Documentation

Contents
Contents
Contents
Contents

uberAgent-ESA-am-sigma-proc-creation-low.conf

The following is the uberAgent-ESA-am-sigma-proc-creation-low.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a commandline, change working directory to the just cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: low
#

[ActivityMonitoringRule]
# Detects PsExec service installation and execution events (service and Sysmon)
RuleName = PsExec Tool Execution
EventType = Process.Start
Tag = proc-start-psexec-tool-execution
RiskScore = 25
Query = (Process.Path like r"%\\PSEXESVC.exe" and Process.User like r"NT AUTHORITY\\SYSTEM")

[ActivityMonitoringRule]
# Detects usage of attrib.exe to hide files from users.
RuleName = Hiding Files with Attrib.exe
EventType = Process.Start
Tag = proc-start-hiding-files-with-attrib.exe
RiskScore = 25
Query = ((Process.Path like r"%\\attrib.exe" and Process.CommandLine like r"% +h %") and not ((Process.CommandLine like r"%\\desktop.ini %" or (Parent.Path like r"%\\cmd.exe" and Process.CommandLine like r"+R +H +S +A \\%.cui" and Parent.CommandLine like r"C:\\WINDOWS\\system32\\%.bat"))))

[ActivityMonitoringRule]
# When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
RuleName = Change Default File Association
EventType = Process.Start
Tag = proc-start-change-default-file-association
RiskScore = 25
Query = (Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%assoc%")

[ActivityMonitoringRule]
# Detects usage of cmdkey to look for cached credentials
RuleName = Cmdkey Cached Credentials Recon
EventType = Process.Start
Tag = proc-start-cmdkey-cached-credentials-recon
RiskScore = 25
Query = (Process.Path like r"%\\cmdkey.exe" and Process.CommandLine like r"% /list %")

[ActivityMonitoringRule]
# An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
RuleName = Data Compressed - rar.exe
EventType = Process.Start
Tag = proc-start-data-compressed-rar.exe
RiskScore = 25
Query = (Process.Path like r"%\\rar.exe" and Process.CommandLine like r"% a %")

[ActivityMonitoringRule]
# Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
RuleName = Indirect Command Execution
EventType = Process.Start
Tag = proc-start-indirect-command-execution
RiskScore = 25
Query = (Parent.Path like r"%\\pcalua.exe" or Parent.Path like r"%\\forfiles.exe")

[ActivityMonitoringRule]
# Local accounts, System Owner/User discovery using operating systems utilities
RuleName = Local Accounts Discovery
EventType = Process.Start
Tag = proc-start-local-accounts-discovery
RiskScore = 25
Query = (((Process.Path like r"%\\whoami.exe" or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%useraccount%" and Process.CommandLine like r"%get%") or (Process.Path like r"%\\quser.exe" or Process.Path like r"%\\qwinsta.exe") or (Process.Path like r"%\\cmdkey.exe" and Process.CommandLine like r"%/list%") or (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%dir %" and Process.CommandLine like r"%\\Users\\%")) and not ((Process.CommandLine like r"% rmdir %"))) or (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%user%") and not ((Process.CommandLine like r"%/domain%" or Process.CommandLine like r"%/add%" or Process.CommandLine like r"%/delete%" or Process.CommandLine like r"%/active%" or Process.CommandLine like r"%/expires%" or Process.CommandLine like r"%/passwordreq%" or Process.CommandLine like r"%/scriptpath%" or Process.CommandLine like r"%/times%" or Process.CommandLine like r"%/workstations%"))))

[ActivityMonitoringRule]
# Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
RuleName = Network Sniffing
EventType = Process.Start
Tag = proc-start-network-sniffing
RiskScore = 25
Query = ((Process.Path like r"%\\tshark.exe" and Process.CommandLine like r"%-i%") or Process.Path like r"%\\windump.exe")

[ActivityMonitoringRule]
# Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
RuleName = Windows Network Enumeration
EventType = Process.Start
Tag = proc-start-windows-network-enumeration
RiskScore = 25
Query = (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%view%") and not (Process.CommandLine like r"%\\%"))

[ActivityMonitoringRule]
# Detects creation of a new service
RuleName = New Service Creation
EventType = Process.Start
Tag = proc-start-new-service-creation
RiskScore = 25
Query = ((Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%binpath%") or (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%new-service%"))

