Documentation

Contents
Contents
Contents
Contents

uberAgent-ESA-am-sigma-proc-creation-critical.conf

The following is the uberAgent-ESA-am-sigma-proc-creation-critical.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a commandline, change working directory to the just cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: critical
#

[ActivityMonitoringRule]
# Detects Ryuk Ransomware command lines
RuleName = Ryuk Ransomware
EventType = Process.Start
Tag = proc-start-ryuk-ransomware
RiskScore = 100
Query = (Process.CommandLine like r"%\\net.exe stop \"samss\" %" or Process.CommandLine like r"%\\net.exe stop \"audioendpointbuilder\" %" or Process.CommandLine like r"%\\net.exe stop \"unistoresvc\______\" %")

[ActivityMonitoringRule]
# Detecting DNS tunnel activity for Muddywater actor
RuleName = DNS Tunnel Technique from MuddyWater
EventType = Process.Start
Tag = proc-start-dns-tunnel-technique-from-muddywater
RiskScore = 100
Query = ((Process.Path like r"%\\powershell.exe") and (Parent.Path like r"%\\excel.exe") and (Process.CommandLine like r"%DataExchange.dll%"))

[ActivityMonitoringRule]
# This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
RuleName = APT29
EventType = Process.Start
Tag = proc-start-apt29
RiskScore = 100
Query = Process.CommandLine like r"%-noni -ep bypass $%"

[ActivityMonitoringRule]
# Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
RuleName = Judgement Panda Credential Access Activity
EventType = Process.Start
Tag = proc-start-judgement-panda-credential-access-activity
RiskScore = 100
Query = ((Process.Path like r"%\\xcopy.exe" and Process.CommandLine like r"% /S /E /C /Q /H \\%") or (Process.Path like r"%\\adexplorer.exe" and Process.CommandLine like r"% -snapshot \"\" c:\\users\\%"))

[ActivityMonitoringRule]
# Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
RuleName = BlueMashroom DLL Load
EventType = Process.Start
Tag = proc-start-bluemashroom-dll-load
RiskScore = 100
Query = (Process.CommandLine like r"%\\regsvr32%\\AppData\\Local\\%" or Process.CommandLine like r"%\\AppData\\Local\\%,DllEntry%")

[ActivityMonitoringRule]
# Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
RuleName = Chafer Activity
EventType = Process.Start
Tag = proc-start-chafer-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%\\Service.exe i" or Process.CommandLine like r"%\\Service.exe u" or Process.CommandLine like r"%\\microsoft\\Taskbar\\autoit3.exe" or Process.CommandLine like r"C:\\wsc.exe%") or Process.Path like r"%\\Windows\\Temp\\DB\\%.exe" or (Process.CommandLine like r"%\\nslookup.exe -q=TXT%" and Parent.Path like r"%\\Autoit%"))

[ActivityMonitoringRule]
# Detects suspicious file execution by wscript and cscript
RuleName = WMIExec VBS Script
EventType = Process.Start
Tag = proc-start-wmiexec-vbs-script
RiskScore = 100
Query = (Process.Path like r"%\\cscript.exe" and Process.CommandLine like r"%.vbs /shell %")

[ActivityMonitoringRule]
# Detects CrackMapExecWin Activity as Described by NCSC
RuleName = CrackMapExecWin
EventType = Process.Start
Tag = proc-start-crackmapexecwin
RiskScore = 100
Query = (Process.Path like r"%\\crackmapexec.exe")

[ActivityMonitoringRule]
# Detects Elise backdoor acitivty as used by APT32
RuleName = Elise Backdoor
EventType = Process.Start
Tag = proc-start-elise-backdoor
RiskScore = 100
Query = ((Process.Path like r"C:\\Windows\\SysWOW64\\cmd.exe" and Process.CommandLine like r"%\\Windows\\Caches\\NavShExt.dll %") or Process.CommandLine like r"%\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting")

[ActivityMonitoringRule]
# Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
RuleName = Emissary Panda Malware SLLauncher
EventType = Process.Start
Tag = proc-start-emissary-panda-malware-sllauncher
RiskScore = 100
Query = (Parent.Path like r"%\\sllauncher.exe" and Process.Path like r"%\\svchost.exe")

