docs: 📚 Add more sigma rule

frack113 · May 20, 2024 · 8bfd957 · 8bfd957
1 parent 8575fb5
commit 8bfd957
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 22 deletions.
diff --git a/Full_tests.csv b/Full_tests.csv
@@ -677,7 +677,7 @@ privilege-escalation;T1053.003;sh;['linux'];Cron - Add script to /etc/cron.d fol
 privilege-escalation;T1053.003;bash;['linux'];Cron - Add script to /var/spool/cron/crontabs/ folder;2d943c18-e74a-44bf-936f-25ade6cccab4;False;4
 privilege-escalation;T1098.003;powershell;['azure-ad'];Azure AD - Add Company Administrator Role to a user;4d77f913-56f5-4a14-b4b1-bf7bb24298ad;False;1
 privilege-escalation;T1098.003;powershell;['azure-ad'];Simulate - Post BEC persistence via user password reset followed by user added to company administrator role;14f3af20-61f1-45b8-ad31-4637815f3f44;False;2
-privilege-escalation;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;False;1
+privilege-escalation;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;True;1
 privilege-escalation;T1574.001;command_prompt;['windows'];DLL Search Order Hijacking - amsi.dll;8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3;True;1
 privilege-escalation;T1055.003;powershell;['windows'];Thread Execution Hijacking;578025d5-faa9-4f6d-8390-aae527d503e1;True;1
 privilege-escalation;T1546.011;command_prompt;['windows'];Application Shim Installation;9ab27e22-ee62-4211-962b-d36d9a0e6a18;True;1
@@ -744,7 +744,7 @@ privilege-escalation;T1546.012;powershell;['windows'];GlobalFlags in Image File
 privilege-escalation;T1546.008;powershell;['windows'];Attaches Command Prompt as a Debugger to a List of Target Processes;3309f53e-b22b-4eb6-8fd2-a6cf58b355a9;True;1
 privilege-escalation;T1546.008;command_prompt;['windows'];Replace binary of sticky keys;934e90cf-29ca-48b3-863c-411737ad44e3;True;2
 privilege-escalation;T1546.008;command_prompt;['windows'];Create Symbolic Link From osk.exe to cmd.exe;51ef369c-5e87-4f33-88cd-6d61be63edf2;True;3
-privilege-escalation;T1546.008;command_prompt;['windows'];Atbroker.exe (AT) Executes Arbitrary Command via Registry Key;444ff124-4c83-4e28-8df6-6efd3ece6bd4;False;4
+privilege-escalation;T1546.008;command_prompt;['windows'];Atbroker.exe (AT) Executes Arbitrary Command via Registry Key;444ff124-4c83-4e28-8df6-6efd3ece6bd4;True;4
 privilege-escalation;T1055.004;command_prompt;['windows'];Process Injection via C#;611b39b7-e243-4c81-87a4-7145a90358b1;True;1
 privilege-escalation;T1055.004;powershell;['windows'];EarlyBird APC Queue Injection in Go;73785dd2-323b-4205-ab16-bb6f06677e14;False;2
 privilege-escalation;T1055.004;powershell;['windows'];Remote Process Injection with Go using NtQueueApcThreadEx WinAPI;4cc571b1-f450-414a-850f-879baf36aa06;False;3
@@ -996,7 +996,7 @@ execution;T1569.002;bash;['linux'];psexec.py (Impacket);edbcd8c9-3639-4844-afad-
 execution;T1569.002;powershell;['windows'];BlackCat pre-encryption cmds with Lateral Movement;31eb7828-97d7-4067-9c1e-c6feb85edc4b;True;4
 execution;T1569.002;command_prompt;['windows'];Use RemCom to execute a command on a remote host;a5d8cdeb-be90-43a9-8b26-cc618deac1e0;True;5
 execution;T1569.002;command_prompt;['windows'];Snake Malware Service Create;b8db787e-dbea-493c-96cb-9272296ddc49;True;6
-execution;T1569.002;command_prompt;['windows'];Modifying ACL of Service Control Manager via SDET;bf07f520-3909-4ef5-aa22-877a50f2f77b;False;7
+execution;T1569.002;command_prompt;['windows'];Modifying ACL of Service Control Manager via SDET;bf07f520-3909-4ef5-aa22-877a50f2f77b;True;7
 execution;T1053.002;command_prompt;['windows'];At.exe Scheduled task;4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8;True;1
 execution;T1053.002;sh;['linux'];At - Schedule a job;7266d898-ac82-4ec0-97c7-436075d0d08e;False;2
 persistence;T1053.005;command_prompt;['windows'];Scheduled Task Startup Script;fec27f65-db86-4c2d-b66c-61945aee87c2;True;1
@@ -1036,7 +1036,7 @@ persistence;T1053.003;bash;['linux'];Cron - Add script to /var/spool/cron/cronta
 persistence;T1137;command_prompt;['windows'];Office Application Startup - Outlook as a C2;bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c;True;1
 persistence;T1098.003;powershell;['azure-ad'];Azure AD - Add Company Administrator Role to a user;4d77f913-56f5-4a14-b4b1-bf7bb24298ad;False;1
 persistence;T1098.003;powershell;['azure-ad'];Simulate - Post BEC persistence via user password reset followed by user added to company administrator role;14f3af20-61f1-45b8-ad31-4637815f3f44;False;2
-persistence;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;False;1
+persistence;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;True;1
 persistence;T1574.001;command_prompt;['windows'];DLL Search Order Hijacking - amsi.dll;8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3;True;1
 persistence;T1137.006;powershell;['windows'];Code Executed Via Excel Add-in File (XLL);441b1a0f-a771-428a-8af0-e99e4698cda3;True;1
 persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via Excel Add-in File (XLL);9c307886-9fef-41d5-b344-073a0f5b2f5f;False;2
@@ -1045,8 +1045,8 @@ persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via Excel
 persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM);f89e58f9-2b49-423b-ac95-1f3e7cfd8277;False;5
 persistence;T1505.002;powershell;['windows'];Install MS Exchange Transport Agent Persistence;43e92449-ff60-46e9-83a3-1a38089df94d;True;1
 persistence;T1556.002;powershell;['windows'];Install and Register Password Filter DLL;a7961770-beb5-4134-9674-83d7e1fa865c;True;1
-persistence;T1505.005;powershell;['windows'];Simulate Patching termsrv.dll;0b2eadeb-4a64-4449-9d43-3d999f4a317b;False;1
-persistence;T1505.005;powershell;['windows'];Modify Terminal Services DLL Path;18136e38-0530-49b2-b309-eed173787471;False;2
+persistence;T1505.005;powershell;['windows'];Simulate Patching termsrv.dll;0b2eadeb-4a64-4449-9d43-3d999f4a317b;True;1
+persistence;T1505.005;powershell;['windows'];Modify Terminal Services DLL Path;18136e38-0530-49b2-b309-eed173787471;True;2
 persistence;T1176;manual;['linux', 'windows', 'macos'];Chrome/Chromium (Developer Mode);3ecd790d-2617-4abf-9a8c-4e8d47da9ee1;False;1
 persistence;T1176;manual;['linux', 'windows', 'macos'];Chrome/Chromium (Chrome Web Store);4c83940d-8ca5-4bb2-8100-f46dc914bc3f;False;2
 persistence;T1176;manual;['linux', 'windows', 'macos'];Firefox;cb790029-17e6-4c43-b96f-002ce5f10938;False;3
@@ -1097,7 +1097,7 @@ persistence;T1546.012;powershell;['windows'];GlobalFlags in Image File Execution
 persistence;T1546.008;powershell;['windows'];Attaches Command Prompt as a Debugger to a List of Target Processes;3309f53e-b22b-4eb6-8fd2-a6cf58b355a9;True;1
 persistence;T1546.008;command_prompt;['windows'];Replace binary of sticky keys;934e90cf-29ca-48b3-863c-411737ad44e3;True;2
 persistence;T1546.008;command_prompt;['windows'];Create Symbolic Link From osk.exe to cmd.exe;51ef369c-5e87-4f33-88cd-6d61be63edf2;True;3
-persistence;T1546.008;command_prompt;['windows'];Atbroker.exe (AT) Executes Arbitrary Command via Registry Key;444ff124-4c83-4e28-8df6-6efd3ece6bd4;False;4
+persistence;T1546.008;command_prompt;['windows'];Atbroker.exe (AT) Executes Arbitrary Command via Registry Key;444ff124-4c83-4e28-8df6-6efd3ece6bd4;True;4
 persistence;T1136.002;command_prompt;['windows'];Create a new Windows domain admin user;fcec2963-9951-4173-9bfa-98d8b7834e62;True;1
 persistence;T1136.002;command_prompt;['windows'];Create a new account similar to ANONYMOUS LOGON;dc7726d2-8ccb-4cc6-af22-0d5afb53a548;True;2
 persistence;T1136.002;powershell;['windows'];Create a new Domain Account using PowerShell;5a3497a4-1568-4663-b12a-d4a5ed70c7d7;True;3

