npm - @panguard-ai/panguard-guard - Versions diffs - 0.2.6 → 0.5.0 - Mend

@panguard-ai/panguard-guard 0.2.6 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (806) hide show

package/bundled-rules/sigma-rules/community/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml ADDED Viewed

@@ -0,0 +1,26 @@
+title: CVE-2010-5278 Exploitation Attempt
+id: a4a899e8-fd7a-49dd-b5a8-7044def72d61
+status: test
+description: |
+  MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,
+  when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
+references:
+    - https://github.com/projectdiscovery/nuclei-templates
+author: Subhash Popuri (@pbssubhash)
+date: 2021-08-25
+modified: 2023-01-02
+tags:
+    - attack.initial-access
+    - attack.t1190
+    - cve.2010-5278
+    - detection.emerging-threats
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-uri-query|contains: /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
+    condition: selection
+falsepositives:
+    - Scanning from Nuclei
+    - Unknown
+level: critical

package/bundled-rules/sigma-rules/community/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml ADDED Viewed

@@ -0,0 +1,40 @@
+title: Rejetto HTTP File Server RCE
+id: a133193c-2daa-4a29-8022-018695fcf0ae
+status: test
+description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
+references:
+    - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
+    - https://www.exploit-db.com/exploits/39161
+    - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022-07-19
+modified: 2023-01-02
+tags:
+    - attack.persistence
+    - attack.initial-access
+    - attack.t1190
+    - attack.t1505.003
+    - cve.2014-6287
+    - detection.emerging-threats
+logsource:
+    category: webserver
+detection:
+    selection_search:
+        cs-uri-query|contains: '?search=%00{.'
+    selection_payload:
+        cs-uri-query|contains:
+            - 'save|' # Indication of saving a file which shouldn't be tested by vuln scanners
+            - 'powershell'
+            - 'cmd.exe'
+            - 'cmd /c'
+            - 'cmd /r'
+            - 'cmd /k'
+            - 'cscript'
+            - 'wscript'
+            - 'python'
+            - 'C:\Users\Public\'
+            - '%comspec%'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

package/bundled-rules/sigma-rules/community/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml ADDED Viewed

@@ -0,0 +1,31 @@
+title: ZxShell Malware
+id: f0b70adb-0075-43b0-9745-e82a1c608fcc
+status: test
+description: Detects a ZxShell start by the called and well-known function name
+references:
+    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+    - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
+author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+date: 2017-07-20
+modified: 2021-11-27
+tags:
+    - attack.execution
+    - attack.t1059.003
+    - attack.defense-evasion
+    - attack.t1218.011
+    - attack.s0412
+    - attack.g0001
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\rundll32.exe'
+        CommandLine|contains:
+            - 'zxFunction'
+            - 'RemoteDiskXXXXX'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical

package/bundled-rules/sigma-rules/community/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml ADDED Viewed

@@ -0,0 +1,32 @@
+title: Turla Group Lateral Movement
+id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
+status: test
+description: Detects automated lateral movement by Turla group
+references:
+    - https://securelist.com/the-epic-turla-operation/65545/
+author: Markus Neis
+date: 2017-11-07
+modified: 2022-10-09
+tags:
+    - attack.g0010
+    - attack.execution
+    - attack.t1059
+    - attack.lateral-movement
+    - attack.t1021.002
+    - attack.discovery
+    - attack.t1083
+    - attack.t1135
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - 'net use \\\\%DomainController%\C$ "P@ssw0rd" *'
+            - 'dir c:\\*.doc* /s'
+            - 'dir %TEMP%\\*.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

package/bundled-rules/sigma-rules/community/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml ADDED Viewed

@@ -0,0 +1,35 @@
+title: Turla Group Commands May 2020
+id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
+status: test
+description: Detects commands used by Turla group as reported by ESET in May 2020
+references:
+    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+author: Florian Roth (Nextron Systems)
+date: 2020-05-26
+modified: 2025-10-19
+tags:
+    - attack.privilege-escalation
+    - attack.persistence
+    - attack.defense-evasion
+    - attack.g0010
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1053.005
+    - attack.t1027
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cli_1:
+        CommandLine|contains:
+            - 'tracert -h 10 yahoo.com'
+            - '.WSqmCons))|iex;'
+            - 'Fr`omBa`se6`4Str`ing'
+    selection_cli_2:
+        CommandLine|re: 'net\s+use\s+https://docs.live.net'
+        CommandLine|contains: '@aol.co.uk'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: critical

package/bundled-rules/sigma-rules/community/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml ADDED Viewed

