forked from SigmaHQ/sigma
-
Notifications
You must be signed in to change notification settings - Fork 0
/
godmode_sigma_rule.yml
150 lines (149 loc) · 4.96 KB
/
godmode_sigma_rule.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# _____ __ __ ___ __
# / ___/__ ___/ / / |/ /__ ___/ /__
# / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
# _\ \/ / _ `/ ' \/ _ `/ / , _/ // / / -_)
# /___/_/\_, /_/_/_/\_,_/ /_/|_|\_,_/_/\__/
# /___/ IDDQD
#
# Florian Roth
# May 2020
# v0.3
#
# A Proof-of-Concept with the most effective search queries
title: Godmode Sigma Rule
id: def6caac-a999-4fc9-8800-cfeff700ba98
description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
status: experimental
author: Florian Roth
date: 2019/12/22
modified: 2020/05/18
level: high
action: global
---
logsource:
category: process_creation
product: windows
detection:
# Different suspicious or malicious command line parameters
selection_plain:
CommandLine|contains:
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' -decode ' # Used with certutil
- ' /decode ' # Used with certutil
- ' -e* JAB' # PowerShell encoded commands
- ' -e* SUVYI' # PowerShell encoded commands
- ' -e* SQBFAFgA' # PowerShell encoded commands
- ' -e* aWV4I' # PowerShell encoded commands
- ' -e* IAB' # PowerShell encoded commands
- ' -e* PAA' # PowerShell encoded commands
- ' -e* aQBlAHgA' # PowerShell encoded commands
- 'vssadmin delete shadows' # Ransomware
- 'reg SAVE HKLM\SAM' # save registry SAM - syskey extraction
- ' -ma ' # ProcDump
- 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
- '.downloadstring(' # PowerShell download command
- '.downloadfile(' # PowerShell download command
- ' /ticket:' # Rubeus
- ' sekurlsa' # Mimikatz
- ' p::d ' # Mimikatz
- ';iex(' # PowerShell IEX
- 'schtasks* /create *AppData' # Scheduled task creation pointing to AppData
- ' comsvcs.dll,MiniDump' # Process dumping method apart from procdump
- ' comsvcs.dll,#24' # Process dumping method apart from procdump
selection_parent_child:
ParentImage|contains:
# Office Dropper Detection
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.exe'
- '\MSPUB.exe'
- '\VISIO.exe'
- '\OUTLOOK.EXE'
Image|contains:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\schtasks.exe'
- '*\scrcons.exe'
- '\regsvr32.exe'
- '\hh.exe'
- '\wmic.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\forfiles.exe'
- '\AppData\'
selection_webshells:
Image|contains:
- '\apache*'
- '\tomcat*'
- '\w3wp.exe'
- '\php-cgi.exe'
- '\nginx.exe'
- '\httpd.exe'
CommandLine|contains:
- 'whoami'
- 'net user '
- 'ping -n '
- 'systeminfo'
- '&cd&echo'
- 'cd /d ' # https://www.computerhope.com/cdhlp.htm
# Running whoami as LOCAL_SYSTEM (usually after privilege escalation)
selection_whoami:
Image|contains: '\whoami.exe'
User: 'NT AUTHORITY\SYSTEM'
condition: 1 of them
---
logsource:
product: windows
service: sysmon
detection:
selection_file_creation:
EventID: 11
TargetFilename|contains:
- '.dmp' # dump process memory
- 'Desktop\how' # Ransomware
- 'Desktop\decrypt' # Ransomware
selection_registry_modifications:
EventID:
- 12
- 13
TargetObject|contains:
- 'UserInitMprLogonScript' # persistence
- '\CurrentVersion\Image File Execution Options\' # persistence
selection_registry_run:
EventID:
- 12
- 13
TargetObject|contains:
- '\Microsoft\Windows\CurrentVersion\Run\' # persistence
- '\Microsoft\Windows\CurrentVersion\RunOnce\' # persistence
Details|contains:
- 'AppData'
- '\Users\Public\'
- '\Temp\'
- 'powershell'
- 'wscript'
- 'cscript'
condition: 1 of them
---
logsource:
product: windows
service: system
detection:
# Malicious service installs
selection:
EventID: 7045
ServiceName|contains:
- 'WCESERVICE'
- 'WCE SERVICE'
- 'winexesvc'
- 'DumpSvc'
- 'pwdump'
- 'gsecdump'
- 'cachedump'
condition:
1 of them