refactor: sysmon rule cleanup > generlization

rules/windows/file_event/sysmon_office_persistence.yml

@@ -0,0 +1,30 @@
+title: Microsoft Office Add-In Loading
+id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
+status: experimental
+description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
+references:
+    - Internal Research
+tags:
+    - attack.persistence
+    - attack.t1137
+author: NVISO
+date: 2020/05/11
+logsource:
+    category: file_event
+    product: windows
+detection:
+    wlldropped:
+        TargetFilename|contains: \Microsoft\Word\Startup\
+        TargetFilename|endswith: .wll
+    xlldropped:
+        TargetFilename|contains: \Microsoft\Excel\Startup\
+        TargetFilename|endswith: .xll
+    generic:
+        TargetFilename|contains: \Microsoft\Addins\
+        TargetFilename|endswith:
+            - .xlam
+            - .xla
+    condition: (wlldropped or xlldropped or generic)
+falsepositives:
+    - Legitimate add-ins
+level: high

rules/windows/image_load/sysmon_susp_fax_dll.yml

@@ -0,0 +1,33 @@
+title: Fax Service DLL Search Order Hijack
+id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
+status: experimental
+description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
+references:
+    - https://windows-internals.com/faxing-your-way-to-system/
+author: NVISO
+date: 2020/05/04
+modified: 2020/07/01
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.t1073
+    - attack.t1038
+    - attack.t1112
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+        - fxssvc.exe
+        ImageLoaded|endswith:
+        - ualapi.dll
+    filter:
+        ImageLoaded|startswith:
+        - C:\Windows\WinSxS\
+    condition: selection and not filter
+falsepositives:
+    - Unlikely
+level: high

rules/windows/network_connection/sysmon_regsvr32_network_activity.yml

@@ -13,15 +13,12 @@ tags:
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
-modified: 2019/11/10
+modified: 2020/07/01
 logsource:
+    category: network_connection
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID:
-            - 3
-            - 22
         Image|endswith: '\regsvr32.exe'
     condition: selection
 fields:

rules/windows/process_creation/sysmon_hack_wce.yml

@@ -0,0 +1,27 @@
+title: Windows Credential Editor
+id: 7aa7009a-28b9-4344-8c1f-159489a390df
+description: Detects the use of Windows Credential Editor (WCE)
+author: Florian Roth
+references:
+    - https://www.ampliasecurity.com/research/windows-credentials-editor/
+date: 2019/12/31
+modified: 2020/07/01
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Imphash: 
+          - a53a02b997935fd8eedcb5f7abab9b9f
+          - e96a73c7bf33a464c510ede582318bf2
+    selection2:
+        CommandLine|endswith: '.exe -S'
+        ParentImage|endswith: '\services.exe'
+    condition: 1 of them
+falsepositives:
+    - 'Another service that uses a single -s command line switch'
+level: critical

rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml

@@ -1,4 +1,3 @@
-action: global
 title: Logon Scripts (UserInitMprLogonScript)
 id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
 status: experimental
@@ -12,11 +11,7 @@ tags:
     - attack.lateral_movement
 author: Tom Ueltschi (@c_APT_ure)
 date: 2019/01/12
-falsepositives:
-    - exclude legitimate logon scripts
-    - penetration tests, red teaming
-level: high
----
+modified: 2020/07/01
 logsource:
     category: process_creation
     product: windows
@@ -29,25 +24,10 @@ detection:
         CommandLine|contains:
             - 'netlogon.bat'
             - 'UsrLogon.cmd'
-    condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
     create_keywords_cli:
         CommandLine: '*UserInitMprLogonScript*'
-    condition: create_keywords_cli
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    create_selection_reg:
-        EventID:
-            - 12
-            - 13
-            - 14
-    create_keywords_reg:
-        TargetObject: '*UserInitMprLogonScript*'
-    condition: create_selection_reg and create_keywords_reg
+    condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
+falsepositives:
+    - exclude legitimate logon scripts
+    - penetration tests, red teaming
+level: high

rules/windows/registry_event/sysmon_cve-2020-1048.yml

@@ -11,13 +11,10 @@ tags:
     - attack.persistence
     - attack.execution
 logsource:
-    service: sysmon
     product: windows
+    category: registry_event
 detection:        
-    selection: 
-        EventID: 
-            - 12
-            - 13 
+    selection:
         TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
         EventType:
             - SetValue

rules/windows/registry_event/sysmon_etw_disabled.yml

@@ -19,10 +19,9 @@ tags:
     - attack.t1112
 logsource:
     product: windows
-    service: sysmon
+    category: registry_event
 detection:
     selection:
-        EventID: 13
         TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
         Details: 'DWORD (0x00000000)'
     condition: selection

rules/windows/registry_event/sysmon_hack_wce.yml

@@ -1,4 +1,3 @@
-action: global
 title: Windows Credential Editor
 id: 7aa7009a-28b9-4344-8c1f-159489a390df
 description: Detects the use of Windows Credential Editor (WCE)
@@ -10,23 +9,6 @@ tags:
     - attack.credential_access
     - attack.t1003
     - attack.s0005
-falsepositives:
-    - 'Another service that uses a single -s command line switch'
-level: critical
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Imphash: 
-          - a53a02b997935fd8eedcb5f7abab9b9f
-          - e96a73c7bf33a464c510ede582318bf2
-    selection2:
-        CommandLine|endswith: '.exe -S'
-        ParentImage|endswith: '\services.exe'
-    condition: 1 of them
----
 logsource:
     category: registry_event
     product: windows
@@ -34,3 +16,6 @@ detection:
     selection:       
         TargetObject|contains: Services\WCESERVICE\Start
     condition: selection
+falsepositives:
+    - 'Another service that uses a single -s command line switch'
+level: critical

rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml

@@ -0,0 +1,25 @@
+title: Logon Scripts (UserInitMprLogonScript)
+id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
+status: experimental
+description: Detects creation or execution of UserInitMprLogonScript persistence method
+references:
+    - https://attack.mitre.org/techniques/T1037/
+tags:
+    - attack.t1037
+    - attack.t1037.001
+    - attack.persistence
+    - attack.lateral_movement
+author: Tom Ueltschi (@c_APT_ure)
+date: 2019/01/12
+modified: 2020/07/01
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    create_keywords_reg:
+        TargetObject: '*UserInitMprLogonScript*'
+    condition: create_keywords_reg
+falsepositives:
+    - exclude legitimate logon scripts
+    - penetration tests, red teaming
+level: high

rules/windows/registry_event/sysmon_reg_office_security.yml

@@ -4,27 +4,26 @@ status: experimental
 description: Detects registry changes to Office macro settings
 author: Trent Liffick (@tliffick)
 date: 2020/05/22
+modified: 2020/07/01
 references:
+    - Internal Research
 tags:
     - attack.defense_evasion
     - attack.t1112
-falsepositives:
-    - Valid Macros and/or internal documents
-level: high
 logsource:
-  service: sysmon
-  product: windows
+    category: registry_event
+    product: windows
 detection:
     sec_settings:
-      EventID:
-            - 12
-            - 13
-      TargetObject|endswith:
+        TargetObject|endswith:
             - '*\Security\Trusted Documents\TrustRecords'
             - '*\Security\AccessVBOM'
             - '*\Security\VBAWarnings'
-      EventType:
+        EventType:
             - SetValue
             - DeleteValue
             - CreateValue
     condition: sec_settings
+falsepositives:
+    - Valid Macros and/or internal documents
+level: high

rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml

@@ -4,17 +4,15 @@ status: experimental
 description: Detects a method to load DLL via LSASS process using an undocumented Registry key
 author: Florian Roth
 date: 2019/10/16
+modified: 2020/07/01
 references:
     - https://blog.xpnsec.com/exploring-mimikatz-part-1/
     - https://twitter.com/SBousseaden/status/1183745981189427200
 logsource:
+    category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID:
-            - 12
-            - 13
         TargetObject:
             - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
             - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'

rules/windows/registry_event/sysmon_susp_mic_cam_access.yml

@@ -10,11 +10,10 @@ tags:
     - attack.t1125
     - attack.t1123
 logsource:
-    category: sysmon
+    category: registry_event
     product: windows
 detection:
     selection_1:
-        EventId: 13
         TargetObject|contains:
             - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
     selection_2:

rules/windows/sysmon/sysmon_office_persistence.yml

@@ -1,32 +0,0 @@
-title: Microsoft Office Add-In Loading
-id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
-status: experimental
-description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
-references:
-  - Internal research
-tags:
-  - attack.persistence
-  - attack.t1137
-author: NVISO
-date: 2020/05/11
-logsource:
-  product: windows
-  service: sysmon
-detection:
-  selection:
-    EventID: 11 #FileCreate
-  wlldropped:
-    TargetFilename|contains: \Microsoft\Word\Startup\
-    TargetFilename|endswith: .wll
-  xlldropped:
-    TargetFilename|contains: \Microsoft\Excel\Startup\
-    TargetFilename|endswith: .xll
-  generic:
-    TargetFilename|contains: \Microsoft\Addins\
-    TargetFilename|endswith:
-      - .xlam
-      - .xla
-  condition: selection and (wlldropped or xlldropped or generic)
-falsepositives:
-  - Legitimate add-ins
-level: high

rules/windows/sysmon/sysmon_susp_fax_dll.yml

@@ -1,33 +0,0 @@
-title: Fax Service DLL Search Order Hijack
-id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
-status: experimental
-description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
-references:
-  - https://windows-internals.com/faxing-your-way-to-system/
-author: NVISO
-date: 2020/05/04
-tags:
-  - attack.persistence
-  - attack.defense_evasion
-  - attack.t1073
-  - attack.t1038
-  - attack.t1112
-  - attack.t1574.001
-  - attack.t1574.002
-logsource:
-  product: windows
-  service: sysmon
-detection:
-  selection:
-    EventID: 7 #ImageLoaded
-    Image|endswith:
-      - fxssvc.exe
-    ImageLoaded|endswith:
-      - ualapi.dll
-  filter:
-    ImageLoaded|startswith:
-      - C:\Windows\WinSxS\
-  condition: selection and not filter
-falsepositives:
-  - Unlikely
-level: high

tools/config/generic/sysmon.yml

@@ -13,7 +13,9 @@ logsources:
         category: network_connection
         product: windows
         conditions:
-            EventID: 3
+            EventID: 
+                - 3
+                - 22
         rewrite:
             product: windows
             service: sysmon