This site provides users with searches/configurations/queries/alerts for common security tools that usually cost a fortune to get running properly. In order to get top quality alerts and monitoring configured in your environment, you usually have to pay a fortune for enterprise licenses or support, but, with augmentd, you can grab what you need and put community generated alerts in place right away!

Product Name Tags Author Submitter
osquery Hacking Team Persistence IR Endpoint  osquery @brian_warehime
select * from file where directory like '/Users/%/Library/Preferences/8pHbqThW%';

Reference: https://osquery.io/docs/packs/#osx-attacks

osquery Detect OSX Pirrit IR Endpoint Malware  osquery @brian_warehime
select * from preferences where path = '/Library/Preferences/com.common.plist' and key = 'net_pref';

Reference: https://osquery.io/docs/packs/#osx-attacks

osquery Detect Spigot Malware IR Endpoint Malware  osquery @brian_warehime
select * from launchd where name like 'com.spigot.%.plist';

Reference: https://osquery.io/docs/packs/#osx-attacks

splunk Detect Account Crawling (>2 Hosts) IR UBA  @hackerhurricane @brian_warehime
index=windows LogName=Security EventCode=4624 NOT (host=“DC1" OR host=“DC2" OR host=“DC…”) NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON") NOT (Account_Name=“Service_Account") | eval Account_Domain=(mvindex(Account_Domain,1)) | eval Account_Name=if(Account_Name="-",(mvindex(Account_Name,1)), Account_Name) | eval Account_Name=if(Account_Name="*$",(mvindex(Account_Name,1)), Account_Name) | eval Time=strWime(_Ome,"%Y/%m/%d%T") |.stats countvalues(Account_Domain) AS Domain, values(host) AS Host,dc(host) ASHost_Count,values(Logon_Type) AS Logon_Type, values Workstation_Name) AS WS_Name, values(Source_Network_Address) AS Source_IP, values(Process_Name) AS Process_Name by Account_Name | where Host_Count > 2

Reference: https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf

sigma Detect Known Malicious PowerShell Commandlets Endpoint Powershell Windows  Sean Metcalf, Florian Roth @swannysec
title: Malicious PowerShell Commandlets
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
platform: windows
product: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- Invoke-DllInjection
- Invoke-Shellcode
- Invoke-WmiCommand
- Get-GPPPassword
- Get-Keystrokes
- Get-TimedScreenshot
- Get-VaultCredential
- Invoke-CredentialInjection
- Invoke-Mimikatz
- Invoke-NinjaCopy
- Invoke-TokenManipulation
- Out-Minidump
- VolumeShadowCopyTools
- Invoke-ReflectivePEInjection
- Invoke-UserHunter
- Find-GPOLocation
- Invoke-ACLScanner
- Invoke-DowngradeAccount
- Get-ServiceUnquoted
- Get-ServiceFilePermission
- Get-ServicePermission
- Invoke-ServiceAbuse
- Install-ServiceBinary
- Get-RegAutoLogon
- Get-VulnAutoRun
- Get-VulnSchTask
- Get-UnattendedInstallFile
- Get-WebConfig
- Get-ApplicationHost
- Get-RegAlwaysInstallElevated
- Get-Unconstrained
- Add-RegBackdoor
- Add-ScrnSaveBackdoor
- Gupt-Backdoor
- Invoke-ADSBackdoor
- Enabled-DuplicateToken
- Invoke-PsUaCme
- Remove-Update
- Check-VM
- Get-LSASecret
- Get-PassHashes
- Invoke-Mimikatz
- Show-TargetScreen
- Port-Scan
- Invoke-PoshRatHttp
- Invoke-PowerShellTCP
- Invoke-PowerShellWMI
- Add-Exfiltration
- Add-Persistence
- Do-Exfiltration
- Start-CaptureServer
- Invoke-DllInjection
- Invoke-ReflectivePEInjection
- Invoke-ShellCode
- Get-ChromeDump
- Get-ClipboardContents
- Get-FoxDump
- Get-IndexedItem
- Get-Keystrokes
- Get-Screenshot
- Invoke-Inveigh
- Invoke-NetRipper
- Invoke-NinjaCopy
- Out-Minidump
- Invoke-EgressCheck
- Invoke-PostExfil
- Invoke-PSInject
- Invoke-RunAs
- MailRaider
- New-HoneyHash
- Set-MacAttribute
- Get-VaultCredential
- Invoke-DCSync
- Invoke-Mimikatz
- Invoke-PowerDump
- Invoke-TokenManipulation
- Exploit-Jboss
- Invoke-ThunderStruck
- Invoke-VoiceTroll
- Set-Wallpaper
- Invoke-InveighRelay
- Invoke-PsExec
- Invoke-SSHCommand
- Get-SecurityPackages
- Install-SSP
- Invoke-BackdoorLNK
- PowerBreach
- Get-GPPPassword
- Get-SiteListPassword
- Get-System
- Invoke-BypassUAC
- Invoke-Tater
- Invoke-WScriptBypassUAC
- PowerUp
- PowerView
- Get-RickAstley
- Find-Fruit
- HTTP-Login
- Find-TrustedDocuments
- Invoke-Paranoia
- Invoke-WinEnum
- Invoke-ARPScan
- Invoke-PortScan
- Invoke-ReverseDNSLookup
- Invoke-SMBScanner
- Invoke-Mimikittenz
condition: keywords
falsepositives:
- Penetration testing
level: high