[ActivityMonitoringRule]
# Detects a specific tool and export used by EquationGroup
RuleName = Equation Group DLL_U Load
EventType = Process.Start
Tag = proc-start-equation-group-dll_u-load
RiskScore = 100
Query = ((Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%,dll\_u") or Process.CommandLine like r"% -export dll\_u %")

[ActivityMonitoringRule]
# Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
RuleName = EvilNum Golden Chickens Deployment via OCX Files
EventType = Process.Start
Tag = proc-start-evilnum-golden-chickens-deployment-via-ocx-files
RiskScore = 100
Query = (Process.CommandLine like r"%regsvr32%" and Process.CommandLine like r"% /s /i %" and Process.CommandLine like r"%\\AppData\\Roaming\\%" and Process.CommandLine like r"%.ocx%")

[ActivityMonitoringRule]
# Detects tools and process executions as observed in a Greenbug campaign in May 2020
RuleName = Greenbug Campaign Indicators
EventType = Process.Start
Tag = proc-start-greenbug-campaign-indicators
RiskScore = 100
Query = ((Process.CommandLine like r"%bitsadmin /transfer%" and Process.CommandLine like r"%CSIDL\_APPDATA%") or (Process.CommandLine like r"%CSIDL\_SYSTEM\_DRIVE%") or (Process.CommandLine like r"%\\msf.ps1%" or Process.CommandLine like r"%8989 -e cmd.exe%" or Process.CommandLine like r"%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%" or Process.CommandLine like r"%-nop -w hidden -c $k=new-object%" or Process.CommandLine like r"%[Net.CredentialCache]::DefaultCredentials;IEX %" or Process.CommandLine like r"% -nop -w hidden -c $m=new-object net.webclient;$m%" or Process.CommandLine like r"%-noninteractive -executionpolicy bypass whoami%" or Process.CommandLine like r"%-noninteractive -executionpolicy bypass netstat -a%" or Process.CommandLine like r"%L3NlcnZlc%") or (Process.Path like r"%\\adobe\\Adobe.exe" or Process.Path like r"%\\oracle\\local.exe" or Process.Path like r"%\\revshell.exe" or Process.Path like r"%infopagesbackup\\ncat.exe" or Process.Path like r"%CSIDL\_SYSTEM\\cmd.exe" or Process.Path like r"%\\programdata\\oracle\\java.exe" or Process.Path like r"%CSIDL\_COMMON\_APPDATA\\comms\\comms.exe" or Process.Path like r"%\\Programdata\\VMware\\Vmware.exe"))

[ActivityMonitoringRule]
# Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
RuleName = Judgement Panda Exfil Activity
EventType = Process.Start
Tag = proc-start-judgement-panda-exfil-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%\\ldifde.exe -f -n %" or Process.CommandLine like r"%\\7za.exe a 1.7z %" or Process.CommandLine like r"% eprod.ldf" or Process.CommandLine like r"%\\aaaa\\procdump64.exe%" or Process.CommandLine like r"%\\aaaa\\netsess.exe%" or Process.CommandLine like r"%\\aaaa\\7za.exe%" or Process.CommandLine like r"%copy .\\1.7z \\%" or Process.CommandLine like r"%copy \\client\\c$\\aaaa\\%") or Process.Path like r"C:\\Users\\Public\\7za.exe")

[ActivityMonitoringRule]
# Detects Registry modifcations performaed by Ke3chang malware in campaigns running in 2019 and 2020
RuleName = Ke3chang Registry Key Modifications
EventType = Process.Start
Tag = proc-start-ke3chang-registry-key-modifications
RiskScore = 100
Query = (Process.CommandLine like r"%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%" or Process.CommandLine like r"%-Property String -name Check\_Associations -value%" or Process.CommandLine like r"%-Property DWORD -name IEHarden -value 0 -Force%")

