[
  {
    "instruction": "How can I detect: Log4J Wstomcat process execution as seen in Mint Sandstorm activity",
    "context": "",
    "output": "In order to detect Log4J Wstomcat process execution as seen in Mint Sandstorm activity, you should: Focus on monitoring process creation events within Windows systems. Specifically, look for instances where the Wstomcat service ('ws_tomcatservice.exe') is listed as the parent image and is responsible for starting the 'repadmin.exe' process. This particular pattern of activity is indicative of the tactics and techniques associated with Mint Sandstorm activity, where adversaries might exploit Log4J vulnerabilities through specific process execution chains. It is important to pay close attention to these events, although be mindful that there might be cases where similar activity does not signify malicious intent, but such instances are currently unknown. The severity of detecting this activity is considered high, underscoring the potential risk involved.",
    "category": "SigmaFlan",
    "instruction_type": "rule_goal_to_description",
    "parsed_raw_data": {
      "question": "Log4J Wstomcat process execution as seen in Mint Sandstorm activity",
      "answer": "In order to detect Log4J Wstomcat process execution as seen in Mint Sandstorm activity, you should: Focus on monitoring process creation events within Windows systems. Specifically, look for instances where the Wstomcat service ('ws_tomcatservice.exe') is listed as the parent image and is responsible for starting the 'repadmin.exe' process. This particular pattern of activity is indicative of the tactics and techniques associated with Mint Sandstorm activity, where adversaries might exploit Log4J vulnerabilities through specific process execution chains. It is important to pay close attention to these events, although be mindful that there might be cases where similar activity does not signify malicious intent, but such instances are currently unknown. The severity of detecting this activity is considered high, underscoring the potential risk involved."
    }
  },
  {
    "instruction": "Please help me detect the following: execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.",
    "context": "",
    "output": "Sure!\nIn order to detect execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files, you should: monitor the creation of processes on Windows systems for occurrences of the GUP.exe (the Notepad++ updater) being executed. Specifically, look for cases where the executable image name ends with '\\GUP.exe' or the original file name is identified as 'gup.exe'. Additionally, pay attention to the command line arguments used during the process creation, especially if it includes both ' -unzipTo ' and an 'http' indicating an attempt to download files from the internet. However, you should exclude any instances where the GUP.exe is launched by Notepad++ itself, as indicated by having Notepad++ (notepad++.exe) as the parent process. Be aware that there could be false positives if there are legitimate uses of the GUP outside of notepad++ that aren't currently identified. This approach is crucial for identifying instances where the Notepad++ updater might be abused to download malicious files onto a system, which is a high-severity security concern.",
    "category": "SigmaFlan",
    "instruction_type": "rule_goal_to_description",
    "parsed_raw_data": {
      "question": "execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.",
      "answer": "In order to detect execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files, you should: monitor the creation of processes on Windows systems for occurrences of the GUP.exe (the Notepad++ updater) being executed. Specifically, look for cases where the executable image name ends with '\\GUP.exe' or the original file name is identified as 'gup.exe'. Additionally, pay attention to the command line arguments used during the process creation, especially if it includes both ' -unzipTo ' and an 'http' indicating an attempt to download files from the internet. However, you should exclude any instances where the GUP.exe is launched by Notepad++ itself, as indicated by having Notepad++ (notepad++.exe) as the parent process. Be aware that there could be false positives if there are legitimate uses of the GUP outside of notepad++ that aren't currently identified. This approach is crucial for identifying instances where the Notepad++ updater might be abused to download malicious files onto a system, which is a high-severity security concern."
    }
  },
  {
    "instruction": "How can I detect: process, such as mimikatz, accesses the memory of svchost to dump credentials",
    "context": "",
    "output": "In order to detect when a process, such as mimikatz, accesses the memory of svchost to dump credentials, you should: Focus on Windows process access logs and look for events where a process targets the 'svchost.exe' file. Specifically, you should look for any process that has been granted access with the permissions '0x143a' to the memory of 'svchost.exe'. However, you must exclude any access instances where the source of the access is a known and trusted process, notably 'services.exe' or 'msiexec.exe'. This approach is designed to elevate the detection accuracy by minimizing false positives from legitimate executable accesses while ensuring high sensitivity to potentially malicious activities like credential dumping by targeting system processes.",
    "category": "SigmaFlan",
    "instruction_type": "rule_goal_to_description",
    "parsed_raw_data": {
      "question": "process, such as mimikatz, accesses the memory of svchost to dump credentials",
      "answer": "In order to detect when a process, such as mimikatz, accesses the memory of svchost to dump credentials, you should: Focus on Windows process access logs and look for events where a process targets the 'svchost.exe' file. Specifically, you should look for any process that has been granted access with the permissions '0x143a' to the memory of 'svchost.exe'. However, you must exclude any access instances where the source of the access is a known and trusted process, notably 'services.exe' or 'msiexec.exe'. This approach is designed to elevate the detection accuracy by minimizing false positives from legitimate executable accesses while ensuring high sensitivity to potentially malicious activities like credential dumping by targeting system processes."
    }
  },
  {
    "instruction": "Explain how should I detect the following: usage of the \"Squirrel.exe\" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)",
    "context": "",
    "output": "In order to detect the usage of the \"Squirrel.exe\" binary as a LOLBIN, which is part of multiple software installations such as Slack, Teams, and Discord, you should: Monitor the creation of processes on Windows systems, particularly focusing on the execution of 'squirrel.exe' and 'update.exe'. Pay attention to command line parameters that indicate downloading or updating actions, such as '--download', '--update', '--updateRollback=' along with command lines containing 'http' to catch potential remote fetching activities. Additionally, watch for execution flags like '--processStart', '--processStartAndWait', and '--createShortcut' that could be indicative of suspicious activities. It's important to filter out legitimate use cases of these binaries by applications like Discord, GitHub Desktop, Microsoft Teams, and Yammer based on specific command line patterns that are characteristic of normal operations. For instance, exceptions for Discord would involve its update executable path in 'C:\\Users\\[Username]\\AppData\\Local\\Discord\\Update.exe' with command lines that include '--processStart Discord.exe', and similar filters for GitHub Desktop, Teams, and Yammer, identifying genuine shortcuts and process starts. Be aware that there might be false positives, especially with electron-based applications, so a medium level of caution is advised while interpreting the results.",
    "category": "SigmaFlan",
    "instruction_type": "rule_goal_to_description",
    "parsed_raw_data": {
      "question": "usage of the \"Squirrel.exe\" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)",
      "answer": "In order to detect the usage of the \"Squirrel.exe\" binary as a LOLBIN, which is part of multiple software installations such as Slack, Teams, and Discord, you should: Monitor the creation of processes on Windows systems, particularly focusing on the execution of 'squirrel.exe' and 'update.exe'. Pay attention to command line parameters that indicate downloading or updating actions, such as '--download', '--update', '--updateRollback=' along with command lines containing 'http' to catch potential remote fetching activities. Additionally, watch for execution flags like '--processStart', '--processStartAndWait', and '--createShortcut' that could be indicative of suspicious activities. It's important to filter out legitimate use cases of these binaries by applications like Discord, GitHub Desktop, Microsoft Teams, and Yammer based on specific command line patterns that are characteristic of normal operations. For instance, exceptions for Discord would involve its update executable path in 'C:\\Users\\[Username]\\AppData\\Local\\Discord\\Update.exe' with command lines that include '--processStart Discord.exe', and similar filters for GitHub Desktop, Teams, and Yammer, identifying genuine shortcuts and process starts. Be aware that there might be false positives, especially with electron-based applications, so a medium level of caution is advised while interpreting the results."
    }
  },
  {
    "instruction": "How can I detect: usage of the \"Import-Module\" cmdlet in order to add new Cmdlets to the current PowerShell session",
    "context": "",
    "output": "In order to detect usage of the \"Import-Module\" cmdlet in order to add new Cmdlets to the current PowerShell session, you should: focus on monitoring process creation within Windows environments. Specifically, keep an eye out for any instances where PowerShell (either through 'powershell.exe' or 'pwsh.exe') is invoked, as well as cases where the original file names 'PowerShell.EXE' or 'pwsh.dll' are used. Additionally, pay attention to command lines that contain the strings 'Import-Module ' or 'ipmo ', as these are indicative of attempts to import modules into the PowerShell session. It is important to apply this detection across all processes meeting these criteria. However, be aware that in many legitimate scenarios, scripts may import modules inline, meaning that this behavior is not exclusively malicious but should rather be used for hunting purposes with a low alert level.",
    "category": "SigmaFlan",
    "instruction_type": "rule_goal_to_description",
    "parsed_raw_data": {
      "question": "usage of the \"Import-Module\" cmdlet in order to add new Cmdlets to the current PowerShell session",
      "answer": "In order to detect usage of the \"Import-Module\" cmdlet in order to add new Cmdlets to the current PowerShell session, you should: focus on monitoring process creation within Windows environments. Specifically, keep an eye out for any instances where PowerShell (either through 'powershell.exe' or 'pwsh.exe') is invoked, as well as cases where the original file names 'PowerShell.EXE' or 'pwsh.dll' are used. Additionally, pay attention to command lines that contain the strings 'Import-Module ' or 'ipmo ', as these are indicative of attempts to import modules into the PowerShell session. It is important to apply this detection across all processes meeting these criteria. However, be aware that in many legitimate scenarios, scripts may import modules inline, meaning that this behavior is not exclusively malicious but should rather be used for hunting purposes with a low alert level."
    }
  },
  {
    "instruction": "Can you explain how to detect: Identifies when DNS zone is modified or deleted.",
    "context": "",
    "output": "Certainly!\n\nIn order to identify when a DNS zone is modified or deleted, you should: focus on monitoring Azure activity logs for events where the operation name starts with 'MICROSOFT.NETWORK/DNSZONES' and ends with '/WRITE' or '/DELETE'. This approach helps in identifying potentially malicious activities aimed at altering or removing DNS zones, which could lead to various security issues such as redirecting users to malicious sites or disrupting network operations. It's important to consider that while these modifications can be legitimate actions performed by system administrators, any DNS zone modification or deletion that appears unfamiliar or unauthorized should be promptly investigated. Verify the identity of the user making changes, the user agent, and hostname involved to ensure they should have access to make such changes in your environment. This monitoring is categorized with a medium level of importance and is associated with tactics and techniques such as DNS modification and deletion. To minimize false positives, known administrator behaviors that frequently modify or delete DNS zones can be exempted from monitoring.",
    "category": "SigmaFlan",
    "instruction_type": "rule_goal_to_description",
    "parsed_raw_data": {
      "question": "Identifies when DNS zone is modified or deleted.",
      "answer": "In order to identify when a DNS zone is modified or deleted, you should: focus on monitoring Azure activity logs for events where the operation name starts with 'MICROSOFT.NETWORK/DNSZONES' and ends with '/WRITE' or '/DELETE'. This approach helps in identifying potentially malicious activities aimed at altering or removing DNS zones, which could lead to various security issues such as redirecting users to malicious sites or disrupting network operations. It's important to consider that while these modifications can be legitimate actions performed by system administrators, any DNS zone modification or deletion that appears unfamiliar or unauthorized should be promptly investigated. Verify the identity of the user making changes, the user agent, and hostname involved to ensure they should have access to make such changes in your environment. This monitoring is categorized with a medium level of importance and is associated with tactics and techniques such as DNS modification and deletion. To minimize false positives, known administrator behaviors that frequently modify or delete DNS zones can be exempted from monitoring."
    }
  },
  {
    "instruction": "How can I detect: powershell scripts that import modules from suspicious directories",
    "context": "",
    "output": "In order to detect PowerShell scripts that import modules from suspicious directories, you should monitor process creation events on Windows systems for command lines that contain specific patterns indicating an import operation targeting unusual or risky file paths. Specifically, watch for the PowerShell \"Import-Module\" command or its alias \"ipmo,\" used with paths pointing to temporary directories (accessible via environment variables like \"$Env:Temp\" and \"$Env:Appdata\"), or the \"C:\\Users\\Public\\\" directory. These command lines might appear in various forms, including with and without quotation marks around the path, and with the paths being directly called or referenced through environment variables. This monitoring is crucial due to the common abuse of these directories by attackers to execute malicious PowerShell modules as part of their tactics. The tactics often associated with this behavior include execution and persistence, as attackers leverage this method to run code and maintain their foothold within a compromised system. Be aware that while monitoring for these patterns, there may be legitimate uses of these commands that could generate false positives, which are marked as \"Unknown\". The overall risk level for this type of activity is considered medium, underscoring the importance of vigilance without overestimating the threat.",
    "category": "SigmaFlan",
    "instruction_type": "rule_goal_to_description",
    "parsed_raw_data": {
      "question": "powershell scripts that import modules from suspicious directories",
      "answer": "In order to detect PowerShell scripts that import modules from suspicious directories, you should monitor process creation events on Windows systems for command lines that contain specific patterns indicating an import operation targeting unusual or risky file paths. Specifically, watch for the PowerShell \"Import-Module\" command or its alias \"ipmo,\" used with paths pointing to temporary directories (accessible via environment variables like \"$Env:Temp\" and \"$Env:Appdata\"), or the \"C:\\Users\\Public\\\" directory. These command lines might appear in various forms, including with and without quotation marks around the path, and with the paths being directly called or referenced through environment variables. This monitoring is crucial due to the common abuse of these directories by attackers to execute malicious PowerShell modules as part of their tactics. The tactics often associated with this behavior include execution and persistence, as attackers leverage this method to run code and maintain their foothold within a compromised system. Be aware that while monitoring for these patterns, there may be legitimate uses of these commands that could generate false positives, which are marked as \"Unknown\". The overall risk level for this type of activity is considered medium, underscoring the importance of vigilance without overestimating the threat."
    }
  },
  {
    "instruction": "Please help me detect the following: creation of files that look like exports of the local SAM (Security Account Manager)",
    "context": "",
    "output": "Sure!\nIn order to detect the creation of files that look like exports of the local SAM (Security Account Manager), you should: Monitor Windows file events for any creation or modification activities where filenames end with specific patterns such as '\\Temp\\sam', '\\sam.sav', '\\Intel\\sam', '\\sam.hive', '\\Perflogs\\sam', '\\ProgramData\\sam', '\\Users\\Public\\sam', '\\AppData\\Local\\sam', '\\AppData\\Roaming\\sam', and '_ShadowSteal.zip', which is associated with the ShadowSteal malware. Also, watch for filenames that contain patterns like '\\hive_sam_', indicating the use of tools like hivenightmare, as well as variations including '\\sam.save', '\\sam.export', '\\~reg_sam.save', '\\sam_backup', '\\sam.bck', and '\\sam.backup'. These indicators suggest an attempt to export or backup the Security Account Manager (SAM) file, which contains sensitive system and user account information. Note that there might be rare instances where similar file activity is part of legitimate administrative activities, however, under a high alert level, these should be scrutinized closely.",
    "category": "SigmaFlan",
    "instruction_type": "rule_goal_to_description",
    "parsed_raw_data": {
      "question": "creation of files that look like exports of the local SAM (Security Account Manager)",
      "answer": "In order to detect the creation of files that look like exports of the local SAM (Security Account Manager), you should: Monitor Windows file events for any creation or modification activities where filenames end with specific patterns such as '\\Temp\\sam', '\\sam.sav', '\\Intel\\sam', '\\sam.hive', '\\Perflogs\\sam', '\\ProgramData\\sam', '\\Users\\Public\\sam', '\\AppData\\Local\\sam', '\\AppData\\Roaming\\sam', and '_ShadowSteal.zip', which is associated with the ShadowSteal malware. Also, watch for filenames that contain patterns like '\\hive_sam_', indicating the use of tools like hivenightmare, as well as variations including '\\sam.save', '\\sam.export', '\\~reg_sam.save', '\\sam_backup', '\\sam.bck', and '\\sam.backup'. These indicators suggest an attempt to export or backup the Security Account Manager (SAM) file, which contains sensitive system and user account information. Note that there might be rare instances where similar file activity is part of legitimate administrative activities, however, under a high alert level, these should be scrutinized closely."
    }
  },
  {
    "instruction": "Can you explain how to detect: attack technique pass the hash which is used to move laterally inside the network",
    "context": "",
    "output": "Certainly!\n\nIn order to detect the attack technique pass the hash which is used to move laterally inside the network, you should monitor specific events and conditions within Windows security logs. Focus on capturing event IDs 4624, which signify a successful logon, and 4625, which indicate a failed logon attempt. These events are particularly relevant when the logon type is 3, representing a network logon which is commonly used during lateral movement attempts. Additionally, the logon process name should be 'NtLmSsp', which is indicative of NTLM (NT LAN Manager) authentication, often exploited in pass the hash attacks.\n\nIt is crucial to pay attention to the originating and target workstation names in these events. The condition implies that both the workstation from where the logon attempt was made and the target computer should match your network's workstation naming conventions (referred here as '%Workstations%'). This helps in pinpointing the attempts that are specifically targeted at moving laterally within your network.\n\nHowever, it's important to exclude any logon attempts that are recorded with the target username as 'ANONYMOUS LOGON'. These might not be related to malicious activity and can lead to false positives. Speaking of which, legitimate administrator activities could also trigger these conditions and should be considered when evaluating alerts.\n\nThis focused monitoring approach, by analyzing network logon attempts via the NTLM authentication involving specific workstations, aids in discerning potential lateral movement activities facilitated by pass the hash attacks. It stands on the medium level of alert severity due to the balance between the necessity of detecting malicious activities and the potential for false positives, such as routine administrator tasks.",
    "category": "SigmaFlan",
    "instruction_type": "rule_goal_to_description",
    "parsed_raw_data": {
      "question": "attack technique pass the hash which is used to move laterally inside the network",
      "answer": "In order to detect the attack technique pass the hash which is used to move laterally inside the network, you should monitor specific events and conditions within Windows security logs. Focus on capturing event IDs 4624, which signify a successful logon, and 4625, which indicate a failed logon attempt. These events are particularly relevant when the logon type is 3, representing a network logon which is commonly used during lateral movement attempts. Additionally, the logon process name should be 'NtLmSsp', which is indicative of NTLM (NT LAN Manager) authentication, often exploited in pass the hash attacks.\n\nIt is crucial to pay attention to the originating and target workstation names in these events. The condition implies that both the workstation from where the logon attempt was made and the target computer should match your network's workstation naming conventions (referred here as '%Workstations%'). This helps in pinpointing the attempts that are specifically targeted at moving laterally within your network.\n\nHowever, it's important to exclude any logon attempts that are recorded with the target username as 'ANONYMOUS LOGON'. These might not be related to malicious activity and can lead to false positives. Speaking of which, legitimate administrator activities could also trigger these conditions and should be considered when evaluating alerts.\n\nThis focused monitoring approach, by analyzing network logon attempts via the NTLM authentication involving specific workstations, aids in discerning potential lateral movement activities facilitated by pass the hash attacks. It stands on the medium level of alert severity due to the balance between the necessity of detecting malicious activities and the potential for false positives, such as routine administrator tasks."
    }
  },
  {
    "instruction": "Please help me detect the following: Obfuscated use of Clip.exe to execute PowerShell",
    "context": "",
    "output": "Sure!\nIn order to detect obfuscated use of Clip.exe to execute PowerShell, you should: Monitor Windows system logs for events that signify the unusual use of Clip.exe by scrutinizing activities logged by the Service Control Manager. Specifically, look for event ID 7045, which represents a service installation. The critical aspect to watch for in these logs is the execution path that includes 'cmd' (indicating command prompt usage), '&&' (a method to chain commands together), and 'clipboard]::' (suggesting an attempt to interact with the clipboard in a potentially obfuscated manner). Such a combination of elements in the ImagePath indicates an attempt to leverage the clipboard utility (Clip.exe) to execute PowerShell commands, possibly in a concealed way. The level of concern for such findings is high, although there might be instances where similar patterns arise without malicious intent; such false positives are currently unknown. This detection strategy is aligned with identifying tactics and techniques like Execution, Obfuscation, and Command and Scripting Interpreter within the framework of understanding cyber threats.",
    "category": "SigmaFlan",
    "instruction_type": "rule_goal_to_description",
    "parsed_raw_data": {
      "question": "Obfuscated use of Clip.exe to execute PowerShell",
      "answer": "In order to detect obfuscated use of Clip.exe to execute PowerShell, you should: Monitor Windows system logs for events that signify the unusual use of Clip.exe by scrutinizing activities logged by the Service Control Manager. Specifically, look for event ID 7045, which represents a service installation. The critical aspect to watch for in these logs is the execution path that includes 'cmd' (indicating command prompt usage), '&&' (a method to chain commands together), and 'clipboard]::' (suggesting an attempt to interact with the clipboard in a potentially obfuscated manner). Such a combination of elements in the ImagePath indicates an attempt to leverage the clipboard utility (Clip.exe) to execute PowerShell commands, possibly in a concealed way. The level of concern for such findings is high, although there might be instances where similar patterns arise without malicious intent; such false positives are currently unknown. This detection strategy is aligned with identifying tactics and techniques like Execution, Obfuscation, and Command and Scripting Interpreter within the framework of understanding cyber threats."
    }
  }
]