
uberAgent-ESA-am-sigma-low.conf

The following is the uberAgent-ESA-am-sigma-low.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a commandline, change working directory to the just cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: low
#

[ActivityMonitoringRule]
# A general detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential screen capture.
# The allow-list is path-only: loads from the standard program directories and from three known vendor binaries are
# dropped, with no signer or hash check behind the path match (the `%` wildcard matches any run of characters).
RuleId = 666ecfc7-229d-42b8-821e-1a8f8cb7057c
RuleName = Suspicious System.Drawing Load
EventType = Image.Load
Tag = suspicious-system.drawing-load
RiskScore = 25
Annotation = {"mitre_attack": ["T1113"]}
Query = (Image.Path like r"%\\System.Drawing.ni.dll" and not (((Process.Path like r"C:\\Program Files\\%" or Process.Path like r"C:\\Program Files (x86)\\%" or Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\Microsoft.NET\\%" or Process.Path like r"C:\\Windows\\ImmersiveControlPanel\\%")) or ((Process.Path like r"C:\\Users\\%\\AppData\\Local\\NhNotifSys\\nahimic\\nahimicNotifSys.exe" or Process.Path like r"C:\\Users\\%\\GitHubDesktop\\Update.exe" or Process.Path like r"C:\\Windows\\System32\\NhNotifSys.exe"))))
# NOTE(review): GenericProperty1 appears to attach Image.Path to the reported event; confirm against the ESA docs.
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects usage of attrib.exe to hide files from users.
# The `% +h %` pattern needs a space on both sides, so a command line that ends in `+h` is not matched.
# NOTE(review): the `.cui` exclusion pattern has no leading `%`, so it only matches a command line that starts
# with `+R`; if Process.CommandLine begins with the executable, that exclusion never applies - confirm.
RuleId = 4281cb20-2994-4580-aa63-c8b86d019934
RuleName = Hiding Files with Attrib.exe
EventType = Process.Start
Tag = proc-start-hiding-files-with-attrib.exe
RiskScore = 25
Annotation = {"mitre_attack": ["T1564.001"]}
Query = ((Process.Path like r"%\\attrib.exe" and Process.CommandLine like r"% +h %") and not ((Process.CommandLine like r"%\\desktop.ini %" or (Parent.Path like r"%\\cmd.exe" and Process.CommandLine like r"+R +H +S +A \\%.cui" and Parent.CommandLine like r"C:\\WINDOWS\\system32\\%.bat"))))
# NOTE(review): GenericProperty1/2 appear to attach the parent's path and command line to the reported event; confirm against the ESA docs.
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Marks a file as a system file using the attrib.exe utility.
# The `% +s %` pattern needs a space on both sides, so a command line that ends in `+s` is not matched.
RuleId = bb19e94c-59ae-4c15-8c12-c563d23fe52b
RuleName = Set Windows System File with Attrib
EventType = Process.Start
Tag = proc-start-set-windows-system-file-with-attrib
RiskScore = 25
Annotation = {"mitre_attack": ["T1564.001"]}
Query = (Process.Path like r"%\\attrib.exe" and Process.CommandLine like r"% +s %")

[ActivityMonitoringRule]
# When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
# The query is a pure substring match on the command line (no Process.Path check): any command line containing
# `cmd`, `/c` and `assoc` fires, including words such as "associate".
RuleId = 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
RuleName = Change Default File Association
EventType = Process.Start
Tag = proc-start-change-default-file-association
RiskScore = 25
Annotation = {"mitre_attack": ["T1546.001"]}
Query = (Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%assoc%")

[ActivityMonitoringRule]
# Adversaries may collect data stored in the clipboard from users copying information within or between applications.
# Matches clip.exe by path suffix or by process name; no command-line condition.
RuleId = ddeff553-5233-4ae9-bbab-d64d2bd634be
RuleName = Use of CLIP
EventType = Process.Start
Tag = proc-start-use-of-clip
RiskScore = 25
Annotation = {"mitre_attack": ["T1115"]}
Query = (Process.Path like r"%\\clip.exe" or Process.Name == "clip.exe")

[ActivityMonitoringRule]
# Adversaries may delete files left behind by the actions of their intrusion activity.
# Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate what was done within a network and how.
# Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
# Substring match on the command line only, with no Process.Path check: `del ` plus `/f`, or `rmdir` plus `/s` and `/q`.
RuleId = 379fa130-190e-4c3f-b7bc-6c8e834485f3
RuleName = Windows Cmd Delete File
EventType = Process.Start
Tag = proc-start-windows-cmd-delete-file
RiskScore = 25
Annotation = {"mitre_attack": ["T1070.004"]}
Query = ((Process.CommandLine like r"%del %" and Process.CommandLine like r"%/f%") or (Process.CommandLine like r"%rmdir%" and Process.CommandLine like r"%/s%" and Process.CommandLine like r"%/q%"))

