From a0486edeeaf8b1710c7d692dc85969bf027b426e Mon Sep 17 00:00:00 2001
From: Roberto Rodriguez
Date: Tue, 11 Dec 2018 09:27:26 +0300
Subject: [PATCH] Field-Index Mapping File & SIGMA Rules Field names fix

+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
---
 .../builtin/win_powershell_b64_shellcode.yml | 4 ++--
 .../builtin/win_susp_powershell_enc_cmd.yml | 2 +-
 tools/config/helk.yml | 19 +++++++++++--------
 3 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/rules/windows/builtin/win_powershell_b64_shellcode.yml b/rules/windows/builtin/win_powershell_b64_shellcode.yml
index 898c73b59..7ccb1bffe 100644
--- a/rules/windows/builtin/win_powershell_b64_shellcode.yml
+++ b/rules/windows/builtin/win_powershell_b64_shellcode.yml
@@ -23,9 +23,9 @@ logsource:
 detection:
 selection1:
 EventID: 4688
- ProcesssCommandLine: '*AAAAYInlM*'
+ ProcessCommandLine: '*AAAAYInlM*'
 selection2:
- ProcesssCommandLine:
+ ProcessCommandLine:
 - '*OiCAAAAYInlM*'
 - '*OiJAAAAYInlM*'
 ---
diff --git a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml
index 1e54ec971..1a6b9d7f0 100644
--- a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml
@@ -16,7 +16,7 @@ detection:
 - '* -encodedcommand JAB*'
 # Google Rapid Response
 falsepositive1:
- ImagePath: '*\GRR\*'
+ Image: '*\GRR\*'
 # PowerSponse deployments
 falsepositive2:
 CommandLine: '* -ExecutionPolicy remotesigned *'
diff --git a/tools/config/helk.yml b/tools/config/helk.yml
index 3d66e8c84..60423a454 100644
--- a/tools/config/helk.yml
+++ b/tools/config/helk.yml
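Review bot: The corrected `ProcessCommandLine` keys in selection1 and selection2 only help if the backend can resolve that name; the helk.yml hunks in this same patch show `CommandLine: process_command_line` but no `ProcessCommandLine` entry, so unless such a mapping exists outside the shown hunks the renamed field still will not translate to an index field. The sibling rule win_susp_powershell_enc_cmd.yml in this patch keys its exclusion on `CommandLine`, so the two rules may resolve to different index fields for what is presumably the same data. The `---` at the end of the hunk shows this file holds a second YAML document whose selections are outside the hunk and should be checked for the same `Processs` typo. The detection's condition line is also outside the hunk.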
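Review bot: The renamed exclusion `Image: '*\GRR\*'` allowlists any process whose image path contains `\GRR\` anywhere, which is wider than the Google Rapid Response deployment the comment above it describes; anchoring it to the agent's actual install directory, `Image: '<GRR install dir>\GRR\*'` with the real path substituted, keeps the exclusion from quietly extending to a same-named folder in a user-writable location. Whether `Image` or a native event-log field name is the right key here depends on the rule's logsource, which is outside the hunk. The detection's selection and condition lines also continue outside the hunk.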
@@ -30,13 +30,12 @@ logsources:
 defaultindex: logs-*
 fieldmappings:
 AccessMask: object_access_mask_requested
- AccountName:
- EventID=7045: service_account_name
- EventID=4624: user_name
+ AccountName: user_name
 AllowedToDelegateTo: user_attribute_allowed_todelegate
 AttributeLDAPDisplayName: dsobject_attribute_name
 AuditPolicyChanges: policy_changes
 AuthenticationPackageName: logon_authentication_package
+ CallingProcessName: process_path
 CallTrace: process_call_trace
 CommandLine: process_command_line
 Company: file_company
@@ -49,7 +48,7 @@ fieldmappings:
 EventID=20: wmi_consumer_destination
 DestinationHostname: dst_host_name
 DestinationIp: dst_ip
- DestinationIsIpv6: dst_isipv6
+ DestinationIsIpv6: dst_is_ipv6
 DestinationPort: dst_port
 DestinationPortName: dst_port_name
 Details:
@@ -63,6 +62,7 @@ fieldmappings:
 Filter:
 EventID=21: wmi_filter_path
 FailureCode: ticket_failure_code
+ FileName: file_name
 FileVersion: file_version
 GrantedAccess: process_granted_access
 GroupName: group_name
@@ -96,6 +96,8 @@ fieldmappings:
 EventID=21: wmi_operation
 OperationType: object_operation_type
 ParentImage: process_parent_path
+ PasswordLastSet: user_attribute_password_lastset
+ Path: process_path
 ParentCommandLine: process_parent_command_line
 PipeName: pipe_name
 ProcessName: process_path
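Review bot: Collapsing the mapping to the flat `AccountName: user_name` drops the `EventID=7045: service_account_name` branch, so any rule that filters on AccountName for service-installation events (7045) will now be rewritten to `user_name` instead of `service_account_name`. Unless the index was changed to carry the 7045 account under user_name, which the patch does not show, the conditional form `AccountName:` with `EventID=7045: service_account_name` and `EventID=4624: user_name` should be kept, with 4648 or other events added as further `EventID=` entries rather than by flattening. The rest of the fieldmappings block continues outside this hunk.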
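Review bot: `Path: process_path` maps a very generic Sigma field name unconditionally to a process path, while this file otherwise disambiguates such keys with `EventID=` sub-entries (`Filter:` / `EventID=21: wmi_filter_path` in the hunk above); if any rule uses `Path` for a non-process object the rewrite will point at the wrong index field, so either an EventID-conditional entry or a comment stating the assumption, `# Path: process image path; assumed process-creation events only — confirm`, would be safer. The two added keys are also inserted between `ParentImage` and `ParentCommandLine`, which breaks the alphabetical order the rest of the mapping follows (and `ParentCommandLine` already sits after `ParentImage`, a pre-existing wrinkle this insert could fix). The mapping block continues outside the hunk.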
@@ -129,19 +131,20 @@ fieldmappings:
 EventID=16: sysmon_configuration_state
 SubjectUserName:
 EventID=4624: user_reporter_name
+ EventId=4648: user_name
 EventID=5140: user_name
 TargetFilename: file_name
 TargetImage: target_process_path
+ TargetProcessAddress: thread_start_address
 TargetObject: registry_key_path
- TargetImage: target_process_path
 TaskName: task_name
 TicketEncryptionType: ticket_encryption_type
 TicketOptions: ticket_options
 Type:
 EventID=20: wmi_consumer_type
- User: user
+ User: user_account
 UserName: user_name
 Version:
 EventID=4: sysmon_version
- Workstation: source_host_name
- WorkstationName: source_host_name
\ No newline at end of file
+ Workstation: src_host_name
+ WorkstationName: src_host_name
\ No newline at end of file
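Review bot: The added `EventId=4648: user_name` under `SubjectUserName` spells the conditional key as `EventId` while every other conditional in this hunk and the file uses `EventID=`; if the backend matches that prefix literally, the entry will never apply to 4648 and SubjectUserName on that event falls through unmapped, so it should read `EventID=4648: user_name`. Removing the duplicated `TargetImage` key is right, since most YAML parsers silently keep only the last value for a repeated key. The file still ends without a trailing newline (both `\ No newline at end of file` markers); adding one avoids a spurious diff on the next edit.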