[ActivityMonitoringRule]
# Detects Trojan loader acitivty as used by APT28
RuleName = Sofacy Trojan Loader Activity
EventType = Process.Start
Tag = proc-start-sofacy-trojan-loader-activity
RiskScore = 100
Query = (Process.CommandLine like r"rundll32.exe \%APPDATA\%\\%.dat\",%" or Process.CommandLine like r"rundll32.exe \%APPDATA\%\\%.dll\",#1")

[ActivityMonitoringRule]
# Detects specific process characteristics of Chinese TAIDOOR RAT malware load
RuleName = TAIDOOR RAT DLL Load
EventType = Process.Start
Tag = proc-start-taidoor-rat-dll-load
RiskScore = 100
Query = ((Process.CommandLine like r"%dll,MyStart%" or Process.CommandLine like r"%dll MyStart%") or ((Process.CommandLine like r"% MyStart") and (Process.CommandLine like r"%rundll32.exe%")))

[ActivityMonitoringRule]
# Detects automated lateral movement by Turla group
RuleName = Turla Group Lateral Movement
EventType = Process.Start
Tag = proc-start-turla-group-lateral-movement
RiskScore = 100
Query = (Process.CommandLine like r"net use \\\%DomainController\%\\C$ \"[email protected]\" %" or Process.CommandLine like r"dir c:\\%.doc% /s" or Process.CommandLine like r"dir \%TEMP\%\\%.exe")

[ActivityMonitoringRule]
# Detects commands used by Turla group as reported by ESET in May 2020
RuleName = Turla Group Commands May 2020
EventType = Process.Start
Tag = proc-start-turla-group-commands-may-2020
RiskScore = 100
Query = ((Process.CommandLine like r"%tracert -h 10 yahoo.com%" or Process.CommandLine like r"%.WSqmCons))|iex;%" or Process.CommandLine like r"%Fr`omBa`se6`4Str`ing%") or (Process.CommandLine like r"%net use https://docs.live.net%" and Process.CommandLine like r"%@aol.co.uk%"))

[ActivityMonitoringRule]
# Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
RuleName = Winnti Malware HK University Campaign
EventType = Process.Start
Tag = proc-start-winnti-malware-hk-university-campaign
RiskScore = 100
Query = (((Parent.Path like r"%C:\\Windows\\Temp%" or Parent.Path like r"%\\hpqhvind.exe%") and Process.Path like r"C:\\ProgramData\\DRM%") or (Parent.Path like r"C:\\ProgramData\\DRM%" and Process.Path like r"%\\wmplayer.exe") or (Parent.Path like r"%\\Test.exe" and Process.Path like r"%\\wmplayer.exe") or Process.Path like r"C:\\ProgramData\\DRM\\CLR\\CLR.exe" or (Parent.Path like r"C:\\ProgramData\\DRM\\Windows%" and Process.Path like r"%\\SearchFilterHost.exe"))

[ActivityMonitoringRule]
# Detects specific process characteristics of Winnti Pipemon malware reported by ESET
RuleName = Winnti Pipemon Characteristics
EventType = Process.Start
Tag = proc-start-winnti-pipemon-characteristics
RiskScore = 100
Query = ((Process.CommandLine like r"%setup0.exe -p%") or (Process.CommandLine like r"%setup.exe -x:0" or Process.CommandLine like r"%setup.exe -x:1" or Process.CommandLine like r"%setup.exe -x:2"))

[ActivityMonitoringRule]
# Detects a ZxShell start by the called and well-known function name
RuleName = ZxShell Malware
EventType = Process.Start
Tag = proc-start-zxshell-malware
RiskScore = 100
Query = (Process.CommandLine like r"%rundll32.exe %,zxFunction%" or Process.CommandLine like r"%rundll32.exe %,RemoteDiskXXXXX%")

[ActivityMonitoringRule]
# Detects the malicious use of a control panel item
RuleName = Control Panel Items
EventType = Process.Start
Tag = proc-start-control-panel-items
RiskScore = 100
Query = ((Process.CommandLine like r"%.cpl" and not ((Process.CommandLine like r"%\\System32\\%" or Process.CommandLine like r"%\%System\%%"))) or ((Process.CommandLine like r"%reg add%") and (Process.CommandLine like r"%CurrentVersion\\Control Panel\\CPLs%")))