[ActivityMonitoringRule]
# Use of ">" to redirect information in the command line.
# Fires for every cmd.exe command line containing a `>` character, so expect a high baseline volume from scripts.
RuleId = 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
RuleName = Redirect Output in CommandLine
EventType = Process.Start
Tag = proc-start-redirect-output-in-commandline
RiskScore = 25
Annotation = {"mitre_attack": ["T1082"]}
Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%>%")

[ActivityMonitoringRule]
# An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
# Matches rar.exe with the archive-add verb ` a ` (space on both sides) in the command line.
RuleId = 6f3e2987-db24-4c78-a860-b4f4095a7095
RuleName = Data Compressed - rar.exe
EventType = Process.Start
Tag = proc-start-data-compressed-rar.exe
RiskScore = 25
Annotation = {"mitre_attack": ["T1560.001"]}
Query = (Process.Path like r"%\\rar.exe" and Process.CommandLine like r"% a %")

[ActivityMonitoringRule]
# Attackers may leverage fsutil to enumerate connected drives.
# Matches fsutil.exe by path suffix or process name, with `drives` anywhere in the command line.
RuleId = 63de06b9-a385-40b5-8b32-73f2b9ef84b6
RuleName = Fsutil Drive Enumeration
EventType = Process.Start
Tag = proc-start-fsutil-drive-enumeration
RiskScore = 25
Annotation = {"mitre_attack": ["T1120"]}
Query = ((Process.Path like r"%\\fsutil.exe" or Process.Name == "fsutil.exe") and Process.CommandLine like r"%drives%")

[ActivityMonitoringRule]
# Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
# Parent-based rule: any child process of pcalua.exe or forfiles.exe fires, regardless of what the child is.
RuleId = fa47597e-90e9-41cd-ab72-c3b74cfb0d02
RuleName = Indirect Command Execution
EventType = Process.Start
Tag = proc-start-indirect-command-execution
RiskScore = 25
Annotation = {"mitre_attack": ["T1202"]}
Query = (Parent.Path like r"%\\pcalua.exe" or Parent.Path like r"%\\forfiles.exe")
# NOTE(review): GenericProperty1 appears to attach Parent.Path to the reported event; confirm against the ESA docs.
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Local accounts, System Owner/User discovery using operating system utilities.
# Two branches: (1) whoami, wmic useraccount get, quser/qwinsta, cmdkey /l, or `cmd /c dir ...\Users\`, excluding
# command lines that contain ` rmdir `; (2) net/net1 with `user`, excluding the account-modification switches
# (/domain, /add, /delete, /active, ...) so that only account listing remains in scope.
RuleId = 502b42de-4306-40b4-9596-6f590c81f073
RuleName = Local Accounts Discovery
EventType = Process.Start
Tag = proc-start-local-accounts-discovery
RiskScore = 25
Annotation = {"mitre_attack": ["T1033", "T1087.001"]}
Query = (((Process.Path like r"%\\whoami.exe" or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%useraccount%" and Process.CommandLine like r"%get%") or (Process.Path like r"%\\quser.exe" or Process.Path like r"%\\qwinsta.exe") or (Process.Path like r"%\\cmdkey.exe" and Process.CommandLine like r"% /l%") or (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"% /c%" and Process.CommandLine like r"%dir %" and Process.CommandLine like r"%\\Users\\%")) and not (Process.CommandLine like r"% rmdir %")) or (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%user%") and not ((Process.CommandLine like r"%/domain%" or Process.CommandLine like r"%/add%" or Process.CommandLine like r"%/delete%" or Process.CommandLine like r"%/active%" or Process.CommandLine like r"%/expires%" or Process.CommandLine like r"%/passwordreq%" or Process.CommandLine like r"%/scriptpath%" or Process.CommandLine like r"%/times%" or Process.CommandLine like r"%/workstations%"))))

[ActivityMonitoringRule]
# Detect indirect command execution via Program Compatibility Wizard pcwrun.exe.
# Parent-based rule: any child process of pcwrun.exe fires.
RuleId = b97cd4b1-30b8-4a9d-bd72-6293928d52bc
RuleName = Indirect Command Execution By Program Compatibility Wizard
EventType = Process.Start
Tag = proc-start-indirect-command-execution-by-program-compatibility-wizard
RiskScore = 25
Annotation = {"mitre_attack": ["T1218"]}
Query = Parent.Path like r"%\\pcwrun.exe"
# NOTE(review): GenericProperty1 appears to attach Parent.Path to the reported event; confirm against the ESA docs.
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
# Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
# Matches an install (` /i`) combined with any quiet switch (` /q` also covers /qn, /qb, ...). Legitimate software
# deployment tooling commonly uses the same switches, so tune the baseline per environment.
RuleId = 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5
RuleName = Suspicious Msiexec Quiet Install
EventType = Process.Start
Tag = proc-start-suspicious-msiexec-quiet-install
RiskScore = 25
Annotation = {"mitre_attack": ["T1218.007"]}
Query = (Process.Path like r"%\\msiexec.exe" and Process.CommandLine like r"% /i%" and Process.CommandLine like r"% /q%")

