From 4c54e8322afb8c4704c7eaaacaa22a5ce922cc6b Mon Sep 17 00:00:00 2001
From: ecco
Date: Wed, 25 Sep 2019 11:11:22 -0400
Subject: [PATCH] sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives
---
 rules/windows/sysmon/sysmon_malware_backconnect_ports.yml | 1 +
 rules/windows/sysmon/sysmon_powershell_network_connection.yml | 1 +
 rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml | 3 ++-
 rules/windows/sysmon/sysmon_rundll32_net_connections.yml | 1 +
 rules/windows/sysmon/sysmon_susp_rdp.yml | 3 ++-
 rules/windows/sysmon/sysmon_win_binary_github_com.yml | 1 +
 rules/windows/sysmon/sysmon_win_binary_susp_com.yml | 1 +
 7 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
index bd18b1ea7..e35fc0170 100644
--- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
@@ -15,6 +15,7 @@ logsource:
 detection:
 selection:
 EventID: 3
+ Initiated: 'true'
 DestinationPort:
 - '4443'
 - '2448'
diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
index 019c15839..c9a362baf 100644
--- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
@@ -14,6 +14,7 @@ detection:
 selection:
 EventID: 3
 Image: '*\powershell.exe'
+ Initiated: 'true'
 filter:
 DestinationIp:
 - '10.*'
diff --git a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
index 6ff58594e..03d1aa36a 100644
--- a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
@@ -17,6 +17,7 @@ detection:
 selection:
 EventID: 3
 Image: '*\svchost.exe'
+ Initiated: 'true'
 SourcePort: 3389
 DestinationIp:
 - '127.*'
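Review bot: The added `Initiated: 'true'` narrows the rule to connections the process opened itself, but the rule's `description` and `falsepositives` fields (outside the hunk) do not say so, and an analyst reading an alert would not know that inbound connections on these ports are now out of scope. Suggest extending the description with a sentence such as `Only outbound connections (Initiated=true) are considered, to avoid false positives from inbound traffic`. The same applies to the sysmon_powershell_network_connection.yml, sysmon_rundll32_net_connections.yml, sysmon_susp_rdp.yml, sysmon_win_binary_github_com.yml and sysmon_win_binary_susp_com.yml hunks. Keep the value quoted as it is here: Sysmon records Initiated as the literal text true/false, and an unquoted `true` would be loaded as a YAML boolean that a backend may serialize differently from the string the event carries.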
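Review bot: Adding `Initiated: 'true'` next to `SourcePort: 3389` in sysmon_rdp_reverse_tunnel.yml looks like it may suppress the event this rule targets rather than a false positive. With svchost.exe hosting the RDP service, a connection arriving at port 3389 from a loopback tunnel endpoint is accepted, not initiated, by svchost, so Sysmon should record it with Initiated false; what remains matching is an outbound connection whose ephemeral source port happens to be 3389, which is not the reverse-tunnel pattern the rule name describes. If the inbound leg is the intent, the line should read `Initiated: 'false'`, or the field should be left out of this selection; please confirm against a recorded tunnel event before merging. The DestinationIp list continues past the hunk, so the rest of the selection is not visible here.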
@@ -24,4 +25,4 @@ detection:
 condition: selection
 falsepositives:
 - unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
index 02fe165c4..63df8dcea 100644
--- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
@@ -16,6 +16,7 @@ detection:
 selection:
 EventID: 3
 Image: '*\rundll32.exe'
+ Initiated: 'true'
 filter:
 DestinationIp:
 - '10.*'
diff --git a/rules/windows/sysmon/sysmon_susp_rdp.yml b/rules/windows/sysmon/sysmon_susp_rdp.yml
index 6efbd6114..a41b35770 100644
--- a/rules/windows/sysmon/sysmon_susp_rdp.yml
+++ b/rules/windows/sysmon/sysmon_susp_rdp.yml
@@ -15,7 +15,8 @@ logsource:
 detection:
 selection:
 EventID: 3
- DestinationPort: 3389
+ DestinationPort: 3389
+ Initiated: 'true'
 filter:
 Image:
 - '*\mstsc.exe'
diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
index 51544f792..16e18b78e 100644
--- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml
+++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
@@ -14,6 +14,7 @@ logsource:
 detection:
 selection:
 EventID: 3
+ Initiated: 'true'
 DestinationHostname:
 - '*.github.com'
 - '*.githubusercontent.com'
diff --git a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
index 12f0fbc85..e83bf58a2 100644
--- a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
+++ b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
@@ -15,6 +15,7 @@ logsource:
 detection:
 selection:
 EventID: 3
+ Initiated: 'true'
 DestinationHostname:
 - '*dl.dropboxusercontent.com'
 - '*.pastebin.com'
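Review bot: In the sysmon_susp_rdp.yml hunk the re-added `DestinationPort: 3389` keeps the port as a bare integer while sysmon_malware_backconnect_ports.yml in the same commit quotes its ports (`'4443'`); since this line is being rewritten anyway, `DestinationPort: '3389'` would make the two rules consistent. Whether a backend treats the integer and the string value the same is backend-specific, so check the rendered query if you change it. The removed and added lines are textually identical, so this part of the hunk appears to be a whitespace-only change.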