@@ -0,0 +1,26 @@
+title: Exploit for CVE-2015-1641
+id: 7993792c-5ce2-4475-a3db-a3a5539827ef
+status: stable
+description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
+references:
+    - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
+    - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
+author: Florian Roth (Nextron Systems)
+date: 2018-02-22
+modified: 2021-11-27
+tags:
+    - attack.defense-evasion
+    - attack.t1036.005
+    - cve.2015-1641
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\WINWORD.EXE'
+        Image|endswith: '\MicroScMgmt.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

package/bundled-rules/sigma-rules/community/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml ADDED Viewed

@@ -0,0 +1,28 @@
+title: Exploit for CVE-2017-0261
+id: 864403a1-36c9-40a2-a982-4c9a45f7d833
+status: test
+description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
+references:
+    - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
+author: Florian Roth (Nextron Systems)
+date: 2018-02-22
+modified: 2021-11-27
+tags:
+    - attack.execution
+    - attack.t1203
+    - attack.t1204.002
+    - attack.initial-access
+    - attack.t1566.001
+    - cve.2017-0261
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\WINWORD.EXE'
+        Image|contains: '\FLTLDR.exe'
+    condition: selection
+falsepositives:
+    - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
+level: medium

package/bundled-rules/sigma-rules/community/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml ADDED Viewed

@@ -0,0 +1,29 @@
+title: Droppers Exploiting CVE-2017-11882
+id: 678eb5f4-8597-4be6-8be7-905e4234b53a
+status: stable
+description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
+references:
+    - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
+    - https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-
+    - https://github.com/embedi/CVE-2017-11882
+author: Florian Roth (Nextron Systems)
+date: 2017-11-23
+modified: 2021-11-27
+tags:
+    - attack.execution
+    - attack.t1203
+    - attack.t1204.002
+    - attack.initial-access
+    - attack.t1566.001
+    - cve.2017-11882
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\EQNEDT32.EXE'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

package/bundled-rules/sigma-rules/community/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml ADDED Viewed

@@ -0,0 +1,29 @@
+title: Exploit for CVE-2017-8759
+id: fdd84c68-a1f6-47c9-9477-920584f94905
+status: test
+description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
+references:
+    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+author: Florian Roth (Nextron Systems)
+date: 2017-09-15
+modified: 2021-11-27
+tags:
+    - attack.execution
+    - attack.t1203
+    - attack.t1204.002
+    - attack.initial-access
+    - attack.t1566.001
+    - cve.2017-8759
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\WINWORD.EXE'
+        Image|endswith: '\csc.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

package/bundled-rules/sigma-rules/community/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml ADDED Viewed

@@ -0,0 +1,30 @@
+title: Adwind RAT / JRAT
+id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
+status: test
+description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+references:
+    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
+    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
+author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+date: 2017-11-10
+modified: 2022-10-09
+tags:
+    - attack.execution
+    - attack.t1059.005
+    - attack.t1059.007
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - CommandLine|contains|all:
+              - '\AppData\Roaming\Oracle'
+              - '\java'
+              - '.exe '
+        - CommandLine|contains|all:
+              - 'cscript.exe'
+              - 'Retrive'
+              - '.vbs '
+    condition: selection
+level: high

package/bundled-rules/sigma-rules/community/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml ADDED Viewed

@@ -0,0 +1,33 @@
+title: CosmicDuke Service Installation
+id: cb062102-587e-4414-8efa-dbe3c7bf19c6
+related:
+    - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
+      type: derived
+status: test
+description: |
+    Detects the installation of a service named "javamtsup" on the system.
+    The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
+references:
+    - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
+author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
+date: 2017-03-27
+modified: 2022-10-09
+tags:
+    - attack.privilege-escalation
+    - attack.execution
+    - attack.persistence
+    - attack.t1543.003
+    - attack.t1569.002
+    - detection.emerging-threats
+logsource:
+    product: windows
+    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
+detection:
+    selection:
+        EventID: 4697
+        ServiceName: 'javamtsup'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical

package/bundled-rules/sigma-rules/community/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml ADDED Viewed

