import: sigmaHQ windows process creation rules (#1182)

* import: sigmaHQ windows process creation rules

---------

Co-authored-by: GitHub Action <[email protected]>
Co-authored-by: marco <[email protected]>
Co-authored-by: Sebastien Blot <[email protected]>

.github/workflows/update-index.yml

@@ -38,6 +38,8 @@ jobs:
         run: |
           go build
           ./main -target configs
+          grep -v <.index.json >.index2.json '"classification": null'
+          mv .index2.json .index.json
       - uses: nelonoel/[email protected]
       - name: Commit files
         if: ${{ github.event_name == 'push'}}

collections/sigmahq/windows_proc_creation.md

@@ -0,0 +1,24 @@
+## Windows Suspicious Process Creation
+
+This collection is an import from SigmaHQ (core) project rules related to Windows Process Creation.
+
+Release: `r2024-11-10`
+
+## Pre Requisites
+
+The process creation detection relies on Sysmon.
+
+ - [Sysmon Download & Installation](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)
+ - [Example Sysmon configuration by @SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
+
+## Acquisition template
+
+Example acquisition for this collection:
+
+```yaml
+source: wineventlog
+pretty_name: sysmon
+event_channel: "Microsoft-Windows-Sysmon/Operational"
+labels:
+ type: sysmon
+```

contexts/crowdsecurity/sysmon_base.yaml

@@ -0,0 +1,12 @@
+#Context for sysmon events, mainly intended to be used with the sigma collection
+context:
+  command_line:
+    - evt.Meta.CommandLine
+  current_directory:
+    - evt.Meta.CurrentDirectory
+  user:
+    - evt.Meta.User
+  hashes:
+    - evt.Meta.Hashes
+  parent_image:
+    - evt.Meta.ParentImage

parsers/s01-parse/crowdsecurity/sysmon-logs.yaml

@@ -47,6 +47,16 @@ nodes:
         expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ParentUser']")
       - meta: SysmonEventType
         value: ProcessCreation
+      - meta: CommandLine
+        expression: evt.Parsed.CommandLine
+      - meta: CurrentDirectory
+        expression: evt.Parsed.CurrentDirectory
+      - meta: User
+        expression: evt.Parsed.User
+      - meta: Hashes
+        expression: evt.Parsed.Hashes
+      - meta: ParentImage
+        expression: evt.Parsed.ParentImage
   - filter: evt.Parsed.EventID == '2'
     statics:
       - parsed: ProcessGuid

scenarios/sigmahq/proc_creation_win_addinutil_suspicious_cmdline.yml

@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/proc_creation_win_addinutil_suspicious_cmdline
+description: |
+  Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. 
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\addinutil.exe' || evt.Parsed.OriginalFileName == 'AddInUtil.exe') && ((evt.Parsed.CommandLine contains '-AddInRoot:' || evt.Parsed.CommandLine contains '-PipelineRoot:') && (evt.Parsed.CommandLine contains '\\AppData\\Local\\Temp\\' || evt.Parsed.CommandLine contains '\\Desktop\\' || evt.Parsed.CommandLine contains '\\Downloads\\' || evt.Parsed.CommandLine contains '\\Users\\Public\\' || evt.Parsed.CommandLine contains '\\Windows\\Temp\\') || (evt.Parsed.CommandLine contains '-AddInRoot:.' || evt.Parsed.CommandLine contains '-AddInRoot:"."' || evt.Parsed.CommandLine contains '-PipelineRoot:.' || evt.Parsed.CommandLine contains '-PipelineRoot:"."') && (evt.Parsed.CurrentDirectory contains '\\AppData\\Local\\Temp\\' || evt.Parsed.CurrentDirectory contains '\\Desktop\\' || evt.Parsed.CurrentDirectory contains '\\Downloads\\' || evt.Parsed.CurrentDirectory contains '\\Users\\Public\\' || evt.Parsed.CurrentDirectory contains '\\Windows\\Temp\\')))
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1218
+
+  label: "Suspicious AddinUtil.EXE CommandLine Execution"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_adplus_memory_dump.yml

