sigconverter.io - sigma rule converter

Target:

Format:

Pipeline:

CLI:

run this cli command for the same result

rule.yml pipeline.yml

title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (rule), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2022-04-27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel: System
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
            - '\calc.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\forfiles.exe'
            - '\ping.exe'
        - CommandLine|contains:
            # - 'sc stop ' # stops a system service # causes FPs
            - ' -NoP '  # Often used in malicious PowerShell commands
            - ' -W Hidden '  # Often used in malicious PowerShell commands
            - ' -decode '  # Used with certutil
            - ' /decode '  # Used with certutil
            - ' /urlcache '  # Used with certutil
            - ' -urlcache '  # Used with certutil
            - ' -e* JAB'  # PowerShell encoded commands
            - ' -e* SUVYI'  # PowerShell encoded commands
            - ' -e* SQBFAFgA'  # PowerShell encoded commands
            - ' -e* aWV4I'  # PowerShell encoded commands
            - ' -e* IAB'  # PowerShell ncoded commands
            - ' -e* PAA'  # PowerShell encoded commands
            - ' -e* aQBlAHgA'  # PowerShell encoded commands
            - 'vssadmin delete shadows'  # Ransomware
            - 'reg SAVE HKLM'  # save registry SAM - syskey extraction
            - ' -ma '  # ProcDump
            - 'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD
            - '.downloadstring('  # PowerShell download command
            - '.downloadfile('  # PowerShell download command
            - ' /ticket:'  # Rubeus
            - 'dpapi::'     #Mimikatz
            - 'event::clear'        #Mimikatz
            - 'event::drop'     #Mimikatz
            - 'id::modify'      #Mimikatz
            - 'kerberos::'       #Mimikatz
            - 'lsadump::'      #Mimikatz
            - 'misc::'     #Mimikatz
            - 'privilege::'       #Mimikatz
            - 'rpc::'      #Mimikatz
            - 'sekurlsa::'       #Mimikatz
            - 'sid::'        #Mimikatz
            - 'token::'      #Mimikatz
            - 'vault::cred'     #Mimikatz
            - 'vault::list'     #Mimikatz
            - ' p::d '  # Mimikatz
            - ';iex('  # PowerShell IEX
            - 'MiniDump'  # Process dumping method apart from procdump
            - 'net user '
    condition: all of selection*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high

query

            the generated query should be displayed here :)

Settings