diff --git a/sigma/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/sigma/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml index fccaa093e..75bcd3cd1 100644 --- a/sigma/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml +++ b/sigma/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml @@ -10,7 +10,7 @@ references: - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege author: Florian Roth (Nextron Systems) date: 2019-11-20 -modified: 2022-05-27 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1068 @@ -23,17 +23,18 @@ detection: process_creation: EventID: 4688 Channel: Security - selection: + selection_img: CommandLine|contains: ' http' ParentProcessName|endswith: \consent.exe NewProcessName|endswith: \iexplore.exe - rights1: - MandatoryLabel: S-1-16-16384 - rights2: - SubjectUserName|contains: # covers many language settings - - AUTHORI - - AUTORI - condition: process_creation and (selection and ( rights1 or rights2 )) + selection_rights: + - MandatoryLabel: + - S-1-16-16384 + - None + - SubjectUserName|contains: # covers many language settings + - AUTHORI + - AUTORI + condition: process_creation and (all of selection_*) falsepositives: - Unknown level: critical diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml index 6f6333dad..8cebef16b 100644 --- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml +++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml 
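Review bot: The `- None` appended under `MandatoryLabel` in `selection_rights` is a plain YAML scalar, i.e. the string "None" (YAML null is spelled `null` or `~`), so it can never equal a 4688 Mandatory Label SID; and if a backend coerces it to null instead, the selection widens to every consent.exe→iexplore.exe event that carries no label. The sysmon counterpart of this rule lists `System` plus `S-1-16-16384`, so this looks like the sysmon→builtin mapping having no entry for a value that is already a SID — hedged, since the pipeline is not visible here. The restructure into `selection_img`/`selection_rights` with `all of selection_*` reproduces the old `selection and (rights1 or rights2)`; only the list entry should change, back to `MandatoryLabel: S-1-16-16384`.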
@@ -12,7 +12,7 @@ references: - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/ author: Florian Roth (Nextron Systems) date: 2021-11-22 -modified: 2023-02-13 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1068 @@ -36,7 +36,9 @@ detection: - pwsh.dll selection_parent: ParentProcessName|endswith: \elevation_service.exe - MandatoryLabel: S-1-16-16384 + MandatoryLabel: + - S-1-16-16384 + - None condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/sigma/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml index 3c7d88257..33426c002 100644 --- a/sigma/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml +++ b/sigma/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml @@ -10,7 +10,7 @@ references: - https://streamable.com/q2dsji author: Florian Roth (Nextron Systems), Maxime Thiebaut date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1553 @@ -24,10 +24,12 @@ detection: Channel: Security selection: ParentProcessName|endswith: \RazerInstaller.exe - MandatoryLabel: S-1-16-16384 - filter: + MandatoryLabel: + - S-1-16-16384 + - None + filter_main_razer: NewProcessName|startswith: C:\Windows\Installer\Razer\Installer\ - condition: process_creation and (selection and not filter) + condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) level: high 
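Review bot: `selection_parent` now carries `MandatoryLabel: [S-1-16-16384, None]`; the sysmon hunk for the same rule adds `S-1-16-16384`, which the builtin already had, so `None` is the unmapped rendering of that SID rather than an intended value. As a YAML string it never matches; as a null it would widen `all of selection_*` to elevation_service.exe children with no label, which is the wrong direction for a rule levelled for CVE-2021-41379 escalation. Keep `MandatoryLabel: S-1-16-16384` alone.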
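Review bot: The Razer hunk has the same `- None` under `selection.MandatoryLabel`; it should remain the single SID `S-1-16-16384`, mirroring the sysmon rule's `System`/`S-1-16-16384`. The rename to `filter_main_razer` with `not 1 of filter_main_*` is behaviour-preserving and fine.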
diff --git a/sigma/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml b/sigma/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml index 84c1417d1..fe7f83bcd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml +++ b/sigma/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml @@ -11,6 +11,7 @@ references: - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control author: frack113 date: 2022-12-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.t1202 @@ -26,7 +27,9 @@ detection: - conhost.exe - '0xffffffff' - -ForceV1 - MandatoryLabel: S-1-16-12288 + MandatoryLabel: + - S-1-16-12288 + - None condition: process_creation and selection falsepositives: - Very Likely, including launching cmd.exe via Run As Administrator diff --git a/sigma/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml b/sigma/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml index 96aafc26e..d8f4c4408 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml @@ -13,7 +13,7 @@ references: - https://twitter.com/_st0pp3r_/status/1583914244344799235 author: frack113 date: 2022-01-16 -modified: 2024-03-13 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.t1218.007 @@ -45,7 +45,9 @@ detection: ParentProcessName|startswith: C:\Windows\Temp\ filter_ccm: ParentProcessName: C:\Windows\CCM\Ccm32BitLauncher.exe - MandatoryLabel: S-1-16-16384 + MandatoryLabel: + - S-1-16-16384 + - None condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - WindowsApps installing updates via the quiet flag 
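Review bot: The conhost `-ForceV1` rule's only signal is the High-integrity label (`S-1-16-12288`, see the MIC reference it cites); the added `None` is the builtin rendering of the `S-1-16-12288` the sysmon hunk lists next to `High`, not a new value. If `None` ever resolves to a null/missing match, every conhost launch without a label fires, on top of the falsepositives entry already rated "Very Likely"; as a string it is inert. Drop it: `MandatoryLabel: S-1-16-12288`.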
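Review bot: In the msiexec quiet-install hunk the `None` lands inside `filter_ccm`, an exclusion, so the failure mode flips: a filter that also matches "label absent" suppresses more events (false negatives), bounded here only by the exact `ParentProcessName: C:\Windows\CCM\Ccm32BitLauncher.exe`. Keep the filter at `MandatoryLabel: S-1-16-16384`, which is what the sysmon version's `System`/`S-1-16-16384` maps to.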
diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/sigma/builtin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml index 323eae1de..d971d79f6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml @@ -10,7 +10,7 @@ references: - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ author: Teymur Kheirkhabarov date: 2019-10-26 -modified: 2023-01-30 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1574.011 @@ -29,7 +29,9 @@ detection: - \ImagePath - \FailureCommand - \ServiceDll - MandatoryLabel: S-1-16-8192 + MandatoryLabel: + - S-1-16-8192 + - None condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml b/sigma/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml index 8e995385f..65d9cd732 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml @@ -10,7 +10,7 @@ references: - https://pentestlab.blog/2017/03/30/weak-service-permissions/ author: Teymur Kheirkhabarov date: 2019-10-26 -modified: 2022-07-14 +modified: 2024-12-01 tags: - attack.persistence - attack.defense-evasion @@ -25,7 +25,9 @@ detection: Channel: Security scbynonadmin: NewProcessName|endswith: \sc.exe - MandatoryLabel: S-1-16-8192 + MandatoryLabel: + - S-1-16-8192 + - None selection_binpath: CommandLine|contains|all: - config 
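Review bot: This rule's discriminator is Medium integrity (`S-1-16-8192`): a non-elevated process writing service `ImagePath`/`FailureCommand`/`ServiceDll` keys. Adding `None` either never matches (YAML string "None") or, if the backend treats it as null, matches elevated admin edits whose 4688 carries no Mandatory Label, which inverts the "non-privileged" intent of the rule. The sysmon side adds `Medium` + `S-1-16-8192`; the builtin equivalent is just `MandatoryLabel: S-1-16-8192`.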
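Review bot: Same concern in the `sc.exe` hunk: the selection is literally named `scbynonadmin`, and Medium integrity is what makes it "non-admin". `MandatoryLabel: [S-1-16-8192, None]` either adds nothing or removes that qualifier; keep `MandatoryLabel: S-1-16-8192`. The `selection_binpath` block continues outside the hunk.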
diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml index c79a5014e..fb85404b3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml @@ -10,6 +10,7 @@ references: - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml author: Swachchhanda Shrawan Poudel, Elastic (idea) date: 2023-04-20 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.persistence @@ -36,7 +37,9 @@ detection: filter_main_extension_xml: CommandLine|contains: .xml filter_main_system_process: - MandatoryLabel: S-1-16-16384 + MandatoryLabel: + - S-1-16-16384 + - None filter_main_rundll32: ParentCommandLine|contains|all: - :\WINDOWS\Installer\MSI diff --git a/sigma/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml index bd93c4e61..117f6898e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml @@ -9,7 +9,7 @@ references: - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) date: 2021-07-11 -modified: 2023-02-09 +modified: 2024-12-01 tags: - attack.execution - attack.t1203 
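Review bot: `filter_main_system_process` is an exclusion, so widening it to `MandatoryLabel: [S-1-16-16384, None]` can only reduce detections. If the converted query reads `None` as null/missing, every schtasks 4688 without a Mandatory Label is filtered out and the rule goes silent on those hosts; if it is the string "None" the entry is dead. The sysmon rule's filter is `System`/`S-1-16-16384`, so the builtin filter should stay `MandatoryLabel: S-1-16-16384`.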
@@ -24,7 +24,9 @@ detection: Channel: Security spoolsv: ParentProcessName|endswith: \spoolsv.exe - MandatoryLabel: S-1-16-16384 + MandatoryLabel: + - S-1-16-16384 + - None suspicious_unrestricted: NewProcessName|endswith: - \gpupdate.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/sigma/builtin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml index ef72d12a1..30a7cfc6e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml @@ -9,7 +9,7 @@ references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020-10-13 -modified: 2023-03-23 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1548.002 @@ -31,7 +31,9 @@ detection: NewProcessName|endswith: tmp selection_image_2: NewProcessName|endswith: \msiexec.exe - MandatoryLabel: S-1-16-16384 + MandatoryLabel: + - S-1-16-16384 + - None filter_installer: ParentProcessName: C:\Windows\System32\services.exe filter_repair: diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/sigma/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml index 75ba61141..5ccaff3ce 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml 
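Review bot: The `spoolsv` selection requires a System-integrity child of spoolsv.exe; the added `- None` is the builtin rendering of the `S-1-16-16384` the sysmon hunk lists alongside `System`, and as a YAML string it cannot match a SID. Remove it so the selection remains `MandatoryLabel: S-1-16-16384`; the `suspicious_unrestricted` image list continues outside the hunk.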
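Review bot: In the AlwaysInstallElevated hunk `selection_image_2` gains the same `None` next to `S-1-16-16384` for msiexec.exe. A null-matching entry here would fire on every msiexec launch lacking a label, with only `filter_installer`/`filter_repair` (outside the hunk) to hold it back; keep `MandatoryLabel: S-1-16-16384`.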
@@ -9,7 +9,7 @@ references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community date: 2020-10-05 -modified: 2022-07-07 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.t1112 @@ -20,17 +20,16 @@ detection: process_creation: EventID: 4688 Channel: Security - reg: - CommandLine|contains|all: - - 'reg ' - - add - powershell: - CommandLine|contains: - - powershell - - set-itemproperty - - ' sp ' - - new-itemproperty - select_data: + selection_cli: + - CommandLine|contains|all: + - 'reg ' + - add + - CommandLine|contains: + - powershell + - set-itemproperty + - ' sp ' + - new-itemproperty + selection_data: CommandLine|contains|all: - ControlSet - Services @@ -38,12 +37,10 @@ detection: - ImagePath - FailureCommand - ServiceDLL - MandatoryLabel: S-1-16-8192 - condition: process_creation and ((reg or powershell) and select_data) -fields: - - MandatoryLabel - - EventID - - CommandLine + MandatoryLabel: + - S-1-16-8192 + - None + condition: process_creation and (all of selection_*) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml index a90c45829..ed9d09478 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml @@ -10,7 +10,7 @@ references: - https://tools.thehacker.recipes/mimikatz/modules author: Florian Roth (Nextron Systems), David ANDRE (additional keywords) date: 2021-12-20 -modified: 2024-11-11 +modified: 2024-12-01 tags: - attack.credential-access - attack.defense-evasion 
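Review bot: Folding `reg` and `powershell` into `selection_cli` as a list of two maps keeps the OR, and `all of selection_*` reproduces `(reg or powershell) and select_data`, so the restructure is sound and dropping the `fields:` list is cosmetic. The remaining issue is `MandatoryLabel: [S-1-16-8192, None]` in `selection_data`: the rule is explicitly about non-privileged (Medium) changes, and `None` is either an inert string or a null match that pulls in elevated admin activity. Suggest `MandatoryLabel: S-1-16-8192`.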
@@ -26,7 +26,9 @@ detection: EventID: 4688 Channel: Security selection: - MandatoryLabel: S-1-16-16384 + MandatoryLabel: + - S-1-16-16384 + - None SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml index 43034519e..4395366ee 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml @@ -37,11 +37,6 @@ detection: - 'qwsu ' - 'uwdqs ' condition: process_creation and (all of selection*) -fields: - - MandatoryLabel - - Product - - Description - - CommandLine falsepositives: - System administrator Usage level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml index 14fa84d40..81ddd3c5b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml +++ b/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml @@ -9,6 +9,7 @@ references: - https://twitter.com/Moti_B/status/909449115477659651 author: '@juju4' date: 2022-12-27 +modified: 2024-12-01 tags: - attack.execution logsource: @@ -22,7 +23,9 @@ detection: - NewProcessName|endswith: \tscon.exe - OriginalFileName: tscon.exe selection_integrity: - MandatoryLabel: S-1-16-16384 + MandatoryLabel: + - S-1-16-16384 + - None condition: process_creation and (all of selection_*) falsepositives: - Administrative activity diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml index 07e213fd1..c69520767 100644 
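Review bot: `selection` here ANDs the System label with `SubjectUserName|contains AUTHORI/AUTORI`; the extra `None` mirrors the sysmon rule's SID addition and cannot match as a string, so it should be removed to keep `MandatoryLabel: S-1-16-16384`. The anomaly image list this selection pairs with is outside the hunk.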
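Review bot: For tscon, `selection_integrity` is the only thing separating session hijacking (tscon run as SYSTEM) from the "Administrative activity" false positive; `MandatoryLabel: [S-1-16-16384, None]` would, under a null interpretation, match any tscon launch without a label. Keep `selection_integrity: MandatoryLabel: S-1-16-16384`.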
--- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml @@ -11,7 +11,7 @@ references: - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf author: Christian Burkard (Nextron Systems) date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -29,6 +29,8 @@ detection: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 + - None + - None condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml index 464c844c8..43b70b015 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-31 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -25,6 +25,8 @@ detection: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 + - None + - None NewProcessName: C:\Windows\System32\ComputerDefaults.exe filter: ParentProcessName|contains: diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml index 2b56e3544..55e789573 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml 
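Review bot: Two identical `- None` entries are appended to the `MandatoryLabel` list, so the hunk is redundant with itself before asking what `None` matches. They correspond to the sysmon change adding `S-1-16-12288` and `S-1-16-16384`, both of which this builtin list already contains, so the correct builtin change is no change to this list. The computerdefaults hunk on this line has the same duplicated pair.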
@@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -27,6 +27,8 @@ detection: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 + - None + - None condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml index f6b79e55c..2301c0648 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-30 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -29,6 +29,8 @@ detection: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 + - None + - None condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ieinstal.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ieinstal.yml index ada958326..d1d362b5c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ieinstal.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ieinstal.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-30 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -25,6 +25,8 @@ detection: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 + - None + - None ParentProcessName|endswith: \ieinstal.exe NewProcessName|contains: \AppData\Local\Temp\ NewProcessName|endswith: consent.exe 
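Review bot: The consent_comctl32, dismhost and ieinstal hunks each append `- None` twice to a list that already holds `S-1-16-12288` and `S-1-16-16384`; since those are the two SIDs the sysmon rules add, the builtin lists need no addition at all. If the duplicate `None` entries were kept and interpreted as null, the ieinstal rule in particular would match any `\AppData\Local\Temp\...consent.exe` child regardless of integrity, which is broader than the UACME technique it names.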
diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml index fa7d43ece..658e4f2d7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-30 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -26,6 +26,8 @@ detection: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 + - None + - None ParentProcessName|endswith: \AppData\Local\Temp\pkgmgr.exe condition: process_creation and selection falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml index 970874448..ee3922e45 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-30 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -27,6 +27,8 @@ detection: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 + - None + - None selection2: ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck' CommandLine|contains|all: diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml index 84597ae87..74a49ffae 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml 
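Review bot: Both the msconfig_gui and ntfs_reparse_point hunks add the duplicated `- None`/`- None` pair below a list that already has High and System SIDs; remove both lines and leave the list as it was. A YAML `None` is the string "None", not a null, so at best these entries are dead weight and at worst a null match that removes the integrity constraint from `selection`.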
+++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -27,6 +27,8 @@ detection: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 + - None + - None condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_sdclt.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_sdclt.yml index f67942f1a..d4236eb98 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_sdclt.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_sdclt.yml @@ -10,7 +10,7 @@ references: - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-05-02 -modified: 2023-02-14 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.defense-evasion @@ -24,7 +24,9 @@ detection: Channel: Security selection: NewProcessName|endswith: sdclt.exe - MandatoryLabel: S-1-16-12288 + MandatoryLabel: + - S-1-16-12288 + - None condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wmp.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wmp.yml index 6ef67b39c..d8263f877 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wmp.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wmp.yml 
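Review bot: pkgmgr_dism repeats the duplicated `None` pair, and sdclt turns a single `MandatoryLabel: S-1-16-12288` into `[S-1-16-12288, None]`. The sdclt rule's only constraint besides the image name is High integrity, so a null-matching `None` would make it fire on any non-labelled sdclt.exe launch; keep `MandatoryLabel: S-1-16-12288` and drop the pkgmgr_dism additions.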
@@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -21,18 +21,18 @@ detection: process_creation: EventID: 4688 Channel: Security - selection1: + selection_img_1: NewProcessName: C:\Program Files\Windows Media Player\osk.exe - MandatoryLabel: - - S-1-16-12288 - - S-1-16-16384 - selection2: + selection_img_2: ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' NewProcessName: C:\Windows\System32\cmd.exe + selection_integrity: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 - condition: process_creation and (1 of selection*) + - None + - None + condition: process_creation and (1 of selection_img_* and selection_integrity) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml index 13c16d146..1f48240c2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml @@ -11,7 +11,7 @@ references: - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf author: Christian Burkard (Nextron Systems) date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -28,6 +28,8 @@ detection: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 + - None + - None condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml index 41fd28efb..5af422f08 100644 
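Review bot: Factoring the shared list into `selection_integrity` with `1 of selection_img_* and selection_integrity` is equivalent to the old per-selection `MandatoryLabel` lists (both `selection1` and `selection2` carried the same two SIDs), so the refactor is correct. The `- None`/`- None` pair added to `selection_integrity`, and again in the wsreset hunk, should be removed for the reasons above: the sysmon source adds SIDs the builtin list already has.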
--- a/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml +++ b/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml @@ -10,7 +10,7 @@ references: - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2019-01-16 -modified: 2023-11-11 +modified: 2024-11-26 tags: - attack.persistence - attack.t1505.003 @@ -65,7 +65,7 @@ detection: - \netdom.exe - \netsh.exe - \nltest.exe - - \ntdutil.exe + - \ntdsutil.exe - \powershell_ise.exe - \powershell.exe - \pwsh.exe diff --git a/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml index 5112b4b53..7bfe492ad 100644 --- a/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml +++ b/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml @@ -10,7 +10,7 @@ references: - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege author: Florian Roth (Nextron Systems) date: 2019-11-20 -modified: 2022-05-27 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1068 
@@ -24,17 +24,18 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - selection: + selection_img: ParentImage|endswith: \consent.exe Image|endswith: \iexplore.exe CommandLine|contains: ' http' - rights1: - IntegrityLevel: System # for Sysmon users - rights2: - User|contains: # covers many language settings - - AUTHORI - - AUTORI - condition: process_creation and (selection and ( rights1 or rights2 )) + selection_rights: + - IntegrityLevel: + - System # for Sysmon users + - S-1-16-16384 # System + - User|contains: # covers many language settings + - AUTHORI + - AUTORI + condition: process_creation and (all of selection_*) falsepositives: - Unknown level: critical diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml index c67820d64..516e6ab96 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml @@ -12,7 +12,7 @@ references: - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/ author: Florian Roth (Nextron Systems) date: 2021-11-22 -modified: 2023-02-13 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1068 @@ -37,7 +37,9 @@ detection: - pwsh.dll selection_parent: ParentImage|endswith: \elevation_service.exe - IntegrityLevel: System + IntegrityLevel: + - System + - S-1-16-16384 # System condition: process_creation and (all of selection_*) falsepositives: - Unknown 
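Review bot: Listing the raw SID next to `System` is a reasonable hardening for Sysmon configs or forwarders that emit `S-1-16-*` values, but the `# for Sysmon users` comment on the `System` entry is now stale in a rule that lives in the sysmon tree and could be dropped. Worth noting, hedged since the conversion step is not in this diff: the builtin counterpart of this exact hunk renders the added `S-1-16-16384` as `None`, which suggests the sysmon→builtin field mapping needs an identity entry for values that are already SIDs before these rules are regenerated.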
diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/sigma/sysmon/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml index 9997a171c..89ad76343 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml @@ -10,7 +10,7 @@ references: - https://streamable.com/q2dsji author: Florian Roth (Nextron Systems), Maxime Thiebaut date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1553 @@ -25,10 +25,12 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: ParentImage|endswith: \RazerInstaller.exe - IntegrityLevel: System - filter: + IntegrityLevel: + - System + - S-1-16-16384 # System + filter_main_razer: Image|startswith: C:\Windows\Installer\Razer\Installer\ - condition: process_creation and (selection and not filter) + condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_conhost_legacy_option.yml b/sigma/sysmon/process_creation/proc_creation_win_conhost_legacy_option.yml index 99fa7807f..ace8603df 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_conhost_legacy_option.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_conhost_legacy_option.yml @@ -11,6 +11,7 @@ references: - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control author: frack113 date: 2022-12-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.t1202 
@@ -23,7 +24,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - IntegrityLevel: High + IntegrityLevel: + - High + - S-1-16-12288 CommandLine|contains|all: - conhost.exe - '0xffffffff' diff --git a/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_quiet.yml b/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_quiet.yml index 726aeeed1..888120d3d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_quiet.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_quiet.yml @@ -13,7 +13,7 @@ references: - https://twitter.com/_st0pp3r_/status/1583914244344799235 author: frack113 date: 2022-01-16 -modified: 2024-03-13 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.t1218.007 @@ -46,7 +46,9 @@ detection: ParentImage|startswith: C:\Windows\Temp\ filter_ccm: ParentImage: C:\Windows\CCM\Ccm32BitLauncher.exe - IntegrityLevel: System + IntegrityLevel: + - System + - S-1-16-16384 condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - WindowsApps installing updates via the quiet flag diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml index 1435810dd..dcc811437 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml @@ -10,7 +10,7 @@ references: - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ author: Teymur Kheirkhabarov date: 2019-10-26 -modified: 2023-01-30 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1574.011 
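Review bot: Style only: `- S-1-16-12288` here and `- S-1-16-16384` in the msiexec hunk carry no trailing annotation, while the earlier sysmon hunks write `- S-1-16-16384 # System`. Readers who do not memorise integrity SIDs benefit from the comment; suggest `- S-1-16-12288 # High` and `- S-1-16-16384 # System` for consistency.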
@@ -23,7 +23,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - IntegrityLevel: Medium + IntegrityLevel: + - Medium + - S-1-16-8192 CommandLine|contains|all: - ControlSet - services diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml index 2d7a4745f..dea90f0c2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml @@ -10,7 +10,7 @@ references: - https://pentestlab.blog/2017/03/30/weak-service-permissions/ author: Teymur Kheirkhabarov date: 2019-10-26 -modified: 2022-07-14 +modified: 2024-12-01 tags: - attack.persistence - attack.defense-evasion @@ -26,7 +26,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational scbynonadmin: Image|endswith: \sc.exe - IntegrityLevel: Medium + IntegrityLevel: + - Medium + - S-1-16-8192 selection_binpath: CommandLine|contains|all: - config diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml index f3e315255..82ef45fbe 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml @@ -10,6 +10,7 @@ references: - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml author: Swachchhanda Shrawan Poudel, Elastic (idea) date: 2023-04-20 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.persistence 
@@ -37,7 +38,9 @@ detection: filter_main_extension_xml: CommandLine|contains: .xml filter_main_system_process: - IntegrityLevel: System + IntegrityLevel: + - System + - S-1-16-16384 filter_main_rundll32: ParentImage|endswith: \rundll32.exe ParentCommandLine|contains|all: diff --git a/sigma/sysmon/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml index 5913e8fa2..54a9bc9a9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml @@ -9,7 +9,7 @@ references: - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) date: 2021-07-11 -modified: 2023-02-09 +modified: 2024-12-01 tags: - attack.execution - attack.t1203 @@ -25,7 +25,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational spoolsv: ParentImage|endswith: \spoolsv.exe - IntegrityLevel: System + IntegrityLevel: + - System + - S-1-16-16384 suspicious_unrestricted: Image|endswith: - \gpupdate.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml index 2c9214d4d..9e69ca8f3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml 
@@ -9,7 +9,7 @@ references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020-10-13 -modified: 2023-03-23 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1548.002 @@ -32,7 +32,9 @@ detection: Image|endswith: tmp selection_image_2: Image|endswith: \msiexec.exe - IntegrityLevel: System + IntegrityLevel: + - System + - S-1-16-16384 filter_installer: ParentImage: C:\Windows\System32\services.exe filter_repair: diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_child_process_as_system_.yml index 556b404ed..708b22057 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_child_process_as_system_.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_child_process_as_system_.yml @@ -12,7 +12,7 @@ references: - https://twitter.com/Cyb3rWard0g/status/1453123054243024897 author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) date: 2019-10-26 -modified: 2022-12-15 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.t1134.002 @@ -39,7 +39,9 @@ detection: - \SYSTEM - \Système - \СИСТЕМА - IntegrityLevel: System + IntegrityLevel: + - System + - S-1-16-16384 filter_rundll32: Image|endswith: \rundll32.exe CommandLine|contains: DavSetCookie diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml index 46e0f5d6e..74754cb29 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml 
@@ -9,7 +9,7 @@ references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community date: 2020-10-05 -modified: 2022-07-07 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.t1112 @@ -21,18 +21,19 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - reg: - CommandLine|contains|all: - - 'reg ' - - add - powershell: - CommandLine|contains: - - powershell - - set-itemproperty - - ' sp ' - - new-itemproperty - select_data: - IntegrityLevel: Medium + selection_cli: + - CommandLine|contains|all: + - 'reg ' + - add + - CommandLine|contains: + - powershell + - set-itemproperty + - ' sp ' + - new-itemproperty + selection_data: + IntegrityLevel: + - Medium + - S-1-16-8192 CommandLine|contains|all: - ControlSet - Services @@ -40,11 +41,7 @@ detection: - ImagePath - FailureCommand - ServiceDLL - condition: process_creation and ((reg or powershell) and select_data) -fields: - - EventID - - IntegrityLevel - - CommandLine + condition: process_creation and (all of selection_*) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml index 6f27e68cf..f41731dfd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml @@ -10,7 +10,7 @@ references: - https://tools.thehacker.recipes/mimikatz/modules author: Florian Roth (Nextron Systems), David ANDRE (additional keywords) date: 2021-12-20 -modified: 2024-11-11 +modified: 2024-12-01 tags: - attack.credential-access - attack.defense-evasion 
@@ -27,7 +27,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - IntegrityLevel: System + IntegrityLevel: + - System + - S-1-16-16384 User|contains: # covers many language settings - AUTHORI - AUTORI diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml index a3aa25283..7d238aebd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml @@ -38,11 +38,6 @@ detection: - 'qwsu ' - 'uwdqs ' condition: process_creation and (all of selection*) -fields: - - IntegrityLevel - - Product - - Description - - CommandLine falsepositives: - System administrator Usage level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml index 1ce9c2c8f..77fe05585 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml @@ -9,6 +9,7 @@ references: - https://twitter.com/Moti_B/status/909449115477659651 author: '@juju4' date: 2022-12-27 +modified: 2024-12-01 tags: - attack.execution - sysmon @@ -23,7 +24,9 @@ detection: - Image|endswith: \tscon.exe - OriginalFileName: tscon.exe selection_integrity: - IntegrityLevel: SYSTEM + IntegrityLevel: + - System + - S-1-16-16384 condition: process_creation and (all of selection_*) falsepositives: - Administrative activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml index 66c742c7d..b00277d65 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml @@ -11,7 +11,7 @@ references: - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf author: Christian Burkard (Nextron Systems) date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -30,6 +30,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml index 2708e58d7..98511b1d2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-30 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -28,6 +28,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml index 02b849d77..984fd21d8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml 
@@ -12,7 +12,7 @@ references: - https://github.com/hfiref0x/UACME author: Nik Seetharaman, Christian Burkard (Nextron Systems) date: 2019-07-31 -modified: 2022-09-21 +modified: 2024-12-01 tags: - attack.execution - attack.defense-evasion @@ -40,6 +40,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High condition: process_creation and selection falsepositives: - Legitimate CMSTP use (unlikely in modern enterprise environments) diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml index 3da8ab77b..f02c19faf 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-31 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -26,6 +26,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High Image: C:\Windows\System32\ComputerDefaults.exe filter: ParentImage|contains: diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml index d450fa5a8..c69744c33 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation 
@@ -28,6 +28,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_dismhost.yml index 9f60f259d..375fe9488 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_dismhost.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_dismhost.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-30 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -30,6 +30,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml index ce050b5fb..60d260e34 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml @@ -9,6 +9,7 @@ references: - https://github.com/Wh04m1001/IDiagnosticProfileUAC author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-03 +modified: 2024-12-01 tags: - attack.execution - attack.defense-evasion @@ -28,6 +29,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ieinstal.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ieinstal.yml index d42eec072..d29194f1c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ieinstal.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ieinstal.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-30 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -26,6 +26,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High ParentImage|endswith: \ieinstal.exe Image|contains: \AppData\Local\Temp\ Image|endswith: consent.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml index 2e05b3a80..5fb8acbbc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-30 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -26,6 +26,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High ParentImage|endswith: \AppData\Local\Temp\pkgmgr.exe CommandLine: '"C:\Windows\system32\msconfig.exe" -5' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml index 1d6440805..10bf55c94 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-30 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation 
@@ -28,6 +28,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High selection2: ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck' IntegrityLevel: diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml index ee6ee495e..f9a1dfd9e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -28,6 +28,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_sdclt.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_sdclt.yml index f980761a0..d947598c9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_sdclt.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_sdclt.yml @@ -10,7 +10,7 @@ references: - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-05-02 -modified: 2023-02-14 +modified: 2024-12-01 tags: - attack.privilege-escalation - attack.defense-evasion 
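Review bot: In the ntfs_reparse_point hunk, selection2's `IntegrityLevel:` list begins on the last context line but its values lie outside the hunk, and this file receives no other hunk in the diff; if that list names `High`/`System` as selection does, an event that reports the SID form will satisfy selection but not selection2, so the rule's two branches would diverge on the same input. The two entries added to selection, `- S-1-16-16384 # System` and `- S-1-16-12288 # High`, should be appended to selection2's list as well, unless that list was already converted in an earlier commit. The detection block continues past the end of the hunk.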
@@ -25,7 +25,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: sdclt.exe - IntegrityLevel: High + IntegrityLevel: + - High + - S-1-16-12288 # High condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_winsat.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_winsat.yml index 0fd0944e0..6139bed86 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_winsat.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_winsat.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-30 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -26,6 +26,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High ParentImage|endswith: \AppData\Local\Temp\system32\winsat.exe ParentCommandLine|contains: C:\Windows \system32\winsat.exe condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wmp.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wmp.yml index f9fbd4d2b..21b3caaa2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wmp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wmp.yml @@ -9,7 +9,7 @@ references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation 
@@ -22,18 +22,18 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - selection1: + selection_img_1: Image: C:\Program Files\Windows Media Player\osk.exe - IntegrityLevel: - - High - - System - selection2: + selection_img_2: Image: C:\Windows\System32\cmd.exe ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' + selection_integrity: IntegrityLevel: - High - System - condition: process_creation and (1 of selection*) + - S-1-16-16384 # System + - S-1-16-12288 # High + condition: process_creation and (1 of selection_img_* and selection_integrity) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml index d33dc27e0..bb49bef20 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml @@ -11,7 +11,7 @@ references: - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf author: Christian Burkard (Nextron Systems) date: 2021-08-23 -modified: 2022-10-09 +modified: 2024-12-01 tags: - attack.defense-evasion - attack.privilege-escalation @@ -29,6 +29,8 @@ detection: IntegrityLevel: - High - System + - S-1-16-16384 # System + - S-1-16-12288 # High condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml index b8a265d29..5dd4dc841 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml 
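Review bot: The rewritten condition applies selection_integrity to both image selections, but the old selection2 (cmd.exe under the mmc/eventvwr parent) had no IntegrityLevel constraint, so this hunk narrows the rule for that branch: a cmd.exe with that ParentCommandLine at Medium integrity matched before and no longer does. If the tightening is intended, a comment on `selection_integrity` saying both branches require an elevated child process, or a note in the rule description, would stop a later reader from treating it as an oversight; if it is not, keep the second branch free of the integrity requirement, e.g. `condition: process_creation and ((selection_img_1 and selection_integrity) or selection_img_2)`.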
@@ -10,7 +10,7 @@ references: - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2019-01-16 -modified: 2023-11-11 +modified: 2024-11-26 tags: - attack.persistence - attack.t1505.003 @@ -66,7 +66,7 @@ detection: - \netdom.exe - \netsh.exe - \nltest.exe - - \ntdutil.exe + - \ntdsutil.exe - \powershell_ise.exe - \powershell.exe - \pwsh.exe