diff --git a/config/uberAgent-ESA-am-sigma-high-windows.conf b/config/uberAgent-ESA-am-sigma-high-windows.conf
index 7a6fab2d..7be5a4f3 100644
--- a/config/uberAgent-ESA-am-sigma-high-windows.conf
+++ b/config/uberAgent-ESA-am-sigma-high-windows.conf
@@ -3186,7 +3186,7 @@ EventType = Process.Start
 Tag = proc-start-schtasks-creation-or-modification-with-system-privileges
 RiskScore = 75
 Annotation = {"mitre_attack": ["T1053.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.Path like r"%\\schtasks.exe" and (Process.CommandLine like r"% /change %" or Process.CommandLine like r"% /create %") and Process.CommandLine like r"%/ru %" and (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM %") and not (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/TN TVInstallRestore%" and Process.CommandLine like r"%\\TeamViewer\_.exe%" or Process.CommandLine like r"%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %" or Process.CommandLine like r"%:\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira\_speedup\_setup.exe%" or Process.CommandLine like r"%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%")
+Query = Process.Path like r"%\\schtasks.exe" and (Process.CommandLine like r"% /change %" or Process.CommandLine like r"% /create %") and Process.CommandLine like r"%/ru %" and (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM %") and not (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/TN TVInstallRestore%" and Process.CommandLine like r"%\\TeamViewer\_.exe%" or Process.CommandLine like r"%Subscription Heartbeat%" and Process.CommandLine like r"%\\HeartbeatConfig.xml%" and Process.CommandLine like r"%\\Microsoft Shared\\OFFICE%" or Process.CommandLine like r"%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %" or Process.CommandLine like r"%:\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira\_speedup\_setup.exe%" or Process.CommandLine like r"%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%")
 [ThreatDetectionRule platform=Windows]
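Review bot: The new Office exclusion in the `+Query` line is keyed only on three command-line fragments (`%Subscription Heartbeat%`, `%\\HeartbeatConfig.xml%`, `%\\Microsoft Shared\\OFFICE%`), so it is broader than the one benign heartbeat task it is meant to cover; the neighbouring filters in the same `not (...)` group at least pin a `/TN` name or a full `/TR` action path. Consider anchoring it the same way, e.g. on the complete `/TR` action path of the heartbeat task rather than three independent substrings, or on the parent image, so that the exclusion matches that task and little else. Since `and` binds tighter than `or`, the three-term group is self-contained, but a short comment above the rule naming the exclusion, e.g. `# Filter: Office Subscription Heartbeat scheduled task (HeartbeatConfig.xml)`, would help the next maintainer. The rule's header lines lie before the visible hunk.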
@@ -7210,14 +7210,14 @@ Query = Process.CommandLine like r"%Add-Exfiltration%" or Process.CommandLine li
 [ThreatDetectionRule platform=Windows]
 # Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
-# Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
+# Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 RuleId = c86500e9-a645-4680-98d7-f882c70c1ea3
 RuleName = AADInternals PowerShell Cmdlets Execution - ProccessCreation
 EventType = Process.Start
 Tag = proc-start-aadinternals-powershell-cmdlets-execution-proccesscreation
 RiskScore = 75
-Annotation = {"author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.Exe", "pwsh.dll"]) and (Process.CommandLine like r"%Add-AADInt%" or Process.CommandLine like r"%ConvertTo-AADInt%" or Process.CommandLine like r"%Disable-AADInt%" or Process.CommandLine like r"%Enable-AADInt%" or Process.CommandLine like r"%Export-AADInt%" or Process.CommandLine like r"%Get-AADInt%" or Process.CommandLine like r"%Grant-AADInt%" or Process.CommandLine like r"%Install-AADInt%" or Process.CommandLine like r"%Invoke-AADInt%" or Process.CommandLine like r"%Join-AADInt%" or Process.CommandLine like r"%New-AADInt%" or Process.CommandLine like r"%Open-AADInt%" or Process.CommandLine like r"%Read-AADInt%" or Process.CommandLine like r"%Register-AADInt%" or Process.CommandLine like r"%Remove-AADInt%" or Process.CommandLine like r"%Restore-AADInt%" or Process.CommandLine like r"%Search-AADInt%" or Process.CommandLine like r"%Send-AADInt%" or Process.CommandLine like r"%Set-AADInt%" or Process.CommandLine like r"%Start-AADInt%" or Process.CommandLine like r"%Update-AADInt%")
+Annotation = {"author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)"}
+Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.Exe", "pwsh.dll"]) and (Process.CommandLine like r"%Add-AADInt%" or Process.CommandLine like r"%ConvertTo-AADInt%" or Process.CommandLine like r"%Disable-AADInt%" or Process.CommandLine like r"%Enable-AADInt%" or Process.CommandLine like r"%Export-AADInt%" or Process.CommandLine like r"%Find-AADInt%" or Process.CommandLine like r"%Get-AADInt%" or Process.CommandLine like r"%Grant-AADInt%" or Process.CommandLine like r"%Initialize-AADInt%" or Process.CommandLine like r"%Install-AADInt%" or Process.CommandLine like r"%Invoke-AADInt%" or Process.CommandLine like r"%Join-AADInt%" or Process.CommandLine like r"%New-AADInt%" or Process.CommandLine like r"%Open-AADInt%" or Process.CommandLine like r"%Read-AADInt%" or Process.CommandLine like r"%Register-AADInt%" or Process.CommandLine like r"%Remove-AADInt%" or Process.CommandLine like r"%Reset-AADInt%" or Process.CommandLine like r"%Resolve-AADInt%" or Process.CommandLine like r"%Restore-AADInt%" or Process.CommandLine like r"%Save-AADInt%" or Process.CommandLine like r"%Search-AADInt%" or Process.CommandLine like r"%Send-AADInt%" or Process.CommandLine like r"%Set-AADInt%" or Process.CommandLine like r"%Start-AADInt%" or Process.CommandLine like r"%Unprotect-AADInt%" or Process.CommandLine like r"%Update-AADInt%")
 [ThreatDetectionRule platform=Windows]
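Review bot: The `+Query` line adds `%\\powershell\_ise.exe` to the `Process.Path` alternatives but leaves the `Process.Name in ["PowerShell.Exe", "pwsh.dll"]` list as it was, so the two halves of the host-process selection no longer describe the same set of binaries. If `Process.Name` carries the image's original file name, the ISE host presumably needs its own entry there; check how the other PowerShell rules in this file spell it rather than guessing a value. Separately, the unchanged context comment reads `ADDInternals` while `RuleName` says `AADInternals`; the comment should read `# Detects AADInternals Cmdlet execution. A tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.`. The rule ends at the visible closing `[ThreatDetectionRule platform=Windows]` line; the following rule's body is outside the hunk.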
@@ -7741,8 +7741,8 @@ RuleName = Windows Event Log Access Tampering Via Registry
 EventType = Reg.Any
 Tag = windows-event-log-access-tampering-via-registry
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1547.001"], "author": "X__Junior"}
-Query = (Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\System%" and Reg.TargetObject like r"%\\CustomSD" or (Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows\\EventLog\\Setup%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels%") and Reg.TargetObject like r"%\\ChannelAccess") and (Reg.Value.Data like r"%D:(D;%" or Reg.Value.Data like r"%D:(%" and Reg.Value.Data like r"%)(D;%")
+Annotation = {"mitre_attack": ["T1547.001", "T1112"], "author": "X__Junior"}
+Query = (Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\%" and Reg.TargetObject like r"%\\CustomSD" or (Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows\\EventLog\\%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels%") and Reg.TargetObject like r"%\\ChannelAccess") and (Reg.Value.Data like r"%D:(D;%" or Reg.Value.Data like r"%D:(%" and Reg.Value.Data like r"%)(D;%")
 Hive = HKLM,HKU
 GenericProperty1 = Reg.TargetObject
 GenericProperty2 = Reg.Value.Data
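Review bot: The `+Annotation` line keeps `T1547.001` (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), which does not describe rewriting the `CustomSD`/`ChannelAccess` security descriptors of event log channels; the added `T1112` (Modify Registry) fits, and the technique for impairing event logging is `T1562.002` (Impair Defenses: Disable Windows Event Logging). Unless the upstream Sigma source deliberately carries T1547.001, I would change the line to `Annotation = {"mitre_attack": ["T1562.002", "T1112"], "author": "X__Junior"}`. The widened `EventLog\\%` prefixes in the `+Query` line look correct: `and` binds tighter than `or`, so each key-path branch is still tied to its own `\\CustomSD` or `\\ChannelAccess` suffix before the Deny-ACE data check is applied. The rule's `RuleId` and header comment sit above the visible hunk.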