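Splunk SPL hunting searches, one per ATT&CK technique. Every search has the same shape: scope the data with the `indextime` macro and a source macro (`sysmon`, `windows-security`, `windows`, `powershell`), tag each row with ATT&CK metadata fields via `eval`, drop known-good activity through a `*_whitelist` macro (the false-positive tuning point), convert the index time to a readable timestamp, and `collect` the remaining rows into the `jarvis_index` summary index. Conventions applied throughout: phrases are double-quoted (single quotes are not phrase delimiters in SPL search terms), mixed AND/OR groups are parenthesised so the grouping does not depend on the search command's Boolean precedence, wildcard matches are written with explicit `*`, and the `table` column list is the same for every process-creation search so the summary index keeps a stable schema. Inline ```...``` spans inside a search are SPL comments, not Markdown fences.

[T1566.001] Spearphishing Attachment - Opened
Registry writes that record a user enabling a macro or trusting a document (Office TrustRecords and the VBA settings key). `registry_key_path` appears to be the normalised key path (the Sysmon TargetObject value), so the literal "TargetObject=" prefix from the raw event is not part of the value and was removed from the second pattern. The event carries no file hash, so no hash field is normalised here.
```
`indextime` `sysmon` event_id=13
    (registry_key_path="*trustrecords*" OR registry_key_path="*Software\\Microsoft\\VBA\\7.1\\Common*")
| eval hunting_trigger="Macro enabled for document", mitre_category="Initial_Access", mitre_technique="Phishing", mitre_technique_id="T1566", mitre_subtechnique="Spearphishing Attachment", mitre_subtechnique_id="T1566.001", apt="", mitre_link="https://attack.mitre.org/techniques/T1566/001/", creator="Cpl Iverson", last_tested="", upload_date="2024-01-01", last_modify_date="2025-01-09", mitre_version="v16", priority=""
| `registry_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```

[T1543.003] Windows Service - Process (previously titled "[T1050] New Service"; ATT&CK merged T1050 into T1543.003, which is what the metadata already tags)
Process creation of sc.exe / powershell.exe / cmd.exe with a command line that creates a service (`sc create ... binpath`, `New-Service -BinaryPathName`, or WMI Win32_Service create). `last_tested` was added to the metadata and the column list so this search emits the same schema as its siblings.
```
`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688))
    (process_name="sc.exe" OR process_name="powershell.exe" OR process_name="cmd.exe")
    (process_command_line="*New-Service*BinaryPathName*" OR process_command_line="*sc*create*binpath*" OR process_command_line="*Get-WmiObject*Win32_Service*create*")
| eval hash_sha256=lower(hash_sha256), hunting_trigger="Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.", mitre_category=mvappend("Persistence","Privilege_Escalation"), mitre_technique="Create or Modify System Process", mitre_technique_id="T1543", mitre_subtechnique="Windows Service", mitre_subtechnique_id="T1543.003", apt="", mitre_link="https://attack.mitre.org/techniques/T1543/003/", creator="Cpl Iverson", last_tested="", upload_date="2024-01-01", last_modify_date="2025-01-08", mitre_version="v16", priority=""
| `process_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```

[T1053.005] Scheduled Task - FileAccess
Sysmon file-create events (event 11) for task definition files written under the scheduled-task directories by any process other than svchost.exe, which is the normal writer. The original search set only `mitre_technique`, `mitre_technique_id` and `apt`, so the `hunting_trigger` and `mitre_category` columns it tabled were always empty; the metadata is now filled in (T1053 "Scheduled Task/Job", sub-technique T1053.005 "Scheduled Task") and `apt` is included in the output. No creator/date metadata is recorded for this search on the page, so none is invented here.
```
`indextime` `sysmon` event_id=11 process_path!="C:\\WINDOWS\\system32\\svchost.exe"
    (file_path="C:\\Windows\\System32\\Tasks\\*" OR file_path="C:\\Windows\\Tasks\\*")
| eval hunting_trigger="Task definition file written to a scheduled-task directory by a process other than svchost.exe", mitre_category=mvappend("Execution","Persistence","Privilege_Escalation"), mitre_technique="Scheduled Task/Job", mitre_technique_id="T1053", mitre_subtechnique="Scheduled Task", mitre_subtechnique_id="T1053.005", apt=mvappend("Volt Typhoon"), mitre_link="https://attack.mitre.org/techniques/T1053/005/"
| `file_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link
| collect `jarvis_index`
```

[T1087.003] Email Account
Raw-text search for PowerShell enumerating AD users' e-mail addresses. The phrases were single-quoted, which the search command does not treat as phrase delimiters, so they are now double-quoted; the grouping keeps the original intent (`powershell /c` together with either Get-ADUser filter/property form, or the bare `powershell /c Get-ADUser` phrase). No event_id or process field is applied, so this search matches any event text from the two source macros.
```
`indextime` (`sysmon` OR `windows`)
    (("powershell /c" ("Get-ADUser -Filter * -Properties EmailAddress" OR "Select-Object Name, EmailAddress")) OR "powershell /c Get-ADUser")
| eval hash_sha256=lower(hash_sha256), hunting_trigger="Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).", mitre_category="Discovery", mitre_technique="Account Discovery", mitre_technique_id="T1087", mitre_subtechnique="Email Account", mitre_subtechnique_id="T1087.003", apt="Magic Hound", mitre_link="https://attack.mitre.org/techniques/T1087/003", creator="Cpl Iverson", last_tested="", upload_date="2025-01-08", last_modify_date="2025-01-08", mitre_version="v16", priority=""
| `process_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```

[T1203] Exploitation for Client Execution - Office application execution (previously titled "[T1087] Account Discovery - net group", which does not describe this search; the metadata already tags T1203)
Word/Excel/PowerPoint process creation whose command line mentions macro, automation or shellcode and whose parent command line starts with "open". Fixes: the `Image` and `CommandLine` values had no wildcards, so the exact-match comparisons (`Image="\winword.exe"`, `CommandLine="macro"`) could never match a full path or a real command line; the `eval` was missing the comma before `cve=`, which is a syntax error; `last_tested` and the CVE/metadata columns are now tabled. NOTE(review): this search still uses the raw Sysmon field names (EventCode, Image, CommandLine, ParentCommandLine) while its siblings use the normalised process_* fields; Security 4688 events likely carry no `Image` field, so the 4688 branch probably never matches — confirm against the field extractions before relying on it.
```
`indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688"))
    (Image="*\\winword.exe" OR Image="*\\excel.exe" OR Image="*\\powerpnt.exe")
    (CommandLine="*macro*" OR CommandLine="*automation*" OR CommandLine="*shellcode*")
    ParentCommandLine="open*"
| eval hash_sha256=lower(hash_sha256), hunting_trigger="Office Application Process Execution", mitre_category="Execution", mitre_technique="Exploitation for Client Execution", mitre_technique_id="T1203", mitre_subtechnique="", mitre_subtechnique_id="", cve=mvappend("CVE-2020-0938","CVE-2020-1020"), apt="", mitre_link="https://attack.mitre.org/techniques/T1203/", creator="Cpl Iverson", last_tested="", upload_date="2024-12-11", last_modify_date="2024-12-11", mitre_version="v16", priority=""
| `process_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id cve apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```

[T1010] Application Window Discovery_Analytic_1
PowerShell module-logging events (4103) whose command line combines Get-Process with mainWindowTitle, i.e. listing the titles of open windows. NOTE(review): whether `CommandLine` and the process_* columns are populated on 4103 events depends on the field extraction for the `powershell` source, and `process_create_whitelist` is a process-creation allowlist being applied to script-log events — confirm both against the data before treating an empty result as "nothing found".
```
`indextime` `powershell` EventCode="4103"
| where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"
| eval hash_sha256=lower(hash_sha256), hunting_trigger="Suspicious Commands", mitre_category="Discovery", mitre_technique="Application Window Discovery", mitre_technique_id="T1010", mitre_subtechnique="", mitre_subtechnique_id="", apt=mvappend("HEXANE","Lazarus Group","Volt Typhoon"), mitre_link="https://attack.mitre.org/techniques/T1010/", creator="Cpl Iverson", last_tested="", upload_date="2024-12-04", last_modify_date="2024-12-04", mitre_version="v16", priority=""
| `process_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```

[T1010] Application Window Discovery_Analytic_2
Same command-line pattern as Analytic_1, but on process-creation events. The Security branch was selecting `sourcetype="WinEventLog:Security"` directly; it now uses the `windows-security` macro like every other search on this page so the data scope is defined in one place.
```
`indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688"))
| where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"
| eval hash_sha256=lower(hash_sha256), hunting_trigger="Suspicious Processes", mitre_category="Discovery", mitre_technique="Application Window Discovery", mitre_technique_id="T1010", mitre_subtechnique="", mitre_subtechnique_id="", apt=mvappend("HEXANE","Lazarus Group","Volt Typhoon"), mitre_link="https://attack.mitre.org/techniques/T1010/", creator="Cpl Iverson", last_tested="", upload_date="2024-12-04", last_modify_date="2024-12-04", mitre_version="v16", priority=""
| `process_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```

[T1560.001] Archive via Utility
Raw-text search for PowerShell Compress-Archive producing a zip. The original phrase `"powershell /c 'Compress-Archive"` embedded a stray single quote that a real command line need not contain; the terms are now matched separately so the search does not depend on that character. The bare `zip` term is broad and relies on `process_create_whitelist` for tuning.
```
`indextime` (`sysmon` OR `windows`)
    "powershell /c" "Compress-Archive" "zip"
| eval hash_sha256=lower(hash_sha256), hunting_trigger="Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration.", mitre_category="Collection", mitre_technique="Archive Collected Data", mitre_technique_id="T1560", mitre_subtechnique="Archive via Utility", mitre_subtechnique_id="T1560.001", apt="Magic Hound", mitre_link="https://attack.mitre.org/techniques/T1560/001/", creator="Cpl Iverson", last_tested="", upload_date="2025-01-08", last_modify_date="2025-01-08", mitre_version="v16", priority=""
| `process_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```

[T1560] Archive Collected Data
Process creation of archiving tools: PowerShell piping a recursive listing into Compress-Archive, `rar a`, 7z.exe, or any *zip.exe. The four alternatives are now grouped explicitly so each of them is scoped to the process-creation event selector, and the sub-technique/metadata columns that the `eval` sets are now tabled. NOTE(review): `file_create_whitelist` is applied after `process_create_whitelist` although these are process events; it was kept because its effect depends on the macro body, which is not on this page — confirm it is intended.
```
`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688))
    ((process_name="powershell.exe" AND process_command_line="*-Recurse | Compress-Archive*")
     OR (process_name="rar.exe" AND process_command_line="rar*a*")
     OR process_name="7z.exe"
     OR process_name="*zip.exe")
| eval hash_sha256=lower(hash_sha256), hunting_trigger="Command Line Usage of Archiving Software", mitre_category="Collection", mitre_technique="Archive Collected Data", mitre_technique_id="T1560", mitre_subtechnique="Archive via Utility", mitre_subtechnique_id="T1560.001", apt=mvappend("APT1","APT28","APT3","APT33","APT39","APT41","APT5","Agrius","Akira","Aquatic Panda","BRONZE BUTLER","Chimera","CopyKittens","Earth Lusca","FIN13","FIN8","Fox Kitten","GALLIUM","Gallmaker","HAFNIUM","INC Ransom","Ke3chang","Kimsuky","Magic Hound","MuddyWater","Mustang Panda","Play","RedCurl","Sowbug","ToddyCat","Turla","Volt Typhoon","Wizard Spider","menuPass"), mitre_link="https://attack.mitre.org/techniques/T1560/001/", creator="Cpl Iverson", last_tested="", upload_date="2024-12-04", last_modify_date="2024-12-04", mitre_version="v16", priority=""
| `process_create_whitelist`
| `file_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```

[T1560.001] LOLBAS Chinese APT Creating a 7z Archive in temp
Port of a Sigma rule: 7z.exe adding (`a`) a password-protected (`-p`) archive under c:\windows\temp. Fixes: the search selected `windows-security` events but filtered on the Sysmon-only fields `Image`/`OriginalFileName`, so it could not match; it now selects both process-creation sources and filters on the normalised `process_path`/`original_file_name`/`process_command_line` fields that this search already tables. `mitre_technique` said "OS Credential Dumping" against `mitre_technique_id="T1560"`, which this page itself maps to "Archive Collected Data"; the technique and sub-technique now agree with the T1560 searches above, the Sigma source URL moved from `mitre_link` into an inline SPL comment, and the typo "achrive" in `hunting_trigger` is corrected.
```
`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) ```name: LOLBAS Chinese APT Creating a 7z Archive in temp; uuid: 805be6dd-20d2-42dc-b70a-b058ae83002b; author: SIMKRA, @SIMKRA202; source: https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Creating%20a%207z%20Archive%20in%20temp.yml```
    (process_path="*\\7z.exe" OR original_file_name="7z.exe")
    process_command_line="*a -p*" process_command_line="*c:\\windows\\temp\\*"
| eval hash_sha256=lower(hash_sha256), hunting_trigger="Detects the suspicious creation of a 7z archive into the c:\windows\temp\ folder.", mitre_category="Collection", mitre_technique="Archive Collected Data", mitre_technique_id="T1560", mitre_subtechnique="Archive via Utility", mitre_subtechnique_id="T1560.001", apt="Volt Typhoon", mitre_link="https://attack.mitre.org/techniques/T1560/001/", creator="Cpl Iverson", last_tested="", upload_date="2025-01-07", last_modify_date="2025-01-07", mitre_version="v16", priority="high"
| `process_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```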