@@ -0,0 +1,27 @@
+title: Fireball Archer Install
+id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
+status: test
+description: Detects Archer malware invocation via rundll32
+references:
+    - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
+    - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
+author: Florian Roth (Nextron Systems)
+date: 2017-06-03
+modified: 2021-11-27
+tags:
+    - attack.execution
+    - attack.defense-evasion
+    - attack.t1218.011
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'rundll32.exe'
+            - 'InstallArcherSvc'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

package/bundled-rules/sigma-rules/community/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml ADDED Viewed

@@ -0,0 +1,33 @@
+title: Malware Shellcode in Verclsid Target Process
+id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
+status: test
+description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
+references:
+    - https://twitter.com/JohnLaTwC/status/837743453039534080
+author: John Lambert (tech), Florian Roth (Nextron Systems)
+date: 2017-03-04
+modified: 2021-11-27
+tags:
+    - attack.defense-evasion
+    - attack.privilege-escalation
+    - attack.t1055
+    - detection.emerging-threats
+logsource:
+    category: process_access
+    product: windows
+    definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
+detection:
+    selection_target:
+        TargetImage|endswith: '\verclsid.exe'
+        GrantedAccess: '0x1FFFFF'
+    selection_calltrace_1:
+        CallTrace|contains|all:
+            - '|UNKNOWN('
+            - 'VBE7.DLL'
+    selection_calltrace_2:
+        SourceImage|contains: '\Microsoft Office\'
+        CallTrace|contains: '|UNKNOWN'
+    condition: selection_target and 1 of selection_calltrace_*
+falsepositives:
+    - Unknown
+level: high

package/bundled-rules/sigma-rules/community/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml ADDED Viewed

@@ -0,0 +1,38 @@
+title: NotPetya Ransomware Activity
+id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
+status: test
+description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
+references:
+    - https://securelist.com/schroedingers-petya/78870/
+    - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
+author: Florian Roth (Nextron Systems), Tom Ueltschi
+date: 2019-01-16
+modified: 2022-12-15
+tags:
+    - attack.defense-evasion
+    - attack.t1218.011
+    - attack.t1070.001
+    - attack.credential-access
+    - attack.t1003.001
+    - car.2016-04-002
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_specific_pattern:
+        CommandLine|contains:
+            - 'wevtutil cl Application & fsutil usn deletejournal /D C:'
+            - 'dllhost.dat %WINDIR%\ransoms'
+    selection_rundll32:
+        Image|endswith: '\rundll32.exe'
+        CommandLine|endswith:
+            - '.dat,#1'
+            - '.dat #1' # Sysmon removes comma
+            - '.zip.dll",#1'
+    selection_perfc_keyword:
+        - '\perfc.dat'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: critical

package/bundled-rules/sigma-rules/community/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml ADDED Viewed

