diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
index bd18b1ea7..e35fc0170 100644
--- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
@@ -15,6 +15,7 @@ logsource:
 detection:
 selection:
 EventID: 3
+ Initiated: 'true'
 DestinationPort:
 - '4443'
 - '2448'
diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
index 019c15839..c9a362baf 100644
--- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
@@ -14,6 +14,7 @@ detection:
 selection:
 EventID: 3
 Image: '*\powershell.exe'
+ Initiated: 'true'
 filter:
 DestinationIp:
 - '10.*'
diff --git a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
index 6ff58594e..03d1aa36a 100644
--- a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
@@ -17,6 +17,7 @@ detection:
 selection:
 EventID: 3
 Image: '*\svchost.exe'
+ Initiated: 'true'
 SourcePort: 3389
 DestinationIp:
 - '127.*'
@@ -24,4 +25,4 @@ detection:
 condition: selection
 falsepositives:
 - unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
index 02fe165c4..63df8dcea 100644
--- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
@@ -16,6 +16,7 @@ detection:
 selection:
 EventID: 3
 Image: '*\rundll32.exe'
+ Initiated: 'true'
 filter:
 DestinationIp:
 - '10.*'
diff --git a/rules/windows/sysmon/sysmon_susp_rdp.yml b/rules/windows/sysmon/sysmon_susp_rdp.yml
index 6efbd6114..a41b35770 100644
--- a/rules/windows/sysmon/sysmon_susp_rdp.yml
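Review bot: In sysmon_rdp_reverse_tunnel.yml the added `Initiated: 'true'` may silence the rule rather than sharpen it: the selection keys on `Image: '*\svchost.exe'`, `SourcePort: 3389` and a loopback `DestinationIp`, which describes the RDP listener's side of a connection arriving through a local tunnel, not a connection svchost opened itself. If Sysmon records accepted connections with Initiated set to false for the listening process (please confirm against a sample event from a tunneled session before merging), the rule would no longer match its intended case and the line should be `Initiated: 'false'` or left out. The other hunks on this line add the same field to selections that are plainly client-side (powershell.exe and rundll32.exe with a private-range destination filter, outbound backconnect ports), where it fits. The second hunk in the same file only adds the missing trailing newline.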
+++ b/rules/windows/sysmon/sysmon_susp_rdp.yml
@@ -15,7 +15,8 @@ logsource:
 detection:
 selection:
 EventID: 3
- DestinationPort: 3389
+ DestinationPort: 3389
+ Initiated: 'true'
 filter:
 Image:
 - '*\mstsc.exe'
diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
index 51544f792..16e18b78e 100644
--- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml
+++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
@@ -14,6 +14,7 @@ logsource:
 detection:
 selection:
 EventID: 3
+ Initiated: 'true'
 DestinationHostname:
 - '*.github.com'
 - '*.githubusercontent.com'
diff --git a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
index 12f0fbc85..e83bf58a2 100644
--- a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
+++ b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
@@ -15,6 +15,7 @@ logsource:
 detection:
 selection:
 EventID: 3
+ Initiated: 'true'
 DestinationHostname:
 - '*dl.dropboxusercontent.com'
 - '*.pastebin.com'
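Review bot: The `- DestinationPort: 3389` / `+ DestinationPort: 3389` pair in sysmon_susp_rdp.yml is textually identical in this view, so it appears to be a whitespace-only rewrite of that line (trailing whitespace or indentation) bundled with the functional change; worth confirming the re-added line indents with spaces, since a YAML loader rejects tab indentation and Sigma tooling would fail on the whole rule. The port is written as an unquoted integer here and in sysmon_rdp_reverse_tunnel.yml but as quoted strings (`'4443'`, `'2448'`) in sysmon_malware_backconnect_ports.yml; settling on one form across the set would make the rules easier to diff and lint.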