[ActivityMonitoringRule]
# Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
# Matches tshark.exe with an interface switch (`-i`) in the command line, or any start of windump.exe.
RuleId = ba1f7802-adc7-48b4-9ecb-81e227fddfd5
RuleName = Network Sniffing
EventType = Process.Start
Tag = proc-start-network-sniffing
RiskScore = 25
Annotation = {"mitre_attack": ["T1040"]}
Query = ((Process.Path like r"%\\tshark.exe" and Process.CommandLine like r"%-i%") or Process.Path like r"%\\windump.exe")

[ActivityMonitoringRule]
# Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
# Command lines containing a backslash (e.g. a UNC target such as `net view \\host`) are excluded, so only the
# target-less form of `net view` fires.
RuleId = 62510e69-616b-4078-b371-847da438cc03
RuleName = Windows Network Enumeration
EventType = Process.Start
Tag = proc-start-windows-network-enumeration
RiskScore = 25
Annotation = {"mitre_attack": ["T1018"]}
Query = (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%view%") and not (Process.CommandLine like r"%\\%"))

[ActivityMonitoringRule]
# Detects creation of a new service.
# Covers `sc create ... binPath` and the PowerShell `New-Service -BinaryPathName` form; the PowerShell branch is a
# command-line-only match with no Process.Path condition.
RuleId = 7fe71fc9-de3b-432a-8d57-8c809efc10ab
RuleName = New Service Creation
EventType = Process.Start
Tag = proc-start-new-service-creation
RiskScore = 25
Annotation = {"mitre_attack": ["T1543.003"]}
Query = ((Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%binPath%") or (Process.CommandLine like r"%New-Service%" and Process.CommandLine like r"%-BinaryPathName%"))

[ActivityMonitoringRule]
# Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
# Only powershell.exe is covered; pwsh.exe (PowerShell 7) is not in this query, unlike the encoded-command-line
# rule further down which lists both. CompatTelRunner.exe is excluded as a known benign parent.
RuleId = f4bbd493-b796-416e-bbf2-121235348529
RuleName = Non Interactive PowerShell
EventType = Process.Start
Tag = proc-start-non-interactive-powershell
RiskScore = 25
Annotation = {"mitre_attack": ["T1059.001"]}
Query = (Process.Path like r"%\\powershell.exe" and not ((Parent.Path like r"%\\explorer.exe" or Parent.Path like r"%\\CompatTelRunner.exe")))
# NOTE(review): GenericProperty1 appears to attach Parent.Path to the reported event; confirm against the ESA docs.
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects execution of executables that can be used to bypass AppLocker whitelisting.
# Matches on the command line, not on Process.Path: the rule fires whenever one of the listed binary names appears
# anywhere in a command line, including as an argument to some other process.
RuleId = 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719
RuleName = Possible Applocker Bypass
EventType = Process.Start
Tag = proc-start-possible-applocker-bypass
RiskScore = 25
Annotation = {"mitre_attack": ["T1218.004", "T1218.009", "T1127.001", "T1218.005", "T1218"]}
Query = (Process.CommandLine like r"%\\msdt.exe%" or Process.CommandLine like r"%\\installutil.exe%" or Process.CommandLine like r"%\\regsvcs.exe%" or Process.CommandLine like r"%\\regasm.exe%" or Process.CommandLine like r"%\\msbuild.exe%" or Process.CommandLine like r"%\\ieexec.exe%")

[ActivityMonitoringRule]
# Detects specific combinations of encoding methods in the PowerShell command lines.
# Covers powershell.exe and pwsh.exe. Fires on a numeric-conversion method (ToInt/ToDecimal/ToByte/...) combined
# with a string/char conversion, or on `char`+`join` / `split`+`join` combinations.
RuleId = cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
RuleName = Encoded PowerShell Command Line
EventType = Process.Start
Tag = proc-start-encoded-powershell-command-line
RiskScore = 25
Annotation = {"mitre_attack": ["T1027", "T1059.001"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (((Process.CommandLine like r"%ToInt%" or Process.CommandLine like r"%ToDecimal%" or Process.CommandLine like r"%ToByte%" or Process.CommandLine like r"%ToUint%" or Process.CommandLine like r"%ToSingle%" or Process.CommandLine like r"%ToSByte%") and (Process.CommandLine like r"%ToChar%" or Process.CommandLine like r"%ToString%" or Process.CommandLine like r"%String%")) or ((Process.CommandLine like r"%char%" and Process.CommandLine like r"%join%") or (Process.CommandLine like r"%split%" and Process.CommandLine like r"%join%"))))