[ActivityMonitoringRule]
# Detects specific process characteristics of Maze ransomware word document droppers
RuleName = Maze Ransomware
EventType = Process.Start
Tag = proc-start-maze-ransomware
RiskScore = 100
Query = (((Parent.Path like r"%\\WINWORD.exe") and (Process.Path like r"%.tmp")) or (Process.Path like r"%\\wmic.exe" and Parent.Path like r"%\\Temp\\%" and Process.CommandLine like r"%shadowcopy delete") or (Process.CommandLine like r"%shadowcopy delete" and Process.CommandLine like r"%\\..\\..\\system32%"))

[ActivityMonitoringRule]
# Detects specific process characteristics of Snatch ransomware word document droppers
RuleName = Snatch Ransomware
EventType = Process.Start
Tag = proc-start-snatch-ransomware
RiskScore = 100
Query = (Process.CommandLine like r"%shutdown /r /f /t 00%" or Process.CommandLine like r"%net stop SuperBackupMan%")

[ActivityMonitoringRule]
# Detects a base64 encoded FromBase64String keyword in a process command line
RuleName = Encoded FromBase64String
EventType = Process.Start
Tag = proc-start-encoded-frombase64string
RiskScore = 100
Query = (Process.CommandLine like r"%OjpGcm9tQmFzZTY0U3RyaW5n%" or Process.CommandLine like r"%o6RnJvbUJhc2U2NFN0cmluZ%" or Process.CommandLine like r"%6OkZyb21CYXNlNjRTdHJpbm%")

[ActivityMonitoringRule]
# Detects a base64 encoded IEX command string in a process command line
RuleName = Encoded IEX
EventType = Process.Start
Tag = proc-start-encoded-iex
RiskScore = 100
Query = (Process.CommandLine like r"%SUVYIChb%" or Process.CommandLine like r"%lFWCAoW%" or Process.CommandLine like r"%JRVggKF%" or Process.CommandLine like r"%aWV4IChb%" or Process.CommandLine like r"%lleCAoW%" or Process.CommandLine like r"%pZXggKF%" or Process.CommandLine like r"%aWV4IChOZX%" or Process.CommandLine like r"%lleCAoTmV3%" or Process.CommandLine like r"%pZXggKE5ld%" or Process.CommandLine like r"%SUVYIChOZX%" or Process.CommandLine like r"%lFWCAoTmV3%" or Process.CommandLine like r"%JRVggKE5ld%")

[ActivityMonitoringRule]
# Potential adversaries stopping ETW providers recording loaded .NET assemblies.
RuleName = COMPlus_ETWEnabled Command Line Arguments
EventType = Process.Start
Tag = proc-start-complus_etwenabled-command-line-arguments
RiskScore = 100
Query = Process.CommandLine like r"%COMPlus\_ETWEnabled=0%"

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
RuleName = Exploit for CVE-2015-1641
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2015-1641
RiskScore = 100
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\MicroScMgmt.exe")

[ActivityMonitoringRule]
# Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
RuleName = Droppers Exploiting CVE-2017-11882
EventType = Process.Start
Tag = proc-start-droppers-exploiting-cve-2017-11882
RiskScore = 100
Query = Parent.Path like r"%\\EQNEDT32.EXE"

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
RuleName = Exploit for CVE-2017-8759
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2017-8759
RiskScore = 100
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\csc.exe")

[ActivityMonitoringRule]
# Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
RuleName = Exploited CVE-2020-10189 Zoho ManageEngine
EventType = Process.Start
Tag = proc-start-exploited-cve-2020-10189-zoho-manageengine
RiskScore = 100
Query = (Parent.Path like r"%DesktopCentral\_Server\\jre\\bin\\java.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\bitsadmin.exe"))

[ActivityMonitoringRule]
# Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
RuleName = DNS RCE CVE-2020-1350
EventType = Process.Start
Tag = proc-start-dns-rce-cve-2020-1350
RiskScore = 100
Query = (Parent.Path like r"%\\System32\\dns.exe" and not ((Process.Path like r"%\\System32\\werfault.exe" or Process.Path like r"%\\System32\\conhost.exe" or Process.Path like r"%\\System32\\dnscmd.exe")))

