfil Activity
EventType = Process.Start
Tag = proc-start-judgement-panda-exfil-activity
RiskScore = 100
Annotation = {"mitre_attack": ["T1003.001", "T1560.001"]}
Query = (Process.CommandLine like r"%eprod.ldf" or (Process.CommandLine like r"%\\ldifde.exe -f -n %" or Process.CommandLine like r"%\\7za.exe a 1.7z %" or Process.CommandLine like r"%\\aaaa\\procdump64.exe%" or Process.CommandLine like r"%\\aaaa\\netsess.exe%" or Process.CommandLine like r"%\\aaaa\\7za.exe%" or Process.CommandLine like r"%copy .\\1.7z \\%" or Process.CommandLine like r"%copy \\client\\c$\\aaaa\\%") or Process.Path like r"C:\\Users\\Public\\7za.exe")

[ActivityMonitoringRule]
# Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
# Three PowerShell -Property/-name/-value argument patterns (DisableFirstRunCustomize, Check_Associations,
# IEHarden). `\_` is an escaped literal underscore.
RuleId = 7b544661-69fc-419f-9a59-82ccc328f205
RuleName = Ke3chang Registry Key Modifications
EventType = Process.Start
Tag = proc-start-ke3chang-registry-key-modifications
RiskScore = 100
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (Process.CommandLine like r"%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%" or Process.CommandLine like r"%-Property String -name Check\_Associations -value%" or Process.CommandLine like r"%-Property DWORD -name IEHarden -value 0 -Force%")

[ActivityMonitoringRule]
# Detects different process creation events as described in various threat reports on Lazarus group activity
# `\%temp\%` is an escaped literal %temp% environment reference; `\_` an escaped literal underscore.
# NOTE(review): the "[email protected]" tokens in the second pattern appear to be an artifact of the
# web page's e-mail obfuscation, not the shipped literal; restore that string from the installed
# file or the upstream Sigma rule before relying on this copy.
RuleId = 24c4d154-05a4-4b99-b57d-9b977472443a
RuleName = Lazarus Activity
EventType = Process.Start
Tag = proc-start-lazarus-activity
RiskScore = 100
Annotation = {"mitre_attack": ["T1059"]}
Query = ((Process.CommandLine like r"%reg.exe save hklm\\sam \%temp\%\\~reg\_sam.save%" or Process.CommandLine like r"%[email protected]#[email protected]#[email protected]#$%" or Process.CommandLine like r"% -hp1q2w3e4 %" or Process.CommandLine like r"%.dat data03 10000 -p %") or (Process.CommandLine like r"%process call create%" and Process.CommandLine like r"% > \%temp\%\\~%") or (Process.CommandLine like r"%netstat -aon | find %" and Process.CommandLine like r"% > \%temp\%\\~%") or Process.CommandLine like r"%.255 10 C:\\ProgramData\\%")

[ActivityMonitoringRule]
# Detects different loaders as described in various threat reports on Lazarus group activity
# Branch 1: cmd.exe /c with a " -p 0x" argument and a C:\ProgramData\ or C:\RECYCLER\ path.
# Branch 2: rundll32.exe loading a C:\ProgramData\ file with a non-DLL extension (.bin, .tmp, .dat, .io, .ini, .db).
RuleId = 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
RuleName = Lazarus Loaders
EventType = Process.Start
Tag = proc-start-lazarus-loaders
RiskScore = 100
Annotation = {"mitre_attack": ["T1059"]}
Query = ((Process.CommandLine like r"%cmd.exe /c %" and Process.CommandLine like r"% -p 0x%" and (Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\RECYCLER\\%")) or (Process.CommandLine like r"%rundll32.exe %" and Process.CommandLine like r"%C:\\ProgramData\\%" and (Process.CommandLine like r"%.bin,%" or Process.CommandLine like r"%.tmp,%" or Process.CommandLine like r"%.dat,%" or Process.CommandLine like r"%.io,%" or Process.CommandLine like r"%.ini,%" or Process.CommandLine like r"%.db,%")))

[ActivityMonitoringRule]
# Detects DNS tunnel activity of the MuddyWater actor
# PowerShell (powershell.exe or pwsh.exe) spawned by excel.exe with DataExchange.dll on the command line.
RuleId = 36222790-0d43-4fe8-86e4-674b27809543
RuleName = DNS Tunnel Technique from MuddyWater
EventType = Process.Start
Tag = proc-start-dns-tunnel-technique-from-muddywater
RiskScore = 100
Annotation = {"mitre_attack": ["T1071.004"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Parent.Path like r"%\\excel.exe" and Process.CommandLine like r"%DataExchange.dll%")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
# Three groups: command-line fragments (cert.exe, kworking agent files, log deletion); exact executable
# paths (MsMpEng.exe / cert.exe under C:\Windows, agent.exe under kworking and kworking1); and a
# del /s /q /f of WebPages\Errors\webErrorLog.txt. `\%SystemDrive\%` is an escaped literal environment reference.
RuleId = 5de632bc-7fbd-4c8a-944a-fce55c59eae5
RuleName = REvil Kaseya Incident Malware Patterns
EventType = Process.Start
Tag = proc-start-revil-kaseya-incident-malware-patterns
RiskScore = 100
Annotation = {"mitre_attack": ["T1059"]}
Query = ((Process.CommandLine like r"%C:\\Windows\\cert.exe%" or Process.CommandLine like r"%del /q /f c:\\kworking\\agent.crt%" or Process.CommandLine like r"%Kaseya VSA Agent Hot-fix%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\MsMpEng.exe%" or Process.CommandLine like r"%rmdir /s /q \%SystemDrive\%\\inetpub\\logs%" or Process.CommandLine like r"%del /s /q /f \%SystemDrive\%\\%.log%" or Process.CommandLine like r"%c:\\kworking1\\agent.exe%" or Process.CommandLine like r"%c:\\kworking1\\agent.crt%") or (Process.Path like r"C:\\Windows\\MsMpEng.exe" or Process.Path like r"C:\\Windows\\cert.exe" or Process.Path like r"C:\\kworking\\agent.exe" or Process.Path like r"C:\\kworking1\\agent.exe") or (Process.CommandLine like r"%del /s /q /f%" and Process.CommandLine like r"%WebPages\\Errors\\webErrorLog.txt%"))

[ActivityMonitoringRule]
# Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
# Parent wmiprvse.exe with a child identified either by path suffix or by Process.Name.
RuleId = 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
RuleName = TA505 Dropper Load Pattern
EventType = Process.Start
Tag = proc-start-ta505-dropper-load-pattern
RiskScore = 100
Annotation = {"mitre_attack": ["T1106"]}
Query = (Parent.Path like r"%\\wmiprvse.exe" and (Process.Path like r"%\\mshta.exe" or Process.Name == "mshta.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects automated lateral movement by Turla group
# Three full command lines (no leading %): a net use to \\%DomainController%\C$, a recursive dir for
# .doc files, and a dir of %TEMP%\*.exe. `\%` is an escaped literal percent sign.
# NOTE(review): "[email protected]" in the first pattern appears to be an artifact of the web page's
# e-mail obfuscation, not the shipped literal; restore the quoted token from the installed file or
# the upstream Sigma rule before relying on this copy.
RuleId = c601f20d-570a-4cde-a7d6-e17f99cb8e7f
RuleName = Turla Group Lateral Movement
EventType = Process.Start
Tag = proc-start-turla-group-lateral-movement
RiskScore = 100
Annotation = {"mitre_attack": ["T1059", "T1021.002", "T1083", "T1135"]}
Query = (Process.CommandLine like r"net use \\\%DomainController\%\\C$ \"[email protected]\" %" or Process.CommandLine like r"dir c:\\%.doc% /s" or Process.CommandLine like r"dir \%TEMP\%\\%.exe")

[ActivityMonitoringRule]
# Detects commands used by Turla group as reported by ESET in May 2020
# Matches a tracert -h 10 yahoo.com probe, a .WSqmCons))|iex; fragment, the backtick-obfuscated
# Fr`omBa`se6`4Str`ing token, or net use of docs.live.net together with an @aol.co.uk account.
RuleId = 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
RuleName = Turla Group Commands May 2020
EventType = Process.Start
Tag = proc-start-turla-group-commands-may-2020
RiskScore = 100
Annotation = {"mitre_attack": ["T1059.001", "T1053.005", "T1027"]}
Query = ((Process.CommandLine like r"%tracert -h 10 yahoo.com%" or Process.CommandLine like r"%.WSqmCons))|iex;%" or Process.CommandLine like r"%Fr`omBa`se6`4Str`ing%") or (Process.CommandLine like r"%net use https://docs.live.net%" and Process.CommandLine like r"%@aol.co.uk%"))

[ActivityMonitoringRule]
# Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
# Invoke-WMIMethod win32_process create, or wmic /node: process call create, each combined with a
# rundll32 c:\windows argument. `\_` is an escaped literal underscore.
RuleId = b7155193-8a81-4d8f-805d-88de864ca50c
RuleName = UNC2452 PowerShell Pattern
EventType = Process.Start
Tag = proc-start-unc2452-powershell-pattern
RiskScore = 100
Annotation = {"mitre_attack": ["T1059.001", "T1047"]}
Query = ((Process.CommandLine like r"%Invoke-WMIMethod win32\_process -name create -argumentlist%" and Process.CommandLine like r"%rundll32 c:\\windows%") or (Process.CommandLine like r"%wmic /node:%" and Process.CommandLine like r"%process call create \"rundll32 c:\\windows%"))

[ActivityMonitoringRule]
# Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
# Parent/child combinations around C:\ProgramData\DRM: launched from C:\Windows\Temp or hpqhvind.exe,
# wmplayer.exe spawned from DRM or Test.exe, DRM\CLR\CLR.exe itself, or SearchFilterHost.exe from DRM\Windows.
RuleId = 3121461b-5aa0-4a41-b910-66d25524edbb
RuleName = Winnti Malware HK University Campaign
EventType = Process.Start
Tag = proc-start-winnti-malware-hk-university-campaign
RiskScore = 100
Annotation = {"mitre_attack": ["T1574.002"]}
Query = (((Parent.Path like r"%C:\\Windows\\Temp%" or Parent.Path like r"%\\hpqhvind.exe%") and Process.Path like r"C:\\ProgramData\\DRM%") or (Parent.Path like r"C:\\ProgramData\\DRM%" and Process.Path like r"%\\wmplayer.exe") or (Parent.Path like r"%\\Test.exe" and Process.Path like r"%\\wmplayer.exe") or Process.Path like r"C:\\ProgramData\\DRM\\CLR\\CLR.exe" or (Parent.Path like r"C:\\ProgramData\\DRM\\Windows%" and Process.Path like r"%\\SearchFilterHost.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects specific process characteristics of Winnti Pipemon malware reported by ESET
# setup0.exe -p, or setup.exe with a command line ending in -x:0, -x:1 or -x:2.
RuleId = 73d70463-75c9-4258-92c6-17500fe972f2
RuleName = Winnti Pipemon Characteristics
EventType = Process.Start
Tag = proc-start-winnti-pipemon-characteristics
RiskScore = 100
Annotation = {"mitre_attack": ["T1574.002"]}
Query = (Process.CommandLine like r"%setup0.exe -p%" or (Process.CommandLine like r"%setup.exe%" and (Process.CommandLine like r"%-x:0" or Process.CommandLine like r"%-x:1" or Process.CommandLine like r"%-x:2")))

[ActivityMonitoringRule]
# Detects a ZxShell start by the called and well-known function name
# rundll32.exe with the zxFunction or RemoteDiskXXXXX export name on the command line.
RuleId = f0b70adb-0075-43b0-9745-e82a1c608fcc
RuleName = ZxShell Malware
EventType = Process.Start
Tag = proc-start-zxshell-malware
RiskScore = 100
Annotation = {"mitre_attack": ["T1059.003", "T1218.011"]}
Query = (Process.Path like r"%\\rundll32.exe" and (Process.CommandLine like r"%zxFunction%" or Process.CommandLine like r"%RemoteDiskXXXXX%"))

[ActivityMonitoringRule]
# F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
# All three substrings must be present on the command line: rundll32.exe, .dll and StartNodeRelay.
RuleId = b18c9d4c-fac9-4708-bd06-dd5bfacf200f
RuleName = F-Secure C3 Load by Rundll32
EventType = Process.Start
Tag = proc-start-f-secure-c3-load-by-rundll32
RiskScore = 100
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%.dll%" and Process.CommandLine like r"%StartNodeRelay%")

[ActivityMonitoringRule]
# Conti ransomware command line IoC
# All six conditions must hold: -m, -net, -size, -nomutex and a $ character anywhere, plus a command
# line ending in -p \*. `\\\*` is presumably an escaped backslash followed by an escaped literal asterisk — confirm.
RuleId = 689308fc-cfba-4f72-9897-796c1dc61487
RuleName = Conti Ransomware Execution
EventType = Process.Start
Tag = proc-start-conti-ransomware-execution
RiskScore = 100
Annotation = {"mitre_attack": ["T1486"]}
Query = (Process.CommandLine like r"%-m %" and Process.CommandLine like r"%-net %" and Process.CommandLine like r"%-size %" and Process.CommandLine like r"%-nomutex %" and Process.CommandLine like r"%-p \\\*" and Process.CommandLine like r"%$%")

[ActivityMonitoringRule]
# Detects specific process characteristics of Maze ransomware word document droppers
# WINWORD.exe spawning a .tmp executable; wmic.exe from a \Temp\ parent running shadowcopy delete; or
# shadowcopy delete issued through a \..\..\system32 traversal path.
RuleId = 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
RuleName = Maze Ransomware
EventType = Process.Start
Tag = proc-start-maze-ransomware
RiskScore = 100
Annotation = {"mitre_attack": ["T1204.002", "T1047", "T1490"]}
Query = ((Parent.Path like r"%\\WINWORD.exe" and Process.Path like r"%.tmp") or (Process.Path like r"%\\wmic.exe" and Parent.Path like r"%\\Temp\\%" and Process.CommandLine like r"%shadowcopy delete") or (Process.CommandLine like r"%shadowcopy delete" and Process.CommandLine like r"%\\..\\..\\system32%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the use of the Dinject PowerShell cradle based on the specific flags
# " /am51" or " /password" on the command line, unless " /PASSWORDCHG" is present or the parent is
# the CEETIS IDE (32- or 64-bit install path). `\_` is an escaped literal underscore.
RuleId = d78b5d61-187d-44b6-bf02-93486a80de5a
RuleName = DInject PowerShell Cradle CommandLine Flags
EventType = Process.Start
Tag = proc-start-dinject-powershell-cradle-commandline-flags
RiskScore = 100
Annotation = {"mitre_attack": ["T1055"]}
Query = ((Process.CommandLine like r"% /am51%" or Process.CommandLine like r"% /password%") and not ((Process.CommandLine like r"% /PASSWORDCHG%" or (Parent.Path like r"C:\\Program Files\\CEETIS\\CEETIS\_IDE.exe" or Parent.Path like r"C:\\Program Files (x86)\\CEETIS\\CEETIS\_IDE.exe"))))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the use of the filename DumpStack.log to evade Microsoft Defender
# Executable path ending in \DumpStack.log, or a " -o DumpStack.log" argument.
# This rule carries no Annotation line, unlike the others in this file — presumably the source rule
# has no mitre_attack tag; confirm.
RuleId = 4f647cfa-b598-4e12-ad69-c68dd16caef8
RuleName = DumpStack.log Defender Evasion
EventType = Process.Start
Tag = proc-start-dumpstack.log-defender-evasion
RiskScore = 100
Query = (Process.Path like r"%\\DumpStack.log" or Process.CommandLine like r"% -o DumpStack.log%")

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
# Parent WINWORD.EXE spawning MicroScMgmt.exe, both matched by path suffix.
RuleId = 7993792c-5ce2-4475-a3db-a3a5539827ef
RuleName = Exploit for CVE-2015-1641
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2015-1641
RiskScore = 100
Annotation = {"mitre_attack": ["T1036.005"]}
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\MicroScMgmt.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
# Any child process of EQNEDT32.EXE, regardless of which image is started.
RuleId = 678eb5f4-8597-4be6-8be7-905e4234b53a
RuleName = Droppers Exploiting CVE-2017-11882
EventType = Process.Start
Tag = proc-start-droppers-exploiting-cve-2017-11882
RiskScore = 100
Annotation = {"mitre_attack": ["T1203", "T1204.002", "T1566.001"]}
Query = Parent.Path like r"%\\EQNEDT32.EXE"
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
# Parent WINWORD.EXE spawning csc.exe, both matched by path suffix.
RuleId = fdd84c68-a1f6-47c9-9477-920584f94905
RuleName = Exploit for CVE-2017-8759
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2017-8759
RiskScore = 100
Annotation = {"mitre_attack": ["T1203", "T1204.002", "T1566.001"]}
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\csc.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
# Any child of System32\dns.exe except werfault.exe, conhost.exe, dnscmd.exe and dns.exe itself.
RuleId = b5281f31-f9cc-4d0d-95d0-45b91c45b487
RuleName = DNS RCE CVE-2020-1350
EventType = Process.Start
Tag = proc-start-dns-rce-cve-2020-1350
RiskScore = 100
Annotation = {"mitre_attack": ["T1190", "T1569.002"]}
Query = (Parent.Path like r"%\\System32\\dns.exe" and not ((Process.Path like r"%\\System32\\werfault.exe" or Process.Path like r"%\\System32\\conhost.exe" or Process.Path like r"%\\System32\\dnscmd.exe" or Process.Path like r"%\\System32\\dns.exe")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM
# Three command-line fragments tied to the public proof of concept (its host name, user name and printer name).
RuleId = c01f7bd6-0c1d-47aa-9c61-187b91273a16
RuleName = SystemNightmare Exploitation Script Execution
EventType = Process.Start
Tag = proc-start-systemnightmare-exploitation-script-execution
RiskScore = 100
Annotation = {"mitre_attack": ["T1068"]}
Query = (Process.CommandLine like r"%printnightmare.gentilkiwi.com%" or Process.CommandLine like r"% /user:gentilguest %" or Process.CommandLine like r"%Kiwi Legit Printer%")

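[ActivityMonitoringRule]
# Detects the execution of the hacktool Rubeus via PE information of command line parameters
# Matches the executable by path suffix or Process.Name, or any of the Rubeus sub-command argument patterns.
# Fix: the path pattern previously read "%˚\\Rubeus.exe'" — a stray ring-above character and a trailing
# apostrophe inside the literal — which can never match a real path ending in \Rubeus.exe. It now ends
# with the bare file name, like the other path-suffix rules in this file.
RuleId = 7ec2c172-dceb-4c10-92c9-87c1881b7e18
RuleName = Rubeus Hack Tool
EventType = Process.Start
Tag = proc-start-rubeus-hack-tool
RiskScore = 100
Annotation = {"mitre_attack": ["T1003", "T1558.003", "T1550.003"]}
Query = (Process.Path like r"%\\Rubeus.exe" or Process.Name == "Rubeus.exe" or (Process.CommandLine like r"% asreproast %" or Process.CommandLine like r"% dump /service:krbtgt %" or Process.CommandLine like r"% kerberoast %" or Process.CommandLine like r"% createnetonly /program:%" or Process.CommandLine like r"% ptt /ticket:%" or Process.CommandLine like r"% /impersonateuser:%" or Process.CommandLine like r"% renew /ticket:%" or Process.CommandLine like r"% asktgt /user:%" or Process.CommandLine like r"% harvest /interval:%" or Process.CommandLine like r"% s4u /user:%" or Process.CommandLine like r"% s4u /ticket:%" or Process.CommandLine like r"% hash /password:%"))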

[ActivityMonitoringRule]
# Detects the execution of SecurityXploded Tools
# Exact match on the PE company name, or an image path / name ending in PasswordDump.exe.
RuleId = 7679d464-4f74-45e2-9e01-ac66c5eb041a
RuleName = SecurityXploded Tool
EventType = Process.Start
Tag = proc-start-securityxploded-tool
RiskScore = 100
Annotation = {"mitre_attack": ["T1555"]}
Query = (Process.Company == "SecurityXploded" or Process.Path like r"%PasswordDump.exe" or Process.Name like r"%PasswordDump.exe")
GenericProperty1 = Process.Company

[ActivityMonitoringRule]
# Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations
# All three substrings must be present: New-MailboxExport (which also covers New-MailboxExportRequest),
# " -Mailbox " and a -FilePath pointing at \\127.0.0.1\C$.
RuleId = 889719ef-dd62-43df-86c3-768fb08dc7c0
RuleName = Suspicious PowerShell Mailbox Export to Share
EventType = Process.Start
Tag = proc-start-suspicious-powershell-mailbox-export-to-share
RiskScore = 100
Annotation = {"mitre_attack": ["T1505.003", "T1584.006"]}
Query = (Process.CommandLine like r"%New-MailboxExport%" and Process.CommandLine like r"% -Mailbox %" and Process.CommandLine like r"% -FilePath \\\\127.0.0.1\\C$%")

[ActivityMonitoringRule]
# Detects typical Dridex process patterns
# svchost.exe run with a C:\Users\...\Desktop\ argument, or svchost.exe as the parent of
# whoami.exe with "all" or net.exe/net1.exe with "view" on the command line.
RuleId = e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e
RuleName = Dridex Process Pattern
EventType = Process.Start
Tag = proc-start-dridex-process-pattern
RiskScore = 100
Annotation = {"mitre_attack": ["T1055", "T1135", "T1033"]}
Query = ((Process.Path like r"%\\svchost.exe" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\Desktop\\%") or (Parent.Path like r"%\\svchost.exe" and ((Process.Path like r"%\\whoami.exe" and Process.CommandLine like r"%all%") or ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%view%"))))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects specific process parameters as seen in DTRACK infections
# Single substring " echo EEEE > " anywhere in the command line.
RuleId = f1531fa4-5b84-4342-8f68-9cf3fdbd83d4
RuleName = DTRACK Process Creation
EventType = Process.Start
Tag = proc-start-dtrack-process-creation
RiskScore = 100
Annotation = {"mitre_attack": ["T1490"]}
Query = Process.CommandLine like r"% echo EEEE > %"

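[ActivityMonitoringRule]
# Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
# Three branches: a \AppData\Local\Temp\ path together with a \\.\pipe\ argument; rundll32.exe
# invoking a .dat file's export #1; or an image path ending in \perfc.dat.
# Fix: the third disjunct was the bare string literal "\\perfc.dat" with no field comparison; depending
# on how the query parser treats a string in boolean position that either fails to load or is always
# true (firing on every Process.Start). Restored as a Process.Path suffix match — TODO confirm the
# intended field against the upstream Sigma rule.
RuleId = 79aeeb41-8156-4fac-a0cd-076495ab82a1
RuleName = NotPetya Ransomware Activity
EventType = Process.Start
Tag = proc-start-notpetya-ransomware-activity
RiskScore = 100
Annotation = {"mitre_attack": ["T1218.011", "T1070.001", "T1003.001"]}
Query = ((Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" and Process.CommandLine like r"%\\\\.\\pipe\\\*") or (Process.Path like r"%\\rundll32.exe" and (Process.CommandLine like r"%.dat,#1" or Process.CommandLine like r"%.dat #1")) or Process.Path like r"%\\perfc.dat")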

[ActivityMonitoringRule]
# Detects QBot like process executions
# WinRAR.exe spawning wscript.exe; a " /c ping.exe -n 6 127.0.0.1 & type " delay-then-read chain; or
# regsvr32.exe loading a .tmp file from C:\ProgramData.
RuleId = 4fcac6eb-0287-4090-8eea-2602e4c20040
RuleName = QBot Process Creation
EventType = Process.Start
Tag = proc-start-qbot-process-creation
RiskScore = 100
Annotation = {"mitre_attack": ["T1059.005"]}
Query = (((Parent.Path like r"%\\WinRAR.exe" and Process.Path like r"%\\wscript.exe") or Process.CommandLine like r"% /c ping.exe -n 6 127.0.0.1 & type %") or (Process.CommandLine like r"%regsvr32.exe%" and Process.CommandLine like r"%C:\\ProgramData%" and Process.CommandLine like r"%.tmp%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detector attempts to identify that activity based off a command rarely observed in an enterprise network.
# cmd.exe spawning nltest.exe with /domain_trusts /all_trusts. `\_` is an escaped literal underscore.
RuleId = 410ad193-a728-4107-bc79-4419789fcbf8
RuleName = Trickbot Malware Recon Activity
EventType = Process.Start
Tag = proc-start-trickbot-malware-recon-activity
RiskScore = 100
Annotation = {"mitre_attack": ["T1482"]}
Query = (Parent.Path like r"%\\cmd.exe" and Process.Path like r"%\\nltest.exe" and Process.CommandLine like r"%/domain\_trusts /all\_trusts%")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects WannaCry ransomware activity
# Known executable names, a WanaDecryptor path fragment, and the icacls / bcdedit / wbadmin command
# lines the malware issues. `\_` is an escaped literal underscore.
# NOTE(review): "[email protected]" in the last pattern appears to be an artifact of the web page's
# e-mail obfuscation, not the shipped literal; restore that file-name string from the installed file
# or the upstream Sigma rule before relying on this copy.
RuleId = 41d40bff-377a-43e2-8e1b-2e543069e079
RuleName = WannaCry Ransomware
EventType = Process.Start
Tag = proc-start-wannacry-ransomware
RiskScore = 100
Annotation = {"mitre_attack": ["T1210", "T1083", "T1222.001", "T1486", "T1490"]}
Query = ((Process.Path like r"%\\tasksche.exe" or Process.Path like r"%\\mssecsvc.exe" or Process.Path like r"%\\taskdl.exe" or Process.Path like r"%\\taskhsvc.exe" or Process.Path like r"%\\taskse.exe" or Process.Path like r"%\\111.exe" or Process.Path like r"%\\lhdfrgui.exe" or Process.Path like r"%\\linuxnew.exe" or Process.Path like r"%\\wannacry.exe") or Process.Path like r"%WanaDecryptor%" or (Process.CommandLine like r"%icacls%" and Process.CommandLine like r"%/grant%" and Process.CommandLine like r"%Everyone:F%" and Process.CommandLine like r"%/T%" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%/Q%") or (Process.CommandLine like r"%bcdedit%" and Process.CommandLine like r"%/set%" and Process.CommandLine like r"%{default}%" and Process.CommandLine like r"%recoveryenabled%" and Process.CommandLine like r"%no%") or (Process.CommandLine like r"%wbadmin%" and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%catalog%" and Process.CommandLine like r"%-quiet%") or Process.CommandLine like r"%@Please\_Read\[email protected]%")

[ActivityMonitoringRule]
# Detects DarkSide Ransomware and helpers
# A [char][byte]('0x'+ decoding fragment or " -work worker0 -path " on the command line; or a
# DllHost.exe /Processid:{3E5FC7F9-...} parent starting an image from \AppData\Local\Temp\.
# This is the only rule in the file keyed on Parent.CommandLine rather than Parent.Path.
RuleId = 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
RuleName = DarkSide Ransomware Pattern
EventType = Process.Start
Tag = proc-start-darkside-ransomware-pattern
RiskScore = 100
Annotation = {"mitre_attack": ["T1204"]}
Query = ((Process.CommandLine like r"%=[char][byte]('0x'+%" or Process.CommandLine like r"% -work worker0 -path %") or (Parent.CommandLine like r"%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%" and Process.Path like r"%\\AppData\\Local\\Temp\\%"))
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects LockerGoga Ransomware command line.
# Single substring "-i SM-tgytutrc -s" anywhere in the command line.
RuleId = 74db3488-fd28-480a-95aa-b7af626de068
RuleName = LockerGoga Ransomware
EventType = Process.Start
Tag = proc-start-lockergoga-ransomware
RiskScore = 100
Annotation = {"mitre_attack": ["T1486"]}
Query = Process.CommandLine like r"%-i SM-tgytutrc -s%"

[ActivityMonitoringRule]
# Detects Ryuk Ransomware command lines
# net.exe/net1.exe with "stop" and one of samss, audioendpointbuilder, or unistoresvc_ followed by
# five more characters. `\_` is an escaped literal underscore; each bare `_` is presumably a
# single-character wildcard — confirm.
RuleId = 0acaad27-9f02-4136-a243-c357202edd74
RuleName = Ryuk Ransomware
EventType = Process.Start
Tag = proc-start-ryuk-ransomware
RiskScore = 100
Annotation = {"mitre_attack": ["T1204"]}
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%stop%" and (Process.CommandLine like r"%samss%" or Process.CommandLine like r"%audioendpointbuilder%" or Process.CommandLine like r"%unistoresvc\______%"))

[ActivityMonitoringRule]
# Detects Base64 encoded Shellcode
# Base64 fragments: AAAAYInlM together with either OiCAAAAYInlM or OiJAAAAYInlM.
RuleId = 2d117e49-e626-4c7c-bd1f-c3c0147774c8
RuleName = PowerShell Base64 Encoded Shellcode
EventType = Process.Start
Tag = proc-start-powershell-base64-encoded-shellcode
RiskScore = 100
Annotation = {"mitre_attack": ["T1027"]}
Query = (Process.CommandLine like r"%AAAAYInlM%" and (Process.CommandLine like r"%OiCAAAAYInlM%" or Process.CommandLine like r"%OiJAAAAYInlM%"))

[ActivityMonitoringRule]
# Detects the execution of the PurpleSharp adversary simulation tool
# Command line containing xyz123456.exe or PurpleSharp, or Process.Name equal to PurpleSharp.exe.
RuleId = ff23ffbc-3378-435e-992f-0624dcf93ab4
RuleName = PurpleSharp Indicator
EventType = Process.Start
Tag = proc-start-purplesharp-indicator
RiskScore = 100
Annotation = {"mitre_attack": ["T1587"]}
Query = ((Process.CommandLine like r"%xyz123456.exe%" or Process.CommandLine like r"%PurpleSharp%") or Process.Name == "PurpleSharp.exe")

[ActivityMonitoringRule]
# Detects the execution of whoami that has been renamed to a different name to avoid detection
# NOTE(review): the Query requires Process.Name == "whoami.exe" while Process.Path does not end in
# \whoami.exe. If Process.Name is derived from the image path, these two conditions are mutually
# exclusive and the rule never fires; the intent is presumably a comparison against the PE's original
# file name — confirm which attribute carries that value.
RuleId = f1086bf7-a0c4-4a37-9102-01e573caf4a0
RuleName = Renamed Whoami Execution
EventType = Process.Start
Tag = proc-start-renamed-whoami-execution
RiskScore = 100
Annotation = {"mitre_attack": ["T1033"]}
Query = (Process.Name == "whoami.exe" and not (Process.Path like r"%\\whoami.exe"))

[ActivityMonitoringRule]
# Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
# winlogon.exe spawning cmd.exe with one of the accessibility tool names (sethc, utilman, osk, Magnify,
# Narrator, DisplaySwitch) on the command line.
RuleId = 2fdefcb3-dbda-401e-ae23-f0db027628bc
RuleName = Sticky Key Like Backdoor Usage
EventType = Process.Start
Tag = proc-start-sticky-key-like-backdoor-usage
RiskScore = 100
Annotation = {"mitre_attack": ["T1546.008"]}
Query = (Parent.Path like r"%\\winlogon.exe" and Process.Path like r"%\\cmd.exe" and (Process.CommandLine like r"%sethc.exe%" or Process.CommandLine like r"%utilman.exe%" or Process.CommandLine like r"%osk.exe%" or Process.CommandLine like r"%Magnify.exe%" or Process.CommandLine like r"%Narrator.exe%" or Process.CommandLine like r"%DisplaySwitch.exe%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects suspicious use of an .exe extension after a non-executable file extension (e.g. .pdf.exe), or a run of spaces or underscores before .exe, used to disguise executables in spear-phishing campaigns
# Process.Start: matches on the executable path only. The last two patterns cover
# six consecutive spaces and six literal underscores immediately before .exe;
# `\_` is an escaped underscore so it matches literally rather than as the
# single-character wildcard, while `%` is the any-length wildcard.
RuleId = 1cdd9a09-06c9-4769-99ff-626e2b3991b8
RuleName = Suspicious Double Extension
EventType = Process.Start
Tag = proc-start-suspicious-double-extension
RiskScore = 100
Annotation = {"mitre_attack": ["T1566.001"]}
Query = (Process.Path like r"%.doc.exe" or Process.Path like r"%.docx.exe" or Process.Path like r"%.xls.exe" or Process.Path like r"%.xlsx.exe" or Process.Path like r"%.ppt.exe" or Process.Path like r"%.pptx.exe" or Process.Path like r"%.rtf.exe" or Process.Path like r"%.pdf.exe" or Process.Path like r"%.txt.exe" or Process.Path like r"%      .exe" or Process.Path like r"%\_\_\_\_\_\_.exe")

[ActivityMonitoringRule]
# Detects Emotet DLL loading by looking for rundll32.exe processes whose command lines end in ,RunDLL or ,Control_RunDLL
# Process.Start: the two command-line patterns are anchored at the end (no
# trailing %). Two exclusions narrow the match: a tracker.exe parent, and
# command lines where the export is directly preceded by a .dll name (plain,
# double-quoted or single-quoted) - presumably the ordinary invocation form.
# GenericProperty1 records Parent.Path with the event.
RuleId = 54e57ce3-0672-46eb-a402-2c0948d5e3e9
RuleName = Emotet RunDLL32 Process Creation
EventType = Process.Start
Tag = proc-start-emotet-rundll32-process-creation
RiskScore = 100
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (((Process.Path like r"%\\rundll32.exe" and (Process.CommandLine like r"%,RunDLL" or Process.CommandLine like r"%,Control\_RunDLL")) and not (Parent.Path like r"%\\tracker.exe")) and not ((Process.CommandLine like r"%.dll,Control\_RunDLL" or Process.CommandLine like r"%.dll\",Control\_RunDLL" or Process.CommandLine like r"%.dll',Control\_RunDLL")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a suspicious LSASS process clone that could be a sign of process dumping activity
# Process.Start: both Process.Path and Parent.Path must end in
# \Windows\System32\lsass.exe, i.e. lsass spawning a child that is itself lsass.
# GenericProperty1 records Parent.Path with the event.
RuleId = c8da0dfd-4ed0-4b68-962d-13c9c884384e
RuleName = Suspicious LSASS Process Clone
EventType = Process.Start
Tag = proc-start-suspicious-lsass-process-clone
RiskScore = 100
Annotation = {"mitre_attack": ["T1003", "T1003.001"]}
Query = (Process.Path like r"%\\Windows\\System32\\lsass.exe" and Parent.Path like r"%\\Windows\\System32\\lsass.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects some Empire PowerShell UAC bypass methods
# Process.Start: matches two specific PowerShell argument sequences
# (-NoP -NonI [-w Hidden] -c) that read the Update value from the
# HKCU:Software\Microsoft\Windows Update key. The leading % lets the host
# executable and any preceding arguments vary; the remainder is matched literally.
RuleId = 3268b746-88d8-4cd3-bffc-30077d02c787
RuleName = Empire PowerShell UAC Bypass
EventType = Process.Start
Tag = proc-start-empire-powershell-uac-bypass
RiskScore = 100
Annotation = {"mitre_attack": ["T1548.002"]}
Query = (Process.CommandLine like r"% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)%" or Process.CommandLine like r"% -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);%")

[ActivityMonitoringRule]
# Detects patterns observed in the exploitation of the Serv-U vulnerability CVE-2021-35211 by threat group DEV-0322
# Process.Start: two independent indicators - a command line that contains
# "whoami" together with a Client/Common path (forward- or back-slashed), or any
# command line referencing C:\Windows\Temp\Serv-U.bat.
RuleId = 75578840-9526-4b2a-9462-af469a45e767
RuleName = Serv-U Exploitation CVE-2021-35211 by DEV-0322
EventType = Process.Start
Tag = proc-start-serv-u-exploitation-cve-2021-35211-by-dev-0322
RiskScore = 100
Annotation = {"mitre_attack": ["T1136.001"]}
Query = ((Process.CommandLine like r"%whoami%" and (Process.CommandLine like r"%./Client/Common/%" or Process.CommandLine like r"%.\\Client\\Common\\%")) or Process.CommandLine like r"%C:\\Windows\\Temp\\Serv-U.bat%")

[ActivityMonitoringRule]
# Detects indicators of a UAC bypass method by mocking directories
# Process.Start: the space between "Windows" and the following backslash is
# intentional. The pattern targets executables launched from the mock directory
# "C:\Windows \System32\" (note the trailing space after Windows), which is a
# different path from the real system directory.
RuleId = 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
RuleName = TrustedPath UAC Bypass Pattern
EventType = Process.Start
Tag = proc-start-trustedpath-uac-bypass-pattern
RiskScore = 100
Annotation = {"mitre_attack": ["T1548.002"]}
Query = Process.Path like r"%C:\\Windows \\System32\\%"

[ActivityMonitoringRule]
# Detects different hacktools used for relay attacks on Windows for privilege escalation
# Process.Start: matches known tool names in the image path or characteristic
# fragments in the command line. The trailing `and not` clause excludes paths
# containing "HotPotatoes" (6, 7, Help, Tutorial) - presumably the unrelated
# Hot Potatoes application, which would otherwise be caught by "%HotPotato%".
# `\_` is an escaped literal underscore; `%` is the any-length wildcard.
RuleId = 5589ab4f-a767-433c-961d-c91f3f704db1
RuleName = SMB Relay Attack Tools
EventType = Process.Start
Tag = proc-start-smb-relay-attack-tools
RiskScore = 100
Annotation = {"mitre_attack": ["T1557.001"]}
Query = (((Process.Path like r"%PetitPotam%" or Process.Path like r"%RottenPotato%" or Process.Path like r"%HotPotato%" or Process.Path like r"%JuicyPotato%" or Process.Path like r"%\\just\_dce\_%" or Process.Path like r"%Juicy Potato%" or Process.Path like r"%\\temp\\rot.exe%" or Process.Path like r"%\\Potato.exe%" or Process.Path like r"%\\SpoolSample.exe%" or Process.Path like r"%\\Responder.exe%" or Process.Path like r"%\\smbrelayx%" or Process.Path like r"%\\ntlmrelayx%") or (Process.CommandLine like r"%Invoke-Tater%" or Process.CommandLine like r"% smbrelay%" or Process.CommandLine like r"% ntlmrelay%" or Process.CommandLine like r"%cme smb %" or Process.CommandLine like r"% /ntlm:NTLMhash %" or Process.CommandLine like r"%Invoke-PetitPotam%")) and not (((Process.Path like r"%HotPotatoes6%" or Process.Path like r"%HotPotatoes 6%" or Process.Path like r"%HotPotatoes7%" or Process.Path like r"%HotPotatoes 7%" or Process.Path like r"%HotPotatoes Help%" or Process.Path like r"%HotPotatoes Tutorial%"))))

[ActivityMonitoringRule]
# Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
# Process.Start: any child process of EdgeTransport.exe except
# C:\Windows\System32\conhost.exe. Review any other child (for example a shell
# or script host) as a potential transport-agent backdoor.
# GenericProperty1 records Parent.Path with the event.
RuleId = 797011dc-44f4-4e6f-9f10-a8ceefbe566b
RuleName = WMI Backdoor Exchange Transport Agent
EventType = Process.Start
Tag = proc-start-wmi-backdoor-exchange-transport-agent
RiskScore = 100
Annotation = {"mitre_attack": ["T1546.003"]}
Query = (Parent.Path like r"%\\EdgeTransport.exe" and not (Process.Path like r"C:\\Windows\\System32\\conhost.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects Chafer activity attributed to OilRig as reported by Nyotron in March 2018
# Reg.Any across the HKLM and HKU hives: registry key paths ending in
# SOFTWARE\Microsoft\Windows\CurrentVersion\UMe or ...\CurrentVersion\UT.
# GenericProperty1 records the matched key path with the event.
RuleId = 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
RuleName = Chafer Activity
EventType = Reg.Any
Tag = chafer-activity
RiskScore = 100
Annotation = {"mitre_attack": ["T1053.005", "T1543.003", "T1112", "T1071.004"]}
Query = (Reg.Key.Target like r"%SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" or Reg.Key.Target like r"%SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects a registry key used by Leviathan APT in a Malaysia-focused campaign
# Reg.Any: exact match (no wildcards) on the Run\ntkd key of the current user.
# NOTE(review): the pattern is anchored on an "HKCU\" prefix while Hive monitors
# HKLM and HKU; confirm how Reg.Key.Target renders the per-user hive (HKCU vs
# HKU\<SID>\...). If it is the latter, this rule can never match.
# GenericProperty1 records the matched key path with the event.
RuleId = 70d43542-cd2d-483c-8f30-f16b436fd7db
RuleName = Leviathan Registry Key Activity
EventType = Reg.Any
Tag = leviathan-registry-key-activity
RiskScore = 100
Annotation = {"mitre_attack": ["T1547.001"]}
Query = Reg.Key.Target like r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects registry keys created in OceanLotus (also known as APT32) attacks
# Reg.Any: three alternatives - (1) the HKCU CLSID\{E08A0F4B-...}\Model key;
# (2) keys under SOFTWARE\App\ in HKCU or HKLM that contain one of three AppX
# identifiers and end in "Application" or "DefaultIcon"; (3) any HKCU key under
# Classes with the listed AppX or CLSID identifiers.
# NOTE(review): alternatives (1) and (3) and half of (2) are anchored on an
# "HKCU\" prefix while Hive monitors HKLM and HKU; confirm that Reg.Key.Target
# renders the per-user hive as HKCU rather than HKU\<SID>\..., otherwise those
# branches never match.
# GenericProperty1 records the matched key path with the event.
RuleId = 4ac5fc44-a601-4c06-955b-309df8c4e9d4
RuleName = OceanLotus Registry Activity
EventType = Reg.Any
Tag = oceanlotus-registry-activity
RiskScore = 100
Annotation = {"mitre_attack": ["T1112"]}
Query = (Reg.Key.Target like r"HKCU\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model" or ((Reg.Key.Target like r"HKCU\\SOFTWARE\\App\\%" or Reg.Key.Target like r"HKLM\\SOFTWARE\\App\\%") and (Reg.Key.Target like r"%AppXbf13d4ea2945444d8b13e2121cb6b663\\%" or Reg.Key.Target like r"%AppX70162486c7554f7f80f481985d67586d\\%" or Reg.Key.Target like r"%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\%") and (Reg.Key.Target like r"%Application" or Reg.Key.Target like r"%DefaultIcon")) or (Reg.Key.Target like r"HKCU\\%" and (Reg.Key.Target like r"%Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\%" or Reg.Key.Target like r"%Classes\\AppX3bbba44c6cae4d9695755183472171e2\\%" or Reg.Key.Target like r"%Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\%" or Reg.Key.Target like r"%Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model%")))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the Pandemic Windows implant
# Reg.Any: any key at or below SYSTEM\CurrentControlSet\services\null\Instance.
# "null" here is the literal service name in the path, not an empty value.
# GenericProperty1 records the matched key path with the event.
RuleId = 47e0852a-cf81-4494-a8e6-31864f8c86ed
RuleName = Pandemic Registry Key
EventType = Reg.Any
Tag = pandemic-registry-key
RiskScore = 100
Annotation = {"mitre_attack": ["T1105"]}
Query = Reg.Key.Target like r"%\\SYSTEM\\CurrentControlSet\\services\\null\\Instance%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the use of Windows Credential Editor (WCE)
# Reg.Any: the Start value of a service named WCESERVICE, under any hive path
# that contains "Services\WCESERVICE\Start".
# GenericProperty1 records the matched key path with the event.
RuleId = a6b33c02-8305-488f-8585-03cb2a7763f2
RuleName = Windows Credential Editor Registry
EventType = Reg.Any
Tag = windows-credential-editor-registry
RiskScore = 100
Annotation = {"mitre_attack": ["T1003.001"]}
Query = Reg.Key.Target like r"%Services\\WCESERVICE\\Start%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects FlowCloud malware from threat group TA410
# Reg.Any: three fixed GUID-named keys directly under HKLM\HARDWARE (exact
# match), or any key below HKLM\SYSTEM\Setup\PrintResponsor\.
# GenericProperty1 records the matched key path with the event.
RuleId = 5118765f-6657-4ddb-a487-d7bd673abbf1
RuleName = FlowCloud Malware
EventType = Reg.Any
Tag = flowcloud-malware
RiskScore = 100
Annotation = {"mitre_attack": ["T1112"]}
Query = ((Reg.Key.Target like r"HKLM\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" or Reg.Key.Target like r"HKLM\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" or Reg.Key.Target like r"HKLM\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}") or (Reg.Key.Target like r"HKLM\\SYSTEM\\Setup\\PrintResponsor\\%"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the static "QMS 810" and "mimikatz" printer driver names used by Mimikatz when exploiting CVE-2021-1675 and CVE-2021-34527 (PrintNightmare)
# Reg.Any: three alternatives - a driver registered under
# Control\Print\Environments\Windows x64\Drivers\Version-3 named "QMS 810" or
# starting with "mimikatz"; "legitprinter" anywhere under
# Control\Print\Environments\Windows; or the strings "Gentil Kiwi",
# "mimikatz printer" or "Kiwi Legit Printer" under the print environments or
# printers keys.
# NOTE(review): RuleName and Tag carry the generated spelling "Mimimkatz"; left
# as is because the Tag value may be referenced by consumers of these events.
# GenericProperty1 records the matched key path with the event.
RuleId = ba6b9e43-1d45-4d3c-a504-1043a64c8469
RuleName = PrinterNightmare Mimimkatz Driver Name
EventType = Reg.Any
Tag = printernightmare-mimimkatz-driver-name
RiskScore = 100
Annotation = {"mitre_attack": ["T1204"]}
Query = (((Reg.Key.Target like r"%\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\%" or Reg.Key.Target like r"%\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz%") or (Reg.Key.Target like r"%legitprinter%" and Reg.Key.Target like r"%\\Control\\Print\\Environments\\Windows%")) or ((Reg.Key.Target like r"%\\Control\\Print\\Environments%" or Reg.Key.Target like r"%\\CurrentVersion\\Print\\Printers%") and (Reg.Key.Target like r"%Gentil Kiwi%" or Reg.Key.Target like r"%mimikatz printer%" or Reg.Key.Target like r"%Kiwi Legit Printer%")))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects registry changes that register a monitor program under SilentProcessExit to dump the process memory of lsass.exe
# Reg.Any: any key at or below
# Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe. A monitor
# registered there is launched by the OS when lsass.exe exits, which is what
# makes this a credential-dumping technique.
# NOTE(review): RuleName and Tag carry the generated spelling "Registrytion";
# left as is because the Tag value may be referenced by consumers of these events.
# GenericProperty1 records the matched key path with the event.
RuleId = 55e29995-75e7-451a-bef0-6225e2f13597
RuleName = SilentProcessExit Monitor Registrytion for LSASS
EventType = Reg.Any
Tag = silentprocessexit-monitor-registrytion-for-lsass
RiskScore = 100
Annotation = {"mitre_attack": ["T1003.007"]}
Query = Reg.Key.Target like r"%Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
# Reg.Any: exact match on the "Security Packages" value under Control\Lsa or
# Control\Lsa\OSConfig in HKLM. Writes made by msiexec.exe (System32 or
# SysWOW64) are excluded, so installer-driven changes do not alert.
# NOTE(review): the Tag contains parentheses, unlike every other Tag in this
# file; confirm the allowed Tag character set before relying on it downstream.
# GenericProperty1 records the matched key path with the event.
RuleId = eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
RuleName = Security Support Provider (SSP) Added to LSA Configuration
EventType = Reg.Any
Tag = security-support-provider-(ssp)-added-to-lsa-configuration
RiskScore = 100
Annotation = {"mitre_attack": ["T1547.005"]}
Query = ((Reg.Key.Target like r"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages" or Reg.Key.Target like r"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages") and not (Process.Path like r"C:\\Windows\\system32\\msiexec.exe" or Process.Path like r"C:\\Windows\\syswow64\\MsiExec.exe"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
# Reg.Any: the Debugger value under Image File Execution Options for each of the
# six accessibility tools (sethc, utilman, osk, Magnify, Narrator, DisplaySwitch).
# A Debugger entry there makes Windows launch the registered program in place of
# the named tool, which is how the backdoor is installed; this is the registry
# counterpart of the Process.Start rule with the same RuleName.
# GenericProperty1 records the matched key path with the event.
RuleId = baca5663-583c-45f9-b5dc-ea96a22ce542
RuleName = Sticky Key Like Backdoor Usage
EventType = Reg.Any
Tag = sticky-key-like-backdoor-usage
RiskScore = 100
Annotation = {"mitre_attack": ["T1546.008"]}
Query = (Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

