
Commit e6e09d0

author
vastlimits
committed
Updated converted sigma rules for version/7.2
1 parent 1292cbf commit e6e09d0

1 file changed

+20
-3
lines changed

1 file changed

+20
-3
lines changed

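--- a/config/uberAgent-ESA-am-sigma-high-windows.conf
+++ b/config/uberAgent-ESA-am-sigma-high-windows.conf
@@ -6083,6 +6083,23 @@ Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
 Query = (Process.Path like r"%\\curl.exe" or Process.Name == "curl.exe") and Process.CommandLine regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and Process.CommandLine like r"%http%" and (Process.CommandLine like r"% -O%" or Process.CommandLine like r"%--remote-name%" or Process.CommandLine like r"%--output%") and (Process.CommandLine like r"%.bat" or Process.CommandLine like r"%.bat\"" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.dat\"" or Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.dll\"" or Process.CommandLine like r"%.exe" or Process.CommandLine like r"%.exe\"" or Process.CommandLine like r"%.gif" or Process.CommandLine like r"%.gif\"" or Process.CommandLine like r"%.hta" or Process.CommandLine like r"%.hta\"" or Process.CommandLine like r"%.jpeg" or Process.CommandLine like r"%.jpeg\"" or Process.CommandLine like r"%.log" or Process.CommandLine like r"%.log\"" or Process.CommandLine like r"%.msi" or Process.CommandLine like r"%.msi\"" or Process.CommandLine like r"%.png" or Process.CommandLine like r"%.png\"" or Process.CommandLine like r"%.ps1" or Process.CommandLine like r"%.ps1\"" or Process.CommandLine like r"%.psm1" or Process.CommandLine like r"%.psm1\"" or Process.CommandLine like r"%.vbe" or Process.CommandLine like r"%.vbe\"" or Process.CommandLine like r"%.vbs" or Process.CommandLine like r"%.vbs\"" or Process.CommandLine like r"%.bat'" or Process.CommandLine like r"%.dat'" or Process.CommandLine like r"%.dll'" or Process.CommandLine like r"%.exe'" or Process.CommandLine like r"%.gif'" or Process.CommandLine like r"%.hta'" or Process.CommandLine like r"%.jpeg'" or Process.CommandLine like r"%.log'" or Process.CommandLine like r"%.msi'" or Process.CommandLine like r"%.png'" or Process.CommandLine like r"%.ps1'" or Process.CommandLine like r"%.psm1'" or Process.CommandLine like r"%.vbe'" or Process.CommandLine like r"%.vbs'")
 
 
+[ThreatDetectionRule platform=Windows]
+# Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
+# Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
+# The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
+# This rule flags suspicious use of such padding observed in real-world attacks.
+# Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+RuleId = dd8756e7-a3a0-4768-b47e-8f545d1a751c
+RuleName = Suspicious LNK Command-Line Padding with Whitespace Characters
+EventType = Process.Start
+Tag = proc-start-suspicious-lnk-command-line-padding-with-whitespace-characters
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1204.002"], "author": "Swachchhanda Shrawan Poudel (Nextron Systems)"}
+Query = (Parent.Path like r"%\\explorer.exe" or Parent.CommandLine like r"%.lnk%") and (Process.CommandLine like r"% %" or Process.CommandLine like r"%\\u0009%" or Process.CommandLine like r"%\\u000A%" or Process.CommandLine like r"%\\u0011%" or Process.CommandLine like r"%\\u0012%" or Process.CommandLine like r"%\\u0013%" or Process.CommandLine like r"%\\u000B%" or Process.CommandLine like r"%\\u000C%" or Process.CommandLine like r"%\\u000D%" or Process.CommandLine regex "\\n\\n\\n\\n\\n\\n")
+GenericProperty1 = Parent.Path
+GenericProperty2 = Parent.CommandLine
+
+
 [ThreatDetectionRule platform=Windows]
 # Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
 # Author: Florian Roth (Nextron Systems)
@@ -6177,14 +6194,14 @@ Query = Process.CommandLine like r"%Add-Exfiltration%" or Process.CommandLine li
 [ThreatDetectionRule platform=Windows]
 # Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
 # This technique were seen used by threat actors and ransomware strains in order to evade defenses.
-# Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
+# Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
 RuleId = cc36992a-4671-4f21-a91d-6c2b72a2edf5
 RuleName = Suspicious Eventlog Clearing or Configuration Change Activity
 EventType = Process.Start
 Tag = proc-start-suspicious-eventlog-clearing-or-configuration-change-activity
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1070.001", "T1562.002"], "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105"}
-Query = (Process.Path like r"%\\wevtutil.exe" and (Process.CommandLine like r"%clear-log %" or Process.CommandLine like r"% cl %" or Process.CommandLine like r"%set-log %" or Process.CommandLine like r"% sl %" or Process.CommandLine like r"%lfn:%") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%Clear-EventLog %" or Process.CommandLine like r"%Remove-EventLog %" or Process.CommandLine like r"%Limit-EventLog %" or Process.CommandLine like r"%Clear-WinEvent %") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wmic.exe") and Process.CommandLine like r"%ClearEventLog%") and not ((Parent.Path in ["C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"]) and Process.CommandLine like r"% sl %")
+Annotation = {"mitre_attack": ["T1070.001", "T1562.002"], "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)"}
+Query = (Process.Path like r"%\\wevtutil.exe" or Process.Name == "wevtutil.exe") and (Process.CommandLine like r"%clear-log %" or Process.CommandLine like r"% cl %" or Process.CommandLine like r"%set-log %" or Process.CommandLine like r"% sl %" or Process.CommandLine like r"%lfn:%") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%Clear-EventLog %" or Process.CommandLine like r"%Remove-EventLog %" or Process.CommandLine like r"%Limit-EventLog %" or Process.CommandLine like r"%Clear-WinEvent %" or Process.CommandLine like r"%Eventing.Reader.EventLogSession%" and Process.CommandLine like r"%ClearLog%" or Process.CommandLine like r"%Diagnostics.EventLog%" and Process.CommandLine like r"%Clear%") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wmic.exe") and Process.CommandLine like r"%ClearEventLog%" and not ((Parent.Path in ["C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"]) and Process.CommandLine like r"% sl %")
 GenericProperty1 = Parent.Path
 
 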