@@ -0,0 +1,96 @@
+title: Potential PlugX Activity
+id: aeab5ec5-be14-471a-80e8-e344418305c2
+status: test
+description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
+references:
+    - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+    - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
+author: Florian Roth (Nextron Systems)
+date: 2017-06-12
+modified: 2023-02-03
+tags:
+    - attack.privilege-escalation
+    - attack.persistence
+    - attack.s0013
+    - attack.defense-evasion
+    - attack.t1574.001
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cammute:
+        Image|endswith: '\CamMute.exe'
+    filter_cammute:
+        Image|contains:
+            - '\Lenovo\Communication Utility\'
+            - '\Lenovo\Communications Utility\'
+    selection_chrome_frame:
+        Image|endswith: '\chrome_frame_helper.exe'
+    filter_chrome_frame:
+        Image|contains: '\Google\Chrome\application\'
+    selection_devemu:
+        Image|endswith: '\dvcemumanager.exe'
+    filter_devemu:
+        Image|contains: '\Microsoft Device Emulator\'
+    selection_gadget:
+        Image|endswith: '\Gadget.exe'
+    filter_gadget:
+        Image|contains: '\Windows Media Player\'
+    selection_hcc:
+        Image|endswith: '\hcc.exe'
+    filter_hcc:
+        Image|contains: '\HTML Help Workshop\'
+    selection_hkcmd:
+        Image|endswith: '\hkcmd.exe'
+    filter_hkcmd:
+        Image|contains:
+            - '\System32\'
+            - '\SysNative\'
+            - '\SysWow64\'
+    selection_mc:
+        Image|endswith: '\Mc.exe'
+    filter_mc:
+        Image|contains:
+            - '\Microsoft Visual Studio'
+            - '\Microsoft SDK'
+            - '\Windows Kit'
+    selection_msmpeng:
+        Image|endswith: '\MsMpEng.exe'
+    filter_msmpeng:
+        Image|contains:
+            - '\Microsoft Security Client\'
+            - '\Windows Defender\'
+            - '\AntiMalware\'
+    selection_msseces:
+        Image|endswith: '\msseces.exe'
+    filter_msseces:
+        Image|contains:
+            - '\Microsoft Security Center\'
+            - '\Microsoft Security Client\'
+            - '\Microsoft Security Essentials\'
+    selection_oinfo:
+        Image|endswith: '\OInfoP11.exe'
+    filter_oinfo:
+        Image|contains: '\Common Files\Microsoft Shared\'
+    selection_oleview:
+        Image|endswith: '\OleView.exe'
+    filter_oleview:
+        Image|contains:
+            - '\Microsoft Visual Studio'
+            - '\Microsoft SDK'
+            - '\Windows Kit'
+            - '\Windows Resource Kit\'
+    selection_rc:
+        Image|endswith: '\rc.exe'
+    filter_rc:
+        Image|contains:
+            - '\Microsoft Visual Studio'
+            - '\Microsoft SDK'
+            - '\Windows Kit'
+            - '\Windows Resource Kit\'
+            - '\Microsoft.NET\'
+    condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
+falsepositives:
+    - Unknown
+level: high

package/bundled-rules/sigma-rules/community/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml ADDED Viewed

@@ -0,0 +1,28 @@
+title: StoneDrill Service Install
+id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
+status: test
+description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
+references:
+    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+author: Florian Roth (Nextron Systems)
+date: 2017-03-07
+modified: 2021-11-30
+tags:
+    - attack.privilege-escalation
+    - attack.persistence
+    - attack.g0064
+    - attack.t1543.003
+    - detection.emerging-threats
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
+        ServiceName: NtsSrv
+        ImagePath|endswith: ' LocalService'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

package/bundled-rules/sigma-rules/community/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml ADDED Viewed

@@ -0,0 +1,44 @@
+title: WannaCry Ransomware Activity
+id: 41d40bff-377a-43e2-8e1b-2e543069e079
+status: test
+description: Detects WannaCry ransomware activity
+references:
+    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+    - https://x.com/nas_bench/status/1868639048484425963
+author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
+date: 2019-01-16
+modified: 2025-10-18
+tags:
+    - attack.lateral-movement
+    - attack.t1210
+    - attack.discovery
+    - attack.t1083
+    - attack.defense-evasion
+    - attack.t1222.001
+    - attack.impact
+    - attack.t1486
+    - attack.t1490
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\tasksche.exe'
+              - '\mssecsvc.exe'
+              - '\taskdl.exe'
+              - '\taskhsvc.exe'
+              - '\taskse.exe'
+              - '\111.exe'
+              - '\lhdfrgui.exe'
+              # - '\diskpart.exe'  # cannot be used in a rule of level critical
+              - '\linuxnew.exe'
+              - '\wannacry.exe'
+        - Image|contains: 'WanaDecryptor'
+    selection_cmd:
+        CommandLine|contains: '@Please_Read_Me@.txt'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: critical

package/bundled-rules/sigma-rules/community/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml ADDED Viewed

@@ -0,0 +1,29 @@
+title: Potential APT10 Cloud Hopper Activity
+id: 966e4016-627f-44f7-8341-f394905c361f
+status: test
+description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
+references:
+    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+author: Florian Roth (Nextron Systems)
+date: 2017-04-07
+modified: 2023-03-08
+tags:
+    - attack.execution
+    - attack.g0045
+    - attack.t1059.005
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cscript:
+        Image|endswith: '\cscript.exe'
+        CommandLine|contains: '.vbs /shell '
+    selection_csvde:
+        CommandLine|contains|all:
+            - 'csvde -f C:\windows\web\'
+            - '.log'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high