From 986c9ff9b749e0eb9c1d827d15f04ec2e4d0ca85 Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Tue, 12 Sep 2017 23:54:04 +0200 Subject: [PATCH] Added field names to first rules --- rules/apt/apt_cloudhopper.yml | 3 +++ rules/apt/apt_pandemic.yml | 7 +++++++ rules/apt/apt_zxshell.yml | 3 +++ rules/apt/crime_fireball.yml | 3 +++ rules/network/net_susp_network_scan.yml | 4 ++++ rules/proxy/proxy_empty_ua.yml | 4 ++++ rules/proxy/proxy_exe_download_susp_tlds.yml | 3 +++ rules/proxy/proxy_powershell_ua.yml | 4 ++++ rules/proxy/proxy_ua_apt.yml | 4 ++++ rules/proxy/proxy_ua_frameworks.yml | 4 ++++ rules/proxy/proxy_ua_hacktool.yml | 4 ++++ rules/proxy/proxy_ua_malware.yml | 4 ++++ rules/proxy/proxy_ua_suspicious.yml | 4 ++++ .../web_multiple_suspicious_resp_codes_single_source.yml | 4 ++++ rules/web/web_webshell_keyword.yml | 4 ++++ rules/windows/malware/sysmon_malware_notpetya.yml | 3 +++ rules/windows/malware/sysmon_malware_wannacry.yml | 3 +++ rules/windows/other/win_tool_psexec.yml | 6 ++++++ rules/windows/sysmon/sysmon_bitsadmin_download.yml | 3 +++ rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml | 7 +++++++ rules/windows/sysmon/sysmon_malware_script_dropper.yml | 3 +++ rules/windows/sysmon/sysmon_mshta_spawn_shell.yml | 3 +++ rules/windows/sysmon/sysmon_office_macro_cmd.yml | 3 +++ rules/windows/sysmon/sysmon_office_shell.yml | 3 +++ rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml | 3 +++ rules/windows/sysmon/sysmon_powershell_download.yml | 3 +++ rules/windows/sysmon/sysmon_susp_certutil_command.yml | 3 +++ rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml | 3 +++ rules/windows/sysmon/sysmon_susp_control_dll_load.yml | 3 +++ rules/windows/sysmon/sysmon_susp_execution_path.yml | 3 +++ .../sysmon/sysmon_susp_execution_path_webserver.yml | 3 +++ rules/windows/sysmon/sysmon_susp_mmc_source.yml | 3 +++ rules/windows/sysmon/sysmon_susp_net_execution.yml | 3 +++ .../windows/sysmon/sysmon_susp_powershell_parent_combo.yml | 3 +++ rules/windows/sysmon/sysmon_susp_recon_activity.yml | 3 +++ 
rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml | 3 +++ rules/windows/sysmon/sysmon_susp_schtask_creation.yml | 3 +++ rules/windows/sysmon/sysmon_susp_script_execution.yml | 3 +++ rules/windows/sysmon/sysmon_susp_svchost.yml | 3 +++ .../windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml | 3 +++ rules/windows/sysmon/sysmon_susp_wmi_execution.yml | 3 +++ rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml | 3 +++ rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml | 3 +++ rules/windows/sysmon/sysmon_webshell_detection.yml | 3 +++ rules/windows/sysmon/sysmon_webshell_spawn.yml | 3 +++ 45 files changed, 156 insertions(+) diff --git a/rules/apt/apt_cloudhopper.yml b/rules/apt/apt_cloudhopper.yml index 5249d4893..7b365fbdb 100644 --- a/rules/apt/apt_cloudhopper.yml +++ b/rules/apt/apt_cloudhopper.yml @@ -11,6 +11,9 @@ detection: Image: '*\cscript.exe' CommandLine: '*.vbs /shell *' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Unlikely level: critical diff --git a/rules/apt/apt_pandemic.yml b/rules/apt/apt_pandemic.yml index 670075e56..49cfe61df 100644 --- a/rules/apt/apt_pandemic.yml +++ b/rules/apt/apt_pandemic.yml @@ -19,6 +19,13 @@ detection: EventID: 1 Command: 'loaddll -a *' condition: selection1 or selection2 +fields: + - EventID + - CommandLine + - ParentCommandLine + - Image + - User + - TargetObject falsepositives: - unknown level: critical diff --git a/rules/apt/apt_zxshell.yml b/rules/apt/apt_zxshell.yml index d666ce3cf..ae3f0b971 100644 --- a/rules/apt/apt_zxshell.yml +++ b/rules/apt/apt_zxshell.yml @@ -12,6 +12,9 @@ detection: - 'rundll32.exe *,zxFunction*' - 'rundll32.exe *,RemoteDiskXXXXX' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Unlikely level: critical diff --git a/rules/apt/crime_fireball.yml b/rules/apt/crime_fireball.yml index 4be1055af..46c21dd9d 100644 --- a/rules/apt/crime_fireball.yml +++ b/rules/apt/crime_fireball.yml 
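Review bot: In the apt_pandemic.yml hunk the new `fields` list names `CommandLine`, but the selection directly above it matches on `Command: 'loaddll -a *'`, so the value the rule keys on would not be among the listed output fields as written. If that selection is meant to match the Sysmon process-creation command line (the rest of the rule is outside the hunk), the key should read `CommandLine: 'loaddll -a *'` to agree with the fields list; otherwise `  - Command` belongs in `fields`. Either way the selection and the fields list should name the same attribute so a backend emits the matched value with the alert.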
@@ -14,6 +14,9 @@ detection: EventID: 1 CommandLine: '*\rundll32.exe *,InstallArcherSvc' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Unknown level: high diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml index a86bd3a8f..c0de5d6fa 100644 --- a/rules/network/net_susp_network_scan.yml +++ b/rules/network/net_susp_network_scan.yml @@ -10,6 +10,10 @@ detection: condition: - selection | count(dst_port) by src_ip > 10 - selection | count(dst_ip) by src_ip > 10 +fields: + - src_ip + - dst_ip + - dst_port falsepositives: - Inventarization systems - Vulnerability scans diff --git a/rules/proxy/proxy_empty_ua.yml b/rules/proxy/proxy_empty_ua.yml index 62eb0edef..4ffd58f4b 100644 --- a/rules/proxy/proxy_empty_ua.yml +++ b/rules/proxy/proxy_empty_ua.yml @@ -12,6 +12,10 @@ detection: # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString - '' condition: selection +fields: + - ClientIP + - URL + - UserAgent falsepositives: - Unknown level: medium diff --git a/rules/proxy/proxy_exe_download_susp_tlds.yml b/rules/proxy/proxy_exe_download_susp_tlds.yml index 8fe720761..597200b45 100644 --- a/rules/proxy/proxy_exe_download_susp_tlds.yml +++ b/rules/proxy/proxy_exe_download_susp_tlds.yml @@ -28,6 +28,9 @@ detection: - '*.no' - '*.es' condition: selection +fields: + - ClientIP + - URL falsepositives: - All kind of software downloads level: low diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml index fdaf98d03..7ce34000e 100644 --- a/rules/proxy/proxy_powershell_ua.yml +++ b/rules/proxy/proxy_powershell_ua.yml @@ -9,6 +9,10 @@ detection: selection: UserAgent: '* WindowsPowerShell/*' condition: selection +fields: + - ClientIP + - URL + - UserAgent falsepositives: - Administrative scripts that download files from the Internet - Administrative scripts that retrieve certain website contents 
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index e600f6fc2..c15d8253a 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml @@ -25,6 +25,10 @@ detection: - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related condition: selection +fields: + - ClientIP + - URL + - UserAgent falsepositives: - Old browsers level: high diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml index 0ee36c783..9beda694a 100644 --- a/rules/proxy/proxy_ua_frameworks.yml +++ b/rules/proxy/proxy_ua_frameworks.yml @@ -38,6 +38,10 @@ detection: - '*wordpress hash grabber*' - '*exploit*' condition: selection +fields: + - ClientIP + - URL + - UserAgent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml index 251637b2f..122a7fb75 100644 --- a/rules/proxy/proxy_ua_hacktool.yml +++ b/rules/proxy/proxy_ua_hacktool.yml @@ -61,6 +61,10 @@ detection: # Hack tool - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/ condition: selection +fields: + - ClientIP + - URL + - UserAgent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml index c6c7fb68b..e23da1e79 100644 --- a/rules/proxy/proxy_ua_malware.yml +++ b/rules/proxy/proxy_ua_malware.yml @@ -58,6 +58,10 @@ detection: - 'AutoIt' # Suspicious - base-lining recommended - 'IczelionDownLoad' condition: selection +fields: + - ClientIP + - URL + - UserAgent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml index b37dd3bd9..89b0aae10 100644 --- a/rules/proxy/proxy_ua_suspicious.yml +++ b/rules/proxy/proxy_ua_suspicious.yml 
@@ -21,6 +21,10 @@ detection: - 'Mozila/*' # single 'l' - '_' condition: selection +fields: + - ClientIP + - URL + - UserAgent falsepositives: - Unknown level: high diff --git a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml index 315673e92..b2993d94a 100644 --- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml +++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml @@ -12,6 +12,10 @@ detection: - 500 timeframe: 10m condition: selection | count() by clientip > 10 +fields: + - client_ip + - url + - response falsepositives: - Unstable application - Application that misuses the response codes diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml index be6d99fab..b2d8988ac 100644 --- a/rules/web/web_webshell_keyword.yml +++ b/rules/web/web_webshell_keyword.yml @@ -9,6 +9,10 @@ detection: - '=net%20user' - '=cmd%20/c%20' condition: keywords +fields: + - client_ip + - url + - response falsepositives: - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs - User searches in search boxes of the respective website diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml index ab5aa0fad..ecb66fb5c 100644 --- a/rules/windows/malware/sysmon_malware_notpetya.yml +++ b/rules/windows/malware/sysmon_malware_notpetya.yml @@ -27,6 +27,9 @@ detection: perfc_keyword: - '*\perfc.dat*' condition: fsutil_clean_journal or pipe_com or event_clean or rundll32_dash1 or perfc_keyword +fields: + - CommandLine + - ParentCommandLine falsepositives: - Admin activity level: critical diff --git a/rules/windows/malware/sysmon_malware_wannacry.yml b/rules/windows/malware/sysmon_malware_wannacry.yml index 963cc67b8..2f3cded0b 100644 --- a/rules/windows/malware/sysmon_malware_wannacry.yml +++ b/rules/windows/malware/sysmon_malware_wannacry.yml 
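Review bot: In web_multiple_suspicious_resp_codes_single_source.yml the new fields list `client_ip`, `url` and `response`, while the condition on the line before aggregates with `count() by clientip`, so the same attribute is spelled two ways inside one rule; pick one, e.g. `condition: selection | count() by client_ip > 10`. The proxy rules in this commit (proxy_empty_ua.yml through proxy_ua_suspicious.yml) use `ClientIP` and `URL` for what appears to be the same data, so the web and proxy rule families end up with different field-name conventions that every backend field mapping has to cover twice. web_webshell_keyword.yml in this hunk shares the `client_ip`/`url` spelling, so unless the web rules are renamed the only change needed here is the aggregation key.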
@@ -30,6 +30,9 @@ detection: - '*wbadmin delete catalog -quiet*' - '*@Please_Read_Me@.txt*' condition: selection1 or selection2 +fields: + - CommandLine + - ParentCommandLine falsepositives: - Diskpart.exe usage to manage partitions on the local hard drive level: critical diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 52aed3992..548ae6d52 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -18,6 +18,12 @@ detection: Image: '*\PSEXESVC.exe' User: 'NT AUTHORITY\SYSTEM' condition: service_installation or service_execution or sysmon_processcreation +fields: + - EventID + - CommandLine + - ParentCommandLine + - ServiceName + - ServiceFileName falsepositives: - unknown level: low diff --git a/rules/windows/sysmon/sysmon_bitsadmin_download.yml b/rules/windows/sysmon/sysmon_bitsadmin_download.yml index 2b72d1971..b84a21fc4 100644 --- a/rules/windows/sysmon/sysmon_bitsadmin_download.yml +++ b/rules/windows/sysmon/sysmon_bitsadmin_download.yml @@ -16,6 +16,9 @@ detection: CommandLine: - '/transfer' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Some legitimate apps use this, but limited. level: medium diff --git a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml index d315e2b92..e80e98459 100644 --- a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml +++ b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml @@ -16,6 +16,13 @@ detection: EventID: 13 TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll' condition: dnsadmin or dnsregmod +fields: + - EventID + - CommandLine + - ParentCommandLine + - Image + - User + - TargetObject falsepositives: - unknown level: high diff --git a/rules/windows/sysmon/sysmon_malware_script_dropper.yml b/rules/windows/sysmon/sysmon_malware_script_dropper.yml index 5e0450d5e..95b29fd80 100644 
--- a/rules/windows/sysmon/sysmon_malware_script_dropper.yml +++ b/rules/windows/sysmon/sysmon_malware_script_dropper.yml @@ -25,6 +25,9 @@ detection: falsepositive: ParentImage: '*\winzip*' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Winzip - Other self-extractors diff --git a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml index f47751fbd..2cdefc3d0 100644 --- a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml +++ b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml @@ -25,6 +25,9 @@ detection: - '*/HP/HP*' - '*\HP\HP*' condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine falsepositives: - Printer software / driver installations level: high diff --git a/rules/windows/sysmon/sysmon_office_macro_cmd.yml b/rules/windows/sysmon/sysmon_office_macro_cmd.yml index c308cee13..c99d9737c 100644 --- a/rules/windows/sysmon/sysmon_office_macro_cmd.yml +++ b/rules/windows/sysmon/sysmon_office_macro_cmd.yml @@ -14,6 +14,9 @@ detection: - '*\EXCEL.EXE' Image: '*\cmd.exe' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - unknown level: high diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml index 9881f03ce..21d7ac123 100644 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ b/rules/windows/sysmon/sysmon_office_shell.yml @@ -26,6 +26,9 @@ detection: - '*\regsvr32.exe' # see https://twitter.com/subTee/status/899283365647458305 - '*\hh.exe' # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100 condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - unknown level: high diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml index 9ad900b70..fee494a62 100644 
--- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml @@ -137,6 +137,9 @@ detection: ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc ) +fields: + - CommandLine + - ParentCommandLine falsepositives: - Unknown level: high diff --git a/rules/windows/sysmon/sysmon_powershell_download.yml b/rules/windows/sysmon/sysmon_powershell_download.yml index 4ec6e7993..2bf867086 100644 --- a/rules/windows/sysmon/sysmon_powershell_download.yml +++ b/rules/windows/sysmon/sysmon_powershell_download.yml @@ -13,6 +13,9 @@ detection: - '*new-object system.net.webclient).downloadstring(*' - '*new-object system.net.webclient).downloadfile(*' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - unknown level: medium diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml index b4e3061c0..0576e250b 100644 --- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml +++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml @@ -24,6 +24,9 @@ detection: - '*\certutil.exe *-URL*' - '*\certutil.exe *-ping*' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: high diff --git a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml index ca5283258..07880455f 100644 --- a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml +++ b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml @@ -15,6 +15,9 @@ detection: - 'cmd.exe /c *http://*%AppData%' - 'cmd.exe /c *https://*%AppData%' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - High level: medium 
diff --git a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml index 0d87903d4..d53839fc6 100644 --- a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml @@ -15,6 +15,9 @@ detection: filter: CommandLine: '*Shell32.dll*' condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine falsepositives: - Unknown level: high diff --git a/rules/windows/sysmon/sysmon_susp_execution_path.yml b/rules/windows/sysmon/sysmon_susp_execution_path.yml index 50aadb863..d1f06b220 100644 --- a/rules/windows/sysmon/sysmon_susp_execution_path.yml +++ b/rules/windows/sysmon/sysmon_susp_execution_path.yml @@ -19,6 +19,9 @@ detection: - '*\Windows\IME\*' - '*\Windows\addins\*' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Unknown level: high diff --git a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml b/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml index 04b0220da..017d726cf 100644 --- a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml +++ b/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml @@ -20,6 +20,9 @@ detection: ParentImage: - '*\services.exe' condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine falsepositives: - Various applications - Tools that include ping or nslookup command invocations diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index c4a54c34a..826133637 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml @@ -13,6 +13,9 @@ detection: exclusion: CommandLine: '*\RunCmd.cmd' condition: selection and not exclusion +fields: + - CommandLine + - ParentCommandLine falsepositives: - unknown level: medium 
diff --git a/rules/windows/sysmon/sysmon_susp_net_execution.yml b/rules/windows/sysmon/sysmon_susp_net_execution.yml index c0e42931a..2eb37dc79 100644 --- a/rules/windows/sysmon/sysmon_susp_net_execution.yml +++ b/rules/windows/sysmon/sysmon_susp_net_execution.yml @@ -21,6 +21,9 @@ detection: - '* accounts*' - '* use*' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine. level: medium diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml index 13fa6bebe..2b4327d8b 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml @@ -17,6 +17,9 @@ detection: falsepositive: CurrentDirectory: '*\Health Service State\*' condition: selection and not falsepositive +fields: + - CommandLine + - ParentCommandLine falsepositives: - Microsoft Operations Manager (MOM) - Other scripts diff --git a/rules/windows/sysmon/sysmon_susp_recon_activity.yml b/rules/windows/sysmon/sysmon_susp_recon_activity.yml index e0addf980..00f385f4e 100644 --- a/rules/windows/sysmon/sysmon_susp_recon_activity.yml +++ b/rules/windows/sysmon/sysmon_susp_recon_activity.yml @@ -12,6 +12,9 @@ detection: - 'net group "domain admins" /domain' - 'net localgroup administrators' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Inventory tool runs - Penetration tests diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml index 295ee3449..b186c75c3 100644 --- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml +++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml 
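Review bot: In sysmon_susp_powershell_parent_combo.yml the rule suppresses matches via `CurrentDirectory: '*\Health Service State\*'`, yet the new fields list only `CommandLine` and `ParentCommandLine`, so an analyst tuning the MOM false positive named right below cannot see the directory value that decides the filter. The same gap appears in sysmon_susp_schtask_creation.yml, whose filter keys on `User: 'NT AUTHORITY\SYSTEM'` without `User` being listed. Adding the filter's field to the list, `  - CurrentDirectory` here and `  - User` there, keeps the output self-explanatory when a filter is what let an event through.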
@@ -31,6 +31,9 @@ detection: Image: '*\wscript.exe' ParentImage: '*\regsvr32.exe' condition: selection1 or selection2 or selection3 or selection4 +fields: + - CommandLine + - ParentCommandLine falsepositives: - Unknown level: high diff --git a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml index 5b255d1e4..61bcac694 100644 --- a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml +++ b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml @@ -13,6 +13,9 @@ detection: filter: User: 'NT AUTHORITY\SYSTEM' condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine falsepositives: - Administrative activity - Software installation diff --git a/rules/windows/sysmon/sysmon_susp_script_execution.yml b/rules/windows/sysmon/sysmon_susp_script_execution.yml index 30cbf0aa6..8e11c69b5 100644 --- a/rules/windows/sysmon/sysmon_susp_script_execution.yml +++ b/rules/windows/sysmon/sysmon_susp_script_execution.yml @@ -17,6 +17,9 @@ detection: - '*.js' - '*.vba' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy. level: medium diff --git a/rules/windows/sysmon/sysmon_susp_svchost.yml b/rules/windows/sysmon/sysmon_susp_svchost.yml index 811fc71b8..c9107d19a 100644 --- a/rules/windows/sysmon/sysmon_susp_svchost.yml +++ b/rules/windows/sysmon/sysmon_susp_svchost.yml @@ -13,6 +13,9 @@ detection: filter: ParentImage: '*\services.exe' condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine falsepositives: - Unknown level: high diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml index 591353152..8709b3701 100644 --- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml +++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml 
@@ -23,6 +23,9 @@ detection: - 'vssadmin delete shadows /for=C:' - 'reg SAVE HKLM\SYSTEM ' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Administrative activity level: high diff --git a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml index 1b7f37549..479fb4fe7 100644 --- a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml +++ b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml @@ -20,6 +20,9 @@ detection: - '* path FirewallProduct get *' - '* shadowcopy delete *' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Will need to be tuned - If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine. diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index 2893e3967..3472e28c3 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -18,6 +18,9 @@ detection: filterprocess: Image: '*\mmc.exe' condition: methregistry or ( methprocess and not filterprocess ) +fields: + - CommandLine + - ParentCommandLine falsepositives: - unknown level: critical diff --git a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml index 3a51df412..a2206407d 100644 --- a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml +++ b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml @@ -12,6 +12,9 @@ detection: - CommandLine: '*address=127.0.0.1*' - CommandLine: '*address=localhost*' condition: selection and not exclusion +fields: + - CommandLine + - ParentCommandLine falsepositives: - unknown level: medium diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/sysmon/sysmon_webshell_detection.yml index 0ce150e58..64945dc71 100644 
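Review bot: In sysmon_uac_bypass_eventvwr.yml the condition is `methregistry or ( methprocess and not filterprocess )`, but the new fields list only `CommandLine` and `ParentCommandLine`; if `methregistry` is a Sysmon registry selection, as its name suggests (its definition lies outside the hunk), matches from that branch carry no command line and would yield empty output fields. apt_pandemic.yml and sysmon_dns_serverlevelplugindll.yml in this same commit handle a mixed process/registry rule by listing `EventID`, `Image`, `User` and `TargetObject` alongside the command-line fields, and the same list would fit here. At minimum `  - TargetObject` should be added so the registry branch reports the key that triggered.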
--- a/rules/windows/sysmon/sysmon_webshell_detection.yml +++ b/rules/windows/sysmon/sysmon_webshell_detection.yml @@ -20,6 +20,9 @@ detection: - 'ping -n' - 'systeminfo' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - unknown level: high diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/sysmon/sysmon_webshell_spawn.yml index 2a5801805..01fc3e417 100644 --- a/rules/windows/sysmon/sysmon_webshell_spawn.yml +++ b/rules/windows/sysmon/sysmon_webshell_spawn.yml @@ -19,6 +19,9 @@ detection: - '*\bash.exe' - '*\powershell.exe' condition: selection +fields: + - CommandLine + - ParentCommandLine falsepositives: - Particular web applications may spawn a shell process legitimately level: high