From 03ec08f9336f67b772018bf035ffd26d826e69a7 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 20 Jul 2023 12:38:11 +0200
Subject: [PATCH] Add Sysmon 28-29 rules

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../sysmon/sysmon_file_block_shredding.yml | 20 ++++++++++++++++++
 .../windows/sysmon/sysmon_file_executable.yml | 21 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_file_block_shredding.yml
 create mode 100644 rules/windows/sysmon/sysmon_file_executable.yml

diff --git a/rules/windows/sysmon/sysmon_file_block_shredding.yml b/rules/windows/sysmon/sysmon_file_block_shredding.yml
new file mode 100644
index 000000000..850eb0824
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_file_block_shredding.yml
@@ -0,0 +1,20 @@
+title: Sysmon Blocked File Shredding
+id: c3e5c1b1-45e9-4632-b242-27939c170239
+status: experimental
+description: Triggers on any Sysmon file block shredding event. Which should indicates a violation of the shredding policy set
+references:
+    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
+author: frack113
+date: 2023/07/20
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 28 # this is fine, we want to match any FileBlockShredding event
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/windows/sysmon/sysmon_file_executable.yml b/rules/windows/sysmon/sysmon_file_executable.yml
new file mode 100644
index 000000000..6e8062620
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_file_executable.yml
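Review bot: The `description` on the fourth added line reads "Which should indicates a violation of the shredding policy set", which is ungrammatical and does not say whose policy is meant; suggest `description: Triggers on any Sysmon FileBlockShredding event (Event ID 28), which indicates that a file deletion/shredding attempt matched the blocking rules in the deployed Sysmon configuration.` Because Event ID 28 only fires for files that match the operator's own FileBlockShredding configuration, the `falsepositives: Unlikely` entry holds only where that configuration is tightly scoped; a short hint such as `- Depends on how broadly FileBlockShredding is configured in Sysmon` would make that dependency explicit. The `attack.defense_evasion` tag is reasonable for blocked deletions, and adding the sub-technique tag `attack.t1070.004` (File Deletion) alongside it would make the mapping more precise, if the maintainers agree that is the intended coverage.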
@@ -0,0 +1,21 @@
+title: Sysmon File Executable Detected
+id: 693a44e9-7f26-4cb6-b787-214867672d3a
+status: experimental
+description: Triggers on any Sysmon file executable event. Which should indicates a violation of the shredding policy set
+references:
+    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
+    - https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
+author: frack113
+date: 2023/07/20
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 29 # this is fine, we want to match any FileBlockShredding event
+    condition: selection
+falsepositives:
+    - Unlikely
+level: medium
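Review bot: The `description` and the inline comment on the `EventID: 29` line were carried over from the shredding rule and describe the wrong event: Event ID 29 is FileExecutableDetected (as the title and the second reference say), not a shredding-policy violation. Suggest `description: Triggers on any Sysmon FileExecutableDetected event (Event ID 29), i.e. a new executable file was created on disk and matched the Sysmon configuration` and `EventID: 29 # this is fine, we want to match any FileExecutableDetected event`. The `falsepositives: Unlikely` entry also looks over-confident here, since with a broad Sysmon configuration this event fires for every executable written by installers, updaters and build tools; something like `- Legitimate software installation and updates, depending on the Sysmon configuration` would set expectations better. The `attack.defense_evasion` tag was likely copied along with the rest, and it is not clear it fits executable-file creation; worth confirming the intended mapping before the rule goes out.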