From fd823045a9127f2176b5ee7a26115714d42609e3 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 16 Jan 2023 10:28:15 +0100
Subject: [PATCH 01/10] fix: fp in msiexec rule

---
 .../proc_creation_win_msiexec_install_quiet.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
index dc758c9f6..0e96d1e40 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/_st0pp3r_/status/1583914244344799235
 author: frack113
 date: 2022/01/16
-modified: 2022/10/28
+modified: 2023/01/16
 tags:
 - attack.defense_evasion
 - attack.t1218.007
@@ -43,6 +43,9 @@ detection:
 ParentImage|contains: '\AppData\Local\Temp\'
 filter_system_temp:
 ParentImage|startswith: 'C:\Windows\Temp\'
+ filter_ccm:
+ ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
+ IntegrityLevel: 'System'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Legitimate script

From e5fe4d5f4686f9cd8693a95932e231f092372f2d Mon Sep 17 00:00:00 2001
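Review bot: The new `filter_ccm` exclusion requires both an exact `ParentImage` path and `IntegrityLevel: 'System'`, so on any process_creation source whose events do not carry an `IntegrityLevel` field the filter can never match and the false positive this commit targets would persist there; this is presumably acceptable if the rule is meant for Sysmon-style telemetry, but it should be stated. A one-line comment above the filter would do, e.g. `# ConfigMgr client launcher; the IntegrityLevel condition only applies where that field is populated`. The `falsepositives` list should also name the case the filter now excludes, e.g. `- Installs launched by the ConfigMgr (CCM) client`; the rest of that list lies outside the hunk.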
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 17 Jan 2023 01:00:24 +0100
Subject: [PATCH 02/10] feat: update config files

- Update indentation of config files to 4
- Add new event logs
---
 tests/logsource.json | 233 +--
 tools/config/elk-windows.yml | 273 +--
 tools/config/elk-winlogbeat-sp.yml | 273 +--
 tools/config/elk-winlogbeat.yml | 273 +--
 tools/config/fireeye-helix.yml | 15 +
 tools/config/generic/windows-services.yml | 15 +
 tools/config/hawk.yml | 1860 ++++++++++---------
 tools/config/logpoint-windows.yml | 269 +--
 tools/config/logstash-windows.yml | 311 ++--
 tools/config/powershell.yml | 353 ++--
 tools/config/splunk-windows.yml | 393 ++--
 tools/config/sumologic.yml | 423 +++--
 tools/config/thor.yml | 919 ++++-----
 tools/config/winlogbeat-modules-enabled.yml | 380 ++--
 tools/config/winlogbeat-old.yml | 425 +++--
 tools/config/winlogbeat.yml | 35 +-
 tools/config/zircolite.yml | 17 +-
 17 files changed, 3367 insertions(+), 3100 deletions(-)

diff --git a/tests/logsource.json b/tests/logsource.json
index ade003d67..47ff26a8d 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -1,76 +1,76 @@ { "title": "Field name by logsource", - "version": "20221231", + "version": "20230113", "legit":{ "windows":{ - "commun": ["EventID","Provider_Name"], + "commun": ["EventID", "Provider_Name"], "empty": [], "category":{ - "process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion", - "Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName", - "ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId", - "ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"], - "file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"], - "network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort", - "DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname", - "SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"], - "sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"], - "process_termination":["Image","ProcessGuid","ProcessId","User"], - "driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"], - "image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid", - "ProcessId","Product","Signature","SignatureStatus","Signed","User"], - "create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress", - "StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"], - "raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"], - "process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId", - "SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"], - "raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"], - 
"file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], - "registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"], - "registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject"], - "registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"], - "registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"], - "registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"], - "create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"], - "pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"], - "wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"], - "dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"], - "file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"], - "clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"], - "process_tampering":["Image","ProcessGuid","ProcessId","Type","User"], - "file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"], - "ps_module":["ContextInfo","UserData","Payload"], - "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"], - "file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"], - "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"], + "process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion", + "Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName", + "ParentCommandLine", "ParentImage", "ParentProcessGuid", 
"ParentProcessId", + "ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User"], + "file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort", + "DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname", + "SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User"], + "sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"], + "process_termination":["Image", "ProcessGuid", "ProcessId", "User"], + "driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"], + "image_load":["Company", "Description", "FileVersion", "Hashes", "Image", "ImageLoaded", "OriginalFileName", "ProcessGuid", + "ProcessId", "Product", "Signature", "SignatureStatus", "Signed", "User"], + "create_remote_thread":["NewThreadId", "SourceImage", "SourceProcessGuid", "SourceProcessId", "SourceUser", "StartAddress", + "StartFunction", "StartModule", "TargetImage", "TargetProcessGuid", "TargetProcessId", "TargetUser"], + "raw_access_thread":["Device", "Image", "ProcessGuid", "ProcessId", "User"], + "process_access":["CallTrace", "GrantedAccess", "SourceImage", "SourceProcessGUID", "SourceProcessId", "SourceThreadId", + "SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"], + "raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], + "registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"], + "registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"], + "registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"], + 
"registry_rename":["EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"], + "registry_event":["Details", "EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"], + "create_stream_hash":["Contents", "CreationUtcTime", "Hash", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "pipe_created":["EventType", "Image", "PipeName", "ProcessGuid", "ProcessId", "User"], + "wmi_event":["Consumer", "Destination", "EventNamespace", "EventType", "Filter", "Name", "Operation", "Query", "Type", "User"], + "dns_query":["Image", "ProcessGuid", "ProcessId", "QueryName", "QueryResults", "QueryStatus", "User"], + "file_delete":["Archived", "Hashes", "Image", "IsExecutable", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "clipboard_capture":["Archived", "ClientInfo", "Hashes", "Image", "ProcessGuid", "ProcessId", "Session", "User"], + "process_tampering":["Image", "ProcessGuid", "ProcessId", "Type", "User"], + "file_block":["Hashes", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "ps_module":["ContextInfo", "UserData", "Payload"], + "ps_script":["MessageNumber", "MessageTotal", "ScriptBlockText", "ScriptBlockId", "Path"], + "file_access":["Irp", "FileObject", "IssuingThreadId", "CreateOptions", "CreateAttributes", "ShareAccess", "FileName"], + "file_rename":["Irp", "FileObject", "FileKey", "ExtraInformation", "IssuingThreadId", "InfoClass", "FilePath"], "ps_classic_start":[], "ps_classic_provider_start":[], "sysmon_error":[] }, "service":{ "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"], - "bits-client":["RemoteName","LocalName","processPath","processId"], - "codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer", - "RequestedPolicy","ValidatedPolicy","Status"], - "diagnosis-scripted": ["PackagePath","PackageId"], - "firewall-as":["Action","ApplicationPath","ModifyingApplication"], - 
"ldap_debug":["ScopeOfSearch","SearchFilter","DistinguishedName","AttributeList","ProcessId"], - "ntlm":["CallerPID","ClientDomainName","ClientLUID","ClientUserName","DomainName","MechanismOID", - "ProcessName","SChannelName","SChannelType","TargetName","UserName","WorkstationName"], - "openssh":["process","payload"], - "security-mitigations":["ProcessPathLength","ProcessPath","ProcessCommandLineLength","ProcessCommandLine", - "ProcessId","ProcessCreateTime","ProcessStartKey","ProcessSignatureLevel", - "ProcessSectionSignatureLevel","ProcessProtection","TargetThreadId","TargetThreadCreateTime", - "RequiredSignatureLevel","SignatureLevel","ImageNameLength","ImageName"], - "shell-core":["Name","AppID","Flags"], - "smbclient-security":["Reason","Status","ShareNameLength","ShareName","ObjectNameLength","ObjectName", - "UserNameLength","UserName","ServerNameLength","ServerName"], - "taskscheduler":["TaskName","UserContext","Path","ProcessID","Priority","UserName"], - "terminalservices-localsessionmanager":["User","SessionID","Address"], - "iis":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method", - "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status", - "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent", - "cs-referer","cs-cookie"], + "bits-client":["RemoteName", "LocalName", "processPath", "processId"], + "codeintegrity-operational":["FileNameLength", "FileNameBuffer", "ProcessNameLength", "ProcessNameBuffer", + "RequestedPolicy", "ValidatedPolicy", "Status"], + "diagnosis-scripted": ["PackagePath", "PackageId"], + "firewall-as":["Action", "ApplicationPath", "ModifyingApplication"], + "ldap_debug":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"], + "ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID", + "ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"], + 
"openssh":["process", "payload"], + "security-mitigations":["ProcessPathLength", "ProcessPath", "ProcessCommandLineLength", "ProcessCommandLine", + "ProcessId", "ProcessCreateTime", "ProcessStartKey", "ProcessSignatureLevel", + "ProcessSectionSignatureLevel", "ProcessProtection", "TargetThreadId", "TargetThreadCreateTime", + "RequiredSignatureLevel", "SignatureLevel", "ImageNameLength", "ImageName"], + "shell-core":["Name", "AppID", "Flags"], + "smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName", + "UserNameLength", "UserName", "ServerNameLength", "ServerName"], + "taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"], + "terminalservices-localsessionmanager":["User", "SessionID", "Address"], + "iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", + "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status", + "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent", + "cs-referer", "cs-cookie"], "application":[], "sysmon":[], "powershell":[], 
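Review bot: `"cs-method"` appears twice in the rewritten `iis` field list (once after `"s-ip"` and again after `"s-port"`); the duplicate is harmless to a membership check but the line is being rewritten anyway, so the second occurrence should be dropped. The same duplicate is carried over into the `webserver` list in the `@@ -142,13 +145,13 @@` hunk.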
@@ -89,44 +89,47 @@ "applocker":[], "vhdmp":[], "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"], - "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"] + "appxpackaging-om":["subjectName"], + "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"], + "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address", ""], + "appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"] } }, "linux":{ "commun": [], "empty": [], "category":{ - "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName", - "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes", - "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"], - "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname", - "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort", + "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", + "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", + "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"], + "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", 
"SourceIp", "SourceHostname", + "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort", "DestinationPortName"], - "process_termination": ["ProcessGuid","ProcessId","Image","User"], - "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"], - "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], - "sysmon_status": ["Configuration","ConfigurationFileHash"], - "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"] + "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"], + "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"], + "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], + "sysmon_status": ["Configuration", "ConfigurationFileHash"], + "file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"] }, "service":{ - "auditd": ["a0","a1","a2","a3","a4","a5","a6","a7","a8","a9", - "acct","acl","action","added","addr","apparmor","arch","argc","audit_backlog_limit","audit_backlog_wait_time", - "audit_enabled","audit_failure","auid","banners","bool","bus","cap_fe,cap_fi","cap_fp","cap_fver","cap_pa","cap_pe","cap_pi", - "cap_pp","capability","category","cgroup","changed","cipher","class","cmd","code","comm","compat","cwd","daddr","data", - "default-context","dev","dev","device","dir","direction","dmac","dport","egid","enforcing","entries","errno","euid","exe", - "exit","fam","family","fd","fe","feature","fi","file","flags","format","fp","fsgid","fsuid","fver","gid","grantors","grp", - "hook","hostname","icmp_type","id","igid","img-ctx","inif","ino","inode","inode_gid","inode_uid","invalid_context","ioctlcmd", - "ip","ipid","ipx-net","item","items","iuid","kernel","key","kind","ksize","laddr","len","list","lport","mac","macproto","maj", - 
"major","minor","mode","model","msg","name","nametype","nargs","net","new","new_gid","new_lock","new_pe","new_pi","new_pp", - "new-chardev","new-disk","new-enabled","new-fs","new-level","new-log_passwd","new-mem","new-net","new-range","new-rng","new-role", - "new-seuser","new-vcpu","nlnk-fam","nlnk-grp","nlnk-pid","oauid","obj","obj_gid","obj_uid","ocomm","oflag","ogid","old","old_enforcing", - "old_lock","old_pa","old_pe","old_pi","old_pp","old_prom","old_val","old-auid","old-chardev","old-disk","old-enabled","old-fs", - "old-level","old-log_passwd","old-mem","old-net","old-range","old-rng","old-role","old-ses","old-seuser","old-vcpu","op","opid", - "oses","ouid","outif","pa","parent","path","pe","per","perm","perm_mask","permissive","pfs","pi","pid","pp","ppid","printer", - "proctitle","prom","proto","qbytes","range","rdev","reason","removed","res","resrc","result","role","rport","saddr","sauid", - "scontext","selected-context","seperm","seperms","seqno","seresult","ses","seuser","sgid","sig","sigev_signo","smac","spid", - "sport","state","subj","success","suid","syscall","table","tclass","tcontext","terminal","tty","type","uid","unit","uri","user", - "uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"], + "auditd": ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", + "acct", "acl", "action", "added", "addr", "apparmor", "arch", "argc", "audit_backlog_limit", "audit_backlog_wait_time", + "audit_enabled", "audit_failure", "auid", "banners", "bool", "bus", "cap_fe,cap_fi", "cap_fp", "cap_fver", "cap_pa", "cap_pe", "cap_pi", + "cap_pp", "capability", "category", "cgroup", "changed", "cipher", "class", "cmd", "code", "comm", "compat", "cwd", "daddr", "data", + "default-context", "dev", "dev", "device", "dir", "direction", "dmac", "dport", "egid", "enforcing", "entries", "errno", "euid", "exe", + "exit", "fam", "family", "fd", "fe", "feature", "fi", "file", "flags", "format", "fp", "fsgid", "fsuid", "fver", "gid", "grantors", "grp", + "hook", 
"hostname", "icmp_type", "id", "igid", "img-ctx", "inif", "ino", "inode", "inode_gid", "inode_uid", "invalid_context", "ioctlcmd", + "ip", "ipid", "ipx-net", "item", "items", "iuid", "kernel", "key", "kind", "ksize", "laddr", "len", "list", "lport", "mac", "macproto", "maj", + "major", "minor", "mode", "model", "msg", "name", "nametype", "nargs", "net", "new", "new_gid", "new_lock", "new_pe", "new_pi", "new_pp", + "new-chardev", "new-disk", "new-enabled", "new-fs", "new-level", "new-log_passwd", "new-mem", "new-net", "new-range", "new-rng", "new-role", + "new-seuser", "new-vcpu", "nlnk-fam", "nlnk-grp", "nlnk-pid", "oauid", "obj", "obj_gid", "obj_uid", "ocomm", "oflag", "ogid", "old", "old_enforcing", + "old_lock", "old_pa", "old_pe", "old_pi", "old_pp", "old_prom", "old_val", "old-auid", "old-chardev", "old-disk", "old-enabled", "old-fs", + "old-level", "old-log_passwd", "old-mem", "old-net", "old-range", "old-rng", "old-role", "old-ses", "old-seuser", "old-vcpu", "op", "opid", + "oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer", + "proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid", + "scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid", + "sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user", + "uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"], "vsftpd":[], "sshd":[], "syslog":[], 
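Review bot: The new `dns-client` field list ends with an empty string (`"Address", ""]`), which looks like a leftover and would make an empty field name count as a known field for that service; the trailing `""` should be removed. The rewritten `auditd` list in the same hunk also still carries `"cap_fe,cap_fi"` as one string where two names (`"cap_fe", "cap_fi"`) were presumably intended, and `"dev"` and `"val"` each appear twice; since every one of those lines is touched by this commit, it is the natural place to fix them.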
@@ -142,13 +145,13 @@ "commun": [], "empty": ["not_found"], "category":{ - "proxy":["c-uri","c-uri-extension","c-uri-query","c-uri-stem","c-useragent","cs-bytes","cs-cookie", - "cs-host","cs-method","r-dns","cs-referrer","cs-version","sc-bytes","sc-status","src_ip","dst_ip", + "proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie", + "cs-host", "cs-method", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip", "cs-uri"], - "webserver":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method", - "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status", - "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent", - "cs-referer","cs-cookie"], + "webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", + "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status", + "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent", + "cs-referer", "cs-cookie"], "antivirus":[], "database":[], "dns":[], 
@@ -330,17 +333,17 @@ "commun": [], "empty": [], "category":{ - "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName", - "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes", - "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"], - "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname", - "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort", + "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", + "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", + "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"], + "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname", + "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort", "DestinationPortName"], - "process_termination": ["ProcessGuid","ProcessId","Image","User"], - "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"], - "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], - "sysmon_status": ["Configuration","ConfigurationFileHash"], - "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"] + "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"], + "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"], + "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], + "sysmon_status": ["Configuration", "ConfigurationFileHash"], + "file_delete": 
["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"] }, "service":{ } @@ -350,16 +353,16 @@ "windows":{ "category":{ "process_creation": ["GrandparentCommandLine"], - "network_connection": ["CommandLine","ParentImage"], - "create_remote_thread": ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage", - "SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine", - "IsInitialThread","RemoteCreation"], - "file_delete": ["CommandLine","ParentImage","ParentCommandLine"], - "file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"], + "network_connection": ["CommandLine", "ParentImage"], + "create_remote_thread": ["User", "SourceCommandLine", "SourceParentProcessId", "SourceParentImage", + "SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine", + "IsInitialThread", "RemoteCreation"], + "file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"], + "file_event": ["CommandLine", "ParentImage", "ParentCommandLine", "MagicHeader"], "image_load": ["CommandLine"], - "process_access": ["SourceCommandLine","CallTraceExtended"], - "file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"], - "file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"] + "process_access": ["SourceCommandLine", "CallTraceExtended"], + "file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"], + "file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"] }, "service":{} } diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index f087a54a4..e178e5baa 100644 --- a/tools/config/elk-windows.yml 
+++ b/tools/config/elk-windows.yml 
@@ -1,132 +1,147 @@ title: ELK Windows Indices and Mappings logsources: - windows: - product: windows - index: logstash-windows-* - windows-application: - product: windows - service: application - conditions: - EventLog: Application - windows-security: - product: windows - service: security - conditions: - EventLog: Security - windows-sysmon: - product: windows - service: sysmon - conditions: - EventLog: Microsoft-Windows-Sysmon - windows-dns-server: - product: windows - service: dns-server - conditions: - EventLog: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - EventLog: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - EventLog: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - EventLog: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - EventLog: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - EventLog: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - EventLog: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - EventLog: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: 
smbclient-security - conditions: - EventLog: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - EventLog: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - EventLog: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - EventLog: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - EventLog: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - EventLog: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - EventLog: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - EventLog: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - EventLog: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: logstash-windows-* + windows-application: + product: windows + service: application + conditions: + EventLog: Application + windows-security: + product: windows + service: security + conditions: + EventLog: Security + windows-sysmon: + product: windows + service: sysmon + 
conditions: + EventLog: Microsoft-Windows-Sysmon + windows-dns-server: + product: windows + service: dns-server + conditions: + EventLog: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + EventLog: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + EventLog: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + EventLog: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + EventLog: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + EventLog: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + EventLog: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + EventLog: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + EventLog: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + EventLog: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + EventLog: 
'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + EventLog: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + EventLog: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + EventLog: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + EventLog: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + EventLog: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + EventLog: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + EventLog: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + EventLog: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + EventLog: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: logstash-* diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index 422fbd79b..c5adcb9b0 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml 
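Review bot: Quoting in the re-indented `conditions` blocks is inconsistent: `EventLog: Application`, `EventLog: Security` and `EventLog: Microsoft-Windows-Sysmon` are plain scalars while every other `EventLog` value, including the three new `appxpackaging-om`, `dns-client` and `appmodel-runtime` entries, is single-quoted. Since the whole block is rewritten here, quoting those three as well (`EventLog: 'Application'` etc.) would make the file uniform and avoids surprises if a future channel name contains characters YAML treats specially.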
@@ -1,134 +1,149 @@ title: ELK Ingested with Winlogbeat logsources: - windows: - product: windows - index: - windows-application: - product: windows - service: application - conditions: - log_name: Application - windows-security: - product: windows - service: security - conditions: - log_name: Security - windows-sysmon: - product: windows - service: sysmon - conditions: - log_name: 'Microsoft-Windows-Sysmon/Operational' - windows-dns-server: - product: windows - service: dns-server - conditions: - log_name: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - log_name: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - log_name: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - log_name: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - log_name: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - log_name: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - log_name: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: 
smbclient-security - conditions: - log_name: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - log_name: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - log_name: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - log_name: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - log_name: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - log_name: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - log_name: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - log_name: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - log_name: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: + windows-application: + product: windows + service: application + conditions: + log_name: Application + windows-security: + product: windows + service: security + conditions: + log_name: Security + windows-sysmon: + product: windows + service: sysmon + conditions: + log_name: 
'Microsoft-Windows-Sysmon/Operational'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ conditions:
+ log_name: 'DNS Server'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ log_name: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ log_name:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ log_name: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ log_name: 'Microsoft-Windows-PrintService/Admin'
+ windows-printservice-operational:
+ product: windows
+ service: printservice-operational
+ conditions:
+ log_name: 'Microsoft-Windows-PrintService/Operational'
+ windows-terminalservices-localsessionmanager-operational:
+ product: windows
+ service: terminalservices-localsessionmanager
+ conditions:
+ log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ log_name: 'Microsoft-Windows-SmbClient/Security'
+ windows-firewall-advanced-security:
+ product: windows
+ service: firewall-as
+ conditions:
+ log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+ windows-bits-client:
+ product: windows
+ service: bits-client
+ conditions:
+ log_name: 'Microsoft-Windows-Bits-Client/Operational'
+ windows-security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ log_name:
+ - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ log_name: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ log_name: 'OpenSSH/Operational'
+ windows-ldap-debug:
+ product: windows
+ service: ldap_debug
+ conditions:
+ log_name: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ log_name: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
+ windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ log_name: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ log_name: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ log_name: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ log_name: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
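Review bot: The `index:` key under the top-level `windows` logsource on the new side of this hunk is still written with no value, which YAML parses as null rather than as an empty index pattern; the sibling `elk-winlogbeat.yml` sets `index: winlogbeat-*`, so a reader cannot tell whether this is a deliberate "no index restriction" or a value that was lost. If it is deliberate, make that explicit so the re-indented file documents it, e.g. `index: null  # intentionally unrestricted: queries are not scoped to an index pattern`, or drop the key entirely. How the converter treats a null `index` cannot be confirmed from this diff, so it is worth checking that null and "absent" are handled the same way.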
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index de0288a21..c7ece3026 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -1,134 +1,149 @@ title: ELK Ingested with Winlogbeat logsources: - windows: - product: windows - index: winlogbeat-* - windows-application: - product: windows - service: application - conditions: - log_name: Application - windows-security: - product: windows - service: security - conditions: - log_name: Security - windows-sysmon: - product: windows - service: sysmon - conditions: - log_name: 'Microsoft-Windows-Sysmon/Operational' - windows-dns-server: - product: windows - service: dns-server - conditions: - log_name: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - log_name: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - log_name: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - log_name: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - log_name: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - log_name: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - log_name: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: 
smbclient-security - conditions: - log_name: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - logname: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - logname: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - logname: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - logname: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - logname: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - logname: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - logname: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - logname: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - logname: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + log_name: Application + windows-security: + product: windows + service: security + conditions: + log_name: Security + windows-sysmon: + product: windows + service: sysmon + conditions: + 
log_name: 'Microsoft-Windows-Sysmon/Operational'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ conditions:
+ log_name: 'DNS Server'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ log_name: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ log_name:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ log_name: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ log_name: 'Microsoft-Windows-PrintService/Admin'
+ windows-printservice-operational:
+ product: windows
+ service: printservice-operational
+ conditions:
+ log_name: 'Microsoft-Windows-PrintService/Operational'
+ windows-terminalservices-localsessionmanager-operational:
+ product: windows
+ service: terminalservices-localsessionmanager
+ conditions:
+ log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ log_name: 'Microsoft-Windows-SmbClient/Security'
+ windows-firewall-advanced-security:
+ product: windows
+ service: firewall-as
+ conditions:
+ log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+ windows-bits-client:
+ product: windows
+ service: bits-client
+ conditions:
+ logname: 'Microsoft-Windows-Bits-Client/Operational'
+ windows-security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ logname:
+ - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ logname: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ logname: 'OpenSSH/Operational'
+ windows-ldap-debug:
+ product: windows
+ service: ldap_debug
+ conditions:
+ logname: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ logname: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ logname: 'Microsoft-Windows-AppXDeploymentServer/Operational'
+ windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ logname: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ logname: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ logname: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ logname: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
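Review bot: The three logsources added at the end of this hunk (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) key their condition on `logname:`, while the entries from `windows-application` through `windows-firewall-advanced-security` in the same file, and every entry in the sibling `elk-winlogbeat-sp.yml`, use `log_name:`. The re-indent carries the older `logname:` entries (`windows-bits-client` onward) forward unchanged and the new entries copy that spelling, so rules for these services would be converted into a filter on a field name that differs from the rest of the file; if the indexed field is `log_name`, those rules would silently match nothing rather than fail. Suggest `log_name:` for the three new entries, e.g. `log_name: 'Microsoft-Windows-AppxPackaging/Operational'`, and fixing the earlier `logname:` entries in the same pass so the file uses a single field name. Which field name winlogbeat actually emits for a given deployment cannot be confirmed from this diff, so check against an indexed event before choosing.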
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 452a8cb1e..fbb3b0f5c 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -157,6 +157,21 @@ logsources:
service: lsa-server
conditions:
channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
linux:
product: linux
index: posix
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
index 19f3d92f7..b8c2b13b7 100644
--- a/tools/config/generic/windows-services.yml
+++ b/tools/config/generic/windows-services.yml
@@ -208,3 +208,18 @@ logsources:
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ Channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ Channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index a33ae0ed6..441ac65d7 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -1,928 +1,942 @@ title: HAWK order: 20 backends: - - hawk + - hawk logsources: - antivirus: - category: antivirus - conditions: - vendor_type: 'Antivirus' - apache: - service: apache - conditions: - product_name: - - 'apache*' - - 'httpd*' - webserver: - category: webserver - conditions: - vendor_type: 'Webserver' - cisco: - product: cisco - conditions: - vendor_name: 'Cisco' - django: - product: django - conditions: - vendor_name: 'Django' - okta: - service: okta - conditions: - vendor_name: "Okta" - product_name: "Identity and Access Management" - onedrive: - service: onedrive - conditions: - vendor_name: "Microsoft" - product_name: "Onedrive" - onelogin-events: - service: onelogin.events - conditions: - vendor_name: "Microsoft" - product_name: "Onelogin" - microsoft365: - product: m365 - service: threat_management - conditions: - vendor_name: "Microsoft" - product_name: "365" - m365: - product: m365 - service: threat_management - conditions: - vendor_name: "Microsoft" - product_name: "365" - google-workspace: - service: google_workspace.admin - conditions: - vendor_name: "Google" - product_name: "Workspace" - guacamole: - service: guacamole - product_name: "Guacamole" - conditions: - vendor_name: "Guacamole" - google-cloud: - service: gcp.audit - conditions: - vendor_name: "Google" - product_name: "Cloud" - sshd: - service: sshd - conditions: - process_name: "sshd*" - syslog: - service: syslog - conditions: - process_name: "syslog*" - spring: - category: application - product: spring - conditions: - vendor_name: "Spring" - linux-audit: - product: linux - service: auditd - conditions: - vendor_name: "Linux" - product_name: "Audit" - modsecurity: - service: modsecurity - conditions: - process_name: "modsec*" - msexchange-management: - service: msexchange-management - conditions: - product_name: "MSExchange Management" - windows: - product: windows - index: windows - conditions: - vendor_name: "Microsoft" - windows-stream-hash: - product: windows - category: 
create_stream_hash - conditions: - product_name: "Sysmon" - vendor_id: "15" - windows-create-remote-thread: - product: windows - category: create_remote_thread - conditions: - product_name: "Sysmon" - vendor_id: "8" - windows-process-access: - product: windows - category: process_access - conditions: - product_name: "Sysmon" - vendor_id: "10" - windows-process-creation: - product: windows - category: process_creation - conditions: - product_name: "Sysmon" - vendor_id: "1" - windows-bits-client: - product: windows - service: bits-client - conditions: - event_channel: "Microsoft-Windows-Bits-Client/Operational" - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - event_channel: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - event_channel: 'Microsoft-Windows-LSA/Operational' - windows-network-connection: - product: windows - category: network_connection - conditions: - product_name: "Sysmon" - vendor_id: "3" - windows-sysmon-status: - product: windows - category: sysmon_status - conditions: - product_name: "Sysmon" - vendor_id: - - 4 - - 5 - windows-sysmon-error: - product: windows - category: sysmon_error - conditions: - product_name: "Sysmon" - vendor_id: "255" - windows-raw-access-thread: - product: windows - category: raw_access_thread - conditions: - product_name: "Sysmon" - vendor_id: 9 - windows-file-create: - product: windows - category: file_create - conditions: - product_name: "Sysmon" - vendor_id: "11" - windows-file-event: - product: windows - category: file_event - conditions: - product_name: "Sysmon" - vendor_id: "11" - windows-file-change: - product: windows - category: file_change - conditions: - product_name: "Sysmon" - vendor_id: "2" - windows-pipe-created: - product: windows - category: 
pipe_created - conditions: - product_name: "Sysmon" - vendor_id: - - 17 - - 18 - windows-dns-query: - product: windows - category: dns_query - conditions: - product_name: "Sysmon" - vendor_id: "22" - windows-file-delete: - product: windows - category: file_delete - conditions: - product_name: "Sysmon" - vendor_id: "23" - windows-kernel-file-rename: - product: windows - category: file_rename - conditions: - product_name: "Kernel-File" - windows-kernel-file-access: - product: windows - category: file_access - conditions: - product_name: "Kernel-File" - windows-wmi-sysmon: - product: windows - category: wmi_event - conditions: - product_name: "Sysmon" - vendor_id: - - 19 - - 20 - - 21 - windows-ldap-debug: - product: windows - category: ldap_debug - conditions: - event_channel: "Microsoft-Windows-LDAP-Client/Debug" - windows-driver-load: - product: windows - category: driver_load - conditions: - product_name: "Sysmon" - vendor_id: "6" - windows-image-load: - product: windows - category: image_load - conditions: - product_name: "Sysmon" - vendor_id: "7" - clamav: - service: clamav - conditions: - process_name: "clamav*" - aws-cloudtrail: - service: cloudtrail - conditions: - vendor_name: "AWS CloudTrail" - zeek: - product: zeek - conditions: - vendor_name: "Zeek" - vendor_type: "IDS" - firewall: - category: firewall - conditions: - vendor_type: - - "Firewall" - - "Router" - - "WAP" - zeek-category-dns: - category: dns - rewrite: - product: zeek - service: dns - zeek-category-proxy: - category: proxy - rewrite: - product: zeek - service: http - zeek-conn: - product: zeek - service: conn - conditions: - hawk_source: "conn.log" - zeek-conn_long: - product: zeek - service: conn_long - conditions: - hawk_source: "conn_long.log" - zeek-dce_rpc: - product: zeek - service: dce_rpc - conditions: - hawk_source: "dce_rpc.log" - zeek-dns: - product: zeek - service: dns - conditions: - hawk_source: "dns.log" - zeek-dnp3: - product: zeek - service: dnp3 - conditions: - hawk_source: 
"dnp3.log" - zeek-dpd: - product: zeek - service: dpd - conditions: - hawk_source: "dpd.log" - zeek-files: - product: zeek - service: files - conditions: - hawk_source: "files.log" - zeek-ftp: - product: zeek - service: ftp - conditions: - hawk_source: "ftp.log" - zeek-gquic: - product: zeek - service: gquic - conditions: - hawk_source: "gquic.log" - zeek-http: - product: zeek - service: http - conditions: - hawk_source: "http.log" - zeek-http2: - product: zeek - service: http2 - conditions: - hawk_source: "http2.log" - zeek-intel: - product: zeek - service: intel - conditions: - hawk_source: "intel.log" - zeek-irc: - product: zeek - service: irc - conditions: - hawk_source: "irc.log" - zeek-kerberos: - product: zeek - service: kerberos - conditions: - hawk_source: "kerberos.log" - zeek-known_certs: - product: zeek - service: known_certs - conditions: - hawk_source: "known_certs.log" - zeek-known_hosts: - product: zeek - service: known_hosts - conditions: - hawk_source: "known_hosts.log" - zeek-known_modbus: - product: zeek - service: known_modbus - conditions: - hawk_source: "known_modbus.log" - zeek-known_services: - product: zeek - service: known_services - conditions: - hawk_source: "known_services.log" - zeek-modbus: - product: zeek - service: modbus - conditions: - hawk_source: "modbus.log" - zeek-modbus_register_change: - product: zeek - service: modbus_register_change - conditions: - hawk_source: "modbus_register_change.log" - zeek-mqtt_connect: - product: zeek - service: mqtt_connect - conditions: - hawk_source: "mqtt_connect.log" - zeek-mqtt_publish: - product: zeek - service: mqtt_publish - conditions: - hawk_source: "mqtt_publish.log" - zeek-mqtt_subscribe: - product: zeek - service: mqtt_subscribe - conditions: - hawk_source: "mqtt_subscribe.log" - zeek-mysql: - product: zeek - service: mysql - conditions: - hawk_source: "mysql.log" - zeek-notice: - product: zeek - service: notice - conditions: - hawk_source: "notice.log" - zeek-ntlm: - product: zeek - 
service: ntlm - conditions: - hawk_source: "ntlm.log" - zeek-ntp: - product: zeek - service: ntp - conditions: - hawk_source: "ntp.log" - zeek-ocsp: - product: zeek - service: ntp - conditions: - hawk_source: "ocsp.log" - zeek-pe: - product: zeek - service: pe - conditions: - hawk_source: "pe.log" - zeek-pop3: - product: zeek - service: pop3 - conditions: - hawk_source: "pop3.log" - zeek-radius: - product: zeek - service: radius - conditions: - hawk_source: "radius.log" - zeek-rdp: - product: zeek - service: rdp - conditions: - hawk_source: "rdp.log" - zeek-rfb: - product: zeek - service: rfb - conditions: - hawk_source: "rfb.log" - zeek-sip: - product: zeek - service: sip - conditions: - hawk_source: "sip.log" - zeek-smb_files: - product: zeek - service: smb_files - conditions: - hawk_source: "smb_files.log" - zeek-smb_mapping: - product: zeek - service: smb_mapping - conditions: - hawk_source: "smb_mapping.log" - zeek-smtp: - product: zeek - service: smtp - conditions: - hawk_source: "smtp.log" - zeek-smtp_links: - product: zeek - service: smtp_links - conditions: - hawk_source: "smtp_links.log" - zeek-snmp: - product: zeek - service: snmp - conditions: - hawk_source: "snmp.log" - zeek-socks: - product: zeek - service: socks - conditions: - hawk_source: "socks.log" - zeek-software: - product: zeek - service: software - conditions: - hawk_source: "software.log" - zeek-ssh: - product: zeek - service: ssh - conditions: - hawk_source: "ssh.log" - zeek-ssl: - product: zeek - service: ssl - conditions: - hawk_source: "tls.log" - zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that - product: zeek - service: tls - conditions: - hawk_source: "tls.log" - zeek-syslog: - product: zeek - service: syslog - conditions: - hawk_source: "syslog.log" - zeek-tunnel: - product: zeek - service: tunnel - conditions: - hawk_source: "tunnel.log" - zeek-traceroute: - product: zeek - service: traceroute - 
conditions: - hawk_source: "traceroute.log" - zeek-weird: - product: zeek - service: weird - conditions: - hawk_source: "weird.log" - zeek-x509: - product: zeek - service: x509 - conditions: - hawk_source: "x509.log" - zeek-ip_search: - product: zeek - service: network - conditions: - hawk_source: - - "conn.log" - - "conn_long.log" - - "dce_rpc.log" - - "dhcp.log" - - "dnp3.log" - - "dns.log" - - "ftp.log" - - "gquic.log" - - "http.log" - - "irc.log" - - "kerberos.log" - - "modbus.log" - - "mqtt_connect.log" - - "mqtt_publish.log" - - "mqtt_subscribe.log" - - "mysql.log" - - "ntlm.log" - - "ntp.log" - - "radius.log" - - "rfb.log" - - "sip.log" - - "smb_files.log" - - "smb_mapping.log" - - "smtp.log" - - "smtp_links.log" - - "snmp.log" - - "socks.log" - - "ssh.log" - - "tls.log" #SSL - - "tunnel.log" - - "weird.log" - azure-signin: - product: azure - service: signinlogs - conditions: - vendor_name: "Microsoft" - product_name: "Azure" - product_source: "signInAudits" - azure-auditlogs: - product: azure - service: auditlogs - conditions: - vendor_name: "Microsoft" - product_name: "Azure" - product_source: "directoryAudits" - azure-activitylogs: - product: azure - service: activitylogs - conditions: - vendor_name: "Microsoft" - product_name: "Azure" - azure-activity: - product: azure - service: azureactivity - conditions: - vendor_name: "Microsoft" - product_name: "Azure" - microsoft-servicebus-client: - product: windows - service: microsoft-servicebus-client - conditions: - event_channel: 'Microsoft-ServiceBus-Client' - windows-application: - product: windows - service: application - conditions: - event_channel: 'Application' - windows-security: - product: windows - service: security - conditions: - event_channel: 'Security' - windows-system: - product: windows - service: system - conditions: - event_channel: 'System' - windows-sysmon: - product: windows - service: sysmon - conditions: - product_name: 'Sysmon' - windows-powershell: - product: windows - service: 
powershell - conditions: - product_name: 'PowerShell' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - product_name: 'Windows PowerShell' - windows-taskscheduler: - product: windows - service: taskscheduler - conditions: - product_name: 'TaskScheduler' - windows-wmi: - product: windows - service: wmi - conditions: - product_name: 'WMI-Activity' - windows-dns-server: - product: windows - service: dns-server - conditions: - product_name: 'DNS Server' - windows-dns-server-audit: - product: windows - service: dns-server-audit - conditions: - product_name: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - product_name: 'DriverFrameworks-UserMode' - windows-ntlm: - product: windows - service: ntlm - conditions: - product_name: 'NTLM' - windows-dhcp: - product: windows - service: dhcp - conditions: - product_name: 'DHCP-Server' - windows-defender: - product: windows - service: windefend - conditions: - product_name: 'Windows Defender' - windows-applocker: - product: windows - service: applocker - conditions: - product_name: - - 'AppLocker' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - product_name: 'Windows Firewall With Advanced Security' - windows-ps-module: - product: windows - category: ps_module - conditions: - product_name: 'PowerShell' - vendor_id: 4103 - windows-ps-script: - product: windows - category: ps_script - conditions: - product_name: 'PowerShell' - vendor_id: 4104 - windows-ps-classic-start: - product: windows - category: ps_classic_start - conditions: - EventID: 400 - product_name: 'Windows PowerShell' - windows-ps-classic-provider: - product: windows - category: ps_classic_provider_start - conditions: - vendor_id: 600 - product_name: 'Windows PowerShell' - windows-ps-classic-script: - product: windows - category: ps_classic_script - conditions: - vendor_id: 800 - product_name: 'Windows PowerShell' - 
windows-service-bus: - service: Microsoft-ServiceBus-Client - conditions: - product_name: "Microsoft-ServiceBus-Client" - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - product_name: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - product_name: 'PrintService' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - product_name: 'PrintService' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - product_name: 'TerminalServices-LocalSessionManager' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - product_name: 'CodeIntegrity' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - product_name: 'SmbClient' - windows-registry: - product: windows - category: registry_event - conditions: - product_name: "Sysmon" - vendor_id: - - 12 - - 13 - - 14 - windows-registry-add: - product: windows - category: registry_add - conditions: - product_name: "Sysmon" - vendor_id: 12 - windows-registry-delete: - product: windows - category: registry_delete - conditions: - product_name: "Sysmon" - vendor_id: 12 - windows-registry-set: - product: windows - category: registry_set - conditions: - product_name: "Sysmon" - vendor_id: 13 - windows-registry-rename: - product: windows - category: registry_rename - conditions: - product_name: "Sysmon" - vendor_id: 14 - windows-file-block-executable: - product: windows - category: file_block - conditions: - product_name: "Sysmon" - vendor_id: 27 - #dns: - # category: dns - # conditions: - qflow: - product: qflow - netflow: - service: netflow - ipfix: - product: ipfix - flow: - product: flow + antivirus: + category: antivirus + conditions: + vendor_type: 'Antivirus' + apache: + service: apache 
+ conditions: + product_name: + - 'apache*' + - 'httpd*' + webserver: + category: webserver + conditions: + vendor_type: 'Webserver' + cisco: + product: cisco + conditions: + vendor_name: 'Cisco' + django: + product: django + conditions: + vendor_name: 'Django' + okta: + service: okta + conditions: + vendor_name: "Okta" + product_name: "Identity and Access Management" + onedrive: + service: onedrive + conditions: + vendor_name: "Microsoft" + product_name: "Onedrive" + onelogin-events: + service: onelogin.events + conditions: + vendor_name: "Microsoft" + product_name: "Onelogin" + microsoft365: + product: m365 + service: threat_management + conditions: + vendor_name: "Microsoft" + product_name: "365" + m365: + product: m365 + service: threat_management + conditions: + vendor_name: "Microsoft" + product_name: "365" + google-workspace: + service: google_workspace.admin + conditions: + vendor_name: "Google" + product_name: "Workspace" + guacamole: + service: guacamole + product_name: "Guacamole" + conditions: + vendor_name: "Guacamole" + google-cloud: + service: gcp.audit + conditions: + vendor_name: "Google" + product_name: "Cloud" + sshd: + service: sshd + conditions: + process_name: "sshd*" + syslog: + service: syslog + conditions: + process_name: "syslog*" + spring: + category: application + product: spring + conditions: + vendor_name: "Spring" + linux-audit: + product: linux + service: auditd + conditions: + vendor_name: "Linux" + product_name: "Audit" + modsecurity: + service: modsecurity + conditions: + process_name: "modsec*" + msexchange-management: + service: msexchange-management + conditions: + product_name: "MSExchange Management" + windows: + product: windows + index: windows + conditions: + vendor_name: "Microsoft" + windows-stream-hash: + product: windows + category: create_stream_hash + conditions: + product_name: "Sysmon" + vendor_id: "15" + windows-create-remote-thread: + product: windows + category: create_remote_thread + conditions: + product_name: 
"Sysmon" + vendor_id: "8" + windows-process-access: + product: windows + category: process_access + conditions: + product_name: "Sysmon" + vendor_id: "10" + windows-process-creation: + product: windows + category: process_creation + conditions: + product_name: "Sysmon" + vendor_id: "1" + windows-bits-client: + product: windows + service: bits-client + conditions: + event_channel: "Microsoft-Windows-Bits-Client/Operational" + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + event_channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + event_channel: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + event_channel: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + event_channel: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + event_channel: 'Microsoft-Windows-AppModel-Runtime/Admin' + windows-network-connection: + product: windows + category: network_connection + conditions: + product_name: "Sysmon" + vendor_id: "3" + windows-sysmon-status: + product: windows + category: sysmon_status + conditions: + product_name: "Sysmon" + vendor_id: + - 4 + - 5 + windows-sysmon-error: + product: windows + category: sysmon_error + conditions: + product_name: "Sysmon" + vendor_id: "255" + windows-raw-access-thread: + product: windows + category: raw_access_thread + conditions: + product_name: "Sysmon" + vendor_id: 9 + windows-file-create: + product: windows + category: file_create + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-file-event: + product: windows + 
category: file_event + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-file-change: + product: windows + category: file_change + conditions: + product_name: "Sysmon" + vendor_id: "2" + windows-pipe-created: + product: windows + category: pipe_created + conditions: + product_name: "Sysmon" + vendor_id: + - 17 + - 18 + windows-dns-query: + product: windows + category: dns_query + conditions: + product_name: "Sysmon" + vendor_id: "22" + windows-file-delete: + product: windows + category: file_delete + conditions: + product_name: "Sysmon" + vendor_id: "23" + windows-kernel-file-rename: + product: windows + category: file_rename + conditions: + product_name: "Kernel-File" + windows-kernel-file-access: + product: windows + category: file_access + conditions: + product_name: "Kernel-File" + windows-wmi-sysmon: + product: windows + category: wmi_event + conditions: + product_name: "Sysmon" + vendor_id: + - 19 + - 20 + - 21 + windows-ldap-debug: + product: windows + category: ldap_debug + conditions: + event_channel: "Microsoft-Windows-LDAP-Client/Debug" + windows-driver-load: + product: windows + category: driver_load + conditions: + product_name: "Sysmon" + vendor_id: "6" + windows-image-load: + product: windows + category: image_load + conditions: + product_name: "Sysmon" + vendor_id: "7" + clamav: + service: clamav + conditions: + process_name: "clamav*" + aws-cloudtrail: + service: cloudtrail + conditions: + vendor_name: "AWS CloudTrail" + zeek: + product: zeek + conditions: + vendor_name: "Zeek" + vendor_type: "IDS" + firewall: + category: firewall + conditions: + vendor_type: + - "Firewall" + - "Router" + - "WAP" + zeek-category-dns: + category: dns + rewrite: + product: zeek + service: dns + zeek-category-proxy: + category: proxy + rewrite: + product: zeek + service: http + zeek-conn: + product: zeek + service: conn + conditions: + hawk_source: "conn.log" + zeek-conn_long: + product: zeek + service: conn_long + conditions: + hawk_source: 
"conn_long.log" + zeek-dce_rpc: + product: zeek + service: dce_rpc + conditions: + hawk_source: "dce_rpc.log" + zeek-dns: + product: zeek + service: dns + conditions: + hawk_source: "dns.log" + zeek-dnp3: + product: zeek + service: dnp3 + conditions: + hawk_source: "dnp3.log" + zeek-dpd: + product: zeek + service: dpd + conditions: + hawk_source: "dpd.log" + zeek-files: + product: zeek + service: files + conditions: + hawk_source: "files.log" + zeek-ftp: + product: zeek + service: ftp + conditions: + hawk_source: "ftp.log" + zeek-gquic: + product: zeek + service: gquic + conditions: + hawk_source: "gquic.log" + zeek-http: + product: zeek + service: http + conditions: + hawk_source: "http.log" + zeek-http2: + product: zeek + service: http2 + conditions: + hawk_source: "http2.log" + zeek-intel: + product: zeek + service: intel + conditions: + hawk_source: "intel.log" + zeek-irc: + product: zeek + service: irc + conditions: + hawk_source: "irc.log" + zeek-kerberos: + product: zeek + service: kerberos + conditions: + hawk_source: "kerberos.log" + zeek-known_certs: + product: zeek + service: known_certs + conditions: + hawk_source: "known_certs.log" + zeek-known_hosts: + product: zeek + service: known_hosts + conditions: + hawk_source: "known_hosts.log" + zeek-known_modbus: + product: zeek + service: known_modbus + conditions: + hawk_source: "known_modbus.log" + zeek-known_services: + product: zeek + service: known_services + conditions: + hawk_source: "known_services.log" + zeek-modbus: + product: zeek + service: modbus + conditions: + hawk_source: "modbus.log" + zeek-modbus_register_change: + product: zeek + service: modbus_register_change + conditions: + hawk_source: "modbus_register_change.log" + zeek-mqtt_connect: + product: zeek + service: mqtt_connect + conditions: + hawk_source: "mqtt_connect.log" + zeek-mqtt_publish: + product: zeek + service: mqtt_publish + conditions: + hawk_source: "mqtt_publish.log" + zeek-mqtt_subscribe: + product: zeek + service: 
mqtt_subscribe + conditions: + hawk_source: "mqtt_subscribe.log" + zeek-mysql: + product: zeek + service: mysql + conditions: + hawk_source: "mysql.log" + zeek-notice: + product: zeek + service: notice + conditions: + hawk_source: "notice.log" + zeek-ntlm: + product: zeek + service: ntlm + conditions: + hawk_source: "ntlm.log" + zeek-ntp: + product: zeek + service: ntp + conditions: + hawk_source: "ntp.log" + zeek-ocsp: + product: zeek + service: ntp + conditions: + hawk_source: "ocsp.log" + zeek-pe: + product: zeek + service: pe + conditions: + hawk_source: "pe.log" + zeek-pop3: + product: zeek + service: pop3 + conditions: + hawk_source: "pop3.log" + zeek-radius: + product: zeek + service: radius + conditions: + hawk_source: "radius.log" + zeek-rdp: + product: zeek + service: rdp + conditions: + hawk_source: "rdp.log" + zeek-rfb: + product: zeek + service: rfb + conditions: + hawk_source: "rfb.log" + zeek-sip: + product: zeek + service: sip + conditions: + hawk_source: "sip.log" + zeek-smb_files: + product: zeek + service: smb_files + conditions: + hawk_source: "smb_files.log" + zeek-smb_mapping: + product: zeek + service: smb_mapping + conditions: + hawk_source: "smb_mapping.log" + zeek-smtp: + product: zeek + service: smtp + conditions: + hawk_source: "smtp.log" + zeek-smtp_links: + product: zeek + service: smtp_links + conditions: + hawk_source: "smtp_links.log" + zeek-snmp: + product: zeek + service: snmp + conditions: + hawk_source: "snmp.log" + zeek-socks: + product: zeek + service: socks + conditions: + hawk_source: "socks.log" + zeek-software: + product: zeek + service: software + conditions: + hawk_source: "software.log" + zeek-ssh: + product: zeek + service: ssh + conditions: + hawk_source: "ssh.log" + zeek-ssl: + product: zeek + service: ssl + conditions: + hawk_source: "tls.log" + zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that + product: zeek + service: tls + 
conditions: + hawk_source: "tls.log" + zeek-syslog: + product: zeek + service: syslog + conditions: + hawk_source: "syslog.log" + zeek-tunnel: + product: zeek + service: tunnel + conditions: + hawk_source: "tunnel.log" + zeek-traceroute: + product: zeek + service: traceroute + conditions: + hawk_source: "traceroute.log" + zeek-weird: + product: zeek + service: weird + conditions: + hawk_source: "weird.log" + zeek-x509: + product: zeek + service: x509 + conditions: + hawk_source: "x509.log" + zeek-ip_search: + product: zeek + service: network + conditions: + hawk_source: + - "conn.log" + - "conn_long.log" + - "dce_rpc.log" + - "dhcp.log" + - "dnp3.log" + - "dns.log" + - "ftp.log" + - "gquic.log" + - "http.log" + - "irc.log" + - "kerberos.log" + - "modbus.log" + - "mqtt_connect.log" + - "mqtt_publish.log" + - "mqtt_subscribe.log" + - "mysql.log" + - "ntlm.log" + - "ntp.log" + - "radius.log" + - "rfb.log" + - "sip.log" + - "smb_files.log" + - "smb_mapping.log" + - "smtp.log" + - "smtp_links.log" + - "snmp.log" + - "socks.log" + - "ssh.log" + - "tls.log" #SSL + - "tunnel.log" + - "weird.log" + azure-signin: + product: azure + service: signinlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + product_source: "signInAudits" + azure-auditlogs: + product: azure + service: auditlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + product_source: "directoryAudits" + azure-activitylogs: + product: azure + service: activitylogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + azure-activity: + product: azure + service: azureactivity + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + event_channel: 'Microsoft-ServiceBus-Client' + windows-application: + product: windows + service: application + conditions: + event_channel: 'Application' + windows-security: + product: windows + service: security + 
conditions: + event_channel: 'Security' + windows-system: + product: windows + service: system + conditions: + event_channel: 'System' + windows-sysmon: + product: windows + service: sysmon + conditions: + product_name: 'Sysmon' + windows-powershell: + product: windows + service: powershell + conditions: + product_name: 'PowerShell' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + product_name: 'Windows PowerShell' + windows-taskscheduler: + product: windows + service: taskscheduler + conditions: + product_name: 'TaskScheduler' + windows-wmi: + product: windows + service: wmi + conditions: + product_name: 'WMI-Activity' + windows-dns-server: + product: windows + service: dns-server + conditions: + product_name: 'DNS Server' + windows-dns-server-audit: + product: windows + service: dns-server-audit + conditions: + product_name: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + product_name: 'DriverFrameworks-UserMode' + windows-ntlm: + product: windows + service: ntlm + conditions: + product_name: 'NTLM' + windows-dhcp: + product: windows + service: dhcp + conditions: + product_name: 'DHCP-Server' + windows-defender: + product: windows + service: windefend + conditions: + product_name: 'Windows Defender' + windows-applocker: + product: windows + service: applocker + conditions: + product_name: 'AppLocker' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + product_name: 'Windows Firewall With Advanced Security' + windows-ps-module: + product: windows + category: ps_module + conditions: + product_name: 'PowerShell' + vendor_id: 4103 + windows-ps-script: + product: windows + category: ps_script + conditions: + product_name: 'PowerShell' + vendor_id: 4104 + windows-ps-classic-start: + product: windows + category: ps_classic_start + conditions: + EventID: 400 + product_name: 'Windows PowerShell' + windows-ps-classic-provider: + 
product: windows + category: ps_classic_provider_start + conditions: + vendor_id: 600 + product_name: 'Windows PowerShell' + windows-ps-classic-script: + product: windows + category: ps_classic_script + conditions: + vendor_id: 800 + product_name: 'Windows PowerShell' + windows-service-bus: + service: Microsoft-ServiceBus-Client + conditions: + product_name: "Microsoft-ServiceBus-Client" + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + product_name: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + product_name: 'PrintService' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + product_name: 'PrintService' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + product_name: 'TerminalServices-LocalSessionManager' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + product_name: 'CodeIntegrity' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + product_name: 'SmbClient' + windows-registry: + product: windows + category: registry_event + conditions: + product_name: "Sysmon" + vendor_id: + - 12 + - 13 + - 14 + windows-registry-add: + product: windows + category: registry_add + conditions: + product_name: "Sysmon" + vendor_id: 12 + windows-registry-delete: + product: windows + category: registry_delete + conditions: + product_name: "Sysmon" + vendor_id: 12 + windows-registry-set: + product: windows + category: registry_set + conditions: + product_name: "Sysmon" + vendor_id: 13 + windows-registry-rename: + product: windows + category: registry_rename + conditions: + product_name: "Sysmon" + vendor_id: 14 + windows-file-block-executable: + product: windows + category: file_block + conditions: + product_name: 
"Sysmon" + vendor_id: 27 + #dns: + # category: dns + # conditions: + qflow: + product: qflow + netflow: + service: netflow + ipfix: + product: ipfix + flow: + product: flow fieldmappings: - dst: - - ip_dst_host - dst_ip: - - ip_dst - src: - - ip_src_host - src_ip: - - ip_src - IPAddress: ip_src - DNSAddress: dns_address - DCIPAddress: ip_src - category: vendor_category - error: error_code - key: event_key - payload: event_payload - weight: event_weight - account type: account_type - PrivilegeList: process_privileges - pid_user: event_username - sid: correlation_session_id - UserSid: correlation_session_id - TargetSid: target_session_id - TargetUserName: target_username - SamAccountName: target_username - AccountName: target_username - TargetDomainName: target_domain - DnsServerIpAddress: dns_address - QueryName: dns_query - AuthenticationPackageName: package_name - HostProcess: image - Application: image - ProcessName: image - TargetImage: target_image - ParentImage: parent_image - CallerProcessName: parent_image - ParentProcessName: parent_image - CommandLine: command - ProcessCommandLine: command - ParentCommandLine: parent_command - Imphash: file_hash_imphash - sha256: file_hash_sha256 - md5: file_hash_md5 - sha1: file_hash_sha1 - SubjectUserSid: correlation_session_id - SubjectSid: correlation_session_id - SubjectUserName: correlation_username - SubjectDomainName: correlation_domain - SubjectLogonId: correlation_logon_id - pid: event_pid - ProccessId: pid - NewProcessName: image - ServiceName: service_name - Service: service_name - ServiceFileName: filename - EventID: vendor_id - SourceImage: parent_image - ImageLoaded: image_loaded - Description: image_description - ScriptBlockText: value - Product: image_product - Company: image_company - CurrentDirectory: path - ShareName: path - RelativeTargetName: filename - TargetName: value - Initiated: value - Accesses: access_mask - LDAPDisplayName: distinguished_name - AttributeLDAPDisplayName: distinguished_name - 
AttributeValue: value - ParentProcessId: parent_pid - SourceProcessId: source_pid - TargetProcessId: target_pid - Signed: signature - Status: value - TargetFilename: filename - FileName: filename - TargetObject: object_target - ObjectClass: object_type - ObjectValueName: object_name - ObjectName: object_name - DeviceClassName: object_name - CallTrace: calltrace - IpAddress: ip_src - WorkstationName: ip_src_host - Workstation: ip_src_host - DestinationIp: ip_dst - DestinationHostname: ip_dst_host - DestinationPort: ip_dport - DestAddress: ip_dst - DestPort: ip_dport - SourceAddress: ip_src - SourcePort: ip_sport - GrantedAccess: access_mask - StartModule: target_process_name - TargetProcessAddress: process_address - TicketOptions: sys.ticket.options - TicketEncryptionType: sys.ticket.encryption.type - DetectionSource: value - Priority: event_priority - event_type_id: vendor_id - destination.port: ip_dport - user: correlation_username - User: correlation_username - # Provider_Name: channel - c-referer: http_referer - cs-referer: http_referer - cs-host: http_host - cs-method: http_method - c-uri: http_path - c-uri-stem: http_path - cs-uri: http_path - cs-uri-stem: http_path - c-agent: http_user_agent - cs-agent: http_user_agent - c-useragent: http_user_agent - cs-useragent: http_user_agent - cs-user-agent: http_user_agent - c-ip: ip_src - cs-ip: ip_src - s-ip: ip_dst - sc-ip: ip_dst - c-username: correlation_username - cs-username: correlation_username - s-computername: ip_dst_host - cs-uri-query: http_query - c-uri-query: http_query - sc-status: http_status_code - sc-bytes: http_content_length - user-agent: http_user_agent - cs-User-Agent: http_user_agent - r-dns: http_host - id.orig_h: ip_src - id.orig_p: ip_sport - id.resp_h: ip_dst - id.resp_p: ip_dport - host: ip_src - hostname: ip_src_host - port_num: ip_dport - dst_port: ip_dport - query: dns_query - orig_ip_bytes: net_if_out_bytes - resp_ip_bytes: net_if_in_bytes - QNAME: qname - Channel: event_channel + dst: 
+ - ip_dst_host + dst_ip: + - ip_dst + src: + - ip_src_host + src_ip: + - ip_src + IPAddress: ip_src + DNSAddress: dns_address + DCIPAddress: ip_src + category: vendor_category + error: error_code + key: event_key + payload: event_payload + weight: event_weight + account type: account_type + PrivilegeList: process_privileges + pid_user: event_username + sid: correlation_session_id + UserSid: correlation_session_id + TargetSid: target_session_id + TargetUserName: target_username + SamAccountName: target_username + AccountName: target_username + TargetDomainName: target_domain + DnsServerIpAddress: dns_address + QueryName: dns_query + AuthenticationPackageName: package_name + HostProcess: image + Application: image + ProcessName: image + TargetImage: target_image + ParentImage: parent_image + CallerProcessName: parent_image + ParentProcessName: parent_image + CommandLine: command + ProcessCommandLine: command + ParentCommandLine: parent_command + Imphash: file_hash_imphash + sha256: file_hash_sha256 + md5: file_hash_md5 + sha1: file_hash_sha1 + SubjectUserSid: correlation_session_id + SubjectSid: correlation_session_id + SubjectUserName: correlation_username + SubjectDomainName: correlation_domain + SubjectLogonId: correlation_logon_id + pid: event_pid + ProccessId: pid + NewProcessName: image + ServiceName: service_name + Service: service_name + ServiceFileName: filename + EventID: vendor_id + SourceImage: parent_image + ImageLoaded: image_loaded + Description: image_description + ScriptBlockText: value + Product: image_product + Company: image_company + CurrentDirectory: path + ShareName: path + RelativeTargetName: filename + TargetName: value + Initiated: value + Accesses: access_mask + LDAPDisplayName: distinguished_name + AttributeLDAPDisplayName: distinguished_name + AttributeValue: value + ParentProcessId: parent_pid + SourceProcessId: source_pid + TargetProcessId: target_pid + Signed: signature + Status: value + TargetFilename: filename + FileName: filename + 
TargetObject: object_target + ObjectClass: object_type + ObjectValueName: object_name + ObjectName: object_name + DeviceClassName: object_name + CallTrace: calltrace + IpAddress: ip_src + WorkstationName: ip_src_host + Workstation: ip_src_host + DestinationIp: ip_dst + DestinationHostname: ip_dst_host + DestinationPort: ip_dport + DestAddress: ip_dst + DestPort: ip_dport + SourceAddress: ip_src + SourcePort: ip_sport + GrantedAccess: access_mask + StartModule: target_process_name + TargetProcessAddress: process_address + TicketOptions: sys.ticket.options + TicketEncryptionType: sys.ticket.encryption.type + DetectionSource: value + Priority: event_priority + event_type_id: vendor_id + destination.port: ip_dport + user: correlation_username + User: correlation_username + # Provider_Name: channel + c-referer: http_referer + cs-referer: http_referer + cs-host: http_host + cs-method: http_method + c-uri: http_path + c-uri-stem: http_path + cs-uri: http_path + cs-uri-stem: http_path + c-agent: http_user_agent + cs-agent: http_user_agent + c-useragent: http_user_agent + cs-useragent: http_user_agent + cs-user-agent: http_user_agent + c-ip: ip_src + cs-ip: ip_src + s-ip: ip_dst + sc-ip: ip_dst + c-username: correlation_username + cs-username: correlation_username + s-computername: ip_dst_host + cs-uri-query: http_query + c-uri-query: http_query + sc-status: http_status_code + sc-bytes: http_content_length + user-agent: http_user_agent + cs-User-Agent: http_user_agent + r-dns: http_host + id.orig_h: ip_src + id.orig_p: ip_sport + id.resp_h: ip_dst + id.resp_p: ip_dport + host: ip_src + hostname: ip_src_host + port_num: ip_dport + dst_port: ip_dport + query: dns_query + orig_ip_bytes: net_if_out_bytes + resp_ip_bytes: net_if_in_bytes + QNAME: qname + Channel: event_channel diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index c595abfd9..f66b38872 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml 
@@ -1,134 +1,149 @@ title: Logpoint order: 20 backends: - - logpoint + - logpoint logsources: - windows-security: - product: windows - service: security - conditions: - event_source: 'Microsoft-Windows-Security-Auditing' - windows-system: - product: windows - service: system - conditions: - event_source: 'Microsoft-Windows-Security-Auditing' - windows-dns-server: - product: windows - service: dns-server - conditions: - event_source: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - event_source: 'Microsoft-Windows-DHCP-Server/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - event_source: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - event_source: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - event_source: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - event_source: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - event_source: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - event_source: 
'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - event_source: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - event_source: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - event_source: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - event_source: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - event_source: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - event_source: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - event_source: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - event_source: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - event_source: 'Microsoft-Windows-LSA/Operational' + windows-security: + product: windows + service: security + conditions: + event_source: 'Microsoft-Windows-Security-Auditing' + windows-system: + product: windows 
+ service: system + conditions: + event_source: 'Microsoft-Windows-Security-Auditing' + windows-dns-server: + product: windows + service: dns-server + conditions: + event_source: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + event_source: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + event_source: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + event_source: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + event_source: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + event_source: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + event_source: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + event_source: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + event_source: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + 
event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + event_source: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + event_source: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + event_source: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + event_source: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + event_source: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + event_source: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + event_source: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + event_source: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + event_source: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + event_source: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + event_source: 'Microsoft-Windows-AppModel-Runtime/Admin' 
fieldmappings: EventID: event_id FailureCode: result_code diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index cdf8d65f1..db51c787e 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml 
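Review bot: In the new-side `windows-system` entry (directly after `windows-security` in this hunk) the selector `event_source: 'Microsoft-Windows-Security-Auditing'` is byte-identical to the one on `windows-security`, which looks like a copy-paste error that the re-indentation carried over rather than a deliberate mapping for the System log. As written, a rule with `logsource: product: windows, service: system` converts into a query constrained to Security-Auditing events, so System-channel events would be silently excluded by the backend, a detection gap rather than a conversion error. The other configs in this commit key `windows-system` on the System log itself (hawk.yml uses `event_channel: 'System'`), so this entry presumably needs a Logpoint-appropriate System-log selector; I cannot confirm the correct `event_source` value for Logpoint from this hunk, so please verify against a real System event rather than copying a guess. Separately, `service: ldap_debug` keeps an underscore where every sibling service in this file is hyphenated; worth checking against the rule taxonomy so rules do not fail to resolve on a naming mismatch.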
@@ -1,153 +1,168 @@ title: Logstash Windows common log sources order: 20 backends: - - es-qs - - es-dsl - - es-rule - - kibana - - kibana-ndjson - - xpack-watcher - - elastalert - - elastalert-dsl - - ee-outliers + - es-qs + - es-dsl + - es-rule + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl + - ee-outliers logsources: - windows: - product: windows - index: logstash-windows-* - windows-application: - product: windows - service: application - conditions: - Channel: Application - windows-security: - product: windows - service: security - conditions: - Channel: Security - windows-sysmon: - product: windows - service: sysmon - conditions: - Channel: Microsoft-Windows-Sysmon - windows-dns-server: - product: windows - service: dns-server - conditions: - Channel: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - Channel: 'Microsoft-Windows-DHCP-Server/Operational' - windows-defender: - product: windows - service: windefend - conditions: - Channel: 'Microsoft-Windows-Windows Defender/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - Channel: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - Channel: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - Channel: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - Channel: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: 
printservice-operational - conditions: - Channel: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - Channel: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - Channel: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - Channel: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - Channel: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - Channel: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - Channel: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - Channel: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - Channel: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - Channel: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: 
appxdeployment-server - conditions: - Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - Channel: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: logstash-windows-* + windows-application: + product: windows + service: application + conditions: + Channel: Application + windows-security: + product: windows + service: security + conditions: + Channel: Security + windows-sysmon: + product: windows + service: sysmon + conditions: + Channel: Microsoft-Windows-Sysmon + windows-dns-server: + product: windows + service: dns-server + conditions: + Channel: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + Channel: 'Microsoft-Windows-DHCP-Server/Operational' + windows-defender: + product: windows + service: windefend + conditions: + Channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + Channel: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + Channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + Channel: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + Channel: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + Channel: 'Microsoft-Windows-PrintService/Operational' + 
windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + Channel: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + Channel: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + Channel: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + Channel: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + Channel: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + Channel: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + Channel: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + Channel: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + Channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' + 
windows-lsa-server: + product: windows + service: lsa-server + conditions: + Channel: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + Channel: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + Channel: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + Channel: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: logstash-* diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index e26815896..9a912c3c2 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml 
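Review bot: The Logstash mapping still has no entries for the `system`, `powershell`, `powershell-classic`, `taskscheduler`, `wmi` and `dns-server-audit` services that the powershell.yml and splunk-windows.yml hunks in this same commit define, so a rule for any of those services falls through to the generic `windows` entry, which only sets `index: logstash-windows-*` and adds no `Channel` condition. Because EventIDs are only unique within a channel, such a rule is converted into a query over every Windows channel in the index, which is slower and can fire on unrelated events that happen to share the EventID. Assuming the pipeline populates `Channel` for these logs the way it does for the existing entries, they can be added in the same shape; the channel names below are taken from the powershell.yml hunk, not invented. Separately, `windows-sysmon` is the only entry whose `Channel` has no `/Operational` suffix — worth confirming that is what the pipeline actually emits rather than a stale value.
```yaml
logsources:
    # … unchanged: windows, windows-application, windows-security …
    windows-system:
        product: windows
        service: system
        conditions:
            Channel: System
    windows-powershell:
        product: windows
        service: powershell
        conditions:
            Channel:
                - 'Microsoft-Windows-PowerShell/Operational'
                - 'PowerShellCore/Operational'
    windows-classicpowershell:
        product: windows
        service: powershell-classic
        conditions:
            Channel: 'Windows PowerShell'
    windows-taskscheduler:
        product: windows
        service: taskscheduler
        conditions:
            Channel: 'Microsoft-Windows-TaskScheduler/Operational'
    windows-wmi:
        product: windows
        service: wmi
        conditions:
            Channel: 'Microsoft-Windows-WMI-Activity/Operational'
    windows-dns-server-audit:
        product: windows
        service: dns-server-audit
        conditions:
            Channel: 'Microsoft-Windows-DNS-Server/Audit'
    # … unchanged: windows-sysmon through windows-appmodel-runtime …
```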
@@ -1,173 +1,188 @@ title: Logsource to LogName mappings for PowerShell backend order: 20 backends: - - powershell + - powershell logsources: - windows-application: - product: windows - service: application - conditions: - LogName: 'Application' - windows-security: - product: windows - service: security - conditions: - LogName: 'Security' - windows-system: - product: windows - service: system - conditions: - LogName: 'System' - windows-sysmon: - product: windows - service: sysmon - conditions: - LogName: 'Microsoft-Windows-Sysmon/Operational' - windows-powershell: - product: windows - service: powershell - conditions: - LogName: - - 'Microsoft-Windows-PowerShell/Operational' - - 'PowerShellCore/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - LogName: 'Windows PowerShell' - windows-taskscheduler: - product: windows - service: taskscheduler - conditions: - LogName: 'Microsoft-Windows-TaskScheduler/Operational' - windows-wmi: - product: windows - service: wmi - conditions: - LogName: 'Microsoft-Windows-WMI-Activity/Operational' - windows-dns-server: - product: windows - service: dns-server - conditions: - LogName: 'DNS Server' - windows-dns-server-audit: - product: windows - service: dns-server-audit - conditions: - LogName: 'Microsoft-Windows-DNS-Server/Audit' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - LogName: 'Microsoft-Windows-NTLM/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - LogName: 'Microsoft-Windows-DHCP-Server/Operational' - windows-defender: - product: windows - service: windefend - conditions: - LogName: 'Microsoft-Windows-Windows Defender/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - LogName: - - 'Microsoft-Windows-AppLocker/MSI and Script' - 
- 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - LogName: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - LogName: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - LogName: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - LogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - LogName: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - LogName: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - LogName: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - LogName: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - LogName: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - LogName: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - 
conditions: - LogName: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - LogName: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - LogName: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - LogName: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - LogName: 'Microsoft-Windows-LSA/Operational' + windows-application: + product: windows + service: application + conditions: + LogName: 'Application' + windows-security: + product: windows + service: security + conditions: + LogName: 'Security' + windows-system: + product: windows + service: system + conditions: + LogName: 'System' + windows-sysmon: + product: windows + service: sysmon + conditions: + LogName: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + LogName: + - 'Microsoft-Windows-PowerShell/Operational' + - 'PowerShellCore/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + LogName: 'Windows PowerShell' + windows-taskscheduler: + product: windows + service: taskscheduler + conditions: + LogName: 'Microsoft-Windows-TaskScheduler/Operational' + windows-wmi: + product: windows + service: wmi + conditions: + LogName: 'Microsoft-Windows-WMI-Activity/Operational' + windows-dns-server: + product: windows + service: dns-server + conditions: + LogName: 'DNS Server' + windows-dns-server-audit: + product: windows + service: dns-server-audit + conditions: + LogName: 'Microsoft-Windows-DNS-Server/Audit' + windows-driver-framework: + product: windows + service: driver-framework + 
conditions: + LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + LogName: 'Microsoft-Windows-NTLM/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + LogName: 'Microsoft-Windows-DHCP-Server/Operational' + windows-defender: + product: windows + service: windefend + conditions: + LogName: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + LogName: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + LogName: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + LogName: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + LogName: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + LogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + LogName: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + LogName: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + LogName: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + LogName: 
'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + LogName: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + LogName: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + LogName: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + LogName: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + LogName: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + LogName: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + LogName: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + LogName: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + LogName: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + LogName: 'Microsoft-Windows-AppModel-Runtime/Admin' diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index a9f42d18d..bb5177e05 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml 
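Review bot: The `windows-ldap-debug` entry maps `service: ldap_debug` to `LogName: 'Microsoft-Windows-LDAP-Client/Debug'` with no indication that this is a Debug-type channel: it is disabled by default, and as far as I know Get-WinEvent refuses to read Analytic/Debug logs unless `-Oldest` is supplied, so a rule converted with this backend will either error out or return nothing on a host where the channel was never enabled. Since the PowerShell backend is the one most likely to be run ad hoc on an endpoint during an investigation, a comment on the entry would stop a responder from reading that as "no findings": `# Debug channel: off by default; enable it (wevtutil sl Microsoft-Windows-LDAP-Client/Debug /e:true) and query it with Get-WinEvent -Oldest`. The same caveat may apply to other non-Operational channels in this list, but that is not something this file establishes.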
@@ -1,195 +1,210 @@ title: Splunk Windows log source conditions order: 20 backends: - - splunk - - splunkxml - - splunkdm + - splunk + - splunkxml + - splunkdm logsources: - windows-application: - product: windows - service: application - conditions: - source: 'WinEventLog:Application' - windows-security: - product: windows - service: security - conditions: - source: 'WinEventLog:Security' - windows-system: - product: windows - service: system - conditions: - source: 'WinEventLog:System' - windows-sysmon: - product: windows - service: sysmon - conditions: - source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' - windows-process-creation: - product: windows - service: sysmon - category: process_creation - # Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data. - # This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here. 
- search: 'ParentProcessGuid EventCode=1' - windows-file-creation: - product: windows - service: sysmon - category: file_creation - search: 'TargetFilename EventCode=11' - windows-powershell: - product: windows - service: powershell - conditions: - source: - - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' - - 'WinEventLog:PowerShellCore/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - source: 'WinEventLog:Windows PowerShell' - windows-taskscheduler: - product: windows - service: taskscheduler - conditions: - source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' - windows-wmi: - product: windows - service: wmi - conditions: - source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' - windows-dns-server: - product: windows - service: dns-server - category: dns - conditions: - source: 'WinEventLog:DNS Server' - windows-dns-server-audit: - product: windows - service: dns-server-audit - conditions: - source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - source: 'WinEventLog:Microsoft-Windows-NTLM/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - source: - - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' - - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - source: 'WinEventLog:MSExchange Management' - windows-printservice-admin: - 
product: windows - service: printservice-admin - conditions: - source: 'WinEventLog:Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - source: 'WinEventLog:Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - source: 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - source: 'WinEventLog:Microsoft-Windows-SmbClient/Security' - windows-rpc-firewall: - product: rpc_firewall - category: application - conditions: - source: 'WinEventLog:RPCFW' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - source: - - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - source: 'WinEventLog:OpenSSH/Operational' - windows-ldap-debug: - product: windows 
- service: ldap_debug - conditions: - source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management' - windows-defender: - product: windows - service: windefend - conditions: - source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - source: 'WinEventLog:Microsoft-Windows-LSA/Operational' + windows-application: + product: windows + service: application + conditions: + source: 'WinEventLog:Application' + windows-security: + product: windows + service: security + conditions: + source: 'WinEventLog:Security' + windows-system: + product: windows + service: system + conditions: + source: 'WinEventLog:System' + windows-sysmon: + product: windows + service: sysmon + conditions: + source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' + windows-process-creation: + product: windows + service: sysmon + category: process_creation + # Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data. + # This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here. 
+ search: 'ParentProcessGuid EventCode=1' + windows-file-creation: + product: windows + service: sysmon + category: file_creation + search: 'TargetFilename EventCode=11' + windows-powershell: + product: windows + service: powershell + conditions: + source: + - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' + - 'WinEventLog:PowerShellCore/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + source: 'WinEventLog:Windows PowerShell' + windows-taskscheduler: + product: windows + service: taskscheduler + conditions: + source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' + windows-wmi: + product: windows + service: wmi + conditions: + source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' + windows-dns-server: + product: windows + service: dns-server + category: dns + conditions: + source: 'WinEventLog:DNS Server' + windows-dns-server-audit: + product: windows + service: dns-server-audit + conditions: + source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + source: 'WinEventLog:Microsoft-Windows-NTLM/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + source: + - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' + - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + source: 'WinEventLog:MSExchange Management' + windows-printservice-admin: + 
product: windows + service: printservice-admin + conditions: + source: 'WinEventLog:Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + source: 'WinEventLog:Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + source: 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + source: 'WinEventLog:Microsoft-Windows-SmbClient/Security' + windows-rpc-firewall: + product: rpc_firewall + category: application + conditions: + source: 'WinEventLog:RPCFW' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + source: + - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + source: 'WinEventLog:OpenSSH/Operational' + windows-ldap-debug: + product: windows 
+ service: ldap_debug + conditions: + source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management' + windows-defender: + product: windows + service: windefend + conditions: + source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + source: 'WinEventLog:Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + source: 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + source: 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + source: 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin' fieldmappings: EventID: EventCode diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index c6addce9d..e5e427726 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml 
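Review bot: Every `source:` value in this file, including the three entries appended at the end (`appxpackaging-om`, `dns-client`, `appmodel-runtime`), carries the classic `WinEventLog:` prefix, but nothing records that assumption. On Splunk inputs configured with `renderXml = true` the source is, as far as I recall, `XmlWinEventLog:<channel>` instead, in which case none of these conditions match and every converted rule silently returns no events — a coverage gap that looks exactly like a quiet environment. Since this file is the single place the channel-to-source mapping lives, a comment next to `logsources:` would make the dependency explicit: `# source values assume classic (renderXml = false) WinEventLog inputs; for XML-rendered inputs replace the WinEventLog: prefix with XmlWinEventLog:`.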
@@ -1,200 +1,241 @@ title: SumoLogic order: 20 backends: - - sumologic + - sumologic afl_fields: - - _index - - EventID - - CommandLine - - NewProcessName - - Image - - ParentImage - - ParentCommandLine - - ParentProcessName + - _index + - EventID + - CommandLine + - NewProcessName + - Image + - ParentImage + - ParentCommandLine + - ParentProcessName # Sumulogic mapping depends on customer configuration. Adapt to your context! # typically rule on _sourceCategory, _index or Field Extraction Rules (FER) # supposing existing FER for service, EventChannel, EventID logsources: - unix: - product: unix - index: UNIX - linux: - product: linux - index: LINUX - linux-sshd: - product: linux - service: sshd - index: LINUX - linux-auth: - product: linux - service: auth - index: LINUX - linux-clamav: - product: linux - service: clamav - index: LINUX - windows: - product: windows - index: WINDOWS - windows-sysmon: - product: windows - service: sysmon - conditions: - EventChannel: Microsoft-Windows-Sysmon - index: WINDOWS - windows-security: - product: windows - service: security - conditions: - EventChannel: Security - index: WINDOWS - windows-powershell: - product: windows - service: powershell - conditions: - EventChannel: - - Microsoft-Windows-Powershell - - PowerShellCore - index: WINDOWS - windows-system: - product: windows - service: system - conditions: - EventChannel: System - index: WINDOWS - windows-dhcp: - product: windows - service: dhcp - conditions: - EventChannel: Microsoft-Windows-DHCP-Server - index: WINDOWS - windows-ntlm: - product: windows - service: ntlm - conditions: - EventChannel: 'Microsoft-Windows-NTLM/Operational' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - EventChannel: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - EventChannel: 'Microsoft-Windows-PrintService/Operational' - 
windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - EventChannel: 'Microsoft-Windows-SmbClient/Security' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - EventChannel: 'MSExchange Management' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - EventChannel: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - EventChannel: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - EventChannel: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - EventChannel: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - source: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - source: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - source: 
'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - source: 'Microsoft-Windows-AppXDeploymentServer/Operational' - apache: - service: apache - index: WEBSERVER - apache2: - service: apache - index: WEBSERVER - webserver: - category: webserver - index: WEBSERVER - firewall: - category: firewall - index: FIREWALL - firewall2: - product: firewall - index: FIREWALL - network-dns: - category: dns - index: DNS - network-dns2: - product: dns - index: DNS - proxy: - category: proxy - index: PROXY - antivirus: - category: antivirus - index: ANTIVIRUS - application-sql: - product: sql - index: DATABASE - application-python: - product: python - index: APPLICATIONS - application-django: - product: django - index: DJANGO - application-rails: - product: rails - index: RAILS - application-spring: - product: spring - index: SPRING + unix: + product: unix + index: UNIX + linux: + product: linux + index: LINUX + linux-sshd: + product: linux + service: sshd + index: LINUX + linux-auth: + product: linux + service: auth + index: LINUX + linux-clamav: + product: linux + service: clamav + index: LINUX + windows: + product: windows + index: WINDOWS + windows-sysmon: + product: windows + service: sysmon + conditions: + EventChannel: Microsoft-Windows-Sysmon + index: WINDOWS + windows-security: + product: windows + service: security + conditions: + EventChannel: Security + index: WINDOWS + windows-powershell: + product: windows + service: powershell + conditions: + EventChannel: + - Microsoft-Windows-Powershell + - PowerShellCore + index: WINDOWS + windows-system: + product: windows + service: system + conditions: + EventChannel: System + index: WINDOWS + windows-dhcp: + product: windows + service: dhcp + conditions: + EventChannel: Microsoft-Windows-DHCP-Server + index: WINDOWS + windows-ntlm: + product: windows + service: ntlm + conditions: + EventChannel: 'Microsoft-Windows-NTLM/Operational' + index: 
WINDOWS + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + EventChannel: 'Microsoft-Windows-PrintService/Admin' + index: WINDOWS + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + EventChannel: 'Microsoft-Windows-PrintService/Operational' + index: WINDOWS + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + index: WINDOWS + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational' + index: WINDOWS + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + EventChannel: 'Microsoft-Windows-SmbClient/Security' + index: WINDOWS + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + EventChannel: 'MSExchange Management' + index: WINDOWS + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + index: WINDOWS + windows-bits-client: + product: windows + service: bits-client + conditions: + EventChannel: 'Microsoft-Windows-Bits-Client/Operational' + index: WINDOWS + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + EventChannel: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + index: WINDOWS + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + index: WINDOWS + windows-shell-core: + product: windows + service: shell-core + conditions: + EventChannel: 
'Microsoft-Windows-Shell-Core/Operational' + index: WINDOWS + windows-openssh: + product: windows + service: openssh + conditions: + EventChannel: 'OpenSSH/Operational' + index: WINDOWS + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + EventChannel: 'Microsoft-Windows-LDAP-Client/Debug' + index: WINDOWS + windows-bitlocker: + product: windows + service: bitlocker + conditions: + EventChannel: 'Microsoft-Windows-BitLocker/BitLocker Management' + index: WINDOWS + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + EventChannel: 'Microsoft-Windows-VHDMP/Operational' + index: WINDOWS + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + EventChannel: 'Microsoft-Windows-AppXDeploymentServer/Operational' + index: WINDOWS + windows-lsa-server: + product: windows + service: lsa-server + conditions: + EventChannel: 'Microsoft-Windows-LSA/Operational' + index: WINDOWS + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + EventChannel: 'Microsoft-Windows-AppxPackaging/Operational' + index: WINDOWS + windows-dns-client: + product: windows + service: dns-client + conditions: + EventChannel: 'Microsoft-Windows-DNS Client Events/Operational' + index: WINDOWS + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + EventChannel: 'Microsoft-Windows-AppModel-Runtime/Admin' + index: WINDOWS + apache: + service: apache + index: WEBSERVER + apache2: + service: apache + index: WEBSERVER + webserver: + category: webserver + index: WEBSERVER + firewall: + category: firewall + index: FIREWALL + firewall2: + product: firewall + index: FIREWALL + network-dns: + category: dns + index: DNS + network-dns2: + product: dns + index: DNS + proxy: + category: proxy + index: PROXY + antivirus: + category: antivirus + index: ANTIVIRUS + application-sql: + product: sql + index: DATABASE + application-python: + product: python + 
index: APPLICATIONS + application-django: + product: django + index: DJANGO + application-rails: + product: rails + index: RAILS + application-spring: + product: spring + index: SPRING # if no index, search in all indexes diff --git a/tools/config/thor.yml b/tools/config/thor.yml index f62d844c3..bdc8238a2 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml 
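Review bot: The new side of this hunk still defines no `windows-defender` logsource (`service: windefend`), although the file section just above and thor.yml further down in this same diff both carry one, so a rule with `service: windefend` would presumably be converted for SumoLogic with no EventChannel condition at all and run against the whole index. An entry in the same shape as the neighbouring `windows-ldap-debug` closes the gap (below). Separately, the `index: WINDOWS` lines added to the entries from `windows-ntlm` through `windows-appxdeployment-server` narrow those searches from every index (per the closing `# if no index, search in all indexes` comment) to `WINDOWS`; that is a behaviour change beyond reindentation and new logsources and deserves a line in the commit message.
```yaml
    # … unchanged: windows-appmodel-runtime entry …
    windows-defender:
        product: windows
        service: windefend
        conditions:
            EventChannel: 'Microsoft-Windows-Windows Defender/Operational'
        index: WINDOWS
```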
@@ -1,458 +1,473 @@ title: THOR order: 20 backends: - - thor + - thor # this configuration differs from other configurations and can not be used # with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK. logsources: - # log source configurations for generic sigma rules - process_creation_1: - category: process_creation - product: windows - conditions: - EventID: 1 - rewrite: - product: windows - service: sysmon - process_creation_2: - category: process_creation - product: windows - conditions: - EventID: 4688 - rewrite: - product: windows - service: security - fieldmappings: - Image: NewProcessName - ParentImage: ParentProcessName - network_connection: - category: network_connection - product: windows - conditions: - EventID: 3 - rewrite: - product: windows - service: sysmon - sysmon_status1: - category: sysmon_status - product: windows - conditions: - EventID: 4 - rewrite: - product: windows - service: sysmon - sysmon_status2: - category: sysmon_status - product: windows - conditions: - EventID: 16 - rewrite: - product: windows - service: sysmon - process_terminated: - category: process_termination - product: windows - conditions: - EventID: 5 - rewrite: - product: windows - service: sysmon - driver_loaded: - category: driver_load - product: windows - conditions: - EventID: 6 - rewrite: - product: windows - service: sysmon - image_loaded: - category: image_load - product: windows - conditions: - EventID: 7 - rewrite: - product: windows - service: sysmon - create_remote_thread: - category: create_remote_thread - product: windows - conditions: - EventID: 8 - rewrite: - product: windows - service: sysmon - raw_access_thread: - category: raw_access_thread - product: windows - conditions: - EventID: 9 - rewrite: - product: windows - service: sysmon - process_access: - category: process_access - product: windows - conditions: - EventID: 10 - rewrite: - product: windows - service: sysmon - file_creation: - category: file_event - product: 
windows - conditions: - EventID: 11 - rewrite: - product: windows - service: sysmon - registry_event1: - category: registry_event - product: windows - conditions: - EventID: 12 - rewrite: - product: windows - service: sysmon - registry_event2: - category: registry_event - product: windows - conditions: - EventID: 13 - rewrite: - product: windows - service: sysmon - registry_event3: - category: registry_event - product: windows - conditions: - EventID: 14 - rewrite: - product: windows - service: sysmon - registry_add: - category: registry_add - product: windows - conditions: - EventID: 12 - rewrite: - product: windows - service: sysmon - registry_delete: - category: registry_delete - product: windows - conditions: - EventID: 12 - rewrite: - product: windows - service: sysmon - registry_set: - category: registry_set - product: windows - conditions: - EventID: 13 - rewrite: - product: windows - service: sysmon - registry_rename: - category: registry_rename - product: windows - conditions: - EventID: 14 - rewrite: - product: windows - service: sysmon - create_stream_hash: - category: create_stream_hash - product: windows - conditions: - EventID: 15 - rewrite: - product: windows - service: sysmon - pipe_created1: - category: pipe_created - product: windows - conditions: - EventID: 17 - rewrite: - product: windows - service: sysmon - pipe_created2: - category: pipe_created - product: windows - conditions: - EventID: 18 - rewrite: - product: windows - service: sysmon - wmi_event1: - category: wmi_event - product: windows - conditions: - EventID: 19 - rewrite: - product: windows - service: sysmon - wmi_event2: - category: wmi_event - product: windows - conditions: - EventID: 20 - rewrite: - product: windows - service: sysmon - wmi_event3: - category: wmi_event - product: windows - conditions: - EventID: 21 - rewrite: - product: windows - service: sysmon - dns_query: - category: dns_query - product: windows - conditions: - EventID: 22 - rewrite: - product: windows - 
service: sysmon - file_delete: - category: file_delete - product: windows - conditions: - EventID: 23 - rewrite: - product: windows - service: sysmon - file_block: - category: file_block - product: windows - conditions: - EventID: 27 - rewrite: - product: windows - service: sysmon - sysmon_error: - category: sysmon_error - product: windows - conditions: - EventID: 255 - rewrite: - product: windows - service: sysmon - #PowerShell Operational - ps_module: - category: ps_module - product: windows - conditions: - EventID: 4103 - rewrite: - product: windows - service: powershell - ps_script: - category: ps_script - product: windows - conditions: - EventID: 4104 - rewrite: - product: windows - service: powershell - #Powershell "classic" channel - ps_classic_start: - category: ps_classic_start - product: windows - conditions: - EventID: 400 - rewrite: - product: windows - service: powershell-classic - ps_classic_provider_start: - category: ps_classic_provider_start - product: windows - conditions: - EventID: 600 - rewrite: - product: windows - service: powershell-classic - ps_classic_script: - category: ps_classic_script - product: windows - conditions: - EventID: 800 - rewrite: - product: windows - service: powershell-classic - # target system configurations - windows-application: - product: windows - service: application - sources: - - "WinEventLog:Application" - windows-security: - product: windows - service: security - sources: - - "WinEventLog:Security" - windows-system: - product: windows - service: system - sources: - - "WinEventLog:System" - windows-ntlm: - product: windows - service: ntlm - sources: - - "WinEventLog:Microsoft-Windows-NTLM/Operational" - windows-sysmon: - product: windows - service: sysmon - sources: - - "WinEventLog:Microsoft-Windows-Sysmon/Operational" - windows-powershell: - product: windows - service: powershell - sources: - - "WinEventLog:Microsoft-Windows-PowerShell/Operational" - - "WinEventLog:PowerShellCore/Operational" - 
windows-classicpowershell: - product: windows - service: powershell-classic - sources: - - "WinEventLog:Windows PowerShell" - windows-taskscheduler: - product: windows - service: taskscheduler - sources: - - "WinEventLog:Microsoft-Windows-TaskScheduler/Operational" - windows-wmi: - product: windows - service: wmi - sources: - - "WinEventLog:Microsoft-Windows-WMI-Activity/Operational" - windows-dhcp: - product: windows - service: dhcp - sources: - - "WinEventLog:Microsoft-Windows-DHCP-Server/Operational" - windows-printservice-admin: - product: windows - service: printservice-admin - sources: - - "WinEventLog:Microsoft-Windows-PrintService/Admin" - windows-smbclient-security: - product: windows - service: smbclient-security - sources: - - "WinEventLog:Microsoft-Windows-SmbClient/Security" - windows-printservice-operational: - product: windows - service: printservice-operational - sources: - - "WinEventLog:Microsoft-Windows-PrintService/Operational" - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - sources: - - 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - sources: - - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational" - windows-applocker: - product: windows - service: applocker - sources: - - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' - - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - sources: - - 'WinEventLog:MSExchange Management' - windows-defender: - product: windows - service: windefend - sources: - - 'WinEventLog:Microsoft-Windows-Windows Defender/Operational' - windows-firewall-advanced-security: - 
product: windows - service: firewall-as - sources: - - 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - sources: - - 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - sources: - - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - sources: - - 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - sources: - - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - sources: - - 'WinEventLog:OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - sources: - - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - sources: - - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp: - product: windows - service: vhdmp - sources: - - 'WinEventLog:Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - sources: - - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - sources: - - 'WinEventLog:Microsoft-Windows-LSA/Operational' - apache: - category: webserver - sources: - - "File:/var/log/apache/*.log" - - "File:/var/log/apache2/*.log" - - "File:/var/log/httpd/*.log" - linux-auth: - product: linux - service: auth - sources: - - "File:/var/log/auth.log" - - "File:/var/log/auth.log.?" - linux-syslog: - product: linux - service: syslog - sources: - - "File:/var/log/syslog" - - "File:/var/log/syslog.?" 
- logfiles: - category: logfile - sources: - - "File:*.log" + # log source configurations for generic sigma rules + process_creation_1: + category: process_creation + product: windows + conditions: + EventID: 1 + rewrite: + product: windows + service: sysmon + process_creation_2: + category: process_creation + product: windows + conditions: + EventID: 4688 + rewrite: + product: windows + service: security + fieldmappings: + Image: NewProcessName + ParentImage: ParentProcessName + network_connection: + category: network_connection + product: windows + conditions: + EventID: 3 + rewrite: + product: windows + service: sysmon + sysmon_status1: + category: sysmon_status + product: windows + conditions: + EventID: 4 + rewrite: + product: windows + service: sysmon + sysmon_status2: + category: sysmon_status + product: windows + conditions: + EventID: 16 + rewrite: + product: windows + service: sysmon + process_terminated: + category: process_termination + product: windows + conditions: + EventID: 5 + rewrite: + product: windows + service: sysmon + driver_loaded: + category: driver_load + product: windows + conditions: + EventID: 6 + rewrite: + product: windows + service: sysmon + image_loaded: + category: image_load + product: windows + conditions: + EventID: 7 + rewrite: + product: windows + service: sysmon + create_remote_thread: + category: create_remote_thread + product: windows + conditions: + EventID: 8 + rewrite: + product: windows + service: sysmon + raw_access_thread: + category: raw_access_thread + product: windows + conditions: + EventID: 9 + rewrite: + product: windows + service: sysmon + process_access: + category: process_access + product: windows + conditions: + EventID: 10 + rewrite: + product: windows + service: sysmon + file_creation: + category: file_event + product: windows + conditions: + EventID: 11 + rewrite: + product: windows + service: sysmon + registry_event1: + category: registry_event + product: windows + conditions: + EventID: 12 + rewrite: + 
product: windows + service: sysmon + registry_event2: + category: registry_event + product: windows + conditions: + EventID: 13 + rewrite: + product: windows + service: sysmon + registry_event3: + category: registry_event + product: windows + conditions: + EventID: 14 + rewrite: + product: windows + service: sysmon + registry_add: + category: registry_add + product: windows + conditions: + EventID: 12 + rewrite: + product: windows + service: sysmon + registry_delete: + category: registry_delete + product: windows + conditions: + EventID: 12 + rewrite: + product: windows + service: sysmon + registry_set: + category: registry_set + product: windows + conditions: + EventID: 13 + rewrite: + product: windows + service: sysmon + registry_rename: + category: registry_rename + product: windows + conditions: + EventID: 14 + rewrite: + product: windows + service: sysmon + create_stream_hash: + category: create_stream_hash + product: windows + conditions: + EventID: 15 + rewrite: + product: windows + service: sysmon + pipe_created1: + category: pipe_created + product: windows + conditions: + EventID: 17 + rewrite: + product: windows + service: sysmon + pipe_created2: + category: pipe_created + product: windows + conditions: + EventID: 18 + rewrite: + product: windows + service: sysmon + wmi_event1: + category: wmi_event + product: windows + conditions: + EventID: 19 + rewrite: + product: windows + service: sysmon + wmi_event2: + category: wmi_event + product: windows + conditions: + EventID: 20 + rewrite: + product: windows + service: sysmon + wmi_event3: + category: wmi_event + product: windows + conditions: + EventID: 21 + rewrite: + product: windows + service: sysmon + dns_query: + category: dns_query + product: windows + conditions: + EventID: 22 + rewrite: + product: windows + service: sysmon + file_delete: + category: file_delete + product: windows + conditions: + EventID: 23 + rewrite: + product: windows + service: sysmon + file_block: + category: file_block + product: 
windows + conditions: + EventID: 27 + rewrite: + product: windows + service: sysmon + sysmon_error: + category: sysmon_error + product: windows + conditions: + EventID: 255 + rewrite: + product: windows + service: sysmon + #PowerShell Operational + ps_module: + category: ps_module + product: windows + conditions: + EventID: 4103 + rewrite: + product: windows + service: powershell + ps_script: + category: ps_script + product: windows + conditions: + EventID: 4104 + rewrite: + product: windows + service: powershell + #Powershell "classic" channel + ps_classic_start: + category: ps_classic_start + product: windows + conditions: + EventID: 400 + rewrite: + product: windows + service: powershell-classic + ps_classic_provider_start: + category: ps_classic_provider_start + product: windows + conditions: + EventID: 600 + rewrite: + product: windows + service: powershell-classic + ps_classic_script: + category: ps_classic_script + product: windows + conditions: + EventID: 800 + rewrite: + product: windows + service: powershell-classic + # target system configurations + windows-application: + product: windows + service: application + sources: + - "WinEventLog:Application" + windows-security: + product: windows + service: security + sources: + - "WinEventLog:Security" + windows-system: + product: windows + service: system + sources: + - "WinEventLog:System" + windows-ntlm: + product: windows + service: ntlm + sources: + - "WinEventLog:Microsoft-Windows-NTLM/Operational" + windows-sysmon: + product: windows + service: sysmon + sources: + - "WinEventLog:Microsoft-Windows-Sysmon/Operational" + windows-powershell: + product: windows + service: powershell + sources: + - "WinEventLog:Microsoft-Windows-PowerShell/Operational" + - "WinEventLog:PowerShellCore/Operational" + windows-classicpowershell: + product: windows + service: powershell-classic + sources: + - "WinEventLog:Windows PowerShell" + windows-taskscheduler: + product: windows + service: taskscheduler + sources: + - 
"WinEventLog:Microsoft-Windows-TaskScheduler/Operational" + windows-wmi: + product: windows + service: wmi + sources: + - "WinEventLog:Microsoft-Windows-WMI-Activity/Operational" + windows-dhcp: + product: windows + service: dhcp + sources: + - "WinEventLog:Microsoft-Windows-DHCP-Server/Operational" + windows-printservice-admin: + product: windows + service: printservice-admin + sources: + - "WinEventLog:Microsoft-Windows-PrintService/Admin" + windows-smbclient-security: + product: windows + service: smbclient-security + sources: + - "WinEventLog:Microsoft-Windows-SmbClient/Security" + windows-printservice-operational: + product: windows + service: printservice-operational + sources: + - "WinEventLog:Microsoft-Windows-PrintService/Operational" + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + sources: + - 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + sources: + - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational" + windows-applocker: + product: windows + service: applocker + sources: + - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' + - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + sources: + - 'WinEventLog:MSExchange Management' + windows-defender: + product: windows + service: windefend + sources: + - 'WinEventLog:Microsoft-Windows-Windows Defender/Operational' + windows-firewall-advanced-security: + product: windows + service: firewall-as + sources: + - 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + sources: + 
- 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + sources: + - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + sources: + - 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + sources: + - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + sources: + - 'WinEventLog:OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + sources: + - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + sources: + - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp: + product: windows + service: vhdmp + sources: + - 'WinEventLog:Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + sources: + - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + sources: + - 'WinEventLog:Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + sources: + - 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + sources: + - 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + sources: + - 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin' + apache: + category: webserver + sources: + - "File:/var/log/apache/*.log" + - "File:/var/log/apache2/*.log" + - "File:/var/log/httpd/*.log" + linux-auth: + product: linux + service: auth + sources: + - 
"File:/var/log/auth.log" + - "File:/var/log/auth.log.?" + linux-syslog: + product: linux + service: syslog + sources: + - "File:/var/log/syslog" + - "File:/var/log/syslog.?" + logfiles: + category: logfile + sources: + - "File:*.log" diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index a9a6398a8..7ec1a3dee 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
@@ -1,179 +1,194 @@ title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules order: 20 backends: - - es-qs - - es-dsl - - es-rule - - es-rule-eql - - es-eql - - kibana - - kibana-ndjson - - xpack-watcher - - elastalert - - elastalert-dsl - - ee-outliers + - es-qs + - es-dsl + - es-rule + - es-rule-eql + - es-eql + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl + - ee-outliers logsources: - windows: - product: windows - index: winlogbeat-* - windows-application: - product: windows - service: application - conditions: - winlog.channel: Application - windows-security: - product: windows - service: security - conditions: - winlog.channel: Security - windows-system: - product: windows - service: system - conditions: - winlog.channel: System - windows-sysmon: - product: windows - service: sysmon - conditions: - winlog.channel: 'Microsoft-Windows-Sysmon/Operational' - windows-powershell: - product: windows - service: powershell - conditions: - winlog.channel: - - 'Microsoft-Windows-PowerShell/Operational' - - 'PowerShellCore/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - winlog.channel: 'Windows PowerShell' - windows-dns-server: - product: windows - service: dns-server - conditions: - winlog.channel: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - winlog.channel: 'Microsoft-Windows-NTLM/Operational' - windows-defender: - product: windows - service: windefend - conditions: - winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' - windows-printservice-admin: - product: windows - service: printservice-admin - 
conditions: - winlog.channel: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - winlog.channel: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - winlog.channel: 'Microsoft-Windows-SmbClient/Security' - windows-applocker: - product: windows - service: applocker - conditions: - winlog.channel: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - winlog.channel: 'MSExchange Management' - microsoft-servicebus-client: - product: windows - service: microsoft-servicebus-client - conditions: - winlog.channel: 'Microsoft-ServiceBus-Client' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - winlog.channel: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - winlog.channel: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted 
- conditions: - winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - winlog.channel: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - winlog_channel: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - winlog_channel: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + winlog.channel: Application + windows-security: + product: windows + service: security + conditions: + winlog.channel: Security + windows-system: + product: windows + service: system + conditions: + winlog.channel: System + windows-sysmon: + product: windows + service: sysmon + conditions: + winlog.channel: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: + - 'Microsoft-Windows-PowerShell/Operational' + - 'PowerShellCore/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' + windows-dns-server: + product: windows + service: dns-server + conditions: + winlog.channel: 'DNS Server' + windows-driver-framework: + product: windows + service: 
driver-framework + conditions: + winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + winlog.channel: 'Microsoft-Windows-NTLM/Operational' + windows-defender: + product: windows + service: windefend + conditions: + winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + winlog.channel: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + winlog.channel: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + winlog.channel: 'Microsoft-Windows-SmbClient/Security' + windows-applocker: + product: windows + service: applocker + conditions: + winlog.channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + winlog.channel: 'MSExchange Management' + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + winlog.channel: 'Microsoft-ServiceBus-Client' + windows-firewall-advanced-security: + 
product: windows + service: firewall-as + conditions: + winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + winlog.channel: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + winlog.channel: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + winlog.channel: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + winlog_channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + winlog_channel: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + 
conditions: + winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' @@ -215,7 +230,7 @@ fieldmappings: default: winlog.event_data.ErrorCode FilePath: winlog.event_data.FilePath # Filename => category: antivirus - Filename: winlog.event_data.Filename + Filename: winlog.event_data.Filename LDAPDisplayName: winlog.event_data.LDAPDisplayName # Level => Source: MSExchange Control Panel EventID: 4 Level: winlog.event_data.Level @@ -229,7 +244,7 @@ fieldmappings: ProcessGuid: process.entity_id ProcessId: process.pid Image: process.executable - FileVersion: + FileVersion: category=process_creation: process.pe.file_version category=image_load: file.pe.file_version default: winlog.event_data.FileVersion @@ -242,15 +257,15 @@ fieldmappings: category=process_creation: process.pe.product category=image_load: file.pe.product default: winlog.event_data.Product - Company: + Company: category=process_creation: process.pe.company category=image_load: file.pe.company default: winlog.event_data.Company - OriginalFileName: + OriginalFileName: category=process_creation: process.pe.original_file_name category=image_load: file.pe.original_file_name default: winlog.event_data.OriginalFileName - CommandLine: + CommandLine: category=process_creation: process.command_line service=security: process.command_line service=powershell-classic: powershell.command.value 
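Review bot: The new-side `logsources` in tools/config/winlogbeat-modules-enabled.yml mixes two condition keys: every entry from `windows-application` through `windows-bitlocker` uses `winlog.channel`, while `windows-vhdmp-operational`, `windows-appxdeployment-server`, `windows-lsa-server` and the three entries this commit adds (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) use `winlog_channel`. Nothing in the file suggests `winlog_channel` is a distinct field, so it reads as a typo that was copied forward into the new entries; if so, the generated queries for those six services would filter on a field the index does not carry and the channel condition would silently never match. The same `winlog_channel` key appears in the context and the three added entries of the `@@ -163,6 +163,21 @@` hunk of tools/config/winlogbeat.yml further down. The fix is the one-token change `winlog.channel: 'Microsoft-Windows-AppxPackaging/Operational'` (and likewise for the other five entries), to be confirmed against the field name actually present in the Winlogbeat index.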
@@ -270,10 +285,10 @@ fieldmappings: TargetFilename: file.path CreationUtcTime: winlog.event_data.CreationUtcTime PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime - Protocol: + Protocol: category=network_connection: network.transport default: winlog.event_data.Protocol - Initiated: + Initiated: category=network_connection: network.direction default: winlog.event_data.Initiated #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 @@ -291,7 +306,7 @@ fieldmappings: SchemaVersion: winlog.event_data.SchemaVersion ImageLoaded: file.path Signed: file.code_signature.signed - Signature: + Signature: category=driver_loaded: file.code_signature.subject_name category=image_loaded: file.code_signature.subject_name default: winlog.event_data.Signature @@ -347,7 +362,7 @@ fieldmappings: category=driver_load: hash.sha256 category=image_load: file.hash.sha256 default: process.hash.sha256 - Imphash: + Imphash: category=driver_load: hash.imphash category=image_load: file.hash.imphash default: process.pe.imphash @@ -357,7 +372,7 @@ fieldmappings: CommandName: powershell.command.name CommandPath: powershell.command.path CommandType: powershell.command.type - EngineVersion: + EngineVersion: service=powershell-classic: powershell.engine.version service=windefend: winlog.event_data.Engine\ Version default: winlog.event_data.EngineVersion @@ -630,4 +645,3 @@ fieldmappings: ApplicationPath: winlog.event_data.ApplicationPath ModifyingApplication: winlog.event_data.ModifyingApplication Action: winlog.event_data.Action - diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 8154dea1b..8c0a81c60 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml 
@@ -1,214 +1,229 @@ title: Elastic Winlogbeat (<=6.x) index pattern and field mapping order: 20 backends: - - es-qs - - es-dsl - - es-rule - - kibana - - kibana-ndjson - - xpack-watcher - - elastalert - - elastalert-dsl - - ee-outliers + - es-qs + - es-dsl + - es-rule + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl + - ee-outliers logsources: - windows: - product: windows - index: winlogbeat-* - windows-application: - product: windows - service: application - conditions: - log_name: Application - windows-security: - product: windows - service: security - conditions: - log_name: Security - windows-system: - product: windows - service: system - conditions: - winlog.channel: System - windows-sysmon: - product: windows - service: sysmon - conditions: - log_name: 'Microsoft-Windows-Sysmon/Operational' - windows-powershell: - product: windows - service: powershell - conditions: - winlog.channel: - - 'Microsoft-Windows-PowerShell/Operational' - - 'PowerShellCore/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - winlog.channel: 'Windows PowerShell' - windows-dns-server: - product: windows - service: dns-server - conditions: - log_name: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - log_name: 'Microsoft-Windows-DHCP-Server/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - log_name: 'Microsoft-Windows-NTLM/Operational' - windows-defender: - product: windows - service: windefend - conditions: - log_name: 'Microsoft-Windows-Windows Defender/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - log_name: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 
'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - log_name: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - log_name: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - log_name: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - log_name: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - log_name: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - log_name: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - log_name: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - log_name: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + log_name: Application + windows-security: + product: windows + service: security + conditions: + log_name: Security + windows-system: + product: windows + 
service: system + conditions: + winlog.channel: System + windows-sysmon: + product: windows + service: sysmon + conditions: + log_name: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: + - 'Microsoft-Windows-PowerShell/Operational' + - 'PowerShellCore/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' + windows-dns-server: + product: windows + service: dns-server + conditions: + log_name: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + log_name: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + log_name: 'Microsoft-Windows-NTLM/Operational' + windows-defender: + product: windows + service: windefend + conditions: + log_name: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + log_name: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + log_name: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: 
diagnosis-scripted + conditions: + log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + log_name: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + log_name: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + log_name: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + log_name: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + log_name: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + log_name: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + log_name: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + log_name: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + log_name: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' # Keep EventID! Clean up the list afterwards! 
fieldmappings: - EventID: event_id - AccessMask: event_data.AccessMask - AccountName: event_data.AccountName - AllowedToDelegateTo: event_data.AllowedToDelegateTo - AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName - AuditPolicyChanges: event_data.AuditPolicyChanges - AuthenticationPackageName: event_data.AuthenticationPackageName - CallingProcessName: event_data.CallingProcessName - CallTrace: event_data.CallTrace - Channel: winlog.channel - CommandLine: event_data.CommandLine - ComputerName: event_data.ComputerName - CurrentDirectory: event_data.CurrentDirectory - Description: event_data.Description - DestinationHostname: event_data.DestinationHostname - DestinationIp: event_data.DestinationIp - DestinationIsIpv6: event_data.DestinationIsIpv6 - DestinationPort: event_data.DestinationPort - Details: event_data.Details - EngineVersion: event_data.EngineVersion - EventType: event_data.EventType - FailureCode: event_data.FailureCode - FileName: event_data.FileName - GrantedAccess: event_data.GrantedAccess - GroupName: event_data.GroupName - GroupSid: event_data.GroupSid - Hashes: event_data.Hashes - HiveName: event_data.HiveName - HostVersion: event_data.HostVersion - Image: event_data.Image - ImageLoaded: event_data.ImageLoaded - ImagePath: event_data.ImagePath - Imphash: event_data.Imphash - IpAddress: event_data.IpAddress - KeyLength: event_data.KeyLength - LogonProcessName: event_data.LogonProcessName - LogonType: event_data.LogonType - NewProcessName: event_data.NewProcessName - ObjectClass: event_data.ObjectClass - ObjectName: event_data.ObjectName - ObjectType: event_data.ObjectType - ObjectValueName: event_data.ObjectValueName - ParentCommandLine: event_data.ParentCommandLine - ParentProcessName: event_data.ParentProcessName - ParentImage: event_data.ParentImage - Path: event_data.Path - PipeName: event_data.PipeName - ProcessCommandLine: event_data.ProcessCommandLine - ProcessName: event_data.ProcessName - Product: event_data.Product - 
Properties: event_data.Properties - ScriptBlockText: winlog.event_data.ScriptBlockText - SecurityID: event_data.SecurityID - ServiceFileName: event_data.ServiceFileName - ServiceName: event_data.ServiceName - ShareName: event_data.ShareName - Signature: event_data.Signature - Source: event_data.Source - SourceImage: event_data.SourceImage - StartModule: event_data.StartModule - Status: event_data.Status - SubjectUserName: event_data.SubjectUserName - SubjectUserSid: event_data.SubjectUserSid - TargetFilename: event_data.TargetFilename - TargetImage: event_data.TargetImage - TargetObject: event_data.TargetObject - TicketEncryptionType: event_data.TicketEncryptionType - TicketOptions: event_data.TicketOptions - User: event_data.User - WorkstationName: event_data.WorkstationName + EventID: event_id + AccessMask: event_data.AccessMask + AccountName: event_data.AccountName + AllowedToDelegateTo: event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName + AuditPolicyChanges: event_data.AuditPolicyChanges + AuthenticationPackageName: event_data.AuthenticationPackageName + CallingProcessName: event_data.CallingProcessName + CallTrace: event_data.CallTrace + Channel: winlog.channel + CommandLine: event_data.CommandLine + ComputerName: event_data.ComputerName + CurrentDirectory: event_data.CurrentDirectory + Description: event_data.Description + DestinationHostname: event_data.DestinationHostname + DestinationIp: event_data.DestinationIp + DestinationIsIpv6: event_data.DestinationIsIpv6 + DestinationPort: event_data.DestinationPort + Details: event_data.Details + EngineVersion: event_data.EngineVersion + EventType: event_data.EventType + FailureCode: event_data.FailureCode + FileName: event_data.FileName + GrantedAccess: event_data.GrantedAccess + GroupName: event_data.GroupName + GroupSid: event_data.GroupSid + Hashes: event_data.Hashes + HiveName: event_data.HiveName + HostVersion: event_data.HostVersion + Image: event_data.Image + 
ImageLoaded: event_data.ImageLoaded + ImagePath: event_data.ImagePath + Imphash: event_data.Imphash + IpAddress: event_data.IpAddress + KeyLength: event_data.KeyLength + LogonProcessName: event_data.LogonProcessName + LogonType: event_data.LogonType + NewProcessName: event_data.NewProcessName + ObjectClass: event_data.ObjectClass + ObjectName: event_data.ObjectName + ObjectType: event_data.ObjectType + ObjectValueName: event_data.ObjectValueName + ParentCommandLine: event_data.ParentCommandLine + ParentProcessName: event_data.ParentProcessName + ParentImage: event_data.ParentImage + Path: event_data.Path + PipeName: event_data.PipeName + ProcessCommandLine: event_data.ProcessCommandLine + ProcessName: event_data.ProcessName + Product: event_data.Product + Properties: event_data.Properties + ScriptBlockText: winlog.event_data.ScriptBlockText + SecurityID: event_data.SecurityID + ServiceFileName: event_data.ServiceFileName + ServiceName: event_data.ServiceName + ShareName: event_data.ShareName + Signature: event_data.Signature + Source: event_data.Source + SourceImage: event_data.SourceImage + StartModule: event_data.StartModule + Status: event_data.Status + SubjectUserName: event_data.SubjectUserName + SubjectUserSid: event_data.SubjectUserSid + TargetFilename: event_data.TargetFilename + TargetImage: event_data.TargetImage + TargetObject: event_data.TargetObject + TicketEncryptionType: event_data.TicketEncryptionType + TicketOptions: event_data.TicketOptions + User: event_data.User + WorkstationName: event_data.WorkstationName diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index b7b9a5f5c..0fbbae00c 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml 
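Review bot: In the re-indented `logsources` of tools/config/winlogbeat-old.yml, `windows-system`, `windows-powershell` and `windows-classicpowershell` keep `winlog.channel` as their condition key while every other entry in the file uses `log_name`; since this config is titled for Winlogbeat <=6.x and `winlog.channel` is the key the 7.x config in the preceding file uses, those three entries look like they were copied from the newer schema and would not filter on the channel under the old one. The same mix is visible in the `fieldmappings` below, where `Channel: winlog.channel` and `ScriptBlockText: winlog.event_data.ScriptBlockText` sit among `event_data.*` mappings. If `log_name` is indeed the <=6.x channel field, the change is `log_name: System`, `log_name:` above the PowerShell channel list and `log_name: 'Windows PowerShell'`, plus a one-line comment at the top of `logsources` naming the schema version the keys belong to so the next copy does not reintroduce it. This is pre-existing rather than introduced here, but a whole-block re-indent is the natural moment to fix it.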
@@ -1,16 +1,16 @@ title: Elastic Winlogbeat (from 7.x) index pattern and field mapping order: 20 backends: - - es-qs - - es-dsl - - es-rule - - kibana - - kibana-ndjson - - xpack-watcher - - elastalert - - elastalert-dsl - - ee-outliers - - opensearch-monitor + - es-qs + - es-dsl + - es-rule + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl + - ee-outliers + - opensearch-monitor logsources: windows: product: windows @@ -163,6 +163,21 @@ logsources: service: lsa-server conditions: winlog_channel: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml index b93527f5f..e1fa9f60d 100644 --- a/tools/config/zircolite.yml +++ b/tools/config/zircolite.yml 
@@ -128,4 +128,19 @@ logsources: product: windows service: lsa-server conditions: - Channel: 'Microsoft-Windows-LSA/Operational' \ No newline at end of file + Channel: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + Channel: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + Channel: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + Channel: 'Microsoft-Windows-AppModel-Runtime/Admin' From 85fb255bc9a45d42234c1c97648941b97ac36374 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 17 Jan 2023 01:00:44 +0100 Subject: [PATCH 03/10] feat: new rules and updates --- ...x_system_network_connections_discovery.yml | 7 ++-- ...time_sysinternals_tools_appx_execution.yml | 27 ++++++++++++++ ...n_appxpackaging_om_sups_appx_signature.yml | 24 +++++++++++++ .../win_dns_client__mal_cobaltstrike.yml | 32 +++++++++++++++++ .../win_dns_client_anonymfiles_com.yml | 26 ++++++++++++++ .../dns_client/win_dns_client_mega_nz.yml | 26 ++++++++++++++ .../dns_client/win_dns_client_tor_onion.yml | 26 ++++++++++++++ .../dns_client/win_dns_client_ufile_io.yml | 26 ++++++++++++++ ...in_security_susp_scheduled_task_delete.yml | 2 +- .../dns_query_win_anonymfiles_com.yml | 12 ++++--- ...ery_win_hybridconnectionmgr_servicebus.yml | 6 ++-- .../dns_query_win_mal_cobaltstrike.yml | 7 ++-- .../dns_query/dns_query_win_mega_nz.yml | 11 +++--- .../dns_query/dns_query_win_tor_onion.yml | 8 +++-- .../dns_query/dns_query_win_ufile_io.yml | 12 ++++--- ...e_event_win_powershell_exploit_scripts.yml | 4 ++- .../file_event_win_susp_adsi_cache_usage.yml | 4 ++- .../posh_pc_tamper_with_windows_defender.yml | 16 ++++++--- .../posh_ps_audio_exfiltration.yml | 36 +++++++++++++++++++ .../posh_ps_malicious_commandlets.yml | 9 ++++- .../posh_ps_tamper_defender.yml | 8 ++--- .../proc_creation_win_lolbin_susp_wsl.yml | 4 +-- .../proc_creation_win_malicious_cmdlets.yml | 7 +++- .../proc_creation_win_susp_psloglist.yml | 21 +++++++---- ...proc_creation_win_susp_schtasks_delete.yml | 2 +- ...roc_creation_win_susp_schtasks_disable.yml | 2 +- 26 files changed, 317 insertions(+), 48 deletions(-) create mode 100644 rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml create mode 100644 rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml create mode 100644 rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml create mode 100644 
rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml create mode 100644 rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml create mode 100644 rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml create mode 100644 rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml create mode 100644 rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml index f9cdff1a1..ebae271a0 100644 --- a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml @@ -22,10 +22,9 @@ detection: - '/lsof' - '/netstat' filter_landscape_sysinfo: - ParentCommandLine|contains|all: # "/usr/bin/python /usr/bin/landscape-sysinfo " - - '/usr/bin/python' - - '/usr/bin/landscape-sysinfo' - condition: selection and not filter_landscape_sysinfo + ParentCommandLine|contains: '/usr/bin/landscape-sysinfo' + Image|endswith: '/who' + condition: selection and not 1 of filter_* falsepositives: - Legitimate activities level: low diff --git a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml new file mode 100644 index 000000000..b62c4f02b --- /dev/null +++ b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml 
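Review bot: The rule's `modified:` field does not appear to be updated for this change: the diffstat lists 7 changed lines for proc_creation_lnx_system_network_connections_discovery.yml and this hunk alone accounts for 4 removed and 3 added, and the Sigma rule format relies on `modified:` to record that a rule's logic changed. The new `filter_landscape_sysinfo` is also narrower than the old one in a way worth documenting: it no longer requires `/usr/bin/python` in the parent command line and now exempts only `who`, so the observation the removed comment carried should move to the new line, e.g. `ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'  # observed as "/usr/bin/python /usr/bin/landscape-sysinfo"`. The `selection` block this filter is applied to starts outside the hunk.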
@@ -0,0 +1,27 @@ +title: Sysinternals Tools AppX Versions Execution +id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc +status: experimental +description: Detects execution of Sysinternals tools via an AppX package. Attackers could instal the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths +references: + - Internal Research +author: Nasreddine Bencherchali +date: 2023/01/16 +tags: + - attack.defense_evasion + - attack.execution +logsource: + product: windows + service: appmodel-runtime +detection: + selection: + EventID: 201 + ImageName: + - 'procdump.exe' + - 'psloglist.exe' + - 'psexec.exe' + - 'livekd.exe' + - 'ADExplorer.exe' + condition: selection +falsepositives: + - Legitimate usage of the applications from the Windows Store +level: medium diff --git a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml new file mode 100644 index 000000000..299085328 --- /dev/null +++ b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml 
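Review bot: The `ImageName` list names only the 32-bit binaries; the Sysinternals Suite also ships 64-bit builds, and the PsLogList rule touched later in this same commit already matches `\psloglist64.exe`, so this rule is inconsistent with it. Add the 64-bit names (`'procdump64.exe'`, `'psexec64.exe'`, `'psloglist64.exe'`, `'livekd64.exe'`) to the list, and if `ImageName` can carry a directory component in event 201 (not determinable from here) switch to `ImageName|endswith:`. The description has a typo: `instal` should read `install`.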
@@ -0,0 +1,24 @@ +title: Suspicious Digital Signature Of AppX Package +id: b5aa7d60-c17e-4538-97de-09029d6cd76b +status: experimental +description: Detects execution of AppX packages with known suspicious or malicious signature +references: + - Internal Research + - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ +author: Nasreddine Bencherchali +date: 2023/01/16 +tags: + - attack.defense_evasion + - attack.execution +logsource: + product: windows + service: appxpackaging-om +detection: + selection: + EventID: 157 + # Add more known suspicious/malicious certificates used in different attacks + subjectName: 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml new file mode 100644 index 000000000..0516777e8 --- /dev/null +++ b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml 
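Review bot: `subjectName` is compared as one exact, very long DN string, so any difference in how the provider renders the subject (attribute order, spacing after commas, OID versus friendly attribute names) silently defeats the rule with no signal that it happened. A `subjectName|contains|all:` over the distinguishing components, e.g. `'Foresee Consulting Inc.'` and `'SERIALNUMBER=1004913-1'`, is tolerant of rendering differences and keeps matching if the same organisation's certificate is re-issued — TODO confirm against a captured 157 event. Since the inline comment asks for more certificates to be added, expressing the value as a list now avoids a second restructuring later.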
@@ -0,0 +1,32 @@ +title: Suspicious Cobalt Strike DNS Beaconing - DNS Client +id: 0d18728b-f5bf-4381-9dcf-915539fff6c2 +related: + - id: f356a9c4-effd-4608-bbf8-408afd5cd006 + type: similar +status: test +description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons +references: + - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns + - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ +author: Nasreddine Bencherchali +date: 2023/01/16 +tags: + - attack.command_and_control + - attack.t1071.004 +logsource: + product: windows + category: dns-client + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' +detection: + selection_eid: + EventID: 3008 + selection_query_1: + QueryName|startswith: + - 'aaa.stage.' + - 'post.1' + selection_query_2: + QueryName|contains: '.stage.123456.' + condition: selection_eid and 1 of selection_query_* +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml new file mode 100644 index 000000000..015750899 --- /dev/null +++ b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml 
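Review bot: `category: dns-client` describes a Windows event log channel, which Sigma expresses with `service:`; as written the logsource will not resolve to the `dns-client` entry the repository's logsource test data defines, so the rule cannot be converted. The fix is the one-liner `service: dns-client`. The same mistake is present in the other four new dns_client rules of this commit (anonymfiles_com, mega_nz, tor_onion, ufile_io).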
@@ -0,0 +1,26 @@ +title: DNS Query for Anonfiles.com Domain - DNS Client +id: 29f171d7-aa47-42c7-9c7b-3c87938164d9 +related: + - id: 065cceea-77ec-4030-9052-fc0affea7110 + type: similar +status: experimental +description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes +references: + - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte +author: Nasreddine Bencherchali +date: 2023/01/16 +tags: + - attack.exfiltration + - attack.t1567.002 +logsource: + product: windows + category: dns-client + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' +detection: + selection: + EventID: 3008 + QueryName|contains: '.anonfiles.com' + condition: selection +falsepositives: + - Rare legitimate access to anonfiles.com +level: high diff --git a/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml new file mode 100644 index 000000000..a5b5a6933 --- /dev/null +++ b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml 
@@ -0,0 +1,26 @@ +title: DNS Query for MEGA.io Upload Domain - DNS Client +id: 66474410-b883-415f-9f8d-75345a0a66a6 +related: + - id: 613c03ba-0779-4a53-8a1f-47f914a4ded3 + type: similar +status: test +description: Detects DNS queries for subdomains used for upload to MEGA.io +references: + - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ +author: Nasreddine Bencherchali +date: 2023/01/16 +tags: + - attack.exfiltration + - attack.t1567.002 +logsource: + product: windows + category: dns-client + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' +detection: + selection: + EventID: 3008 + QueryName|contains: 'userstorage.mega.co.nz' + condition: selection +falsepositives: + - Legitimate DNS queries and usage of Mega +level: high diff --git a/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml new file mode 100644 index 000000000..f11c84f4d --- /dev/null +++ b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml @@ -0,0 +1,26 @@ +title: Query Tor Onion Address - DNS Client +id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2 +related: + - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 + type: similar +status: experimental +description: Detects DNS resolution of an .onion address related to Tor routing networks +references: + - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ +author: Nasreddine Bencherchali +date: 2022/02/20 +tags: + - attack.command_and_control + - attack.t1090.003 +logsource: + product: windows + category: dns-client + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' +detection: + selection: + EventID: 3008 + QueryName|contains: '.onion' + condition: selection +falsepositives: + - Unlikely +level: high 
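Review bot: `QueryName|contains: '.onion'` matches the substring anywhere in the name, so any hostname with a label containing `.onion` followed by more labels (constructed example: `red.onion-soup.example`) triggers a high-severity alert; a Tor hidden-service name is terminated by that TLD, so `QueryName|endswith: '.onion'` is the precise form. The `date: 2022/02/20` is inconsistent with the other new rules in this commit, which carry `date: 2023/01/16` — it appears to have been copied from the Sysmon rule of the same name rather than reflecting this rule's creation.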
diff --git a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml new file mode 100644 index 000000000..82266b8f3 --- /dev/null +++ b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml @@ -0,0 +1,26 @@ +title: DNS Query for Ufile.io Upload Domain - DNS Client +id: 090ffaad-c01a-4879-850c-6d57da98452d +related: + - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b + type: similar +status: experimental +description: Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration +references: + - https://thedfirreport.com/2021/12/13/diavol-ransomware/ +author: Nasreddine Bencherchali +date: 2023/01/16 +tags: + - attack.exfiltration + - attack.t1567.002 +logsource: + product: windows + category: dns-client + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' +detection: + selection: + EventID: 3008 + QueryName|contains: 'ufile.io' + condition: selection +falsepositives: + - Legitimate DNS queries and usage of Ufile +level: high diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml index 5961c870d..b8f9859ca 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml 
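Review bot: `QueryName|contains: 'ufile.io'` also matches any unrelated name that merely embeds the substring (constructed example: `stufile.io`), which matters for a rule that is rated high and whose stated false positives are only legitimate Ufile usage. Match the domain and its subdomains explicitly with two list entries, `QueryName|endswith: '.ufile.io'` plus the exact `QueryName: 'ufile.io'`, combined via the condition. The Sysmon counterpart `dns_query_win_ufile_io.yml`, which this commit re-quotes further down, has the same `contains: 'ufile.io'` and would benefit from the same tightening.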
@@ -8,7 +8,7 @@ related: - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d type: similar status: experimental -description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities +description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701 diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml index 4d5d8a6d6..23d3b71dd 100644 --- a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml +++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml @@ -1,11 +1,15 @@ -title: DNS Query for Anonfiles.com Domain +title: DNS Query for Anonfiles.com Domain - Sysmon id: 065cceea-77ec-4030-9052-fc0affea7110 +related: + - id: 29f171d7-aa47-42c7-9c7b-3c87938164d9 + type: similar status: experimental -description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes +description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes references: - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte author: pH-T date: 2022/07/15 +modified: 2023/01/16 tags: - attack.exfiltration - attack.t1567.002 @@ -14,8 +18,8 @@ logsource: category: dns_query detection: selection: - QueryName|contains: .anonfiles.com + QueryName|contains: '.anonfiles.com' condition: selection falsepositives: - - Legitimate access to anonfiles.com + - Rare legitimate access to anonfiles.com level: high 
diff --git a/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml b/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml index bf93e948c..4529f5c21 100644 --- a/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml +++ b/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2021/04/12 -modified: 2022/10/09 +modified: 2023/01/16 tags: - attack.persistence - attack.t1554 @@ -15,8 +15,8 @@ logsource: category: dns_query detection: selection: - QueryName|contains: servicebus.windows.net - Image|contains: HybridConnectionManager + QueryName|contains: 'servicebus.windows.net' + Image|contains: 'HybridConnectionManager' condition: selection falsepositives: - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service diff --git a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml index 5307ae410..eb3e5fc11 100644 --- a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml +++ b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml @@ -1,5 +1,8 @@ -title: Suspicious Cobalt Strike DNS Beaconing +title: Suspicious Cobalt Strike DNS Beaconing - Sysmon id: f356a9c4-effd-4608-bbf8-408afd5cd006 +related: + - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2 + type: similar status: test description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons references: @@ -7,7 +10,7 @@ references: - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ author: Florian Roth date: 2021/11/09 -modified: 2022/12/25 +modified: 2023/01/16 tags: - attack.command_and_control - attack.t1071.004 
diff --git a/rules/windows/dns_query/dns_query_win_mega_nz.yml b/rules/windows/dns_query/dns_query_win_mega_nz.yml index 47fd48c93..0e7122758 100644 --- a/rules/windows/dns_query/dns_query_win_mega_nz.yml +++ b/rules/windows/dns_query/dns_query_win_mega_nz.yml @@ -1,12 +1,15 @@ -title: DNS Query for MEGA.io Upload Domain +title: DNS Query for MEGA.io Upload Domain - Sysmon id: 613c03ba-0779-4a53-8a1f-47f914a4ded3 +related: + - id: 66474410-b883-415f-9f8d-75345a0a66a6 + type: similar status: test description: Detects DNS queries for subdomains used for upload to MEGA.io references: - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ author: Aaron Greetham (@beardofbinary) - NCC Group date: 2021/05/26 -modified: 2022/10/09 +modified: 2023/01/16 tags: - attack.exfiltration - attack.t1567.002 @@ -15,8 +18,8 @@ logsource: category: dns_query detection: selection: - QueryName|contains: userstorage.mega.co.nz + QueryName|contains: 'userstorage.mega.co.nz' condition: selection falsepositives: - - Legitimate Mega upload + - Legitimate DNS queries and usage of Mega level: high diff --git a/rules/windows/dns_query/dns_query_win_tor_onion.yml b/rules/windows/dns_query/dns_query_win_tor_onion.yml index 00c07a185..266d2f40d 100644 --- a/rules/windows/dns_query/dns_query_win_tor_onion.yml +++ b/rules/windows/dns_query/dns_query_win_tor_onion.yml @@ -1,11 +1,15 @@ -title: Query Tor Onion Address +title: DNS Query Tor Onion Address - Sysmon id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 +related: + - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2 + type: similar status: experimental -description: Detects DNS resolution of an .onion address related to Tor routing networks +description: Detects DNS queries to an ".onion" address related to Tor routing networks references: - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ author: frack113 date: 2022/02/20 +modified: 2023/01/16 tags: - attack.command_and_control - attack.t1090.003 
diff --git a/rules/windows/dns_query/dns_query_win_ufile_io.yml b/rules/windows/dns_query/dns_query_win_ufile_io.yml index 0d171d615..654a68715 100644 --- a/rules/windows/dns_query/dns_query_win_ufile_io.yml +++ b/rules/windows/dns_query/dns_query_win_ufile_io.yml @@ -1,11 +1,15 @@ -title: DNS Query for Ufile.io Upload Domain +title: DNS Query for Ufile.io Upload Domain - Sysmon id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b +related: + - id: 090ffaad-c01a-4879-850c-6d57da98452d + type: similar status: experimental -description: Detects DNS queries for subdomains used for upload to ufile.io +description: Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ author: yatinwad and TheDFIRReport date: 2022/06/23 +modified: 2023/01/16 tags: - attack.exfiltration - attack.t1567.002 @@ -14,8 +18,8 @@ logsource: category: dns_query detection: selection: - QueryName|contains: ufile.io + QueryName|contains: 'ufile.io' condition: selection falsepositives: - - Legitimate Ufile upload + - Legitimate DNS queries and usage of Ufile level: high diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml index f613acb6e..17cbc6b9a 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml @@ -21,9 +21,10 @@ references: - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec - https://github.com/HarmJ0y/DAMP - https://github.com/samratashok/nishang + - https://github.com/DarkCoderSc/PowerRunAsSystem/ author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein date: 2018/04/07 -modified: 2023/01/09 +modified: 2023/01/16 tags: - attack.execution - attack.t1059.001 
@@ -268,6 +269,7 @@ detection: - '\Parse_Keys.ps1' - '\Port-Scan.ps1' - '\PowerBreach.ps1' + - '\PowerRunAsSystem.psm1' - '\PowerSharpPack.ps1' - '\PowerUp.ps1' - '\PowerUpSQL.ps1' diff --git a/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml b/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml index 1d4ed95ed..d3b66f451 100755 --- a/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml +++ b/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml @@ -39,8 +39,10 @@ detection: - 'C:\Windows\system32\efsui.exe' - 'C:\Windows\system32\dsac.exe' filter_citrix: + # Example: + # TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' - condition: selection and not 1 of filter* + condition: selection and not 1 of filter_* falsepositives: - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc. level: high diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml index 5d193835b..b5e017597 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml @@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: frack113 date: 2021/06/07 -modified: 2022/08/05 +modified: 2023/01/12 tags: - attack.defense_evasion - attack.t1562.001 
@@ -18,9 +18,9 @@ logsource: category: ps_classic_provider_start definition: fields have to be extract from event detection: - tamper_ps_action: + selection_tamper_ps_action: HostApplication|contains: 'Set-MpPreference' - tamper_ps_option: + selection_tamper_ps_option: HostApplication|contains: - 'DisableRealtimeMonitoring 1' - 'DisableBehaviorMonitoring 1' @@ -42,7 +42,7 @@ detection: - 'DisableRemovableDriveScanning $true' - 'DisableScanningMappedNetworkDrivesForFullScan $true' - 'DisableScanningNetworkFiles $true' - tamper_default_actions_allow: + selection_tamper_other_default_actions_allow: HostApplication|contains|all: - 'Set-MpPreference' - Allow @@ -50,7 +50,13 @@ detection: - LowThreatDefaultAction - ModerateThreatDefaultAction - HighThreatDefaultAction - condition: all of tamper_ps_* or tamper_default_actions_allow + selection_tamper_other_alias: + HostApplication|contains: + - 'ltdefac ' + - 'mtdefac ' + - 'htdefac ' + - 'stdefac ' + condition: all of selection_tamper_ps_* or 1 of selection_tamper_other_* falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml new file mode 100644 index 000000000..7ed9e5e94 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml 
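Review bot: `selection_tamper_other_alias` alerts on the bare alias strings `'ltdefac '`, `'mtdefac '`, `'htdefac '`, `'stdefac '` with no constraint on the value being assigned, whereas the parallel `selection_tamper_other_default_actions_allow` requires both `Set-MpPreference` and `Allow`; these look like the short aliases of the *ThreatDefaultAction parameters, so the alias branch would also fire when an administrator sets them to a restrictive action. Mirror the non-alias branch by adding to that same selection `HostApplication|contains|all:` with `- 'Set-MpPreference'` and `- Allow`, so both keys must hold. The same shape exists in `selection_other_use_of_alias` of `posh_ps_tamper_defender.yml` later in this commit. The first hunk of this file sets `modified: 2023/01/12` while the rest of the commit uses 2023/01/16.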
@@ -0,0 +1,36 @@ +title: Potential Data Exfiltration Via Audio File +id: e4f93c99-396f-47c8-bb0f-201b1fa69034 +status: experimental +description: Detects potential exfiltration attempt via audio file using PowerShell +references: + - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1 +author: Nasreddine Bencherchali +date: 2023/01/16 +tags: + - attack.exfiltration +logsource: + product: windows + service: powershell + definition: 'Requirements: Script Block Logging must be enabled' +detection: + selection_main: + ScriptBlockLogging|contains|all: + - '[System.Math]::' + - '[IO.FileMode]::' + - 'BinaryWriter' + selection_header_wav: + ScriptBlockLogging|contains|all: + # Byte chunks from the WAV header used in the example POC + # You can extend this for different audio formats by adding different selections + - '0x52' + - '0x49' + - '0x46' + - '0x57' + - '0x41' + - '0x56' + - '0x45' + - '0xAC' + condition: selection_main and 1 of selection_header_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml index 738b0a267..a30b8da6d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml @@ -3,6 +3,8 @@ id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 related: - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb type: similar + - id: 02030f2f-6199-49ec-b258-ea71b07e03dc + type: similar - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf type: obsoletes - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e 
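Review bot: Both selections match on a field named `ScriptBlockLogging`, which is not the field carried by PowerShell script block events; the sibling rule `posh_ps_tamper_defender.yml` in this same commit matches on `ScriptBlockText`, and with an unmapped field the rule either fails conversion or never matches. Change both to `ScriptBlockText|contains|all:`. The logsource also uses `service: powershell` while the file sits under `powershell_script/`, whose rules in this repository use `category: ps_script` — confirm which one the repository's logsource checks expect for this directory.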
@@ -23,9 +25,10 @@ references: - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html - https://github.com/HarmJ0y/DAMP - https://github.com/samratashok/nishang + - https://github.com/DarkCoderSc/PowerRunAsSystem/ author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer date: 2017/03/05 -modified: 2023/01/05 +modified: 2023/01/16 tags: - attack.execution - attack.discovery @@ -121,6 +124,9 @@ detection: - 'Invoke-Gopher' - 'Invoke-Grouper' # Also Covers Invoke-GrouperX - 'Invoke-HandleKatz' + - 'Invoke-ImpersonatedProcess' + - 'Invoke-ImpersonateSystem' + - 'Invoke-InteractiveSystemPowerShell' - 'Invoke-Internalmonologue' - 'Invoke-Inveigh' - 'Invoke-InveighRelay' @@ -204,6 +210,7 @@ detection: - 'Invoke-SSHCommand' - 'Invoke-StandIn' - 'Invoke-StickyNotesExtract' + - 'Invoke-SystemCommand' - 'Invoke-Tater' - 'Invoke-Thunderfox' - 'Invoke-ThunderStruck' diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml index b1d7d2321..5d3f3d949 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml @@ -11,7 +11,7 @@ references: - https://bidouillesecurity.com/disable-windows-defender-in-powershell/ author: frack113, elhoim, Tim Shelton (fps, alias support) date: 2022/01/16 -modified: 2023/01/06 +modified: 2023/01/12 tags: - attack.defense_evasion - attack.t1562.001 @@ -44,7 +44,7 @@ detection: - 'DisableRemovableDriveScanning $true' - 'DisableScanningMappedNetworkDrivesForFullScan $true' - 'DisableScanningNetworkFiles $true' - selection_default_actions_allow: + selection_other_default_actions_allow: ScriptBlockText|contains|all: - 'Set-MpPreference' - Allow 
@@ -52,13 +52,13 @@ detection: - LowThreatDefaultAction - ModerateThreatDefaultAction - HighThreatDefaultAction - selection_use_of_alias: + selection_other_use_of_alias: ScriptBlockText|contains: - 'ltdefac ' - 'mtdefac ' - 'htdefac ' - 'stdefac ' - condition: all of selection_options_disabling* or selection_default_actions_allow or selection_use_of_alias + condition: all of selection_options_disabling* or 1 of selection_other_* falsepositives: - Legitimate PowerShell scripts level: high diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml index a13d2acbd..796381b09 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/nas_bench/status/1535431474429808642 author: 'oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali' date: 2020/10/05 -modified: 2022/06/11 +modified: 2023/01/16 tags: - attack.execution - attack.defense_evasion @@ -36,7 +36,7 @@ detection: CommandLine|contains|all: - ' -d ' - ' -e kill ' - condition: all of selection* and not 1 of filter_* + condition: all of selection_* and not 1 of filter_* falsepositives: - Automation and orchestration scripts may use this method execute scripts etc - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server) diff --git a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml index 0010cf33a..e38a5573f 100644 --- a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml +++ b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml 
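Review bot: The new condition mixes two wildcard styles, `all of selection_options_disabling*` next to `1 of selection_other_*`, while this same commit normalises `filter*` to `filter_*` and `selection*` to `selection_*` in other rules. If the disabling selections are named with an underscore separator (their definitions are outside this hunk), `all of selection_options_disabling_*` keeps the file consistent with the rest of the series; if they are not, renaming them to that pattern would.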
@@ -19,9 +19,10 @@ references: - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html - https://github.com/HarmJ0y/DAMP - https://github.com/samratashok/nishang + - https://github.com/DarkCoderSc/PowerRunAsSystem/ author: Nasreddine Bencherchali date: 2023/01/02 -modified: 2023/01/05 +modified: 2023/01/16 tags: - attack.execution - attack.discovery @@ -116,6 +117,9 @@ detection: - 'Invoke-Gopher' - 'Invoke-Grouper' # Also Covers Invoke-GrouperX - 'Invoke-HandleKatz' + - 'Invoke-ImpersonatedProcess' + - 'Invoke-ImpersonateSystem' + - 'Invoke-InteractiveSystemPowerShell' - 'Invoke-Internalmonologue' - 'Invoke-Inveigh' - 'Invoke-InveighRelay' @@ -199,6 +203,7 @@ detection: - 'Invoke-SSHCommand' - 'Invoke-StandIn' - 'Invoke-StickyNotesExtract' + - 'Invoke-SystemCommand' - 'Invoke-Tater' - 'Invoke-Thunderfox' - 'Invoke-ThunderStruck' diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml index ac00104db..7289529c2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml 
@@ -1,14 +1,15 @@ title: Suspicious Use of PsLogList id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc status: experimental -description: Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery. +description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs references: - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList -author: Nasreddine Bencherchali @nas_bench + - https://twitter.com/EricaZelic/status/1614075109827874817 +author: Nasreddine Bencherchali date: 2021/12/18 -modified: 2022/06/16 +modified: 2023/01/16 tags: - attack.discovery - attack.t1087 @@ -23,10 +24,12 @@ detection: - Image|endswith: - '\psloglist.exe' - '\psloglist64.exe' - selection_flgs: + selection_cli_eventlog: CommandLine|contains|all: - - 'security' - - 'accepteula' + - ' security' + - ' application' + - ' system' + selection_cli_flags: CommandLine|contains: - ' -d' - ' /d' @@ -34,7 +37,11 @@ detection: - ' /x' - ' -s' - ' /s' - condition: 1 of selection* + - ' -c' # Clear event log after displaying + - ' /c' + - ' -g' # Export an event log as an evt file. + - ' /g' + condition: selection_img or all of selection_cli_* falsepositives: - Another tool that uses the command line switches of PsLogList - Legitimate use of PsLogList by an administrator diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml index bf68f57b7..b08e23407 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml 
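Review bot: `selection_cli_eventlog` uses `CommandLine|contains|all` over `' security'`, `' application'` and `' system'`, so a command line must name all three logs at once before `all of selection_cli_*` can be true; with `condition: selection_img or all of selection_cli_*` that leaves the image-name branch as the only realistic trigger and the flag branch effectively dead. The intended semantics is any one of the three, i.e. `CommandLine|contains:` instead of `CommandLine|contains|all:`. The new description also has a typo, `delete events logs` should read `delete event logs`.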
@@ -6,7 +6,7 @@ related: - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d type: similar status: experimental -description: Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities +description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities references: - Internal Research author: Nasreddine Bencherchali diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml index 8c6850ae3..5740a5f6f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml @@ -1,7 +1,7 @@ title: Disable Important Scheduled Task id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 status: experimental -description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities +description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task - https://twitter.com/MichalKoczwara/status/1553634816016498688 From 1c340493c652477b906d54fcc2038d769fdc4602 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 17 Jan 2023 01:13:50 +0100 Subject: [PATCH 04/10] fix: broken logsource --- .../builtin/dns_client/win_dns_client__mal_cobaltstrike.yml | 2 +- .../builtin/dns_client/win_dns_client_anonymfiles_com.yml | 2 +- rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml | 2 +- rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml | 2 +- rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml | 2 +- tests/logsource.json | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml index 0516777e8..be15f2373 100644 --- a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml +++ b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml @@ -15,7 +15,7 @@ tags: - attack.t1071.004 logsource: product: windows - category: dns-client + service: dns-client definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' detection: selection_eid: diff --git a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml index 015750899..467dbdcc0 100644 --- a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml +++ b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml @@ -14,7 +14,7 @@ tags: - attack.t1567.002 logsource: product: windows - category: dns-client + service: dns-client definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' detection: selection: diff --git a/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml index a5b5a6933..e58b68a6b 100644 
--- a/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml +++ b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml @@ -14,7 +14,7 @@ tags: - attack.t1567.002 logsource: product: windows - category: dns-client + service: dns-client definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' detection: selection: diff --git a/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml index f11c84f4d..7e1bb41d5 100644 --- a/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml +++ b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml @@ -14,7 +14,7 @@ tags: - attack.t1090.003 logsource: product: windows - category: dns-client + service: dns-client definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' detection: selection: diff --git a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml index 82266b8f3..371f2ab3a 100644 --- a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml +++ b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml @@ -14,7 +14,7 @@ tags: - attack.t1567.002 logsource: product: windows - category: dns-client + service: dns-client definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' detection: selection: diff --git a/tests/logsource.json b/tests/logsource.json index 47ff26a8d..bd6ab2699 100644 --- a/tests/logsource.json +++ b/tests/logsource.json 
@@ -91,7 +91,7 @@ "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"], "appxpackaging-om":["subjectName"], "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"], - "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address", ""], + "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"], "appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"] } }, From 1c0bf6e262257eb3015240bc0ff2357341c8c698 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 17 Jan 2023 19:01:37 +0100 Subject: [PATCH 05/10] feat: update windows firewall rules --- ...x_system_network_connections_discovery.yml | 2 +- .../firewall_as/win_firewall_as_add_rule.yml | 9 ++++----- .../win_firewall_as_change_rule.yml | 12 +++++------ .../win_firewall_as_delete_all_rules.yml | 16 +++++++++++++++ .../win_firewall_as_delete_rule.yml | 20 +++++++++---------- ...ml => win_firewall_as_failed_load_gpo.yml} | 8 ++++---- ...t.yml => win_firewall_as_reset_config.yml} | 8 ++++---- .../win_firewall_as_setting_change.yml | 9 ++++----- 8 files changed, 48 insertions(+), 36 deletions(-) create mode 100644 rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml rename rules/windows/builtin/firewall_as/{win_firewall_as_failed.yml => win_firewall_as_failed_load_gpo.yml} (55%) rename rules/windows/builtin/firewall_as/{win_firewall_as_reset.yml => win_firewall_as_reset_config.yml} (54%) diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml index ebae271a0..0b2ca2e7a 100644 --- a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md author: Daniil Yugoslavskiy, oscd.community date: 2020/10/19 -modified: 2023/01/13 +modified: 2023/01/17 tags: - attack.discovery - attack.t1049 diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml index 21f2c207d..ad1e4499e 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml 
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml @@ -1,19 +1,18 @@ -title: Added Rule in Windows Firewall with Advanced Security +title: New Firewall Rule Added In Windows Firewall Exception List id: cde0a575-7d3d-4a49-9817-b8004a7bf105 status: experimental -description: A rule has been modified in the Windows Firewall exception list +description: Detects when a rule has been added to the Windows Firewall exception list references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 -modified: 2022/11/01 +modified: 2023/01/17 logsource: product: windows service: firewall-as -# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2 detection: selection: - EventID: 2004 + EventID: 2004 # A rule has been added to the Windows Defender Firewall exception list filter_block: Action: 2 filter_installations: diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml index 62287d0b0..dede28059 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml 
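Review bot: The removed line `# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2` was the only documentation that this rule covers the 2xxx Firewall-AS event IDs and not the 49xx/50xx range, and nothing on the new side replaces it. The same comment is dropped from win_firewall_as_change_rule.yml, win_firewall_as_delete_rule.yml, win_firewall_as_failed_load_gpo.yml, win_firewall_as_reset_config.yml and win_firewall_as_setting_change.yml in this patch. Suggest keeping the platform caveat where rule consumers will see it, as a `definition:` under `logsource`, e.g. `definition: 'EventID 49xx and 50xx (Windows Server 2008 R2) are not covered by this rule'`, or as a comment above `detection:`.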
@@ -1,21 +1,21 @@ -title: Modified Rule in Windows Firewall with Advanced Security +title: Firewall Rule Modified In The Windows Firewall Exception List id: 5570c4d9-8fdd-4622-965b-403a5a101aa0 status: experimental -description: A rule has been modified in the Windows Firewall exception list +description: Detects when a rule has been modified in the windows firewall exception list references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 +modified: 2023/01/17 logsource: product: windows service: firewall-as -# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2 detection: selection: - EventID: 2005 - filter: + EventID: 2005 # A rule has been modified in the Windows Defender Firewall exception list + filter_generic: ModifyingApplication|startswith: - 'C:\Program Files (x86)\' - 'C:\Program Files\' - condition: selection and not 1 of filter* + condition: selection and not 1 of filter_* level: low diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml new file mode 100644 index 000000000..c9f3ecf8c --- /dev/null +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml 
@@ -0,0 +1,16 @@ +title: All Rules Have Been Deleted From The Windows Firewall Configuration +id: 79609c82-a488-426e-abcf-9f341a39365d +status: experimental +description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +author: frack113, Nasreddine Bencherchali +date: 2023/01/17 +logsource: + product: windows + service: firewall-as +detection: + selection: + EventID: 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer + condition: selection +level: high diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml index c0e528e34..3b2926ed1 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml 
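Review bot: The description of the new file has a typo, `Detects when a all the rules have been deleted ...`; it should read `description: Detects when all the rules have been deleted from the Windows Defender Firewall configuration`. The new rule also ships without `tags:` and `falsepositives:` keys, which the Sigma rules elsewhere on this page carry; at `level: high` the expected noise should be stated, e.g. `falsepositives: - Administrator or security software resetting the firewall configuration`, and a technique tag (presumably attack.defense_evasion / attack.t1562.004 — confirm) would let this rule be grouped with the other firewall-tampering detections.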
@@ -1,28 +1,26 @@ -title: Delete Rule in Windows Firewall with Advanced Security +title: A Rule Has Been Deleted From The Windows Firewall Exception List id: c187c075-bb3e-4c62-b4fa-beae0ffc211f status: experimental -description: A rule has been deleted in the Windows Firewall exception list. +description: Detects when a singe rules or all of the rules have been deleted from the Windows Defender Firewall references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 -modified: 2022/10/18 +modified: 2023/01/17 logsource: product: windows service: firewall-as -# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2 detection: selection: - EventID: - - 2006 - - 2033 #All rules - filter: - - ModifyingApplication: 'C:\Windows\System32\svchost.exe' - - ModifyingApplication|startswith: + EventID: 2006 # A rule has been deleted in the Windows Defender Firewall exception list + filter_generic: + ModifyingApplication|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' + filter_svchost: + ModifyingApplication: 'C:\Windows\System32\svchost.exe' filter_msmpeng: ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' ModifyingApplication|endswith: '\MsMpEng.exe' - condition: selection and not 1 of filter* + condition: selection and not 1 of filter_* level: medium diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml similarity index 55% rename from rules/windows/builtin/firewall_as/win_firewall_as_failed.yml rename to rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml index bb60ac051..8f3a23704 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_failed.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml 
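Review bot: The new description, `Detects when a singe rules or all of the rules have been deleted from the Windows Defender Firewall`, no longer matches the detection: this hunk removes EventID 2033 (all rules deleted) from the selection and leaves only 2006, with 2033 now living in win_firewall_as_delete_all_rules.yml. It also carries the typo `singe`. Suggest `description: Detects when a single rule has been deleted from the Windows Defender Firewall exception list`.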
@@ -1,17 +1,17 @@ -title: Failed to Load Policy in Windows Firewall with Advanced Security +title: The Windows Defender Firewall service Failed To Load Group Policy id: 7ec15688-fd24-4177-ba43-1a950537ee39 status: experimental -description: The Windows Firewall service failed to load Group Policy. +description: Detects activity when The Windows Defender Firewall service failed to load Group Policy references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 +modified: 2023/01/17 logsource: product: windows service: firewall-as -# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2 detection: selection: - EventID: 2009 + EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy condition: selection level: low diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml similarity index 54% rename from rules/windows/builtin/firewall_as/win_firewall_as_reset.yml rename to rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml index ac11c5662..3f492f622 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml 
@@ -1,17 +1,17 @@ -title: Reset to Default Configuration Windows Firewall with Advanced Security +title: Windows Defender Firewall Has Been Reset To Its Default Configuration id: 04b60639-39c0-412a-9fbe-e82499c881a3 status: experimental -description: Windows Firewall has been reset to its default configuration. +description: Detects activity when Windows Defender Firewall has been reset to its default configuration references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 +modified: 2023/01/17 logsource: product: windows service: firewall-as -# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2 detection: selection: - EventID: 2032 + EventID: 2032 # Windows Defender Firewall has been reset to its default configuration condition: selection level: low diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml index 725ebaff8..81bb75a6a 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml 
@@ -1,21 +1,20 @@ -title: Setting Change in Windows Firewall with Advanced Security +title: Windows Firewall Settings Have Been Changed id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064 status: experimental -description: Setting have been change in Windows Firewall +description: Detects activity when the settings of the Windows firewall have been changed references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 -modified: 2022/03/28 +modified: 2023/01/17 logsource: product: windows service: firewall-as -# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2 detection: selection: EventID: - 2002 # A Windows Firewall setting has changed. - - 2003 # A Windows Firewall setting in the %1 profile has changed. + - 2003 # A Windows Firewall setting in the profile has changed - 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied # - 2010 # Network profile changed on an interface. condition: selection From 8f46f2f0615ef9d068b7729c8ad92f8211c77db9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 17 Jan 2023 19:07:30 +0100 Subject: [PATCH 06/10] fix: fp in firewall rule --- .../firewall_as/win_firewall_as_delete_all_rules.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml index c9f3ecf8c..fd09f8d20 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml 
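Review bot: The EventID comments on the new side are punctuated inconsistently: `- 2002 # A Windows Firewall setting has changed.` keeps a trailing period, the rewritten `- 2003 # A Windows Firewall setting in the profile has changed` drops it, and the 2008 comment has a period mid-sentence and none at the end. Pick one form, e.g. drop the trailing period on 2002 to match 2003. The commented-out `# - 2010 # Network profile changed on an interface.` line still gives no reason for the exclusion; a one-line comment stating why it is left out (presumably ordinary profile switches are too noisy — confirm) would save the next maintainer from re-enabling it.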
@@ -12,5 +12,14 @@ logsource: detection: selection: EventID: 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer - condition: selection + filter_generic: + ModifyingApplication|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + filter_svchost: + ModifyingApplication: 'C:\Windows\System32\svchost.exe' + filter_msmpeng: + ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + ModifyingApplication|endswith: '\MsMpEng.exe' + condition: selection and not 1 of filter_* level: high From fbeb32e24f1792ba54229247c38de5da2049a064 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 17 Jan 2023 19:13:33 +0100 Subject: [PATCH 07/10] fix: broken winlogbeat bitlocker config --- tools/config/winlogbeat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 0fbbae00c..3ff08c4e1 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -147,7 +147,7 @@ logsources: product: windows service: bitlocker conditions: - winlog.channel: 'bitlocker' + winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management' windows-vhdmp-operational: product: windows service: vhdmp From 4682f3fb7a070fc90b8157918e54e374e1063288 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 17 Jan 2023 19:14:32 +0100 Subject: [PATCH 08/10] fix: broken title --- .../builtin/firewall_as/win_firewall_as_failed_load_gpo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml index 8f3a23704..41c42ba6e 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml 
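Review bot: `filter_generic` excludes every `ModifyingApplication` under `C:\Program Files\` and `C:\Program Files (x86)\`, which is a broad exclusion for a `level: high` event (all firewall rules deleted); the three filter blocks are copied from win_firewall_as_delete_rule.yml, where the level is medium. If the exclusion is intentional, document what it covers: the hunk ends at `level: high` with no `falsepositives:` key, so add e.g. `falsepositives: - Security or firewall management software reinstalling its rule set`, and consider narrowing the generic filter to the specific vendor paths that were observed firing.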
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml @@ -1,4 +1,4 @@ -title: The Windows Defender Firewall service Failed To Load Group Policy +title: The Windows Defender Firewall Service Failed To Load Group Policy id: 7ec15688-fd24-4177-ba43-1a950537ee39 status: experimental description: Detects activity when The Windows Defender Firewall service failed to load Group Policy From f3171177d81436b00a693a2425d9f799df43ecaa Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 18 Jan 2023 10:24:04 +0100 Subject: [PATCH 09/10] fix: apply suggestions from code review Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../powershell/powershell_script/posh_ps_audio_exfiltration.yml | 2 +- .../process_creation/proc_creation_win_susp_psloglist.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml index 7ed9e5e94..7c42b85da 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml @@ -10,7 +10,7 @@ tags: - attack.exfiltration logsource: product: windows - service: powershell + category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: selection_main: diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml index 7289529c2..7b47aaf7f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml @@ -25,7 +25,7 @@ detection: - '\psloglist.exe' - '\psloglist64.exe' selection_cli_eventlog: - CommandLine|contains|all: + CommandLine|contains: - ' security' - ' application' - ' system' 
From ff9844b8d71243dace90a831379a9cbe0a4b3284 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 18 Jan 2023 10:47:40 +0100 Subject: [PATCH 10/10] fix: fp and broken field name --- .../powershell_script/posh_ps_audio_exfiltration.yml | 4 ++-- .../process_creation/proc_creation_win_susp_psloglist.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml index 7c42b85da..be3c5d3bb 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml @@ -14,12 +14,12 @@ logsource: definition: 'Requirements: Script Block Logging must be enabled' detection: selection_main: - ScriptBlockLogging|contains|all: + ScriptBlockText|contains|all: - '[System.Math]::' - '[IO.FileMode]::' - 'BinaryWriter' selection_header_wav: - ScriptBlockLogging|contains|all: + ScriptBlockText|contains|all: # Byte chunks from the WAV header used in the example POC # You can extend this for different audio formats by adding different selections - '0x52' diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml index 7b47aaf7f..9ff176fb9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml @@ -41,7 +41,7 @@ detection: - ' /c' - ' -g' # Export an event log as an evt file. - ' /g' - condition: selection_img or all of selection_cli_* + condition: all of selection_* falsepositives: - Another tool that uses the command line switches of PsLogList - Legitimate use of PsLogList by an administrator