diff --git a/sigma_rule.csv b/sigma_rule.csv
@@ -1580,7 +1580,7 @@ proc_creation_win_appvlp_uncommon_child_process.yml;False
 proc_creation_win_aspnet_compiler_exectuion.yml;False
 proc_creation_win_aspnet_compiler_susp_child_process.yml;False
 proc_creation_win_aspnet_compiler_susp_paths.yml;False
-proc_creation_win_atbroker_uncommon_ats_execution.yml;False
+proc_creation_win_atbroker_uncommon_ats_execution.yml;True
 proc_creation_win_attrib_hiding_files.yml;True
 proc_creation_win_attrib_system_susp_paths.yml;False
 proc_creation_win_at_interactive_execution.yml;True
@@ -2111,7 +2111,7 @@ proc_creation_win_powershell_run_script_from_input_stream.yml;False
 proc_creation_win_powershell_sam_access.yml;True
 proc_creation_win_powershell_script_engine_parent.yml;True
 proc_creation_win_powershell_service_dacl_modification_set_service.yml;False
-proc_creation_win_powershell_set_acl.yml;False
+proc_creation_win_powershell_set_acl.yml;True
 proc_creation_win_powershell_set_acl_susp_location.yml;False
 proc_creation_win_powershell_set_policies_to_unsecure_level.yml;True
 proc_creation_win_powershell_set_service_disabled.yml;False
@@ -2349,10 +2349,10 @@ proc_creation_win_sc_create_service.yml;True
 proc_creation_win_sc_disable_service.yml;False
 proc_creation_win_sc_new_kernel_driver.yml;False
 proc_creation_win_sc_query_interesting_services.yml;False
-proc_creation_win_sc_sdset_allow_service_changes.yml;False
+proc_creation_win_sc_sdset_allow_service_changes.yml;True
 proc_creation_win_sc_sdset_deny_service_access.yml;True
 proc_creation_win_sc_sdset_hide_sevices.yml;True
-proc_creation_win_sc_sdset_modification.yml;False
+proc_creation_win_sc_sdset_modification.yml;True
 proc_creation_win_sc_service_path_modification.yml;True
 proc_creation_win_sc_service_tamper_for_persistence.yml;True
 proc_creation_win_sc_stop_service.yml;True
@@ -2692,7 +2692,7 @@ registry_event_shell_open_keys_manipulation.yml;True
 registry_event_silentprocessexit_lsass.yml;False
 registry_event_ssp_added_lsa_config.yml;True
 registry_event_stickykey_like_backdoor.yml;True
-registry_event_susp_atbroker_change.yml;False
+registry_event_susp_atbroker_change.yml;True
 registry_event_susp_download_run_key.yml;False
 registry_event_susp_lsass_dll_load.yml;True
 registry_event_susp_mic_cam_access.yml;True

