Merge pull request #211 from Cyb3rWard0g/master

Field-Index Mapping File & SIGMA Rules Field names fix

rules/windows/builtin/win_powershell_b64_shellcode.yml

@@ -23,9 +23,9 @@ logsource:
 detection:
     selection1:
         EventID: 4688
-        ProcesssCommandLine: '*AAAAYInlM*'
+        ProcessCommandLine: '*AAAAYInlM*'
     selection2:
-        ProcesssCommandLine: 
+        ProcessCommandLine: 
             - '*OiCAAAAYInlM*'
             - '*OiJAAAAYInlM*'
 ---

rules/windows/builtin/win_susp_powershell_enc_cmd.yml

@@ -16,7 +16,7 @@ detection:
             - '* -encodedcommand JAB*'
     # Google Rapid Response
     falsepositive1:
-        ImagePath: '*\GRR\*'
+        Image: '*\GRR\*'
     # PowerSponse deployments
     falsepositive2: 
         CommandLine: '* -ExecutionPolicy remotesigned *'

tools/config/helk.yml

@@ -30,13 +30,12 @@ logsources:
 defaultindex: logs-*
 fieldmappings:
     AccessMask: object_access_mask_requested
-    AccountName: 
-        EventID=7045: service_account_name
-        EventID=4624: user_name
+    AccountName: user_name
     AllowedToDelegateTo: user_attribute_allowed_todelegate
     AttributeLDAPDisplayName: dsobject_attribute_name
     AuditPolicyChanges: policy_changes
     AuthenticationPackageName: logon_authentication_package
+    CallingProcessName: process_path
     CallTrace: process_call_trace
     CommandLine: process_command_line
     Company: file_company
@@ -49,7 +48,7 @@ fieldmappings:
         EventID=20: wmi_consumer_destination
     DestinationHostname: dst_host_name
     DestinationIp: dst_ip
-    DestinationIsIpv6: dst_isipv6
+    DestinationIsIpv6: dst_is_ipv6
     DestinationPort: dst_port
     DestinationPortName: dst_port_name
     Details: 
@@ -63,6 +62,7 @@ fieldmappings:
     Filter:
         EventID=21: wmi_filter_path
     FailureCode: ticket_failure_code
+    FileName: file_name
     FileVersion: file_version
     GrantedAccess: process_granted_access
     GroupName: group_name
@@ -96,6 +96,8 @@ fieldmappings:
         EventID=21: wmi_operation
     OperationType: object_operation_type
     ParentImage: process_parent_path
+    PasswordLastSet: user_attribute_password_lastset
+    Path: process_path
     ParentCommandLine: process_parent_command_line
     PipeName: pipe_name
     ProcessName: process_path
@@ -129,19 +131,20 @@ fieldmappings:
         EventID=16: sysmon_configuration_state
     SubjectUserName: 
         EventID=4624: user_reporter_name
+        EventId=4648: user_name
         EventID=5140: user_name
     TargetFilename: file_name
     TargetImage: target_process_path
+    TargetProcessAddress: thread_start_address
     TargetObject: registry_key_path
-    TargetImage: target_process_path
     TaskName: task_name
     TicketEncryptionType: ticket_encryption_type
     TicketOptions: ticket_options
     Type:
         EventID=20: wmi_consumer_type
-    User: user
+    User: user_account
     UserName: user_name
     Version:
         EventID=4: sysmon_version
-    Workstation: source_host_name
-    WorkstationName: source_host_name
+    Workstation: src_host_name
+    WorkstationName: src_host_name