[ActivityMonitoringRule]
# Detect suspicious parent processes of well-known Windows processes.
# Excludes parents under System32/SysWOW64, SavService.exe, ngen.exe, MsMpEng.exe under the Defender/Security Client
# directories, and events with an empty or "-" parent path (the `''` vs `"-"` quoting is inconsistent but equivalent here).
RuleId = 96036718-71cc-4027-a538-d1587e0006a7
RuleName = Windows Processes Suspicious Parent Directory
EventType = Process.Start
Tag = proc-start-windows-processes-suspicious-parent-directory
RiskScore = 25
Annotation = {"mitre_attack": ["T1036.003", "T1036.005"]}
Query = ((Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\taskhost.exe" or Process.Path like r"%\\lsm.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\services.exe" or Process.Path like r"%\\lsaiso.exe" or Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\winlogon.exe") and not (((Parent.Path like r"%\\SavService.exe" or Parent.Path like r"%\\ngen.exe") or (Parent.Path like r"%\\System32\\%" or Parent.Path like r"%\\SysWOW64\\%")) or ((Parent.Path like r"%\\Windows Defender\\%" or Parent.Path like r"%\\Microsoft Security Client\\%") and Parent.Path like r"%\\MsMpEng.exe") or (Parent.Path == '' or Parent.Path == "-")))
# NOTE(review): GenericProperty1 appears to attach Parent.Path to the reported event; confirm against the ESA docs.
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a PsExec service start.
# The pattern contains no `%` wildcard, so it is effectively an exact match on the command line
# `C:\Windows\PSEXESVC.exe`; a command line with arguments or a different drive/path does not match.
RuleId = 3ede524d-21cc-472d-a3ce-d21b568d8db7
RuleName = PsExec Service Start
EventType = Process.Start
Tag = proc-start-psexec-service-start
RiskScore = 25
Annotation = {"mitre_attack": ["T1569.002"]}
Query = Process.CommandLine like r"C:\\Windows\\PSEXESVC.exe"

[ActivityMonitoringRule]
# Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
# Matches reg.exe with a read verb (query/save/export) against one of the listed autostart- and service-related
# key paths (CurrentVersion\Run*, Winlogon, ShellServiceObjectDelayLoad, policies\explorer\run, CurrentControlSet\Services).
RuleId = 970007b7-ce32-49d0-a4a4-fbef016950bd
RuleName = Query Registry
EventType = Process.Start
Tag = proc-start-query-registry
RiskScore = 25
Annotation = {"mitre_attack": ["T1012", "T1007"]}
Query = (Process.Path like r"%\\reg.exe" and (Process.CommandLine like r"%query%" or Process.CommandLine like r"%save%" or Process.CommandLine like r"%export%") and (Process.CommandLine like r"%currentVersion\\windows%" or Process.CommandLine like r"%currentVersion\\runServicesOnce%" or Process.CommandLine like r"%currentVersion\\runServices%" or Process.CommandLine like r"%winlogon\\%" or Process.CommandLine like r"%currentVersion\\shellServiceObjectDelayLoad%" or Process.CommandLine like r"%currentVersion\\runOnce%" or Process.CommandLine like r"%currentVersion\\runOnceEx%" or Process.CommandLine like r"%currentVersion\\run%" or Process.CommandLine like r"%currentVersion\\policies\\explorer\\run%" or Process.CommandLine like r"%currentcontrolset\\services%"))

[ActivityMonitoringRule]
# Detects the export of the target Registry key to a file.
# The exclusion drops exports of HKLM\system, HKLM\sam and HKLM\security; presumably those are handled by a
# separate, higher-severity rule - confirm that rule is deployed, otherwise this leaves a gap rather than a de-duplication.
# NOTE(review): `\_` in `hkey\_local\_machine` presumably escapes `_`, which is otherwise a single-character wildcard in LIKE.
RuleId = f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
RuleName = Exports Registry Key To a File
EventType = Process.Start
Tag = proc-start-exports-registry-key-to-a-file
RiskScore = 25
Annotation = {"mitre_attack": ["T1012"]}
Query = ((Process.Path like r"%\\regedit.exe" and (Process.CommandLine like r"% /E %" or Process.CommandLine like r"% -E %")) and not (((Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%")) and ((Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security"))))

[ActivityMonitoringRule]
# Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
# Matches net/net1 with `time` in the command line, or w32tm.exe with `tz`.
RuleId = b243b280-65fe-48df-ba07-6ddea7646427
RuleName = Discovery of a System Time
EventType = Process.Start
Tag = proc-start-discovery-of-a-system-time
RiskScore = 25
Annotation = {"mitre_attack": ["T1124"]}
Query = (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%time%") or (Process.Path like r"%\\w32tm.exe" and Process.CommandLine like r"%tz%"))

