Merge pull request #1030 from stevengoossensB/master

Updated sysmon config and rewrite rules to use categories
This commit is contained in:
Florian Roth 2021-04-23 16:52:25 +02:00 committed by GitHub
commit c7ce9154d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
51 changed files with 160 additions and 187 deletions


@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -29,14 +29,11 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
EventID: 4697


@ -31,7 +31,7 @@ detection:
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
EventID: 6


@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -29,14 +29,11 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
EventID: 4697


@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -29,14 +29,11 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
logsource:
product: windows
service: security
detection:
detection:
selection:
EventID: 4697
EventID: 4697


@ -16,9 +16,9 @@ falsepositives:
- unknown
level: medium
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -29,14 +29,11 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
EventID: 4697


@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: medium
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -29,10 +29,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows


@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -29,10 +29,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows


@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -29,10 +29,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows


@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -29,10 +29,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows


@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -29,10 +29,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows


@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -29,14 +29,11 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
EventID: 4697


@ -21,7 +21,7 @@ tags:
- attack.t1569.002
- attack.s0005
detection:
selection_1:
selection:
- ServiceName|contains:
- 'fgexec'
- 'wceservice'
@ -39,7 +39,7 @@ detection:
- 'gsecdump'
- 'servpw'
- 'pwdump'
condition: selection and selection_1
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
@ -53,10 +53,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows


@ -14,7 +14,7 @@ tags:
- attack.t1134.001
- attack.t1134.002
detection:
selection_1:
selection:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- 'cmd'
@ -32,7 +32,7 @@ detection:
- 'rundll32'
- '.dll,a'
- '/p:'
condition: selection and selection_1
condition: selection
fields:
- ComputerName
- SubjectDomainName
@ -51,10 +51,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows


@ -20,10 +20,9 @@ level: critical
---
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection1:
EventID: 13
TargetObject|contains|all:
- 'SYSTEM\'
- 'ControlSet'
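Review bot: Dropping `EventID: 13` from `selection1` leaves this rule scoped only by `category: registry_event`, which the backend presumably resolves to Sysmon 12, 13 and 14 together, so key-create and key-delete events would now satisfy a selection that was written for value-set events. If only value writes are intended, keep `EventID: 13` inside `selection1` alongside the new `category: registry_event` logsource. The registry_event mapping itself is not in the part of sysmon.yml shown in this PR, so confirm what it resolves to; the same question applies to the registry hunks for the wercplsupport ServiceDll, AppDataLow and AppCompatFlags rules, which also drop `EventID: 13`.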


@ -12,9 +12,9 @@ falsepositives:
- Legitimate OpenVPN TAP insntallation
level: medium
detection:
selection_1:
selection:
ImagePath|contains: 'tap0901'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@ -25,10 +25,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows


@ -10,7 +10,7 @@ date: 2019/02/01
modified: 2020/08/28
logsource:
product: windows
service: sysmon
category: create_remote_thread
detection:
selection:
EventID: 8


@ -14,10 +14,9 @@ date: 2018/11/30
modified: 2020/08/28
logsource:
product: windows
service: sysmon
category: create_remote_thread
detection:
selection:
EventID: 8
TargetProcessAddress|endswith:
- '0B80'
- '0C7C'


@ -13,10 +13,9 @@ tags:
- attack.t1055.001
logsource:
product: windows
service: sysmon
category: create_remote_thread
detection:
selection:
EventID: 8
StartModule|endswith: '\kernel32.dll'
StartFunction: 'LoadLibraryA'
condition: selection


@ -9,10 +9,9 @@ date: 2017/02/19
modified: 2021/04/01
logsource:
product: windows
service: sysmon
category: create_remote_thread
detection:
selection:
EventID: 8
TargetImage: 'C:\Windows\System32\lsass.exe'
StartModule: ''
condition: selection


@ -8,7 +8,7 @@ references:
date: 2018/06/25
logsource:
product: windows
service: sysmon
category: create_remote_thread
detection:
selection:
EventID: 8


@ -14,14 +14,13 @@ references:
- https://lolbas-project.github.io
logsource:
product: windows
service: sysmon
category: create_remote_thread
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1055
detection:
selection:
EventID: 8
SourceImage|endswith:
- '\bash.exe'
- '\cvtres.exe'


@ -14,16 +14,14 @@ date: 2018/06/03
modified: 2020/08/26
logsource:
product: windows
service: sysmon
category: create_stream_hash
definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
selection:
EventID: 15
filter1:
Imphash: '00000000000000000000000000000000'
filter2:
Imphash: null
condition: selection and not 1 of filter*
condition: not 1 of filter*
fields:
- TargetFilename
- Image
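Review bot: With the `EventID: 15` selection removed, `condition: not 1 of filter*` is a purely negative condition, so the only positive scoping left is whatever the backend config resolves `category: create_stream_hash` to; on a config that has no such entry the generated query degrades to something like `NOT (Imphash=... OR Imphash=null)` over every event. Consider keeping a positive selection, e.g. `selection:` with `EventID: 15` and `condition: selection and not 1 of filter*`, or at least extend `definition` to state that the rule depends on the category mapping. The raw-access-thread rule in this PR (`condition: not filter_1 and not filter_2`) has the same shape and deserves the same treatment.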


@ -12,10 +12,9 @@ author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020/10/07
logsource:
product: windows
service: sysmon
category: create_stream_hash
detection:
selection:
EventID: 15
Image|endswith: '\regedit.exe'
condition: selection
fields:


@ -12,10 +12,9 @@ tags:
- attack.t1189
logsource:
product: windows
service: sysmon
category: dns_query
detection:
dns_answer:
EventID: 22
QueryName: '*'
QueryStatus: '0'
filter_int_ip:


@ -12,10 +12,9 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
logsource:
product: windows
service: sysmon
category: file_delete
detection:
selection:
EventID: 23
TargetFilename|endswith:
- '.AAA'
- '.ZZZ'


@ -12,10 +12,9 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
logsource:
product: windows
service: sysmon
category: file_event
detection:
selection:
EventID: 11
TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
condition: selection
falsepositives:


@ -12,10 +12,9 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
logsource:
product: windows
service: sysmon
category: file_event
detection:
selection:
EventID: 11
TargetFilename|endswith: '.pfx'
condition: selection
falsepositives:


@ -12,7 +12,7 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
logsource:
product: windows
service: image_load
category: image_load
detection:
selection:
ImageLoaded|endswith: '\System.Drawing.ni.dll'


@ -11,7 +11,7 @@ tags:
- attack.t1112
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection:
EventID:


@ -37,9 +37,8 @@ detection:
---
logsource:
product: windows
service: sysmon
category: registry_event
detection:
mod_reg:
EventID: 13
TargetObject|endswith:
- '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'


@ -11,7 +11,7 @@ tags:
date: 2020/06/09
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection:
EventID:


@ -11,15 +11,13 @@ author: NVISO
date: 2020/06/09
logsource:
product: windows
service: sysmon
category: file_event
detection:
filecreate:
EventID: 11
selection:
TargetFilename|endswith:
- '\AppData\Local\Microsoft\Cache134.dat'
- '\AppData\Local\Microsoft\ExplorerSync.db'
condition: filecreate and selection
condition: selection
falsepositives:
- Unknown
level: high
level: high


@ -12,10 +12,9 @@ author: megan201296
date: 2019/02/13
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection:
EventID: 13
TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\'
condition: selection
falsepositives:


@ -13,10 +13,9 @@ tags:
- attack.t1059.001
logsource:
product: windows
service: sysmon
category: pipe_created
detection:
selection:
EventID: 17
PipeName|startswith: '\PSHost'
filter:
Image|endswith:
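Review bot: Removing `EventID: 17` widens this rule, because the `pipe_created` entry added to sysmon.yml in this same PR maps the category to both 17 (PipeCreated) and 18 (PipeConnected), so every client that connects to a `\PSHost` pipe now matches a selection that was written for pipe creation only. If the intent is still creation events, keep `EventID: 17` in `selection` under the new `category: pipe_created` logsource, or note the widening in the rule description. The lsadump/cachedump and the second PSHost rule in this PR drop `EventID: 17` in the same way.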


@ -10,13 +10,10 @@ tags:
author: Markus Neis
logsource:
product: windows
service: sysmon
category: pipe_created
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
detection:
selection:
EventID:
- 17
- 18
PipeName:
- '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
- '\userpipe' # ruag apt case
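Review bot: The `definition` line kept as context here still reads "Symson config" while the Uroburos pipe rule in this PR corrects the same sentence to "Sysmon config", so the change leaves the wording inconsistent across files. Since the logsource of this rule is being edited anyway, the line could be updated to `definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'`. The psexec/paexec rule and the PowerShell CreateRemoteThread rule in this PR carry the same misspelling in their `definition`.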


@ -15,10 +15,9 @@ tags:
- attack.t1003.005
logsource:
product: windows
service: sysmon
category: pipe_created
detection:
selection:
EventID: 17
PipeName|contains:
- '\lsadump'
- '\cachedump'


@ -8,13 +8,10 @@ date: 2017/11/06
author: Florian Roth
logsource:
product: windows
service: sysmon
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
category: pipe_created
definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'
detection:
selection:
EventID:
- 17
- 18
PipeName:
- '\isapi_http' # Uroburos Malware Named Pipe
- '\isapi_dg' # Uroburos Malware Named Pipe


@ -11,10 +11,9 @@ references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
logsource:
product: windows
service: sysmon
category: pipe_created
detection:
selection:
EventID: 17
PipeName|startswith: '\PSHost'
condition: selection
falsepositives:


@ -11,13 +11,10 @@ tags:
- attack.t1021.002
logsource:
product: windows
service: sysmon
category: pipe_created
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
detection:
selection:
EventID:
- 17
- 18
PipeName|startswith:
- 'psexec'
- 'paexec'


@ -11,12 +11,10 @@ tags:
- attack.t1059.001
logsource:
product: windows
service: sysmon
category: create_remote_thread
definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
detection:
selection:
EventID:
- 8
SourceImage|endswith: '\powershell.exe'
condition: selection
falsepositives:


@ -9,10 +9,8 @@ date: 2019/10/24
modified: 2020/08/24
logsource:
product: windows
service: sysmon
category: file_event
detection:
event:
EventID: 11
target1:
TargetFilename|contains|all:
- '\My Documents\PowerShell\'
@ -21,7 +19,7 @@ detection:
TargetFilename|contains|all:
- 'C:\Windows\System32\WindowsPowerShell\v1.0\'
- '\profile.ps1'
condition: event and (target1 or target2)
condition: target1 or target2
falsepositives:
- System administrator create Powershell profile manually
level: high


@ -28,9 +28,8 @@ detection:
# Sysmon: File Creation (ID 11)
logsource:
product: windows
service: sysmon
category: file_event
detection:
selection2:
EventID: 11
TargetFilename|contains:
- 'ds7002.lnk'


@ -26,7 +26,7 @@ detection:
---
logsource:
product: windows
service: sysmon
category: file_event
detection:
selection:
EventID: 11


@ -23,8 +23,5 @@ logsource:
product: windows
---
logsource:
category: image_load
product: windows
service: sysmon
detection:
selection:
EventID: 7
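Review bot: The new `category: image_load` is placed above `product: windows`, whereas every other logsource touched in this PR writes `product` first and `category` second; the order has no effect on parsing but the inconsistency makes the collection harder to scan and diff. Move the key below `product: windows` so the second document reads `product: windows` followed by `category: image_load`. The second document now consists of a logsource only and relies on the global detection defined above the hunk, which is outside the shown lines.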


@ -10,10 +10,8 @@ tags:
- attack.t1006
logsource:
product: windows
service: sysmon
category: raw_access_thread
detection:
selection:
EventID: 9
filter_1:
Device|contains: floppy
filter_2:
@ -32,7 +30,7 @@ detection:
- '\dfsrs.exe'
- '\vds.exe'
- '\lsass.exe'
condition: selection and not filter_1 and not filter_2
condition: not filter_1 and not filter_2
fields:
- ComputerName
- Image


@ -12,10 +12,9 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection:
EventID: 13
TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
condition: selection
falsepositives:


@ -15,10 +15,9 @@ references:
- https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection:
EventID: 12
EventType: 'DeleteKey'
TargetObject|endswith: '\shell\open\command'
condition: selection


@ -10,7 +10,7 @@ author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
logsource:
product: windows
service: sysmon
category: wmi_event
detection:
selector:
EventID:


@ -13,7 +13,7 @@ tags:
- attack.t1059.005
logsource:
product: windows
service: sysmon
category: wmi_event
detection:
selection:
EventID: 20


@ -17,11 +17,59 @@ logsources:
rewrite:
product: windows
service: sysmon
dns_query:
category: dns_query
process_terminated:
category: process_termination
product: windows
conditions:
EventID: 22
EventID: 5
rewrite:
product: windows
service: sysmon
driver_loaded:
category: driver_load
product: windows
conditions:
EventID: 6
rewrite:
product: windows
service: sysmon
image_loaded:
category: image_load
product: windows
conditions:
EventID: 7
rewrite:
product: windows
service: sysmon
create_remote_thread:
category: create_remote_thread
product: windows
conditions:
EventID: 8
rewrite:
product: windows
service: sysmon
raw_access_thread:
category: raw_access_thread
product: windows
conditions:
EventID: 9
rewrite:
product: windows
service: sysmon
process_access:
category: process_access
product: windows
conditions:
EventID: 10
rewrite:
product: windows
service: sysmon
file_creation:
category: file_event
product: windows
conditions:
EventID: 11
rewrite:
product: windows
service: sysmon
@ -36,44 +84,48 @@ logsources:
rewrite:
product: windows
service: sysmon
file_creation:
category: file_event
create_stream_hash:
category: create_stream_hash
product: windows
conditions:
EventID: 11
EventID: 15
rewrite:
product: windows
service: sysmon
process_access:
category: process_access
pipe_created:
category: pipe_created
product: windows
conditions:
EventID: 10
EventID:
- 17
- 18
rewrite:
product: windows
service: sysmon
image_loaded:
category: image_load
wmi_event:
category: wmi_event
product: windows
conditions:
EventID: 7
EventID:
- 19
- 20
- 21
rewrite:
product: windows
service: sysmon
driver_loaded:
category: driver_load
dns_query:
category: dns_query
product: windows
conditions:
EventID: 6
EventID: 22
rewrite:
product: windows
service: sysmon
process_terminated:
category: process_termination
file_delete:
category: file_delete
product: windows
conditions:
EventID: 5
EventID: 23
rewrite:
product: windows
service: sysmon
service: sysmon
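Review bot: The existing `file_creation`, `process_access`, `image_loaded`, `driver_loaded` and `process_terminated` entries are moved to the top of the `logsources` map in this second hunk, so a change that is substantively the addition of `create_stream_hash`, `pipe_created`, `wmi_event`, `dns_query` and `file_delete` shows up as a large reordering that hides what is new. Keeping the existing entries where they were and appending the new ones would make the diff reviewable and keep blame history on the untouched entries. The trailing `service: sysmon` printed twice at the end suggests the file's final newline changed; please ensure the file ends with exactly one newline. Every rule in this PR that drops its `EventID` now depends on these mappings, so any other backend config in the repository that lacks the same categories will produce unscoped queries for those rules.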