From 6c19303aa442f81bf4e4f5cfd6d5718a7790065a Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 9 Nov 2021 10:48:13 +0100
Subject: [PATCH] normalize logsource

---
 .../builtin/win_hybridconnectionmgr_svc_running.yml | 2 +-
 .../edr/edr_command_execution_by_office_applications.yml | 7 ++++---
 rules/windows/other/win_ldap_recon.yml | 2 +-
 rules/windows/other/win_system_defender_disabled.yml | 4 ++--
 tools/config/winlogbeat-modules-enabled.yml | 5 +++++
 5 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
index f2fb29d7d..de445a56a 100644
--- a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
@@ -10,7 +10,7 @@ references:
     - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
     product: windows
-    service: Microsoft-ServiceBus-Client
+    service: microsoft-servicebus-client
 detection:
     selection:
         EventID:
diff --git a/rules/windows/edr/edr_command_execution_by_office_applications.yml b/rules/windows/edr/edr_command_execution_by_office_applications.yml
index 19133d219..d8496c10d 100644
--- a/rules/windows/edr/edr_command_execution_by_office_applications.yml
+++ b/rules/windows/edr/edr_command_execution_by_office_applications.yml
@@ -1,4 +1,4 @@
-title: WMI Command Execution by Office Applications
+title: EDR WMI Command Execution by Office Applications
 id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
 description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32
 references:
@@ -13,9 +13,10 @@ tags:
     - attack.defense_evasion
 status: experimental
 date: 2021/08/23
+modified: 2021/11/09
 logsource:
-    product: EndPoint Detection Logs
-    category: process_creation
+    product: windows
+    category: edr
 detection:
     #useful_information: Add more office applications to the rule logic of choice
     selection1:
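Review bot: `category: edr` in the rewritten logsource of edr_command_execution_by_office_applications.yml is not a generic category a backend config can be expected to map, and this commit adds no mapping for it (the diffstat's only config change is a `microsoft-servicebus-client` entry), so as far as this diff shows the rule would be converted without any log-source constraint, whereas the removed `category: process_creation` is the mappable one. If the intent is only to record that the rule needs EDR-grade process telemetry, keeping `category: process_creation` and stating the requirement in a `definition:` line, e.g. `definition: 'Requires EDR process-creation telemetry for Office child processes'`, preserves conversion; otherwise an `edr` entry is needed in each backend config alongside this change. The detection block, including `selection1:`, continues outside the hunk.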
diff --git a/rules/windows/other/win_ldap_recon.yml b/rules/windows/other/win_ldap_recon.yml
index ee8ff3db5..e0a9559dd 100644
--- a/rules/windows/other/win_ldap_recon.yml
+++ b/rules/windows/other/win_ldap_recon.yml
@@ -9,8 +9,8 @@ references:
     - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
     - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs
 logsource:
-    category: ldap_query
     product: windows
+    service: ldap_debug
     definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging'
 detection:
     generic_search:
diff --git a/rules/windows/other/win_system_defender_disabled.yml b/rules/windows/other/win_system_defender_disabled.yml
index 15114f1dc..1d4838ea0 100644
--- a/rules/windows/other/win_system_defender_disabled.yml
+++ b/rules/windows/other/win_system_defender_disabled.yml
@@ -5,7 +5,7 @@ related:
       type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/09/21
+modified: 2021/11/09
 author: Ján Trenčanský, frack113
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@@ -17,7 +17,7 @@ tags:
     - attack.t1562.001
 logsource:
     product: windows
-    category: system
+    service: system
 detection:
     selection3:
         EventID: 7036
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index d7ec0f095..07c3c4e09 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
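Review bot: `service: ldap_debug` in win_ldap_recon.yml has no mapping in any backend config in this commit (the only config entry added is `microsoft-servicebus-client`), so as far as this diff shows a converter will drop the log-source constraint and the `generic_search` selection would be evaluated against every Windows event the backend indexes. The `definition:` line already names the channel, so the matching entry in tools/config/winlogbeat-modules-enabled.yml would be an `ldap_debug:` block following the `msexchange-management` pattern with `winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'`; the channel string as Winlogbeat actually reports it should be confirmed against a captured event before relying on it. The detection block continues outside the hunk.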
@@ -100,6 +100,11 @@ logsources:
     service: msexchange-management
     conditions:
       winlog.channel: 'MSExchange Management'
+  microsoft-servicebus-client:
+    product: windows
+    service: microsoft-servicebus-client
+    conditions:
+      winlog.channel: 'Microsoft-ServiceBus-Client'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
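Review bot: The new `microsoft-servicebus-client` mapping lands only in the winlogbeat config, while the rule it serves, rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml, now emits the lowercase `service: microsoft-servicebus-client` in the same commit; any other backend config under tools/config that carried the old mixed-case key, or no entry at all, will no longer constrain that rule to its channel and should receive the same five-line entry. The entry also deserves a comment recording which rule and source it exists for so it is not orphaned later, e.g. `# Azure Hybrid Connection Manager client events; consumed by win_hybridconnectionmgr_svc_running` placed above `microsoft-servicebus-client:`, with the product name confirmed against the rule's references. The channel string `'Microsoft-ServiceBus-Client'` differs from the key only in case, which is presumably intentional given the commit title, but worth stating in that comment.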