[ActivityMonitoringRule]
# Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the VirtualBox driver or start of a VirtualBox VM.
# Command-line-only match (no Process.Path condition): VirtualBox driver/library names, or the `startvm` / `controlvm` verbs.
RuleId = bab049ca-7471-4828-9024-38279a4c04da
RuleName = Detect Virtualbox Driver Installation OR Starting Of VMs
EventType = Process.Start
Tag = proc-start-detect-virtualbox-driver-installation-or-starting-of-vms
RiskScore = 25
Annotation = {"mitre_attack": ["T1564.006", "T1564"]}
Query = ((Process.CommandLine like r"%VBoxRT.dll,RTR3Init%" or Process.CommandLine like r"%VBoxC.dll%" or Process.CommandLine like r"%VBoxDrv.sys%") or (Process.CommandLine like r"%startvm%" or Process.CommandLine like r"%controlvm%"))

[ActivityMonitoringRule]
# Detects manual service execution (start) via system utilities.
# Matches net/net1 with ` start ` (space on both sides) in the command line; `net start` with no service name at the
# end of the line is therefore not matched.
RuleId = 2a072a96-a086-49fa-bcb5-15cc5a619093
RuleName = Service Execution
EventType = Process.Start
Tag = proc-start-service-execution
RiskScore = 25
Annotation = {"mitre_attack": ["T1569.002"]}
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"% start %")

[ActivityMonitoringRule]
# Detects a Windows service being stopped.
# Matches sc/net/net1 with `stop` anywhere in the command line. The single exclusion is an exact command line
# (`sc  stop KSCWebConsoleMessageQueue`, two spaces) run under a system account (`AUTHORI` / localized `AUTORI`).
RuleId = eb87818d-db5d-49cc-a987-d5da331fbd90
RuleName = Stop Windows Service
EventType = Process.Start
Tag = proc-start-stop-windows-service
RiskScore = 25
Annotation = {"mitre_attack": ["T1489"]}
Query = (((Process.Name in ["sc.exe", "net.exe", "net1.exe"] or (Process.Path like r"%\\sc.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe")) and Process.CommandLine like r"%stop%") and not (Process.CommandLine == "sc  stop KSCWebConsoleMessageQueue" and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%")))
# NOTE(review): GenericProperty1 appears to attach Process.User to the reported event; confirm against the ESA docs.
GenericProperty1 = Process.User

[ActivityMonitoringRule]
# adidnsdump enables enumeration and export of all DNS records in a zone for reconnaissance of internal networks.
# It queries/modifies DNS records for Active Directory-integrated DNS via LDAP; Python 3 (python.exe) must be installed.
# Matches python.exe with `adidnsdump` anywhere in the command line, so the tool name must appear as a script or module argument.
RuleId = 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
RuleName = Suspicious Execution of Adidnsdump
EventType = Process.Start
Tag = proc-start-suspicious-execution-of-adidnsdump
RiskScore = 25
Annotation = {"mitre_attack": ["T1018"]}
Query = (Process.Path like r"%\\python.exe" and Process.CommandLine like r"%adidnsdump%")

[ActivityMonitoringRule]
# Adversaries may attempt to find local system groups and permission settings.
# The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
# Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
# Matches wmic.exe (by path suffix or name) with ` group` in the command line.
RuleId = 164eda96-11b2-430b-85ff-6a265c15bf32
RuleName = Suspicious Get Local Groups Information with WMIC
EventType = Process.Start
Tag = proc-start-suspicious-get-local-groups-information-with-wmic
RiskScore = 25
Annotation = {"mitre_attack": ["T1069.001"]}
Query = ((Process.Path like r"%\\wmic.exe" or Process.Name == "wmic.exe") and Process.CommandLine like r"% group%")

[ActivityMonitoringRule]
# Detects suspicious processes that use escape characters.
# Matches `http` broken up with cmd caret escapes (`h^t^t^p`) or with embedded double quotes (`h"t"t"p`) anywhere in the command line.
RuleId = f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
RuleName = Suspicious Commandline Escape
EventType = Process.Start
Tag = proc-start-suspicious-commandline-escape
RiskScore = 25
Annotation = {"mitre_attack": ["T1140"]}
Query = (Process.CommandLine like r"%h^t^t^p%" or Process.CommandLine like r"%h\"t\"t\"p%")

[ActivityMonitoringRule]
# Detects usage of the "dir" command that's part of Windows batch/cmd to collect information about directories.
# Command-line-only match (no Process.Path condition): `dir ` together with ` /s` (recursive) and ` /b` (bare listing).
RuleId = 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
RuleName = Suspicious DIR Execution
EventType = Process.Start
Tag = proc-start-suspicious-dir-execution
RiskScore = 25
Annotation = {"mitre_attack": ["T1217"]}
Query = (Process.CommandLine like r"%dir %" and Process.CommandLine like r"% /s%" and Process.CommandLine like r"% /b%")

