File: windows-sysmon.rules

package info (click to toggle)
sagan-rules 1:20170725-1
  • links: PTS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 3,460 kB
  • sloc: makefile: 5
file content (79 lines) | stat: -rw-r--r-- 13,967 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# Sagan windows-sysmon.rules  
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>  
# All rights reserved.
#  
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list  
#
#*************************************************************  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the  
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following  
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR  
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,  
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  
#  
#*************************************************************

# Sysmon| 1: Process Create: UtcTime: 2016-04-08 03:54:58.330 ProcessGuid: {E67F94C7-2B92-5707-0000-001050880400} ProcessId: 2004 Image: C:\Windows\System32\audiodg.exe CommandLine: C:\Windows\system32\AUDIODG.EXE 0x74c CurrentDirectory: C:\Windows User: NT AUTHORITY\LOCAL SERVICE LogonGuid: {E67F94C7-2A7B-5707-0000-0020E5030000} LogonId: 0x3e5 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA1=F033FD30AACD0183BFC30861891A92B56AC2468B,MD5=D5CCA1453B98A5801E6D5FF0FF89DC6C,SHA256=85F2C2480AAC31B6092187B431A562D79D4CFB1324F925C85055ABAB2483264B ParentProcessGuid: {E67F94C7-2A7B-5707-0000-00102A9E0000} ParentProcessId: 772 ParentImage: C:\Windows\System32\svchost.exe ParentCommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

# Created by Champ Clark 04/08/2016.  You'll need PSEXEC_MD5 defined in your sagan.conf!

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] PSExec execution detected"; content: " 1: "; meta_content: "MD5=%sagan%,",$PSEXEC_MD5; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002799; sid:5002799; rev:2;)


# Locky Ransomware
# Champ Clark 04/08/2016

# Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:29:03.829 ProcessGuid: {E67F94C7-419F-5707-0000-00103FB11D00} ProcessId: 2920 Image: C:\Windows\System32\notepad.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\frankw\Desktop\_HELP_instructions.txt CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=7EB0139D2175739B3CCB0D1110067820BE6ABD29,MD5=F2C7BB8ACC97F92E987A2D4087D021B1,SHA256=142E1D688EF0568370C37187FD9F2351D7DDEDA574F8BFA9B0FA4EF42DB85AA2 ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe" 

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Locky ransomware instructions detected!"; content: " 1: "; content: "notepad.exe"; nocase; content: "_HELP_instructions.txt "; classtype: trojan-activity; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002802; sid:5002802; rev:2;)

# vssadmin.exe is sometimes used by malware to delete shadow volume copied.  Below is Locky:
# Champ Clark 04/08/2016

# 1: Process Create: UtcTime: 2016-04-08 05:28:44.314 ProcessGuid: {E67F94C7-418C-5707-0000-00103EB31C00} ProcessId: 2404 Image: C:\Windows\System32\vssadmin.exe CommandLine: vssadmin.exe Delete Shadows /All /Quiet CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=09FAFEB1B8404124B33C44440BE7E3FDB6105F8A,MD5=E23DD973E1444684EB36365DEFF1FC74,SHA256=4DE7FA20E3224382D8C4A81017E5BDD4673AFBEF9C0F017E203D7B78977FBF8C ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe" 

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] vssadmin.exe execution. Possible ransomware"; content: " 1: "; content: "vssadmin.exe"; nocase; content: "Delete Shadows"; nocase; classtype: trojan-activity; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002803; sid:5002803; rev:2;)

# NEW RULES:

# daemon|notice|notice|1d|2016-04-08|05:52:28|Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:52:28.315 ProcessGuid: {E67F94C7-471C-5707-0000-0010FB0B1A00} ProcessId: 688 Image: C:\Windows\System32\wbem\WMIC.exe CommandLine: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=071A645A88E4236281E58B90A5D50A2AC80E26E5,MD5=FD902835DEAEF4091799287736F3A028,SHA256=DA3AD32583644BD20116F0479C178F7C7C0B730728F4C02A438C0D19378C83D9 ParentProcessGuid: {E67F94C7-471A-5707-0000-0010DAF41900} ParentProcessId: 2796 ParentImage: C:\Windows\jacjfunqpvji.exe ParentCommandLine: C:\Windows\jacjfunqpvji.exe 

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - shadowcopy delete"; content: " 1: "; content: "wmic"; nocase; content: "shadowcopy delete"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002810; sid:5002810; rev:2;)

# daemon|notice|notice|1d|2016-04-09|03:56:50|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:50.199 ProcessGuid: {E67F94C7-7D82-5708-0000-001042E21B00} ProcessId: 2628 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF4 1A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe" 

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct GET UUID"; content: " 1: "; content: "wmic"; nocase; content: "csproduct Get UUID"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002811; sid:5002811; rev:2;)

# daemon|notice|notice|1d|2016-04-09|03:56:50|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:50.870 ProcessGuid: {E67F94C7-7D82-5708-0000-0010C8731C00} ProcessId: 768 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF41A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe" 

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; content: " 1: "; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002812; sid:5002812; rev:2;)

# daemon|notice|notice|1d|2016-04-09|03:56:51|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:51.432 ProcessGuid: {E67F94C7-7D83-5708-0000-001007D91C00} ProcessId: 2256 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get Version /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF41A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe"

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get Version"; content: " 1: "; content: "wmic"; nocase; content: "bios Get Version"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002813; sid:5002813; rev:2;)

# daemon|notice|notice|1d|2016-04-09|03:57:49|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:57:49.213 ProcessGuid: {E67F94C7-7DBD-5708-0000-001099CD0600} ProcessId: 1420 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nsh1DDF.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-333C-5707-0000-0020CFB40100} LogonId: 0x1b4cf TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7DB4-5708-0000-00100B100600} ParentProcessId: 2628 ParentImage: C:\Users\frankw\AppData\Local\Temp\39e67671f65fae38e065f5db614f679c.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\39e67671f65fae38e065f5db614f679c.exe"

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; content: " 1: "; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002814; sid:5002814; rev:2;)

# daemon|notice|notice|1d|2016-04-09|03:57:49|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:57:49.068 ProcessGuid: {E67F94C7-7DBD-5708-0000-0010AF1D0700} ProcessId: 668 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC csproduct Get Name /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nsj3A92.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-333C-5707-0000-0020DCBC0100} LogonId: 0x1bcdc TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7DB3-5708-0000-0010143A0600} ParentProcessId: 592 ParentImage: C:\Users\frankw\AppData\Local\Temp\3f6811d8687a30b68fa02d6eb5536493.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\3f6811d8687a30b68fa02d6eb5536493.exe" 

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct Get Name"; content: " 1: "; content: "wmic"; nocase; content: "csproduct Get Name"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002815; sid:5002815; rev:2;)

# daemon|notice|notice|1d|2016-04-09|03:55:09|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:55:09.240 ProcessGuid: {E67F94C7-7D1D-5708-0000-001041E40700} ProcessId: 1556 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: wmic computersystem get model /format:list CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32FD-5707-0000-00203DB30100} LogonId: 0x1b33d TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D1C-5708-0000-0010CDC80700} ParentProcessId: 2936 ParentImage: C:\Windows\SysWOW64\cmd.exe ParentCommandLine: "C:\Windows\system32\cmd.exe" /C wmic computersystem get model /format:list

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - computersystem get model"; content: " 1: "; content: "wmic"; nocase; content: "computersystem get model"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002816; sid:5002816; rev:2;)