[ActivityMonitoringRule]
# Detects execution of executables that can be used to bypass Applocker whitelisting
RuleName = Possible Applocker Bypass
EventType = Process.Start
Tag = proc-start-possible-applocker-bypass
RiskScore = 25
Query = (Process.CommandLine like r"%\\msdt.exe%" or Process.CommandLine like r"%\\installutil.exe%" or Process.CommandLine like r"%\\regsvcs.exe%" or Process.CommandLine like r"%\\regasm.exe%" or Process.CommandLine like r"%\\msbuild.exe%" or Process.CommandLine like r"%\\ieexec.exe%")

[ActivityMonitoringRule]
# Detects a PsExec service start
RuleName = PsExec Service Start
EventType = Process.Start
Tag = proc-start-psexec-service-start
RiskScore = 25
Query = Process.CommandLine like r"C:\\Windows\\PSEXESVC.exe"

[ActivityMonitoringRule]
# Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
RuleName = Query Registry
EventType = Process.Start
Tag = proc-start-query-registry
RiskScore = 25
Query = (Process.Path like r"%\\reg.exe" and (Process.CommandLine like r"%query%" or Process.CommandLine like r"%save%" or Process.CommandLine like r"%export%") and (Process.CommandLine like r"%currentVersion\\windows%" or Process.CommandLine like r"%currentVersion\\runServicesOnce%" or Process.CommandLine like r"%currentVersion\\runServices%" or Process.CommandLine like r"%winlogon\\%" or Process.CommandLine like r"%currentVersion\\shellServiceObjectDelayLoad%" or Process.CommandLine like r"%currentVersion\\runOnce%" or Process.CommandLine like r"%currentVersion\\runOnceEx%" or Process.CommandLine like r"%currentVersion\\run%" or Process.CommandLine like r"%currentVersion\\policies\\explorer\\run%" or Process.CommandLine like r"%currentcontrolset\\services%"))

[ActivityMonitoringRule]
# Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
RuleName = Discovery of a System Time
EventType = Process.Start
Tag = proc-start-discovery-of-a-system-time
RiskScore = 25
Query = (((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%time%") or (Process.Path like r"%\\w32tm.exe" and Process.CommandLine like r"%tz%") or (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%Get-Date%"))

[ActivityMonitoringRule]
# Detects manual service execution (start) via system utilities
RuleName = Service Execution
EventType = Process.Start
Tag = proc-start-service-execution
RiskScore = 25
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"% start %")

[ActivityMonitoringRule]
# Detects a windows service to be stopped
RuleName = Stop Windows Service
EventType = Process.Start
Tag = proc-start-stop-windows-service
RiskScore = 25
Query = ((Process.Path like r"%\\sc.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%stop%")

[ActivityMonitoringRule]
# Detects suspicious process that use escape characters
RuleName = Suspicious Commandline Escape
EventType = Process.Start
Tag = proc-start-suspicious-commandline-escape
RiskScore = 25
Query = (Process.CommandLine like r"%h^t^t^p%" or Process.CommandLine like r"%h\"t\"t\"p%")

[ActivityMonitoringRule]
# Detects execution of Net.exe, whether suspicious or benign.
RuleName = Net.exe Execution
EventType = Process.Start
Tag = proc-start-net.exe-execution
RiskScore = 25
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and (Process.CommandLine like r"% group%" or Process.CommandLine like r"% localgroup%" or Process.CommandLine like r"% user%" or Process.CommandLine like r"% view%" or Process.CommandLine like r"% share" or Process.CommandLine like r"% accounts%" or Process.CommandLine like r"% use%" or Process.CommandLine like r"% stop %"))

[ActivityMonitoringRule]
# Detects the creation of scheduled tasks in user session
RuleName = Scheduled Task Creation
EventType = Process.Start
Tag = proc-start-scheduled-task-creation
RiskScore = 25
Query = ((Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %") and not (Process.User like r"NT AUTHORITY\\SYSTEM"))

[ActivityMonitoringRule]
# Detects the creation of a process from Windows task manager
RuleName = Taskmgr as Parent
EventType = Process.Start
Tag = proc-start-taskmgr-as-parent
RiskScore = 25
Query = (Parent.Path like r"%\\taskmgr.exe" and not ((Process.Path like r"%\\resmon.exe" or Process.Path like r"%\\mmc.exe" or Process.Path like r"%\\taskmgr.exe")))

[ActivityMonitoringRule]
# Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
RuleName = Usage of Sysinternals Tools
EventType = Process.Start
Tag = proc-start-usage-of-sysinternals-tools
RiskScore = 25
Query = Process.CommandLine like r"% -accepteula%"

Leave a Reply

Your email address will not be published. Required fields are marked *