[ActivityMonitoringRule]
# Attackers can use explorer.exe for evading defense mechanisms.
# Matches explorer.exe started by cmd.exe with `explorer.exe` present in its own command line.
RuleId = 9eb271b9-24ae-4cd4-9465-19cfc1047f3e
RuleName = Proxy Execution Via Explorer.exe
EventType = Process.Start
Tag = proc-start-proxy-execution-via-explorer.exe
RiskScore = 25
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\explorer.exe" and Parent.Path like r"%\\cmd.exe" and Process.CommandLine like r"%explorer.exe%")
# NOTE(review): GenericProperty1 appears to attach Parent.Path to the reported event; confirm against the ESA docs.
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Use of hostname to get information.
# NOTE(review): the pattern is upper-case (`HOSTNAME.EXE`) while every other rule in this file uses lower-case names;
# whether the on-disk `hostname.exe` matches depends on `like` being case-insensitive - confirm.
RuleId = 7be5fb68-f9ef-476d-8b51-0256ebece19e
RuleName = Suspicious Execution of Hostname
EventType = Process.Start
Tag = proc-start-suspicious-execution-of-hostname
RiskScore = 25
Annotation = {"mitre_attack": ["T1082"]}
Query = Process.Path like r"%\\HOSTNAME.EXE"

[ActivityMonitoringRule]
# Use of reg to get MachineGuid information.
# Matches reg.exe reading the MachineGuid value (`/v MachineGuid`) under SOFTWARE\Microsoft\Cryptography.
RuleId = f5240972-3938-4e56-8e4b-e33893176c1f
RuleName = Suspicious Query of MachineGUID
EventType = Process.Start
Tag = proc-start-suspicious-query-of-machineguid
RiskScore = 25
Annotation = {"mitre_attack": ["T1082"]}
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%SOFTWARE\\Microsoft\\Cryptography%" and Process.CommandLine like r"%/v %" and Process.CommandLine like r"%MachineGuid%")

[ActivityMonitoringRule]
# Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
# Matches net/net1 (by path suffix or name) with both `share` and `/delete` in the command line.
RuleId = cb7c4a03-2871-43c0-9bbb-18bbdb079896
RuleName = Mounted Share Deleted
EventType = Process.Start
Tag = proc-start-mounted-share-deleted
RiskScore = 25
Annotation = {"mitre_attack": ["T1070.005"]}
Query = (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") or Process.Name in ["net.exe", "net1.exe"]) and (Process.CommandLine like r"%share%" and Process.CommandLine like r"%/delete%"))

[ActivityMonitoringRule]
# Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems.
# Command-line-only match (no Process.Path condition): `netsh ... show ... firewall ...` with config/state/rule/name=all.
RuleId = 0e4164da-94bc-450d-a7be-a4b176179f1f
RuleName = Suspicious Netsh Discovery Command
EventType = Process.Start
Tag = proc-start-suspicious-netsh-discovery-command
RiskScore = 25
Annotation = {"mitre_attack": ["T1016"]}
Query = (Process.CommandLine like r"%netsh %" and Process.CommandLine like r"%show %" and Process.CommandLine like r"%firewall %" and (Process.CommandLine like r"%config %" or Process.CommandLine like r"%state %" or Process.CommandLine like r"%rule %" or Process.CommandLine like r"%name=all%"))

[ActivityMonitoringRule]
# Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems.
# Command-line-only match on common network discovery invocations; each pattern is a fixed phrase, so a variant
# with different spacing or switch order (e.g. `ipconfig  /all`) is not matched.
RuleId = a29c1813-ab1f-4dde-b489-330b952e91ae
RuleName = Suspicious Network Command
EventType = Process.Start
Tag = proc-start-suspicious-network-command
RiskScore = 25
Annotation = {"mitre_attack": ["T1016"]}
Query = (Process.CommandLine like r"%ipconfig /all%" or Process.CommandLine like r"%netsh interface show interface%" or Process.CommandLine like r"%arp -a%" or Process.CommandLine like r"%nbtstat -n%" or Process.CommandLine like r"%net config%" or Process.CommandLine like r"%route print%")

[ActivityMonitoringRule]
# Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
# Command-line-only match: `netstat` anywhere, or `net ` with `use` / `sessions` either at the end of the line or followed by a space.
RuleId = 1c67a717-32ba-409b-a45d-0fb704a73a81
RuleName = Suspicious Listing of Network Connections
EventType = Process.Start
Tag = proc-start-suspicious-listing-of-network-connections
RiskScore = 25
Annotation = {"mitre_attack": ["T1049"]}
Query = (Process.CommandLine like r"%netstat%" or (Process.CommandLine like r"%net %" and ((Process.CommandLine like r"% use" or Process.CommandLine like r"% sessions") or (Process.CommandLine like r"% use %" or Process.CommandLine like r"% sessions %"))))