@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/proc_creation_win_adplus_memory_dump
+description: |
+  Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\adplus.exe' || evt.Parsed.OriginalFileName == 'Adplus.exe') && (evt.Parsed.CommandLine contains ' -hang ' || evt.Parsed.CommandLine contains ' -pn ' || evt.Parsed.CommandLine contains ' -pmn ' || evt.Parsed.CommandLine contains ' -p ' || evt.Parsed.CommandLine contains ' -po ' || evt.Parsed.CommandLine contains ' -c ' || evt.Parsed.CommandLine contains ' -sc '))
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1003.001
+
+  label: "Potential Adplus.EXE Abuse"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_agentexecutor_susp_usage.yml

@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/proc_creation_win_agentexecutor_susp_usage
+description: |
+  Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\AgentExecutor.exe' || evt.Parsed.OriginalFileName == 'AgentExecutor.exe') && (evt.Parsed.CommandLine contains ' -powershell' || evt.Parsed.CommandLine contains ' -remediationScript') && not (evt.Parsed.CommandLine contains 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\' || evt.Parsed.CommandLine contains 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\' || evt.Parsed.ParentImage endsWith '\\Microsoft.Management.Services.IntuneWindowsAgent.exe'))
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1218
+
+  label: "Suspicious AgentExecutor PowerShell Execution"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_aspnet_compiler_susp_child_process.yml

@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/proc_creation_win_aspnet_compiler_susp_child_process
+description: |
+  Detects potentially suspicious child processes of "aspnet_compiler.exe".
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.ParentImage endsWith '\\aspnet_compiler.exe' && (evt.Parsed.Image endsWith '\\calc.exe' || evt.Parsed.Image endsWith '\\notepad.exe' || evt.Parsed.Image contains '\\Users\\Public\\' || evt.Parsed.Image contains '\\AppData\\Local\\Temp\\' || evt.Parsed.Image contains '\\AppData\\Local\\Roaming\\' || evt.Parsed.Image contains ':\\Temp\\' || evt.Parsed.Image contains ':\\Windows\\Temp\\' || evt.Parsed.Image contains ':\\Windows\\System32\\Tasks\\' || evt.Parsed.Image contains ':\\Windows\\Tasks\\'))
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1127
+
+  label: "Suspicious Child Process of AspNetCompiler"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_aspnet_compiler_susp_paths.yml

@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/proc_creation_win_aspnet_compiler_susp_paths
+description: |
+  Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image contains 'C:\\Windows\\Microsoft.NET\\Framework\\' || evt.Parsed.Image contains 'C:\\Windows\\Microsoft.NET\\Framework64\\') && evt.Parsed.Image endsWith '\\aspnet_compiler.exe' && (evt.Parsed.CommandLine contains '\\Users\\Public\\' || evt.Parsed.CommandLine contains '\\AppData\\Local\\Temp\\' || evt.Parsed.CommandLine contains '\\AppData\\Local\\Roaming\\' || evt.Parsed.CommandLine contains ':\\Temp\\' || evt.Parsed.CommandLine contains ':\\Windows\\Temp\\' || evt.Parsed.CommandLine contains ':\\Windows\\System32\\Tasks\\' || evt.Parsed.CommandLine contains ':\\Windows\\Tasks\\'))
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1127
+
+  label: "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_at_interactive_execution.yml

@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/proc_creation_win_at_interactive_execution
+description: |
+  Detects an interactive AT job, which may be used as a form of privilege escalation.
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.Image endsWith '\\at.exe' && evt.Parsed.CommandLine contains 'interactive')
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1053.002
+
+  label: "Interactive AT Job"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_attrib_system_susp_paths.yml