Reference: https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_commandlets.yml

sigma Detect Powershell Called by Executable Endpoint Powershell Windows  Sean Metcalf, Florian Roth @swannysec
title: PowerShell called from an Executable Version Mismatch
status: experimental
description: Detects PowerShell called from an executable by the version mismatch method
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
platform: windows
product: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
selection1:
EventID: 400
EngineVersion:
- '2.*'
- '4.*'
- '5.*'
HostVersion: '3.*'
condition: selection1
falsepositives:
- Pentesters
level: high

Reference: https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_exe_calling_ps.yml

sigma Malicious PowerShell Keywords Endpoint Powershell Windows  Sean Metcalf, Florian Roth @swannysec
title: Malicious PowerShell Commandlets
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
platform: windows
product: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- AdjustTokenPrivileges
- IMAGE_NT_OPTIONAL_HDR64_MAGIC
- Management.Automation.RuntimeException
- Microsoft.Win32.UnsafeNativeMethods
- ReadProcessMemory.Invoke
- Runtime.InteropServices
- SE_PRIVILEGE_ENABLED
- System.Security.Cryptography
- System.Runtime.InteropServices
- LSA_UNICODE_STRING
- MiniDumpWriteDump
- PAGE_EXECUTE_READ
- Net.Sockets.SocketFlags
- Reflection.Assembly
- SECURITY_DELEGATION
- TOKEN_ADJUST_PRIVILEGES
- TOKEN_ALL_ACCESS
- TOKEN_ASSIGN_PRIMARY
- TOKEN_DUPLICATE
- TOKEN_ELEVATION
- TOKEN_IMPERSONATE
- TOKEN_INFORMATION_CLASS
- TOKEN_PRIVILEGES
- TOKEN_QUERY
- Metasploit
- Mimikatz
condition: keywords
falsepositives:
- Penetration tests
level: high

Reference: https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_keywords.yml

sigma PowerShell PSAttack Usage Endpoint Powershell Windows  Sean Metcalf, Florian Roth @swannysec
title: PowerShell PSAttack 
status: experimental
description: Detects the use of PSAttack PowerShell hack tool
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
platform: windows
product: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
EventID: 4103
keywords:
- 'PS ATTACK!!!'
condition: keywords
falsepositives:
- Pentesters
level: high

Reference: https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_psattack.yml

sysmon SwiftOnSecurity Sysmon Config Windows threat-hunting logging  @SwiftOnSecurity @brian_warehime
<!--
  sysmon-config | A sysmon configuration focused on default high-quality event tracing and easy customization by the community
  Master version:	51 | Date: 2017-03-14
  Master author:	@SwiftOnSecurity, other contributors also credited in-line or on Git.
  Master project:	https://github.com/SwiftOnSecurity/sysmon-config
  Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.

  Fork version:	<N/A>
  Fork author:	<N/A>
  Fork project:	<N/A>
  Fork license:	<N/A>

  REQUIRED: Sysmon version 6.00 or higher (due to changes in registry syntax)
	https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx

  NOTE: Do not let the imposing size and complexity of this configuration scare you off building your own or customizing it.
	This configuration is based around known high-quality event tracing, and thus looks extremely complicated.
	Sysmon configurations only have to be a few lines, but significant effort has been invested in front-loading as
	much filtering as possible onto the client. This is to make analysis of intrusions possible by hand, and try to
	surface anomalous activity as quickly as possible to any technician armed only with Event Viewer.

