diff --git a/rules_windows_generic_full.json b/rules_windows_generic_full.json
index 2d2f211..37869ba 100755
--- a/rules_windows_generic_full.json
+++ b/rules_windows_generic_full.json
@@ -37654,6 +37654,27 @@
 ],
 "filename": "proc_creation_win_sdbinst_shim_persistence.yml"
 },
+ {
+ "title": "Compressed File Creation Via Tar.EXE",
+ "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9",
+ "status": "experimental",
+ "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n",
+ "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3",
+ "tags": [
+ "attack.collection",
+ "attack.exfiltration",
+ "attack.t1560",
+ "attack.t1560.001"
+ ],
+ "falsepositives": [
+ "Likely"
+ ],
+ "level": "low",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName = 'bsdtar') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\' OR CommandLine LIKE '%-u%' ESCAPE '\\'))"
+ ],
+ "filename": "proc_creation_win_tar_compression.yml"
+ },
 {
 "title": "Renamed Plink Execution",
 "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43",
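Review bot: The `CommandLine LIKE '%-c%'`, `'%-r%'` and `'%-u%'` predicates in the added rule match a two-character substring anywhere in the command line, so any hyphenated token (a path segment, an unrelated switch) satisfies the rule, which is presumably why `falsepositives` is "Likely" and the level is low. If the intent is the tar option itself, anchoring on the preceding delimiter narrows it considerably, e.g. `CommandLine LIKE '% -c%' ESCAPE '\\'`, although the long forms (`--create` and friends) would then need listing explicitly since today they are matched only incidentally by the bare substring. Separately, `OriginalFileName = 'bsdtar'` is the one predicate using `=` rather than `LIKE`; if the backing store compares `=` case-sensitively while `LIKE` is case-insensitive (SQLite does this for ASCII by default), the two branches of that OR have different case semantics. The same patterns recur in the extraction rule in the next hunk (`'%-x%'`) and in the pysigma, sysmon and sysmon-pysigma variants of both rules later in this diff; since these files appear to be generated from the sigma submodule bumped at the end of the diff, any tuning belongs in the source rule rather than in these JSON outputs.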
@@ -38769,6 +38790,27 @@
 ],
 "filename": "proc_creation_win_dsacls_abuse_permissions.yml"
 },
+ {
+ "title": "Compressed File Extraction Via Tar.EXE",
+ "id": "bf361876-6620-407a-812f-bfe11e51e924",
+ "status": "experimental",
+ "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n",
+ "author": "AdmU3",
+ "tags": [
+ "attack.collection",
+ "attack.exfiltration",
+ "attack.t1560",
+ "attack.t1560.001"
+ ],
+ "falsepositives": [
+ "Likely"
+ ],
+ "level": "low",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName = 'bsdtar') AND CommandLine LIKE '%-x%' ESCAPE '\\')"
+ ],
+ "filename": "proc_creation_win_tar_extraction.yml"
+ },
 {
 "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)",
 "id": "a58353df-af43-4753-bad0-cd83ef35eef5",
diff --git a/rules_windows_generic_pysigma.json b/rules_windows_generic_pysigma.json
index 1b4b0f2..2d8c8b1 100644
--- a/rules_windows_generic_pysigma.json
+++ b/rules_windows_generic_pysigma.json
@@ -30497,6 +30497,27 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Compressed File Creation Via Tar.EXE",
+ "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9",
+ "status": "experimental",
+ "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n",
+ "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3",
+ "tags": [
+ "attack.collection",
+ "attack.exfiltration",
+ "attack.t1560",
+ "attack.t1560.001"
+ ],
+ "falsepositives": [
+ "Likely"
+ ],
+ "level": "low",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName='bsdtar') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\' OR CommandLine LIKE '%-u%' ESCAPE '\\')))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Files And Subdirectories Listing Using Dir",
 "id": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006",
@@ -30516,6 +30537,27 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Compressed File Extraction Via Tar.EXE",
+ "id": "bf361876-6620-407a-812f-bfe11e51e924",
+ "status": "experimental",
+ "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n",
+ "author": "AdmU3",
+ "tags": [
+ "attack.collection",
+ "attack.exfiltration",
+ "attack.t1560",
+ "attack.t1560.001"
+ ],
+ "falsepositives": [
+ "Likely"
+ ],
+ "level": "low",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName='bsdtar') AND CommandLine LIKE '%-x%' ESCAPE '\\'))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Suspicious Network Command",
 "id": "a29c1813-ab1f-4dde-b489-330b952e91ae",
diff --git a/rules_windows_sysmon_full.json b/rules_windows_sysmon_full.json
index 506ea88..02f4aa5 100755
--- a/rules_windows_sysmon_full.json
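Review bot: `EventID=4688` is compared as an integer in this file, while the same rule (id `418a3163-3247-4b7b-9933-dcfcb7c52ea9`) in `rules_windows_generic_full.json` earlier in this diff compares `EventID = '4688'` as a string; the two converters disagree on the column's type, and whichever one does not match the `logs` schema will either lean on implicit casting or silently match nothing. Pinning the type in one place so the full and pysigma outputs agree would remove that ambiguity; the sysmon pair later in the diff has the same split (`EventID=1` versus `EventID = '1'`). Also, `"filename"` is the empty string in both rules added here but carries the source `.yml` name in the full variant; if that is a converter limitation rather than intent, consumers that key on `filename` cannot correlate the two outputs, and the `id` field is then the only stable join key.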
+++ b/rules_windows_sysmon_full.json
@@ -37654,6 +37654,27 @@
 ],
 "filename": "proc_creation_win_sdbinst_shim_persistence.yml"
 },
+ {
+ "title": "Compressed File Creation Via Tar.EXE",
+ "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9",
+ "status": "experimental",
+ "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n",
+ "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3",
+ "tags": [
+ "attack.collection",
+ "attack.exfiltration",
+ "attack.t1560",
+ "attack.t1560.001"
+ ],
+ "falsepositives": [
+ "Likely"
+ ],
+ "level": "low",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName = 'bsdtar') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\' OR CommandLine LIKE '%-u%' ESCAPE '\\'))"
+ ],
+ "filename": "proc_creation_win_tar_compression.yml"
+ },
 {
 "title": "Renamed Plink Execution",
 "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43",
@@ -38769,6 +38790,27 @@
 ],
 "filename": "proc_creation_win_dsacls_abuse_permissions.yml"
 },
+ {
+ "title": "Compressed File Extraction Via Tar.EXE",
+ "id": "bf361876-6620-407a-812f-bfe11e51e924",
+ "status": "experimental",
+ "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n",
+ "author": "AdmU3",
+ "tags": [
+ "attack.collection",
+ "attack.exfiltration",
+ "attack.t1560",
+ "attack.t1560.001"
+ ],
+ "falsepositives": [
+ "Likely"
+ ],
+ "level": "low",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName = 'bsdtar') AND CommandLine LIKE '%-x%' ESCAPE '\\')"
+ ],
+ "filename": "proc_creation_win_tar_extraction.yml"
+ },
 {
 "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)",
 "id": "a58353df-af43-4753-bad0-cd83ef35eef5",
diff --git a/rules_windows_sysmon_pysigma.json b/rules_windows_sysmon_pysigma.json
index e1f8912..1a77415 100644
--- a/rules_windows_sysmon_pysigma.json
+++ b/rules_windows_sysmon_pysigma.json
@@ -30497,6 +30497,27 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Compressed File Creation Via Tar.EXE",
+ "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9",
+ "status": "experimental",
+ "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n",
+ "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3",
+ "tags": [
+ "attack.collection",
+ "attack.exfiltration",
+ "attack.t1560",
+ "attack.t1560.001"
+ ],
+ "falsepositives": [
+ "Likely"
+ ],
+ "level": "low",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName='bsdtar') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\' OR CommandLine LIKE '%-u%' ESCAPE '\\')))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Files And Subdirectories Listing Using Dir",
 "id": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006",
@@ -30516,6 +30537,27 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Compressed File Extraction Via Tar.EXE",
+ "id": "bf361876-6620-407a-812f-bfe11e51e924",
+ "status": "experimental",
+ "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n",
+ "author": "AdmU3",
+ "tags": [
+ "attack.collection",
+ "attack.exfiltration",
+ "attack.t1560",
+ "attack.t1560.001"
+ ],
+ "falsepositives": [
+ "Likely"
+ ],
+ "level": "low",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\tar.exe' ESCAPE '\\' OR OriginalFileName='bsdtar') AND CommandLine LIKE '%-x%' ESCAPE '\\'))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Suspicious Network Command",
 "id": "a29c1813-ab1f-4dde-b489-330b952e91ae",
diff --git a/sigma b/sigma
index 412edd1..6bab8fe 160000
--- a/sigma
+++ b/sigma
@@ -1 +1 @@
-Subproject commit 412edd1e1abb29a021e51d2aca7abbbe47afca25
+Subproject commit 6bab8fe4dc3fd1b48ab7bea3f9533afbabb20be2