@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/proc_creation_win_attrib_system_susp_paths
+description: |
+  Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs 
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\attrib.exe' || evt.Parsed.OriginalFileName == 'ATTRIB.EXE') && evt.Parsed.CommandLine contains ' +s' && (evt.Parsed.CommandLine contains ' %' || evt.Parsed.CommandLine contains '\\Users\\Public\\' || evt.Parsed.CommandLine contains '\\AppData\\Local\\' || evt.Parsed.CommandLine contains '\\ProgramData\\' || evt.Parsed.CommandLine contains '\\Downloads\\' || evt.Parsed.CommandLine contains '\\Windows\\Temp\\') && (evt.Parsed.CommandLine contains '.bat' || evt.Parsed.CommandLine contains '.dll' || evt.Parsed.CommandLine contains '.exe' || evt.Parsed.CommandLine contains '.hta' || evt.Parsed.CommandLine contains '.ps1' || evt.Parsed.CommandLine contains '.vbe' || evt.Parsed.CommandLine contains '.vbs') && not (evt.Parsed.CommandLine contains '\\Windows\\TEMP\\' && evt.Parsed.CommandLine contains '.exe'))
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1564.001
+
+  label: "Set Suspicious Files as System Files Using Attrib.EXE"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_auditpol_nt_resource_kit_usage.yml

@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/proc_creation_win_auditpol_nt_resource_kit_usage
+description: |
+  Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. 
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.CommandLine contains '/logon:none' || evt.Parsed.CommandLine contains '/system:none' || evt.Parsed.CommandLine contains '/sam:none' || evt.Parsed.CommandLine contains '/privilege:none' || evt.Parsed.CommandLine contains '/object:none' || evt.Parsed.CommandLine contains '/process:none' || evt.Parsed.CommandLine contains '/policy:none')
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1562.002
+
+  label: "Audit Policy Tampering Via NT Resource Kit Auditpol"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_auditpol_susp_execution.yml

@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/proc_creation_win_auditpol_susp_execution
+description: |
+  Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. 
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\auditpol.exe' || evt.Parsed.OriginalFileName == 'AUDITPOL.EXE') && (evt.Parsed.CommandLine contains 'disable' || evt.Parsed.CommandLine contains 'clear' || evt.Parsed.CommandLine contains 'remove' || evt.Parsed.CommandLine contains 'restore'))
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1562.002
+
+  label: "Audit Policy Tampering Via Auditpol"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_bcdedit_boot_conf_tamper.yml

@@ -0,0 +1,23 @@
+type: trigger
+name: sigmahq/proc_creation_win_bcdedit_boot_conf_tamper
+description: |
+  Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\bcdedit.exe' || evt.Parsed.OriginalFileName == 'bcdedit.exe') && evt.Parsed.CommandLine contains 'set' && (evt.Parsed.CommandLine contains 'bootstatuspolicy' && evt.Parsed.CommandLine contains 'ignoreallfailures' || evt.Parsed.CommandLine contains 'recoveryenabled' && evt.Parsed.CommandLine contains 'no'))
+blackhole: 2m
+#status: stable
+labels:
+  service: windows
+  confidence: 2
+  spoofable: 0
+  classification:
+   - attack.t1490
+
+  label: "Boot Configuration Tampering Via Bcdedit.EXE"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_bginfo_suspicious_child_process.yml

@@ -0,0 +1,25 @@
+type: trigger
+name: sigmahq/proc_creation_win_bginfo_suspicious_child_process
+description: |
+  Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.ParentImage endsWith '\\bginfo.exe' || evt.Parsed.ParentImage endsWith '\\bginfo64.exe') && (evt.Parsed.Image endsWith '\\calc.exe' || evt.Parsed.Image endsWith '\\cmd.exe' || evt.Parsed.Image endsWith '\\cscript.exe' || evt.Parsed.Image endsWith '\\mshta.exe' || evt.Parsed.Image endsWith '\\notepad.exe' || evt.Parsed.Image endsWith '\\powershell.exe' || evt.Parsed.Image endsWith '\\pwsh.exe' || evt.Parsed.Image endsWith '\\wscript.exe' || evt.Parsed.Image contains '\\AppData\\Local\\' || evt.Parsed.Image contains '\\AppData\\Roaming\\' || evt.Parsed.Image contains ':\\Users\\Public\\' || evt.Parsed.Image contains ':\\Temp\\' || evt.Parsed.Image contains ':\\Windows\\Temp\\' || evt.Parsed.Image contains ':\\PerfLogs\\'))
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1059.005
+   - attack.t1218
+   - attack.t1202
+
+  label: "Suspicious Child Process Of BgInfo.EXE"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_bitsadmin_download_direct_ip.yml