  NOTE:	Sysmon is not hardened against a determined attacker with admin rights. Also, this configuration offers an attacker, willing
	to study it closely, several ways to evade some of the alerting. If you are in a high-threat environment and have significant 
	security staff, you should consider a much broader log-all approach. However, in the vast majority of cases, an attacker
	will bumble along through multiple behavioral traps which this configuration monitors, especially in the first minutes.

  NOTE:	"Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
		"ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches.
		"LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions.
-->

<Sysmon schemaversion="3.30">
	<HashAlgorithms>md5,sha256</HashAlgorithms>
	<EventFiltering>

	<!--SYSMON EVENT ID 1 : PROCESS CREATION-->
		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
		<ProcessCreate onmatch="exclude">
		<!--COMMENT:	All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
				avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
				Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.-->
			<!--SECTION: Microsoft Windows-->
			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> <!--Microsoft:Windows: Update popups-->
			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> <!--Microsoft:Windows: Update popups-->
			<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
			<Image condition="is">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
			<Image condition="is">C:\Windows\System32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
			<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
			<!--SECTION: Microsoft:Windows:Defender-->
			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
			<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Defender: Full signature updates-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image> <!--Microsoft:Defender: Delta signature updates-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image> <!--Microsoft:Defender: Engine updates-->
			<!--SECTION: Microsoft:Windows:svchost-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k appmodel</CommandLine> <!--Microsoft:Windows 10-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k dcomLaunch</CommandLine> <!--Microsoft:Windows dervices-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k defragsvc</CommandLine> <!--Microsoft:Windows defrag-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k imgsvc</CommandLine> <!--Microsoft:The Windows Image Acquisition Service-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k localServiceAndNoImpersonation</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k rPCSS</CommandLine> <!--Microsoft:Windows Services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Microsoft:Windows 10-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k utcsvc</CommandLine> <!--Microsoft:Windows Services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Microsoft:Windows Services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx</CommandLine> <!--Microsoft:Windows 10-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\windows\System32\svchost.exe -k werSvcGroup</CommandLine> <!--Microsoft:Windows: ErrorReporting-->
			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine> <!--Microsoft:Windows: Network services: Spawns Consent.exe-->
			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine> <!--Microsoft:Windows: Network services-->
			<!--SECTION: Microsoft:dotNet-->
			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet: Spawns thousands of ngen.exe processes-->
			<!--SECTION: Microsoft:Office-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
			<!--SECTION: Microsoft:Office:Click2Run-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
			<!--SECTION: Google-->
			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
			<!--SECTION: Firefox-->
			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
			<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
			<!--SECTION: Adobe-->
			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
			<!--SECTION: Adobe:Flash-->
			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
			<!--SECTION: Adobe:Updater-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<!--SECTION: Adobe:Supporting processes-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
			<!--SECTION: Adobe:Creative Cloud-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
			<!--SECTION: Drivers-->
			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
			<!--SECTION: Dropbox-->
			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
			<!--SECTION: Dell-->
			<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
		</ProcessCreate>

	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
		<FileCreateTime onmatch="include">
			<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
		</FileCreateTime>
		<FileCreateTime onmatch="exclude">
			<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
			<Image condition="contains">setup</Image> <!--Ignore setups-->
		</FileCreateTime>

