diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml index 087e75fd4..69df7f046 100644 --- a/rules/network/net_susp_network_scan.yml +++ b/rules/network/net_susp_network_scan.yml @@ -1,5 +1,6 @@ title: Network Scans description: Detects many failed connection attempts to different ports or hosts +author: Thomas Patzke logsource: type: firewall detection: diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml index 77af083db..0ad63e2d0 100644 --- a/rules/windows/builtin/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml @@ -1,7 +1,7 @@ title: Suspicious Kerberos RC4 Ticket Encryption status: experimental reference: https://adsecurity.org/?p=3458 -description: Detects logons using RC4 encryption type +description: Detects logons using RC4 encryption type logsource: - product: windows detection: diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml index cee71ab3e..a645e11c2 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml @@ -3,8 +3,7 @@ status: experimental description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ) reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow logsource: - - product: windows - - service: Microsoft-Windows-Sysmon + - product: sysmon detection: selection: - EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml index b34e29c02..d2ce0242f 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml 
+++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml @@ -3,8 +3,7 @@ status: experimental description: Detects certain DLL loads when Mimikatz gets executed reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ logsource: - - product: windows - - service: sysmon + - product: sysmon detection: dllload1: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml index bd972d96e..cce8c2404 100644 --- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml +++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml @@ -2,8 +2,7 @@ title: Password Dumper Remote Thread in LSASS description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundrets of events. author: Thomas Patzke logsource: - - product: windows - - service: sysmon + - product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 8b97faf52..c0b756306 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -2,8 +2,7 @@ title: Suspicious Driver Load from Temp description: Detetcs a driver load from a temporary directory author: Florian Roth logsource: - - product: windows - - service: sysmon + - product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index f52ce6441..d0e7172bc 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml 
@@ -3,8 +3,7 @@ status: experimental description: Processes started by MMC could by a sign of lateral movement using MMC application COM object reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ logsource: - - product: windows - - service: sysmon + - product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml index 568dfbc3e..da6206d34 100644 --- a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml +++ b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml @@ -2,8 +2,7 @@ title: Java running with Remote Debugging description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect author: Florian Roth logsource: - - product: windows - - service: sysmon + - product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/sysmon/sysmon_webshell_detection.yml index 00341b220..db7f9f0d9 100644 --- a/rules/windows/sysmon/sysmon_webshell_detection.yml +++ b/rules/windows/sysmon/sysmon_webshell_detection.yml @@ -2,8 +2,7 @@ title: Webshell Detection With Command Line Keywords description: Detects certain command line parameters often used during reconnissaince activity via web shells author: Florian Roth logsource: - - product: windows - - service: sysmon + - product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/sysmon/sysmon_webshell_spawn.yml index 5c42da8bc..bd499c012 100644 --- a/rules/windows/sysmon/sysmon_webshell_spawn.yml +++ b/rules/windows/sysmon/sysmon_webshell_spawn.yml 
@@ -3,8 +3,7 @@ status: experimental description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack author: Thomas Patzke logsource: - - product: windows - - service: sysmon + - product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational
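Review bot: in the rules/network/net_susp_network_scan.yml hunk the header shown (title, description, the new author line, logsource) carries no `status` field, while every other rule in this patch declares `status: experimental`; since this change already adds metadata to the file, add a `status` line next to the new `author` so the rule's maturity is declared consistently.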
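Review bot: in rules/windows/builtin/win_susp_rc4_kerberos.yml the removed and added `description` lines read identically, so this hunk is a whitespace-only change (most likely trailing whitespace). It adds history noise with no visible reason; either say in the commit message that it is a whitespace cleanup or leave it out of this change set.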
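Review bot: the logsource change in rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml turns Sysmon from a `service` under `product: windows` into its own `product: sysmon`; every backend or config logsource mapping keyed on the old `product`/`service` pair must be updated in the same change, otherwise these rules no longer resolve to any index or channel. This file previously used `service: Microsoft-Windows-Sysmon` where the other rules used `service: sysmon`, so the new value also removes that inconsistency and the commit message should say so. While the file is being touched, the access-mask constants in the description appear with spaces inside them (`PROCESS_QUERY_ LIMITED_INFORMATION`, `PROCESS_QUERY_ INFORMATION`) and should read `PROCESS_QUERY_LIMITED_INFORMATION` and `PROCESS_QUERY_INFORMATION`.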
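Review bot: rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml still hardcodes `EventLog: Microsoft-Windows-Sysmon/Operational` inside the `dllload1` selection even though `product: sysmon` now identifies the source; once the channel is expressed through the logsource mapping that selection field is redundant and ties the rule to Windows event log field naming. Consider letting the logsource mapping supply the channel and limiting the selection to the DLL-load criteria.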
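Review bot: the `description` context line in rules/windows/sysmon/sysmon_password_dumper_lsass.yml contains the typo "hundrets" for "hundreds"; since the file is already being edited, correct it in this change.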
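Review bot: the `description` in rules/windows/sysmon/sysmon_susp_driver_load.yml reads "Detetcs a driver load"; fix the typo to "Detects" while the file is being touched.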
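Review bot: the `description` in rules/windows/sysmon/sysmon_susp_mmc_source.yml says "could by a sign of lateral movement"; it should read "could be a sign", and this hunk is the natural place to fix it.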
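Review bot: the `description` in rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml reads "Detcts a JAVA process"; correct it to "Detects a Java process" in this change.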
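Review bot: the `description` in rules/windows/sysmon/sysmon_webshell_detection.yml misspells "reconnissaince"; it should be "reconnaissance", and the file is already being modified here.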
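Review bot: the `description` in rules/windows/sysmon/sysmon_webshell_spawn.yml ends with "or an other attack"; write "or another attack" while this file is being edited.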