@@ -0,0 +1,24 @@
+type: trigger
+name: sigmahq/proc_creation_win_bitsadmin_download_direct_ip
+description: |
+  Detects usage of bitsadmin downloading a file using an URL that contains an IP
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\bitsadmin.exe' || evt.Parsed.OriginalFileName == 'bitsadmin.exe') && (evt.Parsed.CommandLine contains ' /transfer ' || evt.Parsed.CommandLine contains ' /create ' || evt.Parsed.CommandLine contains ' /addfile ') && (evt.Parsed.CommandLine contains '://1' || evt.Parsed.CommandLine contains '://2' || evt.Parsed.CommandLine contains '://3' || evt.Parsed.CommandLine contains '://4' || evt.Parsed.CommandLine contains '://5' || evt.Parsed.CommandLine contains '://6' || evt.Parsed.CommandLine contains '://7' || evt.Parsed.CommandLine contains '://8' || evt.Parsed.CommandLine contains '://9') && not (evt.Parsed.CommandLine contains '://7-'))
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1197
+   - attack.t1036.003
+
+  label: "Suspicious Download From Direct IP Via Bitsadmin"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+

scenarios/sigmahq/proc_creation_win_bitsadmin_download_susp_extensions.yml

@@ -0,0 +1,24 @@
+type: trigger
+name: sigmahq/proc_creation_win_bitsadmin_download_susp_extensions
+description: |
+  Detects usage of bitsadmin downloading a file with a suspicious extension
+filter: |
+  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\bitsadmin.exe' || evt.Parsed.OriginalFileName == 'bitsadmin.exe') && (evt.Parsed.CommandLine contains ' /transfer ' || evt.Parsed.CommandLine contains ' /create ' || evt.Parsed.CommandLine contains ' /addfile ') && (evt.Parsed.CommandLine contains '.7z' || evt.Parsed.CommandLine contains '.asax' || evt.Parsed.CommandLine contains '.ashx' || evt.Parsed.CommandLine contains '.asmx' || evt.Parsed.CommandLine contains '.asp' || evt.Parsed.CommandLine contains '.aspx' || evt.Parsed.CommandLine contains '.bat' || evt.Parsed.CommandLine contains '.cfm' || evt.Parsed.CommandLine contains '.cgi' || evt.Parsed.CommandLine contains '.chm' || evt.Parsed.CommandLine contains '.cmd' || evt.Parsed.CommandLine contains '.dll' || evt.Parsed.CommandLine contains '.gif' || evt.Parsed.CommandLine contains '.jpeg' || evt.Parsed.CommandLine contains '.jpg' || evt.Parsed.CommandLine contains '.jsp' || evt.Parsed.CommandLine contains '.jspx' || evt.Parsed.CommandLine contains '.log' || evt.Parsed.CommandLine contains '.png' || evt.Parsed.CommandLine contains '.ps1' || evt.Parsed.CommandLine contains '.psm1' || evt.Parsed.CommandLine contains '.rar' || evt.Parsed.CommandLine contains '.scf' || evt.Parsed.CommandLine contains '.sct' || evt.Parsed.CommandLine contains '.txt' || evt.Parsed.CommandLine contains '.vbe' || evt.Parsed.CommandLine contains '.vbs' || evt.Parsed.CommandLine contains '.war' || evt.Parsed.CommandLine contains '.wsf' || evt.Parsed.CommandLine contains '.wsh' || evt.Parsed.CommandLine contains '.xll' || evt.Parsed.CommandLine contains '.zip'))
+blackhole: 2m
+#status: test
+labels:
+  service: windows
+  confidence: 1
+  spoofable: 0
+  classification:
+   - attack.t1197
+   - attack.t1036.003
+
+  label: "File With Suspicious Extension Downloaded Via Bitsadmin"
+  behavior : "windows:audit"
+  remediation: false
+
+scope:
+  type: ParentProcessId
+  expression: evt.Parsed.ParentProcessId
+