Updated converted sigma rules for version version/7.4
vastlimits committed Feb 18, 2025
1 parent 1be7f5f commit 417de23
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions config/uberAgent-ESA-am-sigma-high-windows.conf
Expand Up @@ -3186,7 +3186,7 @@ EventType = Process.Start
Tag = proc-start-schtasks-creation-or-modification-with-system-privileges
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
Query = Process.Path like r"%\\schtasks.exe" and (Process.CommandLine like r"% /change %" or Process.CommandLine like r"% /create %") and Process.CommandLine like r"%/ru %" and (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM %") and not (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/TN TVInstallRestore%" and Process.CommandLine like r"%\\TeamViewer\_.exe%" or Process.CommandLine like r"%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %" or Process.CommandLine like r"%:\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira\_speedup\_setup.exe%" or Process.CommandLine like r"%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%")
Query = Process.Path like r"%\\schtasks.exe" and (Process.CommandLine like r"% /change %" or Process.CommandLine like r"% /create %") and Process.CommandLine like r"%/ru %" and (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM %") and not (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/TN TVInstallRestore%" and Process.CommandLine like r"%\\TeamViewer\_.exe%" or Process.CommandLine like r"%Subscription Heartbeat%" and Process.CommandLine like r"%\\HeartbeatConfig.xml%" and Process.CommandLine like r"%\\Microsoft Shared\\OFFICE%" or Process.CommandLine like r"%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %" or Process.CommandLine like r"%:\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira\_speedup\_setup.exe%" or Process.CommandLine like r"%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%")


[ThreatDetectionRule platform=Windows]
Expand Down Expand Up @@ -7210,14 +7210,14 @@ Query = Process.CommandLine like r"%Add-Exfiltration%" or Process.CommandLine li

[ThreatDetectionRule platform=Windows]
# Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
# Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
# Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
RuleId = c86500e9-a645-4680-98d7-f882c70c1ea3
RuleName = AADInternals PowerShell Cmdlets Execution - ProccessCreation
EventType = Process.Start
Tag = proc-start-aadinternals-powershell-cmdlets-execution-proccesscreation
RiskScore = 75
Annotation = {"author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)"}
Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.Exe", "pwsh.dll"]) and (Process.CommandLine like r"%Add-AADInt%" or Process.CommandLine like r"%ConvertTo-AADInt%" or Process.CommandLine like r"%Disable-AADInt%" or Process.CommandLine like r"%Enable-AADInt%" or Process.CommandLine like r"%Export-AADInt%" or Process.CommandLine like r"%Get-AADInt%" or Process.CommandLine like r"%Grant-AADInt%" or Process.CommandLine like r"%Install-AADInt%" or Process.CommandLine like r"%Invoke-AADInt%" or Process.CommandLine like r"%Join-AADInt%" or Process.CommandLine like r"%New-AADInt%" or Process.CommandLine like r"%Open-AADInt%" or Process.CommandLine like r"%Read-AADInt%" or Process.CommandLine like r"%Register-AADInt%" or Process.CommandLine like r"%Remove-AADInt%" or Process.CommandLine like r"%Restore-AADInt%" or Process.CommandLine like r"%Search-AADInt%" or Process.CommandLine like r"%Send-AADInt%" or Process.CommandLine like r"%Set-AADInt%" or Process.CommandLine like r"%Start-AADInt%" or Process.CommandLine like r"%Update-AADInt%")
Annotation = {"author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)"}
Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.Exe", "pwsh.dll"]) and (Process.CommandLine like r"%Add-AADInt%" or Process.CommandLine like r"%ConvertTo-AADInt%" or Process.CommandLine like r"%Disable-AADInt%" or Process.CommandLine like r"%Enable-AADInt%" or Process.CommandLine like r"%Export-AADInt%" or Process.CommandLine like r"%Find-AADInt%" or Process.CommandLine like r"%Get-AADInt%" or Process.CommandLine like r"%Grant-AADInt%" or Process.CommandLine like r"%Initialize-AADInt%" or Process.CommandLine like r"%Install-AADInt%" or Process.CommandLine like r"%Invoke-AADInt%" or Process.CommandLine like r"%Join-AADInt%" or Process.CommandLine like r"%New-AADInt%" or Process.CommandLine like r"%Open-AADInt%" or Process.CommandLine like r"%Read-AADInt%" or Process.CommandLine like r"%Register-AADInt%" or Process.CommandLine like r"%Remove-AADInt%" or Process.CommandLine like r"%Reset-AADInt%" or Process.CommandLine like r"%Resolve-AADInt%" or Process.CommandLine like r"%Restore-AADInt%" or Process.CommandLine like r"%Save-AADInt%" or Process.CommandLine like r"%Search-AADInt%" or Process.CommandLine like r"%Send-AADInt%" or Process.CommandLine like r"%Set-AADInt%" or Process.CommandLine like r"%Start-AADInt%" or Process.CommandLine like r"%Unprotect-AADInt%" or Process.CommandLine like r"%Update-AADInt%")


[ThreatDetectionRule platform=Windows]
Expand Down Expand Up @@ -7741,8 +7741,8 @@ RuleName = Windows Event Log Access Tampering Via Registry
EventType = Reg.Any
Tag = windows-event-log-access-tampering-via-registry
RiskScore = 75
Annotation = {"mitre_attack": ["T1547.001"], "author": "X__Junior"}
Query = (Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\System%" and Reg.TargetObject like r"%\\CustomSD" or (Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows\\EventLog\\Setup%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels%") and Reg.TargetObject like r"%\\ChannelAccess") and (Reg.Value.Data like r"%D:(D;%" or Reg.Value.Data like r"%D:(%" and Reg.Value.Data like r"%)(D;%")
Annotation = {"mitre_attack": ["T1547.001", "T1112"], "author": "X__Junior"}
Query = (Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\%" and Reg.TargetObject like r"%\\CustomSD" or (Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows\\EventLog\\%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels%") and Reg.TargetObject like r"%\\ChannelAccess") and (Reg.Value.Data like r"%D:(D;%" or Reg.Value.Data like r"%D:(%" and Reg.Value.Data like r"%)(D;%")
Hive = HKLM,HKU
GenericProperty1 = Reg.TargetObject
GenericProperty2 = Reg.Value.Data
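Review bot: In the third hunk the Annotation line keeps T1547.001 next to the newly added T1112, but T1547.001 (Registry Run Keys / Startup Folder) does not obviously describe tampering with event-log channel ACLs; T1562.002 (Disable Windows Event Logging) looks like the intended mapping, so please confirm against the upstream Sigma rule's tags before shipping. Since this .conf is converted from Sigma, a correction belongs in the source rule rather than here; the expected converted output would be `Annotation = {"mitre_attack": ["T1562.002", "T1112"], "author": "X__Junior"}` if the current tag is indeed wrong. The widened `EventLog\\%` prefixes in the same Query now cover every channel under Services\EventLog and under the EventLog policy key, which matches the added T1112 but is a real scope change; a short note in the rule's comment line (which sits above this hunk) would record why the per-channel restriction was dropped.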
