diff --git a/rules/application/python/app_python_sql_exceptions.yml b/rules/application/python/app_python_sql_exceptions.yml
index bb06459da..9b3aafead 100644
--- a/rules/application/python/app_python_sql_exceptions.yml
+++ b/rules/application/python/app_python_sql_exceptions.yml
@@ -11,12 +11,12 @@ logsource: category: application product: python detection: - exceptions: + selection: - DataError - IntegrityError - ProgrammingError - OperationalError - condition: exceptions + condition: selection falsepositives: - Application bugs level: medium
diff --git a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
index 3010d07c2..e1305b103 100644
--- a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
@@ -13,12 +13,12 @@ logsource: product: linux service: auditd detection: - getcap: + selection: type: EXECVE a0: getcap a1: '-r' a2: '/' - condition: getcap + condition: selection tags: - attack.collection - attack.privilege_escalation
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
index 643168b45..ca7009ca1 100644
--- a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
+++ b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
@@ -12,7 +12,7 @@ logsource: product: linux service: auditd detection: - xclip: + selection: type: EXECVE a0: xclip a1:
@@ -22,7 +22,7 @@ detection: - clipboard - clip a3: '-o' - condition: xclip + condition: selection tags: - attack.collection - attack.t1115
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
index 181bf6528..9e3b3dce2 100644
--- a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
+++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
@@ -11,7 +11,7 @@ logsource: product: linux service: auditd detection: - xclip: + selection: type: EXECVE a0: xclip a1:
@@ -23,7 +23,7 @@ detection: a3: '-t' a4|startswith: 'image/' a5: '-o' - condition: xclip + condition: selection tags: - attack.collection - attack.t1115
diff --git a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
index 30931daa9..70a8dec73 100644
--- a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
+++ b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
@@ -12,11 +12,11 @@ logsource: product: linux service: auditd detection: - wget: + selection: type: EXECVE a0: wget a1|startswith: '--post-file=' - condition: wget + condition: selection tags: - attack.exfiltration - attack.t1048.003
diff --git a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
index 14ee8b54b..11bdc3477 100644
--- a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
+++ b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
@@ -12,13 +12,13 @@ logsource: product: linux service: auditd detection: - service_stop: + selection: type: 'SERVICE_STOP' unit: - 'firewalld' - 'iptables' - 'ufw' - condition: service_stop + condition: selection falsepositives: - Admin activity level: high
diff --git a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
index 399741fc4..941c1ad1d 100644
--- a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
+++ b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
@@ -13,11 +13,11 @@ logsource: product: linux service: auditd detection: - insmod: + selection: type: 'SYSCALL' comm: insmod exe: /usr/bin/kmod - condition: insmod + condition: selection falsepositives: - Unknown level: high
diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
index b50ed1d29..cc4cd5189 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
@@ -17,7 +17,7 @@ logsource: product: linux service: auditd detection: - Steghide: + selection: type: EXECVE a0: steghide a1: embed
@@ -27,4 +27,4 @@ detection: a4: - '-cf' - '-ef' - condition: Steghide + condition: selection
diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
index f83cb4c66..cd596493c 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
@@ -17,7 +17,7 @@ logsource: product: linux service: auditd detection: - Steghide: + selection: type: EXECVE a0: steghide a1: extract
@@ -25,4 +25,4 @@ detection: a3|endswith: - '.jpg' - '.png' - condition: Steghide + condition: selection
diff --git a/rules/linux/builtin/lnx_crontab_file_modification.yml b/rules/linux/builtin/lnx_crontab_file_modification.yml
index 63c0f965d..df1dd7e53 100644
--- a/rules/linux/builtin/lnx_crontab_file_modification.yml
+++ b/rules/linux/builtin/lnx_crontab_file_modification.yml
@@ -11,9 +11,9 @@ logsource: product: linux service: cron detection: - keyword: + keywords: - 'REPLACE' - condition: keyword + condition: keywords falsepositives: - Legitimate modification of crontab level: medium
diff --git a/rules/linux/builtin/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml
index 1ff8c18a3..2ddcb6d07 100644
--- a/rules/linux/builtin/lnx_ldso_preload_injection.yml
+++ b/rules/linux/builtin/lnx_ldso_preload_injection.yml
@@ -9,9 +9,9 @@ references: logsource: product: linux detection: - keyword: + keywords: - '/etc/ld.so.preload' - condition: keyword + condition: keywords falsepositives: - Rare temporary workaround for library misconfiguration level: high
diff --git a/rules/linux/builtin/lnx_proxy_connection.yml b/rules/linux/builtin/lnx_proxy_connection.yml
index 92d642389..8a527c94b 100644
--- a/rules/linux/builtin/lnx_proxy_connection.yml
+++ b/rules/linux/builtin/lnx_proxy_connection.yml
@@ -10,10 +10,10 @@ modified: 2021/11/27 logsource: product: linux detection: - keyword: + keywords: - 'http_proxy=*' - 'https_proxy=*' - condition: keyword + condition: keywords falsepositives: - Legitimate administration activities level: low
diff --git a/rules/linux/builtin/lnx_shellshock.yml b/rules/linux/builtin/lnx_shellshock.yml
index f842b16eb..dd7cbc8c6 100644
--- a/rules/linux/builtin/lnx_shellshock.yml
+++ b/rules/linux/builtin/lnx_shellshock.yml
@@ -10,12 +10,12 @@ references: logsource: product: linux detection: - keyword: + keywords: - '(){:;};' - '() {:;};' - '() { :;};' - '() { :; };' - condition: keyword + condition: keywords falsepositives: - Unknown level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
index 045007419..06fa3d0a0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
@@ -11,10 +11,10 @@ logsource: category: process_creation product: linux detection: - base64_execution: + selection: Image|endswith: '/base64' CommandLine|contains: '-d' - condition: base64_execution + condition: selection falsepositives: - Legitimate activities level: low
diff --git a/rules/macos/process_creation/proc_creation_macos_base64_decode.yml b/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
index 1c997e44a..dd1a3dc4e 100644
--- a/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
+++ b/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
@@ -11,10 +11,10 @@ logsource: category: process_creation product: macos detection: - base64_execution: + selection: Image: '/usr/bin/base64' CommandLine|contains: '-d' - condition: base64_execution + condition: selection falsepositives: - Legitimate activities level: low
diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
index 82bcef0f3..fe577fcd9 100644
--- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
@@ -20,11 +20,11 @@ logsource: product: zeek service: dce_rpc detection: - efs_operation: + selection: operation|startswith: - 'Efs' - 'efs' - condition: efs_operation + condition: selection falsepositives: - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description). level: medium
diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
index c8c0ccfad..b0cdb547f 100644
--- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
+++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
@@ -23,7 +23,7 @@ logsource: product: zeek service: dce_rpc detection: - printer_operation: + selection: operation: - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
@@ -31,7 +31,7 @@ detection: - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59 - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09 - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27 - condition: printer_operation + condition: selection falsepositives: - Legitimate remote alteration of a printer driver. level: medium
diff --git a/rules/windows/builtin/dns_server/win_apt_gallium.yml b/rules/windows/builtin/dns_server/win_apt_gallium.yml
index 9e3ff3d54..cc1c0ca84 100644
--- a/rules/windows/builtin/dns_server/win_apt_gallium.yml
+++ b/rules/windows/builtin/dns_server/win_apt_gallium.yml
@@ -19,7 +19,7 @@ logsource: product: windows service: dns-server detection: - c2_selection: + selection: EventID: 257 QNAME: - 'asyspy256.ddns.net'
@@ -29,7 +29,7 @@ detection: - 'sz2016rose.ddns.net' - 'dffwescwer4325.myftp.biz' - 'cvdfhjh1231.ddns.net' - condition: c2_selection + condition: selection falsepositives: - Unknown level: high \ No newline at end of file
diff --git a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
index 8122f3c77..9d561344f 100644
--- a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
+++ b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
@@ -17,12 +17,12 @@ logsource: product: windows service: security detection: - powershell_as_service: + selection: EventID: 4697 ServiceFileName|contains: - 'powershell' - 'pwsh' - condition: powershell_as_service + condition: selection falsepositives: - Unknown level: high \ No newline at end of file
diff --git a/rules/windows/builtin/security/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml
index 900c55750..8df4d41a1 100644
--- a/rules/windows/builtin/security/win_security_wmi_persistence.yml
+++ b/rules/windows/builtin/security/win_security_wmi_persistence.yml
@@ -19,11 +19,11 @@ logsource: product: windows service: security detection: - wmi_subscription: + selection: EventID: 4662 ObjectType: 'WMI Namespace' ObjectName|contains: 'subscription' - condition: wmi_subscription + condition: selection falsepositives: - Unknown (data set is too small; further testing needed) level: medium \ No newline at end of file
diff --git a/rules/windows/builtin/system/win_hack_smbexec.yml b/rules/windows/builtin/system/win_hack_smbexec.yml
index 11a2242db..5d525fc2c 100644
--- a/rules/windows/builtin/system/win_hack_smbexec.yml
+++ b/rules/windows/builtin/system/win_hack_smbexec.yml
@@ -11,12 +11,12 @@ logsource: product: windows service: system detection: - service_installation: + selection: Provider_Name: 'Service Control Manager' EventID: 7045 ServiceName: 'BTOBTO' ImagePath|endswith: '\execute.bat' - condition: service_installation + condition: selection fields: - ServiceName - ServiceFileName
diff --git a/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml
index 70d19e55b..518019105 100644
--- a/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml
+++ b/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml
@@ -14,13 +14,13 @@ logsource: product: windows service: system detection: - service_creation: + selection: Provider_Name: 'Service Control Manager' EventID: 7045 ImagePath|contains: - 'powershell' - 'pwsh' - condition: service_creation + condition: selection falsepositives: - Unknown level: high
diff --git a/rules/windows/builtin/system/win_system_defender_disabled.yml b/rules/windows/builtin/system/win_system_defender_disabled.yml
index 1fd99e87b..8ca595d0a 100644
--- a/rules/windows/builtin/system/win_system_defender_disabled.yml
+++ b/rules/windows/builtin/system/win_system_defender_disabled.yml
@@ -18,14 +18,14 @@ logsource: product: windows service: system detection: - Selection: + selection: EventID: 7036 Provider_Name: 'Service Control Manager' param1: - 'Windows Defender Antivirus Service' - 'Service antivirus Microsoft Defender' #French OS param2: 'stopped' - condition: Selection + condition: selection falsepositives: - Administrator actions - Auto updates of Windows Defender causes restarts
diff --git a/rules/windows/dns_query/dns_query_win_mega_nz.yml b/rules/windows/dns_query/dns_query_win_mega_nz.yml
index a36942b9f..31d9cafc3 100644
--- a/rules/windows/dns_query/dns_query_win_mega_nz.yml
+++ b/rules/windows/dns_query/dns_query_win_mega_nz.yml
@@ -16,6 +16,6 @@ logsource: product: windows category: dns_query detection: - dns_request: + selection: QueryName|contains: userstorage.mega.co.nz - condition: dns_request \ No newline at end of file + condition: selection \ No newline at end of file
diff --git a/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
index 468a4f5fe..1bb1c9653 100644
--- a/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
+++ b/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
@@ -17,11 +17,11 @@ logsource: product: windows category: driver_load detection: - powershell_as_service: + selection: ImageLoaded|contains: - 'powershell' - 'pwsh' - condition: powershell_as_service + condition: selection falsepositives: - Unknown level: high \ No newline at end of file
diff --git a/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml b/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml
index 11a4e147f..c497d9784 100644
--- a/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml
+++ b/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml
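Review bot: The rewritten last line of dns_query_win_mega_nz.yml, `condition: selection`, is still emitted without a terminating newline (the hunk carries `\ No newline at end of file` on the + side), so yamllint's `new-line-at-end-of-file` check keeps failing on a line this commit already rewrites; the same applies to the `condition: selection` line in file_event_win_rclone_exec_file.yml further down. Since the commit touches exactly those lines, appending the newline costs nothing and keeps the rule files consistent with the rest of the repository. The other `\ No newline at end of file` markers in this diff sit on untouched context lines and are a separate cleanup.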
@@ -13,9 +13,9 @@ logsource: product: windows category: file_event detection: - mimikatz_memssp_filename: + selection: TargetFilename|endswith: 'mimilsa.log' - condition: mimikatz_memssp_filename + condition: selection falsepositives: - Unlikely level: critical
diff --git a/rules/windows/file_event/file_event_win_office_persistence.yml b/rules/windows/file_event/file_event_win_office_persistence.yml
index 658789a7a..16a87e66c 100644
--- a/rules/windows/file_event/file_event_win_office_persistence.yml
+++ b/rules/windows/file_event/file_event_win_office_persistence.yml
@@ -11,18 +11,18 @@ logsource: category: file_event product: windows detection: - wlldropped: + selection_wlldropped: TargetFilename|contains: \Microsoft\Word\Startup\ TargetFilename|endswith: .wll - xlldropped: + selection_xlldropped: TargetFilename|contains: \Microsoft\Excel\Startup\ TargetFilename|endswith: .xll - generic: + selection_generic: TargetFilename|contains: \Microsoft\Addins\ TargetFilename|endswith: - .xlam - .xla - condition: (wlldropped or xlldropped or generic) + condition: 1 of selection* falsepositives: - Legitimate add-ins level: high
diff --git a/rules/windows/file_event/file_event_win_rclone_exec_file.yml b/rules/windows/file_event/file_event_win_rclone_exec_file.yml
index d4323607d..126403a34 100644
--- a/rules/windows/file_event/file_event_win_rclone_exec_file.yml
+++ b/rules/windows/file_event/file_event_win_rclone_exec_file.yml
@@ -17,8 +17,8 @@ logsource: product: windows category: file_event detection: - file_selection: + selection: TargetFilename|contains|all: - ':\Users\' - '\.config\rclone\' - condition: file_selection \ No newline at end of file + condition: selection \ No newline at end of file
diff --git a/rules/windows/file_event/file_event_win_tool_psexec.yml b/rules/windows/file_event/file_event_win_tool_psexec.yml
index 5c75c696d..b51057aa6 100644
--- a/rules/windows/file_event/file_event_win_tool_psexec.yml
+++ b/rules/windows/file_event/file_event_win_tool_psexec.yml
@@ -27,9 +27,9 @@ logsource: category: file_event product: windows detection: - sysmon_filecreation: + selection: TargetFilename|endswith: '\PSEXESVC.exe' - condition: sysmon_filecreation + condition: selection falsepositives: - Unknown level: low \ No newline at end of file
diff --git a/rules/windows/pipe_created/pipe_created_tool_psexec.yml b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
index d87a13800..4f8e61270 100644
--- a/rules/windows/pipe_created/pipe_created_tool_psexec.yml
+++ b/rules/windows/pipe_created/pipe_created_tool_psexec.yml
@@ -28,9 +28,9 @@ logsource: product: windows definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: - sysmon_pipecreated: + selection: PipeName: '\PSEXESVC' - condition: sysmon_pipecreated + condition: selection falsepositives: - Unknown level: low
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index 59544ca95..de75f44ae 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -15,7 +15,7 @@ logsource: category: ps_script definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: - Malicious: + selection: ScriptBlockText|contains: - 'AdjustTokenPrivileges' - 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
@@ -37,7 +37,7 @@ detection: - 'TOKEN_QUERY' - 'Metasploit' - 'Mimikatz' - condition: Malicious + condition: selection falsepositives: - Unknown level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
index f4ec3937c..4f328ea28 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
@@ -14,11 +14,11 @@ logsource: category: ps_script definition: Script block logging must be enabled detection: - dump: + selection: ScriptBlockText|contains|all: - 'Get-StorageDiagnosticInfo' - '-IncludeLiveDump' - condition: dump + condition: selection falsepositives: - Diagnostics level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index 619d40b01..d3da6ecfd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -15,7 +15,7 @@ logsource: category: ps_script definition: Script block logging must be enabled detection: - Nishang: + selection: ScriptBlockText|contains: - Add-ConstrainedDelegationBackdoor - Set-DCShadowPermissions
@@ -88,7 +88,7 @@ detection: - NotAllNameSpaces - exfill - FakeDC - condition: Nishang + condition: selection falsepositives: - Unknown level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
index d4b0c05ba..b4d4b54db 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
@@ -16,9 +16,9 @@ logsource: category: ps_script definition: Script Block Logging must be enabled detection: - PfxCertificate: + selection: ScriptBlockText|contains: 'Export-PfxCertificate' - condition: PfxCertificate + condition: selection falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
index 2df04d1f1..53b9343b1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
@@ -15,9 +15,9 @@ logsource: category: ps_script definition: Script Block Logging must be enabled detection: - select_LSASS: + selection: ScriptBlockText|contains: 'Get-Process lsass' - condition: select_LSASS + condition: selection falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
index 51c2a7a66..aa9f62c65 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
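Review bot: The `falsepositives` entry carried as context in the posh_ps_susp_getprocess_lsass.yml hunk, `Legitimate certificate exports invoked by administrators or users (...)`, is word-for-word the entry of posh_ps_susp_export_pfxcertificate.yml just above and does not describe a rule whose only selection is `ScriptBlockText|contains: 'Get-Process lsass'`; it looks like a copy-paste leftover. Since the commit is already rewriting this detection block, replace it with a false-positive source that matches the selection, for example `- Legitimate administration or monitoring scripts that query the lsass process`. The rule's title, description and tags are outside the hunk, so I cannot tell whether they carry the same mismatch.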
@@ -18,7 +18,7 @@ logsource: category: ps_script definition: Script block logging must be enabled for 4104 detection: - framework: + selection: ScriptBlockText|contains: - 'System.Reflection.Assembly.Load($' - '[System.Reflection.Assembly]::Load($'
@@ -31,7 +31,7 @@ detection: # - 'FromBase64' - 'Invoke-WMIMethod' - 'http://127.0.0.1' - condition: framework + condition: selection falsepositives: - Unknown level: high
diff --git a/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml b/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
index ce0731a5d..3edf95205 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
@@ -17,7 +17,7 @@ logsource: product: windows category: process_creation detection: - exec_selection: + selection: sha1: - '53a44c2396d15c3a03723fa5e5db54cafd527635' - '9c5e496921e3bc882dc40694f1dcc3746a75db19'
@@ -38,7 +38,7 @@ detection: - '4923d460e22fbbf165bbbaba168e5a46b8157d9f' - 'f201504bd96e81d0d350c3a8332593ee1c9e09de' - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' - condition: exec_selection + condition: selection falsepositives: - Unknown level: high \ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml b/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
index d186a29de..7f43e5439 100644
--- a/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
+++ b/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
@@ -19,12 +19,12 @@ logsource: category: process_creation product: windows detection: - dnsadmin: + selection: Image|endswith: '\dnscmd.exe' CommandLine|contains|all: - '/config' - '/serverlevelplugindll' - condition: dnsadmin + condition: selection falsepositives: - Unknown level: high
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbas_diantz_ads.yml
index d2d97f125..cd7c5c12c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_diantz_ads.yml
@@ -13,12 +13,12 @@ logsource: category: process_creation product: windows detection: - lolbas: + selection: CommandLine|contains|all: - diantz.exe - .cab CommandLine|re: ':[^\\\\]' - condition: lolbas + condition: selection falsepositives: - Very Possible level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml b/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml
index f52cc0c0c..5b7ef48c7 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml
@@ -13,12 +13,12 @@ logsource: category: process_creation product: windows detection: - lolbas: + selection: CommandLine|contains|all: - diantz.exe - ' \\' - '.cab' - condition: lolbas + condition: selection falsepositives: - Unknown level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml b/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml
index 29691932e..5ad6aa943 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml
@@ -11,11 +11,11 @@ logsource: category: process_creation product: windows detection: - lolbas: + selection: - CommandLine|contains: Extexport.exe - Image|endswith: '\Extexport.exe' - OriginalFileName: 'extexport.exe' - condition: lolbas + condition: selection falsepositives: - Unknown level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml
index 298fb9aa5..079772176 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml
@@ -13,12 +13,12 @@ logsource: category: process_creation product: windows detection: - lolbas: + selection: CommandLine|contains|all: - extrac32.exe - .cab CommandLine|re: ':[^\\\\]' - condition: lolbas + condition: selection falsepositives: - Unknown level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
index 8b5599f3e..9c00e2311 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
@@ -12,10 +12,10 @@ logsource: category: process_creation product: windows detection: - lolbas: + selection: Image|endswith: '\replace.exe' CommandLine|contains: '/a' - condition: lolbas + condition: selection falsepositives: - Unknown level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_dir.yml
index 5d9e52657..81cd2e782 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_dir.yml
@@ -10,12 +10,12 @@ logsource: category: process_creation product: windows detection: - dir: + selection: CommandLine|contains|all: - 'dir ' - ' /s' - ' /b' - condition: dir + condition: selection falsepositives: - Unknown level: low
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
index b2d5317a0..37f63ddbf 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
@@ -11,7 +11,7 @@ logsource: category: process_creation product: windows detection: - network_cmd: + selection: CommandLine|contains: - 'ipconfig /all' - 'netsh interface show interface'
@@ -19,7 +19,7 @@ detection: - 'nbtstat -n' - 'net config' - 'route print' - condition: network_cmd + condition: selection falsepositives: - Administrator, hotline ask to user level: low
diff --git a/rules/windows/process_creation/proc_creation_win_susp_nmap.yml b/rules/windows/process_creation/proc_creation_win_susp_nmap.yml
index 35c971ade..28482d55f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_nmap.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_nmap.yml
@@ -11,9 +11,9 @@ logsource: category: process_creation product: windows detection: - nmap: + selection: OriginalFileName: nmap.exe - condition: nmap + condition: selection falsepositives: - Network administator computeur level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml b/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml
index 8c7395284..88b0afc29 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml
@@ -10,9 +10,9 @@ logsource: category: process_creation product: windows detection: - sc_query: + selection: CommandLine|contains: 'sc query' - condition: sc_query + condition: selection falsepositives: - Unknown level: low
diff --git a/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml b/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
index cf30cd742..6e30626d7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
@@ -10,10 +10,10 @@ logsource: category: process_creation product: windows detection: - tasklist: + selection: - CommandLine|contains: tasklist - Image: C:\Windows\System32\tasklist.exe - condition: tasklist + condition: selection falsepositives: - Administrator, hotline ask to user level: low diff --git a/rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml index 8cd94e687..aeb8056b8 100644 --- a/rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml +++ b/rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml @@ -16,11 +16,11 @@ logsource: category: process_creation product: windows detection: - select_vbs: + selection: CommandLine|contains|all: - '\SyncAppvPublishingServer.vbs' - '"\n;' - condition: select_vbs + condition: selection fields: - ComputerName - User diff --git a/rules/windows/process_creation/proc_creation_win_tool_psexec.yml b/rules/windows/process_creation/proc_creation_win_tool_psexec.yml index bb73949bd..194a60308 100644 --- a/rules/windows/process_creation/proc_creation_win_tool_psexec.yml +++ b/rules/windows/process_creation/proc_creation_win_tool_psexec.yml @@ -27,12 +27,12 @@ logsource: category: process_creation product: windows detection: - sysmon_processcreation: + selection: Image|endswith: '\PSEXESVC.exe' User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - condition: sysmon_processcreation + condition: selection falsepositives: - Unknown level: low \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml b/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml index 9daf1df83..d948f9b39 100644 --- a/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml 
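Review bot: `Image: C:\Windows\System32\tasklist.exe` in the tasklist rule is a full-path equality match, so the 32-bit copy under `SysWOW64` or a non-default system drive is only caught by the sibling `CommandLine|contains: tasklist` entry, which in turn fires on any command line that merely contains that substring (a path like `C:\tasklists\run.bat`). The usual Sigma shape is `Image|endswith: '\tasklist.exe'`, optionally paired with `OriginalFileName: tasklist.exe` where Sysmon populates it, rather than a bare substring on the command line. The two entries under `selection` are OR-ed because they are separate list items; a short `# either branch matches` comment would make that intent explicit for readers who expect an AND.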
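Review bot: The second `contains|all` entry of the SyncAppvPublishingServer rule, `'"\n;'`, is a YAML single-quoted scalar and Sigma does not interpret `\n` as a newline, so the process command line has to contain the four literal characters `"\n;`. As far as I recall the LOLBAS write-up for this bypass passes `"n;` with no backslash, in which case this entry never matches the documented invocation; please check the PoC cited in the rule's references (above the hunk) and, if the backslash is not part of the real argument, change the entry to `- '"n;'`. Either way a comment stating which exact argument form the rule targets would prevent the same doubt next time.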
+++ b/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml @@ -10,12 +10,12 @@ logsource: category: process_creation product: windows detection: - sysmon: + selection: Image|endswith: - \Sysmon64.exe - \Sysmon.exe CommandLine|contains: '-u' - condition: sysmon + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml index d2230d682..01646bff3 100644 --- a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml +++ b/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml @@ -12,9 +12,9 @@ logsource: category: registry_add product: windows detection: - create_keywords_reg: + selection: TargetObject|contains: 'UserInitMprLogonScript' - condition: create_keywords_reg + condition: selection falsepositives: - Exclude legitimate logon scripts level: high diff --git a/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml b/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml index 49c0ad34f..1c92e0558 100755 --- a/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml +++ b/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml @@ -15,9 +15,9 @@ logsource: category: registry_event product: windows detection: - ioc_1: + selection_ioc1: TargetObject: 'HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' - ioc_2: + selection_ioc2: TargetObject|startswith: - HKCU\SOFTWARE\App\ - HKLM\SOFTWARE\App\ @@ -28,7 +28,7 @@ detection: TargetObject|endswith: - Application - DefaultIcon - selection2: + selection_hkcu: TargetObject|startswith: 'HKCU\' TargetObject|contains: # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\ 
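Review bot: `CommandLine|contains: '-u'` in the Sysmon-uninstall rule is a bare substring test, so any Sysmon invocation whose config path or other argument contains `-u` (`Sysmon64.exe -c sysmon-update.xml`) raises this high-severity alert, while `Sysmon64.exe /u force` is missed if Sysmon accepts the slash form of switches as Sysinternals tools generally do. Bounding the switch fixes both directions: `CommandLine|re: '\s[-/]u(\s|$)'`, or at minimum a list of space-delimited variants such as `' -u '` and `' /u '` plus the end-of-line forms. A one-line comment that `-u` is the uninstall switch and `-u force` the common invocation would document why this is flagged `high`.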
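Review bot: The logon-script rule is filed under `category: registry_add`, which maps to Sysmon's object create/delete event (EventID 12), but `UserInitMprLogonScript` is normally planted as a value under `HKCU\Environment`, and a value write surfaces as SetValue (EventID 13), i.e. the `registry_set` category. If that is how the persistence lands in practice — worth confirming with a Sysmon sample — this rule never sees the write; moving the detection to `registry_set` (or duplicating it there) and stating in a comment which event type is expected would close the gap. The `falsepositives` entry `Exclude legitimate logon scripts` describes an action rather than a source; `- Legitimate logon scripts deployed through Group Policy` reads as the convention intends.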
@@ -38,7 +38,7 @@ detection: # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\ - 'Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\' - 'Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' - condition: ioc_1 or ioc_2 or selection2 + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml index 20f2abd92..ca584c21e 100755 --- a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml +++ b/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml @@ -16,9 +16,9 @@ logsource: product: windows category: registry_event detection: - dnsregmod: + selection: TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll' - condition: dnsregmod + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml index fdde0880b..8bbade159 100644 --- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml +++ b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml @@ -14,9 +14,9 @@ logsource: product: windows category: registry_set detection: - mod_reg: + selection: TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' - condition: mod_reg + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_set/registry_set_office_security.yml b/rules/windows/registry/registry_set/registry_set_office_security.yml index cc20f00f9..9ffd9993b 100644 --- a/rules/windows/registry/registry_set/registry_set_office_security.yml +++ b/rules/windows/registry/registry_set/registry_set_office_security.yml 
@@ -13,12 +13,12 @@ logsource: category: registry_set product: windows detection: - sec_settings: + selection: TargetObject|endswith: - '\Security\Trusted Documents\TrustRecords' - '\Security\AccessVBOM' - '\Security\VBAWarnings' - condition: sec_settings + condition: selection falsepositives: - Valid Macros and/or internal documents level: high diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml index 2854b5e9c..30966acd5 100755 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml @@ -12,10 +12,10 @@ logsource: product: windows category: registry_set detection: - methregistry: + selection: TargetObject|startswith: 'HKCU\' TargetObject|endswith: '\mscfile\shell\open\command' - condition: methregistry + condition: selection falsepositives: - Unknown level: critical diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index 20d7041bb..864a408e6 100644 --- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml @@ -9,12 +9,12 @@ logsource: product: windows category: wmi_event detection: - selector: + selection: EventID: - 19 - 20 - 21 - condition: selector + condition: selection falsepositives: - Exclude legitimate (vetted) use of WMI event subscription in your network level: high
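Review bot: `TargetObject|endswith: '\Security\Trusted Documents\TrustRecords'` in the Office-security rule only matches when the written object is the `TrustRecords` key itself; when a user trusts a document, Office (as far as I know) writes a named value beneath that key whose name is the document path, so the TargetObject of the `registry_set` event ends with that path and this entry never matches — confirm against a Sysmon EventID 13 sample before changing it. If that holds, split it into its own clause `TargetObject|contains: '\Security\Trusted Documents\TrustRecords\'` and keep `endswith` only for `AccessVBOM` and `VBAWarnings`, joined with `condition: 1 of selection*`. A comment noting that `AccessVBOM`/`VBAWarnings` are the macro-security values and `TrustRecords` the per-document trust list would help readers unfamiliar with Office telemetry.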