	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIP, DestinationHostname, DestinationPort, DestinationPortName-->
		<NetworkConnect onmatch="include">
		<!--COMMENT:	Takes a very conservative approach to network logging, limit to extremely high-signal events.-->
		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which may not always have the information or may be a CDN. Using that field is best-effort only.-->
		<!--TECHNICAL:	These exe's do not initiate their connections, and cannot be included: BITSADMIN-->
			<!--Suspicious sources-->
			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
			<!--Suspicious Windows tools-->
			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
			<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
			<Image condition="image">java.exe</Image> <!--Java: Monitor usage of vulnerable application | Credit @ion-storm -->
			<Image condition="image">mshta.exe</Image> <!--Microsoft:Windows: HTML application executes scripts without IE protections | Credit @ion-storm [ https://en.wikipedia.org/wiki/HTML_Application ] -->
			<Image condition="image">msiexec.exe</Image> <!--Microsoft:Windows: Can install from http:// paths | Credit @vector-sec -->
			<Image condition="image">net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
			<Image condition="image">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
			<Image condition="image">qwinsta.exe</Image> <!--Microsoft:Windows: Remotely query login sessions on a server or workstation | Credit @ion-storm -->
			<Image condition="image">reg.exe</Image> <!--Microsoft:Windows: Remote Registry | Credit @ion-storm -->
			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
			<Image condition="image">sc.exe</Image> <!--Microsoft:Windows: Remotely change Windows service settings from command line | Credit @ion-storm -->
			<Image condition="image">wmic.exe</Image> <!--Microsoft:WindowsManagementInstrumentation: Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
			<Image condition="image">tor.exe</Image> <!--Tor [ https://www.hybrid-analysis.com/sample/800bf028a23440134fc834efc5c1e02cc70f05b2e800bbc285d7c92a4b126b1c?environmentId=100 ] -->
			<!--Ports: Suspicious-->
			<DestinationPort condition="is">22</DestinationPort> <!--SSH protocol-->
			<DestinationPort condition="is">23</DestinationPort> <!--Telnet protocol-->
			<DestinationPort condition="is">25</DestinationPort> <!--SMTP mail protocol-->
			<DestinationPort condition="is">3389</DestinationPort> <!--Microsoft:Windows:RDP-->
			<DestinationPort condition="is">5800</DestinationPort> <!--VNC protocol-->
			<DestinationPort condition="is">5900</DestinationPort> <!--VNC protocol-->
			<!--Ports: Proxy-->
			<DestinationPort condition="is">1080</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->
			<DestinationPort condition="is">3128</DestinationPort> <!--Socks proyx port | Credit @ion-storm-->
			<DestinationPort condition="is">8080</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->
			<!--Ports: Tor-->
			<DestinationPort condition="is">1723</DestinationPort> <!--Tor protocol | Credit @ion-storm-->
			<DestinationPort condition="is">4500</DestinationPort> <!--Tor protocol | Credit @ion-storm-->
			<DestinationPort condition="is">9001</DestinationPort> <!--Tor protocol [ http://www.computerworlduk.com/tutorial/security/tor-enterprise-2016-blocking-malware-darknet-use-rogue-nodes-3633907/ ] -->
			<DestinationPort condition="is">9030</DestinationPort> <!--Tor protocol [ http://www.computerworlduk.com/tutorial/security/tor-enterprise-2016-blocking-malware-darknet-use-rogue-nodes-3633907/ ] -->
		</NetworkConnect>
		<NetworkConnect onmatch="exclude">
			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
			<!--SECTION: Microsoft-->
			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
		</NetworkConnect>

	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->
		<!--DATA: UtcTime, State, Version, SchemaVersion-->
		<!--Cannot be filtered.-->

	<!--SYSMON EVENT ID 5 : PROCESS ENDED-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
		<ProcessTerminate onmatch="include">
		<!--COMMENT:	Useful data in building infection timelines.-->
			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
		</ProcessTerminate>

	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL-->
		<!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
		<DriverLoad onmatch="exclude">
		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
			<Signature condition="begin with">Intel </Signature> <!--Exclude signed Intel drivers-->
		</DriverLoad>

	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
		<ImageLoad onmatch="include">
		<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
		</ImageLoad>

	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
		<CreateRemoteThread onmatch="exclude">
		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions.
				Exclude mostly-safe sources and log anything else.-->
			<SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\System32\services.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\System32\winlogon.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\System32\audiodg.exe</SourceImage>
			<StartModule condition="is">C:\windows\system32\kernel32.dll</StartModule>
			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
		</CreateRemoteThread>

	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
		<RawAccessRead onmatch="include">
		<!--COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
				Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
				Encourage you to experiment with this feature yourself.-->
		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
		</RawAccessRead>

	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS-->
		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
		<ProcessAccess onmatch="include">
		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause a huge number of events.-->
		</ProcessAccess>

	<!--SYSMON EVENT ID 11 : FILE CREATED-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
		<FileCreate onmatch="include">
			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
			<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks-->
			<TargetFilename condition="begin with">C:\Windows\System32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
			<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks-->
		</FileCreate>
		<FileCreate onmatch="exclude">
			<!--SECTION: Microsoft:Office:Click2Run-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!-- Microsoft:Office Click2Run-->
			<!--SECTION: Microsoft:Windows-->
			<Image condition="is">C:\Windows\System32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
			<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image> <!-- Microsoft:Windows: WMI Performance updates-->
			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
			<!--SECTION: Microsoft:Windows:Updates-->
			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
			<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
			<!--SECTION: Dell-->
			<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
			<!--SECTION: Intel-->
			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
		</FileCreate>

