Advertisement
JohnGalt14

Translate Examples for GodMode Rule

May 18th, 2020
2,055
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 9.52 KB | None | 0 0
  1. # Target: Splunk
  2. # Config: Splunk Windows
  3.  
  4. prometheus:sigma neo$ ./tools/sigmac -t splunk -c splunk-windows ./other/godmode_sigma_rule.yml
  5.  
  6. ((CommandLine="* -NoP *" OR CommandLine="* -W Hidden *" OR CommandLine="* -decode *" OR CommandLine="* /decode *" OR CommandLine="* -e* JAB*" OR CommandLine="* -e* SUVYI*" OR CommandLine="* -e* SQBFAFgA*" OR CommandLine="* -e* aWV4I*" OR CommandLine="* -e* IAB*" OR CommandLine="* -e* PAA*" OR CommandLine="* -e* aQBlAHgA*" OR CommandLine="*vssadmin delete shadows*" OR CommandLine="*reg SAVE HKLM\\SAM*" OR CommandLine="* -ma *" OR CommandLine="*Microsoft\\Windows\\CurrentVersion\\Run*" OR CommandLine="*.downloadstring(*" OR CommandLine="*.downloadfile(*" OR CommandLine="* /ticket:*" OR CommandLine="* sekurlsa*" OR CommandLine="* p::d *" OR CommandLine="*;iex(*" OR CommandLine="*schtasks* /create *AppData*" OR CommandLine="* comsvcs.dll,MiniDump*" OR CommandLine="* comsvcs.dll,#24*") OR ((ParentImage="*\\WINWORD.EXE*" OR ParentImage="*\\EXCEL.EXE*" OR ParentImage="*\\POWERPNT.exe*" OR ParentImage="*\\MSPUB.exe*" OR ParentImage="*\\VISIO.exe*" OR ParentImage="*\\OUTLOOK.EXE*") (Image="*\\cmd.exe*" OR Image="*\\powershell.exe*" OR Image="*\\wscript.exe*" OR Image="*\\cscript.exe*" OR Image="*\\schtasks.exe*" OR Image="*\\scrcons.exe*" OR Image="*\\regsvr32.exe*" OR Image="*\\hh.exe*" OR Image="*\\wmic.exe*" OR Image="*\\mshta.exe*" OR Image="*\\msiexec.exe*" OR Image="*\\forfiles.exe*" OR Image="*\\AppData\\*")) OR ((Image="*\\apache*" OR Image="*\\tomcat*" OR Image="*\\w3wp.exe*" OR Image="*\\php-cgi.exe*" OR Image="*\\nginx.exe*" OR Image="*\\httpd.exe*") (CommandLine="*whoami*" OR CommandLine="*net user *" OR CommandLine="*ping -n *" OR CommandLine="*systeminfo*" OR CommandLine="*&cd&echo*" OR CommandLine="*cd /d *")) OR (Image="*\\whoami.exe*" User="NT AUTHORITY\\SYSTEM"))
  7.  
  8. (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" ((EventCode="11" (TargetFileName="*.dmp*" OR TargetFileName="*Desktop\\how*" OR TargetFileName="*Desktop\\decrypt*")) OR ((EventCode="12" OR EventCode="13") (TargetObject="*UserInitMprLogonScript*" OR TargetObject="*\\CurrentVersion\\Image File Execution Options\\*")) OR ((EventCode="12" OR EventCode="13") (TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\Run\\*" OR TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*") (Details="*AppData*" OR Details="*\\Users\\Public\\*" OR Details="*\\Temp\\*" OR Details="*powershell*" OR Details="*wscript*" OR Details="*cscript*"))))
  9.  
  10. (source="WinEventLog:System" EventCode="7045" (ServiceName="*WCESERVICE*" OR ServiceName="*WCE SERVICE*" OR ServiceName="*winexesvc*" OR ServiceName="*DumpSvc*" OR ServiceName="*pwdump*" OR ServiceName="*gsecdump*" OR ServiceName="*cachedump*"))
  11.  
  12. # Target: Splunk
  13. # Config: Sysmon
  14.  
  15. prometheus:sigma neo$ ./tools/sigmac -t splunk -c sysmon ./other/godmode_sigma_rule.yml
  16.  
  17. (EventID="1" ((CommandLine="* -NoP *" OR CommandLine="* -W Hidden *" OR CommandLine="* -decode *" OR CommandLine="* /decode *" OR CommandLine="* -e* JAB*" OR CommandLine="* -e* SUVYI*" OR CommandLine="* -e* SQBFAFgA*" OR CommandLine="* -e* aWV4I*" OR CommandLine="* -e* IAB*" OR CommandLine="* -e* PAA*" OR CommandLine="* -e* aQBlAHgA*" OR CommandLine="*vssadmin delete shadows*" OR CommandLine="*reg SAVE HKLM\\SAM*" OR CommandLine="* -ma *" OR CommandLine="*Microsoft\\Windows\\CurrentVersion\\Run*" OR CommandLine="*.downloadstring(*" OR CommandLine="*.downloadfile(*" OR CommandLine="* /ticket:*" OR CommandLine="* sekurlsa*" OR CommandLine="* p::d *" OR CommandLine="*;iex(*" OR CommandLine="*schtasks* /create *AppData*" OR CommandLine="* comsvcs.dll,MiniDump*" OR CommandLine="* comsvcs.dll,#24*") OR ((ParentImage="*\\WINWORD.EXE*" OR ParentImage="*\\EXCEL.EXE*" OR ParentImage="*\\POWERPNT.exe*" OR ParentImage="*\\MSPUB.exe*" OR ParentImage="*\\VISIO.exe*" OR ParentImage="*\\OUTLOOK.EXE*") (Image="*\\cmd.exe*" OR Image="*\\powershell.exe*" OR Image="*\\wscript.exe*" OR Image="*\\cscript.exe*" OR Image="*\\schtasks.exe*" OR Image="*\\scrcons.exe*" OR Image="*\\regsvr32.exe*" OR Image="*\\hh.exe*" OR Image="*\\wmic.exe*" OR Image="*\\mshta.exe*" OR Image="*\\msiexec.exe*" OR Image="*\\forfiles.exe*" OR Image="*\\AppData\\*")) OR ((Image="*\\apache*" OR Image="*\\tomcat*" OR Image="*\\w3wp.exe*" OR Image="*\\php-cgi.exe*" OR Image="*\\nginx.exe*" OR Image="*\\httpd.exe*") (CommandLine="*whoami*" OR CommandLine="*net user *" OR CommandLine="*ping -n *" OR CommandLine="*systeminfo*" OR CommandLine="*&cd&echo*" OR CommandLine="*cd /d *")) OR (Image="*\\whoami.exe*" User="NT AUTHORITY\\SYSTEM")))
  18.  
  19. ((EventID="11" (TargetFileName="*.dmp*" OR TargetFileName="*Desktop\\how*" OR TargetFileName="*Desktop\\decrypt*")) OR ((EventID="12" OR EventID="13") (TargetObject="*UserInitMprLogonScript*" OR TargetObject="*\\CurrentVersion\\Image File Execution Options\\*")) OR ((EventID="12" OR EventID="13") (TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\Run\\*" OR TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*") (Details="*AppData*" OR Details="*\\Users\\Public\\*" OR Details="*\\Temp\\*" OR Details="*powershell*" OR Details="*wscript*" OR Details="*cscript*")))
  20.  
  21. (EventID="7045" (ServiceName="*WCESERVICE*" OR ServiceName="*WCE SERVICE*" OR ServiceName="*winexesvc*" OR ServiceName="*DumpSvc*" OR ServiceName="*pwdump*" OR ServiceName="*gsecdump*" OR ServiceName="*cachedump*"))
  22.  
  23. # Target: ElasticSearch Query String
  24. # Config: Winlogbeat  
  25.  
  26. prometheus:sigma neo$ ./tools/sigmac -t es-qs -c winlogbeat ./other/godmode_sigma_rule.yml
  27.  
  28. (winlog.event_data.CommandLine.keyword:(*\ \-NoP\ * OR *\ \-W\ Hidden\ * OR *\ \-decode\ * OR *\ \/decode\ * OR *\ \-e*\ JAB* OR *\ \-e*\ SUVYI* OR *\ \-e*\ SQBFAFgA* OR *\ \-e*\ aWV4I* OR *\ \-e*\ IAB* OR *\ \-e*\ PAA* OR *\ \-e*\ aQBlAHgA* OR *vssadmin\ delete\ shadows* OR *reg\ SAVE\ HKLM\\SAM* OR *\ \-ma\ * OR *Microsoft\\Windows\\CurrentVersion\\Run* OR *.downloadstring\(* OR *.downloadfile\(* OR *\ \/ticket\:* OR *\ sekurlsa* OR *\ p\:\:d\ * OR *;iex\(* OR *schtasks*\ \/create\ *AppData* OR *\ comsvcs.dll,MiniDump* OR *\ comsvcs.dll,#24*) OR (winlog.event_data.ParentImage.keyword:(*\\WINWORD.EXE* OR *\\EXCEL.EXE* OR *\\POWERPNT.exe* OR *\\MSPUB.exe* OR *\\VISIO.exe* OR *\\OUTLOOK.EXE*) AND winlog.event_data.Image.keyword:(*\\cmd.exe* OR *\\powershell.exe* OR *\\wscript.exe* OR *\\cscript.exe* OR *\\schtasks.exe* OR *\\scrcons.exe* OR *\\regsvr32.exe* OR *\\hh.exe* OR *\\wmic.exe* OR *\\mshta.exe* OR *\\msiexec.exe* OR *\\forfiles.exe* OR *\\AppData\\*)) OR (winlog.event_data.Image.keyword:(*\\apache* OR *\\tomcat* OR *\\w3wp.exe* OR *\\php\-cgi.exe* OR *\\nginx.exe* OR *\\httpd.exe*) AND winlog.event_data.CommandLine.keyword:(*whoami* OR *net\ user\ * OR *ping\ \-n\ * OR *systeminfo* OR *&cd&echo* OR *cd\ \/d\ *)) OR (winlog.event_data.Image.keyword:*\\whoami.exe* AND winlog.event_data.User:"NT\ AUTHORITY\\SYSTEM"))
  29.  
  30. (winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND ((winlog.event_id:"11" AND TargetFileName.keyword:(*.dmp* OR *Desktop\\how* OR *Desktop\\decrypt*)) OR (winlog.event_id:("12" OR "13") AND winlog.event_data.TargetObject.keyword:(*UserInitMprLogonScript* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\*)) OR (winlog.event_id:("12" OR "13") AND winlog.event_data.TargetObject.keyword:(*\\Microsoft\\Windows\\CurrentVersion\\Run\\* OR *\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*) AND winlog.event_data.Details.keyword:(*AppData* OR *\\Users\\Public\\* OR *\\Temp\\* OR *powershell* OR *wscript* OR *cscript*))))
  31.  
  32. (winlog.event_id:"7045" AND winlog.event_data.ServiceName.keyword:(*WCESERVICE* OR *WCE\ SERVICE* OR *winexesvc* OR *DumpSvc* OR *pwdump* OR *gsecdump* OR *cachedump*))
  33.  
  34. # Target: ElasticSearch Query String
  35. # Config: Sysmon
  36.  
  37. prometheus:sigma neo$ ./tools/sigmac -t es-qs -c sysmon ./other/godmode_sigma_rule.yml
  38.  
  39. (EventID:"1" AND (CommandLine.keyword:(*\ \-NoP\ * OR *\ \-W\ Hidden\ * OR *\ \-decode\ * OR *\ \/decode\ * OR *\ \-e*\ JAB* OR *\ \-e*\ SUVYI* OR *\ \-e*\ SQBFAFgA* OR *\ \-e*\ aWV4I* OR *\ \-e*\ IAB* OR *\ \-e*\ PAA* OR *\ \-e*\ aQBlAHgA* OR *vssadmin\ delete\ shadows* OR *reg\ SAVE\ HKLM\\SAM* OR *\ \-ma\ * OR *Microsoft\\Windows\\CurrentVersion\\Run* OR *.downloadstring\(* OR *.downloadfile\(* OR *\ \/ticket\:* OR *\ sekurlsa* OR *\ p\:\:d\ * OR *;iex\(* OR *schtasks*\ \/create\ *AppData* OR *\ comsvcs.dll,MiniDump* OR *\ comsvcs.dll,#24*) OR (ParentImage.keyword:(*\\WINWORD.EXE* OR *\\EXCEL.EXE* OR *\\POWERPNT.exe* OR *\\MSPUB.exe* OR *\\VISIO.exe* OR *\\OUTLOOK.EXE*) AND Image.keyword:(*\\cmd.exe* OR *\\powershell.exe* OR *\\wscript.exe* OR *\\cscript.exe* OR *\\schtasks.exe* OR *\\scrcons.exe* OR *\\regsvr32.exe* OR *\\hh.exe* OR *\\wmic.exe* OR *\\mshta.exe* OR *\\msiexec.exe* OR *\\forfiles.exe* OR *\\AppData\\*)) OR (Image.keyword:(*\\apache* OR *\\tomcat* OR *\\w3wp.exe* OR *\\php\-cgi.exe* OR *\\nginx.exe* OR *\\httpd.exe*) AND CommandLine.keyword:(*whoami* OR *net\ user\ * OR *ping\ \-n\ * OR *systeminfo* OR *&cd&echo* OR *cd\ \/d\ *)) OR (Image.keyword:*\\whoami.exe* AND User:"NT\ AUTHORITY\\SYSTEM")))
  40.  
  41. ((EventID:"11" AND TargetFileName.keyword:(*.dmp* OR *Desktop\\how* OR *Desktop\\decrypt*)) OR (EventID:("12" OR "13") AND TargetObject.keyword:(*UserInitMprLogonScript* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\*)) OR (EventID:("12" OR "13") AND TargetObject.keyword:(*\\Microsoft\\Windows\\CurrentVersion\\Run\\* OR *\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*) AND Details.keyword:(*AppData* OR *\\Users\\Public\\* OR *\\Temp\\* OR *powershell* OR *wscript* OR *cscript*)))
  42.  
  43. (EventID:"7045" AND ServiceName.keyword:(*WCESERVICE* OR *WCE\ SERVICE* OR *winexesvc* OR *DumpSvc* OR *pwdump* OR *gsecdump* OR *cachedump*))
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement