SigmaHQ/tools/config/thor.yml

310 lines
6.9 KiB
YAML
Raw Normal View History

2019-05-16 21:33:51 +00:00
title: THOR
order: 20
backends:
- thor
# this configuration differs from other configurations and can not be used
# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.
2018-06-29 14:42:16 +00:00
logsources:
# log source configurations for generic sigma rules
process_creation_1:
category: process_creation
product: windows
conditions:
EventID: 1
rewrite:
product: windows
service: sysmon
process_creation_2:
category: process_creation
product: windows
conditions:
EventID: 4688
rewrite:
product: windows
service: security
fieldmappings:
Image: NewProcessName
ParentImage: ParentProcessName
2021-04-23 15:47:09 +00:00
network_connection:
category: network_connection
product: windows
conditions:
EventID: 3
rewrite:
product: windows
service: sysmon
sysmon_status1:
category: sysmon_status
product: windows
conditions:
EventID: 4
rewrite:
product: windows
service: sysmon
sysmon_status2:
category: sysmon_status
product: windows
conditions:
EventID: 16
rewrite:
product: windows
service: sysmon
2021-04-23 15:47:09 +00:00
process_terminated:
category: process_termination
product: windows
conditions:
EventID: 5
rewrite:
product: windows
service: sysmon
driver_loaded:
category: driver_load
product: windows
conditions:
EventID: 6
rewrite:
product: windows
service: sysmon
image_loaded:
category: image_load
product: windows
conditions:
EventID: 7
rewrite:
product: windows
service: sysmon
create_remote_thread:
category: create_remote_thread
product: windows
conditions:
EventID: 8
rewrite:
product: windows
service: sysmon
raw_access_thread:
category: raw_access_thread
product: windows
conditions:
EventID: 9
rewrite:
product: windows
service: sysmon
process_access:
category: process_access
product: windows
conditions:
EventID: 10
rewrite:
product: windows
service: sysmon
file_creation:
category: file_event
product: windows
conditions:
EventID: 11
rewrite:
product: windows
service: sysmon
2021-07-08 12:51:49 +00:00
registry_event1:
2021-04-23 15:47:09 +00:00
category: registry_event
product: windows
conditions:
2021-07-08 12:51:49 +00:00
EventID: 12
rewrite:
product: windows
service: sysmon
registry_event2:
category: registry_event
product: windows
conditions:
EventID: 13
rewrite:
product: windows
service: sysmon
registry_event3:
category: registry_event
product: windows
conditions:
EventID: 14
2021-04-23 15:47:09 +00:00
rewrite:
product: windows
service: sysmon
create_stream_hash:
category: create_stream_hash
product: windows
conditions:
EventID: 15
rewrite:
product: windows
service: sysmon
2021-07-08 12:51:49 +00:00
pipe_created1:
category: pipe_created
product: windows
conditions:
EventID: 17
rewrite:
product: windows
service: sysmon
pipe_created2:
2021-04-23 15:47:09 +00:00
category: pipe_created
product: windows
conditions:
2021-07-08 12:51:49 +00:00
EventID: 18
rewrite:
product: windows
service: sysmon
wmi_event1:
category: wmi_event
product: windows
conditions:
EventID: 19
rewrite:
product: windows
service: sysmon
wmi_event2:
category: wmi_event
product: windows
conditions:
EventID: 20
2021-04-23 15:47:09 +00:00
rewrite:
product: windows
service: sysmon
2021-07-08 12:51:49 +00:00
wmi_event3:
2021-04-23 15:47:09 +00:00
category: wmi_event
product: windows
conditions:
2021-07-08 12:51:49 +00:00
EventID: 21
2021-04-23 15:47:09 +00:00
rewrite:
product: windows
service: sysmon
dns_query:
category: dns_query
product: windows
conditions:
EventID: 22
rewrite:
product: windows
service: sysmon
file_delete:
category: file_delete
product: windows
conditions:
EventID: 23
rewrite:
product: windows
service: sysmon
sysmon_error:
2021-07-22 08:14:54 +00:00
category: sysmon_error
product: windows
conditions:
EventID: 255
rewrite:
product: windows
service: sysmon
# target system configurations
2018-06-29 14:42:16 +00:00
windows-application:
product: windows
service: application
sources:
- "WinEventLog:Application"
2018-06-29 14:42:16 +00:00
windows-security:
product: windows
service: security
sources:
- "WinEventLog:Security"
2018-11-27 13:05:13 +00:00
windows-system:
2018-06-29 14:42:16 +00:00
product: windows
service: system
sources:
- "WinEventLog:System"
2020-07-06 15:07:06 +00:00
windows-ntlm:
product: windows
service: ntlm
sources:
- "WinEventLog:Microsoft-Windows-NTLM/Operational"
2018-06-29 14:42:16 +00:00
windows-sysmon:
product: windows
service: sysmon
sources:
- "WinEventLog:Microsoft-Windows-Sysmon/Operational"
2018-06-29 14:42:16 +00:00
windows-powershell:
product: windows
service: powershell
sources:
- "WinEventLog:Microsoft-Windows-PowerShell/Operational"
2021-07-02 12:14:48 +00:00
windows-classicpowershell:
product: windows
service: powershell-classic
sources:
- "WinEventLog:Windows PowerShell"
2018-11-27 13:05:13 +00:00
windows-taskscheduler:
2018-06-29 14:42:16 +00:00
product: windows
service: taskscheduler
sources:
- "WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
2018-06-29 14:42:16 +00:00
windows-wmi:
product: windows
service: wmi
sources:
- "WinEventLog:Microsoft-Windows-WMI-Activity/Operational"
windows-dhcp:
product: windows
service: dhcp
sources:
- "WinEventLog:Microsoft-Windows-DHCP-Server/Operational"
2021-06-30 12:22:40 +00:00
windows-printservice-admin:
product: windows
2021-06-30 12:22:40 +00:00
service: printservice-admin
sources:
2021-06-30 12:22:40 +00:00
- "WinEventLog:Microsoft-Windows-PrintService/Admin"
windows-smbclient-security:
product: windows
service: smbclient-security
sources:
2021-07-01 07:55:15 +00:00
- "WinEventLog:Microsoft-Windows-SmbClient/Security"
windows-printservice-operational:
product: windows
service: printservice-operational
sources:
- "WinEventLog:Microsoft-Windows-PrintService/Operational"
2020-07-13 20:23:42 +00:00
windows-applocker:
product: windows
service: applocker
sources:
2021-03-20 07:52:55 +00:00
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
sources:
2021-03-20 07:52:55 +00:00
- 'WinEventLog:MSExchange Management'
windows-defender:
product: windows
service: windefend
sources:
- 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
2018-06-29 14:42:16 +00:00
apache:
category: webserver
sources:
- "File:/var/log/apache/*.log"
- "File:/var/log/apache2/*.log"
- "File:/var/log/httpd/*.log"
2018-06-29 14:42:16 +00:00
linux-auth:
product: linux
service: auth
sources:
- "File:/var/log/auth.log"
- "File:/var/log/auth.log.?"
2018-06-29 14:42:16 +00:00
linux-syslog:
product: linux
service: syslog
sources:
- "File:/var/log/syslog"
- "File:/var/log/syslog.?"
logfiles:
category: logfile
sources:
- "File:*.log"