[ActivityMonitoringRule]
# Detects command line parameters used by Rubeus hack tool
RuleName = Rubeus Hack Tool
EventType = Process.Start
Tag = proc-start-rubeus-hack-tool
RiskScore = 100
Query = (Process.CommandLine like r"% asreproast %" or Process.CommandLine like r"% dump /service:krbtgt %" or Process.CommandLine like r"% kerberoast %" or Process.CommandLine like r"% createnetonly /program:%" or Process.CommandLine like r"% ptt /ticket:%" or Process.CommandLine like r"% /impersonateuser:%" or Process.CommandLine like r"% renew /ticket:%" or Process.CommandLine like r"% asktgt /user:%" or Process.CommandLine like r"% harvest /interval:%")

[ActivityMonitoringRule]
# Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
RuleName = Impacket Lateralization Detection
EventType = Process.Start
Tag = proc-start-impacket-lateralization-detection
RiskScore = 100
Query = (((Parent.Path like r"%\\wmiprvse.exe" or Parent.Path like r"%\\mmc.exe" or Parent.Path like r"%\\explorer.exe" or Parent.Path like r"%\\services.exe") and (Process.CommandLine like r"%cmd.exe% /Q /c % \\\\127.0.0.1\\%&1%")) or ((Parent.CommandLine like r"%svchost.exe -k netsvcs" or Parent.CommandLine like r"taskeng.exe%") and (Process.CommandLine like r"cmd.exe /C %Windows\\Temp\\%&1")))

[ActivityMonitoringRule]
# Detects typical Dridex process patterns
RuleName = Dridex Process Pattern
EventType = Process.Start
Tag = proc-start-dridex-process-pattern
RiskScore = 100
Query = (Process.CommandLine like r"%\\svchost.exe C:\\Users\\%\\Desktop\\%" or (Parent.Path like r"%\\svchost.exe%" and (Process.CommandLine like r"%whoami.exe /all" or Process.CommandLine like r"%net.exe view")))

[ActivityMonitoringRule]
# Detects specific process parameters as seen in DTRACK infections
RuleName = DTRACK Process Creation
EventType = Process.Start
Tag = proc-start-dtrack-process-creation
RiskScore = 100
Query = Process.CommandLine like r"% echo EEEE > %"

[ActivityMonitoringRule]
# Detects all Emotet like process executions that are not covered by the more generic rules
RuleName = Emotet Process Creation
EventType = Process.Start
Tag = proc-start-emotet-process-creation
RiskScore = 100
Query = (Process.CommandLine like r"% -e% PAA%" or Process.CommandLine like r"%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%" or Process.CommandLine like r"%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%" or Process.CommandLine like r"%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%" or Process.CommandLine like r"%IgAoACcAKgAnACkAOwAkA%" or Process.CommandLine like r"%IAKAAnACoAJwApADsAJA%" or Process.CommandLine like r"%iACgAJwAqACcAKQA7ACQA%" or Process.CommandLine like r"%JABGAGwAeAByAGgAYwBmAGQ%")

[ActivityMonitoringRule]
# Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
RuleName = Formbook Process Creation
EventType = Process.Start
Tag = proc-start-formbook-process-creation
RiskScore = 100
Query = ((Parent.CommandLine like r"C:\\Windows\\System32\\%.exe" or Parent.CommandLine like r"C:\\Windows\\SysWOW64\\%.exe") and (Process.CommandLine like r"% /c del \"C:\\Users\\%\\AppData\\Local\\Temp\\%.exe" or Process.CommandLine like r"% /c del \"C:\\Users\\%\\Desktop\\%.exe" or Process.CommandLine like r"% /C type nul > \"C:\\Users\\%\\Desktop\\%.exe"))