[ActivityMonitoringRule]
# Detects execution of Net.exe, whether suspicious or benign.
# Broad rule: net/net1 (by path suffix or name) with any of the common sub-commands. Several narrower rules in this
# file (share delete, net view, net user, net start/stop) overlap with it, so one event may match more than one rule.
RuleId = 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
RuleName = Net.exe Execution
EventType = Process.Start
Tag = proc-start-net.exe-execution
RiskScore = 25
Annotation = {"mitre_attack": ["T1007", "T1049", "T1018", "T1135", "T1201", "T1069.001", "T1069.002", "T1087.001", "T1087.002", "T1021.002"]}
Query = (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") or Process.Name in ["net.exe", "net1.exe"]) and (Process.CommandLine like r"% group%" or Process.CommandLine like r"% localgroup%" or Process.CommandLine like r"% user%" or Process.CommandLine like r"% view%" or Process.CommandLine like r"% share%" or Process.CommandLine like r"% accounts%" or Process.CommandLine like r"% stop %" or Process.CommandLine like r"% start%"))

[ActivityMonitoringRule]
# Detects process start from rare or uncommon folders like the temporary folder or folders that usually don't contain executable files.
# Exclusions are path-only. Note that `Process.Path like r"%setup.exe"` excludes any binary whose path ends in
# setup.exe, wherever it lives, so an executable with that name in Temp or on the Desktop is never reported by this rule.
RuleId = dca91cfd-d7ab-4c66-8da7-ee57d487b35b
RuleName = Process Start From Suspicious Folder
EventType = Process.Start
Tag = proc-start-process-start-from-suspicious-folder
RiskScore = 25
Annotation = {"mitre_attack": ["T1204"]}
Query = ((Process.Path like r"%\\Desktop\\%" or Process.Path like r"%\\Temp\\%" or Process.Path like r"%\\Temporary Internet%") and not (((Parent.Path like r"C:\\Windows\\System32\\cleanmgr.exe" or Parent.Path like r"C:\\Program Files (x86)\\Microsoft Visual Studio\\Installer\\resources\\app\\ServiceHub\\Services\\Microsoft.VisualStudio.Setup.Service\\BackgroundDownload.exe" or Parent.Path like r"C:\\Windows\\System32\\dxgiadaptercache.exe") or Parent.Path like r"C:\\Program Files (x86)\\NVIDIA Corporation\\%") or (Process.Path like r"%setup.exe") or (Process.Path like r"C:\\Program Files (x86)\\Microsoft\\Temp\\%" and Process.Path like r"%.tmp\\MicrosoftEdgeUpdate.exe")))
# NOTE(review): GenericProperty1 appears to attach Parent.Path to the reported event; confirm against the ESA docs.
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the creation of scheduled tasks in a user session.
# Task creation by system accounts (`AUTHORI` / localized `AUTORI` in Process.User) is excluded; ` /create ` needs a
# space on both sides, so `/create` as the last token on the line is not matched.
RuleId = 92626ddd-662c-49e3-ac59-f6535f12d189
RuleName = Scheduled Task Creation
EventType = Process.Start
Tag = proc-start-scheduled-task-creation
RiskScore = 25
Annotation = {"mitre_attack": ["T1053.005"]}
Query = ((Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %") and not ((Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%")))
# NOTE(review): GenericProperty1 appears to attach Process.User to the reported event; confirm against the ESA docs.
GenericProperty1 = Process.User

[ActivityMonitoringRule]
# Adversaries may try to get information about registered services.
# Command-line-only match on the phrase `sc query`; no Process.Path condition.
RuleId = 57712d7a-679c-4a41-a913-87e7175ae429
RuleName = Suspicious Sc Query
EventType = Process.Start
Tag = proc-start-suspicious-sc-query
RiskScore = 25
Annotation = {"mitre_attack": ["T1007"]}
Query = Process.CommandLine like r"%sc query%"

[ActivityMonitoringRule]
# Detects usage of the "systeminfo" command to retrieve information.
# NOTE(review): the `Process.Name == "sysinfo.exe"` clause does not match the on-disk name systeminfo.exe; it
# presumably came from the Sigma rule's OriginalFileName selector. Only the path-suffix clause covers a normal invocation - confirm.
RuleId = 0ef56343-059e-4cb6-adc1-4c3c967c5e46
RuleName = Suspicious Execution of Systeminfo
EventType = Process.Start
Tag = proc-start-suspicious-execution-of-systeminfo
RiskScore = 25
Annotation = {"mitre_attack": ["T1082"]}
Query = (Process.Path like r"%\\systeminfo.exe" or Process.Name == "sysinfo.exe")

[ActivityMonitoringRule]
# Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.
# Matches taskkill.exe (by path suffix or name) with a forced kill by image name (` /f` and ` /im `).
RuleId = 86085955-ea48-42a2-9dd3-85d4c36b167d
RuleName = Suspicious Execution of Taskkill
EventType = Process.Start
Tag = proc-start-suspicious-execution-of-taskkill
RiskScore = 25
Annotation = {"mitre_attack": ["T1489"]}
Query = ((Process.Path like r"%\\taskkill.exe" or Process.Name == "taskkill.exe") and (Process.CommandLine like r"% /f%" and Process.CommandLine like r"% /im %"))

