diff --git a/.DS_Store b/.DS_Store
index d7b52c5d..fc3660a0 100644
Binary files a/.DS_Store and b/.DS_Store differ
diff --git a/elastalert_rules/sigma_av_exploiting.yml b/elastalert_rules/sigma_av_exploiting.yml
deleted file mode 100644
index 8e5f2843..00000000
--- a/elastalert_rules/sigma_av_exploiting.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a highly relevant Antivirus alert that reports an exploitation framework
-filter:
-- query:
- query_string:
- query: data.win.eventdata.signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)
-index: wazuh-alerts-3.x-*
-name: sigma_av_exploiting
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_av_password_dumper.yml b/elastalert_rules/sigma_av_password_dumper.yml
deleted file mode 100644
index 2ee1df34..00000000
--- a/elastalert_rules/sigma_av_password_dumper.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a highly relevant Antivirus alert that reports a password dumper
-filter:
-- query:
- query_string:
- query: data.win.eventdata.signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)
-index: wazuh-alerts-3.x-*
-name: sigma_av_password_dumper
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_av_relevant_files.yml b/elastalert_rules/sigma_av_relevant_files.yml
deleted file mode 100644
index 396a0c8a..00000000
--- a/elastalert_rules/sigma_av_relevant_files.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
-filter:
-- query:
- query_string:
- query: data.win.eventdata.originalFileName.keyword:(C\:\\Windows\\Temp\\* OR C\:\\Temp\\* OR *\\Client\\* OR C\:\\PerfLogs\\* OR C\:\\Users\\Public\\* OR C\:\\Users\\Default\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.sct OR *.vbe OR *.wsf OR *.wsh)
-index: wazuh-alerts-3.x-*
-name: sigma_av_relevant_files
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_av_webshell.yml b/elastalert_rules/sigma_av_webshell.yml
deleted file mode 100644
index 7fd7dfde..00000000
--- a/elastalert_rules/sigma_av_webshell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a highly relevant Antivirus alert that reports a web shell
-filter:
-- query:
- query_string:
- query: data.win.eventdata.signature.keyword:(PHP\/Backdoor* OR JSP\/Backdoor* OR ASP\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)
-index: wazuh-alerts-3.x-*
-name: sigma_av_webshell
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_mal_azorult_reg.yml b/elastalert_rules/sigma_mal_azorult_reg.yml
deleted file mode 100644
index aaec4797..00000000
--- a/elastalert_rules/sigma_mal_azorult_reg.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the presence of a registry key created during Azorult execution
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("12" OR "13") AND data.win.eventdata.targetObject.keyword:(*SYSTEM\\*\\services\\localNETService))
-index: wazuh-alerts-3.x-*
-name: sigma_mal_azorult_reg
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_alternate_powershell_hosts.yml b/elastalert_rules/sigma_powershell_alternate_powershell_hosts.yml
deleted file mode 100644
index 6d55bff3..00000000
--- a/elastalert_rules/sigma_powershell_alternate_powershell_hosts.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:("4103" OR "400") AND ContextInfo.keyword:*) AND (NOT (ContextInfo:"powershell.exe" OR data.win.system.message:"powershell.exe")))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_alternate_powershell_hosts
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_clear_powershell_history.yml b/elastalert_rules/sigma_powershell_clear_powershell_history.yml
deleted file mode 100644
index e409d790..00000000
--- a/elastalert_rules/sigma_powershell_clear_powershell_history.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects keywords that could indicate clearing PowerShell history
-filter:
-- query:
- query_string:
- query: "\\*.keyword:(*del\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *Set\\-PSReadlineOption\\ \u2013HistorySaveStyle\\ SaveNothing* OR *Remove\\-Item\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *rm\\ \\(Get\\-PSReadlineOption\\).HistorySavePath*)"
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_clear_powershell_history
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_create_local_user.yml b/elastalert_rules/sigma_powershell_create_local_user.yml
deleted file mode 100644
index b66216a3..00000000
--- a/elastalert_rules/sigma_powershell_create_local_user.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects creation of a local user via PowerShell
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4104" AND data.win.system.message.keyword:(*New\-LocalUser*))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_create_local_user
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_data_compressed.yml b/elastalert_rules/sigma_powershell_data_compressed.yml
deleted file mode 100644
index 0f5f9862..00000000
--- a/elastalert_rules/sigma_powershell_data_compressed.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4104" AND keywords.keyword:*\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\-Archive*)
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_data_compressed
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_dnscat_execution.yml b/elastalert_rules/sigma_powershell_dnscat_execution.yml
deleted file mode 100644
index f986842e..00000000
--- a/elastalert_rules/sigma_powershell_dnscat_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Dnscat exfiltration tool execution
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4104" AND ScriptBlockText.keyword:*Start\-Dnscat2*)
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_dnscat_execution
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_downgrade_attack.yml b/elastalert_rules/sigma_powershell_downgrade_attack.yml
deleted file mode 100644
index c1715915..00000000
--- a/elastalert_rules/sigma_powershell_downgrade_attack.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"400" AND data.win.eventdata.engine Version.keyword:2.*) AND (NOT (powershell.host.version.keyword:2.*)))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_downgrade_attack
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_exe_calling_ps.yml b/elastalert_rules/sigma_powershell_exe_calling_ps.yml
deleted file mode 100644
index 219de2f1..00000000
--- a/elastalert_rules/sigma_powershell_exe_calling_ps.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PowerShell called from an executable by the version mismatch method
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"400" AND data.win.eventdata.engine Version.keyword:(2.* OR 4.* OR 5.*) AND powershell.host.version.keyword:3.*)
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_exe_calling_ps
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_invoke_obfuscation_obfuscated_iex.yml b/elastalert_rules/sigma_powershell_invoke_obfuscation_obfuscated_iex.yml
deleted file mode 100644
index 0662c8e2..00000000
--- a/elastalert_rules/sigma_powershell_invoke_obfuscation_obfuscated_iex.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"4104" AND (ScriptBlockText:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ScriptBlockText:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ScriptBlockText:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ScriptBlockText:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ScriptBlockText:/\*mdr\*\W\s*\)\.Name/ OR ScriptBlockText:/\$VerbosePreference\.ToString\(/ OR ScriptBlockText:/\String\]\s*\$VerbosePreference/)) OR (data.win.system.eventID:"4103" AND (Payload:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR Payload:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR Payload:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR Payload:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR Payload:/\*mdr\*\W\s*\)\.Name/ OR Payload:/\$VerbosePreference\.ToString\(/ OR Payload:/\String\]\s*\$VerbosePreference/)))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_invoke_obfuscation_obfuscated_iex
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_malicious_commandlets.yml b/elastalert_rules/sigma_powershell_malicious_commandlets.yml
deleted file mode 100644
index 61ab809f..00000000
--- a/elastalert_rules/sigma_powershell_malicious_commandlets.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-filter:
-- query:
- query_string:
- query: (data.win.system.message.keyword:(*Invoke\-DllInjection* OR *Invoke\-Shellcode* OR *Invoke\-WmiCommand* OR *Get\-GPPPassword* OR *Get\-Keystrokes* OR *Get\-TimedScreenshot* OR *Get\-VaultCredential* OR *Invoke\-CredentialInjection* OR *Invoke\-Mimikatz* OR *Invoke\-NinjaCopy* OR *Invoke\-TokenManipulation* OR *Out\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\-ReflectivePEInjection* OR *Invoke\-UserHunter* OR *Find\-GPOLocation* OR *Invoke\-ACLScanner* OR *Invoke\-DowngradeAccount* OR *Get\-ServiceUnquoted* OR *Get\-ServiceFilePermission* OR *Get\-ServicePermission* OR *Invoke\-ServiceAbuse* OR *Install\-ServiceBinary* OR *Get\-RegAutoLogon* OR *Get\-VulnAutoRun* OR *Get\-VulnSchTask* OR *Get\-UnattendedInstallFile* OR *Get\-ApplicationHost* OR *Get\-RegAlwaysInstallElevated* OR *Get\-Unconstrained* OR *Add\-RegBackdoor* OR *Add\-ScrnSaveBackdoor* OR *Gupt\-Backdoor* OR *Invoke\-ADSBackdoor* OR *Enabled\-DuplicateToken* OR *Invoke\-PsUaCme* OR *Remove\-Update* OR *Check\-VM* OR *Get\-LSASecret* OR *Get\-PassHashes* OR *Show\-TargetScreen* OR *Port\-Scan* OR *Invoke\-PoshRatHttp* OR *Invoke\-PowerShellTCP* OR *Invoke\-PowerShellWMI* OR *Add\-Exfiltration* OR *Add\-Persistence* OR *Do\-Exfiltration* OR *Start\-CaptureServer* OR *Get\-ChromeDump* OR *Get\-ClipboardContents* OR *Get\-FoxDump* OR *Get\-IndexedItem* OR *Get\-Screenshot* OR *Invoke\-Inveigh* OR *Invoke\-NetRipper* OR *Invoke\-EgressCheck* OR *Invoke\-PostExfil* OR *Invoke\-PSInject* OR *Invoke\-RunAs* OR *MailRaider* OR *New\-HoneyHash* OR *Set\-MacAttribute* OR *Invoke\-DCSync* OR *Invoke\-PowerDump* OR *Exploit\-Jboss* OR *Invoke\-ThunderStruck* OR *Invoke\-VoiceTroll* OR *Set\-Wallpaper* OR *Invoke\-InveighRelay* OR *Invoke\-PsExec* OR *Invoke\-SSHCommand* OR *Get\-SecurityPackages* OR *Install\-SSP* OR *Invoke\-BackdoorLNK* OR *PowerBreach* OR *Get\-SiteListPassword* OR *Get\-System* OR *Invoke\-BypassUAC* OR *Invoke\-Tater* OR *Invoke\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR *Get\-RickAstley* OR *Find\-Fruit* OR *HTTP\-Login* OR *Find\-TrustedDocuments* OR *Invoke\-Paranoia* OR *Invoke\-WinEnum* OR *Invoke\-ARPScan* OR *Invoke\-PortScan* OR *Invoke\-ReverseDNSLookup* OR *Invoke\-SMBScanner* OR *Invoke\-Mimikittenz* OR *Invoke\-AllChecks*) AND (NOT \*.keyword:(*Get\-SystemDriveInfo*)))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_malicious_commandlets
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_malicious_keywords.yml b/elastalert_rules/sigma_powershell_malicious_keywords.yml
deleted file mode 100644
index aa628c80..00000000
--- a/elastalert_rules/sigma_powershell_malicious_keywords.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects keywords from well-known PowerShell exploitation frameworks
-filter:
-- query:
- query_string:
- query: data.win.system.message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_malicious_keywords
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_nishang_malicious_commandlets.yml b/elastalert_rules/sigma_powershell_nishang_malicious_commandlets.yml
deleted file mode 100644
index 8be95f62..00000000
--- a/elastalert_rules/sigma_powershell_nishang_malicious_commandlets.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Commandlet names and arguments from the Nishang exploitation framework
-filter:
-- query:
- query_string:
- query: \*.keyword:(*Add\-ConstrainedDelegationBackdoor* OR *Set\-DCShadowPermissions* OR *DNS_TXT_Pwnage* OR *Execute\-OnTime* OR *HTTP\-Backdoor* OR *Set\-RemotePSRemoting* OR *Set\-RemoteWMI* OR *Invoke\-AmsiBypass* OR *Out\-CHM* OR *Out\-HTA* OR *Out\-SCF* OR *Out\-SCT* OR *Out\-Shortcut* OR *Out\-WebQuery* OR *Out\-Word* OR *Enable\-Duplication* OR *Remove\-Update* OR *Download\-Execute\-PS* OR *Download_Execute* OR *Execute\-Command\-MSSQL* OR *Execute\-DNSTXT\-Code* OR *Out\-RundllCommand* OR *Copy\-VSS* OR *FireBuster* OR *FireListener* OR *Get\-Information* OR *Get\-PassHints* OR *Get\-WLAN\-Keys* OR *Get\-Web\-Credentials* OR *Invoke\-CredentialsPhish* OR *Invoke\-MimikatzWDigestDowngrade* OR *Invoke\-SSIDExfil* OR *Invoke\-SessionGopher* OR *Keylogger* OR *Invoke\-Interceptor* OR *Create\-MultipleSessions* OR *Invoke\-NetworkRelay* OR *Run\-EXEonRemote* OR *Invoke\-Prasadhak* OR *Invoke\-BruteForce* OR *Password\-List* OR *Invoke\-JSRatRegsvr* OR *Invoke\-JSRatRundll* OR *Invoke\-PoshRatHttps* OR *Invoke\-PowerShellIcmp* OR *Invoke\-PowerShellUdp* OR *Invoke\-PSGcat* OR *Invoke\-PsGcatAgent* OR *Remove\-PoshRat* OR *Add\-Persistance* OR *ExetoText* OR *Invoke\-Decode* OR *Invoke\-Encode* OR *Parse_Keys* OR *Remove\-Persistence* OR *StringtoBase64* OR *TexttoExe* OR *Powerpreter* OR *Nishang* OR *DataToEncode* OR *LoggedKeys* OR *OUT\-DNSTXT* OR *Jitter* OR *ExfilOption* OR *Tamper* OR *DumpCerts* OR *DumpCreds* OR *Shellcode32* OR *Shellcode64* OR *NotAllNameSpaces* OR *exfill* OR *FakeDC*)
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_nishang_malicious_commandlets
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_ntfs_ads_access.yml b/elastalert_rules/sigma_powershell_ntfs_ads_access.yml
deleted file mode 100644
index f6893fa6..00000000
--- a/elastalert_rules/sigma_powershell_ntfs_ads_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
-filter:
-- query:
- query_string:
- query: (\*.keyword:(*set\-content* OR *add\-content*) AND "\-stream")
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_ntfs_ads_access
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_prompt_credentials.yml b/elastalert_rules/sigma_powershell_prompt_credentials.yml
deleted file mode 100644
index 8971b9c5..00000000
--- a/elastalert_rules/sigma_powershell_prompt_credentials.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PowerShell calling a credential prompt
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4104" AND data.win.system.message.keyword:(*PromptForCredential*))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_prompt_credentials
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_psattack.yml b/elastalert_rules/sigma_powershell_psattack.yml
deleted file mode 100644
index 30673149..00000000
--- a/elastalert_rules/sigma_powershell_psattack.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of PSAttack PowerShell hack tool
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4103" AND "PS\ ATTACK\!\!\!")
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_psattack
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_remote_powershell_session.yml b/elastalert_rules/sigma_powershell_remote_powershell_session.yml
deleted file mode 100644
index 37206201..00000000
--- a/elastalert_rules/sigma_powershell_remote_powershell_session.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects remote PowerShell sessions
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("4103" OR "400") AND HostName:"ServerRemoteHost" AND HostApplication.keyword:*wsmprovhost.exe*)
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_remote_powershell_session
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_shellcode_b64.yml b/elastalert_rules/sigma_powershell_shellcode_b64.yml
deleted file mode 100644
index 138db9e8..00000000
--- a/elastalert_rules/sigma_powershell_shellcode_b64.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Base64 encoded Shellcode
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"4104" AND "*AAAAYInlM*") AND \*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_shellcode_b64
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_suspicious_download.yml b/elastalert_rules/sigma_powershell_suspicious_download.yml
deleted file mode 100644
index 4e99e29d..00000000
--- a/elastalert_rules/sigma_powershell_suspicious_download.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious PowerShell download command
-filter:
-- query:
- query_string:
- query: (data.win.system.message.keyword:*System.Net.WebClient* AND (data.win.system.message.keyword:*.DownloadFile\(* OR data.win.system.message.keyword:*.DownloadString\(*))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_suspicious_download
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_suspicious_invocation_generic.yml b/elastalert_rules/sigma_powershell_suspicious_invocation_generic.yml
deleted file mode 100644
index 3619d66e..00000000
--- a/elastalert_rules/sigma_powershell_suspicious_invocation_generic.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious PowerShell invocation command parameters
-filter:
-- query:
- query_string:
- query: (\*.keyword:(*\ \-enc\ * OR *\ \-EncodedCommand\ *) AND \*.keyword:(*\ \-w\ hidden\ * OR *\ \-window\ hidden\ * OR *\ \-windowstyle\ hidden\ *) AND \*.keyword:(*\ \-noni\ * OR *\ \-noninteractive\ *))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_suspicious_invocation_generic
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_suspicious_invocation_specific.yml b/elastalert_rules/sigma_powershell_suspicious_invocation_specific.yml
deleted file mode 100644
index 80ca3773..00000000
--- a/elastalert_rules/sigma_powershell_suspicious_invocation_specific.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious PowerShell invocation command parameters
-filter:
-- query:
- query_string:
- query: data.win.system.message.keyword:(*\ \-nop\ \-w\ hidden\ \-c\ *\ \[Convert\]\:\:FromBase64String* OR *\ \-w\ hidden\ \-noni\ \-nop\ \-c\ \"iex\(New\-Object* OR *\ \-w\ hidden\ \-ep\ bypass\ \-Enc* OR *powershell.exe\ reg\ add\ HKCU\\software\\microsoft\\windows\\currentversion\\run* OR *bypass\ \-noprofile\ \-windowstyle\ hidden\ \(new\-object\ system.net.webclient\).download* OR *iex\(New\-Object\ Net.WebClient\).Download*)
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_suspicious_invocation_specific
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_suspicious_keywords.yml b/elastalert_rules/sigma_powershell_suspicious_keywords.yml
deleted file mode 100644
index 6df902b5..00000000
--- a/elastalert_rules/sigma_powershell_suspicious_keywords.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects keywords that could indicate the use of some PowerShell exploitation framework
-filter:
-- query:
- query_string:
- query: data.win.system.message:("System.Reflection.Assembly.Load" OR "\[System.Reflection.Assembly\]\:\:Load" OR "\[Reflection.Assembly\]\:\:Load" OR "System.Reflection.AssemblyName" OR "Reflection.Emit.AssemblyBuilderAccess" OR "Runtime.InteropServices.DllImportAttribute" OR "SuspendThread")
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_suspicious_keywords
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_suspicious_profile_create.yml b/elastalert_rules/sigma_powershell_suspicious_profile_create.yml
deleted file mode 100644
index 5ff94f68..00000000
--- a/elastalert_rules/sigma_powershell_suspicious_profile_create.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a change in profile.ps1 of the Powershell profile
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"11" AND data.win.eventdata.targetFilename.keyword:*\\profile.ps1* AND (data.win.eventdata.targetFilename.keyword:*\\My\ Documents\\PowerShell\\* OR data.win.eventdata.targetFilename.keyword:*C\:\\Windows\\System32\\WindowsPowerShell\\v1.0\\*))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_suspicious_profile_create
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_winlogon_helper_dll.yml b/elastalert_rules/sigma_powershell_winlogon_helper_dll.yml
deleted file mode 100644
index af526f5c..00000000
--- a/elastalert_rules/sigma_powershell_winlogon_helper_dll.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4104" AND \*.keyword:(*Set\-ItemProperty* OR *New\-Item*) AND "*CurrentVersion\\Winlogon*")
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_winlogon_helper_dll
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_wmimplant.yml b/elastalert_rules/sigma_powershell_wmimplant.yml
deleted file mode 100644
index 4e796b1f..00000000
--- a/elastalert_rules/sigma_powershell_wmimplant.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects parameters used by WMImplant
-filter:
-- query:
- query_string:
- query: ScriptBlockText.keyword:(*WMImplant* OR *\ change_user\ * OR *\ gen_cli\ * OR *\ command_exec\ * OR *\ disable_wdigest\ * OR *\ disable_winrm\ * OR *\ enable_wdigest\ * OR *\ enable_winrm\ * OR *\ registry_mod\ * OR *\ remote_posh\ * OR *\ sched_job\ * OR *\ service_mod\ * OR *\ process_kill\ * OR *\ active_users\ * OR *\ basic_info\ * OR *\ power_off\ * OR *\ vacant_system\ * OR *\ logon_events\ *)
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_wmimplant
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_powershell_xor_commandline.yml b/elastalert_rules/sigma_powershell_xor_commandline.yml
deleted file mode 100644
index 1110df7a..00000000
--- a/elastalert_rules/sigma_powershell_xor_commandline.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"400" AND HostName:"ConsoleHost" AND data.win.eventdata.commandLine.keyword:(*bxor* OR *join* OR *char*))
-index: wazuh-alerts-3.x-*
-name: sigma_powershell_xor_commandline
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_abusing_azure_browser_sso.yml b/elastalert_rules/sigma_sysmon_abusing_azure_browser_sso.yml
deleted file mode 100644
index a930eb6c..00000000
--- a/elastalert_rules/sigma_sysmon_abusing_azure_browser_sso.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"7" AND data.win.eventdata.imageLoaded.keyword:*MicrosoftAccountTokenProvider.dll) AND (NOT (data.win.eventdata.image.keyword:(*BackgroundTaskHost.exe OR *devenv.exe OR *iexplore.exe OR *MicrosoftEdge.exe))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_abusing_azure_browser_sso
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_ads_executable.yml b/elastalert_rules/sigma_sysmon_ads_executable.yml
deleted file mode 100644
index dbf27790..00000000
--- a/elastalert_rules/sigma_sysmon_ads_executable.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"15" AND (NOT ((hash_imphash:("00000000000000000000000000000000" OR "00000000000000000000000000000000")) OR (NOT _exists_:hash_imphash))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_ads_executable
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_alternate_powershell_hosts_pipe.yml b/elastalert_rules/sigma_sysmon_alternate_powershell_hosts_pipe.yml
deleted file mode 100644
index 79153ef4..00000000
--- a/elastalert_rules/sigma_sysmon_alternate_powershell_hosts_pipe.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"17" AND data.win.eventdata.pipeName.keyword:\\PSHost*) AND (NOT (data.win.eventdata.image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_alternate_powershell_hosts_pipe
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_apt_muddywater_dnstunnel.yml b/elastalert_rules/sigma_sysmon_apt_muddywater_dnstunnel.yml
deleted file mode 100644
index 6c7af998..00000000
--- a/elastalert_rules/sigma_sysmon_apt_muddywater_dnstunnel.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detecting DNS tunnel activity for Muddywater actor
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\powershell.exe) AND data.win.eventdata.parentImage.keyword:(*\\excel.exe) AND data.win.eventdata.commandLine.keyword:(*DataExchange.dll*))
-index: wazuh-alerts-3.x-*
-name: 36222790-0d43-4fe8-86e4-674b27809543_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_apt_oceanlotus_registry.yml b/elastalert_rules/sigma_sysmon_apt_oceanlotus_registry.yml
deleted file mode 100644
index 9b43aaa1..00000000
--- a/elastalert_rules/sigma_sysmon_apt_oceanlotus_registry.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects registry keys created in OceanLotus (also known as APT32) attacks
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetObject.keyword:(HKCR\\CLSID\\\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\Model OR HKU\\*_Classes\\CLSID\\\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\Model OR *\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application OR *\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon OR *\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application OR *\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon OR *\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application OR *\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon OR HKU\\*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\* OR HKU\\*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\* OR HKU\\*_Classes\\CLSID\\\{E3517E26\-8E93\-458D\-A6DF\-8030BC80528B\}\\*)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_apt_oceanlotus_registry
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_apt_pandemic1.yml b/elastalert_rules/sigma_sysmon_apt_pandemic1.yml
deleted file mode 100644
index abdf55be..00000000
--- a/elastalert_rules/sigma_sysmon_apt_pandemic1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Pandemic Windows Implant
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetObject.keyword:*\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_apt_pandemic
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_apt_pandemic2.yml b/elastalert_rules/sigma_sysmon_apt_pandemic2.yml
deleted file mode 100644
index 054e6f33..00000000
--- a/elastalert_rules/sigma_sysmon_apt_pandemic2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Pandemic Windows Implant
-filter:
-- query:
- query_string:
- query: data.win.eventdata.commandLine.keyword:*loaddll\ \-a\ *
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_apt_pandemic
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_apt_turla_namedpipes.yml b/elastalert_rules/sigma_sysmon_apt_turla_namedpipes.yml
deleted file mode 100644
index f2921bcc..00000000
--- a/elastalert_rules/sigma_sysmon_apt_turla_namedpipes.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a named pipe used by Turla group samples
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("17" OR "18") AND data.win.eventdata.pipeName:("\\atctl" OR "\\userpipe" OR "\\iehelper" OR "\\sdlrpc" OR "\\comnap"))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_apt_turla_namedpipes
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_asep_reg_keys_modification.yml b/elastalert_rules/sigma_sysmon_asep_reg_keys_modification.yml
deleted file mode 100644
index 5fc305a7..00000000
--- a/elastalert_rules/sigma_sysmon_asep_reg_keys_modification.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects modification of autostart extensibility point (ASEP) in registry
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetObject.keyword:(*\\software\\Microsoft\\Windows\\CurrentVersion\\Run* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Userinit* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Shell* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_DLLs* OR *\\software\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_DLLs* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Load* OR *\\software\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Load* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Run* OR *\\software\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Run* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User\ Shell\ Folders*)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_asep_reg_keys_modification
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_cactustorch.yml b/elastalert_rules/sigma_sysmon_cactustorch.yml
deleted file mode 100644
index b96494a2..00000000
--- a/elastalert_rules/sigma_sysmon_cactustorch.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects remote thread creation from CACTUSTORCH as described in references.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"8" AND process_path.keyword:(*\\System32\\cscript.exe OR *\\System32\\wscript.exe OR *\\System32\\mshta.exe OR *\\winword.exe OR *\\excel.exe) AND data.win.eventdata.targetImage.keyword:*\\SysWOW64\\* AND NOT _exists_:thread_start_module)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_cactustorch
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_cmstp_execution1.yml b/elastalert_rules/sigma_sysmon_cmstp_execution1.yml
deleted file mode 100644
index b49f0643..00000000
--- a/elastalert_rules/sigma_sysmon_cmstp_execution1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"12" AND data.win.eventdata.targetObject.keyword:*\\cmmgr32.exe* AND data.win.eventdata.eventType:"CreateKey") OR (data.win.system.eventID:"13" AND data.win.eventdata.targetObject.keyword:*\\cmmgr32.exe*) OR (data.win.system.eventID:"10" AND data.win.eventdata.callTrace.keyword:*cmlua.dll*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_cmstp_execution
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_cmstp_execution2.yml b/elastalert_rules/sigma_sysmon_cmstp_execution2.yml
deleted file mode 100644
index efd3dea4..00000000
--- a/elastalert_rules/sigma_sysmon_cmstp_execution2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-filter:
-- query:
- query_string:
- query: data.win.eventdata.parentImage.keyword:*\\cmstp.exe
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_cmstp_execution
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_cobaltstrike_process_injection.yml b/elastalert_rules/sigma_sysmon_cobaltstrike_process_injection.yml
deleted file mode 100644
index 2c34fe9d..00000000
--- a/elastalert_rules/sigma_sysmon_cobaltstrike_process_injection.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"8" AND thread_start_address.keyword:(*0B80 OR *0C7C OR *0C88))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_cobaltstrike_process_injection
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_comhijack_sdclt.yml b/elastalert_rules/sigma_sysmon_comhijack_sdclt.yml
deleted file mode 100644
index 7e632677..00000000
--- a/elastalert_rules/sigma_sysmon_comhijack_sdclt.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetObject:("HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute") AND data.win.eventdata.eventType:("SetValue"))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_comhijack_sdclt
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_createremotethread_loadlibrary.yml b/elastalert_rules/sigma_sysmon_createremotethread_loadlibrary.yml
deleted file mode 100644
index c95a860f..00000000
--- a/elastalert_rules/sigma_sysmon_createremotethread_loadlibrary.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"8" AND thread_start_module.keyword:*\\kernel32.dll AND thread_start_function:"LoadLibraryA")
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_createremotethread_loadlibrary
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_creation_system_file.yml b/elastalert_rules/sigma_sysmon_creation_system_file.yml
deleted file mode 100644
index b69e15a9..00000000
--- a/elastalert_rules/sigma_sysmon_creation_system_file.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the creation of a executable with a system process name in a suspicious folder
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetFilename.keyword:(*\\svchost.exe OR *\\rundll32.exe OR *\\services.exe OR *\\powershell.exe OR *\\regsvr32.exe OR *\\spoolsv.exe OR *\\lsass.exe OR *\\smss.exe OR *\\csrss.exe OR *\\conhost.exe OR *\\wininit.exe OR *\\lsm.exe OR *\\winlogon.exe OR *\\explorer.exe OR *\\taskhost.exe OR *\\Taskmgr.exe OR *\\taskmgr.exe OR *\\sihost.exe OR *\\RuntimeBroker.exe OR *\\runtimebroker.exe OR *\\smartscreen.exe OR *\\dllhost.exe OR *\\audiodg.exe OR *\\wlanext.exe) AND (NOT (data.win.eventdata.targetFilename.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\system32\\* OR C\:\\Windows\\SysWow64\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\winsxs\\* OR C\:\\Windows\\WinSxS\\* OR \\SystemRoot\\System32\\*))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_creation_system_file
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_cred_dump_lsass_access.yml b/elastalert_rules/sigma_sysmon_cred_dump_lsass_access.yml
deleted file mode 100644
index 40070c07..00000000
--- a/elastalert_rules/sigma_sysmon_cred_dump_lsass_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process access LSASS memory which is typical for credentials dumping tools
-filter:
-- query:
- query_string:
- query: ((data.win.eventdata.targetImage.keyword:*\\lsass.exe AND data.win.eventdata.grantedAccess.keyword:(*0x40* OR *0x1000* OR *0x1400* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) AND (NOT (data.win.eventdata.processName.keyword:(*\\wmiprvse.exe OR *\\taskmgr.exe OR *\\procexp64.exe OR *\\procexp.exe OR *\\lsm.exe OR *\\csrss.exe OR *\\wininit.exe OR *\\vmtoolsd.exe))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_cred_dump_lsass_access
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_cred_dump_tools_dropped_files.yml b/elastalert_rules/sigma_sysmon_cred_dump_tools_dropped_files.yml
deleted file mode 100644
index 13bd51a5..00000000
--- a/elastalert_rules/sigma_sysmon_cred_dump_tools_dropped_files.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetFilename.keyword:(*\\pwdump* OR *\\kirbi* OR *\\pwhashes* OR *\\wce_ccache* OR *\\wce_krbtkts* OR *\\fgdump\-log*) AND data.win.eventdata.targetFilename.keyword:(*\\test.pwd OR *\\lsremora64.dll OR *\\lsremora.dll OR *\\fgexec.exe OR *\\wceaux.dll OR *\\SAM.out OR *\\SECURITY.out OR *\\SYSTEM.out OR *\\NTDS.out OR *\\DumpExt.dll OR *\\DumpSvc.exe OR *\\cachedump64.exe OR *\\cachedump.exe OR *\\pstgdump.exe OR *\\servpw.exe OR *\\servpw64.exe OR *\\pwdump.exe OR *\\procdump64.exe))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_cred_dump_tools_dropped_files
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_cred_dump_tools_named_pipes.yml b/elastalert_rules/sigma_sysmon_cred_dump_tools_named_pipes.yml
deleted file mode 100644
index d2ad8d26..00000000
--- a/elastalert_rules/sigma_sysmon_cred_dump_tools_named_pipes.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects well-known credential dumping tools execution via specific named pipes
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"17" AND data.win.eventdata.pipeName.keyword:(*\\lsadump* OR *\\cachedump* OR *\\wceservicepipe*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_cred_dump_tools_named_pipes
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_cve-2020-1048.yml b/elastalert_rules/sigma_sysmon_cve-2020-1048.yml
deleted file mode 100644
index 95186e13..00000000
--- a/elastalert_rules/sigma_sysmon_cve-2020-1048.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetObject.keyword:HKLM\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Ports* AND data.win.eventdata.eventType:("SetValue" OR "DeleteValue" OR "CreateValue") AND Details.keyword:(*.dll* OR *.exe* OR *.bat* OR *.com* OR *C\:*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_cve-2020-1048
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_dhcp_calloutdll.yml b/elastalert_rules/sigma_sysmon_dhcp_calloutdll.yml
deleted file mode 100644
index a6b29b3d..00000000
--- a/elastalert_rules/sigma_sysmon_dhcp_calloutdll.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetObject.keyword:(*\\Services\\DHCPServer\\Parameters\\CalloutDlls OR *\\Services\\DHCPServer\\Parameters\\CalloutEnabled)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_dhcp_calloutdll
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/elastalert_rules/sigma_sysmon_disable_security_events_logging_adding_reg_key_minint.yml
deleted file mode 100644
index d05ec0e3..00000000
--- a/elastalert_rules/sigma_sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
-filter:
-- query:
- query_string:
- query: ((data.win.eventdata.targetObject:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" AND data.win.eventdata.eventType:"CreateKey") OR NewName:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt")
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_disable_security_events_logging_adding_reg_key_minint
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_dllhost_net_connections.yml b/elastalert_rules/sigma_sysmon_dllhost_net_connections.yml
deleted file mode 100644
index 4c289ecf..00000000
--- a/elastalert_rules/sigma_sysmon_dllhost_net_connections.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Dllhost that communicates with public IP addresses
-filter:
-- query:
- query_string:
- query: ((data.win.eventdata.image.keyword:*\\dllhost.exe AND Initiated:"true") AND (NOT (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_dllhost_net_connections
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_dns_serverlevelplugindll1.yml b/elastalert_rules/sigma_sysmon_dns_serverlevelplugindll1.yml
deleted file mode 100644
index 6ca765a2..00000000
--- a/elastalert_rules/sigma_sysmon_dns_serverlevelplugindll1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetObject.keyword:*\\services\\DNS\\Parameters\\ServerLevelPluginDll
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_dns_serverlevelplugindll
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_dns_serverlevelplugindll2.yml b/elastalert_rules/sigma_sysmon_dns_serverlevelplugindll2.yml
deleted file mode 100644
index 76d65c57..00000000
--- a/elastalert_rules/sigma_sysmon_dns_serverlevelplugindll2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
-filter:
-- query:
- query_string:
- query: data.win.eventdata.commandLine.keyword:dnscmd.exe\ \/config\ \/serverlevelplugindll\ *
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_dns_serverlevelplugindll
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_etw_disabled.yml b/elastalert_rules/sigma_sysmon_etw_disabled.yml
deleted file mode 100644
index 07937780..00000000
--- a/elastalert_rules/sigma_sysmon_etw_disabled.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetObject.keyword:*SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled AND Details:"DWORD\ \(0x00000000\)")
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_etw_disabled
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_ghostpack_safetykatz.yml b/elastalert_rules/sigma_sysmon_ghostpack_safetykatz.yml
deleted file mode 100644
index c3708ef1..00000000
--- a/elastalert_rules/sigma_sysmon_ghostpack_safetykatz.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects possible SafetyKatz Behaviour
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetFilename.keyword:*\\Temp\\debug.bin
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_ghostpack_safetykatz
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_hack_dumpert1.yml b/elastalert_rules/sigma_sysmon_hack_dumpert1.yml
deleted file mode 100644
index 9ec9c8d6..00000000
--- a/elastalert_rules/sigma_sysmon_hack_dumpert1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
-filter:
-- query:
- query_string:
- query: hash_imphash:("09D278F9DE118EF09163C6140255C690" OR "09d278f9de118ef09163c6140255c690")
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_hack_dumpert
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_hack_dumpert2.yml b/elastalert_rules/sigma_sysmon_hack_dumpert2.yml
deleted file mode 100644
index d82e3323..00000000
--- a/elastalert_rules/sigma_sysmon_hack_dumpert2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetFilename:"C\:\\Windows\\Temp\\dumpert.dmp"
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_hack_dumpert
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_hack_wce.yml b/elastalert_rules/sigma_sysmon_hack_wce.yml
deleted file mode 100644
index 1fd7a65f..00000000
--- a/elastalert_rules/sigma_sysmon_hack_wce.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of Windows Credential Editor (WCE)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (hash_imphash:("a53a02b997935fd8eedcb5f7abab9b9f" OR "A53A02B997935FD8EEDCB5F7ABAB9B9F" OR "e96a73c7bf33a464c510ede582318bf2" OR "E96A73C7BF33A464C510EDE582318BF2") OR (data.win.eventdata.commandLine.keyword:*.exe\ \-S AND data.win.eventdata.parentImage.keyword:*\\services.exe)))
-index: wazuh-alerts-3.x-*
-name: 7aa7009a-28b9-4344-8c1f-159489a390df_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_hack_wce_reg.yml b/elastalert_rules/sigma_sysmon_hack_wce_reg.yml
deleted file mode 100644
index 3c5ed768..00000000
--- a/elastalert_rules/sigma_sysmon_hack_wce_reg.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of Windows Credential Editor (WCE)
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetObject.keyword:*Services\\WCESERVICE\\Start*
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_hack_wce_reg
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_in_memory_assembly_execution.yml b/elastalert_rules/sigma_sysmon_in_memory_assembly_execution.yml
deleted file mode 100644
index 77f8a9a6..00000000
--- a/elastalert_rules/sigma_sysmon_in_memory_assembly_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.callTrace.keyword:(C\:\\Windows\\SYSTEM32\\ntdll.dll\+*|C\:\\Windows\\System32\\KERNELBASE.dll\+*|UNKNOWN\(*\) OR *UNKNOWN\(*\)|UNKNOWN\(*\)) OR (data.win.eventdata.callTrace.keyword:*UNKNOWN* AND data.win.eventdata.grantedAccess:("0x1F0FFF" OR "0x1F1FFF" OR "0x143A" OR "0x1410" OR "0x1010" OR "0x1F2FFF" OR "0x1F3FFF" OR "0x1FFFFF")))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_in_memory_assembly_execution
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_in_memory_powershell.yml b/elastalert_rules/sigma_sysmon_in_memory_powershell.yml
deleted file mode 100644
index 28ebf43e..00000000
--- a/elastalert_rules/sigma_sysmon_in_memory_powershell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
-filter:
-- query:
- query_string:
- query: (ImageLoaded.keyword:(*\\System.Management.Automation.Dll OR *\\System.Management.Automation.ni.Dll) AND (NOT (data.win.eventdata.image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe OR *\\WINDOWS\\System32\\sdiagnhost.exe OR *\\mscorsvw.exe OR *\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_in_memory_powershell
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_invoke_phantom.yml b/elastalert_rules/sigma_sysmon_invoke_phantom.yml
deleted file mode 100644
index 7740a375..00000000
--- a/elastalert_rules/sigma_sysmon_invoke_phantom.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetImage.keyword:*\\windows\\system32\\svchost.exe AND data.win.eventdata.grantedAccess:"0x1f3fff" AND data.win.eventdata.callTrace.keyword:(*unknown*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_invoke_phantom
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_lazagne_cred_dump_lsass_access.yml b/elastalert_rules/sigma_sysmon_lazagne_cred_dump_lsass_access.yml
deleted file mode 100644
index 450662af..00000000
--- a/elastalert_rules/sigma_sysmon_lazagne_cred_dump_lsass_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects LSASS process access by LaZagne for credential dumping.
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetImage.keyword:*\\lsass.exe AND data.win.eventdata.callTrace.keyword:C\:\\Windows\\SYSTEM32\\ntdll.dll\+*|C\:\\Windows\\System32\\KERNELBASE.dll\+*_ctypes.pyd\+*python27.dll\+* AND data.win.eventdata.grantedAccess:"0x1FFFFF")
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_lazagne_cred_dump_lsass_access
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/elastalert_rules/sigma_sysmon_logon_scripts_userinitmprlogonscript_proc.yml
deleted file mode 100644
index 3ac30130..00000000
--- a/elastalert_rules/sigma_sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects creation or execution of UserInitMprLogonScript persistence method
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.system.eventID:"1" AND (data.win.eventdata.parentImage.keyword:*\\userinit.exe AND (NOT (data.win.eventdata.image.keyword:*\\explorer.exe))) AND (NOT (data.win.eventdata.commandLine.keyword:(*netlogon.bat* OR *UsrLogon.cmd*)))) OR data.win.eventdata.commandLine.keyword:*UserInitMprLogonScript*))
-index: wazuh-alerts-3.x-*
-name: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/elastalert_rules/sigma_sysmon_logon_scripts_userinitmprlogonscript_reg.yml
deleted file mode 100644
index 702bc7bf..00000000
--- a/elastalert_rules/sigma_sysmon_logon_scripts_userinitmprlogonscript_reg.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects creation or execution of UserInitMprLogonScript persistence method
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetObject.keyword:*UserInitMprLogonScript*
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_logon_scripts_userinitmprlogonscript_reg
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_lsass_memdump.yml b/elastalert_rules/sigma_sysmon_lsass_memdump.yml
deleted file mode 100644
index 289df124..00000000
--- a/elastalert_rules/sigma_sysmon_lsass_memdump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetImage:"C\:\\windows\\system32\\lsass.exe" AND data.win.eventdata.grantedAccess:"0x1fffff" AND data.win.eventdata.callTrace.keyword:(*dbghelp.dll* OR *dbgcore.dll*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_lsass_memdump
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_lsass_memory_dump_file_creation.yml b/elastalert_rules/sigma_sysmon_lsass_memory_dump_file_creation.yml
deleted file mode 100644
index 1cd220a0..00000000
--- a/elastalert_rules/sigma_sysmon_lsass_memory_dump_file_creation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetFilename.keyword:*lsass* AND data.win.eventdata.targetFilename.keyword:*dmp)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_lsass_memory_dump_file_creation
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_mal_namedpipes.yml b/elastalert_rules/sigma_sysmon_mal_namedpipes.yml
deleted file mode 100644
index 6b813e89..00000000
--- a/elastalert_rules/sigma_sysmon_mal_namedpipes.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the creation of a named pipe used by known APT malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("17" OR "18") AND data.win.eventdata.pipeName.keyword:(\\isapi_http OR \\isapi_dg OR \\isapi_dg2 OR \\sdlrpc OR \\ahexec OR \\winsession OR \\lsassw OR \\46a676ab7f179e511e30dd2dc41bd388 OR \\9f81f59bc58452127884ce513865ed20 OR \\e710f28d59aa529d6792ca6ff0ca1b34 OR \\rpchlp_3 OR \\NamePipe_MoreWindows OR \\pcheap_reuse OR \\msagent_* OR \\gruntsvc))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_mal_namedpipes
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_malware_backconnect_ports.yml b/elastalert_rules/sigma_sysmon_malware_backconnect_ports.yml
deleted file mode 100644
index 37418b17..00000000
--- a/elastalert_rules/sigma_sysmon_malware_backconnect_ports.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
-filter:
-- query:
- query_string:
- query: ((Initiated:"true" AND data.win.eventdata.destinationPort:("4443" OR "2448" OR "8143" OR "1777" OR "1443" OR "243" OR "65535" OR "13506" OR "3360" OR "200" OR "198" OR "49180" OR "13507" OR "6625" OR "4444" OR "4438" OR "1904" OR "13505" OR "13504" OR "12102" OR "9631" OR "5445" OR "2443" OR "777" OR "13394" OR "13145" OR "12103" OR "5552" OR "3939" OR "3675" OR "666" OR "473" OR "5649" OR "4455" OR "4433" OR "1817" OR "100" OR "65520" OR "1960" OR "1515" OR "743" OR "700" OR "14154" OR "14103" OR "14102" OR "12322" OR "10101" OR "7210" OR "4040" OR "9943")) AND (NOT ((data.win.eventdata.image.keyword:*\\Program\ Files* OR (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:"false")))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_malware_backconnect_ports
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_malware_verclsid_shellcode.yml b/elastalert_rules/sigma_sysmon_malware_verclsid_shellcode.yml
deleted file mode 100644
index 052a079a..00000000
--- a/elastalert_rules/sigma_sysmon_malware_verclsid_shellcode.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
-filter:
-- query:
- query_string:
- query: ((data.win.eventdata.targetImage.keyword:*\\verclsid.exe AND data.win.eventdata.grantedAccess:"0x1FFFFF") AND (data.win.eventdata.callTrace.keyword:*|UNKNOWN\(*VBE7.DLL* OR (process_path.keyword:*\\Microsoft\ Office\\* AND data.win.eventdata.callTrace.keyword:*|UNKNOWN*)))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_malware_verclsid_shellcode
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_mimikatz_detection_lsass.yml b/elastalert_rules/sigma_sysmon_mimikatz_detection_lsass.yml
deleted file mode 100644
index 878b7e7c..00000000
--- a/elastalert_rules/sigma_sysmon_mimikatz_detection_lsass.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"10" AND data.win.eventdata.targetImage:"C\:\\windows\\system32\\lsass.exe" AND data.win.eventdata.grantedAccess:("0x1410" OR "0x1010"))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_mimikatz_detection_lsass
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_mimikatz_trough_winrm.yml b/elastalert_rules/sigma_sysmon_mimikatz_trough_winrm.yml
deleted file mode 100644
index 3e09350b..00000000
--- a/elastalert_rules/sigma_sysmon_mimikatz_trough_winrm.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetImage:"C\:\\windows\\system32\\lsass.exe" AND process_path:"C\:\\Windows\\system32\\wsmprovhost.exe")
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_mimikatz_trough_winrm
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_narrator_feedback_persistance.yml b/elastalert_rules/sigma_sysmon_narrator_feedback_persistance.yml
deleted file mode 100644
index 8f26e991..00000000
--- a/elastalert_rules/sigma_sysmon_narrator_feedback_persistance.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects abusing Windows 10 Narrator's Feedback-Hub
-filter:
-- query:
- query_string:
- query: ((data.win.eventdata.eventType:"DeleteValue" AND data.win.eventdata.targetObject.keyword:*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute) OR data.win.eventdata.targetObject.keyword:*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\\(Default\))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_narrator_feedback_persistance
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/elastalert_rules/sigma_sysmon_new_dll_added_to_appcertdlls_registry_key.yml
deleted file mode 100644
index 52a28323..00000000
--- a/elastalert_rules/sigma_sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ /dev/null
@@ -1,13 +0,0 @@ -alert: -- debug -description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. -filter: -- query: - query_string: - query: (data.win.eventdata.targetObject:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session\ Manager\\AppCertDlls" OR NewName:"HKLM\\SYSTEM\\CurentControlSet\\Control\\Session\ Manager\\AppCertDlls") -index: wazuh-alerts-3.x-* -name: sigma_sysmon_new_dll_added_to_appcertdlls_registry_key -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/elastalert_rules/sigma_sysmon_new_dll_added_to_appinit_dlls_registry_key.yml deleted file mode 100644 index 3f4a9c16..00000000 --- a/elastalert_rules/sigma_sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll -filter: -- query: - query_string: - query: (data.win.eventdata.targetObject.keyword:(*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls OR *\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls) OR NewName.keyword:(*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls OR *\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls)) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_new_dll_added_to_appinit_dlls_registry_key -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_notepad_network_connection.yml b/elastalert_rules/sigma_sysmon_notepad_network_connection.yml deleted file mode 100644 index 20d9ec4a..00000000 
--- a/elastalert_rules/sigma_sysmon_notepad_network_connection.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious network connection by Notepad -filter: -- query: - query_string: - query: (data.win.eventdata.image.keyword:*\\notepad.exe AND (NOT (data.win.eventdata.destinationPort:"9100"))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_notepad_network_connection -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_office_persistence.yml b/elastalert_rules/sigma_sysmon_office_persistence.yml deleted file mode 100644 index 3d293f85..00000000 --- a/elastalert_rules/sigma_sysmon_office_persistence.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel). -filter: -- query: - query_string: - query: (((data.win.eventdata.targetFilename.keyword:*\\Microsoft\\Word\\Startup\\* AND data.win.eventdata.targetFilename.keyword:*.wll) OR (data.win.eventdata.targetFilename.keyword:*\\Microsoft\\Excel\\Startup\\* AND data.win.eventdata.targetFilename.keyword:*.xll)) OR (data.win.eventdata.targetFilename.keyword:*\\Microsoft\\Addins\\* AND data.win.eventdata.targetFilename.keyword:(*.xlam OR *.xla))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_office_persistence -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_password_dumper_lsass.yml b/elastalert_rules/sigma_sysmon_password_dumper_lsass.yml deleted file mode 100644 index b7fbbd4a..00000000 --- a/elastalert_rules/sigma_sysmon_password_dumper_lsass.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. -filter: -- query: - query_string: - query: (data.win.system.eventID:"8" AND data.win.eventdata.targetImage:"C\:\\Windows\\System32\\lsass.exe" AND thread_start_module:"") -index: wazuh-alerts-3.x-* -name: sigma_sysmon_password_dumper_lsass -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_possible_dns_rebinding.yml b/elastalert_rules/sigma_sysmon_possible_dns_rebinding.yml deleted file mode 100644 index fbbd9398..00000000 --- a/elastalert_rules/sigma_sysmon_possible_dns_rebinding.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -alert: -- debug -buffer_time: - seconds: 30 -description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). -doc_type: doc -filter: -- query: - query_string: - query: (data.win.system.eventID:"22" AND QueryName.keyword:* AND QueryStatus:"0" AND QueryResults.keyword:(\(\:\:ffff\:\)?10.* OR \(\:\:ffff\:\)?192.168.* OR \(\:\:ffff\:\)?172.16.* OR \(\:\:ffff\:\)?172.17.* OR \(\:\:ffff\:\)?172.18.* OR \(\:\:ffff\:\)?172.19.* OR \(\:\:ffff\:\)?172.20.* OR \(\:\:ffff\:\)?172.21.* OR \(\:\:ffff\:\)?172.22.* OR \(\:\:ffff\:\)?172.23.* OR \(\:\:ffff\:\)?172.24.* OR \(\:\:ffff\:\)?172.25.* OR \(\:\:ffff\:\)?172.26.* OR \(\:\:ffff\:\)?172.27.* OR \(\:\:ffff\:\)?172.28.* OR \(\:\:ffff\:\)?172.29.* OR \(\:\:ffff\:\)?172.30.* OR \(\:\:ffff\:\)?172.31.* OR \(\:\:ffff\:\)?127.*) AND (data.win.system.eventID:"22" AND QueryName.keyword:* AND QueryStatus:"0") AND (NOT (QueryResults.keyword:(\(\:\:ffff\:\)?10.* OR \(\:\:ffff\:\)?192.168.* OR \(\:\:ffff\:\)?172.16.* OR \(\:\:ffff\:\)?172.17.* OR \(\:\:ffff\:\)?172.18.* OR \(\:\:ffff\:\)?172.19.* OR \(\:\:ffff\:\)?172.20.* OR \(\:\:ffff\:\)?172.21.* OR \(\:\:ffff\:\)?172.22.* OR \(\:\:ffff\:\)?172.23.* OR \(\:\:ffff\:\)?172.24.* OR \(\:\:ffff\:\)?172.25.* OR \(\:\:ffff\:\)?172.26.* OR \(\:\:ffff\:\)?172.27.* OR \(\:\:ffff\:\)?172.28.* OR \(\:\:ffff\:\)?172.29.* OR \(\:\:ffff\:\)?172.30.* OR \(\:\:ffff\:\)?172.31.* OR \(\:\:ffff\:\)?127.*)))) -index: wazuh-alerts-3.x-* -max_threshold: 3 -metric_agg_key: QueryName.keyword -metric_agg_type: cardinality -name: sigma_sysmon_possible_dns_rebinding -priority: 3 -query_key: data.win.system.computer.keyword -realert: - minutes: 0 -type: metric_aggregation 
diff --git a/elastalert_rules/sigma_sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/elastalert_rules/sigma_sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml deleted file mode 100644 index af186072..00000000 --- a/elastalert_rules/sigma_sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level -filter: -- query: - query_string: - query: (IntegrityLevel:"Medium" AND data.win.eventdata.targetObject.keyword:*\\services\\* AND data.win.eventdata.targetObject.keyword:(*\\ImagePath OR *\\FailureCommand OR *\\Parameters\\ServiceDll)) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_powershell_execution_moduleload.yml b/elastalert_rules/sigma_sysmon_powershell_execution_moduleload.yml deleted file mode 100644 index 3df55f5a..00000000 --- a/elastalert_rules/sigma_sysmon_powershell_execution_moduleload.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects execution of PowerShell -filter: -- query: - query_string: - query: (data.win.eventdata.description:"system.management.automation" AND ImageLoaded.keyword:*system.management.automation*) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_powershell_execution_moduleload -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_powershell_exploit_scripts.yml b/elastalert_rules/sigma_sysmon_powershell_exploit_scripts.yml deleted file mode 100644 index a5e30f5f..00000000 --- a/elastalert_rules/sigma_sysmon_powershell_exploit_scripts.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the creation of known powershell scripts for exploitation -filter: -- query: - query_string: - query: data.win.eventdata.targetFilename.keyword:(*\\Invoke\-DllInjection.ps1 OR *\\Invoke\-WmiCommand.ps1 OR *\\Get\-GPPPassword.ps1 OR *\\Get\-Keystrokes.ps1 OR *\\Get\-VaultCredential.ps1 OR *\\Invoke\-CredentialInjection.ps1 OR *\\Invoke\-Mimikatz.ps1 OR *\\Invoke\-NinjaCopy.ps1 OR *\\Invoke\-TokenManipulation.ps1 OR *\\Out\-Minidump.ps1 OR *\\VolumeShadowCopyTools.ps1 OR *\\Invoke\-ReflectivePEInjection.ps1 OR *\\Get\-TimedScreenshot.ps1 OR *\\Invoke\-UserHunter.ps1 OR *\\Find\-GPOLocation.ps1 OR *\\Invoke\-ACLScanner.ps1 OR *\\Invoke\-DowngradeAccount.ps1 OR *\\Get\-ServiceUnquoted.ps1 OR *\\Get\-ServiceFilePermission.ps1 OR *\\Get\-ServicePermission.ps1 OR *\\Invoke\-ServiceAbuse.ps1 OR *\\Install\-ServiceBinary.ps1 OR *\\Get\-RegAutoLogon.ps1 OR *\\Get\-VulnAutoRun.ps1 OR *\\Get\-VulnSchTask.ps1 OR *\\Get\-UnattendedInstallFile.ps1 OR *\\Get\-WebConfig.ps1 OR *\\Get\-ApplicationHost.ps1 OR *\\Get\-RegAlwaysInstallElevated.ps1 OR *\\Get\-Unconstrained.ps1 OR *\\Add\-RegBackdoor.ps1 OR *\\Add\-ScrnSaveBackdoor.ps1 OR *\\Gupt\-Backdoor.ps1 OR *\\Invoke\-ADSBackdoor.ps1 OR *\\Enabled\-DuplicateToken.ps1 OR *\\Invoke\-PsUaCme.ps1 OR *\\Remove\-Update.ps1 OR *\\Check\-VM.ps1 OR *\\Get\-LSASecret.ps1 OR *\\Get\-PassHashes.ps1 OR *\\Show\-TargetScreen.ps1 OR *\\Port\-Scan.ps1 OR *\\Invoke\-PoshRatHttp.ps1 OR *\\Invoke\-PowerShellTCP.ps1 OR *\\Invoke\-PowerShellWMI.ps1 OR *\\Add\-Exfiltration.ps1 OR *\\Add\-Persistence.ps1 OR *\\Do\-Exfiltration.ps1 OR *\\Start\-CaptureServer.ps1 OR *\\Invoke\-ShellCode.ps1 OR *\\Get\-ChromeDump.ps1 OR *\\Get\-ClipboardContents.ps1 OR *\\Get\-FoxDump.ps1 OR *\\Get\-IndexedItem.ps1 OR *\\Get\-Screenshot.ps1 OR *\\Invoke\-Inveigh.ps1 OR *\\Invoke\-NetRipper.ps1 OR *\\Invoke\-EgressCheck.ps1 OR *\\Invoke\-PostExfil.ps1 OR *\\Invoke\-PSInject.ps1 OR *\\Invoke\-RunAs.ps1 OR 
*\\MailRaider.ps1 OR *\\New\-HoneyHash.ps1 OR *\\Set\-MacAttribute.ps1 OR *\\Invoke\-DCSync.ps1 OR *\\Invoke\-PowerDump.ps1 OR *\\Exploit\-Jboss.ps1 OR *\\Invoke\-ThunderStruck.ps1 OR *\\Invoke\-VoiceTroll.ps1 OR *\\Set\-Wallpaper.ps1 OR *\\Invoke\-InveighRelay.ps1 OR *\\Invoke\-PsExec.ps1 OR *\\Invoke\-SSHCommand.ps1 OR *\\Get\-SecurityPackages.ps1 OR *\\Install\-SSP.ps1 OR *\\Invoke\-BackdoorLNK.ps1 OR *\\PowerBreach.ps1 OR *\\Get\-SiteListPassword.ps1 OR *\\Get\-System.ps1 OR *\\Invoke\-BypassUAC.ps1 OR *\\Invoke\-Tater.ps1 OR *\\Invoke\-WScriptBypassUAC.ps1 OR *\\PowerUp.ps1 OR *\\PowerView.ps1 OR *\\Get\-RickAstley.ps1 OR *\\Find\-Fruit.ps1 OR *\\HTTP\-Login.ps1 OR *\\Find\-TrustedDocuments.ps1 OR *\\Invoke\-Paranoia.ps1 OR *\\Invoke\-WinEnum.ps1 OR *\\Invoke\-ARPScan.ps1 OR *\\Invoke\-PortScan.ps1 OR *\\Invoke\-ReverseDNSLookup.ps1 OR *\\Invoke\-SMBScanner.ps1 OR *\\Invoke\-Mimikittenz.ps1) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_powershell_exploit_scripts -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_powershell_network_connection.yml b/elastalert_rules/sigma_sysmon_powershell_network_connection.yml deleted file mode 100644 index 37180a3e..00000000 --- a/elastalert_rules/sigma_sysmon_powershell_network_connection.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range') -filter: -- query: - query_string: - query: ((data.win.eventdata.image.keyword:*\\powershell.exe AND Initiated:"true") AND (NOT (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:"false" AND user_account:"NT\ AUTHORITY\\SYSTEM"))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_powershell_network_connection -priority: 4 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_quarkspw_filedump.yml b/elastalert_rules/sigma_sysmon_quarkspw_filedump.yml deleted file mode 100644 index f2f8d99e..00000000 --- a/elastalert_rules/sigma_sysmon_quarkspw_filedump.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a dump file written by QuarksPwDump password dumper -filter: -- query: - query_string: - query: data.win.eventdata.targetFilename.keyword:*\\AppData\\Local\\Temp\\SAM\-*.dmp* -index: wazuh-alerts-3.x-* -name: sigma_sysmon_quarkspw_filedump -priority: 1 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_raw_disk_access_using_illegitimate_tools.yml b/elastalert_rules/sigma_sysmon_raw_disk_access_using_illegitimate_tools.yml deleted file mode 100644 index 60e03579..00000000 --- a/elastalert_rules/sigma_sysmon_raw_disk_access_using_illegitimate_tools.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Raw disk access using illegitimate tools, possible defence evasion -filter: -- query: - query_string: - query: ((data.win.system.eventID:"9" AND (NOT (data.win.eventdata.deviceName.keyword:*floppy*))) AND (NOT (data.win.eventdata.image.keyword:(*\\wmiprvse.exe OR *\\sdiagnhost.exe OR *\\searchindexer.exe OR *\\csrss.exe OR *\\defrag.exe OR *\\smss.exe OR *\\vssvc.exe OR *\\compattelrunner.exe OR *\\wininit.exe OR *\\autochk.exe OR *\\taskhost.exe OR *\\dfsrs.exe OR *\\vds.exe OR *\\lsass.exe)))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_raw_disk_access_using_illegitimate_tools -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_rdp_registry_modification.yml b/elastalert_rules/sigma_sysmon_rdp_registry_modification.yml deleted file mode 100644 index 14801550..00000000 --- a/elastalert_rules/sigma_sysmon_rdp_registry_modification.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections. -filter: -- query: - query_string: - query: (data.win.eventdata.targetObject.keyword:(*\\CurrentControlSet\\Control\\Terminal\ Server\\WinStations\\RDP\-Tcp\\UserAuthentication OR *\\CurrentControlSet\\Control\\Terminal\ Server\\fDenyTSConnections) AND Details:"DWORD\ \(0x00000000\)") -index: wazuh-alerts-3.x-* -name: sigma_sysmon_rdp_registry_modification -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_rdp_reverse_tunnel.yml b/elastalert_rules/sigma_sysmon_rdp_reverse_tunnel.yml deleted file mode 100644 index 878c65f0..00000000 --- a/elastalert_rules/sigma_sysmon_rdp_reverse_tunnel.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 -filter: -- query: - query_string: - query: (data.win.eventdata.image.keyword:*\\svchost.exe AND Initiated:"true" AND data.win.eventdata.sourcePort:"3389" AND data.win.eventdata.destinationIp.keyword:(127.* OR \:\:1)) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_rdp_reverse_tunnel -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_rdp_settings_hijack.yml b/elastalert_rules/sigma_sysmon_rdp_settings_hijack.yml deleted file mode 100644 index ea63288d..00000000 --- a/elastalert_rules/sigma_sysmon_rdp_settings_hijack.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects changes to RDP terminal service sensitive settings -filter: -- query: - query_string: - query: data.win.eventdata.targetObject.keyword:(*\\services\\TermService\\Parameters\\ServiceDll* OR *\\Control\\Terminal\ Server\\fSingleSessionPerUser* OR *\\Control\\Terminal\ Server\\fDenyTSConnections*) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_rdp_settings_hijack -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_redmimicry_winnti_filedrop.yml b/elastalert_rules/sigma_sysmon_redmimicry_winnti_filedrop.yml deleted file mode 100644 index 34bc2b60..00000000 --- a/elastalert_rules/sigma_sysmon_redmimicry_winnti_filedrop.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects actions caused by the RedMimicry Winnti playbook -filter: -- query: - query_string: - query: data.win.eventdata.targetFilename.keyword:(*gthread\-3.6.dll* OR *sigcmm\-2.4.dll* OR *\\Windows\\Temp\\tmp.bat*) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_redmimicry_winnti_filedrop -priority: 2 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_sysmon_redmimicry_winnti_reg.yml b/elastalert_rules/sigma_sysmon_redmimicry_winnti_reg.yml deleted file mode 100644 index 0bb90597..00000000 --- a/elastalert_rules/sigma_sysmon_redmimicry_winnti_reg.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects actions caused by the RedMimicry Winnti playbook -filter: -- query: - query_string: - query: data.win.eventdata.targetObject.keyword:*HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data* -index: wazuh-alerts-3.x-* -name: sigma_sysmon_redmimicry_winnti_reg -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_reg_office_security.yml b/elastalert_rules/sigma_sysmon_reg_office_security.yml deleted file mode 100644 index 859b1293..00000000 --- a/elastalert_rules/sigma_sysmon_reg_office_security.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects registry changes to Office macro settings -filter: -- query: - query_string: - query: (data.win.eventdata.targetObject.keyword:(*\\Security\\Trusted\ Documents\\TrustRecords OR *\\Security\\AccessVBOM OR *\\Security\\VBAWarnings) AND data.win.eventdata.eventType:("SetValue" OR "DeleteValue" OR "CreateValue")) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_reg_office_security -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_registry_persistence_key_linking.yml b/elastalert_rules/sigma_sysmon_registry_persistence_key_linking.yml deleted file mode 100644 index 1a7b4dd3..00000000 --- a/elastalert_rules/sigma_sysmon_registry_persistence_key_linking.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects COM object hijacking via TreatAs subkey -filter: -- query: - query_string: - query: (data.win.eventdata.eventType:"CreateKey" AND data.win.eventdata.targetObject.keyword:HKU\\*_Classes\\CLSID\\*\\TreatAs) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_registry_persistence_key_linking -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_registry_persistence_search_order.yml b/elastalert_rules/sigma_sysmon_registry_persistence_search_order.yml deleted file mode 100644 index 31cc59df..00000000 --- a/elastalert_rules/sigma_sysmon_registry_persistence_search_order.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects potential COM object hijacking leveraging the COM Search Order -filter: -- query: - query_string: - query: (data.win.eventdata.targetObject.keyword:HKU\\*_Classes\\CLSID\\*\\InProcServer32\\\(Default\) AND (NOT (Details.keyword:(%%systemroot%%\\system32\\* OR %%systemroot%%\\SysWow64\\* OR *\\AppData\\Local\\Microsoft\\OneDrive\\*\\FileCoAuthLib64.dll OR *\\AppData\\Local\\Microsoft\\OneDrive\\*\\FileSyncShell64.dll OR *\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\*\\Microsoft.Teams.AddinLoader.dll)))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_registry_persistence_search_order -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_registry_trust_record_modification.yml b/elastalert_rules/sigma_sysmon_registry_trust_record_modification.yml deleted file mode 100644 index 3f24a0ba..00000000 --- a/elastalert_rules/sigma_sysmon_registry_trust_record_modification.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Alerts on trust record modification within the registry, indicating usage of macros -filter: -- query: - query_string: - query: data.win.eventdata.targetObject.keyword:*TrustRecords* -index: wazuh-alerts-3.x-* -name: sigma_sysmon_registry_trust_record_modification -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_regsvr32_network_activity1.yml b/elastalert_rules/sigma_sysmon_regsvr32_network_activity1.yml deleted file mode 100644 index 94d4377b..00000000 --- a/elastalert_rules/sigma_sysmon_regsvr32_network_activity1.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects network connections and DNS queries initiated by Regsvr32.exe -filter: -- query: - query_string: - query: data.win.eventdata.image.keyword:*\\regsvr32.exe -index: wazuh-alerts-3.x-* -name: sigma_sysmon_regsvr32_network_activity -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_regsvr32_network_activity2.yml b/elastalert_rules/sigma_sysmon_regsvr32_network_activity2.yml deleted file mode 100644 index 94d4377b..00000000 --- a/elastalert_rules/sigma_sysmon_regsvr32_network_activity2.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects network connections and DNS queries initiated by Regsvr32.exe -filter: -- query: - query_string: - query: data.win.eventdata.image.keyword:*\\regsvr32.exe -index: wazuh-alerts-3.x-* -name: sigma_sysmon_regsvr32_network_activity -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_remote_powershell_session_network.yml b/elastalert_rules/sigma_sysmon_remote_powershell_session_network.yml deleted file mode 100644 index 5e2bda15..00000000 --- a/elastalert_rules/sigma_sysmon_remote_powershell_session_network.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account -filter: -- query: - query_string: - query: (data.win.eventdata.destinationPort:("5985" OR "5986") AND (NOT (user_account:"NT\ AUTHORITY\\NETWORK\ SERVICE"))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_remote_powershell_session_network -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_rundll32_net_connections.yml b/elastalert_rules/sigma_sysmon_rundll32_net_connections.yml deleted file mode 100644 index 35cf8434..00000000 --- a/elastalert_rules/sigma_sysmon_rundll32_net_connections.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a rundll32 that communicates with public IP addresses -filter: -- query: - query_string: - query: ((data.win.eventdata.image.keyword:*\\rundll32.exe AND Initiated:"true") AND (NOT (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*)))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_rundll32_net_connections -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_runkey_winekey.yml b/elastalert_rules/sigma_sysmon_runkey_winekey.yml deleted file mode 100644 index 6f542325..00000000 --- a/elastalert_rules/sigma_sysmon_runkey_winekey.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects potential malicious modification of run keys by winekey or team9 backdoor -filter: -- query: - query_string: - query: data.win.eventdata.targetObject.keyword:(*Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup\ Mgr) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_runkey_winekey -priority: 2 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_sysmon_ssp_added_lsa_config.yml b/elastalert_rules/sigma_sysmon_ssp_added_lsa_config.yml deleted file mode 100644 index e8c1f77a..00000000 --- a/elastalert_rules/sigma_sysmon_ssp_added_lsa_config.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. -filter: -- query: - query_string: - query: (data.win.eventdata.targetObject:("HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security\ Packages" OR "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security\ Packages") AND (NOT (data.win.eventdata.image:"C\:\\Windows\\system32\\msiexec.exe" OR data.win.eventdata.image:"C\:\\Windows\\syswow64\\MsiExec.exe"))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_ssp_added_lsa_config -priority: 1 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_stickykey_like_backdoor1.yml b/elastalert_rules/sigma_sysmon_stickykey_like_backdoor1.yml deleted file mode 100644 index 34cf15ed..00000000 --- a/elastalert_rules/sigma_sysmon_stickykey_like_backdoor1.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen -filter: -- query: - query_string: - query: (data.win.eventdata.targetObject.keyword:(*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\sethc.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\utilman.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\osk.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\Magnify.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\Narrator.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\DisplaySwitch.exe\\Debugger) AND data.win.eventdata.eventType:"SetValue") -index: wazuh-alerts-3.x-* -name: sigma_sysmon_stickykey_like_backdoor -priority: 1 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_stickykey_like_backdoor2.yml b/elastalert_rules/sigma_sysmon_stickykey_like_backdoor2.yml deleted file mode 100644 index 52fdbc60..00000000 --- a/elastalert_rules/sigma_sysmon_stickykey_like_backdoor2.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen -filter: -- query: - query_string: - query: (data.win.eventdata.parentImage.keyword:(*\\winlogon.exe) AND data.win.eventdata.commandLine.keyword:(*cmd.exe\ sethc.exe\ * OR *cmd.exe\ utilman.exe\ * OR *cmd.exe\ osk.exe\ * OR *cmd.exe\ Magnify.exe\ * OR *cmd.exe\ Narrator.exe\ * OR *cmd.exe\ DisplaySwitch.exe\ *)) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_stickykey_like_backdoor -priority: 1 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_susp_adsi_cache_usage.yml b/elastalert_rules/sigma_sysmon_susp_adsi_cache_usage.yml deleted file mode 100644 index bd612b76..00000000 --- a/elastalert_rules/sigma_sysmon_susp_adsi_cache_usage.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger. -filter: -- query: - query_string: - query: (data.win.eventdata.targetFilename.keyword:*\\Local\\Microsoft\\Windows\\SchCache\\*.sch AND (NOT (data.win.eventdata.image:("C\:\\windows\\system32\\svchost.exe" OR "C\:\\windows\\system32\\dllhost.exe" OR "C\:\\windows\\system32\\mmc.exe" OR "C\:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" OR "C\:\\Windows\\CCM\\CcmExec.exe")))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_susp_adsi_cache_usage -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_susp_desktop_ini.yml b/elastalert_rules/sigma_sysmon_susp_desktop_ini.yml deleted file mode 100644 index af4f7581..00000000 --- a/elastalert_rules/sigma_sysmon_susp_desktop_ini.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. -filter: -- query: - query_string: - query: (data.win.eventdata.targetFilename.keyword:*\\desktop.ini AND (NOT (data.win.eventdata.image:("C\:\\Windows\\explorer.exe" OR "C\:\\Windows\\System32\\msiexec.exe" OR "C\:\\Windows\\System32\\mmc.exe")))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_susp_desktop_ini -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_susp_download_run_key.yml b/elastalert_rules/sigma_sysmon_susp_download_run_key.yml deleted file mode 100644 index eebf4ba6..00000000 --- a/elastalert_rules/sigma_sysmon_susp_download_run_key.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories -filter: -- query: - query_string: - query: (data.win.eventdata.image.keyword:(*\\Downloads\\* OR *\\Temporary\ Internet\ Files\\Content.Outlook\\* OR *\\Local\ Settings\\Temporary\ Internet\ Files\\*) AND data.win.eventdata.targetObject.keyword:*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_susp_download_run_key -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_susp_driver_load.yml b/elastalert_rules/sigma_sysmon_susp_driver_load.yml deleted file mode 100644 index 1a589bd1..00000000 --- a/elastalert_rules/sigma_sysmon_susp_driver_load.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a driver load from a temporary directory -filter: -- query: - query_string: - query: ImageLoaded.keyword:*\\Temp\\* -index: wazuh-alerts-3.x-* -name: sigma_sysmon_susp_driver_load -priority: 3 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_sysmon_susp_fax_dll.yml b/elastalert_rules/sigma_sysmon_susp_fax_dll.yml deleted file mode 100644 index a7fdcfce..00000000 --- a/elastalert_rules/sigma_sysmon_susp_fax_dll.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service. -filter: -- query: - query_string: - query: ((data.win.eventdata.image.keyword:(*fxssvc.exe) AND ImageLoaded.keyword:(*ualapi.dll)) AND (NOT (ImageLoaded.keyword:(C\:\\Windows\\WinSxS\\*)))) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_susp_fax_dll -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_susp_image_load.yml b/elastalert_rules/sigma_sysmon_susp_image_load.yml deleted file mode 100644 index ae22db94..00000000 --- a/elastalert_rules/sigma_sysmon_susp_image_load.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz -filter: -- query: - query_string: - query: (data.win.eventdata.image.keyword:(*\\notepad.exe) AND ImageLoaded.keyword:(*\\samlib.dll OR *\\WinSCard.dll)) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_susp_image_load -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_susp_lsass_dll_load.yml b/elastalert_rules/sigma_sysmon_susp_lsass_dll_load.yml deleted file mode 100644 index b4a69cf9..00000000 --- a/elastalert_rules/sigma_sysmon_susp_lsass_dll_load.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a method to load DLL via LSASS process using an undocumented Registry key -filter: -- query: - query_string: - query: data.win.eventdata.targetObject.keyword:(*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt* OR *\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_susp_lsass_dll_load -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_susp_mic_cam_access.yml b/elastalert_rules/sigma_sysmon_susp_mic_cam_access.yml deleted file mode 100644 index 84efe0b6..00000000 --- a/elastalert_rules/sigma_sysmon_susp_mic_cam_access.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects Processes accessing the camera and microphone from suspicious folder -filter: -- query: - query_string: - query: (data.win.eventdata.targetObject.keyword:(*\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\*\\NonPackaged*) AND data.win.eventdata.targetObject.keyword:(*microphone* OR *webcam*) AND data.win.eventdata.targetObject.keyword:(*#C\:#Windows#Temp#* OR *#C\:#$Recycle.bin#* OR *#C\:#Temp#* OR *#C\:#Users#Public#* OR *#C\:#Users#Default#* OR *#C\:#Users#Desktop#*)) -index: wazuh-alerts-3.x-* -name: sigma_sysmon_susp_mic_cam_access -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_susp_office_dotnet_assembly_dll_load.yml b/elastalert_rules/sigma_sysmon_susp_office_dotnet_assembly_dll_load.yml deleted file mode 100644 index ecf4f6f4..00000000 --- a/elastalert_rules/sigma_sysmon_susp_office_dotnet_assembly_dll_load.yml +++ /dev/null 
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects any assembly DLL being loaded by an Office Product
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:(*\\winword.exe OR *\\powerpnt.exe OR *\\excel.exe OR *\\outlook.exe) AND ImageLoaded.keyword:(C\:\\Windows\\assembly\\*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_office_dotnet_assembly_dll_load
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_office_dotnet_clr_dll_load.yml b/elastalert_rules/sigma_sysmon_susp_office_dotnet_clr_dll_load.yml
deleted file mode 100644
index 3351bd03..00000000
--- a/elastalert_rules/sigma_sysmon_susp_office_dotnet_clr_dll_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects CLR DLL being loaded by an Office Product
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:(*\\winword.exe OR *\\powerpnt.exe OR *\\excel.exe OR *\\outlook.exe) AND ImageLoaded.keyword:(*\\clr.dll*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_office_dotnet_clr_dll_load
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_office_dotnet_gac_dll_load.yml b/elastalert_rules/sigma_sysmon_susp_office_dotnet_gac_dll_load.yml
deleted file mode 100644
index ca113ebc..00000000
--- a/elastalert_rules/sigma_sysmon_susp_office_dotnet_gac_dll_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects any GAC DLL being loaded by an Office Product
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:(*\\winword.exe OR *\\powerpnt.exe OR *\\excel.exe OR *\\outlook.exe) AND ImageLoaded.keyword:(C\:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_office_dotnet_gac_dll_load
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_office_dsparse_dll_load.yml b/elastalert_rules/sigma_sysmon_susp_office_dsparse_dll_load.yml
deleted file mode 100644
index f95f915c..00000000
--- a/elastalert_rules/sigma_sysmon_susp_office_dsparse_dll_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects DSParse DLL being loaded by an Office Product
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:(*\\winword.exe OR *\\powerpnt.exe OR *\\excel.exe OR *\\outlook.exe) AND ImageLoaded.keyword:(*\\dsparse.dll*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_office_dsparse_dll_load
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_office_kerberos_dll_load.yml b/elastalert_rules/sigma_sysmon_susp_office_kerberos_dll_load.yml
deleted file mode 100644
index 7c8afd74..00000000
--- a/elastalert_rules/sigma_sysmon_susp_office_kerberos_dll_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Kerberos DLL being loaded by an Office Product
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:(*\\winword.exe OR *\\powerpnt.exe OR *\\excel.exe OR *\\outlook.exe) AND ImageLoaded.keyword:(*\\kerberos.dll))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_office_kerberos_dll_load
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_powershell_rundll32.yml b/elastalert_rules/sigma_sysmon_susp_powershell_rundll32.yml
deleted file mode 100644
index e5627932..00000000
--- a/elastalert_rules/sigma_sysmon_susp_powershell_rundll32.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PowerShell remote thread creation in Rundll32.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"8" AND process_path.keyword:*\\powershell.exe AND data.win.eventdata.targetImage.keyword:*\\rundll32.exe)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_powershell_rundll32
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/elastalert_rules/sigma_sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
deleted file mode 100644
index baf1ca7b..00000000
--- a/elastalert_rules/sigma_sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetFilename.keyword:*\\AppData\\Local\\Temp\\*\\PROCEXP152.sys AND (NOT (data.win.eventdata.image.keyword:(*\\procexp64.exe* OR *\\procexp.exe* OR *\\procmon64.exe* OR *\\procmon.exe*))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_procexplorer_driver_created_in_tmp_folder
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_prog_location_network_connection.yml b/elastalert_rules/sigma_sysmon_susp_prog_location_network_connection.yml
deleted file mode 100644
index ceda092b..00000000
--- a/elastalert_rules/sigma_sysmon_susp_prog_location_network_connection.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects programs with network connections running in suspicious files system locations
-filter:
-- query:
- query_string:
- query: data.win.eventdata.image.keyword:(*\\$Recycle.bin OR *\\Users\\All\ Users\\* OR *\\Users\\Default\\* OR *\\Users\\Public\\* OR *\\Users\\Contacts\\* OR *\\Users\\Searches\\* OR C\:\\Perflogs\\* OR *\\config\\systemprofile\\* OR *\\Windows\\Fonts\\* OR *\\Windows\\IME\\* OR *\\Windows\\addins\\*)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_prog_location_network_connection
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_rdp.yml b/elastalert_rules/sigma_sysmon_susp_rdp.yml
deleted file mode 100644
index e36be397..00000000
--- a/elastalert_rules/sigma_sysmon_susp_rdp.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
-filter:
-- query:
- query_string:
- query: ((data.win.eventdata.destinationPort:"3389" AND Initiated:"true") AND (NOT (data.win.eventdata.image.keyword:(*\\mstsc.exe OR *\\RTSApp.exe OR *\\RTS2App.exe OR *\\RDCMan.exe OR *\\ws_TunnelService.exe OR *\\RSSensor.exe OR *\\RemoteDesktopManagerFree.exe OR *\\RemoteDesktopManager.exe OR *\\RemoteDesktopManager64.exe OR *\\mRemoteNG.exe OR *\\mRemote.exe OR *\\Terminals.exe OR *\\spiceworks\-finder.exe OR *\\FSDiscovery.exe OR *\\FSAssessment.exe OR *\\MobaRTE.exe OR *\\chrome.exe OR *\\thor.exe OR *\\thor64.exe))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_rdp
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_reg_persist_explorer_run.yml b/elastalert_rules/sigma_sysmon_susp_reg_persist_explorer_run.yml
deleted file mode 100644
index 0446d549..00000000
--- a/elastalert_rules/sigma_sysmon_susp_reg_persist_explorer_run.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetObject.keyword:*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run AND Details.keyword:(C\:\\Windows\\Temp\\* OR C\:\\ProgramData\\* OR *\\AppData\\* OR C\:\\$Recycle.bin\\* OR C\:\\Temp\\* OR C\:\\Users\\Public\\* OR C\:\\Users\\Default\\*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_reg_persist_explorer_run
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_run_key_img_folder.yml b/elastalert_rules/sigma_sysmon_susp_run_key_img_folder.yml
deleted file mode 100644
index 395f42f6..00000000
--- a/elastalert_rules/sigma_sysmon_susp_run_key_img_folder.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetObject.keyword:(*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\* OR *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*) AND Details.keyword:(*C\:\\Windows\\Temp\\* OR *C\:\\$Recycle.bin\\* OR *C\:\\Temp\\* OR *C\:\\Users\\Public\\* OR %Public%\\* OR *C\:\\Users\\Default\\* OR *C\:\\Users\\Desktop\\* OR wscript* OR cscript*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_run_key_img_folder
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_service_installed.yml b/elastalert_rules/sigma_sysmon_susp_service_installed.yml
deleted file mode 100644
index 5af95810..00000000
--- a/elastalert_rules/sigma_sysmon_susp_service_installed.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
-filter:
-- query:
- query_string:
- query: ((data.win.eventdata.targetObject:("HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath" OR "HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath") AND (NOT (data.win.eventdata.image.keyword:(*\\procexp64.exe* OR *\\procexp.exe* OR *\\procmon64.exe* OR *\\procmon.exe*)))) AND (NOT (Details.keyword:(*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS*))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_service_installed
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_winword_vbadll_load.yml b/elastalert_rules/sigma_sysmon_susp_winword_vbadll_load.yml
deleted file mode 100644
index a5ec7046..00000000
--- a/elastalert_rules/sigma_sysmon_susp_winword_vbadll_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects DLL's Loaded Via Word Containing VBA Macros
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:(*\\winword.exe OR *\\powerpnt.exe OR *\\excel.exe OR *\\outlook.exe) AND ImageLoaded.keyword:(*\\VBE7.DLL OR *\\VBEUI.DLL OR *\\VBE7INTL.DLL))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_winword_vbadll_load
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_susp_winword_wmidll_load.yml b/elastalert_rules/sigma_sysmon_susp_winword_wmidll_load.yml
deleted file mode 100644
index 535f6b7d..00000000
--- a/elastalert_rules/sigma_sysmon_susp_winword_wmidll_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:(*\\winword.exe OR *\\powerpnt.exe OR *\\excel.exe OR *\\outlook.exe) AND ImageLoaded.keyword:(*\\wmiutils.dll OR *\\wbemcomn.dll OR *\\wbemprox.dll OR *\\wbemdisp.dll OR *\\wbemsvc.dll))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_susp_winword_wmidll_load
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_suspicious_dbghelp_dbgcore_load.yml b/elastalert_rules/sigma_sysmon_suspicious_dbghelp_dbgcore_load.yml
deleted file mode 100644
index 8c0ea41f..00000000
--- a/elastalert_rules/sigma_sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
-filter:
-- query:
- query_string:
- query: (((ImageLoaded.keyword:(*\\dbghelp.dll OR *\\dbgcore.dll) AND data.win.eventdata.image.keyword:(*\\msbuild.exe OR *\\cmd.exe OR *\\svchost.exe OR *\\rundll32.exe OR *\\powershell.exe OR *\\word.exe OR *\\excel.exe OR *\\powerpnt.exe OR *\\outlook.exe OR *\\monitoringhost.exe OR *\\wmic.exe OR *\\bash.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\mshta.exe OR *\\regsvr32.exe OR *\\schtasks.exe OR *\\dnx.exe OR *\\regsvcs.exe OR *\\sc.exe OR *\\scriptrunner.exe)) AND (NOT (data.win.eventdata.image.keyword:*Visual\ Studio*))) OR ((ImageLoaded.keyword:(*\\dbghelp.dll OR *\\dbgcore.dll) AND data.win.eventdata.signed:"FALSE") AND (NOT (data.win.eventdata.image.keyword:*Visual\ Studio*))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_suspicious_dbghelp_dbgcore_load
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_suspicious_keyboard_layout_load.yml b/elastalert_rules/sigma_sysmon_suspicious_keyboard_layout_load.yml
deleted file mode 100644
index 2b6a88c0..00000000
--- a/elastalert_rules/sigma_sysmon_suspicious_keyboard_layout_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetObject.keyword:(*\\Keyboard\ Layout\\Preload\\* OR *\\Keyboard\ Layout\\Substitutes\\*) AND Details.keyword:(*00000429* OR *00050429* OR *0000042a*))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_suspicious_keyboard_layout_load
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_suspicious_outbound_kerberos_connection.yml b/elastalert_rules/sigma_sysmon_suspicious_outbound_kerberos_connection.yml
deleted file mode 100644
index 12fabbd5..00000000
--- a/elastalert_rules/sigma_sysmon_suspicious_outbound_kerberos_connection.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-filter:
-- query:
- query_string:
- query: ((data.win.eventdata.destinationPort:"88" AND Initiated:"true") AND (NOT (data.win.eventdata.image.keyword:(*\\lsass.exe OR *\\opera.exe OR *\\chrome.exe OR *\\firefox.exe))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_suspicious_outbound_kerberos_connection
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_suspicious_remote_thread.yml b/elastalert_rules/sigma_sysmon_suspicious_remote_thread.yml
deleted file mode 100644
index 1b4f0960..00000000
--- a/elastalert_rules/sigma_sysmon_suspicious_remote_thread.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"8" AND process_path.keyword:(*\\bash.exe OR *\\cvtres.exe OR *\\defrag.exe OR *\\dnx.exe OR *\\esentutl.exe OR *\\excel.exe OR *\\expand.exe OR *\\explorer.exe OR *\\find.exe OR *\\findstr.exe OR *\\forfiles.exe OR *\\git.exe OR *\\gpupdate.exe OR *\\hh.exe OR *\\iexplore.exe OR *\\installutil.exe OR *\\lync.exe OR *\\makecab.exe OR *\\mDNSResponder.exe OR *\\monitoringhost.exe OR *\\msbuild.exe OR *\\mshta.exe OR *\\msiexec.exe OR *\\mspaint.exe OR *\\outlook.exe OR *\\ping.exe OR *\\powerpnt.exe OR *\\powershell.exe OR *\\provtool.exe OR *\\python.exe OR *\\regsvr32.exe OR *\\robocopy.exe OR *\\runonce.exe OR *\\sapcimc.exe OR *\\schtasks.exe OR *\\smartscreen.exe OR *\\spoolsv.exe OR *\\tstheme.exe OR *\\userinit.exe OR *\\vssadmin.exe OR *\\vssvc.exe OR *\\w3wp.exe* OR *\\winlogon.exe OR *\\winscp.exe OR *\\wmic.exe OR *\\word.exe OR *\\wscript.exe)) AND (NOT (process_path.keyword:*Visual\ Studio*)))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_suspicious_remote_thread
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_svchost_dll_search_order_hijack.yml b/elastalert_rules/sigma_sysmon_svchost_dll_search_order_hijack.yml
deleted file mode 100644
index ae51c968..00000000
--- a/elastalert_rules/sigma_sysmon_svchost_dll_search_order_hijack.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
-filter:
-- query:
- query_string:
- query: ((data.win.eventdata.image.keyword:(*\\svchost.exe) AND ImageLoaded.keyword:(*\\tsmsisrv.dll OR *\\tsvipsrv.dll OR *\\wlbsctrl.dll)) AND (NOT (ImageLoaded.keyword:(C\:\\Windows\\WinSxS\\*))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_svchost_dll_search_order_hijack
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_sysinternals_eula_accepted1.yml b/elastalert_rules/sigma_sysmon_sysinternals_eula_accepted1.yml
deleted file mode 100644
index 52becc31..00000000
--- a/elastalert_rules/sigma_sysmon_sysinternals_eula_accepted1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetObject.keyword:*\\EulaAccepted
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_sysinternals_eula_accepted
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_sysinternals_eula_accepted2.yml b/elastalert_rules/sigma_sysmon_sysinternals_eula_accepted2.yml
deleted file mode 100644
index 09eee078..00000000
--- a/elastalert_rules/sigma_sysmon_sysinternals_eula_accepted2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
-filter:
-- query:
- query_string:
- query: data.win.eventdata.commandLine.keyword:*\ \-accepteula*
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_sysinternals_eula_accepted
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_sysmon_apt_muddywater_dnstunnel.yml b/elastalert_rules/sigma_sysmon_sysmon_apt_muddywater_dnstunnel.yml
deleted file mode 100644
index 65426bb9..00000000
--- a/elastalert_rules/sigma_sysmon_sysmon_apt_muddywater_dnstunnel.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detecting DNS tunnel activity for Muddywater actor
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\powershell.exe) AND data.win.eventdata.parentImage.keyword:(*\\excel.exe) AND data.win.eventdata.commandLine.keyword:(*DataExchange.dll*))
-index: wazuh-alerts-3.x-*
-name: 36222790-0d43-4fe8-86e4-674b27809543_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_sysmon_hack_wce.yml b/elastalert_rules/sigma_sysmon_sysmon_hack_wce.yml
deleted file mode 100644
index 49019699..00000000
--- a/elastalert_rules/sigma_sysmon_sysmon_hack_wce.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of Windows Credential Editor (WCE)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (hash_imphash:("a53a02b997935fd8eedcb5f7abab9b9f" OR "A53A02B997935FD8EEDCB5F7ABAB9B9F" OR "e96a73c7bf33a464c510ede582318bf2" OR "E96A73C7BF33A464C510EDE582318BF2") OR (data.win.eventdata.commandLine.keyword:*.exe\ \-S AND data.win.eventdata.parentImage.keyword:*\\services.exe)))
-index: wazuh-alerts-3.x-*
-name: 7aa7009a-28b9-4344-8c1f-159489a390df_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/elastalert_rules/sigma_sysmon_sysmon_logon_scripts_userinitmprlogonscript_proc.yml
deleted file mode 100644
index a47c465c..00000000
--- a/elastalert_rules/sigma_sysmon_sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects creation or execution of UserInitMprLogonScript persistence method
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.system.eventID:"4688" AND (data.win.eventdata.parentImage.keyword:*\\userinit.exe AND (NOT (process_path.keyword:*\\explorer.exe))) AND (NOT (data.win.eventdata.commandLine.keyword:(*netlogon.bat* OR *UsrLogon.cmd*)))) OR data.win.eventdata.commandLine.keyword:*UserInitMprLogonScript*))
-index: wazuh-alerts-3.x-*
-name: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_tsclient_filewrite_startup.yml b/elastalert_rules/sigma_sysmon_tsclient_filewrite_startup.yml
deleted file mode 100644
index c61d6790..00000000
--- a/elastalert_rules/sigma_sysmon_tsclient_filewrite_startup.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:*\\mstsc.exe AND data.win.eventdata.targetFilename.keyword:*\\Microsoft\\Windows\\Start\ Menu\\Programs\\Startup\\*)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_tsclient_filewrite_startup
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_uac_bypass_eventvwr1.yml b/elastalert_rules/sigma_sysmon_uac_bypass_eventvwr1.yml
deleted file mode 100644
index e8c6a776..00000000
--- a/elastalert_rules/sigma_sysmon_uac_bypass_eventvwr1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects UAC bypass method using Windows event viewer
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetObject.keyword:HKU\\*\\mscfile\\shell\\open\\command
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_uac_bypass_eventvwr
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_uac_bypass_eventvwr2.yml b/elastalert_rules/sigma_sysmon_uac_bypass_eventvwr2.yml
deleted file mode 100644
index 1794cac9..00000000
--- a/elastalert_rules/sigma_sysmon_uac_bypass_eventvwr2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects UAC bypass method using Windows event viewer
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.parentImage.keyword:*\\eventvwr.exe AND (NOT (data.win.eventdata.image.keyword:*\\mmc.exe)))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_uac_bypass_eventvwr
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_uac_bypass_sdclt.yml b/elastalert_rules/sigma_sysmon_uac_bypass_sdclt.yml
deleted file mode 100644
index cbc3b0ad..00000000
--- a/elastalert_rules/sigma_sysmon_uac_bypass_sdclt.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
-filter:
-- query:
- query_string:
- query: data.win.eventdata.targetObject.keyword:HKU\\*_Classes\\exefile\\shell\\runas\\command\\isolatedCommand
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_uac_bypass_sdclt
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_unsigned_image_loaded_into_lsass.yml b/elastalert_rules/sigma_sysmon_unsigned_image_loaded_into_lsass.yml
deleted file mode 100644
index 08b848a0..00000000
--- a/elastalert_rules/sigma_sysmon_unsigned_image_loaded_into_lsass.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Loading unsigned image (DLL, EXE) into LSASS process
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:*\\lsass.exe AND data.win.eventdata.signed:"false")
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_unsigned_image_loaded_into_lsass
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_webshell_creation_detect.yml b/elastalert_rules/sigma_sysmon_webshell_creation_detect.yml
deleted file mode 100644
index 75d7d3df..00000000
--- a/elastalert_rules/sigma_sysmon_webshell_creation_detect.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Possible webshell file creation on a static web site
-filter:
-- query:
- query_string:
- query: ((((data.win.eventdata.targetFilename.keyword:*\\inetpub\\wwwroot\\* AND data.win.eventdata.targetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) AND (NOT (data.win.eventdata.targetFilename.keyword:(*\\AppData\\Local\\Temp\\* OR *\\Windows\\Temp\\*)))) OR ((data.win.eventdata.targetFilename.keyword:(*\\www\\* OR *\\htdocs\\* OR *\\html\\*) AND data.win.eventdata.targetFilename.keyword:*.ph*) AND (NOT (data.win.eventdata.targetFilename.keyword:(*\\AppData\\Local\\Temp\\* OR *\\Windows\\Temp\\*))))) OR ((data.win.eventdata.targetFilename.keyword:*.jsp OR (data.win.eventdata.targetFilename.keyword:*\\cgi\-bin\\* AND data.win.eventdata.targetFilename.keyword:*.pl*)) AND (NOT (data.win.eventdata.targetFilename.keyword:(*\\AppData\\Local\\Temp\\* OR *\\Windows\\Temp\\*)))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_webshell_creation_detect
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_advanced_ip_scanner.yml b/elastalert_rules/sigma_sysmon_win_advanced_ip_scanner.yml
deleted file mode 100644
index 7add95a7..00000000
--- a/elastalert_rules/sigma_sysmon_win_advanced_ip_scanner.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\advanced_ip_scanner*)
-index: wazuh-alerts-3.x-*
-name: bef37fa2-f205-4a7b-b484-0759bfd5f86f_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_apt29_thinktanks.yml b/elastalert_rules/sigma_sysmon_win_apt_apt29_thinktanks.yml
deleted file mode 100644
index 584f6606..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_apt29_thinktanks.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\-noni\ \-ep\ bypass\ $*)
-index: wazuh-alerts-3.x-*
-name: 033fe7d6-66d1-4240-ac6b-28908009c71f_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_babyshark.yml b/elastalert_rules/sigma_sysmon_win_apt_babyshark.yml
deleted file mode 100644
index 4940af4e..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_babyshark.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects activity that could be related to Baby Shark malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(reg\ query\ \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal\ Server\ Client\\Default\" OR powershell.exe\ mshta.exe\ http* OR cmd.exe\ \/c\ taskkill\ \/im\ cmd.exe))
-index: wazuh-alerts-3.x-*
-name: 2b30fa36-3a18-402f-a22d-bf4ce2189f35_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_bear_activity_gtr19.yml b/elastalert_rules/sigma_sysmon_win_apt_bear_activity_gtr19.yml
deleted file mode 100644
index 26a020cc..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_bear_activity_gtr19.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:*\\xcopy.exe AND data.win.eventdata.commandLine.keyword:*\ \/S\ \/E\ \/C\ \/Q\ \/H\ \\*) OR (process_path.keyword:*\\adexplorer.exe AND data.win.eventdata.commandLine.keyword:*\ \-snapshot\ \"\"\ c\:\\users\\*)))
-index: wazuh-alerts-3.x-*
-name: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_bluemashroom.yml b/elastalert_rules/sigma_sysmon_win_apt_bluemashroom.yml
deleted file mode 100644
index a0acff32..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_bluemashroom.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\\regsvr32*\\AppData\\Local\\* OR *\\AppData\\Local\\*,DllEntry*))
-index: wazuh-alerts-3.x-*
-name: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_chafer_mar18.yml b/elastalert_rules/sigma_sysmon_win_apt_chafer_mar18.yml
deleted file mode 100644
index 7855c906..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_chafer_mar18.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-alert:
-- debug
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND data.win.eventdata.serviceName:("SC\ Scheduled\ Scan" OR "UpdatMachine"))
-index: wazuh-alerts-3.x-*
-name: 53ba33fd-3a50-4468-a5ef-c583635cfa92_0
-priority: 1
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4698" AND task_name:("SC\ Scheduled\ Scan" OR "UpdatMachine"))
-index: wazuh-alerts-3.x-*
-name: 53ba33fd-3a50-4468-a5ef-c583635cfa92-2_0
-priority: 1
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"13" AND data.win.eventdata.eventType:"SetValue" AND (data.win.eventdata.targetObject.keyword:(*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe OR *SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT) OR (data.win.eventdata.targetObject.keyword:*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential AND data.win.eventdata.details:"DWORD\ \(0x00000001\)")))
-index: wazuh-alerts-3.x-*
-name: 53ba33fd-3a50-4468-a5ef-c583635cfa92-3_0
-priority: 1
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:(*\\Service.exe\ i OR *\\Service.exe\ u OR *\\microsoft\\Taskbar\\autoit3.exe OR C\:\\wsc.exe*) OR process_path.keyword:*\\Windows\\Temp\\DB\\*.exe OR (data.win.eventdata.commandLine.keyword:*\\nslookup.exe\ \-q\=TXT* AND data.win.eventdata.parentImage.keyword:*\\Autoit*)))
-index: wazuh-alerts-3.x-*
-name: 53ba33fd-3a50-4468-a5ef-c583635cfa92-4_0
-priority: 1
-realert:
- minutes: 0
-type: any
-
-
diff --git a/elastalert_rules/sigma_sysmon_win_apt_cloudhopper.yml b/elastalert_rules/sigma_sysmon_win_apt_cloudhopper.yml
deleted file mode 100644
index 263c5a8c..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_cloudhopper.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious file execution by wscript and cscript
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\cscript.exe AND data.win.eventdata.commandLine.keyword:*.vbs\ \/shell\ *)
-index: wazuh-alerts-3.x-*
-name: 966e4016-627f-44f7-8341-f394905c361f_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_dragonfly.yml b/elastalert_rules/sigma_sysmon_win_apt_dragonfly.yml
deleted file mode 100644
index e78c62eb..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_dragonfly.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects CrackMapExecWin Activity as Described by NCSC
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\crackmapexec.exe))
-index: wazuh-alerts-3.x-*
-name: 04d9079e-3905-4b70-ad37-6bdf11304965_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_elise.yml b/elastalert_rules/sigma_sysmon_win_apt_elise.yml
deleted file mode 100644
index 27270898..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_elise.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Elise backdoor acitivty as used by APT32
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path:"C\:\\Windows\\SysWOW64\\cmd.exe" AND data.win.eventdata.commandLine.keyword:*\\Windows\\Caches\\NavShExt.dll\ *) OR data.win.eventdata.commandLine.keyword:*\\AppData\\Roaming\\MICROS\~1\\Windows\\Caches\\NavShExt.dll,Setting))
-index: wazuh-alerts-3.x-*
-name: e507feb7-5f73-4ef6-a970-91bb6f6d744f_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_emissarypanda_sep19.yml b/elastalert_rules/sigma_sysmon_win_apt_emissarypanda_sep19.yml
deleted file mode 100644
index 5a9a1fcb..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_emissarypanda_sep19.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\sllauncher.exe AND process_path.keyword:*\\svchost.exe)
-index: wazuh-alerts-3.x-*
-name: 9aa01d62-7667-4d3b-acb8-8cb5103e2014_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_empiremonkey.yml b/elastalert_rules/sigma_sysmon_win_apt_empiremonkey.yml
deleted file mode 100644
index 0f074efd..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_empiremonkey.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects EmpireMonkey APT reported Activity
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\/i\:%APPDATA%\\logs.txt\ scrobj.dll) AND (process_path.keyword:(*\\cutil.exe) OR data.win.eventdata.description:("Microsoft\(C\)\ Registerserver")))
-index: wazuh-alerts-3.x-*
-name: 10152a7b-b566-438f-a33c-390b607d1c8d_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_equationgroup_dll_u_load.yml b/elastalert_rules/sigma_sysmon_win_apt_equationgroup_dll_u_load.yml
deleted file mode 100644
index a6a84542..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_equationgroup_dll_u_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a specific tool and export used by EquationGroup
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:*\\rundll32.exe AND data.win.eventdata.commandLine.keyword:*,dll_u) OR data.win.eventdata.commandLine.keyword:*\ \-export\ dll_u\ *))
-index: wazuh-alerts-3.x-*
-name: d465d1d8-27a2-4cca-9621-a800f37cf72e_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_evilnum_jul20.yml b/elastalert_rules/sigma_sysmon_win_apt_evilnum_jul20.yml
deleted file mode 100644
index fd6be8ed..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_evilnum_jul20.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*regsvr32* AND data.win.eventdata.commandLine.keyword:*\ \/s\ \/i\ * AND data.win.eventdata.commandLine.keyword:*\\AppData\\Roaming\\* AND data.win.eventdata.commandLine.keyword:*.ocx*)
-index: wazuh-alerts-3.x-*
-name: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_gallium.yml b/elastalert_rules/sigma_sysmon_win_apt_gallium.yml
deleted file mode 100644
index 00dad9c5..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_gallium.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-alert:
-- debug
-description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND sha1:("53a44c2396d15c3a03723fa5e5db54cafd527635" OR "9c5e496921e3bc882dc40694f1dcc3746a75db19" OR "aeb573accfd95758550cf30bf04f389a92922844" OR "79ef78a797403a4ed1a616c68e07fff868a8650a" OR "4f6f38b4cec35e895d91c052b1f5a83d665c2196" OR "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" OR "e841a63e47361a572db9a7334af459ddca11347a" OR "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" OR "2e94b305d6812a9f96e6781c888e48c7fb157b6b" OR "dd44133716b8a241957b912fa6a02efde3ce3025" OR "8793bf166cb89eb55f0593404e4e933ab605e803" OR "a39b57032dbb2335499a51e13470a7cd5d86b138" OR "41cc2b15c662bc001c0eb92f6cc222934f0beeea" OR "d209430d6af54792371174e70e27dd11d3def7a7" OR "1c6452026c56efd2c94cea7e0f671eb55515edb0" OR "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" OR "4923d460e22fbbf165bbbaba168e5a46b8157d9f" OR "f201504bd96e81d0d350c3a8332593ee1c9e09de" OR "ddd2db1127632a2a52943a2fe516a2e7d05d70d2"))
-index: wazuh-alerts-3.x-*
-name: 440a56bf-7873-4439-940a-1c8a671073c2_0
-priority: 2
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"257" AND QNAME:("asyspy256.ddns.net" OR "hotkillmail9sddcc.ddns.net" OR "rosaf112.ddns.net" OR "cvdfhjh1231.myftp.biz" OR "sz2016rose.ddns.net" OR "dffwescwer4325.myftp.biz" OR "cvdfhjh1231.ddns.net"))
-index: wazuh-alerts-3.x-*
-name: 440a56bf-7873-4439-940a-1c8a671073c2-2_0
-priority: 2
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. 
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND sha1:("e570585edc69f9074cb5e8a790708336bd45ca0f") AND (NOT (process_path.keyword:(*\:\\Program\ Files\(x86\)\\* OR *\:\\Program\ Files\\*))))
-index: wazuh-alerts-3.x-*
-name: 440a56bf-7873-4439-940a-1c8a671073c2-3_0
-priority: 2
-realert:
- minutes: 0
-type: any
-
-
diff --git a/elastalert_rules/sigma_sysmon_win_apt_greenbug_may20.yml b/elastalert_rules/sigma_sysmon_win_apt_greenbug_may20.yml
deleted file mode 100644
index 0c69e65b..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_greenbug_may20.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects tools and process executions as observed in a Greenbug campaign in May 2020
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.eventdata.commandLine.keyword:*bitsadmin\ \/transfer* AND data.win.eventdata.commandLine.keyword:*CSIDL_APPDATA*) OR data.win.eventdata.commandLine.keyword:(*CSIDL_SYSTEM_DRIVE*) OR data.win.eventdata.commandLine.keyword:(*\\msf.ps1* OR *8989\ \-e\ cmd.exe* OR *system.Data.SqlClient.SqlDataAdapter\($cmd\);\ \[void\]$da.fill* OR *\-nop\ \-w\ hidden\ \-c\ $k\=new\-object* OR *\[Net.CredentialCache\]\:\:DefaultCredentials;IEX\ * OR *\ \-nop\ \-w\ hidden\ \-c\ $m\=new\-object\ net.webclient;$m* OR *\-noninteractive\ \-executionpolicy\ bypass\ whoami* OR *\-noninteractive\ \-executionpolicy\ bypass\ netstat\ \-a* OR *L3NlcnZlc*) OR process_path.keyword:(*\\adobe\\Adobe.exe OR *\\oracle\\local.exe OR *\\revshell.exe OR *infopagesbackup\\ncat.exe OR *CSIDL_SYSTEM\\cmd.exe OR *\\programdata\\oracle\\java.exe OR *CSIDL_COMMON_APPDATA\\comms\\comms.exe OR *\\Programdata\\VMware\\Vmware.exe)))
-index: wazuh-alerts-3.x-*
-name: 3711eee4-a808-4849-8a14-faf733da3612_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_hurricane_panda.yml b/elastalert_rules/sigma_sysmon_win_apt_hurricane_panda.yml
deleted file mode 100644
index 7ac23b98..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_hurricane_panda.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Hurricane Panda Activity
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ localgroup\ administrators\ admin\ \/add OR *\\Win64.exe*))
-index: wazuh-alerts-3.x-*
-name: 0eb2107b-a596-422e-b123-b389d5594ed7_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_judgement_panda_gtr19.yml b/elastalert_rules/sigma_sysmon_win_apt_judgement_panda_gtr19.yml
deleted file mode 100644
index c0e5840f..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_judgement_panda_gtr19.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:(*\\ldifde.exe\ \-f\ \-n\ * OR *\\7za.exe\ a\ 1.7z\ * OR *\ eprod.ldf OR *\\aaaa\\procdump64.exe* OR *\\aaaa\\netsess.exe* OR *\\aaaa\\7za.exe* OR *copy\ .\\1.7z\ \\* OR *copy\ \\client\\c$\\aaaa\\*) OR process_path:"C\:\\Users\\Public\\7za.exe"))
-index: wazuh-alerts-3.x-*
-name: 03e2746e-2b31-42f1-ab7a-eb39365b2422_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_ke3chang_regadd.yml b/elastalert_rules/sigma_sysmon_win_apt_ke3chang_regadd.yml
deleted file mode 100644
index afe6f606..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_ke3chang_regadd.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Registry modifcations performaed by Ke3chang malware in campaigns running in 2019 and 2020
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\-Property\ DWORD\ \-name\ DisableFirstRunCustomize\ \-value\ 2\ \-Force* OR *\-Property\ String\ \-name\ Check_Associations\ \-value* OR *\-Property\ DWORD\ \-name\ IEHarden\ \-value\ 0\ \-Force*))
-index: wazuh-alerts-3.x-*
-name: 7b544661-69fc-419f-9a59-82ccc328f205_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_lazarus_session_highjack.yml b/elastalert_rules/sigma_sysmon_win_apt_lazarus_session_highjack.yml
deleted file mode 100644
index 9c73cc7e..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_lazarus_session_highjack.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\msdtc.exe OR *\\gpvc.exe) AND (NOT (process_path.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\SysWOW64\\*))))
-index: wazuh-alerts-3.x-*
-name: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_mustangpanda.yml b/elastalert_rules/sigma_sysmon_win_apt_mustangpanda.yml
deleted file mode 100644
index 0a04a8df..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_mustangpanda.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process parameters as used by Mustang Panda droppers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:(*Temp\\wtask.exe\ \/create* OR *%windir\:\~\-3,1%%PUBLIC\:\~\-9,1%* OR *\/E\:vbscript\ *\ C\:\\Users\\*.txt\"\ \/F OR *\/tn\ \"Security\ Script\ * OR *%windir\:\~\-1,1%*) OR process_path.keyword:(*Temp\\winwsh.exe)))
-index: wazuh-alerts-3.x-*
-name: 2d87d610-d760-45ee-a7e6-7a6f2a65de00_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_slingshot1.yml b/elastalert_rules/sigma_sysmon_win_apt_slingshot1.yml
deleted file mode 100644
index 9cee5b89..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_slingshot1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\schtasks.exe AND data.win.eventdata.commandLine.keyword:(*\/delete* OR *\/change*) AND data.win.eventdata.commandLine.keyword:*\/TN* AND data.win.eventdata.commandLine.keyword:*\\Microsoft\\Windows\\Defrag\\ScheduledDefrag*)
-index: wazuh-alerts-3.x-*
-name: 958d81aa-8566-4cea-a565-59ccd4df27b0_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_slingshot2.yml b/elastalert_rules/sigma_sysmon_win_apt_slingshot2.yml
deleted file mode 100644
index bb30d7d2..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_slingshot2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4701" AND task_name:"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag")
-index: wazuh-alerts-3.x-*
-name: 958d81aa-8566-4cea-a565-59ccd4df27b0-2_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_sofacy.yml b/elastalert_rules/sigma_sysmon_win_apt_sofacy.yml
deleted file mode 100644
index 876f21dd..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_sofacy.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Trojan loader acitivty as used by APT28
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(rundll32.exe\ %APPDATA%\\*.dat\",* OR rundll32.exe\ %APPDATA%\\*.dll\",#1))
-index: wazuh-alerts-3.x-*
-name: ba778144-5e3d-40cf-8af9-e28fb1df1e20_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_ta17_293a_ps.yml b/elastalert_rules/sigma_sysmon_win_apt_ta17_293a_ps.yml
deleted file mode 100644
index 38e457a7..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_ta17_293a_ps.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine:"ps.exe\ \-accepteula")
-index: wazuh-alerts-3.x-*
-name: 18da1007-3f26-470f-875d-f77faf1cab31_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_ta505_dropper.yml b/elastalert_rules/sigma_sysmon_win_apt_ta505_dropper.yml
deleted file mode 100644
index e4a471fa..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_ta505_dropper.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\mshta.exe AND data.win.eventdata.parentImage.keyword:*\\wmiprvse.exe)
-index: wazuh-alerts-3.x-*
-name: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_taidoor.yml b/elastalert_rules/sigma_sysmon_win_apt_taidoor.yml
deleted file mode 100644
index fa1526bf..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_taidoor.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:(*dll,MyStart* OR *dll\ MyStart*) OR (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ MyStart) AND data.win.eventdata.commandLine.keyword:(*rundll32.exe*))))
-index: wazuh-alerts-3.x-*
-name: d1aa3382-abab-446f-96ea-4de52908210b_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_tropictrooper.yml b/elastalert_rules/sigma_sysmon_win_apt_tropictrooper.yml
deleted file mode 100644
index 1efe94ed..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_tropictrooper.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*)
-index: wazuh-alerts-3.x-*
-name: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_turla_comrat_may20.yml b/elastalert_rules/sigma_sysmon_win_apt_turla_comrat_may20.yml
deleted file mode 100644
index 1146893e..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_turla_comrat_may20.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects commands used by Turla group as reported by ESET in May 2020
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:(*tracert\ \-h\ 10\ yahoo.com* OR *.WSqmCons\)\)|iex;* OR *Fr`omBa`se6`4Str`ing*) OR (data.win.eventdata.commandLine.keyword:*net\ use\ https\:\/\/docs.live.net* AND data.win.eventdata.commandLine.keyword:*@aol.co.uk*)))
-index: wazuh-alerts-3.x-*
-name: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_unidentified_nov_181.yml b/elastalert_rules/sigma_sysmon_win_apt_unidentified_nov_181.yml
deleted file mode 100644
index e316df50..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_unidentified_nov_181.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*cyzfc.dat,\ PointFunctionCall)
-index: wazuh-alerts-3.x-*
-name: 7453575c-a747-40b9-839b-125a0aae324b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_unidentified_nov_182.yml b/elastalert_rules/sigma_sysmon_win_apt_unidentified_nov_182.yml
deleted file mode 100644
index 53b7339b..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_unidentified_nov_182.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"11" AND data.win.eventdata.targetFilename.keyword:(*ds7002.lnk*))
-index: wazuh-alerts-3.x-*
-name: 7453575c-a747-40b9-839b-125a0aae324b-2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_winnti_mal_hk_jan20.yml b/elastalert_rules/sigma_sysmon_win_apt_winnti_mal_hk_jan20.yml
deleted file mode 100644
index ea0872d4..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_winnti_mal_hk_jan20.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.eventdata.parentImage.keyword:(*C\:\\Windows\\Temp* OR *\\hpqhvind.exe*) AND process_path.keyword:C\:\\ProgramData\\DRM*) OR (data.win.eventdata.parentImage.keyword:C\:\\ProgramData\\DRM* AND process_path.keyword:*\\wmplayer.exe) OR (data.win.eventdata.parentImage.keyword:*\\Test.exe AND process_path.keyword:*\\wmplayer.exe) OR process_path:"C\:\\ProgramData\\DRM\\CLR\\CLR.exe" OR (data.win.eventdata.parentImage.keyword:C\:\\ProgramData\\DRM\\Windows* AND process_path.keyword:*\\SearchFilterHost.exe)))
-index: wazuh-alerts-3.x-*
-name: 3121461b-5aa0-4a41-b910-66d25524edbb_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_winnti_pipemon.yml b/elastalert_rules/sigma_sysmon_win_apt_winnti_pipemon.yml
deleted file mode 100644
index 595c6056..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_winnti_pipemon.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:(*setup0.exe\ \-p*) OR data.win.eventdata.commandLine.keyword:(*setup.exe\ \-x\:0 OR *setup.exe\ \-x\:1 OR *setup.exe\ \-x\:2)))
-index: wazuh-alerts-3.x-*
-name: 73d70463-75c9-4258-92c6-17500fe972f2_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_wocao1.yml b/elastalert_rules/sigma_sysmon_win_apt_wocao1.yml
deleted file mode 100644
index 4a20cc71..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_wocao1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects activity mentioned in Operation Wocao report
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4799" AND group_name:"Administrators" AND data.win.eventdata.processName.keyword:*\\checkadmin.exe)
-index: wazuh-alerts-3.x-*
-name: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_wocao2.yml b/elastalert_rules/sigma_sysmon_win_apt_wocao2.yml
deleted file mode 100644
index 4aaa23ae..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_wocao2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects activity mentioned in Operation Wocao report
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*checkadmin.exe\ 127.0.0.1\ \-all* OR *netsh\ advfirewall\ firewall\ add\ rule\ name\=powershell\ dir\=in* OR *cmd\ \/c\ powershell.exe\ \-ep\ bypass\ \-file\ c\:\\s.ps1* OR *\/tn\ win32times\ \/f* OR *create\ win32times\ binPath\=* OR *\\c$\\windows\\system32\\devmgr.dll* OR *\ \-exec\ bypass\ \-enc\ JgAg* OR *type\ *keepass\\KeePass.config.xml* OR *iie.exe\ iie.txt* OR *reg\ query\ HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\*))
-index: wazuh-alerts-3.x-*
-name: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d-2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_apt_zxshell.yml b/elastalert_rules/sigma_sysmon_win_apt_zxshell.yml
deleted file mode 100644
index 93124451..00000000
--- a/elastalert_rules/sigma_sysmon_win_apt_zxshell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a ZxShell start by the called and well-known function name
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*rundll32.exe\ *,zxFunction* OR *rundll32.exe\ *,RemoteDiskXXXXX*))
-index: wazuh-alerts-3.x-*
-name: f0b70adb-0075-43b0-9745-e82a1c608fcc_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_attrib_hiding_files.yml b/elastalert_rules/sigma_sysmon_win_attrib_hiding_files.yml
deleted file mode 100644
index 1008c84d..00000000
--- a/elastalert_rules/sigma_sysmon_win_attrib_hiding_files.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects usage of attrib.exe to hide files from users.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\attrib.exe AND data.win.eventdata.commandLine.keyword:*\ \+h\ *) AND (NOT ((data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:*\\desktop.ini\ * OR (data.win.eventdata.parentImage.keyword:*\\cmd.exe AND data.win.eventdata.commandLine.keyword:\+R\ \+H\ \+S\ \+A\ \\*.cui AND data.win.eventdata.parentCommandLine.keyword:C\:\\WINDOWS\\system32\\*.bat))))))
-index: wazuh-alerts-3.x-*
-name: 4281cb20-2994-4580-aa63-c8b86d019934_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_binary_github_com.yml b/elastalert_rules/sigma_sysmon_win_binary_github_com.yml
deleted file mode 100644
index a7128279..00000000
--- a/elastalert_rules/sigma_sysmon_win_binary_github_com.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects an executable in the Windows folder accessing github.com
-filter:
-- query:
- query_string:
- query: (Initiated:"true" AND data.win.eventdata.destinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND data.win.eventdata.image.keyword:C\:\\Windows\\*)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_win_binary_github_com
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_binary_susp_com.yml b/elastalert_rules/sigma_sysmon_win_binary_susp_com.yml
deleted file mode 100644
index 64929310..00000000
--- a/elastalert_rules/sigma_sysmon_win_binary_susp_com.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects an executable in the Windows folder accessing suspicious domains
-filter:
-- query:
- query_string:
- query: (Initiated:"true" AND data.win.eventdata.destinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND data.win.eventdata.image.keyword:C\:\\Windows\\*)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_win_binary_susp_com
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_bootconf_mod.yml b/elastalert_rules/sigma_sysmon_win_bootconf_mod.yml
deleted file mode 100644
index 9faa6f3b..00000000
--- a/elastalert_rules/sigma_sysmon_win_bootconf_mod.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\bcdedit.exe AND data.win.eventdata.commandLine.keyword:*set*) AND ((data.win.eventdata.commandLine.keyword:*bootstatuspolicy* AND data.win.eventdata.commandLine.keyword:*ignoreallfailures*) OR (data.win.eventdata.commandLine.keyword:*recoveryenabled* AND data.win.eventdata.commandLine.keyword:*no*)))
-index: wazuh-alerts-3.x-*
-name: 1444443e-6757-43e4-9ea4-c8fc705f79a2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_bypass_squiblytwo.yml b/elastalert_rules/sigma_sysmon_win_bypass_squiblytwo.yml
deleted file mode 100644
index 0df7139f..00000000
--- a/elastalert_rules/sigma_sysmon_win_bypass_squiblytwo.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:(*\\wmic.exe) AND data.win.eventdata.commandLine.keyword:(wmic\ *\ *format\:\\\"http* OR wmic\ *\ \/format\:'http OR wmic\ *\ \/format\:http*)) OR (hash_imphash:("1b1a3f43bf37b5bfe60751f2ee2f326e" OR "1B1A3F43BF37B5BFE60751F2EE2F326E" OR "37777a96245a3c74eb217308f3546f4c" OR "37777A96245A3C74EB217308F3546F4C" OR "9d87c9d67ce724033c0b40cc4ca1b206" OR "9D87C9D67CE724033C0B40CC4CA1B206") AND data.win.eventdata.commandLine.keyword:(*\ *format\:\\\"http* OR *\ \/format\:'http OR *\ \/format\:http*))))
-index: wazuh-alerts-3.x-*
-name: 8d63dadf-b91b-4187-87b6-34a1114577ea_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_change_default_file_association.yml b/elastalert_rules/sigma_sysmon_win_change_default_file_association.yml
deleted file mode 100644
index b7a81cc7..00000000
--- a/elastalert_rules/sigma_sysmon_win_change_default_file_association.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*cmd* AND data.win.eventdata.commandLine.keyword:*\/c* AND data.win.eventdata.commandLine.keyword:*assoc*)
-index: wazuh-alerts-3.x-*
-name: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_cmdkey_recon.yml b/elastalert_rules/sigma_sysmon_win_cmdkey_recon.yml
deleted file mode 100644
index 004e3535..00000000
--- a/elastalert_rules/sigma_sysmon_win_cmdkey_recon.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects usage of cmdkey to look for cached credentials
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\cmdkey.exe AND data.win.eventdata.commandLine.keyword:*\ \/list\ *)
-index: wazuh-alerts-3.x-*
-name: 07f8bdc2-c9b3-472a-9817-5a670b872f53_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_cmstp_com_object_access.yml b/elastalert_rules/sigma_sysmon_win_cmstp_com_object_access.yml
deleted file mode 100644
index b10c8215..00000000
--- a/elastalert_rules/sigma_sysmon_win_cmstp_com_object_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentCommandLine.keyword:*\\DllHost.exe\ * AND data.win.eventdata.parentCommandLine.keyword:(*\{3E5FC7F9\-9A51\-4367\-9063\-A120244FBEC7\} OR *\{3E000D72\-A845\-4CD9\-BD83\-80C07C3B881F\}))
-index: wazuh-alerts-3.x-*
-name: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_commandline_path_traversal.yml b/elastalert_rules/sigma_sysmon_win_commandline_path_traversal.yml
deleted file mode 100644
index 498aaa34..00000000
--- a/elastalert_rules/sigma_sysmon_win_commandline_path_traversal.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentCommandLine.keyword:*cmd*\/c* AND data.win.eventdata.commandLine.keyword:*\/..\/..\/*)
-index: wazuh-alerts-3.x-*
-name: 087790e3-3287-436c-bccf-cbd0184a7db1_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_control_panel_item.yml b/elastalert_rules/sigma_sysmon_win_control_panel_item.yml
deleted file mode 100644
index 8ade4c9e..00000000
--- a/elastalert_rules/sigma_sysmon_win_control_panel_item.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the malicious use of a control panel item
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.eventdata.commandLine.keyword:*.cpl AND (NOT (data.win.eventdata.commandLine.keyword:(*\\System32\\* OR *%System%*)))) OR (data.win.eventdata.commandLine.keyword:(*reg\ add*) AND data.win.eventdata.commandLine.keyword:(*CurrentVersion\\Control\ Panel\\CPLs*))))
-index: wazuh-alerts-3.x-*
-name: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_copying_sensitive_files_with_credential_data.yml b/elastalert_rules/sigma_sysmon_win_copying_sensitive_files_with_credential_data.yml
deleted file mode 100644
index aeaf1231..00000000
--- a/elastalert_rules/sigma_sysmon_win_copying_sensitive_files_with_credential_data.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Files with well-known filenames (sensitive files with credential data) copying
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:*\\esentutl.exe AND data.win.eventdata.commandLine.keyword:(*vss* OR *\ \/m\ * OR *\ \/y\ *)) OR data.win.eventdata.commandLine.keyword:(*\\windows\\ntds\\ntds.dit* OR *\\config\\sam* OR *\\config\\security* OR *\\config\\system\ * OR *\\repair\\sam* OR *\\repair\\system* OR *\\repair\\security* OR *\\config\\RegBack\\sam* OR *\\config\\RegBack\\system* OR *\\config\\RegBack\\security*)))
-index: wazuh-alerts-3.x-*
-name: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_crime_fireball.yml b/elastalert_rules/sigma_sysmon_win_crime_fireball.yml
deleted file mode 100644
index 57e3032f..00000000
--- a/elastalert_rules/sigma_sysmon_win_crime_fireball.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Archer malware invocation via rundll32
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\\rundll32.exe\ *,InstallArcherSvc)
-index: wazuh-alerts-3.x-*
-name: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_crime_maze_ransomware.yml b/elastalert_rules/sigma_sysmon_win_crime_maze_ransomware.yml
deleted file mode 100644
index 5948e889..00000000
--- a/elastalert_rules/sigma_sysmon_win_crime_maze_ransomware.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process characteristics of Maze ransomware word document droppers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.eventdata.parentImage.keyword:(*\\WINWORD.exe) AND process_path.keyword:(*.tmp)) OR (process_path.keyword:*\\wmic.exe AND data.win.eventdata.parentImage.keyword:*\\Temp\\* AND data.win.eventdata.commandLine.keyword:*shadowcopy\ delete) OR (data.win.eventdata.commandLine.keyword:*shadowcopy\ delete AND data.win.eventdata.commandLine.keyword:*\\..\\..\\system32*)))
-index: wazuh-alerts-3.x-*
-name: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_crime_snatch_ransomware.yml b/elastalert_rules/sigma_sysmon_win_crime_snatch_ransomware.yml
deleted file mode 100644
index 30186230..00000000
--- a/elastalert_rules/sigma_sysmon_win_crime_snatch_ransomware.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process characteristics of Snatch ransomware word document droppers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*shutdown\ \/r\ \/f\ \/t\ 00* OR *net\ stop\ SuperBackupMan*))
-index: wazuh-alerts-3.x-*
-name: 5325945e-f1f0-406e-97b8-65104d393fff_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_data_compressed_with_rar.yml b/elastalert_rules/sigma_sysmon_win_data_compressed_with_rar.yml
deleted file mode 100644
index c2fcc86c..00000000
--- a/elastalert_rules/sigma_sysmon_win_data_compressed_with_rar.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\rar.exe AND data.win.eventdata.commandLine.keyword:*\ a\ *)
-index: wazuh-alerts-3.x-*
-name: 6f3e2987-db24-4c78-a860-b4f4095a7095_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_dns_exfiltration_tools_execution.yml b/elastalert_rules/sigma_sysmon_win_dns_exfiltration_tools_execution.yml
deleted file mode 100644
index 4a9e9c1e..00000000
--- a/elastalert_rules/sigma_sysmon_win_dns_exfiltration_tools_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Well-known DNS Exfiltration tools execution
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\iodine.exe OR process_path.keyword:*\\dnscat2*))
-index: wazuh-alerts-3.x-*
-name: 98a96a5a-64a0-4c42-92c5-489da3866cb0_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_dnscat2_powershell_implementation.yml b/elastalert_rules/sigma_sysmon_win_dnscat2_powershell_implementation.yml
deleted file mode 100644
index e7f00609..00000000
--- a/elastalert_rules/sigma_sysmon_win_dnscat2_powershell_implementation.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- minutes: 30
-description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
-doc_type: doc
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\powershell.exe AND process_path.keyword:*\\nslookup.exe AND data.win.eventdata.commandLine.keyword:*\\nslookup.exe)
-index: wazuh-alerts-3.x-*
-max_threshold: 100
-metric_agg_key: process_path.keyword
-metric_agg_type: cardinality
-name: b11d75d6-d7c1-11ea-87d0-0242ac130003_0
-priority: 2
-query_key: data.win.eventdata.parentImage.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_sysmon_win_dsquery_domain_trust_discovery.yml b/elastalert_rules/sigma_sysmon_win_dsquery_domain_trust_discovery.yml
deleted file mode 100644
index 1b9445b3..00000000
--- a/elastalert_rules/sigma_sysmon_win_dsquery_domain_trust_discovery.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a discovery of domain trusts
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:*\\dsquery.exe AND data.win.eventdata.commandLine.keyword:*\-filter* AND data.win.eventdata.commandLine.keyword:*trustedDomain*) OR (process_path.keyword:*\\nltest.exe AND data.win.eventdata.commandLine.keyword:*domain_trusts*)))
-index: wazuh-alerts-3.x-*
-name: 77815820-246c-47b8-9741-e0def3f57308_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_encoded_frombase64string.yml b/elastalert_rules/sigma_sysmon_win_encoded_frombase64string.yml
deleted file mode 100644
index 26ebcde2..00000000
--- a/elastalert_rules/sigma_sysmon_win_encoded_frombase64string.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a base64 encoded FromBase64String keyword in a process command line
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*))
-index: wazuh-alerts-3.x-*
-name: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_encoded_iex.yml b/elastalert_rules/sigma_sysmon_win_encoded_iex.yml
deleted file mode 100644
index d273f1bf..00000000
--- a/elastalert_rules/sigma_sysmon_win_encoded_iex.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a base64 encoded IEX command string in a process command line
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*))
-index: wazuh-alerts-3.x-*
-name: 88f680b8-070e-402c-ae11-d2914f2257f1_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_etw_modification_cmdline.yml b/elastalert_rules/sigma_sysmon_win_etw_modification_cmdline.yml
deleted file mode 100644
index be22ea37..00000000
--- a/elastalert_rules/sigma_sysmon_win_etw_modification_cmdline.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*COMPlus_ETWEnabled\=0*)
-index: wazuh-alerts-3.x-*
-name: 41421f44-58f9-455d-838a-c398859841d4_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_etw_trace_evasion.yml b/elastalert_rules/sigma_sysmon_win_etw_trace_evasion.yml
deleted file mode 100644
index c67cf873..00000000
--- a/elastalert_rules/sigma_sysmon_win_etw_trace_evasion.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:*\ cl\ *\/Trace* OR data.win.eventdata.commandLine.keyword:*\ clear\-log\ *\/Trace* OR data.win.eventdata.commandLine.keyword:*\ sl*\ \/e\:false* OR data.win.eventdata.commandLine.keyword:*\ set\-log*\ \/e\:false*))
-index: wazuh-alerts-3.x-*
-name: a238b5d0-ce2d-4414-a676-7a531b3d13d6_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_exfiltration_and_tunneling_tools_execution.yml b/elastalert_rules/sigma_sysmon_win_exfiltration_and_tunneling_tools_execution.yml
deleted file mode 100644
index 42bd97be..00000000
--- a/elastalert_rules/sigma_sysmon_win_exfiltration_and_tunneling_tools_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Execution of well known tools for data exfiltration and tunneling
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\plink.exe OR *\\socat.exe OR *\\stunnel.exe OR *\\httptunnel.exe))
-index: wazuh-alerts-3.x-*
-name: c75309a3-59f8-4a8d-9c2c-4c927ad50555_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_exploit_cve_2015_1641.yml b/elastalert_rules/sigma_sysmon_win_exploit_cve_2015_1641.yml
deleted file mode 100644
index e76fba53..00000000
--- a/elastalert_rules/sigma_sysmon_win_exploit_cve_2015_1641.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\WINWORD.EXE AND process_path.keyword:*\\MicroScMgmt.exe)
-index: wazuh-alerts-3.x-*
-name: 7993792c-5ce2-4475-a3db-a3a5539827ef_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_exploit_cve_2017_0261.yml b/elastalert_rules/sigma_sysmon_win_exploit_cve_2017_0261.yml
deleted file mode 100644
index c5e35cf5..00000000
--- a/elastalert_rules/sigma_sysmon_win_exploit_cve_2017_0261.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\WINWORD.EXE AND process_path.keyword:*\\FLTLDR.exe*)
-index: wazuh-alerts-3.x-*
-name: 864403a1-36c9-40a2-a982-4c9a45f7d833_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_exploit_cve_2017_11882.yml b/elastalert_rules/sigma_sysmon_win_exploit_cve_2017_11882.yml
deleted file mode 100644
index c5695ce5..00000000
--- a/elastalert_rules/sigma_sysmon_win_exploit_cve_2017_11882.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\EQNEDT32.EXE)
-index: wazuh-alerts-3.x-*
-name: 678eb5f4-8597-4be6-8be7-905e4234b53a_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_exploit_cve_2017_8759.yml b/elastalert_rules/sigma_sysmon_win_exploit_cve_2017_8759.yml
deleted file mode 100644
index 781b0a24..00000000
--- a/elastalert_rules/sigma_sysmon_win_exploit_cve_2017_8759.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\WINWORD.EXE AND process_path.keyword:*\\csc.exe)
-index: wazuh-alerts-3.x-*
-name: fdd84c68-a1f6-47c9-9477-920584f94905_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_exploit_cve_2019_1378.yml b/elastalert_rules/sigma_sysmon_win_exploit_cve_2019_1378.yml
deleted file mode 100644
index fadcf48c..00000000
--- a/elastalert_rules/sigma_sysmon_win_exploit_cve_2019_1378.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentCommandLine.keyword:(*\\cmd.exe\ \/c\ C\:\\Windows\\Setup\\Scripts\\SetupComplete.cmd OR *\\cmd.exe\ \/c\ C\:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd) AND (NOT (process_path.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\WinSxS\\* OR C\:\\Windows\\Setup\\*))))
-index: wazuh-alerts-3.x-*
-name: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_exploit_cve_2019_1388.yml b/elastalert_rules/sigma_sysmon_win_exploit_cve_2019_1388.yml
deleted file mode 100644
index eb6bde06..00000000
--- a/elastalert_rules/sigma_sysmon_win_exploit_cve_2019_1388.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\consent.exe AND process_path.keyword:*\\iexplore.exe AND data.win.eventdata.commandLine.keyword:*\ http* AND (IntegrityLevel:"System" OR user_account:"NT\ AUTHORITY\\SYSTEM"))
-index: wazuh-alerts-3.x-*
-name: 02e0b2ea-a597-428e-b04a-af6a1a403e5c_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_exploit_cve_2020_10189.yml b/elastalert_rules/sigma_sysmon_win_exploit_cve_2020_10189.yml
deleted file mode 100644
index ffa14752..00000000
--- a/elastalert_rules/sigma_sysmon_win_exploit_cve_2020_10189.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*DesktopCentral_Server\\jre\\bin\\java.exe AND process_path.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\bitsadmin.exe))
-index: wazuh-alerts-3.x-*
-name: 846b866e-2a57-46ee-8e16-85fa92759be7_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_exploit_cve_2020_1048.yml b/elastalert_rules/sigma_sysmon_win_exploit_cve_2020_1048.yml
deleted file mode 100644
index b81c7188..00000000
--- a/elastalert_rules/sigma_sysmon_win_exploit_cve_2020_1048.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects new commands that add new printer port which point to suspicious file
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*Add\-PrinterPort\ \-Name*) AND data.win.eventdata.commandLine.keyword:(*.exe* OR *.dll* OR *.bat*)) OR data.win.eventdata.commandLine.keyword:(*Generic\ \/\ Text\ Only*)))
-index: wazuh-alerts-3.x-*
-name: cc08d590-8b90-413a-aff6-31d1a99678d7_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_exploit_cve_2020_1350.yml b/elastalert_rules/sigma_sysmon_win_exploit_cve_2020_1350.yml
deleted file mode 100644
index 942fbffc..00000000
--- a/elastalert_rules/sigma_sysmon_win_exploit_cve_2020_1350.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\System32\\dns.exe AND (NOT (process_path.keyword:(*\\System32\\werfault.exe OR *\\System32\\conhost.exe OR *\\System32\\dnscmd.exe))))
-index: wazuh-alerts-3.x-*
-name: b5281f31-f9cc-4d0d-95d0-45b91c45b487_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_file_permission_modifications.yml b/elastalert_rules/sigma_sysmon_win_file_permission_modifications.yml
deleted file mode 100644
index 8db41bd4..00000000
--- a/elastalert_rules/sigma_sysmon_win_file_permission_modifications.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a file or folder permissions modifications
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:(*\\takeown.exe OR *\\cacls.exe OR *\\icacls.exe) AND data.win.eventdata.commandLine.keyword:*\/grant*) OR (process_path.keyword:*\\attrib.exe AND data.win.eventdata.commandLine.keyword:*\-r*)))
-index: wazuh-alerts-3.x-*
-name: 37ae075c-271b-459b-8d7b-55ad5f993dd8_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_grabbing_sensitive_hives_via_reg.yml b/elastalert_rules/sigma_sysmon_win_grabbing_sensitive_hives_via_reg.yml
deleted file mode 100644
index 3bad04f8..00000000
--- a/elastalert_rules/sigma_sysmon_win_grabbing_sensitive_hives_via_reg.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Dump sam, system or security hives using REG.exe utility
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\reg.exe AND data.win.eventdata.commandLine.keyword:(*save* OR *export*) AND data.win.eventdata.commandLine.keyword:(*hklm* OR *hkey_local_machine*) AND data.win.eventdata.commandLine.keyword:(*\\system OR *\\sam OR *\\security))
-index: wazuh-alerts-3.x-*
-name: fd877b94-9bb5-4191-bb25-d79cbd93c167_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_hack_bloodhound.yml b/elastalert_rules/sigma_sysmon_win_hack_bloodhound.yml
deleted file mode 100644
index 68a960f9..00000000
--- a/elastalert_rules/sigma_sysmon_win_hack_bloodhound.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects command line parameters used by Bloodhound and Sharphound hack tools
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:(*\\Bloodhound.exe* OR *\\SharpHound.exe*) OR data.win.eventdata.commandLine.keyword:(*\ \-CollectionMethod\ All\ * OR *.exe\ \-c\ All\ \-d\ * OR *Invoke\-Bloodhound* OR *Get\-BloodHoundData*) OR (data.win.eventdata.commandLine.keyword:*\ \-JsonFolder\ * AND data.win.eventdata.commandLine.keyword:*\ \-ZipFileName\ *) OR (data.win.eventdata.commandLine.keyword:*\ DCOnly\ * AND data.win.eventdata.commandLine.keyword:*\ \-\-NoSaveCache\ *)))
-index: wazuh-alerts-3.x-*
-name: f376c8a7-a2d0-4ddc-aa0c-16c17236d962_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_hack_koadic.yml b/elastalert_rules/sigma_sysmon_win_hack_koadic.yml
deleted file mode 100644
index 96a7d076..00000000
--- a/elastalert_rules/sigma_sysmon_win_hack_koadic.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects command line parameters used by Koadic hack tool
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*cmd.exe*\ \/q\ \/c\ chcp\ *))
-index: wazuh-alerts-3.x-*
-name: 5cddf373-ef00-4112-ad72-960ac29bac34_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_hack_rubeus.yml b/elastalert_rules/sigma_sysmon_win_hack_rubeus.yml
deleted file mode 100644
index c3876f06..00000000
--- a/elastalert_rules/sigma_sysmon_win_hack_rubeus.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects command line parameters used by Rubeus hack tool
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ asreproast\ * OR *\ dump\ \/service\:krbtgt\ * OR *\ kerberoast\ * OR *\ createnetonly\ \/program\:* OR *\ ptt\ \/ticket\:* OR *\ \/impersonateuser\:* OR *\ renew\ \/ticket\:* OR *\ asktgt\ \/user\:* OR *\ harvest\ \/interval\:*))
-index: wazuh-alerts-3.x-*
-name: 7ec2c172-dceb-4c10-92c9-87c1881b7e18_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_hack_secutyxploded.yml b/elastalert_rules/sigma_sysmon_win_hack_secutyxploded.yml
deleted file mode 100644
index 492d0f97..00000000
--- a/elastalert_rules/sigma_sysmon_win_hack_secutyxploded.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of SecurityXploded Tools
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.company:"SecurityXploded" OR process_path.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe))
-index: wazuh-alerts-3.x-*
-name: 7679d464-4f74-45e2-9e01-ac66c5eb041a_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_hh_chm.yml b/elastalert_rules/sigma_sysmon_win_hh_chm.yml
deleted file mode 100644
index 6321d929..00000000
--- a/elastalert_rules/sigma_sysmon_win_hh_chm.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies usage of hh.exe executing recently modified .chm files.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\hh.exe AND data.win.eventdata.commandLine.keyword:*.chm*)
-index: wazuh-alerts-3.x-*
-name: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_hktl_createminidump1.yml b/elastalert_rules/sigma_sysmon_win_hktl_createminidump1.yml
deleted file mode 100644
index b3bfdcb2..00000000
--- a/elastalert_rules/sigma_sysmon_win_hktl_createminidump1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\CreateMiniDump.exe* OR hash_imphash:("4A07F944A83E8A7C2525EFA35DD30E2F" OR "4a07f944a83e8a7c2525efa35dd30e2f")))
-index: wazuh-alerts-3.x-*
-name: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_hktl_createminidump2.yml b/elastalert_rules/sigma_sysmon_win_hktl_createminidump2.yml
deleted file mode 100644
index a8718cde..00000000
--- a/elastalert_rules/sigma_sysmon_win_hktl_createminidump2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"11" AND data.win.eventdata.targetFilename.keyword:*\\lsass.dmp*)
-index: wazuh-alerts-3.x-*
-name: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d-2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_html_help_spawn.yml b/elastalert_rules/sigma_sysmon_win_html_help_spawn.yml
deleted file mode 100644
index 42745430..00000000
--- a/elastalert_rules/sigma_sysmon_win_html_help_spawn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage:"C\:\\Windows\\hh.exe" AND process_path.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\rundll32.exe))
-index: wazuh-alerts-3.x-*
-name: 52cad028-0ff0-4854-8f67-d25dfcbc78b4_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_hwp_exploits.yml b/elastalert_rules/sigma_sysmon_win_hwp_exploits.yml
deleted file mode 100644
index f64abe0b..00000000
--- a/elastalert_rules/sigma_sysmon_win_hwp_exploits.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\Hwp.exe AND process_path.keyword:*\\gbb.exe)
-index: wazuh-alerts-3.x-*
-name: 023394c4-29d5-46ab-92b8-6a534c6f447b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_impacket_lateralization.yml b/elastalert_rules/sigma_sysmon_win_impacket_lateralization.yml
deleted file mode 100644
index 3a1b5155..00000000
--- a/elastalert_rules/sigma_sysmon_win_impacket_lateralization.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.eventdata.parentImage.keyword:(*\\wmiprvse.exe OR *\\mmc.exe OR *\\explorer.exe OR *\\services.exe) AND data.win.eventdata.commandLine.keyword:(*cmd.exe*\ \/Q\ \/c\ *\ \\\\127.0.0.1\\*&1*)) OR (data.win.eventdata.parentCommandLine.keyword:(*svchost.exe\ \-k\ netsvcs OR taskeng.exe*) AND data.win.eventdata.commandLine.keyword:(cmd.exe\ \/C\ *Windows\\Temp\\*&1))))
-index: wazuh-alerts-3.x-*
-name: 10c14723-61c7-4c75-92ca-9af245723ad2_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_indirect_cmd.yml b/elastalert_rules/sigma_sysmon_win_indirect_cmd.yml
deleted file mode 100644
index 695434bf..00000000
--- a/elastalert_rules/sigma_sysmon_win_indirect_cmd.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:(*\\pcalua.exe OR *\\forfiles.exe))
-index: wazuh-alerts-3.x-*
-name: fa47597e-90e9-41cd-ab72-c3b74cfb0d02_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_install_reg_debugger_backdoor.yml b/elastalert_rules/sigma_sysmon_win_install_reg_debugger_backdoor.yml
deleted file mode 100644
index c4356f9f..00000000
--- a/elastalert_rules/sigma_sysmon_win_install_reg_debugger_backdoor.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\\CurrentVersion\\Image\ File\ Execution\ Options\\sethc.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\utilman.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\osk.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\magnify.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\narrator.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\displayswitch.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\atbroker.exe*))
-index: wazuh-alerts-3.x-*
-name: ae215552-081e-44c7-805f-be16f975c8a2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_interactive_at.yml b/elastalert_rules/sigma_sysmon_win_interactive_at.yml
deleted file mode 100644
index 7f312e3a..00000000
--- a/elastalert_rules/sigma_sysmon_win_interactive_at.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect an interactive AT job, which may be used as a form of privilege escalation
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\at.exe AND data.win.eventdata.commandLine.keyword:*interactive*)
-index: wazuh-alerts-3.x-*
-name: 60fc936d-2eb0-4543-8a13-911c750a1dfc_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_invoke_obfuscation_obfuscated_iex_commandline.yml b/elastalert_rules/sigma_sysmon_win_invoke_obfuscation_obfuscated_iex_commandline.yml
deleted file mode 100644
index dae0665b..00000000
--- a/elastalert_rules/sigma_sysmon_win_invoke_obfuscation_obfuscated_iex_commandline.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR data.win.eventdata.commandLine:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR data.win.eventdata.commandLine:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR data.win.eventdata.commandLine:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR data.win.eventdata.commandLine:/\*mdr\*\W\s*\)\.Name/ OR data.win.eventdata.commandLine:/\$VerbosePreference\.ToString\(/ OR data.win.eventdata.commandLine:/\String\]\s*\$VerbosePreference/))
-index: wazuh-alerts-3.x-*
-name: 4bf943c6-5146-4273-98dd-e958fd1e3abf_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/elastalert_rules/sigma_sysmon_win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
deleted file mode 100644
index d3cb4831..00000000
--- a/elastalert_rules/sigma_sysmon_win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ParentIntegrityLevel:"Medium" AND IntegrityLevel:"System" AND user_account:"NT\ AUTHORITY\\SYSTEM")
-index: wazuh-alerts-3.x-*
-name: 8065b1b4-1778-4427-877f-6bf948b26d38_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_lethalhta.yml b/elastalert_rules/sigma_sysmon_win_lethalhta.yml
deleted file mode 100644
index 82dfeec3..00000000
--- a/elastalert_rules/sigma_sysmon_win_lethalhta.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\svchost.exe AND process_path.keyword:*\\mshta.exe)
-index: wazuh-alerts-3.x-*
-name: ed5d72a6-f8f4-479d-ba79-02f6a80d7471_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_local_system_owner_account_discovery.yml b/elastalert_rules/sigma_sysmon_win_local_system_owner_account_discovery.yml
deleted file mode 100644
index 3a29aaf1..00000000
--- a/elastalert_rules/sigma_sysmon_win_local_system_owner_account_discovery.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Local accounts, System Owner/User discovery using operating systems utilities
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (((process_path.keyword:*\\whoami.exe OR (process_path.keyword:*\\wmic.exe AND data.win.eventdata.commandLine.keyword:*useraccount* AND data.win.eventdata.commandLine.keyword:*get*) OR process_path.keyword:(*\\quser.exe OR *\\qwinsta.exe) OR (process_path.keyword:*\\cmdkey.exe AND data.win.eventdata.commandLine.keyword:*\/list*) OR (process_path.keyword:*\\cmd.exe AND data.win.eventdata.commandLine.keyword:*\/c* AND data.win.eventdata.commandLine.keyword:*dir\ * AND data.win.eventdata.commandLine.keyword:*\\Users\\*)) AND (NOT (data.win.eventdata.commandLine.keyword:(*\ rmdir\ *)))) OR ((process_path.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*user*) AND (NOT (data.win.eventdata.commandLine.keyword:(*\/domain* OR *\/add* OR *\/delete* OR *\/active* OR *\/expires* OR *\/passwordreq* OR *\/scriptpath* OR *\/times* OR *\/workstations*))))))
-index: wazuh-alerts-3.x-*
-name: 502b42de-4306-40b4-9596-6f590c81f073_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_lsass_dump.yml b/elastalert_rules/sigma_sysmon_win_lsass_dump.yml
deleted file mode 100644
index 7bbfff92..00000000
--- a/elastalert_rules/sigma_sysmon_win_lsass_dump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (((data.win.eventdata.commandLine.keyword:*lsass* AND data.win.eventdata.commandLine.keyword:*.dmp*) AND (NOT (process_path.keyword:*\\werfault.exe))) OR (process_path.keyword:*\\procdump* AND process_path.keyword:*.exe AND data.win.eventdata.commandLine.keyword:*lsass*)))
-index: wazuh-alerts-3.x-*
-name: ffa6861c-4461-4f59-8a41-578c39f3f23e_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_dridex.yml b/elastalert_rules/sigma_sysmon_win_malware_dridex.yml
deleted file mode 100644
index 40b6e5e4..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_dridex.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects typical Dridex process patterns
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:*\\svchost.exe\ C\:\\Users\\*\\Desktop\\* OR (data.win.eventdata.parentImage.keyword:*\\svchost.exe* AND data.win.eventdata.commandLine.keyword:(*whoami.exe\ \/all OR *net.exe\ view))))
-index: wazuh-alerts-3.x-*
-name: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_dtrack.yml b/elastalert_rules/sigma_sysmon_win_malware_dtrack.yml
deleted file mode 100644
index cbecc29c..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_dtrack.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process parameters as seen in DTRACK infections
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\ echo\ EEEE\ >\ *)
-index: wazuh-alerts-3.x-*
-name: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_emotet.yml b/elastalert_rules/sigma_sysmon_win_malware_emotet.yml
deleted file mode 100644
index 124a0784..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_emotet.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects all Emotet like process executions that are not covered by the more generic rules
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ \-e*\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*))
-index: wazuh-alerts-3.x-*
-name: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_formbook.yml b/elastalert_rules/sigma_sysmon_win_malware_formbook.yml
deleted file mode 100644
index 6f477d2f..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_formbook.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentCommandLine.keyword:(C\:\\Windows\\System32\\*.exe OR C\:\\Windows\\SysWOW64\\*.exe) AND data.win.eventdata.commandLine.keyword:(*\ \/c\ del\ \"C\:\\Users\\*\\AppData\\Local\\Temp\\*.exe OR *\ \/c\ del\ \"C\:\\Users\\*\\Desktop\\*.exe OR *\ \/C\ type\ nul\ >\ \"C\:\\Users\\*\\Desktop\\*.exe))
-index: wazuh-alerts-3.x-*
-name: 032f5fb3-d959-41a5-9263-4173c802dc2b_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_notpetya.yml b/elastalert_rules/sigma_sysmon_win_malware_notpetya.yml
deleted file mode 100644
index e12d04bf..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_notpetya.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:*\\AppData\\Local\\Temp\\*\ \\.\\pipe\\* OR (process_path.keyword:*\\rundll32.exe AND data.win.eventdata.commandLine.keyword:*.dat,#1) OR *\\perfc.dat*))
-index: wazuh-alerts-3.x-*
-name: 79aeeb41-8156-4fac-a0cd-076495ab82a1_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_qbot.yml b/elastalert_rules/sigma_sysmon_win_malware_qbot.yml
deleted file mode 100644
index ac3444d5..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_qbot.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects QBot like process executions
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.eventdata.parentImage.keyword:*\\WinRAR.exe AND process_path.keyword:*\\wscript.exe) OR data.win.eventdata.commandLine.keyword:*\ \/c\ ping.exe\ \-n\ 6\ 127.0.0.1\ &\ type\ *))
-index: wazuh-alerts-3.x-*
-name: 4fcac6eb-0287-4090-8eea-2602e4c20040_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_ryuk.yml b/elastalert_rules/sigma_sysmon_win_malware_ryuk.yml
deleted file mode 100644
index c4795008..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_ryuk.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Ryuk ransomware activity
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*Microsoft\\Windows\\CurrentVersion\\Run* AND data.win.eventdata.commandLine.keyword:*C\:\\users\\Public\\*)
-index: wazuh-alerts-3.x-*
-name: c37510b8-2107-4b78-aa32-72f251e7a844_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_script_dropper.yml b/elastalert_rules/sigma_sysmon_win_malware_script_dropper.yml
deleted file mode 100644
index 3e3568eb..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_script_dropper.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects wscript/cscript executions of scripts located in user directories
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:(*\\wscript.exe OR *\\cscript.exe) AND data.win.eventdata.commandLine.keyword:(*\ C\:\\Users\\*.jse\ * OR *\ C\:\\Users\\*.vbe\ * OR *\ C\:\\Users\\*.js\ * OR *\ C\:\\Users\\*.vba\ * OR *\ C\:\\Users\\*.vbs\ * OR *\ C\:\\ProgramData\\*.jse\ * OR *\ C\:\\ProgramData\\*.vbe\ * OR *\ C\:\\ProgramData\\*.js\ * OR *\ C\:\\ProgramData\\*.vba\ * OR *\ C\:\\ProgramData\\*.vbs\ *)) AND (NOT (data.win.eventdata.parentImage.keyword:*\\winzip*)))
-index: wazuh-alerts-3.x-*
-name: cea72823-df4d-4567-950c-0b579eaf0846_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_trickbot_recon_activity.yml b/elastalert_rules/sigma_sysmon_win_malware_trickbot_recon_activity.yml
deleted file mode 100644
index 313d9f86..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_trickbot_recon_activity.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:(*\\cmd.exe) AND process_path.keyword:(*\\nltest.exe) AND data.win.eventdata.commandLine.keyword:(*\/domain_trusts\ \/all_trusts*))
-index: wazuh-alerts-3.x-*
-name: 410ad193-a728-4107-bc79-4419789fcbf8_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_trickbot_wermgr.yml b/elastalert_rules/sigma_sysmon_win_malware_trickbot_wermgr.yml
deleted file mode 100644
index deeae5c2..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_trickbot_wermgr.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\wermgr.exe) AND data.win.eventdata.parentImage.keyword:(*\\rundll32.exe) AND data.win.eventdata.parentCommandLine.keyword:(*DllRegisterServer*))
-index: wazuh-alerts-3.x-*
-name: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_malware_wannacry.yml b/elastalert_rules/sigma_sysmon_win_malware_wannacry.yml
deleted file mode 100644
index e04048fe..00000000
--- a/elastalert_rules/sigma_sysmon_win_malware_wannacry.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects WannaCry ransomware activity
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:(*\\tasksche.exe OR *\\mssecsvc.exe OR *\\taskdl.exe OR *\\@WanaDecryptor@* OR *\\WanaDecryptor* OR *\\taskhsvc.exe OR *\\taskse.exe OR *\\111.exe OR *\\lhdfrgui.exe OR *\\diskpart.exe OR *\\linuxnew.exe OR *\\wannacry.exe) OR data.win.eventdata.commandLine.keyword:(*icacls\ *\ \/grant\ Everyone\:F\ \/T\ \/C\ \/Q* OR *bcdedit\ \/set\ \{default\}\ recoveryenabled\ no* OR *wbadmin\ delete\ catalog\ \-quiet* OR *@Please_Read_Me@.txt*)))
-index: wazuh-alerts-3.x-*
-name: 41d40bff-377a-43e2-8e1b-2e543069e079_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_mavinject_proc_inj.yml b/elastalert_rules/sigma_sysmon_win_mavinject_proc_inj.yml
deleted file mode 100644
index 1fd5971f..00000000
--- a/elastalert_rules/sigma_sysmon_win_mavinject_proc_inj.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process injection using the signed Windows tool Mavinject32.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\ \/INJECTRUNNING\ *)
-index: wazuh-alerts-3.x-*
-name: 17eb8e57-9983-420d-ad8a-2c4976c22eb8_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/elastalert_rules/sigma_sysmon_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
deleted file mode 100644
index fea42aa1..00000000
--- a/elastalert_rules/sigma_sysmon_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.parentImage.keyword:*\\services.exe AND ((data.win.eventdata.commandLine.keyword:*cmd* AND data.win.eventdata.commandLine.keyword:*\/c* AND data.win.eventdata.commandLine.keyword:*echo* AND data.win.eventdata.commandLine.keyword:*\\pipe\\*) OR (data.win.eventdata.commandLine.keyword:*%COMSPEC%* AND data.win.eventdata.commandLine.keyword:*\/c* AND data.win.eventdata.commandLine.keyword:*echo* AND data.win.eventdata.commandLine.keyword:*\\pipe\\*) OR (data.win.eventdata.commandLine.keyword:*rundll32* AND data.win.eventdata.commandLine.keyword:*.dll,a* AND data.win.eventdata.commandLine.keyword:*\/p\:*))) AND (NOT (data.win.eventdata.commandLine.keyword:*MpCmdRun*)))
-index: wazuh-alerts-3.x-*
-name: 15619216-e993-4721-b590-4c520615a67d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_mimikatz_command_line.yml b/elastalert_rules/sigma_sysmon_win_mimikatz_command_line.yml
deleted file mode 100644
index 82952b5c..00000000
--- a/elastalert_rules/sigma_sysmon_win_mimikatz_command_line.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detection well-known mimikatz command line arguments
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:(*DumpCreds* OR *invoke\-mimikatz*) OR (data.win.eventdata.commandLine.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND data.win.eventdata.commandLine.keyword:(*\:\:*))))
-index: wazuh-alerts-3.x-*
-name: a642964e-bead-4bed-8910-1bb4d63e3b4d_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_mmc_spawn_shell.yml b/elastalert_rules/sigma_sysmon_win_mmc_spawn_shell.yml
deleted file mode 100644
index 9eab2511..00000000
--- a/elastalert_rules/sigma_sysmon_win_mmc_spawn_shell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a Windows command line executable started from MMC
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\mmc.exe AND process_path.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\reg.exe OR *\\regsvr32.exe OR *\\BITSADMIN*))
-index: wazuh-alerts-3.x-*
-name: 05a2ab7e-ce11-4b63-86db-ab32e763e11d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_mouse_lock.yml b/elastalert_rules/sigma_sysmon_win_mouse_lock.yml
deleted file mode 100644
index 925c8ad0..00000000
--- a/elastalert_rules/sigma_sysmon_win_mouse_lock.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.product.keyword:*Mouse\ Lock* OR data.win.eventdata.company.keyword:*Misc314* OR data.win.eventdata.commandLine.keyword:*Mouse\ Lock_*)
-index: wazuh-alerts-3.x-*
-name: c9192ad9-75e5-43eb-8647-82a0a5b493e3_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_mshta_javascript.yml b/elastalert_rules/sigma_sysmon_win_mshta_javascript.yml
deleted file mode 100644
index abfbe3ee..00000000
--- a/elastalert_rules/sigma_sysmon_win_mshta_javascript.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies suspicious mshta.exe commands
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\mshta.exe AND data.win.eventdata.commandLine.keyword:*javascript*)
-index: wazuh-alerts-3.x-*
-name: 67f113fa-e23d-4271-befa-30113b3e08b1_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_mshta_spawn_shell.yml b/elastalert_rules/sigma_sysmon_win_mshta_spawn_shell.yml
deleted file mode 100644
index 7f98dc0f..00000000
--- a/elastalert_rules/sigma_sysmon_win_mshta_spawn_shell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a Windows command line executable started from MSHTA
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\mshta.exe AND process_path.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\reg.exe OR *\\regsvr32.exe OR *\\BITSADMIN*))
-index: wazuh-alerts-3.x-*
-name: 03cc0c25-389f-4bf8-b48d-11878079f1ca_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_multiple_suspicious_cli.yml b/elastalert_rules/sigma_sysmon_win_multiple_suspicious_cli.yml
deleted file mode 100644
index 346eb450..00000000
--- a/elastalert_rules/sigma_sysmon_win_multiple_suspicious_cli.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- minutes: 5
-description: Detects multiple suspicious process in a limited timeframe
-doc_type: doc
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine:("arp.exe" OR "at.exe" OR "attrib.exe" OR "cscript.exe" OR "dsquery.exe" OR "hostname.exe" OR "ipconfig.exe" OR "mimikatz.exe" OR "nbtstat.exe" OR "net.exe" OR "netsh.exe" OR "nslookup.exe" OR "ping.exe" OR "quser.exe" OR "qwinsta.exe" OR "reg.exe" OR "runas.exe" OR "sc.exe" OR "schtasks.exe" OR "ssh.exe" OR "systeminfo.exe" OR "taskkill.exe" OR "telnet.exe" OR "tracert.exe" OR "wscript.exe" OR "xcopy.exe" OR "pscp.exe" OR "copy.exe" OR "robocopy.exe" OR "certutil.exe" OR "vssadmin.exe" OR "powershell.exe" OR "wevtutil.exe" OR "psexec.exe" OR "bcedit.exe" OR "wbadmin.exe" OR "icacls.exe" OR "diskpart.exe"))
-index: wazuh-alerts-3.x-*
-max_threshold: 5
-metric_agg_key: _id
-metric_agg_type: cardinality
-name: 61ab5496-748e-4818-a92f-de78e20fe7f1_0
-priority: 4
-query_key: host_name.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_sysmon_win_net_enum.yml b/elastalert_rules/sigma_sysmon_win_net_enum.yml
deleted file mode 100644
index 1b06cb7e..00000000
--- a/elastalert_rules/sigma_sysmon_win_net_enum.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*view*) AND (NOT (data.win.eventdata.commandLine.keyword:*\\\\*)))
-index: wazuh-alerts-3.x-*
-name: 62510e69-616b-4078-b371-847da438cc03_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_net_user_add.yml b/elastalert_rules/sigma_sysmon_win_net_user_add.yml
deleted file mode 100644
index 09b67d30..00000000
--- a/elastalert_rules/sigma_sysmon_win_net_user_add.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies creation of local users via the net.exe command
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*user* AND data.win.eventdata.commandLine.keyword:*add*)
-index: wazuh-alerts-3.x-*
-name: cd219ff3-fa99-45d4-8380-a7d15116c6dc_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_netsh_allow_port_rdp.yml b/elastalert_rules/sigma_sysmon_win_netsh_allow_port_rdp.yml
deleted file mode 100644
index b04f9546..00000000
--- a/elastalert_rules/sigma_sysmon_win_netsh_allow_port_rdp.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*netsh* AND ((data.win.eventdata.commandLine.keyword:*firewall\ add\ portopening* AND data.win.eventdata.commandLine.keyword:*tcp\ 3389*) OR (data.win.eventdata.commandLine.keyword:*advfirewall\ firewall\ add\ rule* AND data.win.eventdata.commandLine.keyword:*action\=allow* AND data.win.eventdata.commandLine.keyword:*protocol\=TCP* AND data.win.eventdata.commandLine.keyword:*localport\=3389*)))
-index: wazuh-alerts-3.x-*
-name: 01aeb693-138d-49d2-9403-c4f52d7d3d62_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_netsh_fw_add.yml b/elastalert_rules/sigma_sysmon_win_netsh_fw_add.yml
deleted file mode 100644
index bf1b7b7b..00000000
--- a/elastalert_rules/sigma_sysmon_win_netsh_fw_add.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Allow Incoming Connections by Port or Application on Windows Firewall
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*netsh*) AND data.win.eventdata.commandLine.keyword:(*firewall\ add*))
-index: wazuh-alerts-3.x-*
-name: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_netsh_fw_add_susp_image.yml b/elastalert_rules/sigma_sysmon_win_netsh_fw_add_susp_image.yml
deleted file mode 100644
index 669f929f..00000000
--- a/elastalert_rules/sigma_sysmon_win_netsh_fw_add_susp_image.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Netsh commands that allows a suspcious application location on Windows Firewall
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*netsh* AND (data.win.eventdata.commandLine.keyword:*firewall\ add\ allowedprogram* OR (data.win.eventdata.commandLine.keyword:*advfirewall\ firewall\ add\ rule* AND data.win.eventdata.commandLine.keyword:*action\=allow* AND data.win.eventdata.commandLine.keyword:*program\=*)) AND data.win.eventdata.commandLine.keyword:(*%TEMP%* OR *\:\\RECYCLER\\* OR *C\:\\$Recycle.bin\\* OR *\:\\SystemVolumeInformation\\* OR *C\:\\Windows\\Tasks\\* OR *C\:\\Windows\\debug\\* OR *C\:\\Windows\\fonts\\* OR *C\:\\Windows\\help\\* OR *C\:\\Windows\\drivers\\* OR *C\:\\Windows\\addins\\* OR *C\:\\Windows\\cursors\\* OR *C\:\\Windows\\system32\\tasks\\* OR *C\:\\Windows\\Temp\\* OR *C\:\\Temp\\* OR *C\:\\Users\\Public\\* OR *%Public%\\* OR *C\:\\Users\\Default\\* OR *C\:\\Users\\Desktop\\* OR *\\Downloads\\* OR *\\Temporary\ Internet\ Files\\Content.Outlook\\* OR *\\Local\ Settings\\Temporary\ Internet\ Files\\*))
-index: wazuh-alerts-3.x-*
-name: a35f5a72-f347-4e36-8895-9869b0d5fc6d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_netsh_packet_capture.yml b/elastalert_rules/sigma_sysmon_win_netsh_packet_capture.yml
deleted file mode 100644
index 4a3fd730..00000000
--- a/elastalert_rules/sigma_sysmon_win_netsh_packet_capture.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects capture a network trace via netsh.exe trace functionality
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*netsh* AND data.win.eventdata.commandLine.keyword:*trace* AND data.win.eventdata.commandLine.keyword:*start*)
-index: wazuh-alerts-3.x-*
-name: d3c3861d-c504-4c77-ba55-224ba82d0118_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_netsh_port_fwd.yml b/elastalert_rules/sigma_sysmon_win_netsh_port_fwd.yml
deleted file mode 100644
index 7c0aea6e..00000000
--- a/elastalert_rules/sigma_sysmon_win_netsh_port_fwd.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects netsh commands that configure a port forwarding
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(netsh\ interface\ portproxy\ add\ v4tov4\ *))
-index: wazuh-alerts-3.x-*
-name: 322ed9ec-fcab-4f67-9a34-e7c6aef43614_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_netsh_port_fwd_3389.yml b/elastalert_rules/sigma_sysmon_win_netsh_port_fwd_3389.yml
deleted file mode 100644
index e344e9de..00000000
--- a/elastalert_rules/sigma_sysmon_win_netsh_port_fwd_3389.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(netsh\ i*\ p*\=3389\ c*))
-index: wazuh-alerts-3.x-*
-name: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_netsh_wifi_credential_harvesting.yml b/elastalert_rules/sigma_sysmon_win_netsh_wifi_credential_harvesting.yml
deleted file mode 100644
index 7b7559cc..00000000
--- a/elastalert_rules/sigma_sysmon_win_netsh_wifi_credential_harvesting.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect the harvesting of wifi credentials using netsh.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(netsh\ wlan\ s*\ p*\ k*\=clear))
-index: wazuh-alerts-3.x-*
-name: 42b1a5b8-353f-4f10-b256-39de4467faff_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_network_sniffing.yml b/elastalert_rules/sigma_sysmon_win_network_sniffing.yml
deleted file mode 100644
index 4f795ef0..00000000
--- a/elastalert_rules/sigma_sysmon_win_network_sniffing.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:*\\tshark.exe AND data.win.eventdata.commandLine.keyword:*\-i*) OR process_path.keyword:*\\windump.exe))
-index: wazuh-alerts-3.x-*
-name: ba1f7802-adc7-48b4-9ecb-81e227fddfd5_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_new_service_creation.yml b/elastalert_rules/sigma_sysmon_win_new_service_creation.yml
deleted file mode 100644
index f94e9467..00000000
--- a/elastalert_rules/sigma_sysmon_win_new_service_creation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects creation of a new service
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:*\\sc.exe AND data.win.eventdata.commandLine.keyword:*create* AND data.win.eventdata.commandLine.keyword:*binpath*) OR (process_path.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:*new\-service*)))
-index: wazuh-alerts-3.x-*
-name: 7fe71fc9-de3b-432a-8d57-8c809efc10ab_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_non_interactive_powershell.yml b/elastalert_rules/sigma_sysmon_win_non_interactive_powershell.yml
deleted file mode 100644
index 74d7fae1..00000000
--- a/elastalert_rules/sigma_sysmon_win_non_interactive_powershell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\powershell.exe AND (NOT (data.win.eventdata.parentImage.keyword:*\\explorer.exe)))
-index: wazuh-alerts-3.x-*
-name: f4bbd493-b796-416e-bbf2-121235348529_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_office_shell.yml b/elastalert_rules/sigma_sysmon_win_office_shell.yml
deleted file mode 100644
index 8019187c..00000000
--- a/elastalert_rules/sigma_sysmon_win_office_shell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:(*\\WINWORD.EXE OR *\\EXCEL.EXE OR *\\POWERPNT.exe OR *\\MSPUB.exe OR *\\VISIO.exe OR *\\OUTLOOK.EXE) AND process_path.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\scrcons.exe OR *\\schtasks.exe OR *\\regsvr32.exe OR *\\hh.exe OR *\\wmic.exe OR *\\mshta.exe OR *\\rundll32.exe OR *\\msiexec.exe OR *\\forfiles.exe OR *\\scriptrunner.exe OR *\\mftrace.exe OR *\\AppVLP.exe OR *\\svchost.exe))
-index: wazuh-alerts-3.x-*
-name: 438025f9-5856-4663-83f7-52f878a70a50_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_office_spawn_exe_from_users_directory.yml b/elastalert_rules/sigma_sysmon_win_office_spawn_exe_from_users_directory.yml
deleted file mode 100644
index 4ecbe300..00000000
--- a/elastalert_rules/sigma_sysmon_win_office_spawn_exe_from_users_directory.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:(*\\WINWORD.EXE OR *\\EXCEL.EXE OR *\\POWERPNT.exe OR *\\MSPUB.exe OR *\\VISIO.exe OR *\\OUTLOOK.EXE) AND process_path.keyword:(C\:\\users\\*.exe))
-index: wazuh-alerts-3.x-*
-name: aa3a6f94-890e-4e22-b634-ffdfd54792cc_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_plugx_susp_exe_locations.yml b/elastalert_rules/sigma_sysmon_win_plugx_susp_exe_locations.yml
deleted file mode 100644
index 159b79cd..00000000
--- a/elastalert_rules/sigma_sysmon_win_plugx_susp_exe_locations.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((((((((((((process_path.keyword:*\\CamMute.exe AND (NOT (process_path.keyword:*\\Lenovo\\Communication\ Utility\\*))) OR (process_path.keyword:*\\chrome_frame_helper.exe AND (NOT (process_path.keyword:*\\Google\\Chrome\\application\\*)))) OR (process_path.keyword:*\\dvcemumanager.exe AND (NOT (process_path.keyword:*\\Microsoft\ Device\ Emulator\\*)))) OR (process_path.keyword:*\\Gadget.exe AND (NOT (process_path.keyword:*\\Windows\ Media\ Player\\*)))) OR (process_path.keyword:*\\hcc.exe AND (NOT (process_path.keyword:*\\HTML\ Help\ Workshop\\*)))) OR (process_path.keyword:*\\hkcmd.exe AND (NOT (process_path.keyword:(*\\System32\\* OR *\\SysNative\\* OR *\\SysWowo64\\*))))) OR (process_path.keyword:*\\Mc.exe AND (NOT (process_path.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit*))))) OR (process_path.keyword:*\\MsMpEng.exe AND (NOT (process_path.keyword:(*\\Microsoft\ Security\ Client\\* OR *\\Windows\ Defender\\* OR *\\AntiMalware\\*))))) OR (process_path.keyword:*\\msseces.exe AND (NOT (process_path.keyword:(*\\Microsoft\ Security\ Center\\* OR *\\Microsoft\ Security\ Client\\* OR *\\Microsoft\ Security\ Essentials\\*))))) OR (process_path.keyword:*\\OInfoP11.exe AND (NOT (process_path.keyword:*\\Common\ Files\\Microsoft\ Shared\\*)))) OR (process_path.keyword:*\\OleView.exe AND (NOT (process_path.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit* OR *\\Windows\ Resource\ Kit\\*))))) OR (process_path.keyword:*\\rc.exe AND (NOT (process_path.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit* OR *\\Windows\ Resource\ Kit\\* OR *\\Microsoft.NET\\*))))))
-index: wazuh-alerts-3.x-*
-name: aeab5ec5-be14-471a-80e8-e344418305c2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_possible_applocker_bypass.yml b/elastalert_rules/sigma_sysmon_win_possible_applocker_bypass.yml
deleted file mode 100644
index 0f5c7c30..00000000
--- a/elastalert_rules/sigma_sysmon_win_possible_applocker_bypass.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects execution of executables that can be used to bypass Applocker whitelisting
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\\msdt.exe* OR *\\installutil.exe* OR *\\regsvcs.exe* OR *\\regasm.exe* OR *\\msbuild.exe* OR *\\ieexec.exe*))
-index: wazuh-alerts-3.x-*
-name: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_possible_privilege_escalation_using_rotten_potato.yml b/elastalert_rules/sigma_sysmon_win_possible_privilege_escalation_using_rotten_potato.yml
deleted file mode 100644
index c33776dc..00000000
--- a/elastalert_rules/sigma_sysmon_win_possible_privilege_escalation_using_rotten_potato.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (ParentUser:("NT\ AUTHORITY\\NETWORK\ SERVICE" OR "NT\ AUTHORITY\\LOCAL\ SERVICE") AND user_account:"NT\ AUTHORITY\\SYSTEM") AND (NOT (process_path.keyword:*\\rundll32.exe AND data.win.eventdata.commandLine.keyword:*DavSetCookie*)))
-index: wazuh-alerts-3.x-*
-name: 6c5808ee-85a2-4e56-8137-72e5876a5096_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powershell_amsi_bypass.yml b/elastalert_rules/sigma_sysmon_win_powershell_amsi_bypass.yml
deleted file mode 100644
index 050524c6..00000000
--- a/elastalert_rules/sigma_sysmon_win_powershell_amsi_bypass.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*System.Management.Automation.AmsiUtils*) AND data.win.eventdata.commandLine.keyword:(*amsiInitFailed*))
-index: wazuh-alerts-3.x-*
-name: 30edb182-aa75-42c0-b0a9-e998bb29067c_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powershell_audio_capture.yml b/elastalert_rules/sigma_sysmon_win_powershell_audio_capture.yml
deleted file mode 100644
index 92e12184..00000000
--- a/elastalert_rules/sigma_sysmon_win_powershell_audio_capture.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects audio capture via PowerShell Cmdlet
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*WindowsAudioDevice\-Powershell\-Cmdlet*)
-index: wazuh-alerts-3.x-*
-name: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powershell_b64_shellcode.yml b/elastalert_rules/sigma_sysmon_win_powershell_b64_shellcode.yml
deleted file mode 100644
index bd8f1963..00000000
--- a/elastalert_rules/sigma_sysmon_win_powershell_b64_shellcode.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Base64 encoded Shellcode
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*AAAAYInlM* AND data.win.eventdata.commandLine.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
-index: wazuh-alerts-3.x-*
-name: 2d117e49-e626-4c7c-bd1f-c3c0147774c8_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powershell_bitsjob.yml b/elastalert_rules/sigma_sysmon_win_powershell_bitsjob.yml
deleted file mode 100644
index 5021b86c..00000000
--- a/elastalert_rules/sigma_sysmon_win_powershell_bitsjob.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect download by BITS jobs via PowerShell
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:*Start\-BitsTransfer*)
-index: wazuh-alerts-3.x-*
-name: f67dbfce-93bc-440d-86ad-a95ae8858c90_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powershell_dll_execution.yml b/elastalert_rules/sigma_sysmon_win_powershell_dll_execution.yml
deleted file mode 100644
index 4b589d7a..00000000
--- a/elastalert_rules/sigma_sysmon_win_powershell_dll_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:(*\\rundll32.exe) OR data.win.eventdata.description.keyword:(*Windows\-Hostprozess\ \(Rundll32\)*)) AND data.win.eventdata.commandLine.keyword:(*Default.GetString* OR *FromBase64String*))
-index: wazuh-alerts-3.x-*
-name: 6812a10b-60ea-420c-832f-dfcc33b646ba_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powershell_downgrade_attack.yml b/elastalert_rules/sigma_sysmon_win_powershell_downgrade_attack.yml
deleted file mode 100644
index fcc67276..00000000
--- a/elastalert_rules/sigma_sysmon_win_powershell_downgrade_attack.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ \-version\ 2\ * OR *\ \-versio\ 2\ * OR *\ \-versi\ 2\ * OR *\ \-vers\ 2\ * OR *\ \-ver\ 2\ * OR *\ \-ve\ 2\ *) AND process_path.keyword:*\\powershell.exe)
-index: wazuh-alerts-3.x-*
-name: b3512211-c67e-4707-bedc-66efc7848863_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powershell_download.yml b/elastalert_rules/sigma_sysmon_win_powershell_download.yml
deleted file mode 100644
index 83728a1a..00000000
--- a/elastalert_rules/sigma_sysmon_win_powershell_download.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a Powershell process that contains download commands in its command line string
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:(*new\-object\ system.net.webclient\).downloadstring\(* OR *new\-object\ system.net.webclient\).downloadfile\(* OR *new\-object\ net.webclient\).downloadstring\(* OR *new\-object\ net.webclient\).downloadfile\(*))
-index: wazuh-alerts-3.x-*
-name: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powershell_frombase64string.yml b/elastalert_rules/sigma_sysmon_win_powershell_frombase64string.yml
deleted file mode 100644
index dec676ae..00000000
--- a/elastalert_rules/sigma_sysmon_win_powershell_frombase64string.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious FromBase64String expressions in command line arguments
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\:\:FromBase64String\(*)
-index: wazuh-alerts-3.x-*
-name: e32d4572-9826-4738-b651-95fa63747e8a_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powershell_suspicious_parameter_variation.yml b/elastalert_rules/sigma_sysmon_win_powershell_suspicious_parameter_variation.yml
deleted file mode 100644
index 57d59fdc..00000000
--- a/elastalert_rules/sigma_sysmon_win_powershell_suspicious_parameter_variation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious PowerShell invocation with a parameter substring
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\Powershell.exe) AND data.win.eventdata.commandLine.keyword:(*\ \-windowstyle\ h\ * OR *\ \-windowstyl\ h* OR *\ \-windowsty\ h* OR *\ \-windowst\ h* OR *\ \-windows\ h* OR *\ \-windo\ h* OR *\ \-wind\ h* OR *\ \-win\ h* OR *\ \-wi\ h* OR *\ \-win\ h\ * OR *\ \-win\ hi\ * OR *\ \-win\ hid\ * OR *\ \-win\ hidd\ * OR *\ \-win\ hidde\ * OR *\ \-NoPr\ * OR *\ \-NoPro\ * OR *\ \-NoProf\ * OR *\ \-NoProfi\ * OR *\ \-NoProfil\ * OR *\ \-nonin\ * OR *\ \-nonint\ * OR *\ \-noninte\ * OR *\ \-noninter\ * OR *\ \-nonintera\ * OR *\ \-noninterac\ * OR *\ \-noninteract\ * OR *\ \-noninteracti\ * OR *\ \-noninteractiv\ * OR *\ \-ec\ * OR *\ \-encodedComman\ * OR *\ \-encodedComma\ * OR *\ \-encodedComm\ * OR *\ \-encodedCom\ * OR *\ \-encodedCo\ * OR *\ \-encodedC\ * OR *\ \-encoded\ * OR *\ \-encode\ * OR *\ \-encod\ * OR *\ \-enco\ * OR *\ \-en\ *))
-index: wazuh-alerts-3.x-*
-name: 36210e0d-5b19-485d-a087-c096088885f0_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powershell_xor_commandline.yml b/elastalert_rules/sigma_sysmon_win_powershell_xor_commandline.yml
deleted file mode 100644
index 27b05e4f..00000000
--- a/elastalert_rules/sigma_sysmon_win_powershell_xor_commandline.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.description:"Windows\ PowerShell" OR data.win.eventdata.product:"PowerShell\ Core\ 6") AND data.win.eventdata.commandLine.keyword:(*bxor* OR *join* OR *char*))
-index: wazuh-alerts-3.x-*
-name: bb780e0c-16cf-4383-8383-1e5471db6cf9_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_powersploit_empire_schtasks.yml b/elastalert_rules/sigma_sysmon_win_powersploit_empire_schtasks.yml
deleted file mode 100644
index 21c41740..00000000
--- a/elastalert_rules/sigma_sysmon_win_powersploit_empire_schtasks.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:(*\\powershell.exe) AND data.win.eventdata.commandLine.keyword:(*schtasks*\/Create*\/SC\ *ONLOGON*\/TN\ *Updater*\/TR\ *powershell* OR *schtasks*\/Create*\/SC\ *DAILY*\/TN\ *Updater*\/TR\ *powershell* OR *schtasks*\/Create*\/SC\ *ONIDLE*\/TN\ *Updater*\/TR\ *powershell* OR *schtasks*\/Create*\/SC\ *Updater*\/TN\ *Updater*\/TR\ *powershell*))
-index: wazuh-alerts-3.x-*
-name: 56c217c3-2de2-479b-990f-5c109ba8458f_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_proc_wrong_parent.yml b/elastalert_rules/sigma_sysmon_win_proc_wrong_parent.yml
deleted file mode 100644
index 6317d1a0..00000000
--- a/elastalert_rules/sigma_sysmon_win_proc_wrong_parent.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect suspicious parent processes of well-known Windows processes
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:(*\\svchost.exe OR *\\taskhost.exe OR *\\lsm.exe OR *\\lsass.exe OR *\\services.exe OR *\\lsaiso.exe OR *\\csrss.exe OR *\\wininit.exe OR *\\winlogon.exe) AND (NOT (data.win.eventdata.parentImage.keyword:(*\\System32\\* OR *\\SysWOW64\\* OR *\\SavService.exe OR *\\Windows\ Defender\\*\\MsMpEng.exe)))) AND (NOT (NOT _exists_:data.win.eventdata.parentImage)))
-index: wazuh-alerts-3.x-*
-name: 96036718-71cc-4027-a538-d1587e0006a7_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_process_creation_bitsadmin_download.yml b/elastalert_rules/sigma_sysmon_win_process_creation_bitsadmin_download.yml
deleted file mode 100644
index a5412a2c..00000000
--- a/elastalert_rules/sigma_sysmon_win_process_creation_bitsadmin_download.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects usage of bitsadmin downloading a file
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:(*\\bitsadmin.exe) AND data.win.eventdata.commandLine.keyword:(*\ \/transfer\ *)) OR data.win.eventdata.commandLine.keyword:(*copy\ bitsadmin.exe*)))
-index: wazuh-alerts-3.x-*
-name: d059842b-6b9d-4ed1-b5c3-5b89143c6ede_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_process_dump_rundll32_comsvcs.yml b/elastalert_rules/sigma_sysmon_win_process_dump_rundll32_comsvcs.yml
deleted file mode 100644
index 9f928b58..00000000
--- a/elastalert_rules/sigma_sysmon_win_process_dump_rundll32_comsvcs.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*))
-index: wazuh-alerts-3.x-*
-name: 646ea171-dded-4578-8a4d-65e9822892e3_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_psexesvc_start.yml b/elastalert_rules/sigma_sysmon_win_psexesvc_start.yml
deleted file mode 100644
index efc7558b..00000000
--- a/elastalert_rules/sigma_sysmon_win_psexesvc_start.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a PsExec service start
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine:"C\:\\Windows\\PSEXESVC.exe")
-index: wazuh-alerts-3.x-*
-name: 3ede524d-21cc-472d-a3ce-d21b568d8db7_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_query_registry.yml b/elastalert_rules/sigma_sysmon_win_query_registry.yml
deleted file mode 100644
index e299e88b..00000000
--- a/elastalert_rules/sigma_sysmon_win_query_registry.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\reg.exe AND data.win.eventdata.commandLine.keyword:(*query* OR *save* OR *export*) AND data.win.eventdata.commandLine.keyword:(*currentVersion\\windows* OR *currentVersion\\runServicesOnce* OR *currentVersion\\runServices* OR *winlogon\\* OR *currentVersion\\shellServiceObjectDelayLoad* OR *currentVersion\\runOnce* OR *currentVersion\\runOnceEx* OR *currentVersion\\run* OR *currentVersion\\policies\\explorer\\run* OR *currentcontrolset\\services*))
-index: wazuh-alerts-3.x-*
-name: 970007b7-ce32-49d0-a4a4-fbef016950bd_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_rdp_hijack_shadowing.yml b/elastalert_rules/sigma_sysmon_win_rdp_hijack_shadowing.yml
deleted file mode 100644
index d42ac4b0..00000000
--- a/elastalert_rules/sigma_sysmon_win_rdp_hijack_shadowing.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects RDP session hijacking by using MSTSC shadowing
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*noconsentprompt* AND data.win.eventdata.commandLine.keyword:*shadow\:*)
-index: wazuh-alerts-3.x-*
-name: 6ba5a05f-b095-4f0a-8654-b825f4f16334_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_redmimicry_winnti_proc.yml b/elastalert_rules/sigma_sysmon_win_redmimicry_winnti_proc.yml
deleted file mode 100644
index a7b92a74..00000000
--- a/elastalert_rules/sigma_sysmon_win_redmimicry_winnti_proc.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects actions caused by the RedMimicry Winnti playbook
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*rundll32.exe* OR *cmd.exe*) AND data.win.eventdata.commandLine.keyword:(*gthread\-3.6.dll* OR *\\Windows\\Temp\\tmp.bat* OR *sigcmm\-2.4.dll*))
-index: wazuh-alerts-3.x-*
-name: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_reg_persistence.yml b/elastalert_rules/sigma_sysmon_win_reg_persistence.yml
deleted file mode 100644
index 413492c3..00000000
--- a/elastalert_rules/sigma_sysmon_win_reg_persistence.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects persistence registry keys
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.targetObject.keyword:(*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\*\\GlobalFlag OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\SilentProcessExit\\*\\ReportingMode OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess) AND data.win.eventdata.eventType:"SetValue")
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_win_reg_persistence
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_remote_powershell_session_process.yml b/elastalert_rules/sigma_sysmon_win_remote_powershell_session_process.yml
deleted file mode 100644
index aaadee35..00000000
--- a/elastalert_rules/sigma_sysmon_win_remote_powershell_session_process.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\wsmprovhost.exe OR data.win.eventdata.parentImage.keyword:*\\wsmprovhost.exe))
-index: wazuh-alerts-3.x-*
-name: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_remote_time_discovery.yml b/elastalert_rules/sigma_sysmon_win_remote_time_discovery.yml
deleted file mode 100644
index f328ce2d..00000000
--- a/elastalert_rules/sigma_sysmon_win_remote_time_discovery.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*time*) OR (process_path.keyword:*\\w32tm.exe AND data.win.eventdata.commandLine.keyword:*tz*) OR (process_path.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:*Get\-Date*)))
-index: wazuh-alerts-3.x-*
-name: b243b280-65fe-48df-ba07-6ddea7646427_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_renamed_binary.yml b/elastalert_rules/sigma_sysmon_win_renamed_binary.yml
deleted file mode 100644
index 2fafeb75..00000000
--- a/elastalert_rules/sigma_sysmon_win_renamed_binary.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.originalFileName:("cmd.exe" OR "powershell.exe" OR "powershell_ise.exe" OR "psexec.exe" OR "psexec.c" OR "cscript.exe" OR "wscript.exe" OR "mshta.exe" OR "regsvr32.exe" OR "wmic.exe" OR "certutil.exe" OR "rundll32.exe" OR "cmstp.exe" OR "msiexec.exe" OR "7z.exe" OR "winrar.exe" OR "wevtutil.exe" OR "net.exe" OR "net1.exe" OR "netsh.exe") AND (NOT (process_path.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\powershell_ise.exe OR *\\psexec.exe OR *\\psexec64.exe OR *\\cscript.exe OR *\\wscript.exe OR *\\mshta.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\certutil.exe OR *\\rundll32.exe OR *\\cmstp.exe OR *\\msiexec.exe OR *\\7z.exe OR *\\winrar.exe OR *\\wevtutil.exe OR *\\net.exe OR *\\net1.exe OR *\\netsh.exe))))
-index: wazuh-alerts-3.x-*
-name: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_renamed_binary_highly_relevant.yml b/elastalert_rules/sigma_sysmon_win_renamed_binary_highly_relevant.yml
deleted file mode 100644
index 13031a61..00000000
--- a/elastalert_rules/sigma_sysmon_win_renamed_binary_highly_relevant.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.originalFileName:("powershell.exe" OR "powershell_ise.exe" OR "psexec.exe" OR "psexec.c" OR "cscript.exe" OR "wscript.exe" OR "mshta.exe" OR "regsvr32.exe" OR "wmic.exe" OR "certutil.exe" OR "rundll32.exe" OR "cmstp.exe" OR "msiexec.exe") AND (NOT (process_path.keyword:(*\\powershell.exe OR *\\powershell_ise.exe OR *\\psexec.exe OR *\\psexec64.exe OR *\\cscript.exe OR *\\wscript.exe OR *\\mshta.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\certutil.exe OR *\\rundll32.exe OR *\\cmstp.exe OR *\\msiexec.exe))))
-index: wazuh-alerts-3.x-*
-name: 0ba1da6d-b6ce-4366-828c-18826c9de23e_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_renamed_jusched.yml b/elastalert_rules/sigma_sysmon_win_renamed_jusched.yml
deleted file mode 100644
index e0e58774..00000000
--- a/elastalert_rules/sigma_sysmon_win_renamed_jusched.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects renamed jusched.exe used by cobalt group
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.system.eventID:"4688" AND (data.win.eventdata.description:"Java\ Update\ Scheduler" OR data.win.eventdata.description:"Java\(TM\)\ Update\ Scheduler")) AND (NOT (process_path.keyword:(*\\jusched.exe))))
-index: wazuh-alerts-3.x-*
-name: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_renamed_paexec.yml b/elastalert_rules/sigma_sysmon_win_renamed_paexec.yml
deleted file mode 100644
index 01a92877..00000000
--- a/elastalert_rules/sigma_sysmon_win_renamed_paexec.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects execution of renamed paexec via imphash and executable product string
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.system.eventID:"4688" AND data.win.eventdata.product.keyword:(*PAExec*) AND hash_imphash:("11d40a7b7876288f919ab819cc2d9802" OR "11D40A7B7876288F919AB819CC2D9802" OR "6444f8a34e99b8f7d9647de66aabe516" OR "6444F8A34E99B8F7D9647DE66AABE516" OR "dfd6aa3f7b2b1035b76b718f1ddc689f" OR "DFD6AA3F7B2B1035B76B718F1DDC689F" OR "1a6cca4d5460b1710a12dea39e4a592c" OR "1A6CCA4D5460B1710A12DEA39E4A592C")) AND (NOT (process_path.keyword:*paexec*)))
-index: wazuh-alerts-3.x-*
-name: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_renamed_powershell.yml b/elastalert_rules/sigma_sysmon_win_renamed_powershell.yml
deleted file mode 100644
index ef6f5c18..00000000
--- a/elastalert_rules/sigma_sysmon_win_renamed_powershell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a renamed PowerShell often used by attackers or malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.description:"Windows\ PowerShell" AND data.win.eventdata.company:"Microsoft\ Corporation") AND (NOT (process_path.keyword:(*\\powershell.exe OR *\\powershell_ise.exe))))
-index: wazuh-alerts-3.x-*
-name: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_renamed_procdump.yml b/elastalert_rules/sigma_sysmon_win_renamed_procdump.yml
deleted file mode 100644
index 1b9f8c9b..00000000
--- a/elastalert_rules/sigma_sysmon_win_renamed_procdump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.originalFileName:"procdump" AND (NOT (process_path.keyword:(*\\procdump.exe OR *\\procdump64.exe))))
-index: wazuh-alerts-3.x-*
-name: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_renamed_psexec.yml b/elastalert_rules/sigma_sysmon_win_renamed_psexec.yml
deleted file mode 100644
index b84e1095..00000000
--- a/elastalert_rules/sigma_sysmon_win_renamed_psexec.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a renamed PsExec often used by attackers or malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.description:"Execute\ processes\ remotely" AND data.win.eventdata.product:"Sysinternals\ PsExec") AND (NOT (process_path.keyword:(*\\PsExec.exe OR *\\PsExec64.exe))))
-index: wazuh-alerts-3.x-*
-name: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_run_powershell_script_from_ads.yml b/elastalert_rules/sigma_sysmon_win_run_powershell_script_from_ads.yml
deleted file mode 100644
index 5e113cca..00000000
--- a/elastalert_rules/sigma_sysmon_win_run_powershell_script_from_ads.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PowerShell script execution from Alternate Data Stream (ADS)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\powershell.exe AND process_path.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:*Get\-Content* AND data.win.eventdata.commandLine.keyword:*\-Stream*)
-index: wazuh-alerts-3.x-*
-name: 45a594aa-1fbd-4972-a809-ff5a99dd81b8_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_sdbinst_shim_persistence.yml b/elastalert_rules/sigma_sysmon_win_sdbinst_shim_persistence.yml
deleted file mode 100644
index dd6e1685..00000000
--- a/elastalert_rules/sigma_sysmon_win_sdbinst_shim_persistence.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\sdbinst.exe) AND data.win.eventdata.commandLine.keyword:(*.sdb*))
-index: wazuh-alerts-3.x-*
-name: 517490a7-115a-48c6-8862-1a481504d5a8_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_service_execution.yml b/elastalert_rules/sigma_sysmon_win_service_execution.yml
deleted file mode 100644
index 25ead320..00000000
--- a/elastalert_rules/sigma_sysmon_win_service_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects manual service execution (start) via system utilities
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*\ start\ *)
-index: wazuh-alerts-3.x-*
-name: 2a072a96-a086-49fa-bcb5-15cc5a619093_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_service_stop.yml b/elastalert_rules/sigma_sysmon_win_service_stop.yml
deleted file mode 100644
index 94a43ba8..00000000
--- a/elastalert_rules/sigma_sysmon_win_service_stop.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a windows service to be stopped
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\sc.exe OR *\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*stop*)
-index: wazuh-alerts-3.x-*
-name: eb87818d-db5d-49cc-a987-d5da331fbd90_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_shadow_copies_access_symlink.yml b/elastalert_rules/sigma_sysmon_win_shadow_copies_access_symlink.yml
deleted file mode 100644
index 28da85f1..00000000
--- a/elastalert_rules/sigma_sysmon_win_shadow_copies_access_symlink.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Shadow Copies storage symbolic link creation using operating systems utilities
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*mklink* AND data.win.eventdata.commandLine.keyword:*HarddiskVolumeShadowCopy*)
-index: wazuh-alerts-3.x-*
-name: 40b19fa6-d835-400c-b301-41f3a2baacaf_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_shadow_copies_creation.yml b/elastalert_rules/sigma_sysmon_win_shadow_copies_creation.yml
deleted file mode 100644
index 35c8c870..00000000
--- a/elastalert_rules/sigma_sysmon_win_shadow_copies_creation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Shadow Copies creation using operating systems utilities, possible credential access
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\powershell.exe OR *\\wmic.exe OR *\\vssadmin.exe) AND data.win.eventdata.commandLine.keyword:*shadow* AND data.win.eventdata.commandLine.keyword:*create*)
-index: wazuh-alerts-3.x-*
-name: b17ea6f7-6e90-447e-a799-e6c0a493d6ce_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_shadow_copies_deletion.yml b/elastalert_rules/sigma_sysmon_win_shadow_copies_deletion.yml
deleted file mode 100644
index 9506d2d2..00000000
--- a/elastalert_rules/sigma_sysmon_win_shadow_copies_deletion.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Shadow Copies deletion using operating systems utilities
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\powershell.exe OR *\\wmic.exe OR *\\vssadmin.exe) AND data.win.eventdata.commandLine.keyword:*shadow* AND data.win.eventdata.commandLine.keyword:*delete*)
-index: wazuh-alerts-3.x-*
-name: c947b146-0abc-4c87-9c64-b17e9d7274a2_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_shell_spawn_susp_program.yml b/elastalert_rules/sigma_sysmon_win_shell_spawn_susp_program.yml
deleted file mode 100644
index 785f96c8..00000000
--- a/elastalert_rules/sigma_sysmon_win_shell_spawn_susp_program.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious child process of a Windows shell
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.parentImage.keyword:(*\\mshta.exe OR *\\powershell.exe OR *\\rundll32.exe OR *\\cscript.exe OR *\\wscript.exe OR *\\wmiprvse.exe) AND process_path.keyword:(*\\schtasks.exe OR *\\nslookup.exe OR *\\certutil.exe OR *\\bitsadmin.exe OR *\\mshta.exe)) AND (NOT (data.win.eventdata.currentDirectory.keyword:*\\ccmcache\\*)))
-index: wazuh-alerts-3.x-*
-name: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_silenttrinity_stage_use1.yml b/elastalert_rules/sigma_sysmon_win_silenttrinity_stage_use1.yml
deleted file mode 100644
index ae1fdf34..00000000
--- a/elastalert_rules/sigma_sysmon_win_silenttrinity_stage_use1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects SILENTTRINITY stager use
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.description.keyword:*st2stager*)
-index: wazuh-alerts-3.x-*
-name: 03552375-cc2c-4883-bbe4-7958d5a980be_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_silenttrinity_stage_use2.yml b/elastalert_rules/sigma_sysmon_win_silenttrinity_stage_use2.yml
deleted file mode 100644
index 0cf02473..00000000
--- a/elastalert_rules/sigma_sysmon_win_silenttrinity_stage_use2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects SILENTTRINITY stager use
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7" AND data.win.eventdata.description.keyword:*st2stager*)
-index: wazuh-alerts-3.x-*
-name: 03552375-cc2c-4883-bbe4-7958d5a980be-2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_soundrec_audio_capture.yml b/elastalert_rules/sigma_sysmon_win_soundrec_audio_capture.yml
deleted file mode 100644
index 59c592c2..00000000
--- a/elastalert_rules/sigma_sysmon_win_soundrec_audio_capture.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect attacker collecting audio via SoundRecorder application
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\SoundRecorder.exe AND data.win.eventdata.commandLine.keyword:*\/FILE*)
-index: wazuh-alerts-3.x-*
-name: 83865853-59aa-449e-9600-74b9d89a6d6e_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_spn_enum.yml b/elastalert_rules/sigma_sysmon_win_spn_enum.yml
deleted file mode 100644
index 0f4f0b5f..00000000
--- a/elastalert_rules/sigma_sysmon_win_spn_enum.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Service Principal Name Enumeration used for Kerberoasting
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\setspn.exe OR data.win.eventdata.description.keyword:*Query\ or\ reset\ the\ computer*\ SPN\ attribute*) AND data.win.eventdata.commandLine.keyword:*\-q*)
-index: wazuh-alerts-3.x-*
-name: 1eeed653-dbc8-4187-ad0c-eeebb20e6599_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_adfind.yml b/elastalert_rules/sigma_sysmon_win_susp_adfind.yml
deleted file mode 100644
index d899690a..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_adfind.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a AdFind for Active Directory enumeration
-filter:
-- query:
- query_string:
- query: (ProcessCommandline.keyword:*objectcategory* AND process_path.keyword:(*\\adfind.exe))
-index: wazuh-alerts-3.x-*
-name: 75df3b17-8bcc-4565-b89b-c9898acef911_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_bcdedit.yml b/elastalert_rules/sigma_sysmon_win_susp_bcdedit.yml
deleted file mode 100644
index f9ce19b6..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_bcdedit.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\bcdedit.exe AND data.win.eventdata.commandLine.keyword:(*delete* OR *deletevalue* OR *import*))
-index: wazuh-alerts-3.x-*
-name: c9fbe8e9-119d-40a6-9b59-dd58a5d84429_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_bginfo.yml b/elastalert_rules/sigma_sysmon_win_susp_bginfo.yml
deleted file mode 100644
index 726703d2..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_bginfo.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Execute VBscript code that is referenced within the *.bgi file.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\bginfo.exe AND data.win.eventdata.commandLine.keyword:*\/popup* AND data.win.eventdata.commandLine.keyword:*\/nolicprompt*)
-index: wazuh-alerts-3.x-*
-name: aaf46cdc-934e-4284-b329-34aa701e3771_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_calc.yml b/elastalert_rules/sigma_sysmon_win_susp_calc.yml
deleted file mode 100644
index d7a55007..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_calc.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:*\\calc.exe\ * OR (data.win.system.eventID:"4688" AND process_path.keyword:*\\calc.exe AND (NOT (process_path.keyword:*\\Windows\\Sys*)))))
-index: wazuh-alerts-3.x-*
-name: 737e618a-a410-49b5-bec3-9e55ff7fbc15_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_cdb.yml b/elastalert_rules/sigma_sysmon_win_susp_cdb.yml
deleted file mode 100644
index 259d54bf..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_cdb.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Launch 64-bit shellcode from a debugger script file using cdb.exe.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\cdb.exe AND data.win.eventdata.commandLine.keyword:*\-cf*)
-index: wazuh-alerts-3.x-*
-name: b5c7395f-e501-4a08-94d4-57fe7a9da9d2_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_certutil_command.yml b/elastalert_rules/sigma_sysmon_win_susp_certutil_command.yml
deleted file mode 100644
index 86be0ded..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_certutil_command.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ \-decode\ * OR *\ \/decode\ * OR *\ \-decodehex\ * OR *\ \/decodehex\ * OR *\ \-urlcache\ * OR *\ \/urlcache\ * OR *\ \-verifyctl\ * OR *\ \/verifyctl\ * OR *\ \-encode\ * OR *\ \/encode\ * OR *certutil*\ \-URL* OR *certutil*\ \/URL* OR *certutil*\ \-ping* OR *certutil*\ \/ping*))
-index: wazuh-alerts-3.x-*
-name: e011a729-98a6-4139-b5c4-bf6f6dd8239a_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_certutil_encode.yml b/elastalert_rules/sigma_sysmon_win_susp_certutil_encode.yml
deleted file mode 100644
index 9e8d2115..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_certutil_encode.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(certutil\ \-f\ \-encode\ * OR certutil.exe\ \-f\ \-encode\ * OR certutil\ \-encode\ \-f\ * OR certutil.exe\ \-encode\ \-f\ *))
-index: wazuh-alerts-3.x-*
-name: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_cli_escape.yml b/elastalert_rules/sigma_sysmon_win_susp_cli_escape.yml
deleted file mode 100644
index 09308f9e..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_cli_escape.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious process that use escape characters
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*h\^t\^t\^p* OR *h\"t\"t\"p*))
-index: wazuh-alerts-3.x-*
-name: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_cmd_http_appdata.yml b/elastalert_rules/sigma_sysmon_win_susp_cmd_http_appdata.yml
deleted file mode 100644
index bb905f66..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_cmd_http_appdata.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(cmd.exe\ \/c\ *http\:\/\/*%AppData% OR cmd.exe\ \/c\ *https\:\/\/*%AppData%))
-index: wazuh-alerts-3.x-*
-name: 1ac8666b-046f-4201-8aba-1951aaec03a3_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_codepage_switch.yml b/elastalert_rules/sigma_sysmon_win_susp_codepage_switch.yml
deleted file mode 100644
index c92b5bb0..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_codepage_switch.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a code page switch in command line or batch scripts to a rare language
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(chcp*\ 936 OR chcp*\ 1258))
-index: wazuh-alerts-3.x-*
-name: c7942406-33dd-4377-a564-0f62db0593a3_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_commands_recon_activity.yml b/elastalert_rules/sigma_sysmon_win_susp_commands_recon_activity.yml
deleted file mode 100644
index 3c367913..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_commands_recon_activity.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- seconds: 15
-description: Detects a set of commands often used in recon stages by different attack groups
-doc_type: doc
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(tasklist OR net\ time OR systeminfo OR whoami OR nbtstat OR net\ start OR *\\net1\ start OR qprocess OR nslookup OR hostname.exe OR *\\net1\ user\ \/domain OR *\\net1\ group\ \/domain OR *\\net1\ group\ \"domain\ admins\"\ \/domain OR *\\net1\ group\ \"Exchange\ Trusted\ Subsystem\"\ \/domain OR *\\net1\ accounts\ \/domain OR *\\net1\ user\ net\ localgroup\ administrators OR netstat\ \-an))
-index: wazuh-alerts-3.x-*
-max_threshold: 4
-metric_agg_key: _id
-metric_agg_type: cardinality
-name: 2887e914-ce96-435f-8105-593937e90757_0
-priority: 3
-query_key: data.win.eventdata.commandLine.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_sysmon_win_susp_compression_params.yml b/elastalert_rules/sigma_sysmon_win_susp_compression_params.yml
deleted file mode 100644
index dd40d790..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_compression_params.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious command line arguments of common data compression tools
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.originalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND data.win.eventdata.commandLine.keyword:(*\ \-p* OR *\ \-ta* OR *\ \-tb* OR *\ \-sdel* OR *\ \-dw* OR *\ \-hp*)) AND (NOT (data.win.eventdata.parentImage.keyword:C\:\\Program*)))
-index: wazuh-alerts-3.x-*
-name: 27a72a60-7e5e-47b1-9d17-909c9abafdcd_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_comsvcs_procdump.yml b/elastalert_rules/sigma_sysmon_win_susp_comsvcs_procdump.yml
deleted file mode 100644
index 770be50c..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_comsvcs_procdump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process memory dump via comsvcs.dll and rundll32
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\rundll32.exe OR data.win.eventdata.originalFileName:"RUNDLL32.EXE") AND data.win.eventdata.commandLine.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))
-index: wazuh-alerts-3.x-*
-name: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_control_dll_load.yml b/elastalert_rules/sigma_sysmon_win_susp_control_dll_load.yml
deleted file mode 100644
index b53271b3..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_control_dll_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.parentImage.keyword:*\\System32\\control.exe AND data.win.eventdata.commandLine.keyword:*\\rundll32.exe\ *) AND (NOT (data.win.eventdata.commandLine.keyword:*Shell32.dll*)))
-index: wazuh-alerts-3.x-*
-name: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_copy_lateral_movement.yml b/elastalert_rules/sigma_sysmon_win_susp_copy_lateral_movement.yml
deleted file mode 100644
index cb617881..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_copy_lateral_movement.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*copy\ *\\c$* OR *copy\ *\\ADMIN$*))
-index: wazuh-alerts-3.x-*
-name: 855bc8b5-2ae8-402e-a9ed-b889e6df1900_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_copy_system32.yml b/elastalert_rules/sigma_sysmon_win_susp_copy_system32.yml
deleted file mode 100644
index ada1fbca..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_copy_system32.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ \/c\ copy\ *\\System32\\* OR *xcopy*\\System32\\*))
-index: wazuh-alerts-3.x-*
-name: fff9d2b7-e11c-4a69-93d3-40ef66189767_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_covenant.yml b/elastalert_rules/sigma_sysmon_win_susp_covenant.yml
deleted file mode 100644
index 3857f092..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_covenant.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious command lines used in Covenant luanchers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ \-Sta\ \-Nop\ \-Window\ Hidden\ \-Command\ * OR *\ \-Sta\ \-Nop\ \-Window\ Hidden\ \-EncodedCommand\ * OR *sv\ o\ \(New\-Object\ IO.MemorySteam\);sv\ d\ * OR *mshta\ file.hta* OR *GruntHTTP* OR *\-EncodedCommand\ cwB2ACAAbwAgA*))
-index: wazuh-alerts-3.x-*
-name: c260b6db-48ba-4b4a-a76f-2f67644e99d2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_crackmapexec_execution.yml b/elastalert_rules/sigma_sysmon_win_susp_crackmapexec_execution.yml
deleted file mode 100644
index d51ed43d..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_crackmapexec_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect various execution methods of the CrackMapExec pentesting framework
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*cmd.exe\ \/Q\ \/c\ *\ 1>\ \\\\*\\*\\*\ 2>&1 OR *cmd.exe\ \/C\ *\ >\ \\\\*\\*\\*\ 2>&1 OR *cmd.exe\ \/C\ *\ >\ *\\Temp\\*\ 2>&1 OR *powershell.exe\ \-exec\ bypass\ \-noni\ \-nop\ \-w\ 1\ \-C\ \"* OR *powershell.exe\ \-noni\ \-nop\ \-w\ 1\ \-enc\ *))
-index: wazuh-alerts-3.x-*
-name: 058f4380-962d-40a5-afce-50207d36d7e2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_crackmapexec_powershell_obfuscation.yml b/elastalert_rules/sigma_sysmon_win_susp_crackmapexec_powershell_obfuscation.yml
deleted file mode 100644
index a454c982..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_crackmapexec_powershell_obfuscation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*powershell.exe* AND data.win.eventdata.commandLine.keyword:(*join*split* OR *\(\ $ShellId\[1\]\+$ShellId\[13\]\+'x'\)* OR *\(\ $PSHome\[*\]\+$PSHOME\[*\]\+* OR *\(\ $env\:Public\[13\]\+$env\:Public\[5\]\+'x'\)* OR *\(\ $env\:ComSpec\[4,*,25\]\-Join''\)* OR *\[1,3\]\+'x'\-Join''\)*))
-index: wazuh-alerts-3.x-*
-name: 6f8b3439-a203-45dc-a88b-abf57ea15ccf_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_csc.yml b/elastalert_rules/sigma_sysmon_win_susp_csc.yml
deleted file mode 100644
index d48fff87..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_csc.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\csc.exe* AND data.win.eventdata.parentImage.keyword:(*\\wscript.exe OR *\\cscript.exe OR *\\mshta.exe))
-index: wazuh-alerts-3.x-*
-name: b730a276-6b63-41b8-bcf8-55930c8fc6ee_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_csc_folder.yml b/elastalert_rules/sigma_sysmon_win_susp_csc_folder.yml
deleted file mode 100644
index acceda2d..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_csc_folder.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\csc.exe AND data.win.eventdata.commandLine.keyword:(*\\AppData\\* OR *\\Windows\\Temp\\*)) AND (NOT (data.win.eventdata.parentImage.keyword:(C\:\\Program\ Files* OR *\\sdiagnhost.exe OR *\\w3wp.exe))))
-index: wazuh-alerts-3.x-*
-name: dcaa3f04-70c3-427a-80b4-b870d73c94c4_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_curl_download.yml b/elastalert_rules/sigma_sysmon_win_susp_curl_download.yml
deleted file mode 100644
index 9537baeb..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_curl_download.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\curl.exe OR data.win.eventdata.product:"The\ curl\ executable") AND data.win.eventdata.commandLine.keyword:*\ \-O\ *)
-index: wazuh-alerts-3.x-*
-name: e218595b-bbe7-4ee5-8a96-f32a24ad3468_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_curl_fileupload.yml b/elastalert_rules/sigma_sysmon_win_susp_curl_fileupload.yml
deleted file mode 100644
index 091424e1..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_curl_fileupload.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious curl process start the adds a file to a web request
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\curl.exe AND data.win.eventdata.commandLine.keyword:*\ \-F\ *)
-index: wazuh-alerts-3.x-*
-name: 00bca14a-df4e-4649-9054-3f2aa676bc04_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_curl_start_combo.yml b/elastalert_rules/sigma_sysmon_win_susp_curl_start_combo.yml
deleted file mode 100644
index b3741263..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_curl_start_combo.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*curl*\ start\ *)
-index: wazuh-alerts-3.x-*
-name: 21dd6d38-2b18-4453-9404-a0fe4a0cc288_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_dctask64_proc_inject.yml b/elastalert_rules/sigma_sysmon_win_susp_dctask64_proc_inject.yml
deleted file mode 100644
index 76e3be5e..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_dctask64_proc_inject.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious process injection using ZOHO's dctask64.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\dctask64.exe) AND (NOT (data.win.eventdata.commandLine.keyword:(*DesktopCentral_Agent\\agent*))))
-index: wazuh-alerts-3.x-*
-name: 6345b048-8441-43a7-9bed-541133633d7a_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_desktopimgdownldr.yml b/elastalert_rules/sigma_sysmon_win_susp_desktopimgdownldr.yml
deleted file mode 100644
index 1da73144..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_desktopimgdownldr.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\ \/lockscreenurl\:* AND (NOT (data.win.eventdata.commandLine.keyword:(*.jpg* OR *.jpeg* OR *.png*)))) OR (data.win.eventdata.commandLine.keyword:*reg\ delete* AND data.win.eventdata.commandLine.keyword:*\\PersonalizationCSP*)))
-index: wazuh-alerts-3.x-*
-name: bb58aa4a-b80b-415a-a2c0-2f65a4c81009_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_devtoolslauncher.yml b/elastalert_rules/sigma_sysmon_win_susp_devtoolslauncher.yml
deleted file mode 100644
index 792e4a5d..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_devtoolslauncher.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: The Devtoolslauncher.exe executes other binary
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\devtoolslauncher.exe AND data.win.eventdata.commandLine.keyword:*LaunchForDeploy*)
-index: wazuh-alerts-3.x-*
-name: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_direct_asep_reg_keys_modification.yml b/elastalert_rules/sigma_sysmon_win_susp_direct_asep_reg_keys_modification.yml
deleted file mode 100644
index 9ee7e11a..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_direct_asep_reg_keys_modification.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\reg.exe AND data.win.eventdata.commandLine.keyword:*add* AND data.win.eventdata.commandLine.keyword:(*\\software\\Microsoft\\Windows\\CurrentVersion\\Run* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Userinit* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Shell* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User\ Shell\ Folders* OR *\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell*))
-index: wazuh-alerts-3.x-*
-name: 24357373-078f-44ed-9ac4-6d334a668a11_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_disable_ie_features.yml b/elastalert_rules/sigma_sysmon_win_susp_disable_ie_features.yml
deleted file mode 100644
index 438e57e8..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_disable_ie_features.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.eventdata.commandLine.keyword:*\ \-name\ IEHarden\ * AND data.win.eventdata.commandLine.keyword:*\ \-value\ 0\ *) OR (data.win.eventdata.commandLine.keyword:*\ \-name\ DEPOff\ * AND data.win.eventdata.commandLine.keyword:*\ \-value\ 1\ *) OR (data.win.eventdata.commandLine.keyword:*\ \-name\ DisableFirstRunCustomize\ * AND data.win.eventdata.commandLine.keyword:*\ \-value\ 2\ *)))
-index: wazuh-alerts-3.x-*
-name: fb50eb7a-5ab1-43ae-bcc9-091818cb8424_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_ditsnap.yml b/elastalert_rules/sigma_sysmon_win_susp_ditsnap.yml
deleted file mode 100644
index a2c379ac..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_ditsnap.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:(*\\ditsnap.exe) OR data.win.eventdata.commandLine.keyword:(*ditsnap.exe*)))
-index: wazuh-alerts-3.x-*
-name: d3b70aad-097e-409c-9df2-450f80dc476b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_dnx.yml b/elastalert_rules/sigma_sysmon_win_susp_dnx.yml
deleted file mode 100644
index 238de752..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_dnx.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Execute C# code located in the consoleapp folder
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\dnx.exe)
-index: wazuh-alerts-3.x-*
-name: 81ebd28b-9607-4478-bf06-974ed9d53ed7_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_double_extension.yml b/elastalert_rules/sigma_sysmon_win_susp_double_extension.yml
deleted file mode 100644
index 3acc2576..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_double_extension.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\ \ \ \ \ \ .exe OR *______.exe))
-index: wazuh-alerts-3.x-*
-name: 1cdd9a09-06c9-4769-99ff-626e2b3991b8_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_dxcap.yml b/elastalert_rules/sigma_sysmon_win_susp_dxcap.yml
deleted file mode 100644
index 1f7ec831..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_dxcap.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects execution of of Dxcap.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\dxcap.exe AND data.win.eventdata.commandLine.keyword:*\-c* AND data.win.eventdata.commandLine.keyword:*.exe*)
-index: wazuh-alerts-3.x-*
-name: 60f16a96-db70-42eb-8f76-16763e333590_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_eventlog_clear.yml b/elastalert_rules/sigma_sysmon_win_susp_eventlog_clear.yml
deleted file mode 100644
index 69227ed7..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_eventlog_clear.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (((process_path.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:(*Clear\-EventLog* OR *Remove\-EventLog* OR *Limit\-EventLog*)) OR (process_path.keyword:*\\wmic.exe AND data.win.eventdata.commandLine.keyword:*\ ClearEventLog\ *)) OR (data.win.system.eventID:"4688" AND process_path.keyword:*\\wevtutil.exe AND data.win.eventdata.commandLine.keyword:(*clear\-log* OR *\ cl\ * OR *set\-log* OR *\ sl\ *))))
-index: wazuh-alerts-3.x-*
-name: cc36992a-4671-4f21-a91d-6c2b72a2edf5_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_exec_folder.yml b/elastalert_rules/sigma_sysmon_win_susp_exec_folder.yml
deleted file mode 100644
index 1288bd13..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_exec_folder.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process starts of binaries from a suspicious folder
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(C\:\\PerfLogs\\* OR C\:\\$Recycle.bin\\* OR C\:\\Intel\\Logs\\* OR C\:\\Users\\Default\\* OR C\:\\Users\\Public\\* OR C\:\\Users\\NetworkService\\* OR C\:\\Windows\\Fonts\\* OR C\:\\Windows\\Debug\\* OR C\:\\Windows\\Media\\* OR C\:\\Windows\\Help\\* OR C\:\\Windows\\addins\\* OR C\:\\Windows\\repair\\* OR C\:\\Windows\\security\\* OR *\\RSA\\MachineKeys\\* OR C\:\\Windows\\system32\\config\\systemprofile\\* OR C\:\\Windows\\Tasks\\* OR C\:\\Windows\\System32\\Tasks\\*))
-index: wazuh-alerts-3.x-*
-name: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_execution_path.yml b/elastalert_rules/sigma_sysmon_win_susp_execution_path.yml
deleted file mode 100644
index c76102c8..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_execution_path.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious exection from an uncommon folder
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\$Recycle.bin OR *\\Users\\All\ Users\\* OR *\\Users\\Default\\* OR *\\Users\\Public\\* OR C\:\\Perflogs\\* OR *\\config\\systemprofile\\* OR *\\Windows\\Fonts\\* OR *\\Windows\\IME\\* OR *\\Windows\\addins\\*))
-index: wazuh-alerts-3.x-*
-name: 3dfd06d2-eaf4-4532-9555-68aca59f57c4_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_execution_path_webserver.yml b/elastalert_rules/sigma_sysmon_win_susp_execution_path_webserver.yml
deleted file mode 100644
index 0c58d6b6..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_execution_path_webserver.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious program execution in a web service root folder (filter out false positives)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\wwwroot\\* OR *\\wmpub\\* OR *\\htdocs\\*) AND (NOT (process_path.keyword:(*bin\\* OR *\\Tools\\* OR *\\SMSComponent\\*) AND data.win.eventdata.parentImage.keyword:(*\\services.exe))))
-index: wazuh-alerts-3.x-*
-name: 35efb964-e6a5-47ad-bbcd-19661854018d_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_explorer_break_proctree.yml b/elastalert_rules/sigma_sysmon_win_susp_explorer_break_proctree.yml
deleted file mode 100644
index 5039439a..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_explorer_break_proctree.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*explorer.exe* AND data.win.eventdata.commandLine.keyword:*\ \/root,*)
-index: wazuh-alerts-3.x-*
-name: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_file_characteristics.yml b/elastalert_rules/sigma_sysmon_win_susp_file_characteristics.yml
deleted file mode 100644
index 08f0d798..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_file_characteristics.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.description:"\?" AND (data.win.eventdata.fileVersion:"\?" OR data.win.eventdata.product:"\?" OR data.win.eventdata.company:"\?") AND process_path.keyword:*\\Downloads\\*)
-index: wazuh-alerts-3.x-*
-name: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_findstr_lnk.yml b/elastalert_rules/sigma_sysmon_win_susp_findstr_lnk.yml
deleted file mode 100644
index 88e2c5f7..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_findstr_lnk.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\findstr.exe AND data.win.eventdata.commandLine.keyword:*.lnk)
-index: wazuh-alerts-3.x-*
-name: 33339be3-148b-4e16-af56-ad16ec6c7e7b_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_firewall_disable.yml b/elastalert_rules/sigma_sysmon_win_susp_firewall_disable.yml
deleted file mode 100644
index c2631f6a..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_firewall_disable.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects netsh commands that turns off the Windows firewall
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(netsh\ firewall\ set\ opmode\ mode\=disable OR netsh\ advfirewall\ set\ *\ state\ off))
-index: wazuh-alerts-3.x-*
-name: 57c4bf16-227f-4394-8ec7-1b745ee061c3_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_fsutil_usage.yml b/elastalert_rules/sigma_sysmon_win_susp_fsutil_usage.yml
deleted file mode 100644
index 7b5d37ea..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_fsutil_usage.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\fsutil.exe OR data.win.eventdata.originalFileName:"fsutil.exe") AND data.win.eventdata.commandLine.keyword:(*deletejournal* OR *createjournal*))
-index: wazuh-alerts-3.x-*
-name: add64136-62e5-48ea-807e-88638d02df1e_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_gup.yml b/elastalert_rules/sigma_sysmon_win_susp_gup.yml
deleted file mode 100644
index f7f5850c..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_gup.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\GUP.exe AND (NOT (process_path.keyword:(*\:\\Users\\*\\AppData\\Local\\Notepad\+\+\\updater\\GUP.exe OR *\:\\Users\\*\\AppData\\Roaming\\Notepad\+\+\\updater\\GUP.exe OR *\:\\Program\ Files\\Notepad\+\+\\updater\\GUP.exe OR *\:\\Program\ Files\ \(x86\)\\Notepad\+\+\\updater\\GUP.exe))))
-index: wazuh-alerts-3.x-*
-name: 0a4f6091-223b-41f6-8743-f322ec84930b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_iss_module_install.yml b/elastalert_rules/sigma_sysmon_win_susp_iss_module_install.yml
deleted file mode 100644
index fe858058..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_iss_module_install.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious IIS native-code module installations via command line
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\\APPCMD.EXE\ install\ module\ \/name\:*))
-index: wazuh-alerts-3.x-*
-name: 9465ddf4-f9e4-4ebd-8d98-702df3a93239_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_mpcmdrun_download.yml b/elastalert_rules/sigma_sysmon_win_susp_mpcmdrun_download.yml
deleted file mode 100644
index aaa739f6..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_mpcmdrun_download.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect the use of Windows Defender to download payloads
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:*MpCmdRun.exe* OR data.win.eventdata.description:"Microsoft\ Malware\ Protection\ Command\ Line\ Utility") AND (data.win.eventdata.commandLine.keyword:*DownloadFile* AND data.win.eventdata.commandLine.keyword:*url*))
-index: wazuh-alerts-3.x-*
-name: 46123129-1024-423e-9fae-43af4a0fa9a5_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_msiexec_cwd.yml b/elastalert_rules/sigma_sysmon_win_susp_msiexec_cwd.yml
deleted file mode 100644
index feefc60a..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_msiexec_cwd.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious msiexec process starts in an uncommon directory
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\msiexec.exe AND (NOT (process_path.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\WinSxS\\*))))
-index: wazuh-alerts-3.x-*
-name: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_msiexec_web_install.yml b/elastalert_rules/sigma_sysmon_win_susp_msiexec_web_install.yml
deleted file mode 100644
index cb56e855..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_msiexec_web_install.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious msiexec process starts with web addreses as parameter
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ msiexec*\:\/\/*))
-index: wazuh-alerts-3.x-*
-name: f7b5f842-a6af-4da5-9e95-e32478f3cd2f_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_msoffice.yml b/elastalert_rules/sigma_sysmon_win_susp_msoffice.yml
deleted file mode 100644
index 6efc22be..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_msoffice.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Downloads payload from remote server
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\powerpnt.exe OR *\\winword.exe OR *\\excel.exe) AND data.win.eventdata.commandLine.keyword:*http*)
-index: wazuh-alerts-3.x-*
-name: 0c79148b-118e-472b-bdb7-9b57b444cc19_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_net_execution.yml b/elastalert_rules/sigma_sysmon_win_susp_net_execution.yml
deleted file mode 100644
index 369da907..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_net_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects execution of Net.exe, whether suspicious or benign.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:(*\ group* OR *\ localgroup* OR *\ user* OR *\ view* OR *\ share OR *\ accounts* OR *\ use* OR *\ stop\ *))
-index: wazuh-alerts-3.x-*
-name: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_netsh_dll_persistence.yml b/elastalert_rules/sigma_sysmon_win_susp_netsh_dll_persistence.yml
deleted file mode 100644
index 07ae67ae..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_netsh_dll_persistence.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects persitence via netsh helper
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\netsh.exe AND data.win.eventdata.commandLine.keyword:*add* AND data.win.eventdata.commandLine.keyword:*helper*)
-index: wazuh-alerts-3.x-*
-name: 56321594-9087-49d9-bf10-524fe8479452_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_ntdsutil.yml b/elastalert_rules/sigma_sysmon_win_susp_ntdsutil.yml
deleted file mode 100644
index b1954526..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_ntdsutil.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\\ntdsutil*)
-index: wazuh-alerts-3.x-*
-name: 2afafd61-6aae-4df4-baed-139fa1f4c345_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_odbcconf.yml b/elastalert_rules/sigma_sysmon_win_susp_odbcconf.yml
deleted file mode 100644
index 48288f51..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_odbcconf.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:*\\odbcconf.exe AND data.win.eventdata.commandLine.keyword:(*\-f* OR *regsvr*)) OR (data.win.eventdata.parentImage.keyword:*\\odbcconf.exe AND process_path.keyword:*\\rundll32.exe)))
-index: wazuh-alerts-3.x-*
-name: 65d2be45-8600-4042-b4c0-577a1ff8a60e_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_openwith.yml b/elastalert_rules/sigma_sysmon_win_susp_openwith.yml
deleted file mode 100644
index d7e51303..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_openwith.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: The OpenWith.exe executes other binary
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\OpenWith.exe AND data.win.eventdata.commandLine.keyword:*\/c*)
-index: wazuh-alerts-3.x-*
-name: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_outlook.yml b/elastalert_rules/sigma_sysmon_win_susp_outlook.yml
deleted file mode 100644
index 5ab36d7d..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_outlook.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.commandLine.keyword:*EnableUnsafeClientMailRules* OR (data.win.eventdata.parentImage.keyword:*\\outlook.exe AND data.win.eventdata.commandLine.keyword:\\\\*\\*.exe)))
-index: wazuh-alerts-3.x-*
-name: e212d415-0e93-435f-9e1a-f29005bb4723_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_outlook_temp.yml b/elastalert_rules/sigma_sysmon_win_susp_outlook_temp.yml
deleted file mode 100644
index fbf6e2e1..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_outlook_temp.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious program execution in Outlook temp folder
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\Temporary\ Internet\ Files\\Content.Outlook\\*)
-index: wazuh-alerts-3.x-*
-name: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_ping_hex_ip.yml b/elastalert_rules/sigma_sysmon_win_susp_ping_hex_ip.yml
deleted file mode 100644
index b07c6242..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_ping_hex_ip.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a ping command that uses a hex encoded IP address
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\\ping.exe\ 0x* OR *\\ping\ 0x*) AND process_path.keyword:(*ping.exe*))
-index: wazuh-alerts-3.x-*
-name: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_powershell_empire_launch.yml b/elastalert_rules/sigma_sysmon_win_susp_powershell_empire_launch.yml
deleted file mode 100644
index c357a058..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_powershell_empire_launch.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious powershell command line parameters used in Empire
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ \-NoP\ \-sta\ \-NonI\ \-W\ Hidden\ \-Enc\ * OR *\ \-noP\ \-sta\ \-w\ 1\ \-enc\ * OR *\ \-NoP\ \-NonI\ \-W\ Hidden\ \-enc\ * OR *\ \-noP\ \-sta\ \-w\ 1\ \-enc* OR *\ \-enc\ \ SQB* OR *\ \-nop\ \-exec\ bypass\ \-EncodedCommand\ SQB*))
-index: wazuh-alerts-3.x-*
-name: 79f4ede3-402e-41c8-bc3e-ebbf5f162581_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_powershell_empire_uac_bypass.yml b/elastalert_rules/sigma_sysmon_win_susp_powershell_empire_uac_bypass.yml
deleted file mode 100644
index c0e7e8ae..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_powershell_empire_uac_bypass.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects some Empire PowerShell UAC bypass methods
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ \-NoP\ \-NonI\ \-w\ Hidden\ \-c\ $x\=$\(\(gp\ HKCU\:Software\\Microsoft\\Windows\ Update\).Update\)* OR *\ \-NoP\ \-NonI\ \-c\ $x\=$\(\(gp\ HKCU\:Software\\Microsoft\\Windows\ Update\).Update\);*))
-index: wazuh-alerts-3.x-*
-name: 3268b746-88d8-4cd3-bffc-30077d02c787_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_powershell_enc_cmd.yml b/elastalert_rules/sigma_sysmon_win_susp_powershell_enc_cmd.yml
deleted file mode 100644
index d2c81659..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_powershell_enc_cmd.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ \-e\ JAB* OR *\ \-e\ \ JAB* OR *\ \-e\ \ \ JAB* OR *\ \-e\ \ \ \ JAB* OR *\ \-e\ \ \ \ \ JAB* OR *\ \-e\ \ \ \ \ \ JAB* OR *\ \-en\ JAB* OR *\ \-enc\ JAB* OR *\ \-enc*\ JAB* OR *\ \-w\ hidden\ \-e*\ JAB* OR *\ BA\^J\ e\- OR *\ \-e\ SUVYI* OR *\ \-e\ aWV4I* OR *\ \-e\ SQBFAFgA* OR *\ \-e\ aQBlAHgA* OR *\ \-enc\ SUVYI* OR *\ \-enc\ aWV4I* OR *\ \-enc\ SQBFAFgA* OR *\ \-enc\ aQBlAHgA* OR *\ \-e*\ IAA* OR *\ \-e*\ IAB* OR *\ \-e*\ UwB* OR *\ \-e*\ cwB* OR *.exe\ \-ENCOD\ *) AND (NOT (data.win.eventdata.commandLine.keyword:*\ \-ExecutionPolicy\ remotesigned\ *)))
-index: wazuh-alerts-3.x-*
-name: ca2092a1-c273-4878-9b4b-0d60115bf5ea_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_powershell_encoded_param.yml b/elastalert_rules/sigma_sysmon_win_susp_powershell_encoded_param.yml
deleted file mode 100644
index ab997d1c..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_powershell_encoded_param.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious encoded character syntax often used for defense evasion
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\(WCHAR\)0x*)
-index: wazuh-alerts-3.x-*
-name: e312efd0-35a1-407f-8439-b8d434b438a6_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_powershell_hidden_b64_cmd.yml b/elastalert_rules/sigma_sysmon_win_susp_powershell_hidden_b64_cmd.yml
deleted file mode 100644
index 6eda2f32..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_powershell_hidden_b64_cmd.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:*\ hidden\ * AND data.win.eventdata.commandLine.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))
-index: wazuh-alerts-3.x-*
-name: f26c6093-6f14-4b12-800f-0fcb46f5ffd0_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_powershell_parent_combo.yml b/elastalert_rules/sigma_sysmon_win_susp_powershell_parent_combo.yml
deleted file mode 100644
index 7d471f9c..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_powershell_parent_combo.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious powershell invocations from interpreters or unusual programs
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.parentImage.keyword:(*\\wscript.exe OR *\\cscript.exe) AND process_path.keyword:(*\\powershell.exe)) AND (NOT (data.win.eventdata.currentDirectory.keyword:*\\Health\ Service\ State\\*)))
-index: wazuh-alerts-3.x-*
-name: 95eadcb2-92e4-4ed1-9031-92547773a6db_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_powershell_parent_process.yml b/elastalert_rules/sigma_sysmon_win_susp_powershell_parent_process.yml
deleted file mode 100644
index 70267e84..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_powershell_parent_process.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious parents of powershell.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (data.win.eventdata.parentImage.keyword:(*\\mshta.exe OR *\\rundll32.exe OR *\\regsvr32.exe OR *\\services.exe OR *\\winword.exe OR *\\wmiprvse.exe OR *\\powerpnt.exe OR *\\excel.exe OR *\\msaccess.exe OR *\\mspub.exe OR *\\visio.exe OR *\\outlook.exe OR *\\amigo.exe OR *\\chrome.exe OR *\\firefox.exe OR *\\iexplore.exe OR *\\microsoftedgecp.exe OR *\\microsoftedge.exe OR *\\browser.exe OR *\\vivaldi.exe OR *\\safari.exe OR *\\sqlagent.exe OR *\\sqlserver.exe OR *\\sqlservr.exe OR *\\w3wp.exe OR *\\httpd.exe OR *\\nginx.exe OR *\\php\-cgi.exe OR *\\jbosssvc.exe OR *MicrosoftEdgeSH.exe) OR data.win.eventdata.parentImage.keyword:*tomcat*) AND (data.win.eventdata.commandLine.keyword:(*powershell* OR *pwsh*) OR data.win.eventdata.description:"Windows\ PowerShell" OR data.win.eventdata.product:"PowerShell\ Core\ 6"))
-index: wazuh-alerts-3.x-*
-name: 754ed792-634f-40ae-b3bc-e0448d33f695_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_procdump.yml b/elastalert_rules/sigma_sysmon_win_susp_procdump.yml
deleted file mode 100644
index 8017b3fa..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_procdump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ \-ma\ *) AND data.win.eventdata.commandLine.keyword:(*\ lsass*)) OR data.win.eventdata.commandLine.keyword:(*\ \-ma\ ls*)))
-index: wazuh-alerts-3.x-*
-name: 5afee48e-67dd-4e03-a783-f74259dcf998_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_prog_location_process_starts.yml b/elastalert_rules/sigma_sysmon_win_susp_prog_location_process_starts.yml
deleted file mode 100644
index 4de0f56e..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_prog_location_process_starts.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects programs running in suspicious files system locations
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\$Recycle.bin OR *\\Users\\Public\\* OR C\:\\Perflogs\\* OR *\\Windows\\Fonts\\* OR *\\Windows\\IME\\* OR *\\Windows\\addins\\* OR *\\Windows\\debug\\*))
-index: wazuh-alerts-3.x-*
-name: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_ps_appdata.yml b/elastalert_rules/sigma_sysmon_win_susp_ps_appdata.yml
deleted file mode 100644
index 07ce6bce..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_ps_appdata.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\ \/c\ powershell*\\AppData\\Local\\* OR *\ \/c\ powershell*\\AppData\\Roaming\\*))
-index: wazuh-alerts-3.x-*
-name: ac175779-025a-4f12-98b0-acdaeb77ea85_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_ps_downloadfile.yml b/elastalert_rules/sigma_sysmon_win_susp_ps_downloadfile.yml
deleted file mode 100644
index c6c6e6a5..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_ps_downloadfile.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*powershell* AND data.win.eventdata.commandLine.keyword:*.DownloadFile* AND data.win.eventdata.commandLine.keyword:*System.Net.WebClient*)
-index: wazuh-alerts-3.x-*
-name: 8f70ac5f-1f6f-4f8e-b454-db19561216c5_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_psexec_eula.yml b/elastalert_rules/sigma_sysmon_win_susp_psexec_eula.yml
deleted file mode 100644
index fed77b0a..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_psexec_eula.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect ed user accept agreement execution in psexec commandline
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\psexec.exe AND data.win.eventdata.commandLine.keyword:*accepteula*)
-index: wazuh-alerts-3.x-*
-name: 730fc21b-eaff-474b-ad23-90fd265d4988_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_psr_capture_screenshots.yml b/elastalert_rules/sigma_sysmon_win_susp_psr_capture_screenshots.yml
deleted file mode 100644
index b2995c47..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_psr_capture_screenshots.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: The psr.exe captures desktop screenshots and saves them on the local machine
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\Psr.exe AND data.win.eventdata.commandLine.keyword:*\/start*)
-index: wazuh-alerts-3.x-*
-name: 2158f96f-43c2-43cb-952a-ab4580f32382_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_rar_flags.yml b/elastalert_rules/sigma_sysmon_win_susp_rar_flags.yml
deleted file mode 100644
index 7c7d5a8e..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_rar_flags.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\ \-hp* AND data.win.eventdata.commandLine.keyword:*\ \-m*)
-index: wazuh-alerts-3.x-*
-name: faa48cae-6b25-4f00-a094-08947fef582f_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_rasdial_activity.yml b/elastalert_rules/sigma_sysmon_win_susp_rasdial_activity.yml
deleted file mode 100644
index e9175525..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_rasdial_activity.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious process related to rasdial.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:(*rasdial.exe))
-index: wazuh-alerts-3.x-*
-name: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_recon_activity.yml b/elastalert_rules/sigma_sysmon_win_susp_recon_activity.yml
deleted file mode 100644
index 3b847c02..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_recon_activity.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious command line activity on Windows systems
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine:("net\ group\ \"domain\ admins\"\ \/domain" OR "net\ localgroup\ administrators" OR "net\ group\ \"enterprise\ admins\"\ \/domain"))
-index: wazuh-alerts-3.x-*
-name: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_regsvr32_anomalies.yml b/elastalert_rules/sigma_sysmon_win_susp_regsvr32_anomalies.yml
deleted file mode 100644
index 3ed4452b..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_regsvr32_anomalies.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects various anomalies in relation to regsvr32.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:*\\regsvr32.exe AND data.win.eventdata.commandLine.keyword:*\\Temp\\*) OR (process_path.keyword:*\\regsvr32.exe AND data.win.eventdata.parentImage.keyword:*\\powershell.exe) OR (process_path.keyword:*\\regsvr32.exe AND data.win.eventdata.parentImage.keyword:*\\cmd.exe) OR (process_path.keyword:*\\regsvr32.exe AND data.win.eventdata.commandLine.keyword:(*\/i\:http*\ scrobj.dll OR *\/i\:ftp*\ scrobj.dll)) OR (process_path.keyword:*\\wscript.exe AND data.win.eventdata.parentImage.keyword:*\\regsvr32.exe) OR (process_path.keyword:*\\EXCEL.EXE AND data.win.eventdata.commandLine.keyword:*..\\..\\..\\Windows\\System32\\regsvr32.exe\ *)))
-index: wazuh-alerts-3.x-*
-name: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_regsvr32_flags_anomaly.yml b/elastalert_rules/sigma_sysmon_win_susp_regsvr32_flags_anomaly.yml
deleted file mode 100644
index 45526a18..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_regsvr32_flags_anomaly.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\regsvr32.exe AND data.win.eventdata.commandLine.keyword:*\ \/i\:*) AND (NOT (data.win.eventdata.commandLine.keyword:*\ \/n\ *)))
-index: wazuh-alerts-3.x-*
-name: b236190c-1c61-41e9-84b3-3fe03f6d76b0_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_renamed_dctask64.yml b/elastalert_rules/sigma_sysmon_win_susp_renamed_dctask64.yml
deleted file mode 100644
index 4f9f8043..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_renamed_dctask64.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND hash_imphash:("6834B1B94E49701D77CCB3C0895E1AFD" OR "6834b1b94e49701d77ccb3c0895e1afd") AND (NOT (process_path.keyword:*\\dctask64.exe)))
-index: wazuh-alerts-3.x-*
-name: 340a090b-c4e9-412e-bb36-b4b16fe96f9b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_renamed_debugview.yml b/elastalert_rules/sigma_sysmon_win_susp_renamed_debugview.yml
deleted file mode 100644
index 8f000a3c..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_renamed_debugview.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious renamed SysInternals DebugView execution
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.product:("Sysinternals\ DebugView" OR "Sysinternals\ Debugview") AND (NOT (OriginalFilename:"Dbgview.exe" AND process_path.keyword:*\\Dbgview.exe)))
-index: wazuh-alerts-3.x-*
-name: cd764533-2e07-40d6-a718-cfeec7f2da7f_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_susp_run_locations.yml b/elastalert_rules/sigma_sysmon_win_susp_run_locations.yml
deleted file mode 100644
index 9d969439..00000000
--- a/elastalert_rules/sigma_sysmon_win_susp_run_locations.yml
+++ /dev/null
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious process run from unusual locations -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\:\\RECYCLER\\* OR *\:\\SystemVolumeInformation\\* OR C\:\\Windows\\Tasks\\* OR C\:\\Windows\\debug\\* OR C\:\\Windows\\fonts\\* OR C\:\\Windows\\help\\* OR C\:\\Windows\\drivers\\* OR C\:\\Windows\\addins\\* OR C\:\\Windows\\cursors\\* OR C\:\\Windows\\system32\\tasks\\*)) -index: wazuh-alerts-3.x-* -name: 15b75071-74cc-47e0-b4c6-b43744a62a2b_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_rundll32_activity.yml b/elastalert_rules/sigma_sysmon_win_susp_rundll32_activity.yml deleted file mode 100644 index df9fa8ad..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_rundll32_activity.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious process related to rundll32 based on arguments -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\\rundll32.exe*\ url.dll,*OpenURL\ * OR *\\rundll32.exe*\ url.dll,*OpenURLA\ * OR *\\rundll32.exe*\ url.dll,*FileProtocolHandler\ * OR *\\rundll32.exe*\ zipfldr.dll,*RouteTheCall\ * OR *\\rundll32.exe*\ Shell32.dll,*Control_RunDLL\ * OR *\\rundll32.exe\ javascript\:* OR *\ url.dll,*OpenURL\ * OR *\ url.dll,*OpenURLA\ * OR *\ url.dll,*FileProtocolHandler\ * OR *\ zipfldr.dll,*RouteTheCall\ * OR *\ Shell32.dll,*Control_RunDLL\ * OR *\ javascript\:* OR *.RegisterXLL*)) -index: wazuh-alerts-3.x-* -name: e593cf51-88db-4ee1-b920-37e89012a3c9_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_rundll32_by_ordinal.yml b/elastalert_rules/sigma_sysmon_win_susp_rundll32_by_ordinal.yml deleted file mode 100644 index 1e3ec1b9..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_rundll32_by_ordinal.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\\rundll32.exe\ *,#*) -index: wazuh-alerts-3.x-* -name: e79a9e79-eb72-4e78-a628-0e7e8f59e89c_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_schtask_creation.yml b/elastalert_rules/sigma_sysmon_win_susp_schtask_creation.yml deleted file mode 100644 index 7e714184..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_schtask_creation.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the creation of scheduled tasks in user session -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\schtasks.exe AND data.win.eventdata.commandLine.keyword:*\ \/create\ *) AND (NOT (user_account:"NT\ AUTHORITY\\SYSTEM"))) -index: wazuh-alerts-3.x-* -name: 92626ddd-662c-49e3-ac59-f6535f12d189_0 -priority: 4 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_script_execution.yml b/elastalert_rules/sigma_sysmon_win_susp_script_execution.yml deleted file mode 100644 index cd530098..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_script_execution.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious file execution by wscript and cscript -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\wscript.exe OR *\\cscript.exe) AND data.win.eventdata.commandLine.keyword:(*.jse* OR *.vbe* OR *.js* OR *.vba*)) -index: wazuh-alerts-3.x-* -name: 1e33157c-53b1-41ad-bbcc-780b80b58288_0 -priority: 3 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_sysmon_win_susp_service_path_modification.yml b/elastalert_rules/sigma_sysmon_win_susp_service_path_modification.yml deleted file mode 100644 index d4dbac6e..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_service_path_modification.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects service path modification to powershell/cmd -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\sc.exe AND data.win.eventdata.commandLine.keyword:*config* AND data.win.eventdata.commandLine.keyword:*binpath* AND data.win.eventdata.commandLine.keyword:(*powershell* OR *cmd*)) -index: wazuh-alerts-3.x-* -name: 138d3531-8793-4f50-a2cd-f291b2863d78_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_shell_spawn_from_mssql.yml b/elastalert_rules/sigma_sysmon_win_susp_shell_spawn_from_mssql.yml deleted file mode 100644 index f24f7d6f..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_shell_spawn_from_mssql.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\sqlservr.exe AND process_path.keyword:(*\\cmd.exe OR *\\sh.exe OR *\\bash.exe OR *\\powershell.exe OR *\\bitsadmin.exe)) -index: wazuh-alerts-3.x-* -name: 869b9ca7-9ea2-4a5a-8325-e80e62f75445_0 -priority: 1 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_squirrel_lolbin.yml b/elastalert_rules/sigma_sysmon_win_susp_squirrel_lolbin.yml deleted file mode 100644 index 903b2e37..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_squirrel_lolbin.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects Possible Squirrel Packages Manager as Lolbin -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\update.exe) AND data.win.eventdata.commandLine.keyword:(*\-\-processStart*.exe* OR *\-\-processStartAndWait*.exe* OR *\-\-createShortcut*.exe*)) -index: wazuh-alerts-3.x-* -name: fa4b21c9-0057-4493-b289-2556416ae4d7_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_svchost.yml b/elastalert_rules/sigma_sysmon_win_susp_svchost.yml deleted file mode 100644 index 30f957d4..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_svchost.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a suspicious svchost process start -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\svchost.exe AND (NOT (data.win.eventdata.parentImage.keyword:(*\\services.exe OR *\\MsMpEng.exe OR *\\Mrt.exe OR *\\rpcnet.exe OR *\\svchost.exe)))) AND (NOT (NOT _exists_:data.win.eventdata.parentImage))) -index: wazuh-alerts-3.x-* -name: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_svchost_no_cli.yml b/elastalert_rules/sigma_sysmon_win_susp_svchost_no_cli.yml deleted file mode 100644 index 108ff81f..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_svchost_no_cli.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space. -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*svchost.exe AND process_path.keyword:*\\svchost.exe) AND (NOT (data.win.eventdata.parentImage.keyword:(*\\rpcnet.exe OR *\\rpcnetp.exe)))) -index: wazuh-alerts-3.x-* -name: 16c37b52-b141-42a5-a3ea-bbe098444397_0 -priority: 1 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_sysprep_appdata.yml b/elastalert_rules/sigma_sysmon_win_susp_sysprep_appdata.yml deleted file mode 100644 index 57d35321..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_sysprep_appdata.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:(*\\sysprep.exe\ *\\AppData\\* OR sysprep.exe\ *\\AppData\\*)) -index: wazuh-alerts-3.x-* -name: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_sysvol_access.yml b/elastalert_rules/sigma_sysmon_win_susp_sysvol_access.yml deleted file mode 100644 index 2a3b768b..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_sysvol_access.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects Access to Domain Group Policies stored in SYSVOL -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\\SYSVOL\\*\\policies\\*) -index: wazuh-alerts-3.x-* -name: 05f3c945-dcc8-4393-9f3d-af65077a8f86_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_taskmgr_localsystem.yml b/elastalert_rules/sigma_sysmon_win_susp_taskmgr_localsystem.yml deleted file mode 100644 index 48e41a3a..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_taskmgr_localsystem.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND user_account:"NT\ AUTHORITY\\SYSTEM" AND process_path.keyword:*\\taskmgr.exe) -index: wazuh-alerts-3.x-* -name: 9fff585c-c33e-4a86-b3cd-39312079a65f_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_taskmgr_parent.yml b/elastalert_rules/sigma_sysmon_win_susp_taskmgr_parent.yml deleted file mode 100644 index 17c162dd..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_taskmgr_parent.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the creation of a process from Windows task manager -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\taskmgr.exe AND (NOT (process_path.keyword:(*\\resmon.exe OR *\\mmc.exe OR *\\taskmgr.exe)))) -index: wazuh-alerts-3.x-* -name: 3d7679bd-0c00-440c-97b0-3f204273e6c7_0 -priority: 4 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_tscon_localsystem.yml b/elastalert_rules/sigma_sysmon_win_susp_tscon_localsystem.yml deleted file mode 100644 index 1f782984..00000000 
--- a/elastalert_rules/sigma_sysmon_win_susp_tscon_localsystem.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a tscon.exe start as LOCAL SYSTEM -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND user_account:"NT\ AUTHORITY\\SYSTEM" AND process_path.keyword:*\\tscon.exe) -index: wazuh-alerts-3.x-* -name: 9847f263-4a81-424f-970c-875dab15b79b_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_tscon_rdp_redirect.yml b/elastalert_rules/sigma_sysmon_win_susp_tscon_rdp_redirect.yml deleted file mode 100644 index 3df2afa4..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_tscon_rdp_redirect.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a suspicious RDP session redirect using tscon.exe -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*\ \/dest\:rdp\-tcp\:*) -index: wazuh-alerts-3.x-* -name: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_use_of_csharp_console.yml b/elastalert_rules/sigma_sysmon_win_susp_use_of_csharp_console.yml deleted file mode 100644 index 87c3d621..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_use_of_csharp_console.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the execution of CSharp interactive console by PowerShell -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\csi.exe AND data.win.eventdata.parentImage.keyword:*\\powershell.exe AND data.win.eventdata.originalFileName:"csi.exe") -index: wazuh-alerts-3.x-* -name: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61_0 -priority: 2 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_sysmon_win_susp_userinit_child.yml b/elastalert_rules/sigma_sysmon_win_susp_userinit_child.yml deleted file mode 100644 index c53a77d9..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_userinit_child.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a suspicious child process of userinit -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND (data.win.eventdata.parentImage.keyword:*\\userinit.exe AND (NOT (data.win.eventdata.commandLine.keyword:*\\netlogon\\*))) AND (NOT (process_path.keyword:*\\explorer.exe))) -index: wazuh-alerts-3.x-* -name: b655a06a-31c0-477a-95c2-3726b83d649d_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_whoami.yml b/elastalert_rules/sigma_sysmon_win_susp_whoami.yml deleted file mode 100644 index 379b04fd..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_whoami.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND (process_path.keyword:*\\whoami.exe OR data.win.eventdata.originalFileName:"whoami.exe")) -index: wazuh-alerts-3.x-* -name: e28a5a99-da44-436d-b7a0-2afc20a5f413_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_wmi_execution.yml b/elastalert_rules/sigma_sysmon_win_susp_wmi_execution.yml deleted file mode 100644 index 1ff5099d..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_wmi_execution.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects WMI executing suspicious commands -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\wmic.exe) AND data.win.eventdata.commandLine.keyword:(*\/NODE\:*process\ call\ create\ * OR *\ path\ AntiVirusProduct\ get\ * OR *\ path\ FirewallProduct\ get\ * OR *\ shadowcopy\ delete\ *)) -index: wazuh-alerts-3.x-* -name: 526be59f-a573-4eea-b5f7-f0973207634d_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_susp_wmic_proc_create_rundll32.yml b/elastalert_rules/sigma_sysmon_win_susp_wmic_proc_create_rundll32.yml deleted file mode 100644 index 26c3be0b..00000000 --- a/elastalert_rules/sigma_sysmon_win_susp_wmic_proc_create_rundll32.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects WMI executing rundll32 -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*process\ call\ create* AND data.win.eventdata.commandLine.keyword:*rundll32*) -index: wazuh-alerts-3.x-* -name: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_sysmon_driver_unload.yml b/elastalert_rules/sigma_sysmon_win_sysmon_driver_unload.yml deleted file mode 100644 index 4e708969..00000000 --- a/elastalert_rules/sigma_sysmon_win_sysmon_driver_unload.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detect possible Sysmon driver unload -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\fltmc.exe AND data.win.eventdata.commandLine.keyword:*unload* AND data.win.eventdata.commandLine.keyword:*sys*) -index: wazuh-alerts-3.x-* -name: 4d7cda18-1b12-4e52-b45c-d28653210df8_0 -priority: 2 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_sysmon_win_system_exe_anomaly.yml b/elastalert_rules/sigma_sysmon_win_system_exe_anomaly.yml deleted file mode 100644 index a1aadbb3..00000000 --- a/elastalert_rules/sigma_sysmon_win_system_exe_anomaly.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a Windows program executable started in a suspicious folder -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:(*\\svchost.exe OR *\\rundll32.exe OR *\\services.exe OR *\\powershell.exe OR *\\regsvr32.exe OR *\\spoolsv.exe OR *\\lsass.exe OR *\\smss.exe OR *\\csrss.exe OR *\\conhost.exe OR *\\wininit.exe OR *\\lsm.exe OR *\\winlogon.exe OR *\\explorer.exe OR *\\taskhost.exe OR *\\Taskmgr.exe OR *\\sihost.exe OR *\\RuntimeBroker.exe OR *\\smartscreen.exe OR *\\dllhost.exe OR *\\audiodg.exe OR *\\wlanext.exe) AND (NOT (process_path.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\system32\\* OR C\:\\Windows\\SysWow64\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\explorer.exe OR C\:\\Windows\\winsxs\\* OR C\:\\Windows\\WinSxS\\* OR \\SystemRoot\\System32\\*)))) -index: wazuh-alerts-3.x-* -name: e4a6b256-3e47-40fc-89d2-7a477edd6915_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_tap_installer_execution.yml b/elastalert_rules/sigma_sysmon_win_tap_installer_execution.yml deleted file mode 100644 index 1a50ea91..00000000 --- a/elastalert_rules/sigma_sysmon_win_tap_installer_execution.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\tapinstall.exe) -index: wazuh-alerts-3.x-* -name: 99793437-3e16-439b-be0f-078782cf953d_0 -priority: 3 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_sysmon_win_task_folder_evasion.yml b/elastalert_rules/sigma_sysmon_win_task_folder_evasion.yml deleted file mode 100644 index 19943164..00000000 --- a/elastalert_rules/sigma_sysmon_win_task_folder_evasion.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr -filter: -- query: - query_string: - query: (data.win.eventdata.commandLine.keyword:(*echo\ * OR *copy\ * OR *type\ * OR *file\ createnew*) AND data.win.eventdata.commandLine.keyword:(*\ C\:\\Windows\\System32\\Tasks\\* OR *\ C\:\\Windows\\SysWow64\\Tasks\\*)) -index: wazuh-alerts-3.x-* -name: cc4e02ba-9c06-48e2-b09e-2500cace9ae0_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_termserv_proc_spawn.yml b/elastalert_rules/sigma_sysmon_win_termserv_proc_spawn.yml deleted file mode 100644 index 9fd0e5f9..00000000 --- a/elastalert_rules/sigma_sysmon_win_termserv_proc_spawn.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708) -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentCommandLine.keyword:*\\svchost.exe*termsvcs AND (NOT (process_path.keyword:*\\rdpclip.exe))) -index: wazuh-alerts-3.x-* -name: 1012f107-b8f1-4271-af30-5aed2de89b39_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_trust_discovery.yml b/elastalert_rules/sigma_sysmon_win_trust_discovery.yml deleted file mode 100644 index 4ef63d18..00000000 --- a/elastalert_rules/sigma_sysmon_win_trust_discovery.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND ((process_path.keyword:*\\nltest.exe AND data.win.eventdata.commandLine.keyword:(*domain_trusts* OR *all_trusts* OR *\/dclist*)) OR (process_path.keyword:*\\dsquery.exe AND data.win.eventdata.commandLine.keyword:*trustedDomain*))) -index: wazuh-alerts-3.x-* -name: 3bad990e-4848-4a78-9530-b427d854aac0_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_uac_cmstp.yml b/elastalert_rules/sigma_sysmon_win_uac_cmstp.yml deleted file mode 100644 index bbb98164..00000000 --- a/elastalert_rules/sigma_sysmon_win_uac_cmstp.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe). -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\cmstp.exe AND data.win.eventdata.commandLine.keyword:(*\/s* OR *\/au*)) -index: wazuh-alerts-3.x-* -name: e66779cc-383e-4224-a3a4-267eeb585c40_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_uac_fodhelper.yml b/elastalert_rules/sigma_sysmon_win_uac_fodhelper.yml deleted file mode 100644 index da2f0783..00000000 --- a/elastalert_rules/sigma_sysmon_win_uac_fodhelper.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\fodhelper.exe) -index: wazuh-alerts-3.x-* -name: 7f741dcf-fc22-4759-87b4-9ae8376676a2_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_uac_wsreset.yml b/elastalert_rules/sigma_sysmon_win_uac_wsreset.yml deleted file mode 100644 index e5acede9..00000000 --- a/elastalert_rules/sigma_sysmon_win_uac_wsreset.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\wsreset.exe AND (NOT (process_path.keyword:*\\conhost.exe))) -index: wazuh-alerts-3.x-* -name: d797268e-28a9-49a7-b9a8-2f5039011c5c_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/elastalert_rules/sigma_sysmon_win_using_sc_to_change_sevice_image_path_by_non_admin.yml deleted file mode 100644 index de6da5a3..00000000 --- a/elastalert_rules/sigma_sysmon_win_using_sc_to_change_sevice_image_path_by_non_admin.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\sc.exe AND IntegrityLevel:"Medium" AND ((data.win.eventdata.commandLine.keyword:*config* AND data.win.eventdata.commandLine.keyword:*binPath*) OR (data.win.eventdata.commandLine.keyword:*failure* AND data.win.eventdata.commandLine.keyword:*command*))) -index: wazuh-alerts-3.x-* -name: d937b75f-a665-4480-88a5-2f20e9f9b22a_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_vul_java_remote_debugging.yml b/elastalert_rules/sigma_sysmon_win_vul_java_remote_debugging.yml deleted file mode 100644 index a5ddcc82..00000000 --- a/elastalert_rules/sigma_sysmon_win_vul_java_remote_debugging.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.commandLine.keyword:*transport\=dt_socket,address\=* AND (NOT (data.win.eventdata.commandLine.keyword:*address\=127.0.0.1* OR data.win.eventdata.commandLine.keyword:*address\=localhost*))) -index: wazuh-alerts-3.x-* -name: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_webshell_detection.yml b/elastalert_rules/sigma_sysmon_win_webshell_detection.yml deleted file mode 100644 index dd4f2bb9..00000000 --- a/elastalert_rules/sigma_sysmon_win_webshell_detection.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects certain command line parameters often used during reconnaissance activity via web shells -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:(*\\apache* OR *\\tomcat* OR *\\w3wp.exe OR *\\php\-cgi.exe OR *\\nginx.exe OR *\\httpd.exe) AND data.win.eventdata.commandLine.keyword:(*whoami* OR *net\ user\ * OR *ping\ \-n\ * OR *systeminfo OR *&cd&echo* OR *cd\ \/d*)) -index: wazuh-alerts-3.x-* -name: bed2a484-9348-4143-8a8a-b801c979301c_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_webshell_recon_detection.yml b/elastalert_rules/sigma_sysmon_win_webshell_recon_detection.yml deleted file mode 100644 index 80e38804..00000000 --- a/elastalert_rules/sigma_sysmon_win_webshell_recon_detection.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed. -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:(*\\apache* OR *\\tomcat* OR *\\w3wp.exe* OR *\\php\-cgi.exe* OR *\\nginx.exe* OR *\\httpd.exe*) AND process_path.keyword:(*\\cmd.exe) AND data.win.eventdata.commandLine.keyword:(*perl\ \-\-help* OR *python\ \-\-help* OR *wget\ \-\-help* OR *perl\ \-h*)) -index: wazuh-alerts-3.x-* -name: f64e5c19-879c-4bae-b471-6d84c8339677_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_webshell_spawn.yml b/elastalert_rules/sigma_sysmon_win_webshell_spawn.yml deleted file mode 100644 index f53322cf..00000000 --- a/elastalert_rules/sigma_sysmon_win_webshell_spawn.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:(*\\w3wp.exe OR *\\httpd.exe OR *\\nginx.exe OR *\\php\-cgi.exe OR *\\tomcat.exe) AND process_path.keyword:(*\\cmd.exe OR *\\sh.exe OR *\\bash.exe OR *\\powershell.exe OR *\\bitsadmin.exe)) -index: wazuh-alerts-3.x-* -name: 8202070f-edeb-4d31-a010-a26c72ac5600_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_whoami_as_system.yml b/elastalert_rules/sigma_sysmon_win_whoami_as_system.yml deleted file mode 100644 index 378473c3..00000000 --- a/elastalert_rules/sigma_sysmon_win_whoami_as_system.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND user_account:"NT\ AUTHORITY\\SYSTEM" AND process_path.keyword:*\\whoami.exe) -index: wazuh-alerts-3.x-* -name: 80167ada-7a12-41ed-b8e9-aa47195c66a1_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_win10_sched_task_0day.yml b/elastalert_rules/sigma_sysmon_win_win10_sched_task_0day.yml deleted file mode 100644 index bfd769c8..00000000 --- a/elastalert_rules/sigma_sysmon_win_win10_sched_task_0day.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects Task Scheduler .job import arbitrary DACL write\par -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\schtasks.exe AND data.win.eventdata.commandLine.keyword:*\/change*\/TN*\/RU*\/RP*) -index: wazuh-alerts-3.x-* -name: 931b6802-d6a6-4267-9ffa-526f57f22aaf_0 -priority: 2 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_sysmon_win_wmi_backdoor_exchange_transport_agent.yml b/elastalert_rules/sigma_sysmon_win_wmi_backdoor_exchange_transport_agent.yml deleted file mode 100644 index 0acfd21e..00000000 --- a/elastalert_rules/sigma_sysmon_win_wmi_backdoor_exchange_transport_agent.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\EdgeTransport.exe) -index: wazuh-alerts-3.x-* -name: 797011dc-44f4-4e6f-9f10-a8ceefbe566b_0 -priority: 1 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_wmi_persistence_script_event_consumer.yml b/elastalert_rules/sigma_sysmon_win_wmi_persistence_script_event_consumer.yml deleted file mode 100644 index fcbe8c32..00000000 --- a/elastalert_rules/sigma_sysmon_win_wmi_persistence_script_event_consumer.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects WMI script event consumers -filter: -- query: - query_string: - query: (data.win.system.eventID:"4688" AND process_path:"C\:\\WINDOWS\\system32\\wbem\\scrcons.exe" AND data.win.eventdata.parentImage:"C\:\\Windows\\System32\\svchost.exe") -index: wazuh-alerts-3.x-* -name: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_sysmon_win_wmi_spwns_powershell.yml b/elastalert_rules/sigma_sysmon_win_wmi_spwns_powershell.yml deleted file mode 100644 index c9073ef7..00000000 --- a/elastalert_rules/sigma_sysmon_win_wmi_spwns_powershell.yml +++ /dev/null 
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects WMI spawning PowerShell
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:(*\\wmiprvse.exe) AND process_path.keyword:(*\\powershell.exe))
-index: wazuh-alerts-3.x-*
-name: 692f0bec-83ba-4d04-af7e-e884a96059b6_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_wmiprvse_spawning_process.yml b/elastalert_rules/sigma_sysmon_win_wmiprvse_spawning_process.yml
deleted file mode 100644
index 2d3e4c62..00000000
--- a/elastalert_rules/sigma_sysmon_win_wmiprvse_spawning_process.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects wmiprvse spawning processes
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:*\\WmiPrvSe.exe AND (NOT (data.win.eventdata.logonId:"0x3e7" OR user_account:"NT\ AUTHORITY\\SYSTEM" OR process_path.keyword:(*\\WmiPrvSE.exe OR *\\WerFault.exe))))
-index: wazuh-alerts-3.x-*
-name: d21374ff-f574-44a7-9998-4a8c8bf33d7d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_workflow_compiler.yml b/elastalert_rules/sigma_sysmon_win_workflow_compiler.yml
deleted file mode 100644
index 5c7ade48..00000000
--- a/elastalert_rules/sigma_sysmon_win_workflow_compiler.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND process_path.keyword:*\\Microsoft.Workflow.Compiler.exe)
-index: wazuh-alerts-3.x-*
-name: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_wsreset_uac_bypass.yml b/elastalert_rules/sigma_sysmon_win_wsreset_uac_bypass.yml
deleted file mode 100644
index 6638777a..00000000
--- a/elastalert_rules/sigma_sysmon_win_wsreset_uac_bypass.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND data.win.eventdata.parentImage.keyword:(*\\WSreset.exe))
-index: wazuh-alerts-3.x-*
-name: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_win_xsl_script_processing.yml b/elastalert_rules/sigma_sysmon_win_xsl_script_processing.yml
deleted file mode 100644
index f4fd1ac8..00000000
--- a/elastalert_rules/sigma_sysmon_win_xsl_script_processing.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4688" AND ((process_path.keyword:*\\wmic.exe AND data.win.eventdata.commandLine.keyword:*\/format*) OR process_path.keyword:*\\msxsl.exe))
-index: wazuh-alerts-3.x-*
-name: 05c36dd6-79d6-4a9a-97da-3db20298ab2d_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_wmi_event_subscription.yml b/elastalert_rules/sigma_sysmon_wmi_event_subscription.yml
deleted file mode 100644
index e1b83459..00000000
--- a/elastalert_rules/sigma_sysmon_wmi_event_subscription.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects creation of WMI event subscription persistence method
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:("19" OR "20" OR "21")
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_wmi_event_subscription
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_wmi_module_load.yml b/elastalert_rules/sigma_sysmon_wmi_module_load.yml
deleted file mode 100644
index 38c345f2..00000000
--- a/elastalert_rules/sigma_sysmon_wmi_module_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects non wmiprvse loading WMI modules
-filter:
-- query:
- query_string:
- query: (ImageLoaded.keyword:(*\\wmiclnt.dll OR *\\WmiApRpl.dll OR *\\wmiprov.dll OR *\\wmiutils.dll OR *\\wbemcomn.dll OR *\\wbemprox.dll OR *\\WMINet_Utils.dll OR *\\wbemsvc.dll OR *\\fastprox.dll) AND (NOT (data.win.eventdata.image.keyword:(*\\WmiPrvSe.exe OR *\\WmiAPsrv.exe OR *\\svchost.exe OR *\\DeviceCensus.exe OR *\\CompatTelRunner.exe OR *\\sdiagnhost.exe OR *\\SIHClient.exe OR *\\ngentask.exe OR *\\windows\\system32\\taskhostw.exe OR *\\windows\\system32\\MoUsoCoreWorker.exe))))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_wmi_module_load
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_wmi_persistence_commandline_event_consumer.yml b/elastalert_rules/sigma_sysmon_wmi_persistence_commandline_event_consumer.yml
deleted file mode 100644
index 08368feb..00000000
--- a/elastalert_rules/sigma_sysmon_wmi_persistence_commandline_event_consumer.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects WMI command line event consumers
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image:"C\:\\Windows\\System32\\wbem\\WmiPrvSE.exe" AND ImageLoaded.keyword:*\\wbemcons.dll)
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_wmi_persistence_commandline_event_consumer
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_wmi_persistence_script_event_consumer_write.yml b/elastalert_rules/sigma_sysmon_wmi_persistence_script_event_consumer_write.yml
deleted file mode 100644
index ceacc552..00000000
--- a/elastalert_rules/sigma_sysmon_wmi_persistence_script_event_consumer_write.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects file writes of WMI script event consumer
-filter:
-- query:
- query_string:
- query: data.win.eventdata.image:"C\:\\WINDOWS\\system32\\wbem\\scrcons.exe"
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_wmi_persistence_script_event_consumer_write
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_sysmon_wmi_susp_scripting.yml b/elastalert_rules/sigma_sysmon_wmi_susp_scripting.yml
deleted file mode 100644
index 271d3eaa..00000000
--- a/elastalert_rules/sigma_sysmon_wmi_susp_scripting.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious scripting in WMI Event Consumers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"20" AND wmi_consumer_destination.keyword:(*new\-object\ system.net.webclient\).downloadstring\(* OR *new\-object\ system.net.webclient\).downloadfile\(* OR *new\-object\ net.webclient\).downloadstring\(* OR *new\-object\ net.webclient\).downloadfile\(* OR *\ iex\(* OR *WScript.shell* OR *\ \-nop\ * OR *\ \-noprofile\ * OR *\ \-decode\ * OR *\ \-enc\ *))
-index: wazuh-alerts-3.x-*
-name: sigma_sysmon_wmi_susp_scripting
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_GPO_scheduledtasks.yml b/elastalert_rules/sigma_win_GPO_scheduledtasks.yml
deleted file mode 100644
index f9deda52..00000000
--- a/elastalert_rules/sigma_win_GPO_scheduledtasks.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5145" AND data.win.eventdata.shareName.keyword:\\*\\SYSVOL AND data.win.eventdata.relativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_GPO_scheduledtasks
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_account_backdoor_dcsync_rights.yml b/elastalert_rules/sigma_win_account_backdoor_dcsync_rights.yml
deleted file mode 100644
index 14cf6a68..00000000
--- a/elastalert_rules/sigma_win_account_backdoor_dcsync_rights.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5136" AND LDAPDisplayName:"ntSecurityDescriptor" AND Value.keyword:(*1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2* OR *1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2* OR *89e95b76\-444d\-4c62\-991a\-0facbeda640c*))
-index: wazuh-alerts-3.x-*
-name: sigma_win_account_backdoor_dcsync_rights
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_account_discovery.yml b/elastalert_rules/sigma_win_account_discovery.yml
deleted file mode 100644
index ba2cc2b8..00000000
--- a/elastalert_rules/sigma_win_account_discovery.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4661" AND data.win.eventdata.objectType:("SAM_USER" OR "SAM_GROUP") AND data.win.eventdata.objectName.keyword:(*\-512 OR *\-502 OR *\-500 OR *\-505 OR *\-519 OR *\-520 OR *\-544 OR *\-551 OR *\-555 OR *admin*))
-index: wazuh-alerts-3.x-*
-name: sigma_win_account_discovery
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_ad_object_writedac_access.yml b/elastalert_rules/sigma_win_ad_object_writedac_access.yml
deleted file mode 100644
index 56e8e198..00000000
--- a/elastalert_rules/sigma_win_ad_object_writedac_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects WRITE_DAC access to a domain object
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4662" AND ObjectServer:"DS" AND data.win.eventdata.accessMask:"0x40000" AND data.win.eventdata.objectType:("19195a5b\-6da0\-11d0\-afd3\-00c04fd930c9" OR "domainDNS"))
-index: wazuh-alerts-3.x-*
-name: sigma_win_ad_object_writedac_access
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_ad_replication_non_machine_account.yml b/elastalert_rules/sigma_win_ad_replication_non_machine_account.yml
deleted file mode 100644
index df326673..00000000
--- a/elastalert_rules/sigma_win_ad_replication_non_machine_account.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"4662" AND data.win.eventdata.accessMask:"0x100" AND data.win.eventdata.properties.keyword:(*1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2* OR *1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2* OR *89e95b76\-444d\-4c62\-991a\-0facbeda640c*)) AND (NOT (SubjectUserName.keyword:*$ OR SubjectUserName.keyword:MSOL_*)))
-index: wazuh-alerts-3.x-*
-name: sigma_win_ad_replication_non_machine_account
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_ad_user_enumeration.yml b/elastalert_rules/sigma_win_ad_user_enumeration.yml
deleted file mode 100644
index e7a3351f..00000000
--- a/elastalert_rules/sigma_win_ad_user_enumeration.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects access to a domain user from a non-machine account
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"4662" AND data.win.eventdata.objectType.keyword:(*bf967aba\-0de6\-11d0\-a285\-00aa003049e2*)) AND (NOT (SubjectUserName.keyword:*$ OR SubjectUserName.keyword:MSOL_*)))
-index: wazuh-alerts-3.x-*
-name: sigma_win_ad_user_enumeration
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_admin_rdp_login.yml b/elastalert_rules/sigma_win_admin_rdp_login.yml
deleted file mode 100644
index 92af663b..00000000
--- a/elastalert_rules/sigma_win_admin_rdp_login.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect remote login by Administrator user depending on internal pattern
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4624" AND data.win.eventdata.logonType:"10" AND logon_authentication_package:"Negotiate" AND data.win.eventdata.accountName.keyword:Admin\-*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_admin_rdp_login
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_admin_share_access.yml b/elastalert_rules/sigma_win_admin_share_access.yml
deleted file mode 100644
index e0a398c8..00000000
--- a/elastalert_rules/sigma_win_admin_share_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects access to $ADMIN share
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"5140" AND data.win.eventdata.shareName:"Admin$") AND (NOT (user_name.keyword:*$)))
-index: wazuh-alerts-3.x-*
-name: sigma_win_admin_share_access
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_advanced_ip_scanner.yml b/elastalert_rules/sigma_win_advanced_ip_scanner.yml
deleted file mode 100644
index 50b56f12..00000000
--- a/elastalert_rules/sigma_win_advanced_ip_scanner.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\advanced_ip_scanner*)
-index: wazuh-alerts-3.x-*
-name: bef37fa2-f205-4a7b-b484-0759bfd5f86f_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_alert_active_directory_user_control.yml b/elastalert_rules/sigma_win_alert_active_directory_user_control.yml
deleted file mode 100644
index f51bd8e4..00000000
--- a/elastalert_rules/sigma_win_alert_active_directory_user_control.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4704" AND data.win.system.message.keyword:(*SeEnableDelegationPrivilege*))
-index: wazuh-alerts-3.x-*
-name: sigma_win_alert_active_directory_user_control
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_alert_ad_user_backdoors.yml b/elastalert_rules/sigma_win_alert_ad_user_backdoors.yml
deleted file mode 100644
index fc989743..00000000
--- a/elastalert_rules/sigma_win_alert_ad_user_backdoors.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects scenarios where one can control another users or computers account without having to use their credentials.
-filter:
-- query:
- query_string:
- query: (((((data.win.system.eventID:"4738" AND (NOT (user_attribute_allowed_todelegate:"\-"))) AND (NOT (NOT _exists_:user_attribute_allowed_todelegate))) OR (data.win.system.eventID:"5136" AND dsobject_attribute_name:"msDS\-AllowedToDelegateTo")) OR (data.win.system.eventID:"5136" AND dsobject_class:"user" AND dsobject_attribute_name:"servicePrincipalName")) OR (data.win.system.eventID:"5136" AND dsobject_attribute_name:"msDS\-AllowedToActOnBehalfOfOtherIdentity"))
-index: wazuh-alerts-3.x-*
-name: sigma_win_alert_ad_user_backdoors
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_alert_enable_weak_encryption.yml b/elastalert_rules/sigma_win_alert_enable_weak_encryption.yml
deleted file mode 100644
index b0d4b32e..00000000
--- a/elastalert_rules/sigma_win_alert_enable_weak_encryption.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4738" AND data.win.system.message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND data.win.system.message.keyword:(*Enabled*))
-index: wazuh-alerts-3.x-*
-name: sigma_win_alert_enable_weak_encryption
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_alert_lsass_access.yml b/elastalert_rules/sigma_win_alert_lsass_access.yml
deleted file mode 100644
index de2a1792..00000000
--- a/elastalert_rules/sigma_win_alert_lsass_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Access to LSASS Process
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1121" AND process_path.keyword:*\\lsass.exe)
-index: wazuh-alerts-3.x-*
-name: sigma_win_alert_lsass_access
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_alert_mimikatz_keywords.yml b/elastalert_rules/sigma_win_alert_mimikatz_keywords.yml
deleted file mode 100644
index ef19147d..00000000
--- a/elastalert_rules/sigma_win_alert_mimikatz_keywords.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
-filter:
-- query:
- query_string:
- query: data.win.system.message.keyword:(*\ mimikatz\ * OR *\ mimilib\ * OR *\ <3\ eo.oe\ * OR *\ eo.oe.kiwi\ * OR *\ privilege\:\:debug\ * OR *\ sekurlsa\:\:logonpasswords\ * OR *\ lsadump\:\:sam\ * OR *\ mimidrv.sys\ * OR *\ p\:\:d\ * OR *\ s\:\:l\ *)
-index: wazuh-alerts-3.x-*
-name: sigma_win_alert_mimikatz_keywords
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_alert_ruler.yml b/elastalert_rules/sigma_win_alert_ruler.yml
deleted file mode 100644
index ca3d1eeb..00000000
--- a/elastalert_rules/sigma_win_alert_ruler.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This events that are generated when using the hacktool Ruler by Sensepost
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.sourceHostname:"RULER" AND (data.win.system.eventID:("4776") OR data.win.system.eventID:("4624" OR "4625")))
-index: wazuh-alerts-3.x-*
-name: sigma_win_alert_ruler
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_applocker_file_was_not_allowed_to_run.yml b/elastalert_rules/sigma_win_applocker_file_was_not_allowed_to_run.yml
deleted file mode 100644
index 1fc63e21..00000000
--- a/elastalert_rules/sigma_win_applocker_file_was_not_allowed_to_run.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:("8004" OR "8007")
-index: wazuh-alerts-3.x-*
-name: sigma_win_applocker_file_was_not_allowed_to_run
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_apt29_thinktanks.yml b/elastalert_rules/sigma_win_apt_apt29_thinktanks.yml
deleted file mode 100644
index aa2837a7..00000000
--- a/elastalert_rules/sigma_win_apt_apt29_thinktanks.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\-noni\ \-ep\ bypass\ $*)
-index: wazuh-alerts-3.x-*
-name: 033fe7d6-66d1-4240-ac6b-28908009c71f_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_babyshark.yml b/elastalert_rules/sigma_win_apt_babyshark.yml
deleted file mode 100644
index 72191903..00000000
--- a/elastalert_rules/sigma_win_apt_babyshark.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects activity that could be related to Baby Shark malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(reg\ query\ \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal\ Server\ Client\\Default\" OR powershell.exe\ mshta.exe\ http* OR cmd.exe\ \/c\ taskkill\ \/im\ cmd.exe))
-index: wazuh-alerts-3.x-*
-name: 2b30fa36-3a18-402f-a22d-bf4ce2189f35_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_bear_activity_gtr19.yml b/elastalert_rules/sigma_win_apt_bear_activity_gtr19.yml
deleted file mode 100644
index 3d9a2cea2..00000000
--- a/elastalert_rules/sigma_win_apt_bear_activity_gtr19.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:*\\xcopy.exe AND data.win.eventdata.commandLine.keyword:*\ \/S\ \/E\ \/C\ \/Q\ \/H\ \\*) OR (data.win.eventdata.image.keyword:*\\adexplorer.exe AND data.win.eventdata.commandLine.keyword:*\ \-snapshot\ \"\"\ c\:\\users\\*)))
-index: wazuh-alerts-3.x-*
-name: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_bluemashroom.yml b/elastalert_rules/sigma_win_apt_bluemashroom.yml
deleted file mode 100644
index 3a971e92..00000000
--- a/elastalert_rules/sigma_win_apt_bluemashroom.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\\regsvr32*\\AppData\\Local\\* OR *\\AppData\\Local\\*,DllEntry*))
-index: wazuh-alerts-3.x-*
-name: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_carbonpaper_turla.yml b/elastalert_rules/sigma_win_apt_carbonpaper_turla.yml
deleted file mode 100644
index a61fec83..00000000
--- a/elastalert_rules/sigma_win_apt_carbonpaper_turla.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND data.win.eventdata.serviceName:("srservice" OR "ipvpn" OR "hkmsvc"))
-index: wazuh-alerts-3.x-*
-name: sigma_win_apt_carbonpaper_turla
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_chafer_mar18.yml b/elastalert_rules/sigma_win_apt_chafer_mar18.yml
deleted file mode 100644
index b593647e..00000000
--- a/elastalert_rules/sigma_win_apt_chafer_mar18.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-alert:
-- debug
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND data.win.eventdata.serviceName:("SC\ Scheduled\ Scan" OR "UpdatMachine"))
-index: wazuh-alerts-3.x-*
-name: 53ba33fd-3a50-4468-a5ef-c583635cfa92_0
-priority: 1
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4698" AND task_name:("SC\ Scheduled\ Scan" OR "UpdatMachine"))
-index: wazuh-alerts-3.x-*
-name: 53ba33fd-3a50-4468-a5ef-c583635cfa92-2_0
-priority: 1
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"13" AND data.win.eventdata.eventType:"SetValue" AND (data.win.eventdata.targetObject.keyword:(*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe OR *SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT) OR (data.win.eventdata.targetObject.keyword:*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential AND data.win.eventdata.details:"DWORD\ \(0x00000001\)")))
-index: wazuh-alerts-3.x-*
-name: 53ba33fd-3a50-4468-a5ef-c583635cfa92-3_0
-priority: 1
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:(*\\Service.exe\ i OR *\\Service.exe\ u OR *\\microsoft\\Taskbar\\autoit3.exe OR C\:\\wsc.exe*) OR data.win.eventdata.image.keyword:*\\Windows\\Temp\\DB\\*.exe OR (data.win.eventdata.commandLine.keyword:*\\nslookup.exe\ \-q\=TXT* AND data.win.eventdata.parentImage.keyword:*\\Autoit*)))
-index: wazuh-alerts-3.x-*
-name: 53ba33fd-3a50-4468-a5ef-c583635cfa92-4_0
-priority: 1
-realert:
- minutes: 0
-type: any
-
-
diff --git a/elastalert_rules/sigma_win_apt_cloudhopper.yml b/elastalert_rules/sigma_win_apt_cloudhopper.yml
deleted file mode 100644
index bba599c7..00000000
--- a/elastalert_rules/sigma_win_apt_cloudhopper.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious file execution by wscript and cscript
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\cscript.exe AND data.win.eventdata.commandLine.keyword:*.vbs\ \/shell\ *)
-index: wazuh-alerts-3.x-*
-name: 966e4016-627f-44f7-8341-f394905c361f_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_dragonfly.yml b/elastalert_rules/sigma_win_apt_dragonfly.yml
deleted file mode 100644
index ee26fb8d..00000000
--- a/elastalert_rules/sigma_win_apt_dragonfly.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects CrackMapExecWin Activity as Described by NCSC
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\crackmapexec.exe))
-index: wazuh-alerts-3.x-*
-name: 04d9079e-3905-4b70-ad37-6bdf11304965_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_elise.yml b/elastalert_rules/sigma_win_apt_elise.yml
deleted file mode 100644
index 20d77292..00000000
--- a/elastalert_rules/sigma_win_apt_elise.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Elise backdoor acitivty as used by APT32
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image:"C\:\\Windows\\SysWOW64\\cmd.exe" AND data.win.eventdata.commandLine.keyword:*\\Windows\\Caches\\NavShExt.dll\ *) OR data.win.eventdata.commandLine.keyword:*\\AppData\\Roaming\\MICROS\~1\\Windows\\Caches\\NavShExt.dll,Setting))
-index: wazuh-alerts-3.x-*
-name: e507feb7-5f73-4ef6-a970-91bb6f6d744f_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_emissarypanda_sep19.yml b/elastalert_rules/sigma_win_apt_emissarypanda_sep19.yml
deleted file mode 100644
index fc6789e9..00000000
--- a/elastalert_rules/sigma_win_apt_emissarypanda_sep19.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\sllauncher.exe AND data.win.eventdata.image.keyword:*\\svchost.exe)
-index: wazuh-alerts-3.x-*
-name: 9aa01d62-7667-4d3b-acb8-8cb5103e2014_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_empiremonkey.yml b/elastalert_rules/sigma_win_apt_empiremonkey.yml
deleted file mode 100644
index 7f5297d7..00000000
--- a/elastalert_rules/sigma_win_apt_empiremonkey.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects EmpireMonkey APT reported Activity
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\/i\:%APPDATA%\\logs.txt\ scrobj.dll) AND (data.win.eventdata.image.keyword:(*\\cutil.exe) OR data.win.eventdata.description:("Microsoft\(C\)\ Registerserver")))
-index: wazuh-alerts-3.x-*
-name: 10152a7b-b566-438f-a33c-390b607d1c8d_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_equationgroup_dll_u_load.yml b/elastalert_rules/sigma_win_apt_equationgroup_dll_u_load.yml
deleted file mode 100644
index ca0bf358..00000000
--- a/elastalert_rules/sigma_win_apt_equationgroup_dll_u_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a specific tool and export used by EquationGroup
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:*\\rundll32.exe AND data.win.eventdata.commandLine.keyword:*,dll_u) OR data.win.eventdata.commandLine.keyword:*\ \-export\ dll_u\ *))
-index: wazuh-alerts-3.x-*
-name: d465d1d8-27a2-4cca-9621-a800f37cf72e_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_evilnum_jul20.yml b/elastalert_rules/sigma_win_apt_evilnum_jul20.yml
deleted file mode 100644
index bdbf5fc1..00000000
--- a/elastalert_rules/sigma_win_apt_evilnum_jul20.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*regsvr32* AND data.win.eventdata.commandLine.keyword:*\ \/s\ \/i\ * AND data.win.eventdata.commandLine.keyword:*\\AppData\\Roaming\\* AND data.win.eventdata.commandLine.keyword:*.ocx*)
-index: wazuh-alerts-3.x-*
-name: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_gallium.yml b/elastalert_rules/sigma_win_apt_gallium.yml
deleted file mode 100644
index 18a437df..00000000
--- a/elastalert_rules/sigma_win_apt_gallium.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-alert:
-- debug
-description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND sha1:("53a44c2396d15c3a03723fa5e5db54cafd527635" OR "9c5e496921e3bc882dc40694f1dcc3746a75db19" OR "aeb573accfd95758550cf30bf04f389a92922844" OR "79ef78a797403a4ed1a616c68e07fff868a8650a" OR "4f6f38b4cec35e895d91c052b1f5a83d665c2196" OR "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" OR "e841a63e47361a572db9a7334af459ddca11347a" OR "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" OR "2e94b305d6812a9f96e6781c888e48c7fb157b6b" OR "dd44133716b8a241957b912fa6a02efde3ce3025" OR "8793bf166cb89eb55f0593404e4e933ab605e803" OR "a39b57032dbb2335499a51e13470a7cd5d86b138" OR "41cc2b15c662bc001c0eb92f6cc222934f0beeea" OR "d209430d6af54792371174e70e27dd11d3def7a7" OR "1c6452026c56efd2c94cea7e0f671eb55515edb0" OR "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" OR "4923d460e22fbbf165bbbaba168e5a46b8157d9f" OR "f201504bd96e81d0d350c3a8332593ee1c9e09de" OR "ddd2db1127632a2a52943a2fe516a2e7d05d70d2"))
-index: wazuh-alerts-3.x-*
-name: 440a56bf-7873-4439-940a-1c8a671073c2_0
-priority: 2
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"257" AND QNAME:("asyspy256.ddns.net" OR "hotkillmail9sddcc.ddns.net" OR "rosaf112.ddns.net" OR "cvdfhjh1231.myftp.biz" OR "sz2016rose.ddns.net" OR "dffwescwer4325.myftp.biz" OR "cvdfhjh1231.ddns.net"))
-index: wazuh-alerts-3.x-*
-name: 440a56bf-7873-4439-940a-1c8a671073c2-2_0
-priority: 2
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND sha1:("e570585edc69f9074cb5e8a790708336bd45ca0f") AND (NOT (data.win.eventdata.image.keyword:(*\:\\Program\ Files\(x86\)\\* OR *\:\\Program\ Files\\*))))
-index: wazuh-alerts-3.x-*
-name: 440a56bf-7873-4439-940a-1c8a671073c2-3_0
-priority: 2
-realert:
- minutes: 0
-type: any
-
-
diff --git a/elastalert_rules/sigma_win_apt_greenbug_may20.yml b/elastalert_rules/sigma_win_apt_greenbug_may20.yml
deleted file mode 100644
index 2344b7cb..00000000
--- a/elastalert_rules/sigma_win_apt_greenbug_may20.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects tools and process executions as observed in a Greenbug campaign in May 2020
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.commandLine.keyword:*bitsadmin\ \/transfer* AND data.win.eventdata.commandLine.keyword:*CSIDL_APPDATA*) OR data.win.eventdata.commandLine.keyword:(*CSIDL_SYSTEM_DRIVE*) OR data.win.eventdata.commandLine.keyword:(*\\msf.ps1* OR *8989\ \-e\ cmd.exe* OR *system.Data.SqlClient.SqlDataAdapter\($cmd\);\ \[void\]$da.fill* OR *\-nop\ \-w\ hidden\ \-c\ $k\=new\-object* OR *\[Net.CredentialCache\]\:\:DefaultCredentials;IEX\ * OR *\ \-nop\ \-w\ hidden\ \-c\ $m\=new\-object\ net.webclient;$m* OR *\-noninteractive\ \-executionpolicy\ bypass\ whoami* OR *\-noninteractive\ \-executionpolicy\ bypass\ netstat\ \-a* OR *L3NlcnZlc*) OR data.win.eventdata.image.keyword:(*\\adobe\\Adobe.exe OR *\\oracle\\local.exe OR *\\revshell.exe OR *infopagesbackup\\ncat.exe OR *CSIDL_SYSTEM\\cmd.exe OR *\\programdata\\oracle\\java.exe OR *CSIDL_COMMON_APPDATA\\comms\\comms.exe OR *\\Programdata\\VMware\\Vmware.exe)))
-index: wazuh-alerts-3.x-*
-name: 3711eee4-a808-4849-8a14-faf733da3612_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_hurricane_panda.yml b/elastalert_rules/sigma_win_apt_hurricane_panda.yml
deleted file mode 100644
index d371059b..00000000
--- a/elastalert_rules/sigma_win_apt_hurricane_panda.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Hurricane Panda Activity
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ localgroup\ administrators\ admin\ \/add OR *\\Win64.exe*))
-index: wazuh-alerts-3.x-*
-name: 0eb2107b-a596-422e-b123-b389d5594ed7_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_judgement_panda_gtr19.yml b/elastalert_rules/sigma_win_apt_judgement_panda_gtr19.yml
deleted file mode 100644
index 11738aac..00000000
--- a/elastalert_rules/sigma_win_apt_judgement_panda_gtr19.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:(*\\ldifde.exe\ \-f\ \-n\ * OR *\\7za.exe\ a\ 1.7z\ * OR *\ eprod.ldf OR *\\aaaa\\procdump64.exe* OR *\\aaaa\\netsess.exe* OR *\\aaaa\\7za.exe* OR *copy\ .\\1.7z\ \\* OR *copy\ \\client\\c$\\aaaa\\*) OR data.win.eventdata.image:"C\:\\Users\\Public\\7za.exe"))
-index: wazuh-alerts-3.x-*
-name: 03e2746e-2b31-42f1-ab7a-eb39365b2422_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_ke3chang_regadd.yml b/elastalert_rules/sigma_win_apt_ke3chang_regadd.yml
deleted file mode 100644
index 2c7ca92d..00000000
--- a/elastalert_rules/sigma_win_apt_ke3chang_regadd.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Registry modifcations performaed by Ke3chang malware in campaigns running in 2019 and 2020
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\-Property\ DWORD\ \-name\ DisableFirstRunCustomize\ \-value\ 2\ \-Force* OR *\-Property\ String\ \-name\ Check_Associations\ \-value* OR *\-Property\ DWORD\ \-name\ IEHarden\ \-value\ 0\ \-Force*))
-index: wazuh-alerts-3.x-*
-name: 7b544661-69fc-419f-9a59-82ccc328f205_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_lazarus_session_highjack.yml b/elastalert_rules/sigma_win_apt_lazarus_session_highjack.yml
deleted file mode 100644
index 03469a80..00000000
--- a/elastalert_rules/sigma_win_apt_lazarus_session_highjack.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\msdtc.exe OR *\\gpvc.exe) AND (NOT (data.win.eventdata.image.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\SysWOW64\\*))))
-index: wazuh-alerts-3.x-*
-name: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_mustangpanda.yml b/elastalert_rules/sigma_win_apt_mustangpanda.yml
deleted file mode 100644
index 01f171e4..00000000
--- a/elastalert_rules/sigma_win_apt_mustangpanda.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process parameters as used by Mustang Panda droppers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:(*Temp\\wtask.exe\ \/create* OR *%windir\:\~\-3,1%%PUBLIC\:\~\-9,1%* OR *\/E\:vbscript\ *\ C\:\\Users\\*.txt\"\ \/F OR *\/tn\ \"Security\ Script\ * OR *%windir\:\~\-1,1%*) OR data.win.eventdata.image.keyword:(*Temp\\winwsh.exe)))
-index: wazuh-alerts-3.x-*
-name: 2d87d610-d760-45ee-a7e6-7a6f2a65de00_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_slingshot1.yml b/elastalert_rules/sigma_win_apt_slingshot1.yml
deleted file mode 100644
index f29b3dfe..00000000
--- a/elastalert_rules/sigma_win_apt_slingshot1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\schtasks.exe AND data.win.eventdata.commandLine.keyword:(*\/delete* OR *\/change*) AND data.win.eventdata.commandLine.keyword:*\/TN* AND data.win.eventdata.commandLine.keyword:*\\Microsoft\\Windows\\Defrag\\ScheduledDefrag*)
-index: wazuh-alerts-3.x-*
-name: 958d81aa-8566-4cea-a565-59ccd4df27b0_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_slingshot2.yml b/elastalert_rules/sigma_win_apt_slingshot2.yml
deleted file mode 100644
index bb30d7d2..00000000
--- a/elastalert_rules/sigma_win_apt_slingshot2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4701" AND task_name:"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag")
-index: wazuh-alerts-3.x-*
-name: 958d81aa-8566-4cea-a565-59ccd4df27b0-2_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_sofacy.yml b/elastalert_rules/sigma_win_apt_sofacy.yml
deleted file mode 100644
index 6fb00138..00000000
--- a/elastalert_rules/sigma_win_apt_sofacy.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Trojan loader acitivty as used by APT28
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(rundll32.exe\ %APPDATA%\\*.dat\",* OR rundll32.exe\ %APPDATA%\\*.dll\",#1))
-index: wazuh-alerts-3.x-*
-name: ba778144-5e3d-40cf-8af9-e28fb1df1e20_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_stonedrill.yml b/elastalert_rules/sigma_win_apt_stonedrill.yml
deleted file mode 100644
index 4cd48655..00000000
--- a/elastalert_rules/sigma_win_apt_stonedrill.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND data.win.eventdata.serviceName:"NtsSrv" AND data.win.eventdata.imagePath.keyword:*\ LocalService)
-index: wazuh-alerts-3.x-*
-name: sigma_win_apt_stonedrill
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_ta17_293a_ps.yml b/elastalert_rules/sigma_win_apt_ta17_293a_ps.yml
deleted file mode 100644
index d90e4fd2..00000000
--- a/elastalert_rules/sigma_win_apt_ta17_293a_ps.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine:"ps.exe\ \-accepteula")
-index: wazuh-alerts-3.x-*
-name: 18da1007-3f26-470f-875d-f77faf1cab31_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_ta505_dropper.yml b/elastalert_rules/sigma_win_apt_ta505_dropper.yml
deleted file mode 100644
index 8f978a0e..00000000
--- a/elastalert_rules/sigma_win_apt_ta505_dropper.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\mshta.exe AND data.win.eventdata.parentImage.keyword:*\\wmiprvse.exe)
-index: wazuh-alerts-3.x-*
-name: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_taidoor.yml b/elastalert_rules/sigma_win_apt_taidoor.yml
deleted file mode 100644
index 79f5f711..00000000
--- a/elastalert_rules/sigma_win_apt_taidoor.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:(*dll,MyStart* OR *dll\ MyStart*) OR (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ MyStart) AND data.win.eventdata.commandLine.keyword:(*rundll32.exe*))))
-index: wazuh-alerts-3.x-*
-name: d1aa3382-abab-446f-96ea-4de52908210b_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_tropictrooper.yml b/elastalert_rules/sigma_win_apt_tropictrooper.yml
deleted file mode 100644
index 086bf42e..00000000
--- a/elastalert_rules/sigma_win_apt_tropictrooper.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*)
-index: wazuh-alerts-3.x-*
-name: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_turla_comrat_may20.yml b/elastalert_rules/sigma_win_apt_turla_comrat_may20.yml
deleted file mode 100644
index 61bad252..00000000
--- a/elastalert_rules/sigma_win_apt_turla_comrat_may20.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects commands used by Turla group as reported by ESET in May 2020
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:(*tracert\ \-h\ 10\ yahoo.com* OR *.WSqmCons\)\)|iex;* OR *Fr`omBa`se6`4Str`ing*) OR (data.win.eventdata.commandLine.keyword:*net\ use\ https\:\/\/docs.live.net* AND data.win.eventdata.commandLine.keyword:*@aol.co.uk*)))
-index: wazuh-alerts-3.x-*
-name: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_turla_service_png.yml b/elastalert_rules/sigma_win_apt_turla_service_png.yml
deleted file mode 100644
index d08d45e5..00000000
--- a/elastalert_rules/sigma_win_apt_turla_service_png.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND data.win.eventdata.serviceName:"WerFaultSvc")
-index: wazuh-alerts-3.x-*
-name: sigma_win_apt_turla_service_png
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_unidentified_nov_181.yml b/elastalert_rules/sigma_win_apt_unidentified_nov_181.yml
deleted file mode 100644
index de689583..00000000
--- a/elastalert_rules/sigma_win_apt_unidentified_nov_181.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*cyzfc.dat,\ PointFunctionCall)
-index: wazuh-alerts-3.x-*
-name: 7453575c-a747-40b9-839b-125a0aae324b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_unidentified_nov_182.yml b/elastalert_rules/sigma_win_apt_unidentified_nov_182.yml
deleted file mode 100644
index 53b7339b..00000000
--- a/elastalert_rules/sigma_win_apt_unidentified_nov_182.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"11" AND data.win.eventdata.targetFilename.keyword:(*ds7002.lnk*))
-index: wazuh-alerts-3.x-*
-name: 7453575c-a747-40b9-839b-125a0aae324b-2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_winnti_mal_hk_jan20.yml b/elastalert_rules/sigma_win_apt_winnti_mal_hk_jan20.yml
deleted file mode 100644
index 153f17ff..00000000
--- a/elastalert_rules/sigma_win_apt_winnti_mal_hk_jan20.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.parentImage.keyword:(*C\:\\Windows\\Temp* OR *\\hpqhvind.exe*) AND data.win.eventdata.image.keyword:C\:\\ProgramData\\DRM*) OR (data.win.eventdata.parentImage.keyword:C\:\\ProgramData\\DRM* AND data.win.eventdata.image.keyword:*\\wmplayer.exe) OR (data.win.eventdata.parentImage.keyword:*\\Test.exe AND data.win.eventdata.image.keyword:*\\wmplayer.exe) OR data.win.eventdata.image:"C\:\\ProgramData\\DRM\\CLR\\CLR.exe" OR (data.win.eventdata.parentImage.keyword:C\:\\ProgramData\\DRM\\Windows* AND data.win.eventdata.image.keyword:*\\SearchFilterHost.exe)))
-index: wazuh-alerts-3.x-*
-name: 3121461b-5aa0-4a41-b910-66d25524edbb_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_winnti_pipemon.yml b/elastalert_rules/sigma_win_apt_winnti_pipemon.yml
deleted file mode 100644
index 6d520e27..00000000
--- a/elastalert_rules/sigma_win_apt_winnti_pipemon.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:(*setup0.exe\ \-p*) OR data.win.eventdata.commandLine.keyword:(*setup.exe\ \-x\:0 OR *setup.exe\ \-x\:1 OR *setup.exe\ \-x\:2)))
-index: wazuh-alerts-3.x-*
-name: 73d70463-75c9-4258-92c6-17500fe972f2_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_wocao1.yml b/elastalert_rules/sigma_win_apt_wocao1.yml
deleted file mode 100644
index 4a20cc71..00000000
--- a/elastalert_rules/sigma_win_apt_wocao1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects activity mentioned in Operation Wocao report
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4799" AND group_name:"Administrators" AND data.win.eventdata.processName.keyword:*\\checkadmin.exe)
-index: wazuh-alerts-3.x-*
-name: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_wocao2.yml b/elastalert_rules/sigma_win_apt_wocao2.yml
deleted file mode 100644
index 0c4e1dbe..00000000
--- a/elastalert_rules/sigma_win_apt_wocao2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects activity mentioned in Operation Wocao report
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*checkadmin.exe\ 127.0.0.1\ \-all* OR *netsh\ advfirewall\ firewall\ add\ rule\ name\=powershell\ dir\=in* OR *cmd\ \/c\ powershell.exe\ \-ep\ bypass\ \-file\ c\:\\s.ps1* OR *\/tn\ win32times\ \/f* OR *create\ win32times\ binPath\=* OR *\\c$\\windows\\system32\\devmgr.dll* OR *\ \-exec\ bypass\ \-enc\ JgAg* OR *type\ *keepass\\KeePass.config.xml* OR *iie.exe\ iie.txt* OR *reg\ query\ HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\*))
-index: wazuh-alerts-3.x-*
-name: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d-2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_apt_zxshell.yml b/elastalert_rules/sigma_win_apt_zxshell.yml
deleted file mode 100644
index 2e912a4b..00000000
--- a/elastalert_rules/sigma_win_apt_zxshell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a ZxShell start by the called and well-known function name
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*rundll32.exe\ *,zxFunction* OR *rundll32.exe\ *,RemoteDiskXXXXX*))
-index: wazuh-alerts-3.x-*
-name: f0b70adb-0075-43b0-9745-e82a1c608fcc_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_atsvc_task.yml b/elastalert_rules/sigma_win_atsvc_task.yml
deleted file mode 100644
index f84e4b71..00000000
--- a/elastalert_rules/sigma_win_atsvc_task.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5145" AND data.win.eventdata.shareName.keyword:\\*\\IPC$ AND data.win.eventdata.relativeTargetName:"atsvc" AND Accesses.keyword:*WriteData*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_atsvc_task
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_attrib_hiding_files.yml b/elastalert_rules/sigma_win_attrib_hiding_files.yml
deleted file mode 100644
index a02266a3..00000000
--- a/elastalert_rules/sigma_win_attrib_hiding_files.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects usage of attrib.exe to hide files from users.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\attrib.exe AND data.win.eventdata.commandLine.keyword:*\ \+h\ *) AND (NOT ((data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:*\\desktop.ini\ * OR (data.win.eventdata.parentImage.keyword:*\\cmd.exe AND data.win.eventdata.commandLine.keyword:\+R\ \+H\ \+S\ \+A\ \\*.cui AND data.win.eventdata.parentCommandLine.keyword:C\:\\WINDOWS\\system32\\*.bat))))))
-index: wazuh-alerts-3.x-*
-name: 4281cb20-2994-4580-aa63-c8b86d019934_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_audit_cve.yml b/elastalert_rules/sigma_win_audit_cve.yml
deleted file mode 100644
index e975376a..00000000
--- a/elastalert_rules/sigma_win_audit_cve.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
-filter:
-- query:
- query_string:
- query: data.win.eventdata.source Name:"Microsoft\-Windows\-Audit\-CVE"
-index: wazuh-alerts-3.x-*
-name: sigma_win_audit_cve
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_av_relevant_match.yml b/elastalert_rules/sigma_win_av_relevant_match.yml
deleted file mode 100644
index 1458fc34..00000000
--- a/elastalert_rules/sigma_win_av_relevant_match.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This detection method points out highly relevant Antivirus events
-filter:
-- query:
- query_string:
- query: (data.win.system.message.keyword:(*HTool* OR *Hacktool* OR *ASP\/Backdoor* OR *JSP\/Backdoor* OR *PHP\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (data.win.system.message.keyword:(*Keygen* OR *Crack*))))
-index: wazuh-alerts-3.x-*
-name: sigma_win_av_relevant_match
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_bootconf_mod.yml b/elastalert_rules/sigma_win_bootconf_mod.yml
deleted file mode 100644
index 35d16538..00000000
--- a/elastalert_rules/sigma_win_bootconf_mod.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\bcdedit.exe AND data.win.eventdata.commandLine.keyword:*set*) AND ((data.win.eventdata.commandLine.keyword:*bootstatuspolicy* AND data.win.eventdata.commandLine.keyword:*ignoreallfailures*) OR (data.win.eventdata.commandLine.keyword:*recoveryenabled* AND data.win.eventdata.commandLine.keyword:*no*)))
-index: wazuh-alerts-3.x-*
-name: 1444443e-6757-43e4-9ea4-c8fc705f79a2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_bypass_squiblytwo.yml b/elastalert_rules/sigma_win_bypass_squiblytwo.yml
deleted file mode 100644
index d25f157c..00000000
--- a/elastalert_rules/sigma_win_bypass_squiblytwo.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:(*\\wmic.exe) AND data.win.eventdata.commandLine.keyword:(wmic\ *\ *format\:\\\"http* OR wmic\ *\ \/format\:'http OR wmic\ *\ \/format\:http*)) OR (hash_imphash:("1b1a3f43bf37b5bfe60751f2ee2f326e" OR "1B1A3F43BF37B5BFE60751F2EE2F326E" OR "37777a96245a3c74eb217308f3546f4c" OR "37777A96245A3C74EB217308F3546F4C" OR "9d87c9d67ce724033c0b40cc4ca1b206" OR "9D87C9D67CE724033C0B40CC4CA1B206") AND data.win.eventdata.commandLine.keyword:(*\ *format\:\\\"http* OR *\ \/format\:'http OR *\ \/format\:http*))))
-index: wazuh-alerts-3.x-*
-name: 8d63dadf-b91b-4187-87b6-34a1114577ea_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_change_default_file_association.yml b/elastalert_rules/sigma_win_change_default_file_association.yml
deleted file mode 100644
index 5b632fdb..00000000
--- a/elastalert_rules/sigma_win_change_default_file_association.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*cmd* AND data.win.eventdata.commandLine.keyword:*\/c* AND data.win.eventdata.commandLine.keyword:*assoc*)
-index: wazuh-alerts-3.x-*
-name: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_cmdkey_recon.yml b/elastalert_rules/sigma_win_cmdkey_recon.yml
deleted file mode 100644
index f907e4ef..00000000
--- a/elastalert_rules/sigma_win_cmdkey_recon.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects usage of cmdkey to look for cached credentials
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\cmdkey.exe AND data.win.eventdata.commandLine.keyword:*\ \/list\ *)
-index: wazuh-alerts-3.x-*
-name: 07f8bdc2-c9b3-472a-9817-5a670b872f53_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_cmstp_com_object_access.yml b/elastalert_rules/sigma_win_cmstp_com_object_access.yml
deleted file mode 100644
index e56668b8..00000000
--- a/elastalert_rules/sigma_win_cmstp_com_object_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentCommandLine.keyword:*\\DllHost.exe\ * AND data.win.eventdata.parentCommandLine.keyword:(*\{3E5FC7F9\-9A51\-4367\-9063\-A120244FBEC7\} OR *\{3E000D72\-A845\-4CD9\-BD83\-80C07C3B881F\}))
-index: wazuh-alerts-3.x-*
-name: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_commandline_path_traversal.yml b/elastalert_rules/sigma_win_commandline_path_traversal.yml
deleted file mode 100644
index 2fa7549e..00000000
--- a/elastalert_rules/sigma_win_commandline_path_traversal.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentCommandLine.keyword:*cmd*\/c* AND data.win.eventdata.commandLine.keyword:*\/..\/..\/*)
-index: wazuh-alerts-3.x-*
-name: 087790e3-3287-436c-bccf-cbd0184a7db1_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_control_panel_item.yml b/elastalert_rules/sigma_win_control_panel_item.yml
deleted file mode 100644
index b83a4f03..00000000
--- a/elastalert_rules/sigma_win_control_panel_item.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the malicious use of a control panel item
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.commandLine.keyword:*.cpl AND (NOT (data.win.eventdata.commandLine.keyword:(*\\System32\\* OR *%System%*)))) OR (data.win.eventdata.commandLine.keyword:(*reg\ add*) AND data.win.eventdata.commandLine.keyword:(*CurrentVersion\\Control\ Panel\\CPLs*))))
-index: wazuh-alerts-3.x-*
-name: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_copying_sensitive_files_with_credential_data.yml b/elastalert_rules/sigma_win_copying_sensitive_files_with_credential_data.yml
deleted file mode 100644
index f97e0a66..00000000
--- a/elastalert_rules/sigma_win_copying_sensitive_files_with_credential_data.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Files with well-known filenames (sensitive files with credential data) copying
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:*\\esentutl.exe AND data.win.eventdata.commandLine.keyword:(*vss* OR *\ \/m\ * OR *\ \/y\ *)) OR data.win.eventdata.commandLine.keyword:(*\\windows\\ntds\\ntds.dit* OR *\\config\\sam* OR *\\config\\security* OR *\\config\\system\ * OR *\\repair\\sam* OR *\\repair\\system* OR *\\repair\\security* OR *\\config\\RegBack\\sam* OR *\\config\\RegBack\\system* OR *\\config\\RegBack\\security*)))
-index: wazuh-alerts-3.x-*
-name: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_crime_fireball.yml b/elastalert_rules/sigma_win_crime_fireball.yml
deleted file mode 100644
index 9179483a..00000000
--- a/elastalert_rules/sigma_win_crime_fireball.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Archer malware invocation via rundll32
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\\rundll32.exe\ *,InstallArcherSvc)
-index: wazuh-alerts-3.x-*
-name: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_crime_maze_ransomware.yml b/elastalert_rules/sigma_win_crime_maze_ransomware.yml
deleted file mode 100644
index 41f9857e..00000000
--- a/elastalert_rules/sigma_win_crime_maze_ransomware.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process characteristics of Maze ransomware word document droppers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.parentImage.keyword:(*\\WINWORD.exe) AND data.win.eventdata.image.keyword:(*.tmp)) OR (data.win.eventdata.image.keyword:*\\wmic.exe AND data.win.eventdata.parentImage.keyword:*\\Temp\\* AND data.win.eventdata.commandLine.keyword:*shadowcopy\ delete) OR (data.win.eventdata.commandLine.keyword:*shadowcopy\ delete AND data.win.eventdata.commandLine.keyword:*\\..\\..\\system32*)))
-index: wazuh-alerts-3.x-*
-name: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_crime_snatch_ransomware.yml b/elastalert_rules/sigma_win_crime_snatch_ransomware.yml
deleted file mode 100644
index 327ebe79..00000000
--- a/elastalert_rules/sigma_win_crime_snatch_ransomware.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process characteristics of Snatch ransomware word document droppers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*shutdown\ \/r\ \/f\ \/t\ 00* OR *net\ stop\ SuperBackupMan*))
-index: wazuh-alerts-3.x-*
-name: 5325945e-f1f0-406e-97b8-65104d393fff_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_data_compressed_with_rar.yml b/elastalert_rules/sigma_win_data_compressed_with_rar.yml
deleted file mode 100644
index eef17800..00000000
--- a/elastalert_rules/sigma_win_data_compressed_with_rar.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\rar.exe AND data.win.eventdata.commandLine.keyword:*\ a\ *)
-index: wazuh-alerts-3.x-*
-name: 6f3e2987-db24-4c78-a860-b4f4095a7095_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_dcsync.yml b/elastalert_rules/sigma_win_dcsync.yml
deleted file mode 100644
index 879cd81f..00000000
--- a/elastalert_rules/sigma_win_dcsync.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Mimikatz DC sync security events
-filter:
-- query:
- query_string:
- query: (((data.win.system.eventID:"4662" AND data.win.eventdata.properties.keyword:(*Replicating\ Directory\ Changes\ All* OR *1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:"Window\ Manager"))) AND (NOT (SubjectUserName.keyword:(NT\ AUTHORITY* OR *$ OR MSOL_*))))
-index: wazuh-alerts-3.x-*
-name: sigma_win_dcsync
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_defender_amsi_trigger.yml b/elastalert_rules/sigma_win_defender_amsi_trigger.yml
deleted file mode 100644
index 79e8c62a..00000000
--- a/elastalert_rules/sigma_win_defender_amsi_trigger.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects triggering of AMSI by Windows Defender.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1116" AND DetectionSource:"AMSI")
-index: wazuh-alerts-3.x-*
-name: sigma_win_defender_amsi_trigger
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_defender_bypass.yml b/elastalert_rules/sigma_win_defender_bypass.yml
deleted file mode 100644
index 623101ed..00000000
--- a/elastalert_rules/sigma_win_defender_bypass.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("4657" OR "4656" OR "4660" OR "4663") AND data.win.eventdata.objectName.keyword:*\\Microsoft\\Windows\ Defender\\Exclusions\\*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_defender_bypass
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_defender_disabled.yml b/elastalert_rules/sigma_win_defender_disabled.yml
deleted file mode 100644
index b521040c..00000000
--- a/elastalert_rules/sigma_win_defender_disabled.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects disabling Windows Defender threat protection
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("5001" OR "5010" OR "5012" OR "5101") OR (data.win.eventdata.targetObject:("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" OR "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\ Defender" OR "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\ Defender") AND Details:"DWORD\ \(0x00000001\)"))
-index: wazuh-alerts-3.x-*
-name: sigma_win_defender_disabled
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_defender_history_delete.yml b/elastalert_rules/sigma_win_defender_history_delete.yml
deleted file mode 100644
index d74d1b08..00000000
--- a/elastalert_rules/sigma_win_defender_history_delete.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1013" AND data.win.eventdata.eventType:"4")
-index: wazuh-alerts-3.x-*
-name: sigma_win_defender_history_delete
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_defender_psexec_wmi_asr.yml b/elastalert_rules/sigma_win_defender_psexec_wmi_asr.yml
deleted file mode 100644
index 634a8381..00000000
--- a/elastalert_rules/sigma_win_defender_psexec_wmi_asr.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects blocking of process creations originating from PSExec and WMI commands
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1121" AND data.win.eventdata.processName.keyword:(*\\wmiprvse.exe OR *\\psexesvc.exe))
-index: wazuh-alerts-3.x-*
-name: sigma_win_defender_psexec_wmi_asr
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_defender_threat.yml b/elastalert_rules/sigma_win_defender_threat.yml
deleted file mode 100644
index 2db6934a..00000000
--- a/elastalert_rules/sigma_win_defender_threat.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects all actions taken by Windows Defender malware detection engines
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:("1006" OR "1116" OR "1015" OR "1117")
-index: wazuh-alerts-3.x-*
-name: sigma_win_defender_threat
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_disable_event_logging.yml b/elastalert_rules/sigma_win_disable_event_logging.yml
deleted file mode 100644
index 9f8bf2a3..00000000
--- a/elastalert_rules/sigma_win_disable_event_logging.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4719" AND policy_changes:"removed")
-index: wazuh-alerts-3.x-*
-name: sigma_win_disable_event_logging
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_dns_exfiltration_tools_execution.yml b/elastalert_rules/sigma_win_dns_exfiltration_tools_execution.yml
deleted file mode 100644
index 34b5fa48..00000000
--- a/elastalert_rules/sigma_win_dns_exfiltration_tools_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Well-known DNS Exfiltration tools execution
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\iodine.exe OR data.win.eventdata.image.keyword:*\\dnscat2*))
-index: wazuh-alerts-3.x-*
-name: 98a96a5a-64a0-4c42-92c5-489da3866cb0_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_dnscat2_powershell_implementation.yml b/elastalert_rules/sigma_win_dnscat2_powershell_implementation.yml
deleted file mode 100644
index ebe9f3ec..00000000
--- a/elastalert_rules/sigma_win_dnscat2_powershell_implementation.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- minutes: 30
-description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
-doc_type: doc
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\powershell.exe AND data.win.eventdata.image.keyword:*\\nslookup.exe AND data.win.eventdata.commandLine.keyword:*\\nslookup.exe)
-index: wazuh-alerts-3.x-*
-max_threshold: 100
-metric_agg_key: data.win.eventdata.image.keyword
-metric_agg_type: cardinality
-name: b11d75d6-d7c1-11ea-87d0-0242ac130003_0
-priority: 2
-query_key: data.win.eventdata.parentImage.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_win_dpapi_domain_backupkey_extraction.yml b/elastalert_rules/sigma_win_dpapi_domain_backupkey_extraction.yml
deleted file mode 100644
index 45b71372..00000000
--- a/elastalert_rules/sigma_win_dpapi_domain_backupkey_extraction.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4662" AND data.win.eventdata.objectType:"SecretObject" AND data.win.eventdata.accessMask:"0x2" AND data.win.eventdata.objectName:"BCKUPKEY")
-index: wazuh-alerts-3.x-*
-name: sigma_win_dpapi_domain_backupkey_extraction
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_dpapi_domain_masterkey_backup_attempt.yml b/elastalert_rules/sigma_win_dpapi_domain_masterkey_backup_attempt.yml
deleted file mode 100644
index 1f28f4f1..00000000
--- a/elastalert_rules/sigma_win_dpapi_domain_masterkey_backup_attempt.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:"4692"
-index: wazuh-alerts-3.x-*
-name: sigma_win_dpapi_domain_masterkey_backup_attempt
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_dsquery_domain_trust_discovery.yml b/elastalert_rules/sigma_win_dsquery_domain_trust_discovery.yml
deleted file mode 100644
index bb558311..00000000
--- a/elastalert_rules/sigma_win_dsquery_domain_trust_discovery.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a discovery of domain trusts
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:*\\dsquery.exe AND data.win.eventdata.commandLine.keyword:*\-filter* AND data.win.eventdata.commandLine.keyword:*trustedDomain*) OR (data.win.eventdata.image.keyword:*\\nltest.exe AND data.win.eventdata.commandLine.keyword:*domain_trusts*)))
-index: wazuh-alerts-3.x-*
-name: 77815820-246c-47b8-9741-e0def3f57308_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_encoded_frombase64string.yml b/elastalert_rules/sigma_win_encoded_frombase64string.yml
deleted file mode 100644
index 5580faae..00000000
--- a/elastalert_rules/sigma_win_encoded_frombase64string.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a base64 encoded FromBase64String keyword in a process command line
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*))
-index: wazuh-alerts-3.x-*
-name: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_encoded_iex.yml b/elastalert_rules/sigma_win_encoded_iex.yml
deleted file mode 100644
index 80323b1f..00000000
--- a/elastalert_rules/sigma_win_encoded_iex.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a base64 encoded IEX command string in a process command line
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*))
-index: wazuh-alerts-3.x-*
-name: 88f680b8-070e-402c-ae11-d2914f2257f1_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_etw_modification.yml b/elastalert_rules/sigma_win_etw_modification.yml
deleted file mode 100644
index 36c7412f..00000000
--- a/elastalert_rules/sigma_win_etw_modification.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4657" AND data.win.eventdata.objectName.keyword:*\\SOFTWARE\\Microsoft\\.NETFramework AND object_value_name:"ETWEnabled" AND NewValue:"0")
-index: wazuh-alerts-3.x-*
-name: sigma_win_etw_modification
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_etw_modification_cmdline.yml b/elastalert_rules/sigma_win_etw_modification_cmdline.yml
deleted file mode 100644
index f65abe94..00000000
--- a/elastalert_rules/sigma_win_etw_modification_cmdline.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*COMPlus_ETWEnabled\=0*)
-index: wazuh-alerts-3.x-*
-name: 41421f44-58f9-455d-838a-c398859841d4_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_etw_trace_evasion.yml b/elastalert_rules/sigma_win_etw_trace_evasion.yml
deleted file mode 100644
index a3fb09a3..00000000
--- a/elastalert_rules/sigma_win_etw_trace_evasion.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:*\ cl\ *\/Trace* OR data.win.eventdata.commandLine.keyword:*\ clear\-log\ *\/Trace* OR data.win.eventdata.commandLine.keyword:*\ sl*\ \/e\:false* OR data.win.eventdata.commandLine.keyword:*\ set\-log*\ \/e\:false*))
-index: wazuh-alerts-3.x-*
-name: a238b5d0-ce2d-4414-a676-7a531b3d13d6_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_exfiltration_and_tunneling_tools_execution.yml b/elastalert_rules/sigma_win_exfiltration_and_tunneling_tools_execution.yml
deleted file mode 100644
index 19244248..00000000
--- a/elastalert_rules/sigma_win_exfiltration_and_tunneling_tools_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Execution of well known tools for data exfiltration and tunneling
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\plink.exe OR *\\socat.exe OR *\\stunnel.exe OR *\\httptunnel.exe))
-index: wazuh-alerts-3.x-*
-name: c75309a3-59f8-4a8d-9c2c-4c927ad50555_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_exploit_cve_2015_1641.yml b/elastalert_rules/sigma_win_exploit_cve_2015_1641.yml
deleted file mode 100644
index 0f525a96..00000000
--- a/elastalert_rules/sigma_win_exploit_cve_2015_1641.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\WINWORD.EXE AND data.win.eventdata.image.keyword:*\\MicroScMgmt.exe)
-index: wazuh-alerts-3.x-*
-name: 7993792c-5ce2-4475-a3db-a3a5539827ef_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_exploit_cve_2017_0261.yml b/elastalert_rules/sigma_win_exploit_cve_2017_0261.yml
deleted file mode 100644
index 86358e5e..00000000
--- a/elastalert_rules/sigma_win_exploit_cve_2017_0261.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\WINWORD.EXE AND data.win.eventdata.image.keyword:*\\FLTLDR.exe*)
-index: wazuh-alerts-3.x-*
-name: 864403a1-36c9-40a2-a982-4c9a45f7d833_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_exploit_cve_2017_11882.yml b/elastalert_rules/sigma_win_exploit_cve_2017_11882.yml
deleted file mode 100644
index eddcbba6..00000000
--- a/elastalert_rules/sigma_win_exploit_cve_2017_11882.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\EQNEDT32.EXE)
-index: wazuh-alerts-3.x-*
-name: 678eb5f4-8597-4be6-8be7-905e4234b53a_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_exploit_cve_2017_8759.yml b/elastalert_rules/sigma_win_exploit_cve_2017_8759.yml
deleted file mode 100644
index ca136b86..00000000
--- a/elastalert_rules/sigma_win_exploit_cve_2017_8759.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\WINWORD.EXE AND data.win.eventdata.image.keyword:*\\csc.exe)
-index: wazuh-alerts-3.x-*
-name: fdd84c68-a1f6-47c9-9477-920584f94905_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_exploit_cve_2019_1378.yml b/elastalert_rules/sigma_win_exploit_cve_2019_1378.yml
deleted file mode 100644
index 8b181781..00000000
--- a/elastalert_rules/sigma_win_exploit_cve_2019_1378.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentCommandLine.keyword:(*\\cmd.exe\ \/c\ C\:\\Windows\\Setup\\Scripts\\SetupComplete.cmd OR *\\cmd.exe\ \/c\ C\:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd) AND (NOT (data.win.eventdata.image.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\WinSxS\\* OR C\:\\Windows\\Setup\\*))))
-index: wazuh-alerts-3.x-*
-name: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_exploit_cve_2019_1388.yml b/elastalert_rules/sigma_win_exploit_cve_2019_1388.yml
deleted file mode 100644
index 0e0d5400..00000000
--- a/elastalert_rules/sigma_win_exploit_cve_2019_1388.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\consent.exe AND data.win.eventdata.image.keyword:*\\iexplore.exe AND data.win.eventdata.commandLine.keyword:*\ http* AND (IntegrityLevel:"System" OR user_account:"NT\ AUTHORITY\\SYSTEM"))
-index: wazuh-alerts-3.x-*
-name: 02e0b2ea-a597-428e-b04a-af6a1a403e5c_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_exploit_cve_2020_10189.yml b/elastalert_rules/sigma_win_exploit_cve_2020_10189.yml
deleted file mode 100644
index ed214274..00000000
--- a/elastalert_rules/sigma_win_exploit_cve_2020_10189.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*DesktopCentral_Server\\jre\\bin\\java.exe AND data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\bitsadmin.exe))
-index: wazuh-alerts-3.x-*
-name: 846b866e-2a57-46ee-8e16-85fa92759be7_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_exploit_cve_2020_1048.yml b/elastalert_rules/sigma_win_exploit_cve_2020_1048.yml
deleted file mode 100644
index 26c2b621..00000000
--- a/elastalert_rules/sigma_win_exploit_cve_2020_1048.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects new commands that add new printer port which point to suspicious file
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*Add\-PrinterPort\ \-Name*) AND data.win.eventdata.commandLine.keyword:(*.exe* OR *.dll* OR *.bat*)) OR data.win.eventdata.commandLine.keyword:(*Generic\ \/\ Text\ Only*)))
-index: wazuh-alerts-3.x-*
-name: cc08d590-8b90-413a-aff6-31d1a99678d7_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_exploit_cve_2020_1350.yml b/elastalert_rules/sigma_win_exploit_cve_2020_1350.yml
deleted file mode 100644
index c2a72b11..00000000
--- a/elastalert_rules/sigma_win_exploit_cve_2020_1350.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\System32\\dns.exe AND (NOT (data.win.eventdata.image.keyword:(*\\System32\\werfault.exe OR *\\System32\\conhost.exe OR *\\System32\\dnscmd.exe))))
-index: wazuh-alerts-3.x-*
-name: b5281f31-f9cc-4d0d-95d0-45b91c45b487_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_external_device.yml b/elastalert_rules/sigma_win_external_device.yml
deleted file mode 100644
index 5647500b..00000000
--- a/elastalert_rules/sigma_win_external_device.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects external diskdrives or plugged in USB devices
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:("6416") AND DeviceClassName:"DiskDrive") OR DeviceDescription:"USB\ Mass\ Storage\ Device")
-index: wazuh-alerts-3.x-*
-name: sigma_win_external_device
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_file_permission_modifications.yml b/elastalert_rules/sigma_win_file_permission_modifications.yml
deleted file mode 100644
index ee2c86f0..00000000
--- a/elastalert_rules/sigma_win_file_permission_modifications.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a file or folder permissions modifications
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:(*\\takeown.exe OR *\\cacls.exe OR *\\icacls.exe) AND data.win.eventdata.commandLine.keyword:*\/grant*) OR (data.win.eventdata.image.keyword:*\\attrib.exe AND data.win.eventdata.commandLine.keyword:*\-r*)))
-index: wazuh-alerts-3.x-*
-name: 37ae075c-271b-459b-8d7b-55ad5f993dd8_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_global_catalog_enumeration.yml b/elastalert_rules/sigma_win_global_catalog_enumeration.yml
deleted file mode 100644
index 5b97c64b..00000000
--- a/elastalert_rules/sigma_win_global_catalog_enumeration.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- hours: 1
-description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width.
-doc_type: doc
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5156" AND data.win.eventdata.destinationPort:("3268" OR "3269"))
-index: wazuh-alerts-3.x-*
-max_threshold: 2000
-metric_agg_key: _id
-metric_agg_type: cardinality
-name: sigma_win_global_catalog_enumeration
-priority: 3
-query_key: src_ip_addr.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_win_grabbing_sensitive_hives_via_reg.yml b/elastalert_rules/sigma_win_grabbing_sensitive_hives_via_reg.yml
deleted file mode 100644
index cfd4bb9d..00000000
--- a/elastalert_rules/sigma_win_grabbing_sensitive_hives_via_reg.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Dump sam, system or security hives using REG.exe utility
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\reg.exe AND data.win.eventdata.commandLine.keyword:(*save* OR *export*) AND data.win.eventdata.commandLine.keyword:(*hklm* OR *hkey_local_machine*) AND data.win.eventdata.commandLine.keyword:(*\\system OR *\\sam OR *\\security))
-index: wazuh-alerts-3.x-*
-name: fd877b94-9bb5-4191-bb25-d79cbd93c167_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_hack_bloodhound.yml b/elastalert_rules/sigma_win_hack_bloodhound.yml
deleted file mode 100644
index 7a064887..00000000
--- a/elastalert_rules/sigma_win_hack_bloodhound.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects command line parameters used by Bloodhound and Sharphound hack tools
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:(*\\Bloodhound.exe* OR *\\SharpHound.exe*) OR data.win.eventdata.commandLine.keyword:(*\ \-CollectionMethod\ All\ * OR *.exe\ \-c\ All\ \-d\ * OR *Invoke\-Bloodhound* OR *Get\-BloodHoundData*) OR (data.win.eventdata.commandLine.keyword:*\ \-JsonFolder\ * AND data.win.eventdata.commandLine.keyword:*\ \-ZipFileName\ *) OR (data.win.eventdata.commandLine.keyword:*\ DCOnly\ * AND data.win.eventdata.commandLine.keyword:*\ \-\-NoSaveCache\ *)))
-index: wazuh-alerts-3.x-*
-name: f376c8a7-a2d0-4ddc-aa0c-16c17236d962_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_hack_koadic.yml b/elastalert_rules/sigma_win_hack_koadic.yml
deleted file mode 100644
index f63b77b5..00000000
--- a/elastalert_rules/sigma_win_hack_koadic.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects command line parameters used by Koadic hack tool
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*cmd.exe*\ \/q\ \/c\ chcp\ *))
-index: wazuh-alerts-3.x-*
-name: 5cddf373-ef00-4112-ad72-960ac29bac34_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_hack_rubeus.yml b/elastalert_rules/sigma_win_hack_rubeus.yml
deleted file mode 100644
index c63e2830..00000000
--- a/elastalert_rules/sigma_win_hack_rubeus.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects command line parameters used by Rubeus hack tool
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ asreproast\ * OR *\ dump\ \/service\:krbtgt\ * OR *\ kerberoast\ * OR *\ createnetonly\ \/program\:* OR *\ ptt\ \/ticket\:* OR *\ \/impersonateuser\:* OR *\ renew\ \/ticket\:* OR *\ asktgt\ \/user\:* OR *\ harvest\ \/interval\:*))
-index: wazuh-alerts-3.x-*
-name: 7ec2c172-dceb-4c10-92c9-87c1881b7e18_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_hack_secutyxploded.yml b/elastalert_rules/sigma_win_hack_secutyxploded.yml
deleted file mode 100644
index 5a8116e8..00000000
--- a/elastalert_rules/sigma_win_hack_secutyxploded.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of SecurityXploded Tools
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.company:"SecurityXploded" OR data.win.eventdata.image.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe))
-index: wazuh-alerts-3.x-*
-name: 7679d464-4f74-45e2-9e01-ac66c5eb041a_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_hack_smbexec.yml b/elastalert_rules/sigma_win_hack_smbexec.yml
deleted file mode 100644
index 6b8cfcf5..00000000
--- a/elastalert_rules/sigma_win_hack_smbexec.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of smbexec.py tool by detecting a specific service installation
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND data.win.eventdata.serviceName:"BTOBTO" AND data.win.eventdata.imagePath.keyword:*\\execute.bat)
-index: wazuh-alerts-3.x-*
-name: sigma_win_hack_smbexec
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_hh_chm.yml b/elastalert_rules/sigma_win_hh_chm.yml
deleted file mode 100644
index 66e8c64e..00000000
--- a/elastalert_rules/sigma_win_hh_chm.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies usage of hh.exe executing recently modified .chm files.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\hh.exe AND data.win.eventdata.commandLine.keyword:*.chm*)
-index: wazuh-alerts-3.x-*
-name: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_hktl_createminidump1.yml b/elastalert_rules/sigma_win_hktl_createminidump1.yml
deleted file mode 100644
index d701a564..00000000
--- a/elastalert_rules/sigma_win_hktl_createminidump1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\CreateMiniDump.exe* OR hash_imphash:("4A07F944A83E8A7C2525EFA35DD30E2F" OR "4a07f944a83e8a7c2525efa35dd30e2f")))
-index: wazuh-alerts-3.x-*
-name: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_hktl_createminidump2.yml b/elastalert_rules/sigma_win_hktl_createminidump2.yml
deleted file mode 100644
index a8718cde..00000000
--- a/elastalert_rules/sigma_win_hktl_createminidump2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"11" AND data.win.eventdata.targetFilename.keyword:*\\lsass.dmp*)
-index: wazuh-alerts-3.x-*
-name: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d-2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_html_help_spawn.yml b/elastalert_rules/sigma_win_html_help_spawn.yml
deleted file mode 100644
index 030c3c03..00000000
--- a/elastalert_rules/sigma_win_html_help_spawn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage:"C\:\\Windows\\hh.exe" AND data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\rundll32.exe))
-index: wazuh-alerts-3.x-*
-name: 52cad028-0ff0-4854-8f67-d25dfcbc78b4_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_hwp_exploits.yml b/elastalert_rules/sigma_win_hwp_exploits.yml
deleted file mode 100644
index 2b0c34cb..00000000
--- a/elastalert_rules/sigma_win_hwp_exploits.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\Hwp.exe AND data.win.eventdata.image.keyword:*\\gbb.exe)
-index: wazuh-alerts-3.x-*
-name: 023394c4-29d5-46ab-92b8-6a534c6f447b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_impacket_lateralization.yml b/elastalert_rules/sigma_win_impacket_lateralization.yml
deleted file mode 100644
index 251e2a86..00000000
--- a/elastalert_rules/sigma_win_impacket_lateralization.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.parentImage.keyword:(*\\wmiprvse.exe OR *\\mmc.exe OR *\\explorer.exe OR *\\services.exe) AND data.win.eventdata.commandLine.keyword:(*cmd.exe*\ \/Q\ \/c\ *\ \\\\127.0.0.1\\*&1*)) OR (data.win.eventdata.parentCommandLine.keyword:(*svchost.exe\ \-k\ netsvcs OR taskeng.exe*) AND data.win.eventdata.commandLine.keyword:(cmd.exe\ \/C\ *Windows\\Temp\\*&1))))
-index: wazuh-alerts-3.x-*
-name: 10c14723-61c7-4c75-92ca-9af245723ad2_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_impacket_secretdump.yml b/elastalert_rules/sigma_win_impacket_secretdump.yml
deleted file mode 100644
index 498c07c0..00000000
--- a/elastalert_rules/sigma_win_impacket_secretdump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect AD credential dumping using impacket secretdump HKTL
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5145" AND data.win.eventdata.shareName.keyword:\\*\\ADMIN$ AND data.win.eventdata.relativeTargetName.keyword:SYSTEM32\\*.tmp)
-index: wazuh-alerts-3.x-*
-name: sigma_win_impacket_secretdump
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_indirect_cmd.yml b/elastalert_rules/sigma_win_indirect_cmd.yml
deleted file mode 100644
index fdcbaf48..00000000
--- a/elastalert_rules/sigma_win_indirect_cmd.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:(*\\pcalua.exe OR *\\forfiles.exe))
-index: wazuh-alerts-3.x-*
-name: fa47597e-90e9-41cd-ab72-c3b74cfb0d02_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_install_reg_debugger_backdoor.yml b/elastalert_rules/sigma_win_install_reg_debugger_backdoor.yml
deleted file mode 100644
index c5ab6383..00000000
--- a/elastalert_rules/sigma_win_install_reg_debugger_backdoor.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\\CurrentVersion\\Image\ File\ Execution\ Options\\sethc.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\utilman.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\osk.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\magnify.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\narrator.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\displayswitch.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\atbroker.exe*))
-index: wazuh-alerts-3.x-*
-name: ae215552-081e-44c7-805f-be16f975c8a2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_interactive_at.yml b/elastalert_rules/sigma_win_interactive_at.yml
deleted file mode 100644
index a7b29cd2..00000000
--- a/elastalert_rules/sigma_win_interactive_at.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect an interactive AT job, which may be used as a form of privilege escalation
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\at.exe AND data.win.eventdata.commandLine.keyword:*interactive*)
-index: wazuh-alerts-3.x-*
-name: 60fc936d-2eb0-4543-8a13-911c750a1dfc_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_invoke_obfuscation_obfuscated_iex_commandline.yml b/elastalert_rules/sigma_win_invoke_obfuscation_obfuscated_iex_commandline.yml
deleted file mode 100644
index 390650f1..00000000
--- a/elastalert_rules/sigma_win_invoke_obfuscation_obfuscated_iex_commandline.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR data.win.eventdata.commandLine:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR data.win.eventdata.commandLine:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR data.win.eventdata.commandLine:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR data.win.eventdata.commandLine:/\*mdr\*\W\s*\)\.Name/ OR data.win.eventdata.commandLine:/\$VerbosePreference\.ToString\(/ OR data.win.eventdata.commandLine:/\String\]\s*\$VerbosePreference/))
-index: wazuh-alerts-3.x-*
-name: 4bf943c6-5146-4273-98dd-e958fd1e3abf_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_invoke_obfuscation_obfuscated_iex_services.yml b/elastalert_rules/sigma_win_invoke_obfuscation_obfuscated_iex_services.yml
deleted file mode 100644
index 8586ec2e..00000000
--- a/elastalert_rules/sigma_win_invoke_obfuscation_obfuscated_iex_services.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-alert:
-- debug
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND (ImagePath:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ImagePath:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ImagePath:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ImagePath:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ImagePath:/\*mdr\*\W\s*\)\.Name/ OR ImagePath:/\$VerbosePreference\.ToString\(/ OR ImagePath:/\String\]\s*\$VerbosePreference/))
-index: wazuh-alerts-3.x-*
-name: sigma_win_invoke_obfuscation_obfuscated_iex_services
-priority: 2
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"6" AND (ImagePath:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ImagePath:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ImagePath:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ImagePath:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ImagePath:/\*mdr\*\W\s*\)\.Name/ OR ImagePath:/\$VerbosePreference\.ToString\(/ OR ImagePath:/\String\]\s*\$VerbosePreference/))
-index: wazuh-alerts-3.x-*
-name: sigma_win_invoke_obfuscation_obfuscated_iex_services
-priority: 2
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 
https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4697" AND (ImagePath:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ImagePath:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ImagePath:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ImagePath:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ImagePath:/\*mdr\*\W\s*\)\.Name/ OR ImagePath:/\$VerbosePreference\.ToString\(/ OR ImagePath:/\String\]\s*\$VerbosePreference/))
-index: wazuh-alerts-3.x-*
-name: sigma_win_invoke_obfuscation_obfuscated_iex_services
-priority: 2
-realert:
- minutes: 0
-type: any
-
-
diff --git a/elastalert_rules/sigma_win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/elastalert_rules/sigma_win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
deleted file mode 100644
index 58496f05..00000000
--- a/elastalert_rules/sigma_win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ParentIntegrityLevel:"Medium" AND IntegrityLevel:"System" AND user_account:"NT\ AUTHORITY\\SYSTEM")
-index: wazuh-alerts-3.x-*
-name: 8065b1b4-1778-4427-877f-6bf948b26d38_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_lethalhta.yml b/elastalert_rules/sigma_win_lethalhta.yml
deleted file mode 100644
index ea36ab9a..00000000
--- a/elastalert_rules/sigma_win_lethalhta.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\svchost.exe AND data.win.eventdata.image.keyword:*\\mshta.exe)
-index: wazuh-alerts-3.x-*
-name: ed5d72a6-f8f4-479d-ba79-02f6a80d7471_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_lm_namedpipe.yml b/elastalert_rules/sigma_win_lm_namedpipe.yml
deleted file mode 100644
index 8633ae6b..00000000
--- a/elastalert_rules/sigma_win_lm_namedpipe.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"5145" AND data.win.eventdata.shareName.keyword:\\*\\IPC$) AND (NOT (data.win.system.eventID:"5145" AND data.win.eventdata.shareName.keyword:\\*\\IPC$ AND data.win.eventdata.relativeTargetName:("atsvc" OR "samr" OR "lsarpc" OR "winreg" OR "netlogon" OR "srvsvc" OR "protected_storage" OR "wkssvc" OR "browser" OR "netdfs" OR "svcctl" OR "spoolss" OR "ntsvcs" OR "LSM_API_service" OR "HydraLsPipe" OR "TermSrv_API_service" OR "MsFteWds"))))
-index: wazuh-alerts-3.x-*
-name: sigma_win_lm_namedpipe
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_local_system_owner_account_discovery.yml b/elastalert_rules/sigma_win_local_system_owner_account_discovery.yml
deleted file mode 100644
index 25f069f8..00000000
--- a/elastalert_rules/sigma_win_local_system_owner_account_discovery.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Local accounts, System Owner/User discovery using operating systems utilities
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (((data.win.eventdata.image.keyword:*\\whoami.exe OR (data.win.eventdata.image.keyword:*\\wmic.exe AND data.win.eventdata.commandLine.keyword:*useraccount* AND data.win.eventdata.commandLine.keyword:*get*) OR data.win.eventdata.image.keyword:(*\\quser.exe OR *\\qwinsta.exe) OR (data.win.eventdata.image.keyword:*\\cmdkey.exe AND data.win.eventdata.commandLine.keyword:*\/list*) OR (data.win.eventdata.image.keyword:*\\cmd.exe AND data.win.eventdata.commandLine.keyword:*\/c* AND data.win.eventdata.commandLine.keyword:*dir\ * AND data.win.eventdata.commandLine.keyword:*\\Users\\*)) AND (NOT (data.win.eventdata.commandLine.keyword:(*\ rmdir\ *)))) OR ((data.win.eventdata.image.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*user*) AND (NOT (data.win.eventdata.commandLine.keyword:(*\/domain* OR *\/add* OR *\/delete* OR *\/active* OR *\/expires* OR *\/passwordreq* OR *\/scriptpath* OR *\/times* OR *\/workstations*))))))
-index: wazuh-alerts-3.x-*
-name: 502b42de-4306-40b4-9596-6f590c81f073_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_lsass_access_non_system_account.yml b/elastalert_rules/sigma_win_lsass_access_non_system_account.yml
deleted file mode 100644
index 49844324..00000000
--- a/elastalert_rules/sigma_win_lsass_access_non_system_account.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects potential mimikatz-like tools accessing LSASS from non system account
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:("4663" OR "4656") AND data.win.eventdata.objectType:"Process" AND data.win.eventdata.objectName.keyword:*\\lsass.exe) AND (NOT (SubjectUserName.keyword:*$)))
-index: wazuh-alerts-3.x-*
-name: sigma_win_lsass_access_non_system_account
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_lsass_dump.yml b/elastalert_rules/sigma_win_lsass_dump.yml
deleted file mode 100644
index 09f5962f..00000000
--- a/elastalert_rules/sigma_win_lsass_dump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (((data.win.eventdata.commandLine.keyword:*lsass* AND data.win.eventdata.commandLine.keyword:*.dmp*) AND (NOT (data.win.eventdata.image.keyword:*\\werfault.exe))) OR (data.win.eventdata.image.keyword:*\\procdump* AND data.win.eventdata.image.keyword:*.exe AND data.win.eventdata.commandLine.keyword:*lsass*)))
-index: wazuh-alerts-3.x-*
-name: ffa6861c-4461-4f59-8a41-578c39f3f23e_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mal_blue_mockingbird.yml b/elastalert_rules/sigma_win_mal_blue_mockingbird.yml
deleted file mode 100644
index f9c8cb7d..00000000
--- a/elastalert_rules/sigma_win_mal_blue_mockingbird.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-alert:
-- debug
-description: Attempts to detect system changes made by Blue Mockingbird
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:*\\cmd.exe AND data.win.eventdata.commandLine.keyword:*sc\ config* AND data.win.eventdata.commandLine.keyword:*wercplsupporte.dll*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_blue_mockingbird
-priority: 2
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Attempts to detect system changes made by Blue Mockingbird
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:*\\wmic.exe AND data.win.eventdata.commandLine.keyword:*COR_PROFILER)
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_blue_mockingbird
-priority: 2
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Attempts to detect system changes made by Blue Mockingbird
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"13" AND data.win.eventdata.targetObject.keyword:(*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll))
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_blue_mockingbird
-priority: 2
-realert:
- minutes: 0
-type: any
-
-
diff --git a/elastalert_rules/sigma_win_mal_creddumper.yml b/elastalert_rules/sigma_win_mal_creddumper.yml
deleted file mode 100644
index 6217fa14..00000000
--- a/elastalert_rules/sigma_win_mal_creddumper.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-alert:
-- debug
-description: Detects well-known credential dumping tools execution via service execution events
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND (data.win.eventdata.serviceName.keyword:(*fgexec* OR *wceservice* OR *wce\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_creddumper
-priority: 2
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects well-known credential dumping tools execution via service execution events
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"6" AND (data.win.eventdata.serviceName.keyword:(*fgexec* OR *wceservice* OR *wce\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_creddumper
-priority: 2
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects well-known credential dumping tools execution via service execution events
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4697" AND (data.win.eventdata.serviceName.keyword:(*fgexec* OR *wceservice* OR *wce\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR 
ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_creddumper
-priority: 2
-realert:
- minutes: 0
-type: any
-
-
diff --git a/elastalert_rules/sigma_win_mal_flowcloud.yml b/elastalert_rules/sigma_win_mal_flowcloud.yml
deleted file mode 100644
index 73917c58..00000000
--- a/elastalert_rules/sigma_win_mal_flowcloud.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects FlowCloud malware from threat group TA410.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("12" OR "13") AND data.win.eventdata.targetObject.keyword:(HKLM\\HARDWARE\\\{804423C2\-F490\-4ac3\-BFA5\-13DEDE63A71A\} OR HKLM\\HARDWARE\\\{A5124AF5\-DF23\-49bf\-B0ED\-A18ED3DEA027\} OR HKLM\\HARDWARE\\\{2DB80286\-1784\-48b5\-A751\-B6ED1F490303\} OR HKLM\\SYSTEM\\Setup\\PrintResponsor\\*))
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_flowcloud
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mal_octopus_scanner.yml b/elastalert_rules/sigma_win_mal_octopus_scanner.yml
deleted file mode 100644
index cd9f2773..00000000
--- a/elastalert_rules/sigma_win_mal_octopus_scanner.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Octopus Scanner Malware.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"11" AND data.win.eventdata.targetFilename.keyword:(*\\AppData\\Local\\Microsoft\\Cache134.dat OR *\\AppData\\Local\\Microsoft\\ExplorerSync.db))
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_octopus_scanner
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mal_ryuk.yml b/elastalert_rules/sigma_win_mal_ryuk.yml
deleted file mode 100644
index 6e5a2b65..00000000
--- a/elastalert_rules/sigma_win_mal_ryuk.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Ryuk Ransomware command lines
-filter:
-- query:
- query_string:
- query: data.win.eventdata.commandLine.keyword:(*\\net.exe\ stop\ \"samss\"\ * OR *\\net.exe\ stop\ \"audioendpointbuilder\"\ * OR *\\net.exe\ stop\ \"unistoresvc_?????\"\ *)
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_ryuk
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mal_service_installs.yml b/elastalert_rules/sigma_win_mal_service_installs.yml
deleted file mode 100644
index 45276bb8..00000000
--- a/elastalert_rules/sigma_win_mal_service_installs.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND (data.win.eventdata.imagePath.keyword:*\\PAExec* OR data.win.eventdata.serviceName:"mssecsvc2.0" OR data.win.eventdata.imagePath.keyword:*net\ user*))
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_service_installs
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mal_ursnif.yml b/elastalert_rules/sigma_win_mal_ursnif.yml
deleted file mode 100644
index f02d9c77..00000000
--- a/elastalert_rules/sigma_win_mal_ursnif.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects new registry key created by Ursnif malware.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"13" AND data.win.eventdata.targetObject.keyword:*\\Software\\AppDataLow\\Software\\Microsoft\\*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_ursnif
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mal_wceaux_dll.yml b/elastalert_rules/sigma_win_mal_wceaux_dll.yml
deleted file mode 100644
index e02ebeba..00000000
--- a/elastalert_rules/sigma_win_mal_wceaux_dll.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("4656" OR "4658" OR "4660" OR "4663") AND data.win.eventdata.objectName.keyword:*\\wceaux.dll)
-index: wazuh-alerts-3.x-*
-name: sigma_win_mal_wceaux_dll
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_dridex.yml b/elastalert_rules/sigma_win_malware_dridex.yml
deleted file mode 100644
index fbf8035e..00000000
--- a/elastalert_rules/sigma_win_malware_dridex.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects typical Dridex process patterns
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:*\\svchost.exe\ C\:\\Users\\*\\Desktop\\* OR (data.win.eventdata.parentImage.keyword:*\\svchost.exe* AND data.win.eventdata.commandLine.keyword:(*whoami.exe\ \/all OR *net.exe\ view))))
-index: wazuh-alerts-3.x-*
-name: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_dtrack.yml b/elastalert_rules/sigma_win_malware_dtrack.yml
deleted file mode 100644
index a4506f14..00000000
--- a/elastalert_rules/sigma_win_malware_dtrack.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects specific process parameters as seen in DTRACK infections
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\ echo\ EEEE\ >\ *)
-index: wazuh-alerts-3.x-*
-name: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_emotet.yml b/elastalert_rules/sigma_win_malware_emotet.yml
deleted file mode 100644
index c429e8ce..00000000
--- a/elastalert_rules/sigma_win_malware_emotet.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects all Emotet like process executions that are not covered by the more generic rules
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ \-e*\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*))
-index: wazuh-alerts-3.x-*
-name: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_formbook.yml b/elastalert_rules/sigma_win_malware_formbook.yml
deleted file mode 100644
index 6819ad12..00000000
--- a/elastalert_rules/sigma_win_malware_formbook.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentCommandLine.keyword:(C\:\\Windows\\System32\\*.exe OR C\:\\Windows\\SysWOW64\\*.exe) AND data.win.eventdata.commandLine.keyword:(*\ \/c\ del\ \"C\:\\Users\\*\\AppData\\Local\\Temp\\*.exe OR *\ \/c\ del\ \"C\:\\Users\\*\\Desktop\\*.exe OR *\ \/C\ type\ nul\ >\ \"C\:\\Users\\*\\Desktop\\*.exe))
-index: wazuh-alerts-3.x-*
-name: 032f5fb3-d959-41a5-9263-4173c802dc2b_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_notpetya.yml b/elastalert_rules/sigma_win_malware_notpetya.yml
deleted file mode 100644
index 1ef27432..00000000
--- a/elastalert_rules/sigma_win_malware_notpetya.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:*\\AppData\\Local\\Temp\\*\ \\.\\pipe\\* OR (data.win.eventdata.image.keyword:*\\rundll32.exe AND data.win.eventdata.commandLine.keyword:*.dat,#1) OR *\\perfc.dat*))
-index: wazuh-alerts-3.x-*
-name: 79aeeb41-8156-4fac-a0cd-076495ab82a1_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_qbot.yml b/elastalert_rules/sigma_win_malware_qbot.yml
deleted file mode 100644
index 4e1a1be5..00000000
--- a/elastalert_rules/sigma_win_malware_qbot.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects QBot like process executions
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.parentImage.keyword:*\\WinRAR.exe AND data.win.eventdata.image.keyword:*\\wscript.exe) OR data.win.eventdata.commandLine.keyword:*\ \/c\ ping.exe\ \-n\ 6\ 127.0.0.1\ &\ type\ *))
-index: wazuh-alerts-3.x-*
-name: 4fcac6eb-0287-4090-8eea-2602e4c20040_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_ryuk.yml b/elastalert_rules/sigma_win_malware_ryuk.yml
deleted file mode 100644
index 8ab55082..00000000
--- a/elastalert_rules/sigma_win_malware_ryuk.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Ryuk ransomware activity
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*Microsoft\\Windows\\CurrentVersion\\Run* AND data.win.eventdata.commandLine.keyword:*C\:\\users\\Public\\*)
-index: wazuh-alerts-3.x-*
-name: c37510b8-2107-4b78-aa32-72f251e7a844_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_script_dropper.yml b/elastalert_rules/sigma_win_malware_script_dropper.yml
deleted file mode 100644
index 5d73f577..00000000
--- a/elastalert_rules/sigma_win_malware_script_dropper.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects wscript/cscript executions of scripts located in user directories
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:(*\\wscript.exe OR *\\cscript.exe) AND data.win.eventdata.commandLine.keyword:(*\ C\:\\Users\\*.jse\ * OR *\ C\:\\Users\\*.vbe\ * OR *\ C\:\\Users\\*.js\ * OR *\ C\:\\Users\\*.vba\ * OR *\ C\:\\Users\\*.vbs\ * OR *\ C\:\\ProgramData\\*.jse\ * OR *\ C\:\\ProgramData\\*.vbe\ * OR *\ C\:\\ProgramData\\*.js\ * OR *\ C\:\\ProgramData\\*.vba\ * OR *\ C\:\\ProgramData\\*.vbs\ *)) AND (NOT (data.win.eventdata.parentImage.keyword:*\\winzip*)))
-index: wazuh-alerts-3.x-*
-name: cea72823-df4d-4567-950c-0b579eaf0846_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_trickbot_recon_activity.yml b/elastalert_rules/sigma_win_malware_trickbot_recon_activity.yml
deleted file mode 100644
index 9448b87e..00000000
--- a/elastalert_rules/sigma_win_malware_trickbot_recon_activity.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:(*\\cmd.exe) AND data.win.eventdata.image.keyword:(*\\nltest.exe) AND data.win.eventdata.commandLine.keyword:(*\/domain_trusts\ \/all_trusts*))
-index: wazuh-alerts-3.x-*
-name: 410ad193-a728-4107-bc79-4419789fcbf8_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_trickbot_wermgr.yml b/elastalert_rules/sigma_win_malware_trickbot_wermgr.yml
deleted file mode 100644
index 701a2e08..00000000
--- a/elastalert_rules/sigma_win_malware_trickbot_wermgr.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\wermgr.exe) AND data.win.eventdata.parentImage.keyword:(*\\rundll32.exe) AND data.win.eventdata.parentCommandLine.keyword:(*DllRegisterServer*))
-index: wazuh-alerts-3.x-*
-name: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_malware_wannacry.yml b/elastalert_rules/sigma_win_malware_wannacry.yml
deleted file mode 100644
index 69cc32db..00000000
--- a/elastalert_rules/sigma_win_malware_wannacry.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects WannaCry ransomware activity
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:(*\\tasksche.exe OR *\\mssecsvc.exe OR *\\taskdl.exe OR *\\@WanaDecryptor@* OR *\\WanaDecryptor* OR *\\taskhsvc.exe OR *\\taskse.exe OR *\\111.exe OR *\\lhdfrgui.exe OR *\\diskpart.exe OR *\\linuxnew.exe OR *\\wannacry.exe) OR data.win.eventdata.commandLine.keyword:(*icacls\ *\ \/grant\ Everyone\:F\ \/T\ \/C\ \/Q* OR *bcdedit\ \/set\ \{default\}\ recoveryenabled\ no* OR *wbadmin\ delete\ catalog\ \-quiet* OR *@Please_Read_Me@.txt*)))
-index: wazuh-alerts-3.x-*
-name: 41d40bff-377a-43e2-8e1b-2e543069e079_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mavinject_proc_inj.yml b/elastalert_rules/sigma_win_mavinject_proc_inj.yml
deleted file mode 100644
index 68f18504..00000000
--- a/elastalert_rules/sigma_win_mavinject_proc_inj.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process injection using the signed Windows tool Mavinject32.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\ \/INJECTRUNNING\ *)
-index: wazuh-alerts-3.x-*
-name: 17eb8e57-9983-420d-ad8a-2c4976c22eb8_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_metasploit_authentication.yml b/elastalert_rules/sigma_win_metasploit_authentication.yml
deleted file mode 100644
index db206dc2..00000000
--- a/elastalert_rules/sigma_win_metasploit_authentication.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Alerts on Metasploit host's authentications on the domain.
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:("4625" OR "4624") AND data.win.eventdata.logonType:"3" AND AuthenticationPackage:"NTLM" AND data.win.eventdata.sourceHostname:/^[A-Za-z0-9]{16}$/) OR (NOT _exists_:data.win.eventdata.processName AND data.win.system.eventID:"4776" AND SourceWorkstation:/^[A-Za-z0-9]{16}$/))
-index: wazuh-alerts-3.x-*
-name: sigma_win_metasploit_authentication
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/elastalert_rules/sigma_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
deleted file mode 100644
index 68801aca..00000000
--- a/elastalert_rules/sigma_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-alert:
-- debug
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND ((data.win.eventdata.imagePath.keyword:*cmd* AND data.win.eventdata.imagePath.keyword:*\/c* AND data.win.eventdata.imagePath.keyword:*echo* AND data.win.eventdata.imagePath.keyword:*\\pipe\\*) OR (data.win.eventdata.imagePath.keyword:*%COMSPEC%* AND data.win.eventdata.imagePath.keyword:*\/c* AND data.win.eventdata.imagePath.keyword:*echo* AND data.win.eventdata.imagePath.keyword:*\\pipe\\*) OR (data.win.eventdata.imagePath.keyword:*rundll32* AND data.win.eventdata.imagePath.keyword:*.dll,a* AND data.win.eventdata.imagePath.keyword:*\/p\:*)))
-index: wazuh-alerts-3.x-*
-name: sigma_win_meterpreter_or_cobaltstrike_getsystem_service_installation
-priority: 1
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"6" AND ((data.win.eventdata.imagePath.keyword:*cmd* AND data.win.eventdata.imagePath.keyword:*\/c* AND data.win.eventdata.imagePath.keyword:*echo* AND data.win.eventdata.imagePath.keyword:*\\pipe\\*) OR (data.win.eventdata.imagePath.keyword:*%COMSPEC%* AND data.win.eventdata.imagePath.keyword:*\/c* AND data.win.eventdata.imagePath.keyword:*echo* AND data.win.eventdata.imagePath.keyword:*\\pipe\\*) OR (data.win.eventdata.imagePath.keyword:*rundll32* AND data.win.eventdata.imagePath.keyword:*.dll,a* AND data.win.eventdata.imagePath.keyword:*\/p\:*)))
-index: wazuh-alerts-3.x-*
-name: sigma_win_meterpreter_or_cobaltstrike_getsystem_service_installation
-priority: 1
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4697" AND ((data.win.eventdata.imagePath.keyword:*cmd* AND data.win.eventdata.imagePath.keyword:*\/c* AND data.win.eventdata.imagePath.keyword:*echo* AND data.win.eventdata.imagePath.keyword:*\\pipe\\*) OR (data.win.eventdata.imagePath.keyword:*%COMSPEC%* AND data.win.eventdata.imagePath.keyword:*\/c* AND data.win.eventdata.imagePath.keyword:*echo* AND data.win.eventdata.imagePath.keyword:*\\pipe\\*) OR (data.win.eventdata.imagePath.keyword:*rundll32* AND data.win.eventdata.imagePath.keyword:*.dll,a* AND data.win.eventdata.imagePath.keyword:*\/p\:*)))
-index: wazuh-alerts-3.x-*
-name: sigma_win_meterpreter_or_cobaltstrike_getsystem_service_installation
-priority: 1
-realert:
- minutes: 0
-type: any
-
-
diff --git a/elastalert_rules/sigma_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/elastalert_rules/sigma_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
deleted file mode 100644
index 7d5504e6..00000000
--- a/elastalert_rules/sigma_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.parentImage.keyword:*\\services.exe AND ((data.win.eventdata.commandLine.keyword:*cmd* AND data.win.eventdata.commandLine.keyword:*\/c* AND data.win.eventdata.commandLine.keyword:*echo* AND data.win.eventdata.commandLine.keyword:*\\pipe\\*) OR (data.win.eventdata.commandLine.keyword:*%COMSPEC%* AND data.win.eventdata.commandLine.keyword:*\/c* AND data.win.eventdata.commandLine.keyword:*echo* AND data.win.eventdata.commandLine.keyword:*\\pipe\\*) OR (data.win.eventdata.commandLine.keyword:*rundll32* AND data.win.eventdata.commandLine.keyword:*.dll,a* AND data.win.eventdata.commandLine.keyword:*\/p\:*))) AND (NOT (data.win.eventdata.commandLine.keyword:*MpCmdRun*)))
-index: wazuh-alerts-3.x-*
-name: 15619216-e993-4721-b590-4c520615a67d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mimikatz_command_line.yml b/elastalert_rules/sigma_win_mimikatz_command_line.yml
deleted file mode 100644
index 21605cf8..00000000
--- a/elastalert_rules/sigma_win_mimikatz_command_line.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detection well-known mimikatz command line arguments
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:(*DumpCreds* OR *invoke\-mimikatz*) OR (data.win.eventdata.commandLine.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND data.win.eventdata.commandLine.keyword:(*\:\:*))))
-index: wazuh-alerts-3.x-*
-name: a642964e-bead-4bed-8910-1bb4d63e3b4d_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mmc20_lateral_movement.yml b/elastalert_rules/sigma_win_mmc20_lateral_movement.yml
deleted file mode 100644
index 5c8dbaa3..00000000
--- a/elastalert_rules/sigma_win_mmc20_lateral_movement.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.parentImage.keyword:*\\svchost.exe AND data.win.eventdata.image.keyword:*\\mmc.exe AND data.win.eventdata.commandLine.keyword:*\-Embedding*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_mmc20_lateral_movement
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mmc_spawn_shell.yml b/elastalert_rules/sigma_win_mmc_spawn_shell.yml
deleted file mode 100644
index f09b044f..00000000
--- a/elastalert_rules/sigma_win_mmc_spawn_shell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a Windows command line executable started from MMC
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\mmc.exe AND data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\reg.exe OR *\\regsvr32.exe OR *\\BITSADMIN*))
-index: wazuh-alerts-3.x-*
-name: 05a2ab7e-ce11-4b63-86db-ab32e763e11d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mouse_lock.yml b/elastalert_rules/sigma_win_mouse_lock.yml
deleted file mode 100644
index 925c8ad0..00000000
--- a/elastalert_rules/sigma_win_mouse_lock.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.product.keyword:*Mouse\ Lock* OR data.win.eventdata.company.keyword:*Misc314* OR data.win.eventdata.commandLine.keyword:*Mouse\ Lock_*)
-index: wazuh-alerts-3.x-*
-name: c9192ad9-75e5-43eb-8647-82a0a5b493e3_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mshta_javascript.yml b/elastalert_rules/sigma_win_mshta_javascript.yml
deleted file mode 100644
index 87281592..00000000
--- a/elastalert_rules/sigma_win_mshta_javascript.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies suspicious mshta.exe commands
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\mshta.exe AND data.win.eventdata.commandLine.keyword:*javascript*)
-index: wazuh-alerts-3.x-*
-name: 67f113fa-e23d-4271-befa-30113b3e08b1_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_mshta_spawn_shell.yml b/elastalert_rules/sigma_win_mshta_spawn_shell.yml
deleted file mode 100644
index 06e93de8..00000000
--- a/elastalert_rules/sigma_win_mshta_spawn_shell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a Windows command line executable started from MSHTA
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\mshta.exe AND data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\reg.exe OR *\\regsvr32.exe OR *\\BITSADMIN*))
-index: wazuh-alerts-3.x-*
-name: 03cc0c25-389f-4bf8-b48d-11878079f1ca_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_multiple_suspicious_cli.yml b/elastalert_rules/sigma_win_multiple_suspicious_cli.yml
deleted file mode 100644
index b5cb220a..00000000
--- a/elastalert_rules/sigma_win_multiple_suspicious_cli.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- minutes: 5
-description: Detects multiple suspicious process in a limited timeframe
-doc_type: doc
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine:("arp.exe" OR "at.exe" OR "attrib.exe" OR "cscript.exe" OR "dsquery.exe" OR "hostname.exe" OR "ipconfig.exe" OR "mimikatz.exe" OR "nbtstat.exe" OR "net.exe" OR "netsh.exe" OR "nslookup.exe" OR "ping.exe" OR "quser.exe" OR "qwinsta.exe" OR "reg.exe" OR "runas.exe" OR "sc.exe" OR "schtasks.exe" OR "ssh.exe" OR "systeminfo.exe" OR "taskkill.exe" OR "telnet.exe" OR "tracert.exe" OR "wscript.exe" OR "xcopy.exe" OR "pscp.exe" OR "copy.exe" OR "robocopy.exe" OR "certutil.exe" OR "vssadmin.exe" OR "powershell.exe" OR "wevtutil.exe" OR "psexec.exe" OR "bcedit.exe" OR "wbadmin.exe" OR "icacls.exe" OR "diskpart.exe"))
-index: wazuh-alerts-3.x-*
-max_threshold: 5
-metric_agg_key: _id
-metric_agg_type: cardinality
-name: 61ab5496-748e-4818-a92f-de78e20fe7f1_0
-priority: 4
-query_key: host_name.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_win_net_enum.yml b/elastalert_rules/sigma_win_net_enum.yml
deleted file mode 100644
index b5d25b40..00000000
--- a/elastalert_rules/sigma_win_net_enum.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*view*) AND (NOT (data.win.eventdata.commandLine.keyword:*\\\\*)))
-index: wazuh-alerts-3.x-*
-name: 62510e69-616b-4078-b371-847da438cc03_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_net_ntlm_downgrade1.yml b/elastalert_rules/sigma_win_net_ntlm_downgrade1.yml
deleted file mode 100644
index d37612b4..00000000
--- a/elastalert_rules/sigma_win_net_ntlm_downgrade1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects NetNTLM downgrade attack
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"13" AND data.win.eventdata.targetObject.keyword:(*SYSTEM\\*ControlSet*\\Control\\Lsa\\lmcompatibilitylevel OR *SYSTEM\\*ControlSet*\\Control\\Lsa*\\NtlmMinClientSec OR *SYSTEM\\*ControlSet*\\Control\\Lsa*\\RestrictSendingNTLMTraffic))
-index: wazuh-alerts-3.x-*
-name: sigma_win_net_ntlm_downgrade
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_net_ntlm_downgrade2.yml b/elastalert_rules/sigma_win_net_ntlm_downgrade2.yml
deleted file mode 100644
index a10868d9..00000000
--- a/elastalert_rules/sigma_win_net_ntlm_downgrade2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects NetNTLM downgrade attack
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4657" AND data.win.eventdata.objectName.keyword:\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa* AND object_value_name:("LmCompatibilityLevel" OR "NtlmMinClientSec" OR "RestrictSendingNTLMTraffic"))
-index: wazuh-alerts-3.x-*
-name: sigma_win_net_ntlm_downgrade
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_net_user_add.yml b/elastalert_rules/sigma_win_net_user_add.yml
deleted file mode 100644
index c5c7e0c7..00000000
--- a/elastalert_rules/sigma_win_net_user_add.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies creation of local users via the net.exe command
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*user* AND data.win.eventdata.commandLine.keyword:*add*)
-index: wazuh-alerts-3.x-*
-name: cd219ff3-fa99-45d4-8380-a7d15116c6dc_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_netsh_allow_port_rdp.yml b/elastalert_rules/sigma_win_netsh_allow_port_rdp.yml
deleted file mode 100644
index 5579f2a9..00000000
--- a/elastalert_rules/sigma_win_netsh_allow_port_rdp.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*netsh* AND ((data.win.eventdata.commandLine.keyword:*firewall\ add\ portopening* AND data.win.eventdata.commandLine.keyword:*tcp\ 3389*) OR (data.win.eventdata.commandLine.keyword:*advfirewall\ firewall\ add\ rule* AND data.win.eventdata.commandLine.keyword:*action\=allow* AND data.win.eventdata.commandLine.keyword:*protocol\=TCP* AND data.win.eventdata.commandLine.keyword:*localport\=3389*)))
-index: wazuh-alerts-3.x-*
-name: 01aeb693-138d-49d2-9403-c4f52d7d3d62_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_netsh_fw_add.yml b/elastalert_rules/sigma_win_netsh_fw_add.yml
deleted file mode 100644
index dc11c4a7..00000000
--- a/elastalert_rules/sigma_win_netsh_fw_add.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Allow Incoming Connections by Port or Application on Windows Firewall
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*netsh*) AND data.win.eventdata.commandLine.keyword:(*firewall\ add*))
-index: wazuh-alerts-3.x-*
-name: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_netsh_fw_add_susp_image.yml b/elastalert_rules/sigma_win_netsh_fw_add_susp_image.yml
deleted file mode 100644
index f4c57595..00000000
--- a/elastalert_rules/sigma_win_netsh_fw_add_susp_image.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Netsh commands that allows a suspcious application location on Windows Firewall
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*netsh* AND (data.win.eventdata.commandLine.keyword:*firewall\ add\ allowedprogram* OR (data.win.eventdata.commandLine.keyword:*advfirewall\ firewall\ add\ rule* AND data.win.eventdata.commandLine.keyword:*action\=allow* AND data.win.eventdata.commandLine.keyword:*program\=*)) AND data.win.eventdata.commandLine.keyword:(*%TEMP%* OR *\:\\RECYCLER\\* OR *C\:\\$Recycle.bin\\* OR *\:\\SystemVolumeInformation\\* OR *C\:\\Windows\\Tasks\\* OR *C\:\\Windows\\debug\\* OR *C\:\\Windows\\fonts\\* OR *C\:\\Windows\\help\\* OR *C\:\\Windows\\drivers\\* OR *C\:\\Windows\\addins\\* OR *C\:\\Windows\\cursors\\* OR *C\:\\Windows\\system32\\tasks\\* OR *C\:\\Windows\\Temp\\* OR *C\:\\Temp\\* OR *C\:\\Users\\Public\\* OR *%Public%\\* OR *C\:\\Users\\Default\\* OR *C\:\\Users\\Desktop\\* OR *\\Downloads\\* OR *\\Temporary\ Internet\ Files\\Content.Outlook\\* OR *\\Local\ Settings\\Temporary\ Internet\ Files\\*))
-index: wazuh-alerts-3.x-*
-name: a35f5a72-f347-4e36-8895-9869b0d5fc6d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_netsh_packet_capture.yml b/elastalert_rules/sigma_win_netsh_packet_capture.yml
deleted file mode 100644
index d02db8d2..00000000
--- a/elastalert_rules/sigma_win_netsh_packet_capture.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects capture a network trace via netsh.exe trace functionality
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*netsh* AND data.win.eventdata.commandLine.keyword:*trace* AND data.win.eventdata.commandLine.keyword:*start*)
-index: wazuh-alerts-3.x-*
-name: d3c3861d-c504-4c77-ba55-224ba82d0118_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_netsh_port_fwd.yml b/elastalert_rules/sigma_win_netsh_port_fwd.yml
deleted file mode 100644
index cf5cd29f..00000000
--- a/elastalert_rules/sigma_win_netsh_port_fwd.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects netsh commands that configure a port forwarding
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(netsh\ interface\ portproxy\ add\ v4tov4\ *))
-index: wazuh-alerts-3.x-*
-name: 322ed9ec-fcab-4f67-9a34-e7c6aef43614_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_netsh_port_fwd_3389.yml b/elastalert_rules/sigma_win_netsh_port_fwd_3389.yml
deleted file mode 100644
index b42a1163..00000000
--- a/elastalert_rules/sigma_win_netsh_port_fwd_3389.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(netsh\ i*\ p*\=3389\ c*))
-index: wazuh-alerts-3.x-*
-name: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_netsh_wifi_credential_harvesting.yml b/elastalert_rules/sigma_win_netsh_wifi_credential_harvesting.yml
deleted file mode 100644
index 293e6d83..00000000
--- a/elastalert_rules/sigma_win_netsh_wifi_credential_harvesting.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect the harvesting of wifi credentials using netsh.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(netsh\ wlan\ s*\ p*\ k*\=clear))
-index: wazuh-alerts-3.x-*
-name: 42b1a5b8-353f-4f10-b256-39de4467faff_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_network_sniffing.yml b/elastalert_rules/sigma_win_network_sniffing.yml
deleted file mode 100644
index b696af86..00000000
--- a/elastalert_rules/sigma_win_network_sniffing.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:*\\tshark.exe AND data.win.eventdata.commandLine.keyword:*\-i*) OR data.win.eventdata.image.keyword:*\\windump.exe))
-index: wazuh-alerts-3.x-*
-name: ba1f7802-adc7-48b4-9ecb-81e227fddfd5_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_new_or_renamed_user_account_with_dollar_sign.yml b/elastalert_rules/sigma_win_new_or_renamed_user_account_with_dollar_sign.yml
deleted file mode 100644
index 4cc5b0e4..00000000
--- a/elastalert_rules/sigma_win_new_or_renamed_user_account_with_dollar_sign.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects possible bypass EDR and SIEM via abnormal user account name.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("4720" OR "4781") AND user_name.keyword:*$*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_new_or_renamed_user_account_with_dollar_sign
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_new_service_creation.yml b/elastalert_rules/sigma_win_new_service_creation.yml
deleted file mode 100644
index d7b75c81..00000000
--- a/elastalert_rules/sigma_win_new_service_creation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects creation of a new service
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:*\\sc.exe AND data.win.eventdata.commandLine.keyword:*create* AND data.win.eventdata.commandLine.keyword:*binpath*) OR (data.win.eventdata.image.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:*new\-service*)))
-index: wazuh-alerts-3.x-*
-name: 7fe71fc9-de3b-432a-8d57-8c809efc10ab_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_non_interactive_powershell.yml b/elastalert_rules/sigma_win_non_interactive_powershell.yml
deleted file mode 100644
index 21042749..00000000
--- a/elastalert_rules/sigma_win_non_interactive_powershell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\powershell.exe AND (NOT (data.win.eventdata.parentImage.keyword:*\\explorer.exe)))
-index: wazuh-alerts-3.x-*
-name: f4bbd493-b796-416e-bbf2-121235348529_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_not_allowed_rdp_access.yml b/elastalert_rules/sigma_win_not_allowed_rdp_access.yml
deleted file mode 100644
index bf0439ae..00000000
--- a/elastalert_rules/sigma_win_not_allowed_rdp_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:"4825"
-index: wazuh-alerts-3.x-*
-name: sigma_win_not_allowed_rdp_access
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_office_shell.yml b/elastalert_rules/sigma_win_office_shell.yml
deleted file mode 100644
index 47a03476..00000000
--- a/elastalert_rules/sigma_win_office_shell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:(*\\WINWORD.EXE OR *\\EXCEL.EXE OR *\\POWERPNT.exe OR *\\MSPUB.exe OR *\\VISIO.exe OR *\\OUTLOOK.EXE) AND data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\scrcons.exe OR *\\schtasks.exe OR *\\regsvr32.exe OR *\\hh.exe OR *\\wmic.exe OR *\\mshta.exe OR *\\rundll32.exe OR *\\msiexec.exe OR *\\forfiles.exe OR *\\scriptrunner.exe OR *\\mftrace.exe OR *\\AppVLP.exe OR *\\svchost.exe))
-index: wazuh-alerts-3.x-*
-name: 438025f9-5856-4663-83f7-52f878a70a50_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_office_spawn_exe_from_users_directory.yml b/elastalert_rules/sigma_win_office_spawn_exe_from_users_directory.yml
deleted file mode 100644
index 0cdbafb5..00000000
--- a/elastalert_rules/sigma_win_office_spawn_exe_from_users_directory.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:(*\\WINWORD.EXE OR *\\EXCEL.EXE OR *\\POWERPNT.exe OR *\\MSPUB.exe OR *\\VISIO.exe OR *\\OUTLOOK.EXE) AND data.win.eventdata.image.keyword:(C\:\\users\\*.exe))
-index: wazuh-alerts-3.x-*
-name: aa3a6f94-890e-4e22-b634-ffdfd54792cc_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_overpass_the_hash.yml b/elastalert_rules/sigma_win_overpass_the_hash.yml
deleted file mode 100644
index 23c1cc6f..00000000
--- a/elastalert_rules/sigma_win_overpass_the_hash.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4624" AND data.win.eventdata.logonType:"9" AND data.win.eventdata.logonProcessName:"seclogo" AND logon_authentication_package:"Negotiate")
-index: wazuh-alerts-3.x-*
-name: sigma_win_overpass_the_hash
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_pass_the_hash.yml b/elastalert_rules/sigma_win_pass_the_hash.yml
deleted file mode 100644
index 9c0bbcdf..00000000
--- a/elastalert_rules/sigma_win_pass_the_hash.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the attack technique pass the hash which is used to move laterally inside the network
-filter:
-- query:
- query_string:
- query: ((data.win.eventdata.logonType:"3" AND data.win.eventdata.logonProcessName:"NtLmSsp" AND data.win.eventdata.sourceHostname:"%Workstations%" AND data.win.system.computer:"%Workstations%" AND (data.win.system.eventID:"4624" OR data.win.system.eventID:"4625")) AND (NOT (data.win.eventdata.accountName:"ANONYMOUS\ LOGON")))
-index: wazuh-alerts-3.x-*
-name: sigma_win_pass_the_hash
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_pass_the_hash_2.yml b/elastalert_rules/sigma_win_pass_the_hash_2.yml
deleted file mode 100644
index 621be9d8..00000000
--- a/elastalert_rules/sigma_win_pass_the_hash_2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the attack technique pass the hash which is used to move laterally inside the network
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"4624" AND ((SubjectUserSid:"S\-1\-0\-0" AND data.win.eventdata.logonType:"3" AND data.win.eventdata.logonProcessName:"NtLmSsp" AND KeyLength:"0") OR (data.win.eventdata.logonType:"9" AND data.win.eventdata.logonProcessName:"seclogo"))) AND (NOT (data.win.eventdata.accountName:"ANONYMOUS\ LOGON")))
-index: wazuh-alerts-3.x-*
-name: sigma_win_pass_the_hash_2
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_pcap_drivers.yml b/elastalert_rules/sigma_win_pcap_drivers.yml
deleted file mode 100644
index ad2661a5..00000000
--- a/elastalert_rules/sigma_win_pcap_drivers.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Windows Pcap driver installation based on a list of associated .sys files.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4697" AND data.win.eventdata.imagePath.keyword:(*pcap* OR *npcap* OR *npf* OR *nm3* OR *ndiscap* OR *nmnt* OR *windivert* OR *USBPcap* OR *pktmon*))
-index: wazuh-alerts-3.x-*
-name: sigma_win_pcap_drivers
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_plugx_susp_exe_locations.yml b/elastalert_rules/sigma_win_plugx_susp_exe_locations.yml
deleted file mode 100644
index 125c43a2..00000000
--- a/elastalert_rules/sigma_win_plugx_susp_exe_locations.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((((((((((((data.win.eventdata.image.keyword:*\\CamMute.exe AND (NOT (data.win.eventdata.image.keyword:*\\Lenovo\\Communication\ Utility\\*))) OR (data.win.eventdata.image.keyword:*\\chrome_frame_helper.exe AND (NOT (data.win.eventdata.image.keyword:*\\Google\\Chrome\\application\\*)))) OR (data.win.eventdata.image.keyword:*\\dvcemumanager.exe AND (NOT (data.win.eventdata.image.keyword:*\\Microsoft\ Device\ Emulator\\*)))) OR (data.win.eventdata.image.keyword:*\\Gadget.exe AND (NOT (data.win.eventdata.image.keyword:*\\Windows\ Media\ Player\\*)))) OR (data.win.eventdata.image.keyword:*\\hcc.exe AND (NOT (data.win.eventdata.image.keyword:*\\HTML\ Help\ Workshop\\*)))) OR (data.win.eventdata.image.keyword:*\\hkcmd.exe AND (NOT (data.win.eventdata.image.keyword:(*\\System32\\* OR *\\SysNative\\* OR *\\SysWowo64\\*))))) OR (data.win.eventdata.image.keyword:*\\Mc.exe AND (NOT (data.win.eventdata.image.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit*))))) OR (data.win.eventdata.image.keyword:*\\MsMpEng.exe AND (NOT (data.win.eventdata.image.keyword:(*\\Microsoft\ Security\ Client\\* OR *\\Windows\ Defender\\* OR *\\AntiMalware\\*))))) OR (data.win.eventdata.image.keyword:*\\msseces.exe AND (NOT (data.win.eventdata.image.keyword:(*\\Microsoft\ Security\ Center\\* OR *\\Microsoft\ Security\ Client\\* OR *\\Microsoft\ Security\ Essentials\\*))))) OR (data.win.eventdata.image.keyword:*\\OInfoP11.exe AND (NOT (data.win.eventdata.image.keyword:*\\Common\ Files\\Microsoft\ Shared\\*)))) OR (data.win.eventdata.image.keyword:*\\OleView.exe AND (NOT (data.win.eventdata.image.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit* OR *\\Windows\ Resource\ Kit\\*))))) OR 
(data.win.eventdata.image.keyword:*\\rc.exe AND (NOT (data.win.eventdata.image.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit* OR *\\Windows\ Resource\ Kit\\* OR *\\Microsoft.NET\\*))))))
-index: wazuh-alerts-3.x-*
-name: aeab5ec5-be14-471a-80e8-e344418305c2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_possible_applocker_bypass.yml b/elastalert_rules/sigma_win_possible_applocker_bypass.yml
deleted file mode 100644
index fe9c2edc..00000000
--- a/elastalert_rules/sigma_win_possible_applocker_bypass.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects execution of executables that can be used to bypass Applocker whitelisting
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\\msdt.exe* OR *\\installutil.exe* OR *\\regsvcs.exe* OR *\\regasm.exe* OR *\\msbuild.exe* OR *\\ieexec.exe*))
-index: wazuh-alerts-3.x-*
-name: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_possible_dc_shadow.yml b/elastalert_rules/sigma_win_possible_dc_shadow.yml
deleted file mode 100644
index 5147b157..00000000
--- a/elastalert_rules/sigma_win_possible_dc_shadow.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects DCShadow via create new SPN
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"4742" AND ServicePrincipalNames.keyword:*GC\/*) OR (data.win.system.eventID:"5136" AND LDAPDisplayName:"servicePrincipalName" AND Value.keyword:GC\/*))
-index: wazuh-alerts-3.x-*
-name: sigma_win_possible_dc_shadow
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_possible_privilege_escalation_using_rotten_potato.yml b/elastalert_rules/sigma_win_possible_privilege_escalation_using_rotten_potato.yml
deleted file mode 100644
index f551892f..00000000
--- a/elastalert_rules/sigma_win_possible_privilege_escalation_using_rotten_potato.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (ParentUser:("NT\ AUTHORITY\\NETWORK\ SERVICE" OR "NT\ AUTHORITY\\LOCAL\ SERVICE") AND user_account:"NT\ AUTHORITY\\SYSTEM") AND (NOT (data.win.eventdata.image.keyword:*\\rundll32.exe AND data.win.eventdata.commandLine.keyword:*DavSetCookie*)))
-index: wazuh-alerts-3.x-*
-name: 6c5808ee-85a2-4e56-8137-72e5876a5096_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_amsi_bypass.yml b/elastalert_rules/sigma_win_powershell_amsi_bypass.yml
deleted file mode 100644
index 6529e375..00000000
--- a/elastalert_rules/sigma_win_powershell_amsi_bypass.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*System.Management.Automation.AmsiUtils*) AND data.win.eventdata.commandLine.keyword:(*amsiInitFailed*))
-index: wazuh-alerts-3.x-*
-name: 30edb182-aa75-42c0-b0a9-e998bb29067c_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_audio_capture.yml b/elastalert_rules/sigma_win_powershell_audio_capture.yml
deleted file mode 100644
index 4f5801f8..00000000
--- a/elastalert_rules/sigma_win_powershell_audio_capture.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects audio capture via PowerShell Cmdlet
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*WindowsAudioDevice\-Powershell\-Cmdlet*)
-index: wazuh-alerts-3.x-*
-name: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_b64_shellcode.yml b/elastalert_rules/sigma_win_powershell_b64_shellcode.yml
deleted file mode 100644
index cf03b8b9..00000000
--- a/elastalert_rules/sigma_win_powershell_b64_shellcode.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Base64 encoded Shellcode
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*AAAAYInlM* AND data.win.eventdata.commandLine.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
-index: wazuh-alerts-3.x-*
-name: 2d117e49-e626-4c7c-bd1f-c3c0147774c8_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_bitsjob.yml b/elastalert_rules/sigma_win_powershell_bitsjob.yml
deleted file mode 100644
index 964f7966..00000000
--- a/elastalert_rules/sigma_win_powershell_bitsjob.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect download by BITS jobs via PowerShell
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:*Start\-BitsTransfer*)
-index: wazuh-alerts-3.x-*
-name: f67dbfce-93bc-440d-86ad-a95ae8858c90_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_dll_execution.yml b/elastalert_rules/sigma_win_powershell_dll_execution.yml
deleted file mode 100644
index e8590198..00000000
--- a/elastalert_rules/sigma_win_powershell_dll_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:(*\\rundll32.exe) OR data.win.eventdata.description.keyword:(*Windows\-Hostprozess\ \(Rundll32\)*)) AND data.win.eventdata.commandLine.keyword:(*Default.GetString* OR *FromBase64String*))
-index: wazuh-alerts-3.x-*
-name: 6812a10b-60ea-420c-832f-dfcc33b646ba_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_downgrade_attack.yml b/elastalert_rules/sigma_win_powershell_downgrade_attack.yml
deleted file mode 100644
index c554e2c4..00000000
--- a/elastalert_rules/sigma_win_powershell_downgrade_attack.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ \-version\ 2\ * OR *\ \-versio\ 2\ * OR *\ \-versi\ 2\ * OR *\ \-vers\ 2\ * OR *\ \-ver\ 2\ * OR *\ \-ve\ 2\ *) AND data.win.eventdata.image.keyword:*\\powershell.exe)
-index: wazuh-alerts-3.x-*
-name: b3512211-c67e-4707-bedc-66efc7848863_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_download.yml b/elastalert_rules/sigma_win_powershell_download.yml
deleted file mode 100644
index dde14882..00000000
--- a/elastalert_rules/sigma_win_powershell_download.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a Powershell process that contains download commands in its command line string
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:(*new\-object\ system.net.webclient\).downloadstring\(* OR *new\-object\ system.net.webclient\).downloadfile\(* OR *new\-object\ net.webclient\).downloadstring\(* OR *new\-object\ net.webclient\).downloadfile\(*))
-index: wazuh-alerts-3.x-*
-name: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_frombase64string.yml b/elastalert_rules/sigma_win_powershell_frombase64string.yml
deleted file mode 100644
index 5cc3c8de..00000000
--- a/elastalert_rules/sigma_win_powershell_frombase64string.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious FromBase64String expressions in command line arguments
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\:\:FromBase64String\(*)
-index: wazuh-alerts-3.x-*
-name: e32d4572-9826-4738-b651-95fa63747e8a_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_suspicious_parameter_variation.yml b/elastalert_rules/sigma_win_powershell_suspicious_parameter_variation.yml
deleted file mode 100644
index fde8ee7b..00000000
--- a/elastalert_rules/sigma_win_powershell_suspicious_parameter_variation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious PowerShell invocation with a parameter substring
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\Powershell.exe) AND data.win.eventdata.commandLine.keyword:(*\ \-windowstyle\ h\ * OR *\ \-windowstyl\ h* OR *\ \-windowsty\ h* OR *\ \-windowst\ h* OR *\ \-windows\ h* OR *\ \-windo\ h* OR *\ \-wind\ h* OR *\ \-win\ h* OR *\ \-wi\ h* OR *\ \-win\ h\ * OR *\ \-win\ hi\ * OR *\ \-win\ hid\ * OR *\ \-win\ hidd\ * OR *\ \-win\ hidde\ * OR *\ \-NoPr\ * OR *\ \-NoPro\ * OR *\ \-NoProf\ * OR *\ \-NoProfi\ * OR *\ \-NoProfil\ * OR *\ \-nonin\ * OR *\ \-nonint\ * OR *\ \-noninte\ * OR *\ \-noninter\ * OR *\ \-nonintera\ * OR *\ \-noninterac\ * OR *\ \-noninteract\ * OR *\ \-noninteracti\ * OR *\ \-noninteractiv\ * OR *\ \-ec\ * OR *\ \-encodedComman\ * OR *\ \-encodedComma\ * OR *\ \-encodedComm\ * OR *\ \-encodedCom\ * OR *\ \-encodedCo\ * OR *\ \-encodedC\ * OR *\ \-encoded\ * OR *\ \-encode\ * OR *\ \-encod\ * OR *\ \-enco\ * OR *\ \-en\ *))
-index: wazuh-alerts-3.x-*
-name: 36210e0d-5b19-485d-a087-c096088885f0_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_web_request1.yml b/elastalert_rules/sigma_win_powershell_web_request1.yml
deleted file mode 100644
index f6b56b4b..00000000
--- a/elastalert_rules/sigma_win_powershell_web_request1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of various web request methods (including aliases) via Windows PowerShell
-filter:
-- query:
- query_string:
- query: data.win.eventdata.commandLine.keyword:(*Invoke\-WebRequest* OR *iwr\ * OR *wget\ * OR *curl\ * OR *Net.WebClient* OR *Start\-BitsTransfer*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_powershell_web_request
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_web_request2.yml b/elastalert_rules/sigma_win_powershell_web_request2.yml
deleted file mode 100644
index e78ac8ab..00000000
--- a/elastalert_rules/sigma_win_powershell_web_request2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of various web request methods (including aliases) via Windows PowerShell
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4104" AND ScriptBlockText.keyword:(*Invoke\-WebRequest* OR *iwr\ * OR *wget\ * OR *curl\ * OR *Net.WebClient* OR *Start\-BitsTransfer*))
-index: wazuh-alerts-3.x-*
-name: sigma_win_powershell_web_request
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powershell_xor_commandline.yml b/elastalert_rules/sigma_win_powershell_xor_commandline.yml
deleted file mode 100644
index 12108100..00000000
--- a/elastalert_rules/sigma_win_powershell_xor_commandline.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.description:"Windows\ PowerShell" OR data.win.eventdata.product:"PowerShell\ Core\ 6") AND data.win.eventdata.commandLine.keyword:(*bxor* OR *join* OR *char*))
-index: wazuh-alerts-3.x-*
-name: bb780e0c-16cf-4383-8383-1e5471db6cf9_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_powersploit_empire_schtasks.yml b/elastalert_rules/sigma_win_powersploit_empire_schtasks.yml
deleted file mode 100644
index c11ab8c6..00000000
--- a/elastalert_rules/sigma_win_powersploit_empire_schtasks.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:(*\\powershell.exe) AND data.win.eventdata.commandLine.keyword:(*schtasks*\/Create*\/SC\ *ONLOGON*\/TN\ *Updater*\/TR\ *powershell* OR *schtasks*\/Create*\/SC\ *DAILY*\/TN\ *Updater*\/TR\ *powershell* OR *schtasks*\/Create*\/SC\ *ONIDLE*\/TN\ *Updater*\/TR\ *powershell* OR *schtasks*\/Create*\/SC\ *Updater*\/TN\ *Updater*\/TR\ *powershell*))
-index: wazuh-alerts-3.x-*
-name: 56c217c3-2de2-479b-990f-5c109ba8458f_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_proc_wrong_parent.yml b/elastalert_rules/sigma_win_proc_wrong_parent.yml
deleted file mode 100644
index b1141b0d..00000000
--- a/elastalert_rules/sigma_win_proc_wrong_parent.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect suspicious parent processes of well-known Windows processes
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:(*\\svchost.exe OR *\\taskhost.exe OR *\\lsm.exe OR *\\lsass.exe OR *\\services.exe OR *\\lsaiso.exe OR *\\csrss.exe OR *\\wininit.exe OR *\\winlogon.exe) AND (NOT (data.win.eventdata.parentImage.keyword:(*\\System32\\* OR *\\SysWOW64\\* OR *\\SavService.exe OR *\\Windows\ Defender\\*\\MsMpEng.exe)))) AND (NOT (NOT _exists_:data.win.eventdata.parentImage)))
-index: wazuh-alerts-3.x-*
-name: 96036718-71cc-4027-a538-d1587e0006a7_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_process_creation_bitsadmin_download.yml b/elastalert_rules/sigma_win_process_creation_bitsadmin_download.yml
deleted file mode 100644
index b149b7d4..00000000
--- a/elastalert_rules/sigma_win_process_creation_bitsadmin_download.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects usage of bitsadmin downloading a file
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:(*\\bitsadmin.exe) AND data.win.eventdata.commandLine.keyword:(*\ \/transfer\ *)) OR data.win.eventdata.commandLine.keyword:(*copy\ bitsadmin.exe*)))
-index: wazuh-alerts-3.x-*
-name: d059842b-6b9d-4ed1-b5c3-5b89143c6ede_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_process_dump_rundll32_comsvcs.yml b/elastalert_rules/sigma_win_process_dump_rundll32_comsvcs.yml
deleted file mode 100644
index 74faaaf4..00000000
--- a/elastalert_rules/sigma_win_process_dump_rundll32_comsvcs.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*))
-index: wazuh-alerts-3.x-*
-name: 646ea171-dded-4578-8a4d-65e9822892e3_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_protected_storage_service_access.yml b/elastalert_rules/sigma_win_protected_storage_service_access.yml
deleted file mode 100644
index b5ca5f0f..00000000
--- a/elastalert_rules/sigma_win_protected_storage_service_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5145" AND data.win.eventdata.shareName.keyword:*IPC* AND data.win.eventdata.relativeTargetName:"protected_storage")
-index: wazuh-alerts-3.x-*
-name: sigma_win_protected_storage_service_access
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_psexesvc_start.yml b/elastalert_rules/sigma_win_psexesvc_start.yml
deleted file mode 100644
index af936241..00000000
--- a/elastalert_rules/sigma_win_psexesvc_start.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a PsExec service start
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine:"C\:\\Windows\\PSEXESVC.exe")
-index: wazuh-alerts-3.x-*
-name: 3ede524d-21cc-472d-a3ce-d21b568d8db7_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_quarkspwdump_clearing_hive_access_history.yml b/elastalert_rules/sigma_win_quarkspwdump_clearing_hive_access_history.yml
deleted file mode 100644
index f9e32cf3..00000000
--- a/elastalert_rules/sigma_win_quarkspwdump_clearing_hive_access_history.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects QuarksPwDump clearing access history in hive
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"16" AND hive_name.keyword:*\\AppData\\Local\\Temp\\SAM* AND hive_name.keyword:*.dmp)
-index: wazuh-alerts-3.x-*
-name: sigma_win_quarkspwdump_clearing_hive_access_history
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_query_registry.yml b/elastalert_rules/sigma_win_query_registry.yml
deleted file mode 100644
index 1eb3a02d..00000000
--- a/elastalert_rules/sigma_win_query_registry.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\reg.exe AND data.win.eventdata.commandLine.keyword:(*query* OR *save* OR *export*) AND data.win.eventdata.commandLine.keyword:(*currentVersion\\windows* OR *currentVersion\\runServicesOnce* OR *currentVersion\\runServices* OR *winlogon\\* OR *currentVersion\\shellServiceObjectDelayLoad* OR *currentVersion\\runOnce* OR *currentVersion\\runOnceEx* OR *currentVersion\\run* OR *currentVersion\\policies\\explorer\\run* OR *currentcontrolset\\services*))
-index: wazuh-alerts-3.x-*
-name: 970007b7-ce32-49d0-a4a4-fbef016950bd_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_rare_schtask_creation.yml b/elastalert_rules/sigma_win_rare_schtask_creation.yml
deleted file mode 100644
index 6ffda34f..00000000
--- a/elastalert_rules/sigma_win_rare_schtask_creation.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- days: 7
-description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
-doc_type: doc
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:"106"
-index: wazuh-alerts-3.x-*
-metric_agg_key: _id
-metric_agg_type: cardinality
-min_threshold: 5
-name: sigma_win_rare_schtask_creation
-priority: 4
-query_key: task_name.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_win_rare_schtasks_creations.yml b/elastalert_rules/sigma_win_rare_schtasks_creations.yml
deleted file mode 100644
index 3db686f4..00000000
--- a/elastalert_rules/sigma_win_rare_schtasks_creations.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- days: 7
-description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
-doc_type: doc
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:"4698"
-index: wazuh-alerts-3.x-*
-metric_agg_key: _id
-metric_agg_type: cardinality
-min_threshold: 5
-name: sigma_win_rare_schtasks_creations
-priority: 4
-query_key: task_name.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_win_rare_service_installs.yml b/elastalert_rules/sigma_win_rare_service_installs.yml
deleted file mode 100644
index 5250e03c..00000000
--- a/elastalert_rules/sigma_win_rare_service_installs.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- days: 7
-description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
-doc_type: doc
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:"7045"
-index: wazuh-alerts-3.x-*
-metric_agg_key: _id
-metric_agg_type: cardinality
-min_threshold: 5
-name: sigma_win_rare_service_installs
-priority: 4
-query_key: data.win.eventdata.imagePath.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_win_rdp_bluekeep_poc_scanner.yml b/elastalert_rules/sigma_win_rdp_bluekeep_poc_scanner.yml
deleted file mode 100644
index e5ad7ea8..00000000
--- a/elastalert_rules/sigma_win_rdp_bluekeep_poc_scanner.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4625" AND data.win.eventdata.accountName:"AAAAAAA")
-index: wazuh-alerts-3.x-*
-name: sigma_win_rdp_bluekeep_poc_scanner
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_rdp_hijack_shadowing.yml b/elastalert_rules/sigma_win_rdp_hijack_shadowing.yml
deleted file mode 100644
index 1f04c59c..00000000
--- a/elastalert_rules/sigma_win_rdp_hijack_shadowing.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects RDP session hijacking by using MSTSC shadowing
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*noconsentprompt* AND data.win.eventdata.commandLine.keyword:*shadow\:*)
-index: wazuh-alerts-3.x-*
-name: 6ba5a05f-b095-4f0a-8654-b825f4f16334_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_rdp_localhost_login.yml b/elastalert_rules/sigma_win_rdp_localhost_login.yml
deleted file mode 100644
index 8907bd94..00000000
--- a/elastalert_rules/sigma_win_rdp_localhost_login.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: RDP login with localhost source address may be a tunnelled login
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4624" AND data.win.eventdata.logonType:"10" AND SourceNetworkAddress:("\:\:1" OR "127.0.0.1"))
-index: wazuh-alerts-3.x-*
-name: sigma_win_rdp_localhost_login
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_rdp_potential_cve-2019-0708.yml b/elastalert_rules/sigma_win_rdp_potential_cve-2019-0708.yml
deleted file mode 100644
index dd7fceb8..00000000
--- a/elastalert_rules/sigma_win_rdp_potential_cve-2019-0708.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("56" OR "50") AND data.win.eventdata.source Name:"TermDD")
-index: wazuh-alerts-3.x-*
-name: sigma_win_rdp_potential_cve-2019-0708
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_rdp_reverse_tunnel.yml b/elastalert_rules/sigma_win_rdp_reverse_tunnel.yml
deleted file mode 100644
index fdc2c652..00000000
--- a/elastalert_rules/sigma_win_rdp_reverse_tunnel.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects svchost hosting RDP termsvcs communicating with the loopback address
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5156" AND ((data.win.eventdata.sourcePort:"3389" AND DestinationAddress.keyword:(127.* OR \:\:1)) OR (data.win.eventdata.destinationPort:"3389" AND src_ip_addr.keyword:(127.* OR \:\:1))))
-index: wazuh-alerts-3.x-*
-name: sigma_win_rdp_reverse_tunnel
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_redmimicry_winnti_proc.yml b/elastalert_rules/sigma_win_redmimicry_winnti_proc.yml
deleted file mode 100644
index 8e170507..00000000
--- a/elastalert_rules/sigma_win_redmimicry_winnti_proc.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects actions caused by the RedMimicry Winnti playbook
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*rundll32.exe* OR *cmd.exe*) AND data.win.eventdata.commandLine.keyword:(*gthread\-3.6.dll* OR *\\Windows\\Temp\\tmp.bat* OR *sigcmm\-2.4.dll*))
-index: wazuh-alerts-3.x-*
-name: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_register_new_logon_process_by_rubeus.yml b/elastalert_rules/sigma_win_register_new_logon_process_by_rubeus.yml
deleted file mode 100644
index 6e76b525..00000000
--- a/elastalert_rules/sigma_win_register_new_logon_process_by_rubeus.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects potential use of Rubeus via registered new trusted logon process
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4611" AND data.win.eventdata.logonProcessName:"User32LogonProcesss")
-index: wazuh-alerts-3.x-*
-name: sigma_win_register_new_logon_process_by_rubeus
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_remote_powershell_session.yml b/elastalert_rules/sigma_win_remote_powershell_session.yml
deleted file mode 100644
index b13aadee..00000000
--- a/elastalert_rules/sigma_win_remote_powershell_session.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5156" AND DestPort:("5985" OR "5986") AND LayerRTID:"44")
-index: wazuh-alerts-3.x-*
-name: sigma_win_remote_powershell_session
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_remote_powershell_session_process.yml b/elastalert_rules/sigma_win_remote_powershell_session_process.yml
deleted file mode 100644
index 8ea22dc3..00000000
--- a/elastalert_rules/sigma_win_remote_powershell_session_process.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\wsmprovhost.exe OR data.win.eventdata.parentImage.keyword:*\\wsmprovhost.exe))
-index: wazuh-alerts-3.x-*
-name: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_remote_registry_management_using_reg_utility.yml b/elastalert_rules/sigma_win_remote_registry_management_using_reg_utility.yml
deleted file mode 100644
index 372aff1f..00000000
--- a/elastalert_rules/sigma_win_remote_registry_management_using_reg_utility.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Remote registry management using REG utility from non-admin workstation
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"5145" AND data.win.eventdata.relativeTargetName.keyword:*\\winreg*) AND (NOT (src_ip_addr:"%Admins_Workstations%")))
-index: wazuh-alerts-3.x-*
-name: sigma_win_remote_registry_management_using_reg_utility
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_remote_time_discovery.yml b/elastalert_rules/sigma_win_remote_time_discovery.yml
deleted file mode 100644
index ab44083a..00000000
--- a/elastalert_rules/sigma_win_remote_time_discovery.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*time*) OR (data.win.eventdata.image.keyword:*\\w32tm.exe AND data.win.eventdata.commandLine.keyword:*tz*) OR (data.win.eventdata.image.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:*Get\-Date*)))
-index: wazuh-alerts-3.x-*
-name: b243b280-65fe-48df-ba07-6ddea7646427_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_renamed_binary.yml b/elastalert_rules/sigma_win_renamed_binary.yml
deleted file mode 100644
index 421b5dc0..00000000
--- a/elastalert_rules/sigma_win_renamed_binary.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.originalFileName:("cmd.exe" OR "powershell.exe" OR "powershell_ise.exe" OR "psexec.exe" OR "psexec.c" OR "cscript.exe" OR "wscript.exe" OR "mshta.exe" OR "regsvr32.exe" OR "wmic.exe" OR "certutil.exe" OR "rundll32.exe" OR "cmstp.exe" OR "msiexec.exe" OR "7z.exe" OR "winrar.exe" OR "wevtutil.exe" OR "net.exe" OR "net1.exe" OR "netsh.exe") AND (NOT (data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\powershell_ise.exe OR *\\psexec.exe OR *\\psexec64.exe OR *\\cscript.exe OR *\\wscript.exe OR *\\mshta.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\certutil.exe OR *\\rundll32.exe OR *\\cmstp.exe OR *\\msiexec.exe OR *\\7z.exe OR *\\winrar.exe OR *\\wevtutil.exe OR *\\net.exe OR *\\net1.exe OR *\\netsh.exe))))
-index: wazuh-alerts-3.x-*
-name: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_renamed_binary_highly_relevant.yml b/elastalert_rules/sigma_win_renamed_binary_highly_relevant.yml
deleted file mode 100644
index 7496b64b..00000000
--- a/elastalert_rules/sigma_win_renamed_binary_highly_relevant.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.originalFileName:("powershell.exe" OR "powershell_ise.exe" OR "psexec.exe" OR "psexec.c" OR "cscript.exe" OR "wscript.exe" OR "mshta.exe" OR "regsvr32.exe" OR "wmic.exe" OR "certutil.exe" OR "rundll32.exe" OR "cmstp.exe" OR "msiexec.exe") AND (NOT (data.win.eventdata.image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe OR *\\psexec.exe OR *\\psexec64.exe OR *\\cscript.exe OR *\\wscript.exe OR *\\mshta.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\certutil.exe OR *\\rundll32.exe OR *\\cmstp.exe OR *\\msiexec.exe))))
-index: wazuh-alerts-3.x-*
-name: 0ba1da6d-b6ce-4366-828c-18826c9de23e_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_renamed_jusched.yml b/elastalert_rules/sigma_win_renamed_jusched.yml
deleted file mode 100644
index 269732ae..00000000
--- a/elastalert_rules/sigma_win_renamed_jusched.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects renamed jusched.exe used by cobalt group
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.system.eventID:"1" AND (data.win.eventdata.description:"Java\ Update\ Scheduler" OR data.win.eventdata.description:"Java\(TM\)\ Update\ Scheduler")) AND (NOT (data.win.eventdata.image.keyword:(*\\jusched.exe))))
-index: wazuh-alerts-3.x-*
-name: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_renamed_paexec.yml b/elastalert_rules/sigma_win_renamed_paexec.yml
deleted file mode 100644
index 44f464b4..00000000
--- a/elastalert_rules/sigma_win_renamed_paexec.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects execution of renamed paexec via imphash and executable product string
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.system.eventID:"1" AND data.win.eventdata.product.keyword:(*PAExec*) AND hash_imphash:("11d40a7b7876288f919ab819cc2d9802" OR "11D40A7B7876288F919AB819CC2D9802" OR "6444f8a34e99b8f7d9647de66aabe516" OR "6444F8A34E99B8F7D9647DE66AABE516" OR "dfd6aa3f7b2b1035b76b718f1ddc689f" OR "DFD6AA3F7B2B1035B76B718F1DDC689F" OR "1a6cca4d5460b1710a12dea39e4a592c" OR "1A6CCA4D5460B1710A12DEA39E4A592C")) AND (NOT (data.win.eventdata.image.keyword:*paexec*)))
-index: wazuh-alerts-3.x-*
-name: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_renamed_powershell.yml b/elastalert_rules/sigma_win_renamed_powershell.yml
deleted file mode 100644
index 42b87889..00000000
--- a/elastalert_rules/sigma_win_renamed_powershell.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a renamed PowerShell often used by attackers or malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.description:"Windows\ PowerShell" AND data.win.eventdata.company:"Microsoft\ Corporation") AND (NOT (data.win.eventdata.image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe))))
-index: wazuh-alerts-3.x-*
-name: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_renamed_procdump.yml b/elastalert_rules/sigma_win_renamed_procdump.yml
deleted file mode 100644
index 344c36f8..00000000
--- a/elastalert_rules/sigma_win_renamed_procdump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.originalFileName:"procdump" AND (NOT (data.win.eventdata.image.keyword:(*\\procdump.exe OR *\\procdump64.exe))))
-index: wazuh-alerts-3.x-*
-name: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_renamed_psexec.yml b/elastalert_rules/sigma_win_renamed_psexec.yml
deleted file mode 100644
index eee65143..00000000
--- a/elastalert_rules/sigma_win_renamed_psexec.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a renamed PsExec often used by attackers or malware
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.description:"Execute\ processes\ remotely" AND data.win.eventdata.product:"Sysinternals\ PsExec") AND (NOT (data.win.eventdata.image.keyword:(*\\PsExec.exe OR *\\PsExec64.exe))))
-index: wazuh-alerts-3.x-*
-name: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_run_powershell_script_from_ads.yml b/elastalert_rules/sigma_win_run_powershell_script_from_ads.yml
deleted file mode 100644
index 9c7eace0..00000000
--- a/elastalert_rules/sigma_win_run_powershell_script_from_ads.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PowerShell script execution from Alternate Data Stream (ADS)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\powershell.exe AND data.win.eventdata.image.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:*Get\-Content* AND data.win.eventdata.commandLine.keyword:*\-Stream*)
-index: wazuh-alerts-3.x-*
-name: 45a594aa-1fbd-4972-a809-ff5a99dd81b8_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_sam_registry_hive_handle_request.yml b/elastalert_rules/sigma_win_sam_registry_hive_handle_request.yml
deleted file mode 100644
index bff4d480..00000000
--- a/elastalert_rules/sigma_win_sam_registry_hive_handle_request.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects handles requested to SAM registry hive
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4656" AND data.win.eventdata.objectType:"Key" AND data.win.eventdata.objectName.keyword:*\\SAM)
-index: wazuh-alerts-3.x-*
-name: sigma_win_sam_registry_hive_handle_request
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_scm_database_handle_failure.yml b/elastalert_rules/sigma_win_scm_database_handle_failure.yml
deleted file mode 100644
index 5e6b96db..00000000
--- a/elastalert_rules/sigma_win_scm_database_handle_failure.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects non-system users failing to get a handle of the SCM database.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4656" AND data.win.eventdata.objectType:"SC_MANAGER\ OBJECT" AND data.win.eventdata.objectName:"servicesactive" AND Keywords:"Audit\ Failure" AND SubjectLogonId:"0x3e4")
-index: wazuh-alerts-3.x-*
-name: sigma_win_scm_database_handle_failure
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_scm_database_privileged_operation.yml b/elastalert_rules/sigma_win_scm_database_privileged_operation.yml
deleted file mode 100644
index d842d4c7..00000000
--- a/elastalert_rules/sigma_win_scm_database_privileged_operation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects non-system users performing privileged operation os the SCM database
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4674" AND data.win.eventdata.objectType:"SC_MANAGER\ OBJECT" AND data.win.eventdata.objectName:"servicesactive" AND PrivilegeList:"SeTakeOwnershipPrivilege" AND SubjectLogonId:"0x3e4")
-index: wazuh-alerts-3.x-*
-name: sigma_win_scm_database_privileged_operation
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_sdbinst_shim_persistence.yml b/elastalert_rules/sigma_win_sdbinst_shim_persistence.yml
deleted file mode 100644
index e3c17c96..00000000
--- a/elastalert_rules/sigma_win_sdbinst_shim_persistence.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\sdbinst.exe) AND data.win.eventdata.commandLine.keyword:(*.sdb*))
-index: wazuh-alerts-3.x-*
-name: 517490a7-115a-48c6-8862-1a481504d5a8_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_service_execution.yml b/elastalert_rules/sigma_win_service_execution.yml
deleted file mode 100644
index 70e19f7d..00000000
--- a/elastalert_rules/sigma_win_service_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects manual service execution (start) via system utilities
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*\ start\ *)
-index: wazuh-alerts-3.x-*
-name: 2a072a96-a086-49fa-bcb5-15cc5a619093_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_service_stop.yml b/elastalert_rules/sigma_win_service_stop.yml
deleted file mode 100644
index b01423e7..00000000
--- a/elastalert_rules/sigma_win_service_stop.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a windows service to be stopped
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\sc.exe OR *\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:*stop*)
-index: wazuh-alerts-3.x-*
-name: eb87818d-db5d-49cc-a987-d5da331fbd90_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_shadow_copies_access_symlink.yml b/elastalert_rules/sigma_win_shadow_copies_access_symlink.yml
deleted file mode 100644
index 12dd5563..00000000
--- a/elastalert_rules/sigma_win_shadow_copies_access_symlink.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Shadow Copies storage symbolic link creation using operating systems utilities
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*mklink* AND data.win.eventdata.commandLine.keyword:*HarddiskVolumeShadowCopy*)
-index: wazuh-alerts-3.x-*
-name: 40b19fa6-d835-400c-b301-41f3a2baacaf_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_shadow_copies_creation.yml b/elastalert_rules/sigma_win_shadow_copies_creation.yml
deleted file mode 100644
index 8a44780a..00000000
--- a/elastalert_rules/sigma_win_shadow_copies_creation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Shadow Copies creation using operating systems utilities, possible credential access
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\powershell.exe OR *\\wmic.exe OR *\\vssadmin.exe) AND data.win.eventdata.commandLine.keyword:*shadow* AND data.win.eventdata.commandLine.keyword:*create*)
-index: wazuh-alerts-3.x-*
-name: b17ea6f7-6e90-447e-a799-e6c0a493d6ce_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_shadow_copies_deletion.yml b/elastalert_rules/sigma_win_shadow_copies_deletion.yml
deleted file mode 100644
index 5127cebc..00000000
--- a/elastalert_rules/sigma_win_shadow_copies_deletion.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Shadow Copies deletion using operating systems utilities
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\powershell.exe OR *\\wmic.exe OR *\\vssadmin.exe) AND data.win.eventdata.commandLine.keyword:*shadow* AND data.win.eventdata.commandLine.keyword:*delete*)
-index: wazuh-alerts-3.x-*
-name: c947b146-0abc-4c87-9c64-b17e9d7274a2_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_shell_spawn_susp_program.yml b/elastalert_rules/sigma_win_shell_spawn_susp_program.yml
deleted file mode 100644
index 4f124bc8..00000000
--- a/elastalert_rules/sigma_win_shell_spawn_susp_program.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious child process of a Windows shell
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.parentImage.keyword:(*\\mshta.exe OR *\\powershell.exe OR *\\rundll32.exe OR *\\cscript.exe OR *\\wscript.exe OR *\\wmiprvse.exe) AND data.win.eventdata.image.keyword:(*\\schtasks.exe OR *\\nslookup.exe OR *\\certutil.exe OR *\\bitsadmin.exe OR *\\mshta.exe)) AND (NOT (data.win.eventdata.currentDirectory.keyword:*\\ccmcache\\*)))
-index: wazuh-alerts-3.x-*
-name: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_silenttrinity_stage_use1.yml b/elastalert_rules/sigma_win_silenttrinity_stage_use1.yml
deleted file mode 100644
index 44c62b6a..00000000
--- a/elastalert_rules/sigma_win_silenttrinity_stage_use1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects SILENTTRINITY stager use
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.description.keyword:*st2stager*)
-index: wazuh-alerts-3.x-*
-name: 03552375-cc2c-4883-bbe4-7958d5a980be_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_silenttrinity_stage_use2.yml b/elastalert_rules/sigma_win_silenttrinity_stage_use2.yml
deleted file mode 100644
index 0cf02473..00000000
--- a/elastalert_rules/sigma_win_silenttrinity_stage_use2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects SILENTTRINITY stager use
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7" AND data.win.eventdata.description.keyword:*st2stager*)
-index: wazuh-alerts-3.x-*
-name: 03552375-cc2c-4883-bbe4-7958d5a980be-2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_soundrec_audio_capture.yml b/elastalert_rules/sigma_win_soundrec_audio_capture.yml
deleted file mode 100644
index 1e4b6c57..00000000
--- a/elastalert_rules/sigma_win_soundrec_audio_capture.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect attacker collecting audio via SoundRecorder application
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\SoundRecorder.exe AND data.win.eventdata.commandLine.keyword:*\/FILE*)
-index: wazuh-alerts-3.x-*
-name: 83865853-59aa-449e-9600-74b9d89a6d6e_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_spn_enum.yml b/elastalert_rules/sigma_win_spn_enum.yml
deleted file mode 100644
index ce3485b7..00000000
--- a/elastalert_rules/sigma_win_spn_enum.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Service Principal Name Enumeration used for Kerberoasting
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\setspn.exe OR data.win.eventdata.description.keyword:*Query\ or\ reset\ the\ computer*\ SPN\ attribute*) AND data.win.eventdata.commandLine.keyword:*\-q*)
-index: wazuh-alerts-3.x-*
-name: 1eeed653-dbc8-4187-ad0c-eeebb20e6599_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_add_domain_trust.yml b/elastalert_rules/sigma_win_susp_add_domain_trust.yml
deleted file mode 100644
index 5ada44ab..00000000
--- a/elastalert_rules/sigma_win_susp_add_domain_trust.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Addition of domains is seldom and should be verified for legitimacy.
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:"4706"
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_add_domain_trust
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_add_sid_history.yml b/elastalert_rules/sigma_win_susp_add_sid_history.yml
deleted file mode 100644
index 22440ccc..00000000
--- a/elastalert_rules/sigma_win_susp_add_sid_history.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: An attacker can use the SID history attribute to gain additional privileges.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("4765" OR "4766") OR ((data.win.system.eventID:"4738" AND (NOT (SidHistory:("\-" OR "%%1793")))) AND (NOT (NOT _exists_:SidHistory))))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_add_sid_history
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_adfind.yml b/elastalert_rules/sigma_win_susp_adfind.yml
deleted file mode 100644
index 4a8ddc01..00000000
--- a/elastalert_rules/sigma_win_susp_adfind.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of a AdFind for Active Directory enumeration
-filter:
-- query:
- query_string:
- query: (ProcessCommandline.keyword:*objectcategory* AND data.win.eventdata.image.keyword:(*\\adfind.exe))
-index: wazuh-alerts-3.x-*
-name: 75df3b17-8bcc-4565-b89b-c9898acef911_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_backup_delete.yml b/elastalert_rules/sigma_win_susp_backup_delete.yml
deleted file mode 100644
index ebbf8c41..00000000
--- a/elastalert_rules/sigma_win_susp_backup_delete.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects backup catalog deletions
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"524" AND data.win.eventdata.source Name:"Microsoft\-Windows\-Backup")
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_backup_delete
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_bcdedit.yml b/elastalert_rules/sigma_win_susp_bcdedit.yml
deleted file mode 100644
index 11337fd2..00000000
--- a/elastalert_rules/sigma_win_susp_bcdedit.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\bcdedit.exe AND data.win.eventdata.commandLine.keyword:(*delete* OR *deletevalue* OR *import*))
-index: wazuh-alerts-3.x-*
-name: c9fbe8e9-119d-40a6-9b59-dd58a5d84429_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_bginfo.yml b/elastalert_rules/sigma_win_susp_bginfo.yml
deleted file mode 100644
index 25672739..00000000
--- a/elastalert_rules/sigma_win_susp_bginfo.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Execute VBscript code that is referenced within the *.bgi file.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\bginfo.exe AND data.win.eventdata.commandLine.keyword:*\/popup* AND data.win.eventdata.commandLine.keyword:*\/nolicprompt*)
-index: wazuh-alerts-3.x-*
-name: aaf46cdc-934e-4284-b329-34aa701e3771_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_calc.yml b/elastalert_rules/sigma_win_susp_calc.yml
deleted file mode 100644
index 0cd96e0e..00000000
--- a/elastalert_rules/sigma_win_susp_calc.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:*\\calc.exe\ * OR (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\calc.exe AND (NOT (data.win.eventdata.image.keyword:*\\Windows\\Sys*)))))
-index: wazuh-alerts-3.x-*
-name: 737e618a-a410-49b5-bec3-9e55ff7fbc15_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_cdb.yml b/elastalert_rules/sigma_win_susp_cdb.yml
deleted file mode 100644
index 5bc21ab8..00000000
--- a/elastalert_rules/sigma_win_susp_cdb.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Launch 64-bit shellcode from a debugger script file using cdb.exe.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\cdb.exe AND data.win.eventdata.commandLine.keyword:*\-cf*)
-index: wazuh-alerts-3.x-*
-name: b5c7395f-e501-4a08-94d4-57fe7a9da9d2_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_certutil_command.yml b/elastalert_rules/sigma_win_susp_certutil_command.yml
deleted file mode 100644
index 8236cefc..00000000
--- a/elastalert_rules/sigma_win_susp_certutil_command.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ \-decode\ * OR *\ \/decode\ * OR *\ \-decodehex\ * OR *\ \/decodehex\ * OR *\ \-urlcache\ * OR *\ \/urlcache\ * OR *\ \-verifyctl\ * OR *\ \/verifyctl\ * OR *\ \-encode\ * OR *\ \/encode\ * OR *certutil*\ \-URL* OR *certutil*\ \/URL* OR *certutil*\ \-ping* OR *certutil*\ \/ping*))
-index: wazuh-alerts-3.x-*
-name: e011a729-98a6-4139-b5c4-bf6f6dd8239a_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_certutil_encode.yml b/elastalert_rules/sigma_win_susp_certutil_encode.yml
deleted file mode 100644
index f74f8a46..00000000
--- a/elastalert_rules/sigma_win_susp_certutil_encode.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(certutil\ \-f\ \-encode\ * OR certutil.exe\ \-f\ \-encode\ * OR certutil\ \-encode\ \-f\ * OR certutil.exe\ \-encode\ \-f\ *))
-index: wazuh-alerts-3.x-*
-name: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_cli_escape.yml b/elastalert_rules/sigma_win_susp_cli_escape.yml
deleted file mode 100644
index e806bfb9..00000000
--- a/elastalert_rules/sigma_win_susp_cli_escape.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious process that use escape characters
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*h\^t\^t\^p* OR *h\"t\"t\"p*))
-index: wazuh-alerts-3.x-*
-name: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_cmd_http_appdata.yml b/elastalert_rules/sigma_win_susp_cmd_http_appdata.yml
deleted file mode 100644
index 39969ab0..00000000
--- a/elastalert_rules/sigma_win_susp_cmd_http_appdata.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(cmd.exe\ \/c\ *http\:\/\/*%AppData% OR cmd.exe\ \/c\ *https\:\/\/*%AppData%))
-index: wazuh-alerts-3.x-*
-name: 1ac8666b-046f-4201-8aba-1951aaec03a3_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_codeintegrity_check_failure.yml b/elastalert_rules/sigma_win_susp_codeintegrity_check_failure.yml
deleted file mode 100644
index c795601e..00000000
--- a/elastalert_rules/sigma_win_susp_codeintegrity_check_failure.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Code integrity failures may indicate tampered executables.
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:("5038" OR "6281")
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_codeintegrity_check_failure
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_codepage_switch.yml b/elastalert_rules/sigma_win_susp_codepage_switch.yml
deleted file mode 100644
index 46b2ba14..00000000
--- a/elastalert_rules/sigma_win_susp_codepage_switch.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a code page switch in command line or batch scripts to a rare language
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(chcp*\ 936 OR chcp*\ 1258))
-index: wazuh-alerts-3.x-*
-name: c7942406-33dd-4377-a564-0f62db0593a3_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_commands_recon_activity.yml b/elastalert_rules/sigma_win_susp_commands_recon_activity.yml
deleted file mode 100644
index b36fdfbe..00000000
--- a/elastalert_rules/sigma_win_susp_commands_recon_activity.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- seconds: 15
-description: Detects a set of commands often used in recon stages by different attack groups
-doc_type: doc
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(tasklist OR net\ time OR systeminfo OR whoami OR nbtstat OR net\ start OR *\\net1\ start OR qprocess OR nslookup OR hostname.exe OR *\\net1\ user\ \/domain OR *\\net1\ group\ \/domain OR *\\net1\ group\ \"domain\ admins\"\ \/domain OR *\\net1\ group\ \"Exchange\ Trusted\ Subsystem\"\ \/domain OR *\\net1\ accounts\ \/domain OR *\\net1\ user\ net\ localgroup\ administrators OR netstat\ \-an))
-index: wazuh-alerts-3.x-*
-max_threshold: 4
-metric_agg_key: _id
-metric_agg_type: cardinality
-name: 2887e914-ce96-435f-8105-593937e90757_0
-priority: 3
-query_key: data.win.eventdata.commandLine.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_win_susp_compression_params.yml b/elastalert_rules/sigma_win_susp_compression_params.yml
deleted file mode 100644
index e7d65b4b..00000000
--- a/elastalert_rules/sigma_win_susp_compression_params.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious command line arguments of common data compression tools
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.originalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND data.win.eventdata.commandLine.keyword:(*\ \-p* OR *\ \-ta* OR *\ \-tb* OR *\ \-sdel* OR *\ \-dw* OR *\ \-hp*)) AND (NOT (data.win.eventdata.parentImage.keyword:C\:\\Program*)))
-index: wazuh-alerts-3.x-*
-name: 27a72a60-7e5e-47b1-9d17-909c9abafdcd_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_comsvcs_procdump.yml b/elastalert_rules/sigma_win_susp_comsvcs_procdump.yml
deleted file mode 100644
index e8c373a2..00000000
--- a/elastalert_rules/sigma_win_susp_comsvcs_procdump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process memory dump via comsvcs.dll and rundll32
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\rundll32.exe OR data.win.eventdata.originalFileName:"RUNDLL32.EXE") AND data.win.eventdata.commandLine.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))
-index: wazuh-alerts-3.x-*
-name: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_control_dll_load.yml b/elastalert_rules/sigma_win_susp_control_dll_load.yml
deleted file mode 100644
index 60de247c..00000000
--- a/elastalert_rules/sigma_win_susp_control_dll_load.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.parentImage.keyword:*\\System32\\control.exe AND data.win.eventdata.commandLine.keyword:*\\rundll32.exe\ *) AND (NOT (data.win.eventdata.commandLine.keyword:*Shell32.dll*)))
-index: wazuh-alerts-3.x-*
-name: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_copy_lateral_movement.yml b/elastalert_rules/sigma_win_susp_copy_lateral_movement.yml
deleted file mode 100644
index e5b509cf..00000000
--- a/elastalert_rules/sigma_win_susp_copy_lateral_movement.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*copy\ *\\c$* OR *copy\ *\\ADMIN$*))
-index: wazuh-alerts-3.x-*
-name: 855bc8b5-2ae8-402e-a9ed-b889e6df1900_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_copy_system32.yml b/elastalert_rules/sigma_win_susp_copy_system32.yml
deleted file mode 100644
index 498fd2f7..00000000
--- a/elastalert_rules/sigma_win_susp_copy_system32.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ \/c\ copy\ *\\System32\\* OR *xcopy*\\System32\\*))
-index: wazuh-alerts-3.x-*
-name: fff9d2b7-e11c-4a69-93d3-40ef66189767_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_covenant.yml b/elastalert_rules/sigma_win_susp_covenant.yml
deleted file mode 100644
index c9561a2d..00000000
--- a/elastalert_rules/sigma_win_susp_covenant.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious command lines used in Covenant luanchers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ \-Sta\ \-Nop\ \-Window\ Hidden\ \-Command\ * OR *\ \-Sta\ \-Nop\ \-Window\ Hidden\ \-EncodedCommand\ * OR *sv\ o\ \(New\-Object\ IO.MemorySteam\);sv\ d\ * OR *mshta\ file.hta* OR *GruntHTTP* OR *\-EncodedCommand\ cwB2ACAAbwAgA*))
-index: wazuh-alerts-3.x-*
-name: c260b6db-48ba-4b4a-a76f-2f67644e99d2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_crackmapexec_execution.yml b/elastalert_rules/sigma_win_susp_crackmapexec_execution.yml
deleted file mode 100644
index 14fb2391..00000000
--- a/elastalert_rules/sigma_win_susp_crackmapexec_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect various execution methods of the CrackMapExec pentesting framework
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*cmd.exe\ \/Q\ \/c\ *\ 1>\ \\\\*\\*\\*\ 2>&1 OR *cmd.exe\ \/C\ *\ >\ \\\\*\\*\\*\ 2>&1 OR *cmd.exe\ \/C\ *\ >\ *\\Temp\\*\ 2>&1 OR *powershell.exe\ \-exec\ bypass\ \-noni\ \-nop\ \-w\ 1\ \-C\ \"* OR *powershell.exe\ \-noni\ \-nop\ \-w\ 1\ \-enc\ *))
-index: wazuh-alerts-3.x-*
-name: 058f4380-962d-40a5-afce-50207d36d7e2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_crackmapexec_powershell_obfuscation.yml b/elastalert_rules/sigma_win_susp_crackmapexec_powershell_obfuscation.yml
deleted file mode 100644
index c7d93f04..00000000
--- a/elastalert_rules/sigma_win_susp_crackmapexec_powershell_obfuscation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*powershell.exe* AND data.win.eventdata.commandLine.keyword:(*join*split* OR *\(\ $ShellId\[1\]\+$ShellId\[13\]\+'x'\)* OR *\(\ $PSHome\[*\]\+$PSHOME\[*\]\+* OR *\(\ $env\:Public\[13\]\+$env\:Public\[5\]\+'x'\)* OR *\(\ $env\:ComSpec\[4,*,25\]\-Join''\)* OR *\[1,3\]\+'x'\-Join''\)*))
-index: wazuh-alerts-3.x-*
-name: 6f8b3439-a203-45dc-a88b-abf57ea15ccf_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_csc.yml b/elastalert_rules/sigma_win_susp_csc.yml
deleted file mode 100644
index d94086a2..00000000
--- a/elastalert_rules/sigma_win_susp_csc.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\csc.exe* AND data.win.eventdata.parentImage.keyword:(*\\wscript.exe OR *\\cscript.exe OR *\\mshta.exe))
-index: wazuh-alerts-3.x-*
-name: b730a276-6b63-41b8-bcf8-55930c8fc6ee_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_csc_folder.yml b/elastalert_rules/sigma_win_susp_csc_folder.yml
deleted file mode 100644
index 6937fe99..00000000
--- a/elastalert_rules/sigma_win_susp_csc_folder.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\csc.exe AND data.win.eventdata.commandLine.keyword:(*\\AppData\\* OR *\\Windows\\Temp\\*)) AND (NOT (data.win.eventdata.parentImage.keyword:(C\:\\Program\ Files* OR *\\sdiagnhost.exe OR *\\w3wp.exe))))
-index: wazuh-alerts-3.x-*
-name: dcaa3f04-70c3-427a-80b4-b870d73c94c4_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_curl_download.yml b/elastalert_rules/sigma_win_susp_curl_download.yml
deleted file mode 100644
index 44275996..00000000
--- a/elastalert_rules/sigma_win_susp_curl_download.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\curl.exe OR data.win.eventdata.product:"The\ curl\ executable") AND data.win.eventdata.commandLine.keyword:*\ \-O\ *)
-index: wazuh-alerts-3.x-*
-name: e218595b-bbe7-4ee5-8a96-f32a24ad3468_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_curl_fileupload.yml b/elastalert_rules/sigma_win_susp_curl_fileupload.yml
deleted file mode 100644
index fa9a2c44..00000000
--- a/elastalert_rules/sigma_win_susp_curl_fileupload.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious curl process start the adds a file to a web request
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\curl.exe AND data.win.eventdata.commandLine.keyword:*\ \-F\ *)
-index: wazuh-alerts-3.x-*
-name: 00bca14a-df4e-4649-9054-3f2aa676bc04_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_curl_start_combo.yml b/elastalert_rules/sigma_win_susp_curl_start_combo.yml
deleted file mode 100644
index 8bb01e8c..00000000
--- a/elastalert_rules/sigma_win_susp_curl_start_combo.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*curl*\ start\ *)
-index: wazuh-alerts-3.x-*
-name: 21dd6d38-2b18-4453-9404-a0fe4a0cc288_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_dctask64_proc_inject.yml b/elastalert_rules/sigma_win_susp_dctask64_proc_inject.yml
deleted file mode 100644
index f2f2e91d..00000000
--- a/elastalert_rules/sigma_win_susp_dctask64_proc_inject.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious process injection using ZOHO's dctask64.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\dctask64.exe) AND (NOT (data.win.eventdata.commandLine.keyword:(*DesktopCentral_Agent\\agent*))))
-index: wazuh-alerts-3.x-*
-name: 6345b048-8441-43a7-9bed-541133633d7a_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_desktopimgdownldr.yml b/elastalert_rules/sigma_win_susp_desktopimgdownldr.yml
deleted file mode 100644
index 2c8d5ed1..00000000
--- a/elastalert_rules/sigma_win_susp_desktopimgdownldr.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\ \/lockscreenurl\:* AND (NOT (data.win.eventdata.commandLine.keyword:(*.jpg* OR *.jpeg* OR *.png*)))) OR (data.win.eventdata.commandLine.keyword:*reg\ delete* AND data.win.eventdata.commandLine.keyword:*\\PersonalizationCSP*)))
-index: wazuh-alerts-3.x-*
-name: bb58aa4a-b80b-415a-a2c0-2f65a4c81009_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_desktopimgdownldr_file.yml b/elastalert_rules/sigma_win_susp_desktopimgdownldr_file.yml
deleted file mode 100644
index aef22549..00000000
--- a/elastalert_rules/sigma_win_susp_desktopimgdownldr_file.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
-filter:
-- query:
- query_string:
- query: (((data.win.eventdata.image.keyword:*svchost.exe AND data.win.eventdata.targetFilename.keyword:*\\Personalization\\LockScreenImage\\*) AND (NOT (data.win.eventdata.targetFilename.keyword:*C\:\\Windows\\*))) AND (NOT (data.win.eventdata.targetFilename.keyword:(*.jpg* OR *.jpeg* OR *.png*))))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_desktopimgdownldr_file
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_devtoolslauncher.yml b/elastalert_rules/sigma_win_susp_devtoolslauncher.yml
deleted file mode 100644
index 4887ac1a..00000000
--- a/elastalert_rules/sigma_win_susp_devtoolslauncher.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: The Devtoolslauncher.exe executes other binary
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\devtoolslauncher.exe AND data.win.eventdata.commandLine.keyword:*LaunchForDeploy*)
-index: wazuh-alerts-3.x-*
-name: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_dhcp_config.yml b/elastalert_rules/sigma_win_susp_dhcp_config.yml
deleted file mode 100644
index 25377d4f..00000000
--- a/elastalert_rules/sigma_win_susp_dhcp_config.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1033" AND data.win.eventdata.source Name:"Microsoft\-Windows\-DHCP\-Server")
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_dhcp_config
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_dhcp_config_failed.yml b/elastalert_rules/sigma_win_susp_dhcp_config_failed.yml
deleted file mode 100644
index 27aee023..00000000
--- a/elastalert_rules/sigma_win_susp_dhcp_config_failed.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("1031" OR "1032" OR "1034") AND data.win.eventdata.source Name:"Microsoft\-Windows\-DHCP\-Server")
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_dhcp_config_failed
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_direct_asep_reg_keys_modification.yml b/elastalert_rules/sigma_win_susp_direct_asep_reg_keys_modification.yml
deleted file mode 100644
index e5383e07..00000000
--- a/elastalert_rules/sigma_win_susp_direct_asep_reg_keys_modification.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\reg.exe AND data.win.eventdata.commandLine.keyword:*add* AND data.win.eventdata.commandLine.keyword:(*\\software\\Microsoft\\Windows\\CurrentVersion\\Run* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Userinit* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Shell* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User\ Shell\ Folders* OR *\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell*))
-index: wazuh-alerts-3.x-*
-name: 24357373-078f-44ed-9ac4-6d334a668a11_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_disable_ie_features.yml b/elastalert_rules/sigma_win_susp_disable_ie_features.yml
deleted file mode 100644
index 0da9964d..00000000
--- a/elastalert_rules/sigma_win_susp_disable_ie_features.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.commandLine.keyword:*\ \-name\ IEHarden\ * AND data.win.eventdata.commandLine.keyword:*\ \-value\ 0\ *) OR (data.win.eventdata.commandLine.keyword:*\ \-name\ DEPOff\ * AND data.win.eventdata.commandLine.keyword:*\ \-value\ 1\ *) OR (data.win.eventdata.commandLine.keyword:*\ \-name\ DisableFirstRunCustomize\ * AND data.win.eventdata.commandLine.keyword:*\ \-value\ 2\ *)))
-index: wazuh-alerts-3.x-*
-name: fb50eb7a-5ab1-43ae-bcc9-091818cb8424_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_ditsnap.yml b/elastalert_rules/sigma_win_susp_ditsnap.yml
deleted file mode 100644
index b176b76e..00000000
--- a/elastalert_rules/sigma_win_susp_ditsnap.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:(*\\ditsnap.exe) OR data.win.eventdata.commandLine.keyword:(*ditsnap.exe*)))
-index: wazuh-alerts-3.x-*
-name: d3b70aad-097e-409c-9df2-450f80dc476b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_dns_config.yml b/elastalert_rules/sigma_win_susp_dns_config.yml
deleted file mode 100644
index 9d25c02d..00000000
--- a/elastalert_rules/sigma_win_susp_dns_config.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:("150" OR "770")
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_dns_config
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_dnx.yml b/elastalert_rules/sigma_win_susp_dnx.yml
deleted file mode 100644
index 7f9a54dd..00000000
--- a/elastalert_rules/sigma_win_susp_dnx.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Execute C# code located in the consoleapp folder
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\dnx.exe)
-index: wazuh-alerts-3.x-*
-name: 81ebd28b-9607-4478-bf06-974ed9d53ed7_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_double_extension.yml b/elastalert_rules/sigma_win_susp_double_extension.yml
deleted file mode 100644
index e4885421..00000000
--- a/elastalert_rules/sigma_win_susp_double_extension.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\ \ \ \ \ \ .exe OR *______.exe))
-index: wazuh-alerts-3.x-*
-name: 1cdd9a09-06c9-4769-99ff-626e2b3991b8_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_dsrm_password_change.yml b/elastalert_rules/sigma_win_susp_dsrm_password_change.yml
deleted file mode 100644
index 29bb233b..00000000
--- a/elastalert_rules/sigma_win_susp_dsrm_password_change.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:"4794"
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_dsrm_password_change
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_dxcap.yml b/elastalert_rules/sigma_win_susp_dxcap.yml
deleted file mode 100644
index 0589d169..00000000
--- a/elastalert_rules/sigma_win_susp_dxcap.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects execution of of Dxcap.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\dxcap.exe AND data.win.eventdata.commandLine.keyword:*\-c* AND data.win.eventdata.commandLine.keyword:*.exe*)
-index: wazuh-alerts-3.x-*
-name: 60f16a96-db70-42eb-8f76-16763e333590_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_esentutl_activity.yml b/elastalert_rules/sigma_win_susp_esentutl_activity.yml
deleted file mode 100644
index 6537f8ff..00000000
--- a/elastalert_rules/sigma_win_susp_esentutl_activity.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.commandLine.keyword:*\ \/vss\ * AND data.win.eventdata.commandLine.keyword:*\ \/y\ *)
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_esentutl_activity
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_eventlog_clear.yml b/elastalert_rules/sigma_win_susp_eventlog_clear.yml
deleted file mode 100644
index bdcc2f1d..00000000
--- a/elastalert_rules/sigma_win_susp_eventlog_clear.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (((data.win.eventdata.image.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:(*Clear\-EventLog* OR *Remove\-EventLog* OR *Limit\-EventLog*)) OR (data.win.eventdata.image.keyword:*\\wmic.exe AND data.win.eventdata.commandLine.keyword:*\ ClearEventLog\ *)) OR (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\wevtutil.exe AND data.win.eventdata.commandLine.keyword:(*clear\-log* OR *\ cl\ * OR *set\-log* OR *\ sl\ *))))
-index: wazuh-alerts-3.x-*
-name: cc36992a-4671-4f21-a91d-6c2b72a2edf5_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_eventlog_cleared.yml b/elastalert_rules/sigma_win_susp_eventlog_cleared.yml
deleted file mode 100644
index ea819a05..00000000
--- a/elastalert_rules/sigma_win_susp_eventlog_cleared.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"104" AND data.win.eventdata.source Name:"Microsoft\-Windows\-Eventlog")
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_eventlog_cleared
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_exec_folder.yml b/elastalert_rules/sigma_win_susp_exec_folder.yml
deleted file mode 100644
index 4b31d792..00000000
--- a/elastalert_rules/sigma_win_susp_exec_folder.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process starts of binaries from a suspicious folder
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(C\:\\PerfLogs\\* OR C\:\\$Recycle.bin\\* OR C\:\\Intel\\Logs\\* OR C\:\\Users\\Default\\* OR C\:\\Users\\Public\\* OR C\:\\Users\\NetworkService\\* OR C\:\\Windows\\Fonts\\* OR C\:\\Windows\\Debug\\* OR C\:\\Windows\\Media\\* OR C\:\\Windows\\Help\\* OR C\:\\Windows\\addins\\* OR C\:\\Windows\\repair\\* OR C\:\\Windows\\security\\* OR *\\RSA\\MachineKeys\\* OR C\:\\Windows\\system32\\config\\systemprofile\\* OR C\:\\Windows\\Tasks\\* OR C\:\\Windows\\System32\\Tasks\\*))
-index: wazuh-alerts-3.x-*
-name: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_execution_path.yml b/elastalert_rules/sigma_win_susp_execution_path.yml
deleted file mode 100644
index 4e20eeb8..00000000
--- a/elastalert_rules/sigma_win_susp_execution_path.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious exection from an uncommon folder
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\$Recycle.bin OR *\\Users\\All\ Users\\* OR *\\Users\\Default\\* OR *\\Users\\Public\\* OR C\:\\Perflogs\\* OR *\\config\\systemprofile\\* OR *\\Windows\\Fonts\\* OR *\\Windows\\IME\\* OR *\\Windows\\addins\\*))
-index: wazuh-alerts-3.x-*
-name: 3dfd06d2-eaf4-4532-9555-68aca59f57c4_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_execution_path_webserver.yml b/elastalert_rules/sigma_win_susp_execution_path_webserver.yml
deleted file mode 100644
index 75c16b69..00000000
--- a/elastalert_rules/sigma_win_susp_execution_path_webserver.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious program execution in a web service root folder (filter out false positives)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\wwwroot\\* OR *\\wmpub\\* OR *\\htdocs\\*) AND (NOT (data.win.eventdata.image.keyword:(*bin\\* OR *\\Tools\\* OR *\\SMSComponent\\*) AND data.win.eventdata.parentImage.keyword:(*\\services.exe))))
-index: wazuh-alerts-3.x-*
-name: 35efb964-e6a5-47ad-bbcd-19661854018d_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_explorer_break_proctree.yml b/elastalert_rules/sigma_win_susp_explorer_break_proctree.yml
deleted file mode 100644
index e515b476..00000000
--- a/elastalert_rules/sigma_win_susp_explorer_break_proctree.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*explorer.exe* AND data.win.eventdata.commandLine.keyword:*\ \/root,*)
-index: wazuh-alerts-3.x-*
-name: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_failed_logon_reasons.yml b/elastalert_rules/sigma_win_susp_failed_logon_reasons.yml
deleted file mode 100644
index 13a3190f..00000000
--- a/elastalert_rules/sigma_win_susp_failed_logon_reasons.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("4625" OR "4776") AND event_status:("0xC0000072" OR "0xC000006F" OR "0xC0000070" OR "0xC0000413" OR "0xC000018C" OR "0xC000015B"))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_failed_logon_reasons
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_failed_logon_source.yml b/elastalert_rules/sigma_win_susp_failed_logon_source.yml
deleted file mode 100644
index 90f3f002..00000000
--- a/elastalert_rules/sigma_win_susp_failed_logon_source.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: A login from a public IP can indicate a misconfigured firewall or network boundary.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4625" AND (NOT ((src_ip_addr.keyword:*\-* OR src_ip_addr.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.* OR 169.254.*) OR src_ip_addr:"\:\:1" OR src_ip_addr.keyword:(fe80\:\:* OR fc00\:\:*)))))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_failed_logon_source
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_failed_logons_single_source1.yml b/elastalert_rules/sigma_win_susp_failed_logons_single_source1.yml
deleted file mode 100644
index 57040164..00000000
--- a/elastalert_rules/sigma_win_susp_failed_logons_single_source1.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- hours: 24
-description: Detects suspicious failed logins with different user accounts from a single source system
-doc_type: doc
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("529" OR "4625") AND user_name.keyword:* AND data.win.eventdata.sourceHostname.keyword:*)
-index: wazuh-alerts-3.x-*
-max_threshold: 3
-metric_agg_key: user_name.keyword
-metric_agg_type: cardinality
-name: sigma_win_susp_failed_logons_single_source
-priority: 3
-query_key: data.win.eventdata.sourceHostname.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_win_susp_failed_logons_single_source2.yml b/elastalert_rules/sigma_win_susp_failed_logons_single_source2.yml
deleted file mode 100644
index 0b0480d7..00000000
--- a/elastalert_rules/sigma_win_susp_failed_logons_single_source2.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-alert:
-- debug
-buffer_time:
- hours: 24
-description: Detects suspicious failed logins with different user accounts from a single source system
-doc_type: doc
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4776" AND user_name.keyword:* AND data.win.eventdata.sourceHostname.keyword:*)
-index: wazuh-alerts-3.x-*
-max_threshold: 3
-metric_agg_key: user_name.keyword
-metric_agg_type: cardinality
-name: sigma_win_susp_failed_logons_single_source
-priority: 3
-query_key: data.win.eventdata.sourceHostname.keyword
-realert:
- minutes: 0
-type: metric_aggregation
diff --git a/elastalert_rules/sigma_win_susp_file_characteristics.yml b/elastalert_rules/sigma_win_susp_file_characteristics.yml
deleted file mode 100644
index 7ea83e41..00000000
--- a/elastalert_rules/sigma_win_susp_file_characteristics.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.description:"\?" AND (data.win.eventdata.fileVersion:"\?" OR data.win.eventdata.product:"\?" OR data.win.eventdata.company:"\?") AND data.win.eventdata.image.keyword:*\\Downloads\\*)
-index: wazuh-alerts-3.x-*
-name: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_findstr_lnk.yml b/elastalert_rules/sigma_win_susp_findstr_lnk.yml
deleted file mode 100644
index d7d5a1ce..00000000
--- a/elastalert_rules/sigma_win_susp_findstr_lnk.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\findstr.exe AND data.win.eventdata.commandLine.keyword:*.lnk)
-index: wazuh-alerts-3.x-*
-name: 33339be3-148b-4e16-af56-ad16ec6c7e7b_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_firewall_disable.yml b/elastalert_rules/sigma_win_susp_firewall_disable.yml
deleted file mode 100644
index 3b2b4510..00000000
--- a/elastalert_rules/sigma_win_susp_firewall_disable.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects netsh commands that turns off the Windows firewall
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(netsh\ firewall\ set\ opmode\ mode\=disable OR netsh\ advfirewall\ set\ *\ state\ off))
-index: wazuh-alerts-3.x-*
-name: 57c4bf16-227f-4394-8ec7-1b745ee061c3_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_fsutil_usage.yml b/elastalert_rules/sigma_win_susp_fsutil_usage.yml
deleted file mode 100644
index 4e8a7c69..00000000
--- a/elastalert_rules/sigma_win_susp_fsutil_usage.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\fsutil.exe OR data.win.eventdata.originalFileName:"fsutil.exe") AND data.win.eventdata.commandLine.keyword:(*deletejournal* OR *createjournal*))
-index: wazuh-alerts-3.x-*
-name: add64136-62e5-48ea-807e-88638d02df1e_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_gup.yml b/elastalert_rules/sigma_win_susp_gup.yml
deleted file mode 100644
index 41cea498..00000000
--- a/elastalert_rules/sigma_win_susp_gup.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\GUP.exe AND (NOT (data.win.eventdata.image.keyword:(*\:\\Users\\*\\AppData\\Local\\Notepad\+\+\\updater\\GUP.exe OR *\:\\Users\\*\\AppData\\Roaming\\Notepad\+\+\\updater\\GUP.exe OR *\:\\Program\ Files\\Notepad\+\+\\updater\\GUP.exe OR *\:\\Program\ Files\ \(x86\)\\Notepad\+\+\\updater\\GUP.exe))))
-index: wazuh-alerts-3.x-*
-name: 0a4f6091-223b-41f6-8743-f322ec84930b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_interactive_logons.yml b/elastalert_rules/sigma_win_susp_interactive_logons.yml
deleted file mode 100644
index 06c32673..00000000
--- a/elastalert_rules/sigma_win_susp_interactive_logons.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects interactive console logons to Server Systems
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:("528" OR "529" OR "4624" OR "4625") AND data.win.eventdata.logonType:"2" AND data.win.system.computer:("%ServerSystems%" OR "%DomainControllers%")) AND (NOT (data.win.eventdata.logonProcessName:"Advapi" AND data.win.system.computer:"%Workstations%")))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_interactive_logons
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_iss_module_install.yml b/elastalert_rules/sigma_win_susp_iss_module_install.yml
deleted file mode 100644
index 1acf4963..00000000
--- a/elastalert_rules/sigma_win_susp_iss_module_install.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious IIS native-code module installations via command line
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\\APPCMD.EXE\ install\ module\ \/name\:*))
-index: wazuh-alerts-3.x-*
-name: 9465ddf4-f9e4-4ebd-8d98-702df3a93239_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_kerberos_manipulation.yml b/elastalert_rules/sigma_win_susp_kerberos_manipulation.yml
deleted file mode 100644
index e95c80f4..00000000
--- a/elastalert_rules/sigma_win_susp_kerberos_manipulation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("675" OR "4768" OR "4769" OR "4771") AND ticket_failure_code:("0x9" OR "0xA" OR "0xB" OR "0xF" OR "0x10" OR "0x11" OR "0x13" OR "0x14" OR "0x1A" OR "0x1F" OR "0x21" OR "0x22" OR "0x23" OR "0x24" OR "0x26" OR "0x27" OR "0x28" OR "0x29" OR "0x2C" OR "0x2D" OR "0x2E" OR "0x2F" OR "0x31" OR "0x32" OR "0x3E" OR "0x3F" OR "0x40" OR "0x41" OR "0x43" OR "0x44"))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_kerberos_manipulation
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_ldap_dataexchange.yml b/elastalert_rules/sigma_win_susp_ldap_dataexchange.yml
deleted file mode 100644
index b00ea4ad..00000000
--- a/elastalert_rules/sigma_win_susp_ldap_dataexchange.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5136" AND AttributeValue.keyword:* AND dsobject_attribute_name:("primaryInternationalISDNNumber" OR "otherFacsimileTelephoneNumber" OR "primaryTelexNumber"))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_ldap_dataexchange
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_local_anon_logon_created.yml b/elastalert_rules/sigma_win_susp_local_anon_logon_created.yml
deleted file mode 100644
index 7a2e2c02..00000000
--- a/elastalert_rules/sigma_win_susp_local_anon_logon_created.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4720" AND SAMAccountName.keyword:*ANONYMOUS*LOGON*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_local_anon_logon_created
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_lsass_dump.yml b/elastalert_rules/sigma_win_susp_lsass_dump.yml
deleted file mode 100644
index c189c788..00000000
--- a/elastalert_rules/sigma_win_susp_lsass_dump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4656" AND data.win.eventdata.processName:"C\:\\Windows\\System32\\lsass.exe" AND data.win.eventdata.accessMask:"0x705" AND data.win.eventdata.objectType:"SAM_DOMAIN")
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_lsass_dump
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_lsass_dump_generic.yml b/elastalert_rules/sigma_win_susp_lsass_dump_generic.yml
deleted file mode 100644
index 5d7b4dee..00000000
--- a/elastalert_rules/sigma_win_susp_lsass_dump_generic.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects process handle on LSASS process with certain access mask
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"4656" AND data.win.eventdata.objectName.keyword:*\\lsass.exe AND data.win.eventdata.accessMask.keyword:(*0x40* OR *0x1400* OR *0x1000* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) OR ((data.win.system.eventID:"4663" AND data.win.eventdata.objectName.keyword:*\\lsass.exe AND AccessList.keyword:(*4484* OR *4416*)) AND (NOT (data.win.eventdata.processName.keyword:(*\\wmiprvse.exe OR *\\taskmgr.exe OR *\\procexp64.exe OR *\\procexp.exe OR *\\lsm.exe OR *\\csrss.exe OR *\\wininit.exe OR *\\vmtoolsd.exe OR *\\minionhost.exe OR *\\VsTskMgr.exe)))))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_lsass_dump_generic
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_mpcmdrun_download.yml b/elastalert_rules/sigma_win_susp_mpcmdrun_download.yml
deleted file mode 100644
index c1ec3934..00000000
--- a/elastalert_rules/sigma_win_susp_mpcmdrun_download.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect the use of Windows Defender to download payloads
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:*MpCmdRun.exe* OR data.win.eventdata.description:"Microsoft\ Malware\ Protection\ Command\ Line\ Utility") AND (data.win.eventdata.commandLine.keyword:*DownloadFile* AND data.win.eventdata.commandLine.keyword:*url*))
-index: wazuh-alerts-3.x-*
-name: 46123129-1024-423e-9fae-43af4a0fa9a5_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_mshta_execution.yml b/elastalert_rules/sigma_win_susp_mshta_execution.yml
deleted file mode 100644
index 89189d22..00000000
--- a/elastalert_rules/sigma_win_susp_mshta_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism -filter: -- query: - query_string: - query: (data.win.eventdata.image.keyword:*\\mshta.exe AND data.win.eventdata.commandLine.keyword:(*vbscript* OR *.jpg* OR *.png* OR *.lnk* OR *.xls* OR *.doc* OR *.zip*)) -index: wazuh-alerts-3.x-* -name: sigma_win_susp_mshta_execution -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_msiexec_cwd.yml b/elastalert_rules/sigma_win_susp_msiexec_cwd.yml deleted file mode 100644 index b65f4617..00000000 --- a/elastalert_rules/sigma_win_susp_msiexec_cwd.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious msiexec process starts in an uncommon directory -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\msiexec.exe AND (NOT (data.win.eventdata.image.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\WinSxS\\*)))) -index: wazuh-alerts-3.x-* -name: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_msiexec_web_install.yml b/elastalert_rules/sigma_win_susp_msiexec_web_install.yml deleted file mode 100644 index 78af9b58..00000000 --- a/elastalert_rules/sigma_win_susp_msiexec_web_install.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious msiexec process starts with web addreses as parameter -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ msiexec*\:\/\/*)) -index: wazuh-alerts-3.x-* -name: f7b5f842-a6af-4da5-9e95-e32478f3cd2f_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_msmpeng_crash.yml b/elastalert_rules/sigma_win_susp_msmpeng_crash.yml deleted file mode 100644 index 4ecda8b3..00000000 
--- a/elastalert_rules/sigma_win_susp_msmpeng_crash.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine -filter: -- query: - query_string: - query: (((data.win.eventdata.source Name:"Application\ Error" AND data.win.system.eventID:"1000") OR (data.win.eventdata.source Name:"Windows\ Error\ Reporting" AND data.win.system.eventID:"1001")) AND data.win.system.message.keyword:(*MsMpEng.exe* OR *mpengine.dll*)) -index: wazuh-alerts-3.x-* -name: sigma_win_susp_msmpeng_crash -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_msoffice.yml b/elastalert_rules/sigma_win_susp_msoffice.yml deleted file mode 100644 index ab77f7f7..00000000 --- a/elastalert_rules/sigma_win_susp_msoffice.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Downloads payload from remote server -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\powerpnt.exe OR *\\winword.exe OR *\\excel.exe) AND data.win.eventdata.commandLine.keyword:*http*) -index: wazuh-alerts-3.x-* -name: 0c79148b-118e-472b-bdb7-9b57b444cc19_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_net_execution.yml b/elastalert_rules/sigma_win_susp_net_execution.yml deleted file mode 100644 index c88ec4f8..00000000 --- a/elastalert_rules/sigma_win_susp_net_execution.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects execution of Net.exe, whether suspicious or benign. -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\net.exe OR *\\net1.exe) AND data.win.eventdata.commandLine.keyword:(*\ group* OR *\ localgroup* OR *\ user* OR *\ view* OR *\ share OR *\ accounts* OR *\ use* OR *\ stop\ *)) -index: wazuh-alerts-3.x-* -name: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac_0 -priority: 4 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_net_recon_activity.yml b/elastalert_rules/sigma_win_susp_net_recon_activity.yml deleted file mode 100644 index 9a45ab63..00000000 --- a/elastalert_rules/sigma_win_susp_net_recon_activity.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects activity as "net user administrator /domain" and "net group domain admins /domain" -filter: -- query: - query_string: - query: (data.win.system.eventID:"4661" AND data.win.eventdata.accessMask:"0x2d" AND ((data.win.eventdata.objectType:"SAM_USER" AND data.win.eventdata.objectName.keyword:S\-1\-5\-21\-*\-500) OR (data.win.eventdata.objectType:"SAM_GROUP" AND data.win.eventdata.objectName.keyword:S\-1\-5\-21\-*\-512))) -index: wazuh-alerts-3.x-* -name: sigma_win_susp_net_recon_activity -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_netsh_dll_persistence.yml b/elastalert_rules/sigma_win_susp_netsh_dll_persistence.yml deleted file mode 100644 index 03814dbd..00000000 --- a/elastalert_rules/sigma_win_susp_netsh_dll_persistence.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects persitence via netsh helper -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\netsh.exe AND data.win.eventdata.commandLine.keyword:*add* AND data.win.eventdata.commandLine.keyword:*helper*) -index: wazuh-alerts-3.x-* -name: 56321594-9087-49d9-bf10-524fe8479452_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_ntdsutil.yml b/elastalert_rules/sigma_win_susp_ntdsutil.yml deleted file mode 100644 index 0d07555c..00000000 --- a/elastalert_rules/sigma_win_susp_ntdsutil.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\\ntdsutil*) -index: wazuh-alerts-3.x-* -name: 2afafd61-6aae-4df4-baed-139fa1f4c345_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_ntlm_auth.yml b/elastalert_rules/sigma_win_susp_ntlm_auth.yml deleted file mode 100644 index 3c950cdf..00000000 --- a/elastalert_rules/sigma_win_susp_ntlm_auth.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects logons using NTLM, which could be caused by a legacy source or attackers -filter: -- query: - query_string: - query: (data.win.system.eventID:"8002" AND process_path.keyword:*) -index: wazuh-alerts-3.x-* -name: sigma_win_susp_ntlm_auth -priority: 4 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_ntlm_rdp.yml b/elastalert_rules/sigma_win_susp_ntlm_rdp.yml deleted file mode 100644 index 99f665d9..00000000 --- a/elastalert_rules/sigma_win_susp_ntlm_rdp.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects logons using NTLM to hosts that are potentially not part of the domain. -filter: -- query: - query_string: - query: (data.win.system.eventID:"8001" AND TargetName.keyword:TERMSRV*) -index: wazuh-alerts-3.x-* -name: sigma_win_susp_ntlm_rdp -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_odbcconf.yml b/elastalert_rules/sigma_win_susp_odbcconf.yml deleted file mode 100644 index fb085009..00000000 --- a/elastalert_rules/sigma_win_susp_odbcconf.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects defence evasion attempt via odbcconf.exe execution to load DLL -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:*\\odbcconf.exe AND data.win.eventdata.commandLine.keyword:(*\-f* OR *regsvr*)) OR (data.win.eventdata.parentImage.keyword:*\\odbcconf.exe AND data.win.eventdata.image.keyword:*\\rundll32.exe))) -index: wazuh-alerts-3.x-* -name: 65d2be45-8600-4042-b4c0-577a1ff8a60e_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_openwith.yml b/elastalert_rules/sigma_win_susp_openwith.yml deleted file mode 100644 index 1cc0e3a4..00000000 --- a/elastalert_rules/sigma_win_susp_openwith.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: The OpenWith.exe executes other binary -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\OpenWith.exe AND data.win.eventdata.commandLine.keyword:*\/c*) -index: wazuh-alerts-3.x-* -name: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_outlook.yml b/elastalert_rules/sigma_win_susp_outlook.yml deleted file mode 100644 index c569c09b..00000000 --- a/elastalert_rules/sigma_win_susp_outlook.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND (data.win.eventdata.commandLine.keyword:*EnableUnsafeClientMailRules* OR (data.win.eventdata.parentImage.keyword:*\\outlook.exe AND data.win.eventdata.commandLine.keyword:\\\\*\\*.exe))) -index: wazuh-alerts-3.x-* -name: e212d415-0e93-435f-9e1a-f29005bb4723_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_outlook_temp.yml b/elastalert_rules/sigma_win_susp_outlook_temp.yml deleted file mode 100644 index a9317ca0..00000000 --- a/elastalert_rules/sigma_win_susp_outlook_temp.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a suspicious program execution in Outlook temp folder -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\Temporary\ Internet\ Files\\Content.Outlook\\*) -index: wazuh-alerts-3.x-* -name: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_ping_hex_ip.yml b/elastalert_rules/sigma_win_susp_ping_hex_ip.yml deleted file mode 100644 index d401db69..00000000 --- a/elastalert_rules/sigma_win_susp_ping_hex_ip.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a ping command that uses a hex encoded IP address -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\\ping.exe\ 0x* OR *\\ping\ 0x*) AND data.win.eventdata.image.keyword:(*ping.exe*)) -index: wazuh-alerts-3.x-* -name: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_powershell_empire_launch.yml b/elastalert_rules/sigma_win_susp_powershell_empire_launch.yml deleted file mode 100644 index c40c1136..00000000 
--- a/elastalert_rules/sigma_win_susp_powershell_empire_launch.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious powershell command line parameters used in Empire -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ \-NoP\ \-sta\ \-NonI\ \-W\ Hidden\ \-Enc\ * OR *\ \-noP\ \-sta\ \-w\ 1\ \-enc\ * OR *\ \-NoP\ \-NonI\ \-W\ Hidden\ \-enc\ * OR *\ \-noP\ \-sta\ \-w\ 1\ \-enc* OR *\ \-enc\ \ SQB* OR *\ \-nop\ \-exec\ bypass\ \-EncodedCommand\ SQB*)) -index: wazuh-alerts-3.x-* -name: 79f4ede3-402e-41c8-bc3e-ebbf5f162581_0 -priority: 1 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_powershell_empire_uac_bypass.yml b/elastalert_rules/sigma_win_susp_powershell_empire_uac_bypass.yml deleted file mode 100644 index 58dce021..00000000 --- a/elastalert_rules/sigma_win_susp_powershell_empire_uac_bypass.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects some Empire PowerShell UAC bypass methods -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ \-NoP\ \-NonI\ \-w\ Hidden\ \-c\ $x\=$\(\(gp\ HKCU\:Software\\Microsoft\\Windows\ Update\).Update\)* OR *\ \-NoP\ \-NonI\ \-c\ $x\=$\(\(gp\ HKCU\:Software\\Microsoft\\Windows\ Update\).Update\);*)) -index: wazuh-alerts-3.x-* -name: 3268b746-88d8-4cd3-bffc-30077d02c787_0 -priority: 1 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_powershell_enc_cmd.yml b/elastalert_rules/sigma_win_susp_powershell_enc_cmd.yml deleted file mode 100644 index b01435e2..00000000 --- a/elastalert_rules/sigma_win_susp_powershell_enc_cmd.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet) -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ \-e\ JAB* OR *\ \-e\ \ JAB* OR *\ \-e\ \ \ JAB* OR *\ \-e\ \ \ \ JAB* OR *\ \-e\ \ \ \ \ JAB* OR *\ \-e\ \ \ \ \ \ JAB* OR *\ \-en\ JAB* OR *\ \-enc\ JAB* OR *\ \-enc*\ JAB* OR *\ \-w\ hidden\ \-e*\ JAB* OR *\ BA\^J\ e\- OR *\ \-e\ SUVYI* OR *\ \-e\ aWV4I* OR *\ \-e\ SQBFAFgA* OR *\ \-e\ aQBlAHgA* OR *\ \-enc\ SUVYI* OR *\ \-enc\ aWV4I* OR *\ \-enc\ SQBFAFgA* OR *\ \-enc\ aQBlAHgA* OR *\ \-e*\ IAA* OR *\ \-e*\ IAB* OR *\ \-e*\ UwB* OR *\ \-e*\ cwB* OR *.exe\ \-ENCOD\ *) AND (NOT (data.win.eventdata.commandLine.keyword:*\ \-ExecutionPolicy\ remotesigned\ *))) -index: wazuh-alerts-3.x-* -name: ca2092a1-c273-4878-9b4b-0d60115bf5ea_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_powershell_encoded_param.yml b/elastalert_rules/sigma_win_susp_powershell_encoded_param.yml deleted file mode 100644 index 657d735b..00000000 --- a/elastalert_rules/sigma_win_susp_powershell_encoded_param.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious encoded character syntax often used for defense evasion -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\(WCHAR\)0x*) -index: wazuh-alerts-3.x-* -name: e312efd0-35a1-407f-8439-b8d434b438a6_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_powershell_hidden_b64_cmd.yml b/elastalert_rules/sigma_win_susp_powershell_hidden_b64_cmd.yml deleted file mode 100644 index 6298575e..00000000 --- a/elastalert_rules/sigma_win_susp_powershell_hidden_b64_cmd.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects base64 encoded strings used in hidden malicious PowerShell command lines -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\powershell.exe AND data.win.eventdata.commandLine.keyword:*\ hidden\ * AND data.win.eventdata.commandLine.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*)) -index: wazuh-alerts-3.x-* -name: f26c6093-6f14-4b12-800f-0fcb46f5ffd0_0 -priority: 2 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_win_susp_powershell_parent_combo.yml b/elastalert_rules/sigma_win_susp_powershell_parent_combo.yml deleted file mode 100644 index 3321d574..00000000 --- a/elastalert_rules/sigma_win_susp_powershell_parent_combo.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious powershell invocations from interpreters or unusual programs -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND (data.win.eventdata.parentImage.keyword:(*\\wscript.exe OR *\\cscript.exe) AND data.win.eventdata.image.keyword:(*\\powershell.exe)) AND (NOT (data.win.eventdata.currentDirectory.keyword:*\\Health\ Service\ State\\*))) -index: wazuh-alerts-3.x-* -name: 95eadcb2-92e4-4ed1-9031-92547773a6db_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_powershell_parent_process.yml b/elastalert_rules/sigma_win_susp_powershell_parent_process.yml deleted file mode 100644 index aa29ceb0..00000000 --- a/elastalert_rules/sigma_win_susp_powershell_parent_process.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a suspicious parents of powershell.exe -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND (data.win.eventdata.parentImage.keyword:(*\\mshta.exe OR *\\rundll32.exe OR *\\regsvr32.exe OR *\\services.exe OR *\\winword.exe OR *\\wmiprvse.exe OR *\\powerpnt.exe OR *\\excel.exe OR *\\msaccess.exe OR *\\mspub.exe OR *\\visio.exe OR *\\outlook.exe OR *\\amigo.exe OR *\\chrome.exe OR *\\firefox.exe OR *\\iexplore.exe OR *\\microsoftedgecp.exe OR *\\microsoftedge.exe OR *\\browser.exe OR *\\vivaldi.exe OR *\\safari.exe OR *\\sqlagent.exe OR *\\sqlserver.exe OR *\\sqlservr.exe OR *\\w3wp.exe OR *\\httpd.exe OR *\\nginx.exe OR *\\php\-cgi.exe OR *\\jbosssvc.exe OR *MicrosoftEdgeSH.exe) OR data.win.eventdata.parentImage.keyword:*tomcat*) AND (data.win.eventdata.commandLine.keyword:(*powershell* OR *pwsh*) OR data.win.eventdata.description:"Windows\ PowerShell" OR data.win.eventdata.product:"PowerShell\ Core\ 6")) -index: wazuh-alerts-3.x-* -name: 754ed792-634f-40ae-b3bc-e0448d33f695_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_procdump.yml b/elastalert_rules/sigma_win_susp_procdump.yml deleted file mode 100644 index 129dea89..00000000 --- a/elastalert_rules/sigma_win_susp_procdump.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND ((data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ \-ma\ *) AND data.win.eventdata.commandLine.keyword:(*\ lsass*)) OR data.win.eventdata.commandLine.keyword:(*\ \-ma\ ls*))) -index: wazuh-alerts-3.x-* -name: 5afee48e-67dd-4e03-a783-f74259dcf998_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_prog_location_process_starts.yml b/elastalert_rules/sigma_win_susp_prog_location_process_starts.yml deleted file mode 100644 index a747b5f9..00000000 --- a/elastalert_rules/sigma_win_susp_prog_location_process_starts.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects programs running in suspicious files system locations -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\$Recycle.bin OR *\\Users\\Public\\* OR C\:\\Perflogs\\* OR *\\Windows\\Fonts\\* OR *\\Windows\\IME\\* OR *\\Windows\\addins\\* OR *\\Windows\\debug\\*)) -index: wazuh-alerts-3.x-* -name: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_ps_appdata.yml b/elastalert_rules/sigma_win_susp_ps_appdata.yml deleted file mode 100644 index e82b2177..00000000 --- a/elastalert_rules/sigma_win_susp_ps_appdata.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\ \/c\ powershell*\\AppData\\Local\\* OR *\ \/c\ powershell*\\AppData\\Roaming\\*)) -index: wazuh-alerts-3.x-* -name: ac175779-025a-4f12-98b0-acdaeb77ea85_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_ps_downloadfile.yml b/elastalert_rules/sigma_win_susp_ps_downloadfile.yml deleted file mode 100644 index b084b9e0..00000000 --- a/elastalert_rules/sigma_win_susp_ps_downloadfile.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*powershell* AND data.win.eventdata.commandLine.keyword:*.DownloadFile* AND data.win.eventdata.commandLine.keyword:*System.Net.WebClient*) -index: wazuh-alerts-3.x-* -name: 8f70ac5f-1f6f-4f8e-b454-db19561216c5_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_psexec.yml b/elastalert_rules/sigma_win_susp_psexec.yml deleted file mode 100644 index b7862e93..00000000 --- a/elastalert_rules/sigma_win_susp_psexec.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one -filter: -- query: - query_string: - query: ((data.win.system.eventID:"5145" AND data.win.eventdata.shareName.keyword:\\*\\IPC$ AND data.win.eventdata.relativeTargetName.keyword:(*\-stdin OR *\-stdout OR *\-stderr)) AND (NOT (data.win.system.eventID:"5145" AND data.win.eventdata.shareName.keyword:\\*\\IPC$ AND data.win.eventdata.relativeTargetName.keyword:PSEXESVC*))) -index: wazuh-alerts-3.x-* -name: sigma_win_susp_psexec -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_psexec_eula.yml b/elastalert_rules/sigma_win_susp_psexec_eula.yml deleted file mode 100644 index 7624d878..00000000 --- a/elastalert_rules/sigma_win_susp_psexec_eula.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detect ed user accept agreement execution in psexec commandline -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\psexec.exe AND data.win.eventdata.commandLine.keyword:*accepteula*) -index: wazuh-alerts-3.x-* -name: 730fc21b-eaff-474b-ad23-90fd265d4988_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_psr_capture_screenshots.yml b/elastalert_rules/sigma_win_susp_psr_capture_screenshots.yml deleted file mode 100644 index 85af3f30..00000000 --- a/elastalert_rules/sigma_win_susp_psr_capture_screenshots.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: The psr.exe captures desktop screenshots and saves them on the local machine -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\Psr.exe AND data.win.eventdata.commandLine.keyword:*\/start*) -index: wazuh-alerts-3.x-* -name: 2158f96f-43c2-43cb-952a-ab4580f32382_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_raccess_sensitive_fext.yml b/elastalert_rules/sigma_win_susp_raccess_sensitive_fext.yml deleted file mode 100644 index 91aa5850..00000000 --- a/elastalert_rules/sigma_win_susp_raccess_sensitive_fext.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects known sensitive file extensions accessed on a network share -filter: -- query: - query_string: - query: (data.win.system.eventID:("5145") AND data.win.eventdata.relativeTargetName.keyword:(*.pst OR *.ost OR *.msg OR *.nst OR *.oab OR *.edb OR *.nsf OR *.bak OR *.dmp OR *.kirbi OR *\\groups.xml OR *.rdp)) -index: wazuh-alerts-3.x-* -name: sigma_win_susp_raccess_sensitive_fext -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_rar_flags.yml b/elastalert_rules/sigma_win_susp_rar_flags.yml deleted file mode 100644 index 42850102..00000000 --- a/elastalert_rules/sigma_win_susp_rar_flags.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\ \-hp* AND data.win.eventdata.commandLine.keyword:*\ \-m*) -index: wazuh-alerts-3.x-* -name: faa48cae-6b25-4f00-a094-08947fef582f_0 -priority: 3 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_win_susp_rasdial_activity.yml b/elastalert_rules/sigma_win_susp_rasdial_activity.yml deleted file mode 100644 index f765b76f..00000000 --- a/elastalert_rules/sigma_win_susp_rasdial_activity.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious process related to rasdial.exe -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*rasdial.exe)) -index: wazuh-alerts-3.x-* -name: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_rc4_kerberos.yml b/elastalert_rules/sigma_win_susp_rc4_kerberos.yml deleted file mode 100644 index e2dde970..00000000 --- a/elastalert_rules/sigma_win_susp_rc4_kerberos.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects service ticket requests using RC4 encryption type -filter: -- query: - query_string: - query: ((data.win.system.eventID:"4769" AND ticket_options:"0x40810000" AND ticket_encryption_type:"0x17") AND (NOT (data.win.eventdata.serviceName.keyword:$*))) -index: wazuh-alerts-3.x-* -name: sigma_win_susp_rc4_kerberos -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_recon_activity.yml b/elastalert_rules/sigma_win_susp_recon_activity.yml deleted file mode 100644 index a5c7c97a..00000000 --- a/elastalert_rules/sigma_win_susp_recon_activity.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious command line activity on Windows systems -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine:("net\ group\ \"domain\ admins\"\ \/domain" OR "net\ localgroup\ administrators" OR "net\ group\ \"enterprise\ admins\"\ \/domain")) -index: wazuh-alerts-3.x-* -name: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0_0 -priority: 3 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_win_susp_regsvr32_anomalies.yml b/elastalert_rules/sigma_win_susp_regsvr32_anomalies.yml deleted file mode 100644 index 6b749449..00000000 --- a/elastalert_rules/sigma_win_susp_regsvr32_anomalies.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects various anomalies in relation to regsvr32.exe -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:*\\regsvr32.exe AND data.win.eventdata.commandLine.keyword:*\\Temp\\*) OR (data.win.eventdata.image.keyword:*\\regsvr32.exe AND data.win.eventdata.parentImage.keyword:*\\powershell.exe) OR (data.win.eventdata.image.keyword:*\\regsvr32.exe AND data.win.eventdata.parentImage.keyword:*\\cmd.exe) OR (data.win.eventdata.image.keyword:*\\regsvr32.exe AND data.win.eventdata.commandLine.keyword:(*\/i\:http*\ scrobj.dll OR *\/i\:ftp*\ scrobj.dll)) OR (data.win.eventdata.image.keyword:*\\wscript.exe AND data.win.eventdata.parentImage.keyword:*\\regsvr32.exe) OR (data.win.eventdata.image.keyword:*\\EXCEL.EXE AND data.win.eventdata.commandLine.keyword:*..\\..\\..\\Windows\\System32\\regsvr32.exe\ *))) -index: wazuh-alerts-3.x-* -name: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_regsvr32_flags_anomaly.yml b/elastalert_rules/sigma_win_susp_regsvr32_flags_anomaly.yml deleted file mode 100644 index 62451554..00000000 --- a/elastalert_rules/sigma_win_susp_regsvr32_flags_anomaly.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\regsvr32.exe AND data.win.eventdata.commandLine.keyword:*\ \/i\:*) AND (NOT (data.win.eventdata.commandLine.keyword:*\ \/n\ *))) -index: wazuh-alerts-3.x-* -name: b236190c-1c61-41e9-84b3-3fe03f6d76b0_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_renamed_dctask64.yml b/elastalert_rules/sigma_win_susp_renamed_dctask64.yml deleted file mode 100644 index dd870de0..00000000 --- a/elastalert_rules/sigma_win_susp_renamed_dctask64.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND hash_imphash:("6834B1B94E49701D77CCB3C0895E1AFD" OR "6834b1b94e49701d77ccb3c0895e1afd") AND (NOT (data.win.eventdata.image.keyword:*\\dctask64.exe))) -index: wazuh-alerts-3.x-* -name: 340a090b-c4e9-412e-bb36-b4b16fe96f9b_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_renamed_debugview.yml b/elastalert_rules/sigma_win_susp_renamed_debugview.yml deleted file mode 100644 index 6646ab46..00000000 --- a/elastalert_rules/sigma_win_susp_renamed_debugview.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious renamed SysInternals DebugView execution -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.product:("Sysinternals\ DebugView" OR "Sysinternals\ Debugview") AND (NOT (OriginalFilename:"Dbgview.exe" AND data.win.eventdata.image.keyword:*\\Dbgview.exe))) -index: wazuh-alerts-3.x-* -name: cd764533-2e07-40d6-a718-cfeec7f2da7f_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_rottenpotato.yml b/elastalert_rules/sigma_win_susp_rottenpotato.yml deleted file mode 100644 index 8eea31d6..00000000 --- a/elastalert_rules/sigma_win_susp_rottenpotato.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like -filter: -- query: - query_string: - query: (data.win.system.eventID:"4624" AND data.win.eventdata.logonType:"3" AND TargetUserName:"ANONYMOUS_LOGON" AND data.win.eventdata.sourceHostname:"\-" AND SourceNetworkAddress:"127.0.0.1") -index: wazuh-alerts-3.x-* -name: sigma_win_susp_rottenpotato -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_susp_run_locations.yml b/elastalert_rules/sigma_win_susp_run_locations.yml deleted file mode 100644 index 6d83d21d..00000000 --- a/elastalert_rules/sigma_win_susp_run_locations.yml +++ /dev/null 
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious process run from unusual locations
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\:\\RECYCLER\\* OR *\:\\SystemVolumeInformation\\* OR C\:\\Windows\\Tasks\\* OR C\:\\Windows\\debug\\* OR C\:\\Windows\\fonts\\* OR C\:\\Windows\\help\\* OR C\:\\Windows\\drivers\\* OR C\:\\Windows\\addins\\* OR C\:\\Windows\\cursors\\* OR C\:\\Windows\\system32\\tasks\\*))
-index: wazuh-alerts-3.x-*
-name: 15b75071-74cc-47e0-b4c6-b43744a62a2b_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_rundll32_activity.yml b/elastalert_rules/sigma_win_susp_rundll32_activity.yml
deleted file mode 100644
index c838fbf4..00000000
--- a/elastalert_rules/sigma_win_susp_rundll32_activity.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious process related to rundll32 based on arguments
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\\rundll32.exe*\ url.dll,*OpenURL\ * OR *\\rundll32.exe*\ url.dll,*OpenURLA\ * OR *\\rundll32.exe*\ url.dll,*FileProtocolHandler\ * OR *\\rundll32.exe*\ zipfldr.dll,*RouteTheCall\ * OR *\\rundll32.exe*\ Shell32.dll,*Control_RunDLL\ * OR *\\rundll32.exe\ javascript\:* OR *\ url.dll,*OpenURL\ * OR *\ url.dll,*OpenURLA\ * OR *\ url.dll,*FileProtocolHandler\ * OR *\ zipfldr.dll,*RouteTheCall\ * OR *\ Shell32.dll,*Control_RunDLL\ * OR *\ javascript\:* OR *.RegisterXLL*))
-index: wazuh-alerts-3.x-*
-name: e593cf51-88db-4ee1-b920-37e89012a3c9_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_rundll32_by_ordinal.yml b/elastalert_rules/sigma_win_susp_rundll32_by_ordinal.yml
deleted file mode 100644
index 6df4c509..00000000
--- a/elastalert_rules/sigma_win_susp_rundll32_by_ordinal.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\\rundll32.exe\ *,#*)
-index: wazuh-alerts-3.x-*
-name: e79a9e79-eb72-4e78-a628-0e7e8f59e89c_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_sam_dump.yml b/elastalert_rules/sigma_win_susp_sam_dump.yml
deleted file mode 100644
index 98ece342..00000000
--- a/elastalert_rules/sigma_win_susp_sam_dump.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"16" AND data.win.system.message.keyword:(*\\AppData\\Local\\Temp\\SAM\-*.dmp\ *))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_sam_dump
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_schtask_creation.yml b/elastalert_rules/sigma_win_susp_schtask_creation.yml
deleted file mode 100644
index 70d36809..00000000
--- a/elastalert_rules/sigma_win_susp_schtask_creation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the creation of scheduled tasks in user session
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\schtasks.exe AND data.win.eventdata.commandLine.keyword:*\ \/create\ *) AND (NOT (user_account:"NT\ AUTHORITY\\SYSTEM")))
-index: wazuh-alerts-3.x-*
-name: 92626ddd-662c-49e3-ac59-f6535f12d189_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_script_execution.yml b/elastalert_rules/sigma_win_susp_script_execution.yml
deleted file mode 100644
index a6769d95..00000000
--- a/elastalert_rules/sigma_win_susp_script_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious file execution by wscript and cscript
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\wscript.exe OR *\\cscript.exe) AND data.win.eventdata.commandLine.keyword:(*.jse* OR *.vbe* OR *.js* OR *.vba*))
-index: wazuh-alerts-3.x-*
-name: 1e33157c-53b1-41ad-bbcc-780b80b58288_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_sdelete.yml b/elastalert_rules/sigma_win_susp_sdelete.yml
deleted file mode 100644
index 04bb0d35..00000000
--- a/elastalert_rules/sigma_win_susp_sdelete.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects renaming of file while deletion with SDelete tool
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("4656" OR "4663" OR "4658") AND data.win.eventdata.objectName.keyword:(*.AAA OR *.ZZZ))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_sdelete
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_security_eventlog_cleared.yml b/elastalert_rules/sigma_win_susp_security_eventlog_cleared.yml
deleted file mode 100644
index 33dbd297..00000000
--- a/elastalert_rules/sigma_win_susp_security_eventlog_cleared.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:("517" OR "1102")
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_security_eventlog_cleared
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_service_path_modification.yml b/elastalert_rules/sigma_win_susp_service_path_modification.yml
deleted file mode 100644
index 2668f264..00000000
--- a/elastalert_rules/sigma_win_susp_service_path_modification.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects service path modification to powershell/cmd
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\sc.exe AND data.win.eventdata.commandLine.keyword:*config* AND data.win.eventdata.commandLine.keyword:*binpath* AND data.win.eventdata.commandLine.keyword:(*powershell* OR *cmd*))
-index: wazuh-alerts-3.x-*
-name: 138d3531-8793-4f50-a2cd-f291b2863d78_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_shell_spawn_from_mssql.yml b/elastalert_rules/sigma_win_susp_shell_spawn_from_mssql.yml
deleted file mode 100644
index 497c5576..00000000
--- a/elastalert_rules/sigma_win_susp_shell_spawn_from_mssql.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\sqlservr.exe AND data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\sh.exe OR *\\bash.exe OR *\\powershell.exe OR *\\bitsadmin.exe))
-index: wazuh-alerts-3.x-*
-name: 869b9ca7-9ea2-4a5a-8325-e80e62f75445_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_squirrel_lolbin.yml b/elastalert_rules/sigma_win_susp_squirrel_lolbin.yml
deleted file mode 100644
index f4f9a080..00000000
--- a/elastalert_rules/sigma_win_susp_squirrel_lolbin.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Possible Squirrel Packages Manager as Lolbin
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\update.exe) AND data.win.eventdata.commandLine.keyword:(*\-\-processStart*.exe* OR *\-\-processStartAndWait*.exe* OR *\-\-createShortcut*.exe*))
-index: wazuh-alerts-3.x-*
-name: fa4b21c9-0057-4493-b289-2556416ae4d7_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_svchost.yml b/elastalert_rules/sigma_win_susp_svchost.yml
deleted file mode 100644
index 84a82bf9..00000000
--- a/elastalert_rules/sigma_win_susp_svchost.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious svchost process start
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\svchost.exe AND (NOT (data.win.eventdata.parentImage.keyword:(*\\services.exe OR *\\MsMpEng.exe OR *\\Mrt.exe OR *\\rpcnet.exe OR *\\svchost.exe)))) AND (NOT (NOT _exists_:data.win.eventdata.parentImage)))
-index: wazuh-alerts-3.x-*
-name: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_svchost_no_cli.yml b/elastalert_rules/sigma_win_susp_svchost_no_cli.yml
deleted file mode 100644
index 04552fc0..00000000
--- a/elastalert_rules/sigma_win_susp_svchost_no_cli.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*svchost.exe AND data.win.eventdata.image.keyword:*\\svchost.exe) AND (NOT (data.win.eventdata.parentImage.keyword:(*\\rpcnet.exe OR *\\rpcnetp.exe))))
-index: wazuh-alerts-3.x-*
-name: 16c37b52-b141-42a5-a3ea-bbe098444397_0
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_sysprep_appdata.yml b/elastalert_rules/sigma_win_susp_sysprep_appdata.yml
deleted file mode 100644
index 610ea805..00000000
--- a/elastalert_rules/sigma_win_susp_sysprep_appdata.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:(*\\sysprep.exe\ *\\AppData\\* OR sysprep.exe\ *\\AppData\\*))
-index: wazuh-alerts-3.x-*
-name: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_sysvol_access.yml b/elastalert_rules/sigma_win_susp_sysvol_access.yml
deleted file mode 100644
index d0a45a5a..00000000
--- a/elastalert_rules/sigma_win_susp_sysvol_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects Access to Domain Group Policies stored in SYSVOL
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\\SYSVOL\\*\\policies\\*)
-index: wazuh-alerts-3.x-*
-name: 05f3c945-dcc8-4393-9f3d-af65077a8f86_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_taskmgr_localsystem.yml b/elastalert_rules/sigma_win_susp_taskmgr_localsystem.yml
deleted file mode 100644
index 6a39530f..00000000
--- a/elastalert_rules/sigma_win_susp_taskmgr_localsystem.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND user_account:"NT\ AUTHORITY\\SYSTEM" AND data.win.eventdata.image.keyword:*\\taskmgr.exe)
-index: wazuh-alerts-3.x-*
-name: 9fff585c-c33e-4a86-b3cd-39312079a65f_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_taskmgr_parent.yml b/elastalert_rules/sigma_win_susp_taskmgr_parent.yml
deleted file mode 100644
index c9cb34ad..00000000
--- a/elastalert_rules/sigma_win_susp_taskmgr_parent.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the creation of a process from Windows task manager
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\taskmgr.exe AND (NOT (data.win.eventdata.image.keyword:(*\\resmon.exe OR *\\mmc.exe OR *\\taskmgr.exe))))
-index: wazuh-alerts-3.x-*
-name: 3d7679bd-0c00-440c-97b0-3f204273e6c7_0
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_time_modification.yml b/elastalert_rules/sigma_win_susp_time_modification.yml
deleted file mode 100644
index 1228a808..00000000
--- a/elastalert_rules/sigma_win_susp_time_modification.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4616" AND (NOT (((data.win.eventdata.processName:"C\:\\Program\ Files\\VMware\\VMware\ Tools\\vmtoolsd.exe" OR data.win.eventdata.processName:"C\:\\Windows\\System32\\VBoxService.exe") OR (data.win.eventdata.processName:"C\:\\Windows\\System32\\svchost.exe" AND SubjectUserSid:"S\-1\-5\-19")))))
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_time_modification
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_tscon_localsystem.yml b/elastalert_rules/sigma_win_susp_tscon_localsystem.yml
deleted file mode 100644
index db5dd012..00000000
--- a/elastalert_rules/sigma_win_susp_tscon_localsystem.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a tscon.exe start as LOCAL SYSTEM
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND user_account:"NT\ AUTHORITY\\SYSTEM" AND data.win.eventdata.image.keyword:*\\tscon.exe)
-index: wazuh-alerts-3.x-*
-name: 9847f263-4a81-424f-970c-875dab15b79b_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_tscon_rdp_redirect.yml b/elastalert_rules/sigma_win_susp_tscon_rdp_redirect.yml
deleted file mode 100644
index bee9eb4c..00000000
--- a/elastalert_rules/sigma_win_susp_tscon_rdp_redirect.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious RDP session redirect using tscon.exe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*\ \/dest\:rdp\-tcp\:*)
-index: wazuh-alerts-3.x-*
-name: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_use_of_csharp_console.yml b/elastalert_rules/sigma_win_susp_use_of_csharp_console.yml
deleted file mode 100644
index a288696c..00000000
--- a/elastalert_rules/sigma_win_susp_use_of_csharp_console.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of CSharp interactive console by PowerShell
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\csi.exe AND data.win.eventdata.parentImage.keyword:*\\powershell.exe AND data.win.eventdata.originalFileName:"csi.exe")
-index: wazuh-alerts-3.x-*
-name: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_userinit_child.yml b/elastalert_rules/sigma_win_susp_userinit_child.yml
deleted file mode 100644
index 74413003..00000000
--- a/elastalert_rules/sigma_win_susp_userinit_child.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a suspicious child process of userinit
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.parentImage.keyword:*\\userinit.exe AND (NOT (data.win.eventdata.commandLine.keyword:*\\netlogon\\*))) AND (NOT (data.win.eventdata.image.keyword:*\\explorer.exe)))
-index: wazuh-alerts-3.x-*
-name: b655a06a-31c0-477a-95c2-3726b83d649d_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_vssadmin_ntds_activity.yml b/elastalert_rules/sigma_win_susp_vssadmin_ntds_activity.yml
deleted file mode 100644
index 92a7661a..00000000
--- a/elastalert_rules/sigma_win_susp_vssadmin_ntds_activity.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
-filter:
-- query:
- query_string:
- query: 'data.win.eventdata.commandLine.keyword:(vssadmin.exe\ Delete\ Shadows OR vssadmin\ create\ shadow\ \/for\=C\: OR copy\ \\?\\GLOBALROOT\\Device\\*\\windows\\ntds\\ntds.dit OR copy\ \\?\\GLOBALROOT\\Device\\*\\config\\SAM OR vssadmin\ delete\ shadows\ \/for\=C\: OR reg\ SAVE\ HKLM\\SYSTEM\ OR esentutl.exe\ \/y\ \/vss\ *\\ntds.dit* OR esentutl.exe\ \/y\ \/vss\ *\\SAM OR esentutl.exe\ \/y\ \/vss\ *\\SYSTEM)'
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_vssadmin_ntds_activity
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_whoami.yml b/elastalert_rules/sigma_win_susp_whoami.yml
deleted file mode 100644
index 64bccae5..00000000
--- a/elastalert_rules/sigma_win_susp_whoami.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND (data.win.eventdata.image.keyword:*\\whoami.exe OR data.win.eventdata.originalFileName:"whoami.exe"))
-index: wazuh-alerts-3.x-*
-name: e28a5a99-da44-436d-b7a0-2afc20a5f413_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_wmi_execution.yml b/elastalert_rules/sigma_win_susp_wmi_execution.yml
deleted file mode 100644
index a5624ae6..00000000
--- a/elastalert_rules/sigma_win_susp_wmi_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects WMI executing suspicious commands
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\wmic.exe) AND data.win.eventdata.commandLine.keyword:(*\/NODE\:*process\ call\ create\ * OR *\ path\ AntiVirusProduct\ get\ * OR *\ path\ FirewallProduct\ get\ * OR *\ shadowcopy\ delete\ *))
-index: wazuh-alerts-3.x-*
-name: 526be59f-a573-4eea-b5f7-f0973207634d_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_wmi_login.yml b/elastalert_rules/sigma_win_susp_wmi_login.yml
deleted file mode 100644
index 3101ba08..00000000
--- a/elastalert_rules/sigma_win_susp_wmi_login.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detection of logins performed with WMI
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4624" AND data.win.eventdata.processName.keyword:*\\WmiPrvSE.exe)
-index: wazuh-alerts-3.x-*
-name: sigma_win_susp_wmi_login
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_susp_wmic_proc_create_rundll32.yml b/elastalert_rules/sigma_win_susp_wmic_proc_create_rundll32.yml
deleted file mode 100644
index e31795ea..00000000
--- a/elastalert_rules/sigma_win_susp_wmic_proc_create_rundll32.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects WMI executing rundll32
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*process\ call\ create* AND data.win.eventdata.commandLine.keyword:*rundll32*)
-index: wazuh-alerts-3.x-*
-name: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_suspicious_outbound_kerberos_connection.yml b/elastalert_rules/sigma_win_suspicious_outbound_kerberos_connection.yml
deleted file mode 100644
index 921b7a8f..00000000
--- a/elastalert_rules/sigma_win_suspicious_outbound_kerberos_connection.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-filter:
-- query:
- query_string:
- query: ((data.win.system.eventID:"5156" AND data.win.eventdata.destinationPort:"88") AND (NOT (data.win.eventdata.image.keyword:(*\\lsass.exe OR *\\opera.exe OR *\\chrome.exe OR *\\firefox.exe))))
-index: wazuh-alerts-3.x-*
-name: sigma_win_suspicious_outbound_kerberos_connection
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_svcctl_remote_service.yml b/elastalert_rules/sigma_win_svcctl_remote_service.yml
deleted file mode 100644
index c9b9d15f..00000000
--- a/elastalert_rules/sigma_win_svcctl_remote_service.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects remote service activity via remote access to the svcctl named pipe
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5145" AND data.win.eventdata.shareName.keyword:\\*\\IPC$ AND data.win.eventdata.relativeTargetName:"svcctl" AND Accesses.keyword:*WriteData*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_svcctl_remote_service
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_syskey_registry_access.yml b/elastalert_rules/sigma_win_syskey_registry_access.yml
deleted file mode 100644
index c4706aee..00000000
--- a/elastalert_rules/sigma_win_syskey_registry_access.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:("4656" OR "4663") AND data.win.eventdata.objectType:"key" AND data.win.eventdata.objectName.keyword:(*lsa\\JD OR *lsa\\GBG OR *lsa\\Skew1 OR *lsa\\Data))
-index: wazuh-alerts-3.x-*
-name: sigma_win_syskey_registry_access
-priority: 1
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_sysmon_driver_unload.yml b/elastalert_rules/sigma_win_sysmon_driver_unload.yml
deleted file mode 100644
index 7506a9b0..00000000
--- a/elastalert_rules/sigma_win_sysmon_driver_unload.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect possible Sysmon driver unload
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\fltmc.exe AND data.win.eventdata.commandLine.keyword:*unload* AND data.win.eventdata.commandLine.keyword:*sys*)
-index: wazuh-alerts-3.x-*
-name: 4d7cda18-1b12-4e52-b45c-d28653210df8_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_system_exe_anomaly.yml b/elastalert_rules/sigma_win_system_exe_anomaly.yml
deleted file mode 100644
index 226bf37e..00000000
--- a/elastalert_rules/sigma_win_system_exe_anomaly.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a Windows program executable started in a suspicious folder
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\svchost.exe OR *\\rundll32.exe OR *\\services.exe OR *\\powershell.exe OR *\\regsvr32.exe OR *\\spoolsv.exe OR *\\lsass.exe OR *\\smss.exe OR *\\csrss.exe OR *\\conhost.exe OR *\\wininit.exe OR *\\lsm.exe OR *\\winlogon.exe OR *\\explorer.exe OR *\\taskhost.exe OR *\\Taskmgr.exe OR *\\sihost.exe OR *\\RuntimeBroker.exe OR *\\smartscreen.exe OR *\\dllhost.exe OR *\\audiodg.exe OR *\\wlanext.exe) AND (NOT (data.win.eventdata.image.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\system32\\* OR C\:\\Windows\\SysWow64\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\explorer.exe OR C\:\\Windows\\winsxs\\* OR C\:\\Windows\\WinSxS\\* OR \\SystemRoot\\System32\\*))))
-index: wazuh-alerts-3.x-*
-name: e4a6b256-3e47-40fc-89d2-7a477edd6915_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_tap_driver_installation.yml b/elastalert_rules/sigma_win_tap_driver_installation.yml
deleted file mode 100644
index df7d2803..00000000
--- a/elastalert_rules/sigma_win_tap_driver_installation.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-alert:
-- debug
-description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"7045" AND ImagePath.keyword:*tap0901*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_tap_driver_installation
-priority: 3
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"6" AND ImagePath.keyword:*tap0901*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_tap_driver_installation
-priority: 3
-realert:
- minutes: 0
-type: any
-
-alert:
-- debug
-description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"4697" AND ImagePath.keyword:*tap0901*)
-index: wazuh-alerts-3.x-*
-name: sigma_win_tap_driver_installation
-priority: 3
-realert:
- minutes: 0
-type: any
-
-
diff --git a/elastalert_rules/sigma_win_tap_installer_execution.yml b/elastalert_rules/sigma_win_tap_installer_execution.yml
deleted file mode 100644
index 6d3df88a..00000000
--- a/elastalert_rules/sigma_win_tap_installer_execution.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\tapinstall.exe)
-index: wazuh-alerts-3.x-*
-name: 99793437-3e16-439b-be0f-078782cf953d_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_task_folder_evasion.yml b/elastalert_rules/sigma_win_task_folder_evasion.yml
deleted file mode 100644
index 19943164..00000000
--- a/elastalert_rules/sigma_win_task_folder_evasion.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.commandLine.keyword:(*echo\ * OR *copy\ * OR *type\ * OR *file\ createnew*) AND data.win.eventdata.commandLine.keyword:(*\ C\:\\Windows\\System32\\Tasks\\* OR *\ C\:\\Windows\\SysWow64\\Tasks\\*))
-index: wazuh-alerts-3.x-*
-name: cc4e02ba-9c06-48e2-b09e-2500cace9ae0_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_termserv_proc_spawn.yml b/elastalert_rules/sigma_win_termserv_proc_spawn.yml
deleted file mode 100644
index 71af758f..00000000
--- a/elastalert_rules/sigma_win_termserv_proc_spawn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentCommandLine.keyword:*\\svchost.exe*termsvcs AND (NOT (data.win.eventdata.image.keyword:*\\rdpclip.exe)))
-index: wazuh-alerts-3.x-*
-name: 1012f107-b8f1-4271-af30-5aed2de89b39_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_tool_psexec1.yml b/elastalert_rules/sigma_win_tool_psexec1.yml
deleted file mode 100644
index 3b462990..00000000
--- a/elastalert_rules/sigma_win_tool_psexec1.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PsExec service installation and execution events (service and Sysmon)
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.serviceName:"PSEXESVC" AND ((data.win.system.eventID:"7045" AND data.win.eventdata.imagePath.keyword:*\\PSEXESVC.exe) OR data.win.system.eventID:"7036"))
-index: wazuh-alerts-3.x-*
-name: sigma_win_tool_psexec
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_tool_psexec2.yml b/elastalert_rules/sigma_win_tool_psexec2.yml
deleted file mode 100644
index 8e26e7e7..00000000
--- a/elastalert_rules/sigma_win_tool_psexec2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects PsExec service installation and execution events (service and Sysmon)
-filter:
-- query:
- query_string:
- query: (data.win.eventdata.image.keyword:*\\PSEXESVC.exe AND user_account:"NT\ AUTHORITY\\SYSTEM")
-index: wazuh-alerts-3.x-*
-name: sigma_win_tool_psexec
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_transferring_files_with_credential_data_via_network_shares.yml b/elastalert_rules/sigma_win_transferring_files_with_credential_data_via_network_shares.yml
deleted file mode 100644
index 1af5c57c..00000000
--- a/elastalert_rules/sigma_win_transferring_files_with_credential_data_via_network_shares.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Transfering files with well-known filenames (sensitive files with credential data) using network shares
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"5145" AND data.win.eventdata.relativeTargetName.keyword:(*\\mimidrv* OR *\\lsass* OR *\\windows\\minidump\\* OR *\\hiberfil* OR *\\sqldmpr* OR *\\sam* OR *\\ntds.dit* OR *\\security*))
-index: wazuh-alerts-3.x-*
-name: sigma_win_transferring_files_with_credential_data_via_network_shares
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_trust_discovery.yml b/elastalert_rules/sigma_win_trust_discovery.yml
deleted file mode 100644
index 2120c58d..00000000
--- a/elastalert_rules/sigma_win_trust_discovery.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:*\\nltest.exe AND data.win.eventdata.commandLine.keyword:(*domain_trusts* OR *all_trusts* OR *\/dclist*)) OR (data.win.eventdata.image.keyword:*\\dsquery.exe AND data.win.eventdata.commandLine.keyword:*trustedDomain*)))
-index: wazuh-alerts-3.x-*
-name: 3bad990e-4848-4a78-9530-b427d854aac0_0
-priority: 3
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_uac_cmstp.yml b/elastalert_rules/sigma_win_uac_cmstp.yml
deleted file mode 100644
index 5e828a1e..00000000
--- a/elastalert_rules/sigma_win_uac_cmstp.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\cmstp.exe AND data.win.eventdata.commandLine.keyword:(*\/s* OR *\/au*))
-index: wazuh-alerts-3.x-*
-name: e66779cc-383e-4224-a3a4-267eeb585c40_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_uac_fodhelper.yml b/elastalert_rules/sigma_win_uac_fodhelper.yml
deleted file mode 100644
index e56fbe8f..00000000
--- a/elastalert_rules/sigma_win_uac_fodhelper.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\fodhelper.exe)
-index: wazuh-alerts-3.x-*
-name: 7f741dcf-fc22-4759-87b4-9ae8376676a2_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_uac_wsreset.yml b/elastalert_rules/sigma_win_uac_wsreset.yml
deleted file mode 100644
index 9618b5ee..00000000
--- a/elastalert_rules/sigma_win_uac_wsreset.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-filter:
-- query:
- query_string:
- query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\wsreset.exe AND (NOT (data.win.eventdata.image.keyword:*\\conhost.exe)))
-index: wazuh-alerts-3.x-*
-name: d797268e-28a9-49a7-b9a8-2f5039011c5c_0
-priority: 2
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_usb_device_plugged.yml b/elastalert_rules/sigma_win_usb_device_plugged.yml
deleted file mode 100644
index 7e92547c..00000000
--- a/elastalert_rules/sigma_win_usb_device_plugged.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-alert:
-- debug
-description: Detects plugged USB devices
-filter:
-- query:
- query_string:
- query: data.win.system.eventID:("2003" OR "2100" OR "2102")
-index: wazuh-alerts-3.x-*
-name: sigma_win_usb_device_plugged
-priority: 4
-realert:
- minutes: 0
-type: any
diff --git a/elastalert_rules/sigma_win_user_added_to_local_administrators.yml b/elastalert_rules/sigma_win_user_added_to_local_administrators.yml
deleted file mode 100644
index d4238e21..00000000
--- a/elastalert_rules/sigma_win_user_added_to_local_administrators.yml
+++ /dev/null
@@ -1,13 +0,0 @@ -alert: -- debug -description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity -filter: -- query: - query_string: - query: ((data.win.system.eventID:"4732" AND (group_name:"Administrators" OR group_sid:"S\-1\-5\-32\-544")) AND (NOT (SubjectUserName.keyword:*$))) -index: wazuh-alerts-3.x-* -name: sigma_win_user_added_to_local_administrators -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/elastalert_rules/sigma_win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml deleted file mode 100644 index 91ca2ba6..00000000 --- a/elastalert_rules/sigma_win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. -filter: -- query: - query_string: - query: (data.win.system.eventID:"4673" AND Service:"LsaRegisterLogonProcess\(\)" AND Keywords:"0x8010000000000000") -index: wazuh-alerts-3.x-* -name: sigma_win_user_couldnt_call_privileged_service_lsaregisterlogonprocess -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_user_creation.yml b/elastalert_rules/sigma_win_user_creation.yml deleted file mode 100644 index f66cf4d5..00000000 --- a/elastalert_rules/sigma_win_user_creation.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs. -filter: -- query: - query_string: - query: data.win.system.eventID:"4720" -index: wazuh-alerts-3.x-* -name: sigma_win_user_creation -priority: 4 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_user_driver_loaded.yml b/elastalert_rules/sigma_win_user_driver_loaded.yml deleted file mode 100644 index a45d4e35..00000000 --- a/elastalert_rules/sigma_win_user_driver_loaded.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff. -filter: -- query: - query_string: - query: ((data.win.system.eventID:"4673" AND PrivilegeList:"SeLoadDriverPrivilege" AND Service:"\-") AND (NOT (data.win.eventdata.processName.keyword:(*\\Windows\\System32\\Dism.exe* OR *\\Windows\\System32\\rundll32.exe* OR *\\Windows\\System32\\fltMC.exe* OR *\\Windows\\HelpPane.exe* OR *\\Windows\\System32\\mmc.exe* OR *\\Windows\\System32\\svchost.exe* OR *\\Windows\\System32\\wimserv.exe* OR *\\procexp64.exe* OR *\\procexp.exe* OR *\\procmon64.exe* OR *\\procmon.exe* OR *\\Google\\Chrome\\Application\\chrome.exe*)))) -index: wazuh-alerts-3.x-* -name: sigma_win_user_driver_loaded -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/elastalert_rules/sigma_win_using_sc_to_change_sevice_image_path_by_non_admin.yml deleted file mode 100644 index 7294d7c6..00000000 --- a/elastalert_rules/sigma_win_using_sc_to_change_sevice_image_path_by_non_admin.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\sc.exe AND IntegrityLevel:"Medium" AND ((data.win.eventdata.commandLine.keyword:*config* AND data.win.eventdata.commandLine.keyword:*binPath*) OR (data.win.eventdata.commandLine.keyword:*failure* AND data.win.eventdata.commandLine.keyword:*command*))) -index: wazuh-alerts-3.x-* -name: d937b75f-a665-4480-88a5-2f20e9f9b22a_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_vul_cve_2020_0688.yml b/elastalert_rules/sigma_win_vul_cve_2020_0688.yml deleted file mode 100644 index 19847bae..00000000 --- a/elastalert_rules/sigma_win_vul_cve_2020_0688.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 -filter: -- query: - query_string: - query: ((data.win.system.eventID:"4" AND data.win.eventdata.source Name:"MSExchange\ Control\ Panel" AND Level:"Error") AND "*&__VIEWSTATE\=*") -index: wazuh-alerts-3.x-* -name: sigma_win_vul_cve_2020_0688 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_vul_cve_2020_1472.yml b/elastalert_rules/sigma_win_vul_cve_2020_1472.yml deleted file mode 100644 index f80228a3..00000000 --- a/elastalert_rules/sigma_win_vul_cve_2020_1472.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472. -filter: -- query: - query_string: - query: data.win.system.eventID:("5829") -index: wazuh-alerts-3.x-* -name: sigma_win_vul_cve_2020_1472 -priority: 2 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_win_vul_java_remote_debugging.yml b/elastalert_rules/sigma_win_vul_java_remote_debugging.yml deleted file mode 100644 index f12b4ebb..00000000 --- a/elastalert_rules/sigma_win_vul_java_remote_debugging.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.commandLine.keyword:*transport\=dt_socket,address\=* AND (NOT (data.win.eventdata.commandLine.keyword:*address\=127.0.0.1* OR data.win.eventdata.commandLine.keyword:*address\=localhost*))) -index: wazuh-alerts-3.x-* -name: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_webshell_detection.yml b/elastalert_rules/sigma_win_webshell_detection.yml deleted file mode 100644 index 3b816f19..00000000 --- a/elastalert_rules/sigma_win_webshell_detection.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects certain command line parameters often used during reconnaissance activity via web shells -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:(*\\apache* OR *\\tomcat* OR *\\w3wp.exe OR *\\php\-cgi.exe OR *\\nginx.exe OR *\\httpd.exe) AND data.win.eventdata.commandLine.keyword:(*whoami* OR *net\ user\ * OR *ping\ \-n\ * OR *systeminfo OR *&cd&echo* OR *cd\ \/d*)) -index: wazuh-alerts-3.x-* -name: bed2a484-9348-4143-8a8a-b801c979301c_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_webshell_recon_detection.yml b/elastalert_rules/sigma_win_webshell_recon_detection.yml deleted file mode 100644 index 9b28be83..00000000 --- a/elastalert_rules/sigma_win_webshell_recon_detection.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed. -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:(*\\apache* OR *\\tomcat* OR *\\w3wp.exe* OR *\\php\-cgi.exe* OR *\\nginx.exe* OR *\\httpd.exe*) AND data.win.eventdata.image.keyword:(*\\cmd.exe) AND data.win.eventdata.commandLine.keyword:(*perl\ \-\-help* OR *python\ \-\-help* OR *wget\ \-\-help* OR *perl\ \-h*)) -index: wazuh-alerts-3.x-* -name: f64e5c19-879c-4bae-b471-6d84c8339677_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_webshell_spawn.yml b/elastalert_rules/sigma_win_webshell_spawn.yml deleted file mode 100644 index e738949d..00000000 --- a/elastalert_rules/sigma_win_webshell_spawn.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:(*\\w3wp.exe OR *\\httpd.exe OR *\\nginx.exe OR *\\php\-cgi.exe OR *\\tomcat.exe) AND data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\sh.exe OR *\\bash.exe OR *\\powershell.exe OR *\\bitsadmin.exe)) -index: wazuh-alerts-3.x-* -name: 8202070f-edeb-4d31-a010-a26c72ac5600_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_whoami_as_system.yml b/elastalert_rules/sigma_win_whoami_as_system.yml deleted file mode 100644 index 35b0f4cd..00000000 --- a/elastalert_rules/sigma_win_whoami_as_system.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND user_account:"NT\ AUTHORITY\\SYSTEM" AND data.win.eventdata.image.keyword:*\\whoami.exe) -index: wazuh-alerts-3.x-* -name: 80167ada-7a12-41ed-b8e9-aa47195c66a1_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_win10_sched_task_0day.yml b/elastalert_rules/sigma_win_win10_sched_task_0day.yml deleted file mode 100644 index 929790c5..00000000 --- a/elastalert_rules/sigma_win_win10_sched_task_0day.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects Task Scheduler .job import arbitrary DACL write\par -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\schtasks.exe AND data.win.eventdata.commandLine.keyword:*\/change*\/TN*\/RU*\/RP*) -index: wazuh-alerts-3.x-* -name: 931b6802-d6a6-4267-9ffa-526f57f22aaf_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_wmi_backdoor_exchange_transport_agent.yml b/elastalert_rules/sigma_win_wmi_backdoor_exchange_transport_agent.yml deleted file mode 100644 index 1ca4a4bd..00000000 --- a/elastalert_rules/sigma_win_wmi_backdoor_exchange_transport_agent.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\EdgeTransport.exe) -index: wazuh-alerts-3.x-* -name: 797011dc-44f4-4e6f-9f10-a8ceefbe566b_0 -priority: 1 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_wmi_persistence.yml b/elastalert_rules/sigma_win_wmi_persistence.yml deleted file mode 100644 index 1f138f20..00000000 
--- a/elastalert_rules/sigma_win_wmi_persistence.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher) -filter: -- query: - query_string: - query: ((data.win.system.eventID:"5861" AND data.win.system.message.keyword:(*ActiveScriptEventConsumer* OR *CommandLineEventConsumer* OR *CommandLineTemplate*)) OR data.win.system.eventID:"5859") -index: wazuh-alerts-3.x-* -name: sigma_win_wmi_persistence -priority: 3 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_wmi_persistence_script_event_consumer.yml b/elastalert_rules/sigma_win_wmi_persistence_script_event_consumer.yml deleted file mode 100644 index bb4116df..00000000 --- a/elastalert_rules/sigma_win_wmi_persistence_script_event_consumer.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects WMI script event consumers -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image:"C\:\\WINDOWS\\system32\\wbem\\scrcons.exe" AND data.win.eventdata.parentImage:"C\:\\Windows\\System32\\svchost.exe") -index: wazuh-alerts-3.x-* -name: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_wmi_spwns_powershell.yml b/elastalert_rules/sigma_win_wmi_spwns_powershell.yml deleted file mode 100644 index 22943ada..00000000 --- a/elastalert_rules/sigma_win_wmi_spwns_powershell.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects WMI spawning PowerShell -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:(*\\wmiprvse.exe) AND data.win.eventdata.image.keyword:(*\\powershell.exe)) -index: wazuh-alerts-3.x-* -name: 692f0bec-83ba-4d04-af7e-e884a96059b6_0 -priority: 2 -realert: - minutes: 0 -type: any 
diff --git a/elastalert_rules/sigma_win_wmiprvse_spawning_process.yml b/elastalert_rules/sigma_win_wmiprvse_spawning_process.yml deleted file mode 100644 index 97653120..00000000 --- a/elastalert_rules/sigma_win_wmiprvse_spawning_process.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects wmiprvse spawning processes -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:*\\WmiPrvSe.exe AND (NOT (data.win.eventdata.logonId:"0x3e7" OR user_account:"NT\ AUTHORITY\\SYSTEM" OR data.win.eventdata.image.keyword:(*\\WmiPrvSE.exe OR *\\WerFault.exe)))) -index: wazuh-alerts-3.x-* -name: d21374ff-f574-44a7-9998-4a8c8bf33d7d_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_workflow_compiler.yml b/elastalert_rules/sigma_win_workflow_compiler.yml deleted file mode 100644 index 53a7b08d..00000000 --- a/elastalert_rules/sigma_win_workflow_compiler.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:*\\Microsoft.Workflow.Compiler.exe) -index: wazuh-alerts-3.x-* -name: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_wsreset_uac_bypass.yml b/elastalert_rules/sigma_win_wsreset_uac_bypass.yml deleted file mode 100644 index 73df564d..00000000 --- a/elastalert_rules/sigma_win_wsreset_uac_bypass.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -alert: -- debug -description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND data.win.eventdata.parentImage.keyword:(*\\WSreset.exe)) -index: wazuh-alerts-3.x-* -name: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae_0 -priority: 2 -realert: - minutes: 0 -type: any diff --git a/elastalert_rules/sigma_win_xsl_script_processing.yml b/elastalert_rules/sigma_win_xsl_script_processing.yml deleted file mode 100644 index e4c2fd8d..00000000 --- a/elastalert_rules/sigma_win_xsl_script_processing.yml +++ /dev/null @@ -1,13 +0,0 @@ -alert: -- debug -description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses -filter: -- query: - query_string: - query: (data.win.system.eventID:"1" AND ((data.win.eventdata.image.keyword:*\\wmic.exe AND data.win.eventdata.commandLine.keyword:*\/format*) OR data.win.eventdata.image.keyword:*\\msxsl.exe)) -index: wazuh-alerts-3.x-* -name: 05c36dd6-79d6-4a9a-97da-3db20298ab2d_0 -priority: 3 -realert: - minutes: 0 -type: any diff --git a/tools/pull-sigma.sh b/tools/pull-sigma.sh index 851f650f..32908574 100755 --- a/tools/pull-sigma.sh +++ b/tools/pull-sigma.sh 
@@ -19,54 +19,54 @@ echo "------------------------------------------------" echo " " rule_counter=0 ESALERT_HOME="../elastalert_rules" -# Windows rules -for rule_category in ../rules/windows/* ; do - echo " " - echo "Working on Folder: $rule_category:" - echo "-------------------------------------------------------------" - if [ "$rule_category" == ../rules/windows/process_creation ]; then - for rule in $rule_category/* ; do - if [ $rule != ../rules/windows/process_creation/win_mal_adwind.yml ]; - then - if SIGMAremoveNearRules "$rule"; then - continue - else - echo "[+++] Processing Windows process creation rule: $rule .." - ./sigmac -t elastalert -c config/generic/sysmon.yml -c config/wazuh.yml -o ${ESALERT_HOME}/sigma_$(basename $rule) "$rule" - # Give unique rule name for sysmon - sed -i '' 's/^name: /name: Sysmon_/' ${ESALERT_HOME}/sigma_sysmon_$(basename $rule) - ./sigmac -t elastalert -c config/generic/windows-audit.yml -c config/wazuh.yml -o ${ESALERT_HOME}/sigma_sysmon_$(basename $rule) "$rule" - #ls -la "${ESALERT_HOME}"/rules/sigma_sysmon_"$(basename "${rule}")" - rule_counter=$[$rule_counter +1] - fi - fi - done - else - for rule in $rule_category/* ; do - if SIGMAremoveNearRules "$rule"; then - continue - else - echo "[+++] Processing additional Windows rule: $rule .." 
- ./sigmac -t elastalert -c config/wazuh.yml -o ${ESALERT_HOME}/sigma_$(basename $rule) "$rule"rules/sigma_$(basename $rule) $rule - sed -i '' "s/^name: .*/name: sigma_$(basename -s .yml $rule)/" ${ESALERT_HOME}/sigma_$(basename $rule) - rule_counter=$[$rule_counter +1] - fi - done - fi -done +# # Windows rules +# for rule_category in ../rules/windows/* ; do +# echo " " +# echo "Working on Folder: $rule_category:" +# echo "-------------------------------------------------------------" +# if [ "$rule_category" == ../rules/windows/process_creation ]; then +# for rule in $rule_category/* ; do +# if [ $rule != ../rules/windows/process_creation/win_mal_adwind.yml ]; +# then +# if SIGMAremoveNearRules "$rule"; then +# continue +# else +# echo "[+++] Processing Windows process creation rule: $rule .." +# ./sigmac -t elastalert -c config/generic/sysmon.yml -c config/wazuh.yml -o "${ESALERT_HOME}"/sigma_"$(basename "$rule")" "$rule" +# # Give unique rule name for sysmon +# sed -i '' 's/^name: /name: Sysmon_/' "${ESALERT_HOME}"/sigma_sysmon_"$(basename "$rule")" +# ./sigmac -t elastalert -c config/generic/windows-audit.yml -c config/wazuh.yml -o ${ESALERT_HOME}/sigma_sysmon_"$(basename "$rule")" "$rule" +# #ls -la "${ESALERT_HOME}"/rules/sigma_sysmon_"$(basename "${rule}")" +# rule_counter=$[$rule_counter +1] +# fi +# fi +# done +# else +# for rule in $rule_category/* ; do +# if SIGMAremoveNearRules "$rule"; then +# continue +# else +# echo "[+++] Processing additional Windows rule: $rule .." 
+# ./sigmac -t elastalert -c config/wazuh.yml -o "${ESALERT_HOME}"/sigma_"$(basename "$rule")" "$rule"rules/sigma_"$(basename "$rule")" $rule +# sed -i '' "s/^name: .*/name: sigma_"$(basename -s .yml "$rule")"/" "${ESALERT_HOME}"/sigma_"$(basename "$rule")" +# rule_counter=$[$rule_counter +1] +# fi +# done +# fi +# done # Apt rules echo " " echo "Working on Folder: apt:" echo "-------------------------------------------------------------" -for rule in rules/apt/* ; do +for rule in ../rules/apt/* ; do if SIGMAremoveNearRules "$rule"; then continue else echo "[+++] Processing apt rule: $rule .." - ./sigmac -t elastalert -c config/generic/sysmon.yml -c config/wazuh.yml -o ${ESALERT_HOME}/sigma_apt_$(basename $rule) "$rule" + ./sigmac -t elastalert -c config/generic/sysmon.yml -c config/wazuh.yml -o "${ESALERT_HOME}"/sigma_apt_"$(basename "$rule")" "$rule" # Give unique rule name for sysmon - sed -i '' 's/^name: /name: Sysmon_/' ${ESALERT_HOME}/sigma_sysmon_apt_$(basename $rule) - ./sigmac -t elastalert -c config/generic/windows-audit.yml -c config/wazuh.yml -o ${ESALERT_HOME}/sigma_sysmon_apt_$(basename $rule) "$rule" + sed -i '' 's/^name: /name: Sysmon_/' "${ESALERT_HOME}"/sigma_sysmon_apt_"$(basename "$rule")" + ./sigmac -t elastalert -c config/generic/windows-audit.yml -c config/wazuh.yml -o "${ESALERT_HOME}"/sigma_sysmon_apt_"$(basename "$rule")" "$rule" rule_counter=$[$rule_counter +1] fi done
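Review bot: In the apt loop, `sed -i '' 's/^name: /name: Sysmon_/'` still runs against `sigma_sysmon_apt_<rule>` before the second `./sigmac` invocation (the `windows-audit.yml` one) creates that file, so on a clean checkout sed hits a missing file and the freshly generated sysmon variant keeps the same `name:` as `sigma_apt_<rule>`; ElastAlert expects distinct rule names, so one of the pair is likely to be rejected at load time or to shadow the other, silently dropping coverage. Swap the two lines so the rename follows generation: `./sigmac -t elastalert -c config/generic/windows-audit.yml -c config/wazuh.yml -o "${ESALERT_HOME}"/sigma_sysmon_apt_"$(basename "$rule")" "$rule"` followed by `sed -i '' 's/^name: /name: Sysmon_/' "${ESALERT_HOME}"/sigma_sysmon_apt_"$(basename "$rule")"`. The 35-line Windows block is commented out rather than deleted; git history already preserves it, and the commented copy still carries the malformed `"$rule"rules/sigma_…` trailing argument and the same sed-before-generate ordering, so it would misbehave if re-enabled — remove it or gate it behind a variable. `sed -i ''` is the BSD/macOS form and fails on GNU sed, and `$[...]` arithmetic is obsolete; `rule_counter=$((rule_counter + 1))` is the portable spelling.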