[ActivityMonitoringRule]
# Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
RuleName = NotPetya Ransomware Activity
EventType = Process.Start
Tag = proc-start-notpetya-ransomware-activity
RiskScore = 100
Query = (Process.CommandLine like r"%\\AppData\\Local\\Temp\\% \\.\\pipe\\%" or (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%.dat,#1") or "%\\perfc.dat%")

[ActivityMonitoringRule]
# Detects QBot like process executions
RuleName = QBot Process Creation
EventType = Process.Start
Tag = proc-start-qbot-process-creation
RiskScore = 100
Query = ((Parent.Path like r"%\\WinRAR.exe" and Process.Path like r"%\\wscript.exe") or Process.CommandLine like r"% /c ping.exe -n 6 127.0.0.1 & type %")

[ActivityMonitoringRule]
# Detects Ryuk ransomware activity
RuleName = Ryuk Ransomware
EventType = Process.Start
Tag = proc-start-ryuk-ransomware
RiskScore = 100
Query = (Process.CommandLine like r"%Microsoft\\Windows\\CurrentVersion\\Run%" and Process.CommandLine like r"%C:\\users\\Public\\%")

[ActivityMonitoringRule]
# Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.
RuleName = Trickbot Malware Recon Activity
EventType = Process.Start
Tag = proc-start-trickbot-malware-recon-activity
RiskScore = 100
Query = ((Process.Path like r"%\\nltest.exe") and (Process.CommandLine like r"/domain\_trusts /all\_trusts" or Process.CommandLine like r"/domain\_trusts"))

[ActivityMonitoringRule]
# Detects WannaCry ransomware activity
RuleName = WannaCry Ransomware
EventType = Process.Start
Tag = proc-start-wannacry-ransomware
RiskScore = 100
Query = ((Process.Path like r"%\\tasksche.exe" or Process.Path like r"%\\mssecsvc.exe" or Process.Path like r"%\\taskdl.exe" or Process.Path like r"%\\@[email protected]%" or Process.Path like r"%\\WanaDecryptor%" or Process.Path like r"%\\taskhsvc.exe" or Process.Path like r"%\\taskse.exe" or Process.Path like r"%\\111.exe" or Process.Path like r"%\\lhdfrgui.exe" or Process.Path like r"%\\diskpart.exe" or Process.Path like r"%\\linuxnew.exe" or Process.Path like r"%\\wannacry.exe") or (Process.CommandLine like r"%icacls % /grant Everyone:F /T /C /Q%" or Process.CommandLine like r"%bcdedit /set {default} recoveryenabled no%" or Process.CommandLine like r"%wbadmin delete catalog -quiet%" or Process.CommandLine like r"%@Please\_Read\[email protected]%"))

[ActivityMonitoringRule]
# Detects process injection using the signed Windows tool Mavinject32.exe
RuleName = MavInject Process Injection
EventType = Process.Start
Tag = proc-start-mavinject-process-injection
RiskScore = 100
Query = Process.CommandLine like r"% /INJECTRUNNING %"

[ActivityMonitoringRule]
# Detects Base64 encoded Shellcode
RuleName = PowerShell Base64 Encoded Shellcode
EventType = Process.Start
Tag = proc-start-powershell-base64-encoded-shellcode
RiskScore = 100
Query = (Process.CommandLine like r"%AAAAYInlM%" and (Process.CommandLine like r"%OiCAAAAYInlM%" or Process.CommandLine like r"%OiJAAAAYInlM%"))

[ActivityMonitoringRule]
# Detects the execution of a renamed ProcDump executable often used by attackers or malware
RuleName = Renamed ProcDump
EventType = Process.Start
Tag = proc-start-renamed-procdump
RiskScore = 100
Query = (Process.Name == "procdump" and not ((Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe")))

[ActivityMonitoringRule]
# Shadow Copies deletion using operating systems utilities
RuleName = Shadow Copies Deletion Using Operating Systems Utilities
EventType = Process.Start
Tag = proc-start-shadow-copies-deletion-using-operating-systems-utilities
RiskScore = 100
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\vssadmin.exe") and Process.CommandLine like r"%shadow%" and Process.CommandLine like r"%delete%")