[ActivityMonitoringRule]
# Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network.
# Matches tasklist by command-line substring, path suffix or process name; the substring clause also fires for any other process whose command line mentions `tasklist`.
RuleId = 63332011-f057-496c-ad8d-d2b6afb27f96
RuleName = Suspicious Tasklist Discovery Command
EventType = Process.Start
Tag = proc-start-suspicious-tasklist-discovery-command
RiskScore = 25
Annotation = {"mitre_attack": ["T1057"]}
Query = (Process.CommandLine like r"%tasklist%" or Process.Path like r"%\\tasklist.exe" or Process.Name == "tasklist.exe")

[ActivityMonitoringRule]
# Detects the creation of a process from Windows Task Manager.
# Parent-based rule; resmon.exe, mmc.exe and taskmgr.exe itself are excluded as expected children.
RuleId = 3d7679bd-0c00-440c-97b0-3f204273e6c7
RuleName = Taskmgr as Parent
EventType = Process.Start
Tag = proc-start-taskmgr-as-parent
RiskScore = 25
Annotation = {"mitre_attack": ["T1036"]}
Query = (Parent.Path like r"%\\taskmgr.exe" and not ((Process.Path like r"%\\resmon.exe" or Process.Path like r"%\\mmc.exe" or Process.Path like r"%\\taskmgr.exe")))
# NOTE(review): GenericProperty1 appears to attach Parent.Path to the reported event; confirm against the ESA docs.
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as a WSC file with VBScript, a DLL and so on) directly by running te.exe.
# NOTE(review): `Process.Name like r"\\te.exe"` has a leading backslash and no wildcard, while every other Process.Name
# comparison in this file uses the bare file name (e.g. `Process.Name == "clip.exe"`); that clause likely never matches
# and `Process.Name == "te.exe"` is probably what was intended - confirm. The two path-suffix clauses still cover te.exe as process or parent.
RuleId = 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
RuleName = Malicious Windows Script Components File Execution by TAEF Detection
EventType = Process.Start
Tag = proc-start-malicious-windows-script-components-file-execution-by-taef-detection
RiskScore = 25
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\te.exe" or Parent.Path like r"%\\te.exe" or Process.Name like r"\\te.exe")
# NOTE(review): GenericProperty1 appears to attach Parent.Path to the reported event; confirm against the ESA docs.
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
# Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
# internal network resources such as servers, tools/dashboards, or other related infrastructure.
# Matches where.exe (by path suffix or name) searching for Firefox/Chromium profile artefacts (places.sqlite, logins.json,
# key4.db, History, Bookmarks, Cookies, Login Data, ...). The generic names `History`, `Bookmarks` and `Cookies` are
# substring matches and can also hit unrelated searches.
RuleId = 725a9768-0f5e-4cb3-aec2-bc5719c6831a
RuleName = Suspicious Where Execution
EventType = Process.Start
Tag = proc-start-suspicious-where-execution
RiskScore = 25
Annotation = {"mitre_attack": ["T1217"]}
Query = ((Process.Path like r"%\\where.exe" or Process.Name == "where.exe") and (Process.CommandLine like r"%places.sqlite%" or Process.CommandLine like r"%cookies.sqlite%" or Process.CommandLine like r"%formhistory.sqlite%" or Process.CommandLine like r"%logins.json%" or Process.CommandLine like r"%key4.db%" or Process.CommandLine like r"%key3.db%" or Process.CommandLine like r"%sessionstore.jsonlz4%" or Process.CommandLine like r"%History%" or Process.CommandLine like r"%Bookmarks%" or Process.CommandLine like r"%Cookies%" or Process.CommandLine like r"%Login Data%"))

[ActivityMonitoringRule]
# Detects the usage of Sysinternals tools due to the accepteula option being seen in the command line.
# Command-line-only match on ` -accepteula` / ` /accepteula`; no Process.Path condition, so it also fires for wrappers that pass the switch through.
RuleId = 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
RuleName = Usage of Sysinternals Tools
EventType = Process.Start
Tag = proc-start-usage-of-sysinternals-tools
RiskScore = 25
Annotation = {"mitre_attack": ["T1588.002"]}
Query = (Process.CommandLine like r"% -accepteula%" or Process.CommandLine like r"% /accepteula%")

[ActivityMonitoringRule]
# Detects PsExec service installation and execution events (service and Sysmon).
# Matches the PSEXESVC.exe service binary running under a system account (`AUTHORI` / localized `AUTORI` in Process.User).
# Complements the "PsExec Service Start" rule above, which keys on the exact command line instead of the path and user.
RuleId = fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
RuleName = PsExec Tool Execution
EventType = Process.Start
Tag = proc-start-psexec-tool-execution
RiskScore = 25
Annotation = {"mitre_attack": ["T1569.002"]}
Query = (Process.Path like r"%\\PSEXESVC.exe" and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%"))
# NOTE(review): GenericProperty1 appears to attach Process.User to the reported event; confirm against the ESA docs.
GenericProperty1 = Process.User

