
uberAgent-ESA-am-sigma-proc-creation-critical.conf

The following is the uberAgent-ESA-am-sigma-proc-creation-critical.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a commandline, change working directory to the just cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: critical
#

[ActivityMonitoringRule]
# Detects suspicious DNS queries known from Cobalt Strike beacons
# NOTE(review): this is the only rule in this file whose EventType is Dns.Query; every
# other rule is Process.Start. Both patterns are prefix matches on the queried name
# (% is the multi-character wildcard of the like operator as used throughout this file),
# and the GenericProperty fields carry the DNS request/response instead of the process
# hashes reported by the Process.Start rules.
RuleName = Cobalt Strike DNS Beaconing
EventType = Dns.Query
Tag = cobalt-strike-dns-beaconing
RiskScore = 100
Query = (Dns.QueryRequest like r"aaa.stage.%" or Dns.QueryRequest like r"post.1%")
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

[ActivityMonitoringRule]
# Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
# The only condition is an exact import-hash (Process.Hash.IMP) comparison. The hash
# literal is written in upper case here but in lower case in the Windows Credential
# Editor rule further down; whether == compares Hash.IMP case-insensitively is not
# established in this file -- confirm against the uberAgent query documentation.
RuleName = Dumpert Process Dumper
EventType = Process.Start
Tag = proc-start-dumpert-process-dumper
RiskScore = 100
Query = Process.Hash.IMP == "09D278F9DE118EF09163C6140255C690"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects DarkSide Ransomware and helpers
RuleName = DarkSide Ransomware Pattern
EventType = Process.Start
Tag = proc-start-darkside-ransomware-pattern
RiskScore = 100
Query = ((Process.CommandLine like r"%=[char][byte]('0x'+%" or Process.CommandLine like r"% -work worker0 -path %") or ((Parent.CommandLine like r"%DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%") and (Process.Path like r"%\\AppData\\Local\\Temp\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects LockerGoga Ransomware command line.
RuleName = LockerGoga Ransomware
EventType = Process.Start
Tag = proc-start-lockergoga-ransomware
RiskScore = 100
Query = Process.CommandLine like r"%-i SM-tgytutrc -s%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Ryuk Ransomware command lines
# Requires net.exe or net1.exe, the word "stop", and one of the listed service names.
# The six underscores in unistoresvc\______ are presumably single-character wildcards
# (elsewhere in this file a literal underscore is escaped as \_), i.e. the pattern
# matches "unistoresvc" followed by any six characters -- confirm against the
# uberAgent like-operator semantics.
RuleName = Ryuk Ransomware
EventType = Process.Start
Tag = proc-start-ryuk-ransomware
RiskScore = 100
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%stop%" and (Process.CommandLine like r"%samss%" or Process.CommandLine like r"%audioendpointbuilder%" or Process.CommandLine like r"%unistoresvc\______%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detecting DNS tunnel activity for Muddywater actor
RuleName = DNS Tunnel Technique from MuddyWater
EventType = Process.Start
Tag = proc-start-dns-tunnel-technique-from-muddywater
RiskScore = 100
Query = ((Process.Path like r"%\\powershell.exe") and (Parent.Path like r"%\\excel.exe") and (Process.CommandLine like r"%DataExchange.dll%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects possible successful exploitation of the vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service
# Any child of UMWorkerProcess.exe matches except the two error-reporting binaries
# (wermgr.exe, WerFault.exe) excluded by the not-clause.
RuleName = CVE-2021-26857 Exchange Exploitation
EventType = Process.Start
Tag = proc-start-cve-2021-26857-exchange-exploitation
RiskScore = 100
Query = (Parent.Path like r"%UMWorkerProcess.exe" and not ((Process.Path like r"%wermgr.exe" or Process.Path like r"%WerFault.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Windows Credential Editor (WCE)
# Matches either one of two import hashes (written in lower case here, whereas the
# Dumpert rule above writes its Hash.IMP literal in upper case -- confirm that the
# comparison is case-insensitive) or the "-S" service-install argument with
# services.exe as parent.
RuleName = Windows Credential Editor
EventType = Process.Start
Tag = proc-start-windows-credential-editor
RiskScore = 100
Query = (Process.Hash.IMP in ["a53a02b997935fd8eedcb5f7abab9b9f", "e96a73c7bf33a464c510ede582318bf2"] or (Process.CommandLine like r"%.exe -S" and Parent.Path like r"%\\services.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
RuleName = Proxy Execution via Wuauclt
EventType = Process.Start
Tag = proc-start-proxy-execution-via-wuauclt
RiskScore = 100
Query = (((Process.Path like r"%wuauclt%" or Process.Name == "wuauclt.exe") and (Process.CommandLine like r"%UpdateDeploymentProvider%" and Process.CommandLine like r"%.dll%" and Process.CommandLine like r"%RunHandlerComServer%")) and not ((Process.CommandLine like r"% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %" or Process.CommandLine like r"% wuaueng.dll %")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
RuleName = APT29
EventType = Process.Start
Tag = proc-start-apt29
RiskScore = 100
Query = (Process.CommandLine like r"%-noni%" and Process.CommandLine like r"%-ep%" and Process.CommandLine like r"%bypass%" and Process.CommandLine like r"%$%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
RuleName = Judgement Panda Credential Access Activity
EventType = Process.Start
Tag = proc-start-judgement-panda-credential-access-activity
RiskScore = 100
Query = ((Process.Path like r"%\\xcopy.exe" and Process.CommandLine like r"%/S%" and Process.CommandLine like r"%/E%" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%/Q%" and Process.CommandLine like r"%/H%" and Process.CommandLine like r"%\\\*") or (Process.Path like r"%\\adexplorer.exe" and Process.CommandLine like r"%-snapshot%" and Process.CommandLine like r"%\"\"%" and Process.CommandLine like r"%c:\\users\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
RuleName = BlueMashroom DLL Load
EventType = Process.Start
Tag = proc-start-bluemashroom-dll-load
RiskScore = 100
Query = (Process.CommandLine like r"%\\AppData\\Local\\%" and (Process.CommandLine like r"%\\regsvr32%" or Process.CommandLine like r"%,DllEntry%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
RuleName = Chafer Activity
EventType = Process.Start
Tag = proc-start-chafer-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%\\Service.exe%" and (Process.CommandLine like r"%i" or Process.CommandLine like r"%u")) or (Process.CommandLine like r"%\\microsoft\\Taskbar\\autoit3.exe" or Process.CommandLine like r"C:\\wsc.exe%") or (Process.Path like r"%\\Windows\\Temp\\DB\\%" and Process.Path like r"%.exe") or (Process.CommandLine like r"%\\nslookup.exe%" and Process.CommandLine like r"%-q=TXT%" and Parent.Path like r"%\\Autoit%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious file execution by wscript and cscript
RuleName = WMIExec VBS Script
EventType = Process.Start
Tag = proc-start-wmiexec-vbs-script
RiskScore = 100
Query = (Process.Path like r"%\\cscript.exe" and Process.CommandLine like r"%.vbs%" and Process.CommandLine like r"%/shell%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects CrackMapExecWin Activity as Described by NCSC
# The only indicator is the file name crackmapexec.exe at the end of Process.Path;
# no hash or command-line condition is checked.
RuleName = CrackMapExecWin
EventType = Process.Start
Tag = proc-start-crackmapexecwin
RiskScore = 100
Query = (Process.Path like r"%\\crackmapexec.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Elise backdoor activity as used by APT32
RuleName = Elise Backdoor
EventType = Process.Start
Tag = proc-start-elise-backdoor
RiskScore = 100
Query = ((Process.Path like r"C:\\Windows\\SysWOW64\\cmd.exe" and Process.CommandLine like r"%\\Windows\\Caches\\NavShExt.dll %") or Process.CommandLine like r"%\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
RuleName = Emissary Panda Malware SLLauncher
EventType = Process.Start
Tag = proc-start-emissary-panda-malware-sllauncher
RiskScore = 100
Query = (Parent.Path like r"%\\sllauncher.exe" and Process.Path like r"%\\svchost.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a specific tool and export used by EquationGroup
RuleName = Equation Group DLL_U Load
EventType = Process.Start
Tag = proc-start-equation-group-dll_u-load
RiskScore = 100
Query = ((Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%,dll\_u") or Process.CommandLine like r"% -export dll\_u %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
RuleName = EvilNum Golden Chickens Deployment via OCX Files
EventType = Process.Start
Tag = proc-start-evilnum-golden-chickens-deployment-via-ocx-files
RiskScore = 100
Query = (Process.CommandLine like r"%regsvr32%" and Process.CommandLine like r"%/s%" and Process.CommandLine like r"%/i%" and Process.CommandLine like r"%\\AppData\\Roaming\\%" and Process.CommandLine like r"%.ocx%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects tools and process executions as observed in a Greenbug campaign in May 2020
RuleName = Greenbug Campaign Indicators
EventType = Process.Start
Tag = proc-start-greenbug-campaign-indicators
RiskScore = 100
Query = ((Process.CommandLine like r"%bitsadmin%" and Process.CommandLine like r"%/transfer%" and Process.CommandLine like r"%CSIDL\_APPDATA%") or (Process.CommandLine like r"%CSIDL\_SYSTEM\_DRIVE%") or (Process.CommandLine like r"%\\msf.ps1%" or Process.CommandLine like r"%8989 -e cmd.exe%" or Process.CommandLine like r"%system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill%" or Process.CommandLine like r"%-nop -w hidden -c $k=new-object%" or Process.CommandLine like r"%[Net.CredentialCache]::DefaultCredentials;IEX %" or Process.CommandLine like r"% -nop -w hidden -c $m=new-object net.webclient;$m%" or Process.CommandLine like r"%-noninteractive -executionpolicy bypass whoami%" or Process.CommandLine like r"%-noninteractive -executionpolicy bypass netstat -a%" or Process.CommandLine like r"%L3NlcnZlc%") or (Process.Path like r"%\\adobe\\Adobe.exe" or Process.Path like r"%\\oracle\\local.exe" or Process.Path like r"%\\revshell.exe" or Process.Path like r"%infopagesbackup\\ncat.exe" or Process.Path like r"%CSIDL\_SYSTEM\\cmd.exe" or Process.Path like r"%\\programdata\\oracle\\java.exe" or Process.Path like r"%CSIDL\_COMMON\_APPDATA\\comms\\comms.exe" or Process.Path like r"%\\Programdata\\VMware\\Vmware.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
RuleName = Judgement Panda Exfil Activity
EventType = Process.Start
Tag = proc-start-judgement-panda-exfil-activity
RiskScore = 100
Query = (Process.CommandLine like r"%eprod.ldf" or (Process.CommandLine like r"%\\ldifde.exe -f -n %" or Process.CommandLine like r"%\\7za.exe a 1.7z %" or Process.CommandLine like r"%\\aaaa\\procdump64.exe%" or Process.CommandLine like r"%\\aaaa\\netsess.exe%" or Process.CommandLine like r"%\\aaaa\\7za.exe%" or Process.CommandLine like r"%copy .\\1.7z \\%" or Process.CommandLine like r"%copy \\client\\c$\\aaaa\\%") or Process.Path like r"C:\\Users\\Public\\7za.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
RuleName = Ke3chang Registry Key Modifications
EventType = Process.Start
Tag = proc-start-ke3chang-registry-key-modifications
RiskScore = 100
Query = (Process.CommandLine like r"%-Property DWORD -name DisableFirstRunCustomize -value 2 -Force%" or Process.CommandLine like r"%-Property String -name Check\_Associations -value%" or Process.CommandLine like r"%-Property DWORD -name IEHarden -value 0 -Force%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
# NOTE(review): RuleName and Tag are identical to the following Lazarus rule in this
# file (proc-start-lazarus-activity), so alerts from the two rules cannot be told
# apart by Tag; consider assigning each a distinct Tag when regenerating.
RuleName = Lazarus Activity
EventType = Process.Start
Tag = proc-start-lazarus-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%mshta%" and Process.CommandLine like r"%.zip%") or ((Parent.Path like r"C:\\Windows\\System32\\wbem\\wmiprvse.exe") and (Process.Path like r"C:\\Windows\\System32\\mshta.exe")) or ((Parent.Path like r"C:\\Users\\Public\*") and (Process.Path like r"C:\\Windows\\System32\\rundll32.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects different process creation events as described in various threat reports on Lazarus group activity
# NOTE(review): RuleName and Tag duplicate the preceding Lazarus rule in this file
# (proc-start-lazarus-activity); alerts from the two rules cannot be distinguished by Tag.
# NOTE(review): the three occurrences of the literal "[email protected]" in the second
# command-line pattern look like an e-mail-obfuscation artifact of the web rendering,
# not the upstream indicator; regenerate this rule from the Sigma source (see the
# header of this file) before deploying it.
RuleName = Lazarus Activity
EventType = Process.Start
Tag = proc-start-lazarus-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%reg.exe save hklm\\sam \%temp\%\\~reg\_sam.save%" or Process.CommandLine like r"%[email protected]#[email protected]#[email protected]#$%" or Process.CommandLine like r"% -hp1q2w3e4 %" or Process.CommandLine like r"%.dat data03 10000 -p %") or (Process.CommandLine like r"%process call create%" and Process.CommandLine like r"% > \%temp\%\\~%") or (Process.CommandLine like r"%netstat -aon | find %" and Process.CommandLine like r"% > \%temp\%\\~%") or (Process.CommandLine like r"%.255 10 C:\\ProgramData\\\*"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects different loaders as described in various threat reports on Lazarus group activity
RuleName = Lazarus Loaders
EventType = Process.Start
Tag = proc-start-lazarus-loaders
RiskScore = 100
Query = ((Process.CommandLine like r"%cmd.exe /c %" and Process.CommandLine like r"% -p 0x%" and (Process.CommandLine like r"%C:\\ProgramData\\\*" or Process.CommandLine like r"%C:\\RECYCLER\\\*")) or (Process.CommandLine like r"%rundll32.exe %" and Process.CommandLine like r"%C:\\ProgramData\\\*" and (Process.CommandLine like r"%.bin,%" or Process.CommandLine like r"%.tmp,%" or Process.CommandLine like r"%.dat,%" or Process.CommandLine like r"%.io,%" or Process.CommandLine like r"%.ini,%" or Process.CommandLine like r"%.db,%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Trojan loader activity as used by APT28
# A literal percent sign in the APPDATA environment-variable reference is escaped as \%
# because % is the wildcard of the like operator.
RuleName = Sofacy Trojan Loader Activity
EventType = Process.Start
Tag = proc-start-sofacy-trojan-loader-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%\%APPDATA\%\\%") and (Process.CommandLine like r"%.dat\",%" or Process.CommandLine like r"%.dll\",#1"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
RuleName = TA505 Dropper Load Pattern
EventType = Process.Start
Tag = proc-start-ta505-dropper-load-pattern
RiskScore = 100
Query = (Process.Path like r"%\\mshta.exe" and Parent.Path like r"%\\wmiprvse.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process characteristics of Chinese TAIDOOR RAT malware load
RuleName = TAIDOOR RAT DLL Load
EventType = Process.Start
Tag = proc-start-taidoor-rat-dll-load
RiskScore = 100
Query = ((Process.CommandLine like r"%dll,MyStart%" or Process.CommandLine like r"%dll MyStart%") or ((Process.CommandLine like r"% MyStart") and (Process.CommandLine like r"%rundll32.exe%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects automated lateral movement by Turla group
# NOTE(review): the quoted literal "[email protected]" in the first command-line pattern
# looks like an e-mail-obfuscation artifact of the web rendering, not the upstream
# indicator; regenerate this rule from the Sigma source (see the header of this file)
# before deploying it.
RuleName = Turla Group Lateral Movement
EventType = Process.Start
Tag = proc-start-turla-group-lateral-movement
RiskScore = 100
Query = (Process.CommandLine like r"net use \\\%DomainController\%\\C$ \"[email protected]\" %" or Process.CommandLine like r"dir c:\\%.doc% /s" or Process.CommandLine like r"dir \%TEMP\%\\%.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects commands used by Turla group as reported by ESET in May 2020
RuleName = Turla Group Commands May 2020
EventType = Process.Start
Tag = proc-start-turla-group-commands-may-2020
RiskScore = 100
Query = ((Process.CommandLine like r"%tracert -h 10 yahoo.com%" or Process.CommandLine like r"%.WSqmCons))|iex;%" or Process.CommandLine like r"%Fr`omBa`se6`4Str`ing%") or (Process.CommandLine like r"%net use https://docs.live.net%" and Process.CommandLine like r"%@aol.co.uk%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
# The last branch (rundll32.exe spawning dllhost.exe) only matches when the child's
# command line is neither empty nor a single space.
RuleName = UNC2452 Process Creation Patterns
EventType = Process.Start
Tag = proc-start-unc2452-process-creation-patterns
RiskScore = 100
Query = (((((Process.CommandLine like r"%7z.exe a -v500m -mx9 -r0 -p%") or (Parent.CommandLine like r"%wscript.exe%" and Parent.CommandLine like r"%.vbs%" and Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%C:\\Windows%" and Process.CommandLine like r"%.dll,Tk\_%")) or (Parent.Path like r"%\\rundll32.exe" and Parent.CommandLine like r"%C:\\Windows%" and Process.CommandLine like r"%cmd.exe /C %")) or (Process.CommandLine like r"%rundll32 c:\\windows\\\*" and Process.CommandLine like r"%.dll %")) or ((Parent.Path like r"%\\rundll32.exe" and Process.Path like r"%\\dllhost.exe") and not (Process.CommandLine in [" ", ""])))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
RuleName = UNC2452 PowerShell Pattern
EventType = Process.Start
Tag = proc-start-unc2452-powershell-pattern
RiskScore = 100
Query = ((Process.CommandLine like r"%Invoke-WMIMethod win32\_process -name create -argumentlist%" and Process.CommandLine like r"%rundll32 c:\\windows%") or (Process.CommandLine like r"%wmic /node:%" and Process.CommandLine like r"%process call create \"rundll32 c:\\windows%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
RuleName = Winnti Malware HK University Campaign
EventType = Process.Start
Tag = proc-start-winnti-malware-hk-university-campaign
RiskScore = 100
Query = (((Parent.Path like r"%C:\\Windows\\Temp%" or Parent.Path like r"%\\hpqhvind.exe%") and Process.Path like r"C:\\ProgramData\\DRM%") or (Parent.Path like r"C:\\ProgramData\\DRM%" and Process.Path like r"%\\wmplayer.exe") or (Parent.Path like r"%\\Test.exe" and Process.Path like r"%\\wmplayer.exe") or Process.Path like r"C:\\ProgramData\\DRM\\CLR\\CLR.exe" or (Parent.Path like r"C:\\ProgramData\\DRM\\Windows%" and Process.Path like r"%\\SearchFilterHost.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process characteristics of Winnti Pipemon malware reported by ESET
RuleName = Winnti Pipemon Characteristics
EventType = Process.Start
Tag = proc-start-winnti-pipemon-characteristics
RiskScore = 100
Query = ((Process.CommandLine like r"%setup0.exe -p%") or (Process.CommandLine like r"%setup.exe%" and (Process.CommandLine like r"%-x:0" or Process.CommandLine like r"%-x:1" or Process.CommandLine like r"%-x:2")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a ZxShell start by the called and well-known function name
RuleName = ZxShell Malware
EventType = Process.Start
Tag = proc-start-zxshell-malware
RiskScore = 100
Query = ((Process.Path like r"%\\rundll32.exe") and (Process.CommandLine like r"%zxFunction%" or Process.CommandLine like r"%RemoteDiskXXXXX%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the malicious use of a control panel item
RuleName = Control Panel Items
EventType = Process.Start
Tag = proc-start-control-panel-items
RiskScore = 100
Query = ((Process.CommandLine like r"%.cpl" and not ((Process.CommandLine like r"%\\System32\\%" or Process.CommandLine like r"%\%System\%%"))) or (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%add%" and (Process.CommandLine like r"%CurrentVersion\\Control Panel\\CPLs%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process characteristics of Maze ransomware word document droppers
RuleName = Maze Ransomware
EventType = Process.Start
Tag = proc-start-maze-ransomware
RiskScore = 100
Query = (((Parent.Path like r"%\\WINWORD.exe") and (Process.Path like r"%.tmp")) or (Process.Path like r"%\\wmic.exe" and Parent.Path like r"%\\Temp\\%" and Process.CommandLine like r"%shadowcopy delete") or (Process.CommandLine like r"%shadowcopy delete" and Process.CommandLine like r"%\\..\\..\\system32%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process characteristics of Snatch ransomware word document droppers
RuleName = Snatch Ransomware
EventType = Process.Start
Tag = proc-start-snatch-ransomware
RiskScore = 100
Query = (Process.CommandLine like r"%shutdown /r /f /t 00%" or Process.CommandLine like r"%net stop SuperBackupMan%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a base64 encoded FromBase64String keyword in a process command line
RuleName = Encoded FromBase64String
EventType = Process.Start
Tag = proc-start-encoded-frombase64string
RiskScore = 100
Query = (Process.CommandLine like r"%OjpGcm9tQmFzZTY0U3RyaW5n%" or Process.CommandLine like r"%o6RnJvbUJhc2U2NFN0cmluZ%" or Process.CommandLine like r"%6OkZyb21CYXNlNjRTdHJpbm%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a base64 encoded IEX command string in a process command line
RuleName = Encoded IEX
EventType = Process.Start
Tag = proc-start-encoded-iex
RiskScore = 100
Query = (Process.CommandLine like r"%SUVYIChb%" or Process.CommandLine like r"%lFWCAoW%" or Process.CommandLine like r"%JRVggKF%" or Process.CommandLine like r"%aWV4IChb%" or Process.CommandLine like r"%lleCAoW%" or Process.CommandLine like r"%pZXggKF%" or Process.CommandLine like r"%aWV4IChOZX%" or Process.CommandLine like r"%lleCAoTmV3%" or Process.CommandLine like r"%pZXggKE5ld%" or Process.CommandLine like r"%SUVYIChOZX%" or Process.CommandLine like r"%lFWCAoTmV3%" or Process.CommandLine like r"%JRVggKE5ld%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Potential adversaries stopping ETW providers recording loaded .NET assemblies.
RuleName = COMPlus_ETWEnabled Command Line Arguments
EventType = Process.Start
Tag = proc-start-complus_etwenabled-command-line-arguments
RiskScore = 100
Query = Process.CommandLine like r"%COMPlus\_ETWEnabled=0%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
RuleName = Exploit for CVE-2015-1641
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2015-1641
RiskScore = 100
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\MicroScMgmt.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
RuleName = Droppers Exploiting CVE-2017-11882
EventType = Process.Start
Tag = proc-start-droppers-exploiting-cve-2017-11882
RiskScore = 100
Query = Parent.Path like r"%\\EQNEDT32.EXE"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
RuleName = Exploit for CVE-2017-8759
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2017-8759
RiskScore = 100
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\csc.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
RuleName = Exploited CVE-2020-10189 Zoho ManageEngine
EventType = Process.Start
Tag = proc-start-exploited-cve-2020-10189-zoho-manageengine
RiskScore = 100
Query = (Parent.Path like r"%DesktopCentral\_Server\\jre\\bin\\java.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\bitsadmin.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
RuleName = DNS RCE CVE-2020-1350
EventType = Process.Start
Tag = proc-start-dns-rce-cve-2020-1350
RiskScore = 100
Query = (Parent.Path like r"%\\System32\\dns.exe" and not ((Process.Path like r"%\\System32\\werfault.exe" or Process.Path like r"%\\System32\\conhost.exe" or Process.Path like r"%\\System32\\dnscmd.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command line parameters used by Rubeus hack tool
RuleName = Rubeus Hack Tool
EventType = Process.Start
Tag = proc-start-rubeus-hack-tool
RiskScore = 100
Query = (Process.CommandLine like r"% asreproast %" or Process.CommandLine like r"% dump /service:krbtgt %" or Process.CommandLine like r"% kerberoast %" or Process.CommandLine like r"% createnetonly /program:%" or Process.CommandLine like r"% ptt /ticket:%" or Process.CommandLine like r"% /impersonateuser:%" or Process.CommandLine like r"% renew /ticket:%" or Process.CommandLine like r"% asktgt /user:%" or Process.CommandLine like r"% harvest /interval:%" or Process.CommandLine like r"% s4u /user:%" or Process.CommandLine like r"% s4u /ticket:%" or Process.CommandLine like r"% hash /password:%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of SecurityXploded Tools
RuleName = SecurityXploded Tool
EventType = Process.Start
Tag = proc-start-securityxploded-tool
RiskScore = 100
Query = (Process.Company == "SecurityXploded" or Process.Path like r"%PasswordDump.exe" or Process.Name like r"%PasswordDump.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
# Both branches require a cmd.exe command line that redirects stderr into stdout ("&1").
# Branch 1: parent is wmiprvse.exe, mmc.exe, explorer.exe or services.exe and the command uses
#   /Q /c with a UNC path on the loopback address (\\127.0.0.1\...), presumably so the output lands
#   on a local share and can be read back over SMB.
# Branch 2: parent is the scheduler service host (svchost.exe -k netsvcs) or taskeng.exe and the
#   command writes under Windows\Temp\.
# NOTE(review): which Impacket tool produces which branch is inferred from the patterns; the Sigma
# source only names the four tools collectively.
RuleName = Impacket Lateralization Detection
EventType = Process.Start
Tag = proc-start-impacket-lateralization-detection
RiskScore = 100
Query = (Process.CommandLine like r"%cmd.exe%" and Process.CommandLine like r"%&1%" and (((Parent.Path like r"%\\wmiprvse.exe" or Parent.Path like r"%\\mmc.exe" or Parent.Path like r"%\\explorer.exe" or Parent.Path like r"%\\services.exe") and Process.CommandLine like r"%/Q%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%\\\\127.0.0.1\\%") or ((Parent.CommandLine like r"%svchost.exe -k netsvcs%" or Parent.CommandLine like r"%taskeng.exe%") and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%Windows\\Temp\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects typical Dridex process patterns
# Branch 1: svchost.exe whose own command line references a file under C:\Users\...\Desktop\.
# Branch 2: svchost.exe as parent of whoami.exe with "all" on the command line, or of net.exe /
#   net1.exe running a "view" command - recon presumably launched from an injected svchost.
# NOTE(review): whether "like" is case-insensitive is parser-defined; if it is case-sensitive the
# C:\Users\ prefix will miss differently cased paths - confirm against the uberAgent query syntax.
RuleName = Dridex Process Pattern
EventType = Process.Start
Tag = proc-start-dridex-process-pattern
RiskScore = 100
Query = ((Process.Path like r"%\\svchost.exe" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\Desktop\\%") or (Parent.Path like r"%\\svchost.exe" and ((Process.Path like r"%\\whoami.exe" and Process.CommandLine like r"%all%") or ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%view%"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process parameters as seen in DTRACK infections
# Single indicator: the literal " echo EEEE > " (leading and trailing space required) anywhere on a
# process command line. Narrow and brittle by design - a changed marker string evades it, but the
# false-positive rate should be close to zero.
RuleName = DTRACK Process Creation
EventType = Process.Start
Tag = proc-start-dtrack-process-creation
RiskScore = 100
Query = Process.CommandLine like r"% echo EEEE > %"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects all Emotet like process executions that are not covered by the more generic rules
# Indicators are fragments of encoded PowerShell launchers: " -e<...> PAA" (an -e/-enc style switch
# followed by base64 beginning "PAA"), three base64 alignments of what appears to be the UTF-16LE
# encoding of "$env:userprofile", and further recurring stager substrings.
# NOTE(review): the decodings above are a reviewer's reading of the fragments and are not documented
# by the generator - verify before quoting them in triage notes.
RuleName = Emotet Process Creation
EventType = Process.Start
Tag = proc-start-emotet-process-creation
RiskScore = 100
Query = (Process.CommandLine like r"% -e% PAA%" or Process.CommandLine like r"%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%" or Process.CommandLine like r"%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%" or Process.CommandLine like r"%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%" or Process.CommandLine like r"%IgAoACcAKgAnACkAOwAkA%" or Process.CommandLine like r"%IAKAAnACoAJwApADsAJA%" or Process.CommandLine like r"%iACgAJwAqACcAKQA7ACQA%" or Process.CommandLine like r"%JABGAGwAeAByAGgAYwBmAGQ%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Formbook like process executions that inject code into a set of files in the System32
# folder, which then execute a special command line to delete the dropper from the AppData Temp
# folder. False positives are avoided by excluding all parent processes with command-line parameters.
# Structure: the parent command line must START with C:\Windows\System32\ or C:\Windows\SysWOW64\ and
# END with .exe (i.e. a bare image path with no arguments); the child command line must reference
# C:\Users\ and a .exe and use either "/c ... del ..." against \AppData\Local\Temp\ or \Desktop\, or
# "/C ... type nul > ..." against \Desktop\.
# NOTE(review): because the parent pattern has no leading wildcard, a parent whose command line quotes
# the image path ("C:\Windows\...") will not match.
RuleName = Formbook Process Creation
EventType = Process.Start
Tag = proc-start-formbook-process-creation
RiskScore = 100
Query = ((Parent.CommandLine like r"C:\\Windows\\System32\\%" or Parent.CommandLine like r"C:\\Windows\\SysWOW64\\%") and (Parent.CommandLine like r"%.exe") and Process.CommandLine like r"%C:\\Users\\%" and ((Process.CommandLine like r"%/c%" and Process.CommandLine like r"%del%" and Process.CommandLine like r"%\\AppData\\Local\\Temp\\%") or (Process.CommandLine like r"%/c%" and Process.CommandLine like r"%del%" and Process.CommandLine like r"%\\Desktop\\%") or (Process.CommandLine like r"%/C%" and Process.CommandLine like r"%type nul >%" and Process.CommandLine like r"%\\Desktop\\%")) and Process.CommandLine like r"%.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

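[ActivityMonitoringRule]
# Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main
# module via named pipe, the file system journal of drive C is deleted and windows eventlogs are
# cleared using wevtutil
# Alternatives: (1) a command line referencing both \AppData\Local\Temp\ and a \\.\pipe\ named-pipe
# path; (2) rundll32.exe with a command line ending in ".dat,#1" (ordinal-1 export of a .dat DLL);
# (3) a command line referencing \perfc.dat.
# FIX(review): alternative (3) had been generated as the bare string literal "\\perfc.dat" with no
# field comparison, so it could never contribute to a match (or failed to parse, depending on the
# engine). It is now bound to Process.CommandLine. The Sigma source expresses it as a free-text
# keyword that matches any field, so confirm the command line is the intended field here.
# NOTE(review): the trailing "\*" in the named-pipe pattern is kept as generated; confirm whether it
# is meant as a literal asterisk or is a leftover wildcard from the conversion.
RuleName = NotPetya Ransomware Activity
EventType = Process.Start
Tag = proc-start-notpetya-ransomware-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" and Process.CommandLine like r"%\\.\\pipe\\\*") or (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%.dat,#1") or Process.CommandLine like r"%\\perfc.dat%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP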

[ActivityMonitoringRule]
# Detects QBot like process executions
# Three alternatives: wscript.exe spawned directly by WinRAR.exe (a script launched straight out of
# an archive); the literal " /c ping.exe -n 6 127.0.0.1 & type " (a ping used as a delay, presumably
# before a self-copy / self-delete via "type"); or regsvr32.exe loading a .tmp file from
# C:\ProgramData.
RuleName = QBot Process Creation
EventType = Process.Start
Tag = proc-start-qbot-process-creation
RiskScore = 100
Query = (((Parent.Path like r"%\\WinRAR.exe" and Process.Path like r"%\\wscript.exe") or Process.CommandLine like r"% /c ping.exe -n 6 127.0.0.1 & type %") or (Process.CommandLine like r"%regsvr32.exe%" and Process.CommandLine like r"%C:\\ProgramData%" and Process.CommandLine like r"%.tmp%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Ryuk ransomware activity
# Requires both a Run-key path (Microsoft\Windows\CurrentVersion\Run) and a C:\users\Public\ path on
# the same command line, i.e. autostart persistence pointing at a world-writable location.
# NOTE(review): "users" is lower-case here while other rules in this file write "Users"; whether
# "like" is case-insensitive is parser-defined - confirm, or this rule may miss the usual casing.
RuleName = Ryuk Ransomware
EventType = Process.Start
Tag = proc-start-ryuk-ransomware
RiskScore = 100
Query = (Process.CommandLine like r"%Microsoft\\Windows\\CurrentVersion\\Run%" and Process.CommandLine like r"%C:\\users\\Public\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Trickbot enumerates domain/network topology and executes certain commands automatically every few
# minutes. This detector attempts to identify that activity based on a command rarely observed in an
# enterprise network.
# Matches nltest.exe /domain_trusts /all_trusts spawned directly from cmd.exe.
# NOTE(review): the "\_" sequences appear to escape the underscore (a single-character wildcard in
# SQL-style like patterns) - confirm against the uberAgent query syntax.
RuleName = Trickbot Malware Recon Activity
EventType = Process.Start
Tag = proc-start-trickbot-malware-recon-activity
RiskScore = 100
Query = ((Parent.Path like r"%\\cmd.exe") and (Process.Path like r"%\\nltest.exe") and (Process.CommandLine like r"%/domain\_trusts /all\_trusts%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe
# Requires the parent rundll32.exe command line to contain DllRegisterServer (the export the loader
# DLL is invoked through); wermgr.exe (Windows Error Reporting manager) is presumably the injection
# target. All three conditions must hold, so a plain rundll32 -> wermgr.exe tree does not fire.
RuleName = Trickbot Malware Activity
EventType = Process.Start
Tag = proc-start-trickbot-malware-activity
RiskScore = 100
Query = ((Process.Path like r"%\\wermgr.exe") and (Parent.Path like r"%\\rundll32.exe") and (Parent.CommandLine like r"%DllRegisterServer%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

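[ActivityMonitoringRule]
# Detects WannaCry ransomware activity
# Alternatives: known dropper / component image names (tasksche.exe, mssecsvc.exe, taskdl.exe,
# taskhsvc.exe, taskse.exe, 111.exe, lhdfrgui.exe, linuxnew.exe, wannacry.exe) and any path containing
# WanaDecryptor; the icacls "/grant Everyone:F /T /C /Q" permission reset; bcdedit disabling the
# recovery environment ({default} recoveryenabled no); wbadmin deleting the backup catalog (-quiet);
# and the ransom-note file name @Please_Read_Me@.txt on a command line.
# FIX(review): the ransom-note pattern had been mangled by web-page e-mail obfuscation into
# "@Please\_Read\[email protected]", which matches nothing; restored to "@Please\_Read\_Me@.txt"
# with the underscores escaped the same way as the rest of this file's patterns.
# NOTE(review): \diskpart.exe is a built-in Windows utility matched on image name alone at
# RiskScore 100 - expect false positives from legitimate administration and consider scoping or
# dropping that term.
RuleName = WannaCry Ransomware
EventType = Process.Start
Tag = proc-start-wannacry-ransomware
RiskScore = 100
Query = ((Process.Path like r"%\\tasksche.exe" or Process.Path like r"%\\mssecsvc.exe" or Process.Path like r"%\\taskdl.exe" or Process.Path like r"%\\taskhsvc.exe" or Process.Path like r"%\\taskse.exe" or Process.Path like r"%\\111.exe" or Process.Path like r"%\\lhdfrgui.exe" or Process.Path like r"%\\diskpart.exe" or Process.Path like r"%\\linuxnew.exe" or Process.Path like r"%\\wannacry.exe") or Process.Path like r"%WanaDecryptor%" or (Process.CommandLine like r"%icacls%" and Process.CommandLine like r"%/grant%" and Process.CommandLine like r"%Everyone:F%" and Process.CommandLine like r"%/T%" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%/Q%") or (Process.CommandLine like r"%bcdedit%" and Process.CommandLine like r"%/set%" and Process.CommandLine like r"%{default}%" and Process.CommandLine like r"%recoveryenabled%" and Process.CommandLine like r"%no%") or (Process.CommandLine like r"%wbadmin%" and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%catalog%" and Process.CommandLine like r"%-quiet%") or Process.CommandLine like r"%@Please\_Read\_Me@.txt%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP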

[ActivityMonitoringRule]
# Detects process injection using the signed Windows tool Mavinject32.exe
# Keys only on the " /INJECTRUNNING " switch (surrounding spaces required, as in
# "<PID> /INJECTRUNNING <DLL>"), not on the image name, so a renamed copy of mavinject is still
# caught. Conversely, any other process carrying that token on its command line also matches.
RuleName = MavInject Process Injection
EventType = Process.Start
Tag = proc-start-mavinject-process-injection
RiskScore = 100
Query = Process.CommandLine like r"% /INJECTRUNNING %"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Base64 encoded Shellcode
# Requires the fragment "AAAAYInlM" together with one of its two longer forms "OiCAAAAYInlM" or
# "OiJAAAAYInlM". These appear to be the base64 encoding of the common x86 stager prologue
# (fc e8 82|89 00 00 00 60 89 e5 31: cld; call; pushad; mov ebp,esp; xor) - a reviewer's decoding,
# not documented by the generator.
RuleName = PowerShell Base64 Encoded Shellcode
EventType = Process.Start
Tag = proc-start-powershell-base64-encoded-shellcode
RiskScore = 100
Query = (Process.CommandLine like r"%AAAAYInlM%" and (Process.CommandLine like r"%OiCAAAAYInlM%" or Process.CommandLine like r"%OiJAAAAYInlM%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of a renamed ProcDump executable often used by attackers or malware
# Branch 1: Process.Name equals "procdump" while the image path does not end in procdump.exe or
#   procdump64.exe (name/path mismatch).
# Branch 2: the ProcDump-specific switches " -ma " and " -accepteula " on a command line that does
#   not itself mention procdump.exe / procdump64.exe.
# NOTE(review): the Sigma source keys on the PE OriginalFileName; whether Process.Name carries that
# value or the on-disk file name (which would make branch 1 unreachable after a rename) depends on
# the uberAgent field mapping - confirm.
RuleName = Renamed ProcDump
EventType = Process.Start
Tag = proc-start-renamed-procdump
RiskScore = 100
Query = ((Process.Name == "procdump" and not ((Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe"))) or ((Process.CommandLine like r"% -ma %" and Process.CommandLine like r"% -accepteula %") and not ((Process.CommandLine like r"%\\procdump.exe%" or Process.CommandLine like r"%\\procdump64.exe%"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Shadow Copies deletion using operating systems utilities
# Matches powershell.exe, wmic.exe or vssadmin.exe with both "shadow" and "delete" anywhere on the
# command line (e.g. "vssadmin delete shadows", "wmic shadowcopy delete"); the two tokens are
# order-independent. Backup and disk-cleanup tooling may legitimately issue the same commands -
# baseline before alerting at RiskScore 100.
RuleName = Shadow Copies Deletion Using Operating Systems Utilities
EventType = Process.Start
Tag = proc-start-shadow-copies-deletion-using-operating-systems-utilities
RiskScore = 100
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\vssadmin.exe") and Process.CommandLine like r"%shadow%" and Process.CommandLine like r"%delete%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# The Devtoolslauncher.exe executes other binary
# Matches devtoolslauncher.exe with LaunchForDeploy on its command line - a Microsoft-signed binary
# that can reportedly be abused to proxy-execute an arbitrary executable (LOLBin-style). The image
# name is required, so a renamed copy is not caught by this rule.
RuleName = Devtoolslauncher.exe Executes Specified Binary
EventType = Process.Start
Tag = proc-start-devtoolslauncher.exe-executes-specified-binary
RiskScore = 100
Query = (Process.Path like r"%\\devtoolslauncher.exe" and Process.CommandLine like r"%LaunchForDeploy%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a
# set of spaces or underlines to cloak the executable file in spear phishing campaigns
# Image path ends in <document-type>.exe (doc, docx, xls, xlsx, ppt, pptx, rtf, pdf, txt), in six
# spaces followed by .exe, or in six underscores followed by .exe.
# NOTE(review): "\_" appears to escape the underscore (a single-character wildcard in SQL-style like
# patterns) - confirm against the uberAgent query syntax, otherwise the last term is far looser than
# intended. Only exactly six spaces / underscores are matched; other counts are not.
RuleName = Suspicious Double Extension
EventType = Process.Start
Tag = proc-start-suspicious-double-extension
RiskScore = 100
Query = (Process.Path like r"%.doc.exe" or Process.Path like r"%.docx.exe" or Process.Path like r"%.xls.exe" or Process.Path like r"%.xlsx.exe" or Process.Path like r"%.ppt.exe" or Process.Path like r"%.pptx.exe" or Process.Path like r"%.rtf.exe" or Process.Path like r"%.pdf.exe" or Process.Path like r"%.txt.exe" or Process.Path like r"%      .exe" or Process.Path like r"%\_\_\_\_\_\_.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in
# ,RunDLL
# NOTE(review): the generated description also mentioned ",#1", but the query only tests for a
# ",RunDLL" suffix - a ",#1" suffix is NOT matched by this rule. Children of tracker.exe (presumably
# the MSBuild file tracker) are excluded as a false-positive filter.
RuleName = Emotet RunDLL32 Process Creation
EventType = Process.Start
Tag = proc-start-emotet-rundll32-process-creation
RiskScore = 100
Query = (((Process.Path like r"%\\rundll32.exe") and (Process.CommandLine like r"%,RunDLL")) and not ((Parent.Path like r"%\\tracker.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious powershell command line parameters used in Empire
# Literal launcher switch sequences (-NoP -sta -NonI -W Hidden -Enc, -noP -sta -w 1 -enc, ...) and
# two "-enc ... SQB" forms; "SQB" appears to be the base64 prefix of a UTF-16LE string starting with
# "I" (e.g. "IEX"/"If"). The double space in " -enc  SQB" is as generated - keep it verbatim.
# Exact-string matching: reordering or re-casing the switches beyond the listed variants evades it.
RuleName = Empire PowerShell Launch Parameters
EventType = Process.Start
Tag = proc-start-empire-powershell-launch-parameters
RiskScore = 100
Query = (Process.CommandLine like r"% -NoP -sta -NonI -W Hidden -Enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc %" or Process.CommandLine like r"% -NoP -NonI -W Hidden -enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc%" or Process.CommandLine like r"% -enc  SQB%" or Process.CommandLine like r"% -nop -exec bypass -EncodedCommand SQB%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects some Empire PowerShell UAC bypass methods
# Literal launcher prefixes in which the payload is read back from the
# HKCU:Software\Microsoft\Windows Update "Update" value via Get-ItemProperty ("gp") - presumably the
# staging location used by Empire's UAC-bypass modules. Exact-string matching; trivial reformatting
# of the launcher evades it.
RuleName = Empire PowerShell UAC Bypass
EventType = Process.Start
Tag = proc-start-empire-powershell-uac-bypass
RiskScore = 100
Query = (Process.CommandLine like r"% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)%" or Process.CommandLine like r"% -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious uses of the SysInternals Procdump utility by using a special command line
# parameter in combination with the lsass.exe process. This way we're also able to catch cases in
# which the attacker has renamed the procdump executable.
# Requires " -ma " (full memory dump) plus a target token starting with " lsass" or merely " ls".
# The short " ls" form is deliberately loose so abbreviated or partly obfuscated targets are caught;
# it also means any " -ma " command line with a " ls"-prefixed argument will fire.
RuleName = Suspicious Use of Procdump on LSASS
EventType = Process.Start
Tag = proc-start-suspicious-use-of-procdump-on-lsass
RiskScore = 100
Query = (Process.CommandLine like r"% -ma %" and (Process.CommandLine like r"% lsass%" or Process.CommandLine like r"% ls%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection
# Matches cmd.exe, sh.exe, bash.exe, powershell.exe or bitsadmin.exe spawned directly by
# sqlservr.exe (the shape produced by xp_cmdshell and similar). Scheduled jobs that legitimately use
# xp_cmdshell will also fire - baseline before alerting at RiskScore 100.
RuleName = Suspicious Shells Spawn by SQL Server
EventType = Process.Start
Tag = proc-start-suspicious-shells-spawn-by-sql-server
RiskScore = 100
Query = (Parent.Path like r"%\\sqlservr.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\bitsadmin.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects actions that clear the local ShimCache and remove forensic evidence
# Matches rundll32 invoking apphelp.dll!ShimFlushCache (or its ordinal #250) or
# kernel32.dll!BaseFlushAppcompatCache (or its ordinal #46). "rundll32" is matched as a substring of
# the command line, so the call is caught regardless of path, but a renamed rundll32 copy is not.
RuleName = ShimCache Flush
EventType = Process.Start
Tag = proc-start-shimcache-flush
RiskScore = 100
Query = (Process.CommandLine like r"%rundll32%" and ((Process.CommandLine like r"%apphelp.dll%" and (Process.CommandLine like r"%ShimFlushCache%" or Process.CommandLine like r"%#250%")) or (Process.CommandLine like r"%kernel32.dll%" and (Process.CommandLine like r"%BaseFlushAppcompatCache%" or Process.CommandLine like r"%#46%"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed
# when a malicious process spawns the process and injects code into the process memory space.
# Matches svchost.exe whose command line ENDS in "svchost.exe" (no -k group or other arguments).
# Excluded: children of rpcnet.exe / rpcnetp.exe (presumably a known benign launcher) and an empty
# command line.
# NOTE(review): the empty-string comparison uses single quotes ('') while every other literal in this
# file is double-quoted; it is the generator's rendering of the Sigma "CommandLine: null" filter.
# Confirm the engine accepts both quote styles, otherwise that exclusion may silently fail to parse.
RuleName = Suspect Svchost Activity
EventType = Process.Start
Tag = proc-start-suspect-svchost-activity
RiskScore = 100
Query = ((Process.CommandLine like r"%svchost.exe" and Process.Path like r"%\\svchost.exe") and not ((Parent.Path like r"%\\rpcnet.exe" or Parent.Path like r"%\\rpcnetp.exe") or Process.CommandLine == ''))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
# Fires on ANY process whose parent is EdgeTransport.exe; there is no child-image or command-line
# filter.
# NOTE(review): legitimate third-party transport agents can also spawn children of EdgeTransport.exe.
# On Exchange servers running such agents, expect to baseline or add exclusions before alerting at
# RiskScore 100.
RuleName = WMI Backdoor Exchange Transport Agent
EventType = Process.Start
Tag = proc-start-wmi-backdoor-exchange-transport-agent
RiskScore = 100
Query = Parent.Path like r"%\\EdgeTransport.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Pandemic Windows Implant
# Only the process-creation indicator of the Sigma rule is represented here: the command-line
# fragment "loaddll -a " (trailing space required). The registry-key indicator the RuleName refers
# to is presumably part of a different event type and is not matched by this rule, so the name is
# broader than what actually fires.
RuleName = Pandemic Registry Key
EventType = Process.Start
Tag = proc-start-pandemic-registry-key
RiskScore = 100
Query = Process.CommandLine like r"%loaddll -a %"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the usage and installation of a backdoor that uses an option to register a malicious
# debugger for built-in tools that are accessible in the login screen
# Matches cmd.exe spawned directly by winlogon.exe with one of the accessibility binaries
# (sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe) on its command
# line - the shape produced when an Image File Execution Options "Debugger" entry (or a replaced
# binary) launches a shell from the logon screen.
RuleName = Sticky Key Like Backdoor Usage
EventType = Process.Start
Tag = proc-start-sticky-key-like-backdoor-usage
RiskScore = 100
Query = (Parent.Path like r"%\\winlogon.exe" and Process.Path like r"%\\cmd.exe" and (Process.CommandLine like r"%sethc.exe%" or Process.CommandLine like r"%utilman.exe%" or Process.CommandLine like r"%osk.exe%" or Process.CommandLine like r"%Magnify.exe%" or Process.CommandLine like r"%Narrator.exe%" or Process.CommandLine like r"%DisplaySwitch.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects UAC bypass method using Windows event viewer
# Matches any child of eventvwr.exe other than mmc.exe (its legitimate child). Only the
# process-creation side of the technique is covered here; the registry modification that typically
# precedes it (a hijacked per-user mscfile open handler) is not part of this rule.
RuleName = UAC Bypass via Event Viewer
EventType = Process.Start
Tag = proc-start-uac-bypass-via-event-viewer
RiskScore = 100
Query = (Parent.Path like r"%\\eventvwr.exe" and not (Process.Path like r"%\\mmc.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