[ActivityMonitoringRule]
# The Devtoolslauncher.exe executes other binary
RuleName = Devtoolslauncher.exe Executes Specified Binary
EventType = Process.Start
Tag = proc-start-devtoolslauncher.exe-executes-specified-binary
RiskScore = 100
Query = (Process.Path like r"%\\devtoolslauncher.exe" and Process.CommandLine like r"%LaunchForDeploy%")

[ActivityMonitoringRule]
# Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
RuleName = Suspicious Double Extension
EventType = Process.Start
Tag = proc-start-suspicious-double-extension
RiskScore = 100
Query = (Process.Path like r"%.doc.exe" or Process.Path like r"%.docx.exe" or Process.Path like r"%.xls.exe" or Process.Path like r"%.xlsx.exe" or Process.Path like r"%.ppt.exe" or Process.Path like r"%.pptx.exe" or Process.Path like r"%.rtf.exe" or Process.Path like r"%.pdf.exe" or Process.Path like r"%.txt.exe" or Process.Path like r"%      .exe" or Process.Path like r"%\_\_\_\_\_\_.exe")

[ActivityMonitoringRule]
# Detects suspicious powershell command line parameters used in Empire
RuleName = Empire PowerShell Launch Parameters
EventType = Process.Start
Tag = proc-start-empire-powershell-launch-parameters
RiskScore = 100
Query = (Process.CommandLine like r"% -NoP -sta -NonI -W Hidden -Enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc %" or Process.CommandLine like r"% -NoP -NonI -W Hidden -enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc%" or Process.CommandLine like r"% -enc  SQB%" or Process.CommandLine like r"% -nop -exec bypass -EncodedCommand SQB%")

[ActivityMonitoringRule]
# Detects some Empire PowerShell UAC bypass methods
RuleName = Empire PowerShell UAC Bypass
EventType = Process.Start
Tag = proc-start-empire-powershell-uac-bypass
RiskScore = 100
Query = (Process.CommandLine like r"% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)%" or Process.CommandLine like r"% -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);%")

[ActivityMonitoringRule]
# It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
RuleName = Suspect Svchost Activity
EventType = Process.Start
Tag = proc-start-suspect-svchost-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%svchost.exe" and Process.Path like r"%\\svchost.exe") and not ((Parent.Path like r"%\\rpcnet.exe" or Parent.Path like r"%\\rpcnetp.exe")))

[ActivityMonitoringRule]
# Detects a WMi backdoor in Exchange Transport Agents via WMi event filters
RuleName = WMI Backdoor Exchange Transport Agent
EventType = Process.Start
Tag = proc-start-wmi-backdoor-exchange-transport-agent
RiskScore = 100
Query = Parent.Path like r"%\\EdgeTransport.exe"

[ActivityMonitoringRule]
# Detects Pandemic Windows Implant
RuleName = Pandemic Registry Key
EventType = Process.Start
Tag = proc-start-pandemic-registry-key
RiskScore = 100
Query = Process.CommandLine like r"%loaddll -a %"

[ActivityMonitoringRule]
# Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
RuleName = Sticky Key Like Backdoor Usage
EventType = Process.Start
Tag = proc-start-sticky-key-like-backdoor-usage
RiskScore = 100
Query = ((Parent.Path like r"%\\winlogon.exe") and (Process.CommandLine like r"%cmd.exe sethc.exe %" or Process.CommandLine like r"%cmd.exe utilman.exe %" or Process.CommandLine like r"%cmd.exe osk.exe %" or Process.CommandLine like r"%cmd.exe Magnify.exe %" or Process.CommandLine like r"%cmd.exe Narrator.exe %" or Process.CommandLine like r"%cmd.exe DisplaySwitch.exe %"))

[ActivityMonitoringRule]
# Detects UAC bypass method using Windows event viewer
RuleName = UAC Bypass via Event Viewer
EventType = Process.Start
Tag = proc-start-uac-bypass-via-event-viewer
RiskScore = 100
Query = (Parent.Path like r"%\\eventvwr.exe" and not (Process.Path like r"%\\mmc.exe"))


Leave a Reply

Your email address will not be published. Required fields are marked *