	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION-->
		<!--NOTE:	It may appear this section is missing important entries, but many of them match multiple areas, so look carefully to see if something is already covered.-->
		<!--NOTE:	"contains" conditions below are formatted to reduce CPU load, so they may appear written inconsis

Reference: https://github.com/SwiftOnSecurity/sysmon-config

sigma PowerShell Downloads Endpoint Powershell Windows  Florian Roth @swannysec
title: Suspicious PowerShell Download
status: experimental
description: Detects suspicious PowerShell download command
author: Florian Roth
logsource:
platform: windows
product: powershell
detection:
keywords:
- 'System.Net.WebClient).DownloadString('
- 'system.net.webclient).downloadfile('
condition: keywords
falsepositives:
- PowerShell scripts that download content from the Internet
level: medium

Reference: https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_download.yml

sigma Generic Suspicious PowerShell Invocations Endpoint Powershell Windows   Florian Roth @swannysec
title: Suspicious PowerShell Invocations - Generic
status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (rule)
logsource:
platform: windows
product: powershell
detection:
encoded:
- ' -enc '
- ' -EncodedCommand '
hidden:
- ' -w hidden '
- ' -window hidden '
- ' - windowstyle hidden '
noninteractive:
- ' -noni '
- ' -noninteractive '
condition: encoded and hidden and noninteractive
falsepositives:
- Penetration tests
level: high

Reference: https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_generic.yml

sigma Specific Suspicious PowerShell Invocations Endpoint Powershell Windows  Florian Roth @swannysec
title: Suspicious PowerShell Invocations - Specific
status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (rule)
logsource:
platform: windows
product: powershell
detection:
keywords:
- ' -nop -w hidden -c * [Convert]::FromBase64String'
- ' -w hidden -noni -nop -c "iex(New-Object'
- ' -w hidden -ep bypass -Enc'
- 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'
- 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'
- 'iex(New-Object Net.WebClient).Download'
condition: keywords
falsepositives:
- Penetration tests
level: high

Reference: https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_specific.yml

sigma Linux Buffer Overflow Endpoint Linux  Florian Roth @swannysec
title: Buffer Overflow Attempts
description: Detects buffer overflow attempts in Linux system log files
reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
logsource:
product: linux
detection:
keywords:
- 'attempt to execute code on stack by'
- 'FTP LOGIN FROM .* 0bin0sh'
- 'rpc.statd[\d+]: gethostbyname error for'
- 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
condition: keywords
falsepositives:
- Unkown
level: high
tags = Endpoint, Linux

Reference: https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_buffer_overflows.yml

sigma Meaningful ClamAV Logs Endpoint Linux  Florian Roth @swannysec
title: Relevant ClamAV Message
description: Detects relevant ClamAV messages
reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
logsource:
product: linux
service: clamav
detection:
keywords:
- 'Trojan*FOUND'
- 'VirTool*FOUND'
- 'Webshell*FOUND'
- 'Rootkit*FOUND'
- 'Htran*FOUND'
condition: keywords
falsepositives:
- Unknown
level: high

Reference: https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_clamav.yml

sigma Suspicious Shell Commands Endpoint Linux  Florian Roth @swannysec
title: Suspicious Activity in Shell Commands
description: Detects suspicious shell commands used in various exploit codes (see references)
reference:
- http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
logsource:
product: linux
detection:
keywords:
# Generic suspicious commands
- 'wget * - http* | perl'
- 'wget * - http* | sh'
- 'wget * - http* | bash'
- 'python -m SimpleHTTPServer'
# Apache Struts in-the-wild exploit codes
- 'stop;service iptables stop;'
- 'stop;SuSEfirewall2 stop;'
- 'chmod 777 2020'
- '">>/etc/rc.local;'
- 'wget -c *;chmod 777'
# Metasploit framework exploit codes
- 'base64 -d /tmp/'
- ' | base64 -d'
- '/bin/chmod u+s'
- 'chmod +s /tmp/'
- 'chmod u+s /tmp/'
- '/tmp/haxhax'
- '/tmp/ns_sploit'
- 'nc -l -p '
- 'cp /bin/ksh '
- 'cp /bin/sh '
- ' /tmp/*.b64 '
- '/tmp/4bUIkbrG.c'
- '/tmp/ysocereal.jar'
condition: keywords
falsepositives:
- Unknown
level: high

Reference: https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_shell_susp_activity.yml

osquery Detect WireLurker Malware IR Endpoint  osquery @brian_warehime
select * from launchd where name = 'com.apple.machook_damon.plist' OR name = 'com.apple.globalupdate.plist' OR name = 'com.apple.appstore.plughelper.plist' OR name = 'com.apple.MailServiceAgentHelper.plist' OR name = 'com.apple.systemkeychain-helper.plist' OR name = 'com.apple.periodic-dd-mm-yy.plist';

Reference: https://osquery.io/docs/packs/#osx-attacks_WireLurker

osquery List Open Sockets Network IR Endpoint  osquery @brian_warehime
select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';

Reference: https://osquery.io/docs/packs/#incident-response_open_sockets

osquery Get all extended attributes from all user's download folders Endpoint OSX IR  osquery obelisk
select path, key, value, base64  from extended_attributes where path in (select path from file where directory like '/Users/%/Downloads/'); 

Reference: https://osquery.io/docs/tables/#extended_attributes

sigma Detects Suspicious Process Creations Endpoint IR Windows  Florian Roth @brian_warehime
title: Detects Suspicious Process Creations
description: Detects suspicious process starts on Windows systems bsed on keywords
status: experimental
reference:
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
author: Florian Roth
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
# Hacking activity
- 'vssadmin.exe delete shadows*'
- 'vssadmin delete shadows*'
- 'certutil.exe -decode *'
- 'vssadmin create shadow /for=C:*'
- 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
- 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
- 'reg SAVE HKLM\SYSTEM *'
- '* sekurlsa:*'
- 'net localgroup adminstrators * /add'
- 'net group "Domain Admins" * /ADD /DOMAIN'
# Malware
- 'netsh advfirewall firewall *\AppData\*'
- 'attrib +S +H +R *\AppData\*'
- 'schtasks* /create *\AppData\*'
- '*\Regasm.exe *\AppData\*'
- '*\Regasm *\AppData\*'
- '*\bitsadmin* /transfer*'
- '*\certutil.exe * -decode *'
- '*\certutil.exe * -decodehex *'
# Scripts
- '*\wscript.exe *.jse'
- '*\wscript.exe *.js'
- '*\wscript.exe *.vba'
- '*\wscript.exe *.vbe'
- '*\cscript.exe *.jse'
- '*\cscript.exe *.js'
- '*\cscript.exe *.vba'
- '*\cscript.exe *.vbe'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium

Reference: https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/

sigma Malicious Service Installs Endpoint IR Windows  Florian Roth @brian_warehime
title: Malicious Service Installs
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
author: Florian Roth
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
wce:
ServiceName:
- 'WCESERVICE'
- 'WCE SERVICE'
paexec:
ServiceFileName: '*\PAExec*'
winexe:
ServiceFileName: 'winexesvc.exe*'
pwdumpx:
ServiceFileName: '*\DumpSvc.exe'
others:
ServiceName:
- 'pwdump*'
- 'gsecdump*'
- 'cachedump*'
condition: selection and ( wce or paexec or winexe or pwdumpx or others )
falsepositives:
- Penetration testing
level: critical

Reference: https://github.com/Neo23x0/sigma/blob/707e5a948fec69afdec03c5ab33287adac0304d0/rules/windows/builtin/win_mal_service_installs.yml

osquery Identify All Network Communications Netstat Linux OS X  @pathcl @pathcl
select pr.name AS protocol, pos.local_address || ':' || pos.local_port AS 'Local Address', pos.remote_address || ':' || pos.remote_port AS 'Foreign Address', p.pid || '/' || p.name AS 'PID/Program name' FROM process_open_sockets AS pos JOIN processes AS p ON p.pid = pos.pid JOIN etc_protocols pr ON pos.protocol = pr.number WHERE (pos.path <> '' OR pos.remote_address <> '') AND (pr.number = 6 OR pr.number = 17) AND pos.local_port > 0 ORDER BY pos.family, pos.local_address; 

Reference: