
Commit 60d919d

author
vastlimits
committed
Updated converted sigma rules for version version/7.1
1 parent b6c9182 commit 60d919d

1 file changed

+19
-2
lines changed


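--- a/config/uberAgent-ESA-am-sigma-high-windows.conf
+++ b/config/uberAgent-ESA-am-sigma-high-windows.conf
@@ -4838,6 +4838,23 @@ RiskScore = 75
 Query = (Process.Path like r"%\\curl.exe" or Process.Name == "curl.exe") and regex_match(Process.CommandLine, "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") and Process.CommandLine like r"%http%" and (Process.CommandLine like r"% -O%" or Process.CommandLine like r"%--remote-name%" or Process.CommandLine like r"%--output%") and (Process.CommandLine like r"%.bat" or Process.CommandLine like r"%.bat\"" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.dat\"" or Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.dll\"" or Process.CommandLine like r"%.exe" or Process.CommandLine like r"%.exe\"" or Process.CommandLine like r"%.gif" or Process.CommandLine like r"%.gif\"" or Process.CommandLine like r"%.hta" or Process.CommandLine like r"%.hta\"" or Process.CommandLine like r"%.jpeg" or Process.CommandLine like r"%.jpeg\"" or Process.CommandLine like r"%.log" or Process.CommandLine like r"%.log\"" or Process.CommandLine like r"%.msi" or Process.CommandLine like r"%.msi\"" or Process.CommandLine like r"%.png" or Process.CommandLine like r"%.png\"" or Process.CommandLine like r"%.ps1" or Process.CommandLine like r"%.ps1\"" or Process.CommandLine like r"%.psm1" or Process.CommandLine like r"%.psm1\"" or Process.CommandLine like r"%.vbe" or Process.CommandLine like r"%.vbe\"" or Process.CommandLine like r"%.vbs" or Process.CommandLine like r"%.vbs\"" or Process.CommandLine like r"%.bat'" or Process.CommandLine like r"%.dat'" or Process.CommandLine like r"%.dll'" or Process.CommandLine like r"%.exe'" or Process.CommandLine like r"%.gif'" or Process.CommandLine like r"%.hta'" or Process.CommandLine like r"%.jpeg'" or Process.CommandLine like r"%.log'" or Process.CommandLine like r"%.msi'" or Process.CommandLine like r"%.png'" or Process.CommandLine like r"%.ps1'" or Process.CommandLine like r"%.psm1'" or Process.CommandLine like r"%.vbe'" or Process.CommandLine like r"%.vbs'")
 
 
+[ActivityMonitoringRule platform=Windows]
+# Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
+# Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
+# The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
+# This rule flags suspicious use of such padding observed in real-world attacks.
+# Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+RuleId = dd8756e7-a3a0-4768-b47e-8f545d1a751c
+RuleName = Suspicious LNK Command-Line Padding with Whitespace Characters
+EventType = Process.Start
+Tag = proc-start-suspicious-lnk-command-line-padding-with-whitespace-characters
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1204.002"]}
+Query = (Parent.Path like r"%\\explorer.exe" or Parent.CommandLine like r"%.lnk%") and (Process.CommandLine like r"% %" or Process.CommandLine like r"%\\u0009%" or Process.CommandLine like r"%\\u000A%" or Process.CommandLine like r"%\\u0011%" or Process.CommandLine like r"%\\u0012%" or Process.CommandLine like r"%\\u0013%" or Process.CommandLine like r"%\\u000B%" or Process.CommandLine like r"%\\u000C%" or Process.CommandLine like r"%\\u000D%" or regex_match(Process.CommandLine, "\\n\\n\\n\\n\\n\\n"))
+GenericProperty1 = Parent.Path
+GenericProperty2 = Parent.CommandLine
+
+
 [ActivityMonitoringRule platform=Windows]
 # Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
 # Author: Florian Roth (Nextron Systems)
@@ -4916,14 +4933,14 @@ Query = Process.CommandLine like r"%Add-Exfiltration%" or Process.CommandLine li
 [ActivityMonitoringRule platform=Windows]
 # Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
 # This technique were seen used by threat actors and ransomware strains in order to evade defenses.
-# Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
+# Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
 RuleId = cc36992a-4671-4f21-a91d-6c2b72a2edf5
 RuleName = Suspicious Eventlog Clearing or Configuration Change Activity
 EventType = Process.Start
 Tag = proc-start-suspicious-eventlog-clearing-or-configuration-change-activity
 RiskScore = 75
 Annotation = {"mitre_attack": ["T1070.001", "T1562.002"]}
-Query = (Process.Path like r"%\\wevtutil.exe" and (Process.CommandLine like r"%clear-log %" or Process.CommandLine like r"% cl %" or Process.CommandLine like r"%set-log %" or Process.CommandLine like r"% sl %" or Process.CommandLine like r"%lfn:%") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%Clear-EventLog %" or Process.CommandLine like r"%Remove-EventLog %" or Process.CommandLine like r"%Limit-EventLog %" or Process.CommandLine like r"%Clear-WinEvent %") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wmic.exe") and Process.CommandLine like r"%ClearEventLog%") and not ((Parent.Path in ["C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"]) and Process.CommandLine like r"% sl %")
+Query = (Process.Path like r"%\\wevtutil.exe" or Process.Name == "wevtutil.exe") and (Process.CommandLine like r"%clear-log %" or Process.CommandLine like r"% cl %" or Process.CommandLine like r"%set-log %" or Process.CommandLine like r"% sl %" or Process.CommandLine like r"%lfn:%") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%Clear-EventLog %" or Process.CommandLine like r"%Remove-EventLog %" or Process.CommandLine like r"%Limit-EventLog %" or Process.CommandLine like r"%Clear-WinEvent %" or Process.CommandLine like r"%Eventing.Reader.EventLogSession%" and Process.CommandLine like r"%ClearLog%" or Process.CommandLine like r"%Diagnostics.EventLog%" and Process.CommandLine like r"%Clear%") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wmic.exe") and Process.CommandLine like r"%ClearEventLog%" and not ((Parent.Path in ["C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"]) and Process.CommandLine like r"% sl %")
 GenericProperty1 = Parent.Path
 
 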
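Review bot: The rewritten Query on the new side of the second hunk drops the outer parentheses that the removed line had around its three `or` branches, so — assuming `and` binds tighter than `or` in this query language, as the removed line's explicit grouping suggests — the trailing `and not ((Parent.Path in [...msiexec...]) and Process.CommandLine like r"% sl %")` now applies only to the last branch (powershell/pwsh/wmic with `ClearEventLog`) rather than to the whole expression. That exclusion was written for the `wevtutil sl` case spawned by installers; attached to the `ClearEventLog` branch it is effectively dead, and the msiexec false positive it suppressed would fire again through the wevtutil branch. I would restore the grouping: `Query = ((...wevtutil branch...) or (...powershell branch...) or (...powershell/wmic branch...)) and not ((Parent.Path in ["C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"]) and Process.CommandLine like r"% sl %")`. Since this file is converter output rather than hand-edited, the same precedence handling is worth checking in the generator so the fix does not get overwritten on the next regeneration.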