diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml new file mode 100644 index 000000000..7fee46f14 --- /dev/null +++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml @@ -0,0 +1,25 @@ +title: Malicious AppX Package Installed +id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce +status: experimental +description: Detects installation of known malicious appx packages +references: + - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ + - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ + - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/ +author: Nasreddine Bencherchali +date: 2023/01/11 +tags: + - attack.defense_evasion +logsource: + product: windows + service: appxdeployment-server +detection: + selection: + EventID: 401 + # Add more malicious package names + # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ + PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9' + condition: selection +falsepositives: + - Rare occasions where a malicious package uses the exact same name and version as a legtimate application +level: medium diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml new file mode 100644 index 000000000..5399760e3 --- /dev/null +++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml 
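Review bot: `level: medium` looks too low for this rule: a hit on the hard-coded `PackageFullName` in `selection` is an IoC match for a package the title calls known malicious, whereas the sibling rules in this commit rate weaker heuristics such as suspicious download domains at `high`, so `level: high` would be more consistent. The second rule in this commit pairs the same EventID 401 with an `ErrorCode`, which suggests 401 is also logged for failed deployments; if so, either the title/description should say "installation attempt" instead of "Installed" or the selection should additionally require a success result code — please confirm against the event. The falsepositives entry is also inverted and has a typo; the false-positive case is a benign package sharing the name, e.g. `- Rare occasions where a legitimate package uses the exact same name and version as a known malicious one`.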
@@ -0,0 +1,24 @@ +title: Suspicious AppX Package Installation Attempt +id: 898d5fc9-fbc3-43de-93ad-38e97237c344 +status: experimental +description: Detects an appx package installation with the error code "0x80073cff". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious +references: + - Internal Research + - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ + - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting + - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ +author: Nasreddine Bencherchali +date: 2023/01/11 +tags: + - attack.defense_evasion +logsource: + product: windows + service: appxdeployment-server +detection: + selection: + EventID: 401 + ErrorCode: '0x80073cff' # Check ref section to learn more about this error code + condition: selection +falsepositives: + - Legitimate AppX packages not signed by MS used part of an enterprise +level: medium diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml new file mode 100644 index 000000000..fe381e85b --- /dev/null +++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml 
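Review bot: The description misstates what the matched error means and contains typos ("Whihc", "sgining"): as I read the referenced troubleshooting page, 0x80073CFF is ERROR_INSTALL_POLICY_FAILURE, i.e. the deployment was blocked by policy because the package is not signed with a trusted certificate and neither sideloading nor developer mode is enabled — please confirm. Suggested wording: `description: Detects a failed AppX package deployment with error code "0x80073cff" (install policy failure). This indicates the package is not signed with a trusted certificate and sideloading/developer mode is not enabled, which can point to a rogue package`. The falsepositives line also needs rewording, e.g. `- Legitimate AppX packages not signed by Microsoft that are used as part of an enterprise deployment`. Worth noting in the description that the rule only sees the blocked attempt; once sideloading is enabled (see the SystemSettingsAdminFlows rule in this commit) the same package deploys without this error.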
@@ -0,0 +1,42 @@ +title: Suspicious Remote AppX Package Locations +id: 8b48ad89-10d8-4382-a546-50588c410f0d +status: experimental +description: Detects an appx package added the pipeline of the "to be processed" packages which is downloaded from a suspicious domain +references: + - Internal Research + - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ + - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting + - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ +author: Nasreddine Bencherchali +date: 2023/01/11 +tags: + - attack.defense_evasion +logsource: + product: windows + service: appxdeployment-server +detection: + selection: + EventID: 854 + Path|contains: + - 'transfer.sh' + - 'raw.githubusercontent.com' + - 'gist.githubusercontent.com' + - 'pastebin.com' + - 'cdn.discordapp.com/attachments/' + - 'mediafire.com' + - 'mega.nz' + - 'ddns.net' + - '.paste.ee' + - '.hastebin.com' + - '.ghostbin.co/' + - 'ufile.io' + - 'storage.googleapis.com' + - 'anonfiles.com' + - 'send.exploit.in' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml new file mode 100644 index 000000000..73ee87ff0 --- /dev/null +++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml 
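Review bot: `storage.googleapis.com` in the `Path|contains` list is a general-purpose object-storage endpoint that hosts plenty of legitimate installers, so with `level: high` the `falsepositives: Unknown` entry undersells the noise this rule is likely to produce; either drop that entry or document it, e.g. `- Legitimate packages hosted on public object storage (e.g. storage.googleapis.com)`. Several entries are bare substrings (`mega.nz`, `ddns.net`, `transfer.sh`) that also match inside an unrelated path segment; anchoring them on the scheme separator, e.g. `- '://mega.nz/'`, would tighten the match. I am inferring that `Path` carries the full URI for EventID 854 from the `file:///` and `x-windowsupdate://` examples in the sibling rules — confirm with a sample event.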
@@ -0,0 +1,37 @@ +title: Suspicious AppX Package Locations +id: 5cdeaf3d-1489-477c-95ab-c318559fc051 +status: experimental +description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations +references: + - Internal Research + - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ + - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting + - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ +author: Nasreddine Bencherchali +date: 2023/01/11 +tags: + - attack.defense_evasion +logsource: + product: windows + service: appxdeployment-server +detection: + selection: + EventID: 854 + Path|contains: + # Paths can be written using forward slash if the "file://" protocol is used + - 'C:\Users\Public\' + - '/users/public/' + - 'C:\PerfLogs\' + - 'C:/perflogs/' + - '\Desktop\' + - '/desktop/' + - '\Downloads\' + - '/Downloads/' + - 'C:\Windows\Temp\' + - 'C:/Windows/Temp/' + - '\AppdData\Local\Temp\' + - '/AppdData/Local/Temp/' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml new file mode 100644 index 000000000..937a84dfa --- /dev/null +++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml 
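Review bot: The last two entries of `Path|contains` carry a typo — `\AppdData\Local\Temp\` and `/AppdData/Local/Temp/` — so packages staged in the per-user temp directory, one of the most common drop locations, will never match. Change them to `- '\AppData\Local\Temp\'` and `- '/AppData/Local/Temp/'`. The list also mixes case between entries (`/users/public/` vs `/Downloads/`); Sigma string matching is case-insensitive by default so it is harmless, but one consistent casing reads better.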
@@ -0,0 +1,37 @@ +title: Uncommon AppX Package Locations +id: c977cb50-3dff-4a9f-b873-9290f56132f1 +status: experimental +description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations +references: + - Internal Research + - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ + - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting + - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ +author: Nasreddine Bencherchali +date: 2023/01/11 +tags: + - attack.defense_evasion +logsource: + product: windows + service: appxdeployment-server +detection: + selection: + EventID: 854 + filter_generic: + Path|contains: + # Paths can be written using forward slash if the "file://" protocol is used + - 'C:\Program Files\WindowsApps\' + - 'C:\Program Files (x86)\' + - 'C:\Windows\SystemApps\' + - 'C:\Windows\PrintDialog\' + - 'C:\Windows\ImmersiveControlPanel\' + - 'x-windowsupdate://' + - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/' + filter_specific: + Path|contains: + - 'https://statics.teams.cdn.office.net/' + - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968 + condition: selection and not 1 of filter_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml b/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml similarity index 78% rename from rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml rename to rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml index 83f059132..6bd3dfe0f 100644 --- a/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml +++ b/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml 
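Review bot: `filter_specific` allow-lists any `Path` that merely contains `microsoft.com`, which an attacker-controlled URL satisfies trivially (`https://cdn.example.net/microsoft.com/app.appx`, or a host such as `microsoft.com.example.net`), so the filter can be used to suppress the alert. Anchor the exemption on the host instead, e.g. replace that entry with `Path|re: '^https?://([a-z0-9-]+\.)*microsoft\.com/'` and do the same for `statics.teams.cdn.office.net`, or at least use `'://'` + host + `'/'` forms. The inline comment should then state why the regex is anchored, e.g. `# anchored on the host so "microsoft.com" inside an attacker-controlled path does not bypass the rule`.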
@@ -1,13 +1,13 @@ -title: AppInstaller Attempts From URL by DNS +title: AppX Package Installation Attempts Via AppInstaller id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a status: test -description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL +description: AppInstaller.exe is spawned by the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL references: - https://twitter.com/notwhickey/status/1333900137232523264 - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/ author: frack113 date: 2021/11/24 -modified: 2022/12/25 +modified: 2023/01/12 tags: - attack.command_and_control - attack.t1105 diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index 92e9ce7ff..baed83349 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -1,5 +1,12 @@ title: Change PowerShell Policies to an Insecure Level - PowerShell id: 61d0475c-173f-4844-86f7-f3eebae1c66b +related: + - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry + type: similar + - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet + type: similar + - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry + type: similar status: experimental description: Detects use of Set-ExecutionPolicy to set insecure policies references: diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml index bb444d03d..0fc1790c3 100644 --- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml +++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml 
@@ -7,7 +7,7 @@ references: - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20 author: frack113 date: 2023/01/07 -modified: 2023/01/09 +modified: 2023/01/11 tags: - attack.defense_evasion - attack.t1562.002 @@ -20,12 +20,20 @@ detection: CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+' CallTrace|contains: '|UNKNOWN(' CallTrace|endswith: ')' - filter_msbuild: - SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\' - SourceImage|endswith: - - '\MSBuild\Current\Bin\amd64\MSBuild.exe' - - '\MSBuild\Current\Bin\MSBuild.exe' - TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\' + filter_generic: + SourceImage|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + TargetImage|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + filter_thor: + SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' + SourceImage|endswith: '\thor\thor64.exe' condition: selection and not 1 of filter_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml b/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml index fe1e866c1..b94636117 100644 --- a/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml +++ b/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml @@ -1,5 +1,12 @@ title: Change PowerShell Policies to an Insecure Level id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 +related: + - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry + type: similar + - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock + type: similar + - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry + type: similar status: experimental description: Detects use of executionpolicy option to set insecure policies references: 
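Review bot: `filter_thor` in the patching-API rule is a pure path allow-list rooted in `C:\Windows\Temp\`, a directory that, as far as I recall, standard users can create files in by default, so dropping a binary at `C:\Windows\Temp\asgard2-agent\thor\thor64.exe` would silence the rule for that source process. The process_access event offers no signer or hash field to pin this on, so at minimum document the trade-off next to the filter, e.g. `# NOTE: path-only allow-list; a binary planted at this path evades the rule`, and consider constraining it further via `TargetImage`. The new `filter_generic` has the same shape — any pair of images under Program Files/System32 is exempted regardless of what they are — which is a broad exemption for a rule whose falsepositives are still listed as `Unknown`.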
diff --git a/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml b/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml new file mode 100644 index 000000000..7844a5267 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml @@ -0,0 +1,34 @@ +title: Potential PowerShell Execution Policy Tampering - ProcCreation +id: cf2e938e-9a3e-4fe8-a347-411642b28a9f +related: + - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # ProcCreation Registry + type: similar + - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet + type: similar + - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock + type: similar +status: experimental +description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine +references: + - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 +author: Nasreddine Bencherchali +date: 2023/01/11 +tags: + - attack.defense_evasion +logsource: + product: windows + category: process_creation +detection: + selection_path: + CommandLine|contains: + - '\ShellIds\Microsoft.PowerShell\ExecutionPolicy' + - '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy' + selection_values: + CommandLine|contains: + - 'Bypass' + - 'RemoteSigned' + - 'Unrestricted' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml new file mode 100644 index 000000000..fccb3b1b4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml 
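Review bot: As written, `selection_path` is unlikely to match the usual tampering commands: with `reg add HKCU\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /d Bypass` (or `Set-ItemProperty -Path ... -Name ExecutionPolicy`) the value name is a separate argument, so the CommandLine never contains the contiguous substring `\ShellIds\Microsoft.PowerShell\ExecutionPolicy`. Split key and value into separate required selections, e.g. `CommandLine|contains: ['\ShellIds\Microsoft.PowerShell', '\Policies\Microsoft\Windows\PowerShell']` in `selection_path` plus a new `selection_value: CommandLine|contains: 'ExecutionPolicy'`, keeping `condition: all of selection_*`. The `related` comment also labels fad91067 as `# ProcCreation Registry`, but that id is the registry_set rule added in this commit, so `# Registry` is the accurate label.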
@@ -0,0 +1,38 @@ +title: Suspicious Windows App Activity +id: f91ed517-a6ba-471d-9910-b3b4a398c0f3 +status: experimental +description: Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution +references: + - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ + - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ +author: Nasreddine Bencherchali +date: 2023/01/12 +tags: + - attack.defense_evasion +logsource: + product: windows + category: process_creation +detection: + selection_parent: + #GrandParentImage|endswith: '\sihost.exe' + ParentImage|contains: 'C:\Program Files\WindowsApps\' + selection_susp_img: + Image|endswith: + # You can add more LOLBINs + - '\poweshell.exe' + - '\pwsh.exe' + - '\rundll32.exe' + - '\regsvr32.exe' + - '\mshta.exe' + - '\cscript.exe' + - '\wscript.exe' + selection_susp_cli: + # You can add more suspicious keywords + CommandLine|contains: + - 'cmd /c' + - 'Invoke-' + - 'Base64' + condition: selection_parent and 1 of selection_susp_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml index dfb0314f7..e07ac11d2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml @@ -6,7 +6,7 @@ references: - https://github.com/Wh04m1001/SysmonEoP author: frack113, Tim Shelton (update fp) date: 2022/12/05 -modified: 2023/01/10 +modified: 2023/01/11 tags: - attack.privilege_escalation - attack.defense_evasion 
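Review bot: `selection_susp_img` has a typo `'\poweshell.exe'`, so powershell.exe — the LOLBIN this rule most needs to catch — never matches; change it to `- '\powershell.exe'`. `'cmd /c'` in `selection_susp_cli` only covers the bare form and misses `cmd.exe /c`; add `- 'cmd.exe /c'` or match `Image|endswith: '\cmd.exe'` in `selection_susp_img` instead. Because `ParentImage|contains: 'C:\Program Files\WindowsApps\'` presumably also covers legitimate Store apps that spawn scripting hosts, `falsepositives` should say so rather than `Unknown`, e.g. `- Store-delivered tools that legitimately launch scripting hosts or cmd.exe (verify per environment)`.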
@@ -53,6 +53,10 @@ detection: ParentImage|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\' ParentImage|endswith: '\CitrixReceiverUpdater.exe' Image|endswith: '\cmd.exe' + filter_thor: + ParentImage|endswith: '\python.exe' + CommandLine: 'C:\WINDOWS\system32\cmd.exe /c "ver"' + CurrentDirectory|contains: 'C:\WINDOWS\Temp\asgard2-agent\' condition: all of selection_* and not 1 of filter_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml new file mode 100644 index 000000000..408d48a90 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml @@ -0,0 +1,28 @@ +title: Potential Signing Bypass Via Windows Developer Features +id: a383dec4-deec-4e6e-913b-ed9249670848 +status: experimental +description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages. +references: + - Internal Research + - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ +author: Nasreddine Bencherchali +date: 2023/01/11 +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\SystemSettingsAdminFlows.exe' + - OriginalFileName: 'SystemSettingsAdminFlows.EXE' + selection_flag: + CommandLine|contains: 'TurnOnDeveloperFeatures' + selection_options: + CommandLine|contains: + - 'DeveloperUnlock' + - 'EnableSideloading' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml new file mode 100644 index 000000000..eb935678c --- /dev/null 
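Review bot: `level: high` with `falsepositives: Unknown` in the developer-features rule will be noisy: the `SystemSettingsAdminFlows.exe TurnOnDeveloperFeatures DeveloperUnlock` command line it matches is presumably what the Settings UI runs whenever a developer enables Developer Mode, so the FP entry should state that, e.g. `- Developers enabling Developer Mode or sideloading on their own workstation`, and `medium` with a tuning hint to exclude developer hosts may fit better. The description also needs a grammar pass: `description: Detects a user enabling developer features such as "Developer Mode" or "Application Sideloading", which allows installation of untrusted (non-Store, unsigned) AppX packages`.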
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml @@ -0,0 +1,41 @@ +title: Potential PowerShell Execution Policy Tampering +id: fad91067-08c5-4d1a-8d8c-d96a21b37814 +related: + - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry + type: similar + - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet + type: similar + - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock + type: similar +status: experimental +description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution +references: + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 +author: Nasreddine Bencherchali +date: 2023/01/11 +tags: + - attack.defense_evasion +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|endswith: + # Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux + # Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there + # Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3 + - '\ShellIds\Microsoft.PowerShell\ExecutionPolicy' + - '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy' + Details|contains: + - 'Bypass' + - 'RemoteSigned' + - 'Unrestricted' + filter_svchost: + Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + condition: selection and not 1 of filter_* +falsepositives: + - Unknown +level: medium diff --git a/tests/logsource.json b/tests/logsource.json index 9d3897280..a6f8cb803 100644 --- a/tests/logsource.json +++ b/tests/logsource.json 
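Review bot: `filter_svchost` exempts every `Image` under `C:\Windows\System32\` and `C:\Windows\SysWOW64\`, which also covers `WindowsPowerShell\v1.0\powershell.exe`, `reg.exe` and `cmd.exe` — the very processes an attacker would use to set the policy — so the rule effectively only fires for third-party writers. If the intent, as the filter name suggests, is to exempt Group Policy processing, pin it to the process instead: `Image: - 'C:\Windows\System32\svchost.exe' - 'C:\Windows\SysWOW64\svchost.exe'`. The `related` comment on cf2e938e reads `# Registry`, but that id is the process_creation rule added in this commit, so `# ProcCreation Registry` is the accurate label; the other two labels are correct.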
@@ -87,7 +87,8 @@ "printservice-admin":[], "msexchange-management":[], "applocker":[], - "vhdmp":[] + "vhdmp":[], + "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"] } }, "linux":{ diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index fbc7f26be..082e16543 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml @@ -118,5 +118,10 @@ logsources: product: windows service: vhdmp conditions: - EventLog: 'Microsoft-Windows-VHDMP-Operational' + EventLog: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational' defaultindex: logstash-* diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index 90684e8a8..ef8f00c8c 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml @@ -118,7 +118,12 @@ logsources: product: windows service: vhdmp conditions: - log_name: 'Microsoft-Windows-VHDMP-Operational' + log_name: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' defaultindex: # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 12c12844b..bddb77bb4 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml 
@@ -118,7 +118,12 @@ logsources: product: windows service: vhdmp conditions: - logname: 'Microsoft-Windows-VHDMP-Operational' + logname: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + logname: 'Microsoft-Windows-AppXDeploymentServer/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml index f1bdce047..22ad9942b 100644 --- a/tools/config/fireeye-helix.yml +++ b/tools/config/fireeye-helix.yml @@ -146,7 +146,12 @@ logsources: product: windows service: vhdmp conditions: - channel: 'Microsoft-Windows-VHDMP-Operational' + channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' linux: product: linux index: posix diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml index d8cbb3456..6ee5072bd 100644 --- a/tools/config/generic/windows-services.yml +++ b/tools/config/generic/windows-services.yml @@ -197,5 +197,9 @@ logsources: product: windows service: vhdmp conditions: - Provider_Name: 'Microsoft-Windows-VHDMP-Operational' - \ No newline at end of file + Provider_Name: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + Provider_Name: 'Microsoft-Windows-AppXDeploymentServer/Operational' diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index c32fb1483..7c0a87300 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml 
@@ -132,7 +132,12 @@ logsources: product: windows service: vhdmp conditions: - event_channel: 'Microsoft-Windows-VHDMP-Operational' + event_channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' windows-network-connection: product: windows category: network_connection diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index ee500508b..ab59c8ae7 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml @@ -118,7 +118,12 @@ logsources: product: windows service: vhdmp conditions: - event_source: 'Microsoft-Windows-VHDMP-Operational' + event_source: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational' fieldmappings: EventID: event_id FailureCode: result_code diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index 3ac6dcb3b..b78d770c5 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml @@ -139,5 +139,10 @@ logsources: product: windows service: vhdmp conditions: - Channel: 'Microsoft-Windows-VHDMP-Operational' + Channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' defaultindex: logstash-* diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index 43da93080..567bcb7bf 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml 
@@ -160,4 +160,9 @@ logsources: product: windows service: vhdmp conditions: - LogName: 'Microsoft-Windows-VHDMP-Operational' + LogName: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational' diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 5c0daafeb..c7715c29c 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -180,6 +180,11 @@ logsources: product: windows service: vhdmp conditions: - source: 'Microsoft-Windows-VHDMP-Operational' + source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' fieldmappings: EventID: EventCode diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index a496b4b44..c6addce9d 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml @@ -149,7 +149,12 @@ logsources: product: windows service: vhdmp conditions: - source: 'Microsoft-Windows-VHDMP-Operational' + source: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + source: 'Microsoft-Windows-AppXDeploymentServer/Operational' apache: service: apache index: WEBSERVER diff --git a/tools/config/thor.yml b/tools/config/thor.yml index c472f5e7e..e28c22134 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -424,6 +424,11 @@ logsources: service: vhdmp sources: - 'WinEventLog:Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + sources: + - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' apache: category: webserver sources: 
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 7d8189e32..449d5f68b 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -163,7 +163,12 @@ logsources: product: windows service: vhdmp conditions: - winlog_channel: 'Microsoft-Windows-VHDMP-Operational' + winlog_channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index f0dc37930..1ad65cd76 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -126,7 +126,12 @@ logsources: product: windows service: vhdmp conditions: - log_name: 'Microsoft-Windows-VHDMP-Operational' + log_name: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index b2716b44c..cfc9f432f 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml 
@@ -152,7 +152,12 @@ logsources: product: windows service: vhdmp conditions: - winlog_channel: 'Microsoft-Windows-VHDMP-Operational' + winlog_channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml index 4cc5d945f..6a1814574 100644 --- a/tools/config/zircolite.yml +++ b/tools/config/zircolite.yml @@ -113,9 +113,14 @@ logsources: product: windows service: bits-client conditions: - Channel: 'Microsoft-Windows-Bits-Client/Operational' + Channel: 'Microsoft-Windows-Bits-Client/Operational' windows-vhdmp-Operational: product: windows service: vhdmp conditions: - Channel: 'Microsoft-Windows-VHDMP-Operational' + Channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'