diff --git a/yml/0b2eadeb-4a64-4449-9d43-3d999f4a317b.yml b/yml/0b2eadeb-4a64-4449-9d43-3d999f4a317b.yml
@@ -17,5 +17,11 @@ description: |
   Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards.
   Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions.
 executor: powershell
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: fff9d2b7-e11c-4a69-93d3-40ef66189767
+    name: proc_creation_win_susp_copy_system_dir.yml
+  - id: bdeb2cff-af74-4094-8426-724dc937f20a
+    name: proc_creation_win_powershell_set_acl.yml
+  - id: 7047d730-036f-4f40-b9d8-1c63e36d5e62
+    name: file_event_win_powershell_drop_binary_or_script.yml
diff --git a/yml/18136e38-0530-49b2-b309-eed173787471.yml b/yml/18136e38-0530-49b2-b309-eed173787471.yml
@@ -16,5 +16,11 @@ os:
 description: This atomic test simulates the modification of the ServiceDll value in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique may be leveraged by adversaries to establish
   persistence by loading a patched version of the DLL containing malicious code.
 executor: powershell
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: bdeb2cff-af74-4094-8426-724dc937f20a
+    name: proc_creation_win_powershell_set_acl.yml
+  - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
+    name: registry_set_terminal_server_tampering.yml
+  - id: 612e47e9-8a59-43a6-b404-f48683f45bd6
+    name: registry_set_servicedll_hijack.yml
diff --git a/yml/444ff124-4c83-4e28-8df6-6efd3ece6bd4.yml b/yml/444ff124-4c83-4e28-8df6-6efd3ece6bd4.yml
@@ -28,5 +28,9 @@ description: 'Executes code specified in the registry for a new AT (Assistive Te
 
   '
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
+    name: registry_event_susp_atbroker_change.yml
+  - id: f24bcaea-0cd1-11eb-adc1-0242ac120002
+    name: proc_creation_win_atbroker_uncommon_ats_execution.yml
diff --git a/yml/bf07f520-3909-4ef5-aa22-877a50f2f77b.yml b/yml/bf07f520-3909-4ef5-aa22-877a50f2f77b.yml
@@ -16,5 +16,9 @@ os:
 description: "Modify permissions of Service Control Manager via SDSET. This allows any administrative user to escalate privilege and create a service with SYSTEM level privileges.Restart is required.\n\
   [Blog](https://0xv1n.github.io/posts/scmanager/)  \n"
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47
+    name: proc_creation_win_sc_sdset_allow_service_changes.yml
+  - id: 98c5aeef-32d5-492f-b174-64a691896d25
+    name: proc_creation_win_sc_sdset_modification.yml
diff --git a/yml/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.yml b/yml/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.yml
@@ -24,5 +24,7 @@ description: |
 
   The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
 executor: powershell
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
+    name: registry_set_add_port_monitor.yml