diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml index 4bf1c83e5..087e75fd4 100644 --- a/rules/network/net_susp_network_scan.yml +++ b/rules/network/net_susp_network_scan.yml @@ -1,5 +1,7 @@ title: Network Scans description: Detects many failed connection attempts to different ports or hosts +logsource: + type: firewall detection: selection: log: network diff --git a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml index 57a31033f..d2c1942c1 100644 --- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml +++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml @@ -1,10 +1,10 @@ title: Multiple suspicious Response Codes caused by Single Client description: Detects possible exploitation activity or bugs in a web application +author: Thomas Patzke +logsource: + type: webserver detection: selection: - log: - - access.log - - error.log response: - 400 - 401 diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml index cd8584c1c..f2cf40427 100644 --- a/rules/web/web_webshell_keyword.yml +++ b/rules/web/web_webshell_keyword.yml @@ -1,10 +1,9 @@ title: Webshell Detection by Keyword -description: Detects webshells that use GET requests by keyword sarches in URL strings +description: Detects webshells that use GET requests by keyword sarches in URL strings +author: Florian Roth +logsource: + type: webserver detection: - selection: - log: - - access.log - - error.log keywords: - '=whoami' - '=net%20user' diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml index 9ef69b2ba..5f27e5232 100644 --- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml 
@@ -1,5 +1,8 @@ title: Mimikatz Usage description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups) +author: Florian Roth +logsource: + - product: windows detection: selection: EventLog: diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index ad0125603..a2af653f8 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -1,5 +1,8 @@ title: Relevant Anti-Virus Event description: This detection method points out highly relevant Antivirus events +author: Florian Roth +logsource: + - product: windows detection: selection: EventLog: Application diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 43ef48536..1c37eed66 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -1,13 +1,15 @@ title: Eventlog Cleared -description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities +description: One of the Windows Eventlogs has been cleared +reference: https://twitter.com/deviouspolack/status/832535435960209408 +author: Florian Roth +logsource: + - product: windows detection: selection: - EventLog: Security - EventID: - - 517 - - 1102 + EventLog: System + EventID: 104 condition: selection falsepositives: - - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - - System provisioning (system reset before the golden image creation) -level: high + - Unknown +level: medium + diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml index 55a17e3d6..98fab85d7 100644 --- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml 
+++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml @@ -1,6 +1,8 @@ title: Account Tampering - Suspicious Failed Logon Reasons description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. +author: Florian Roth logsource: + - product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml index 7cd8b2069..144012487 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml @@ -1,5 +1,8 @@ title: Multiple Failed Logins with Different Accounts from Single Source System description: Detects suspicious failed logins with different user accounts from a single source system +author: Florian Roth +logsource: + - product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/win_susp_kerberos_manipulation.yml index 7f7aaa37c..d92ec2eec 100644 --- a/rules/windows/builtin/win_susp_kerberos_manipulation.yml +++ b/rules/windows/builtin/win_susp_kerberos_manipulation.yml @@ -1,5 +1,8 @@ title: Kerberos Manipulation description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages +author: Florian Roth +logsource: + - product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml index 89b4114d2..e30a97562 100644 --- a/rules/windows/builtin/win_susp_lsass_dump.yml +++ b/rules/windows/builtin/win_susp_lsass_dump.yml 
@@ -2,6 +2,8 @@ title: Password Dumper Activity on LSASS description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN status: experimental reference: https://twitter.com/jackcr/status/807385668833968128 +logsource: + - product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml index 3f1edc393..77af083db 100644 --- a/rules/windows/builtin/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml @@ -2,6 +2,8 @@ title: Suspicious Kerberos RC4 Ticket Encryption status: experimental reference: https://adsecurity.org/?p=3458 description: Detects logons using RC4 encryption type +logsource: + - product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml new file mode 100644 index 000000000..fd5986837 --- /dev/null +++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml @@ -0,0 +1,16 @@ +title: Security Eventlog Cleared +description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities +author: Florian Roth +logsource: + - product: windows +detection: + selection: + EventLog: Security + EventID: + - 517 + - 1102 + condition: selection +falsepositives: + - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) + - System provisioning (system reset before the golden image creation) +level: high diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml index 90c5ed748..cee71ab3e 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml 
@@ -2,6 +2,9 @@ title: Mimikatz Detection LSASS Access status: experimental description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ) reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow +logsource: + - product: windows + - service: Microsoft-Windows-Sysmon detection: selection: - EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml index 1b8a6809e..b34e29c02 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml @@ -2,6 +2,9 @@ title: Mimikatz In-Memory Detection status: experimental description: Detects certain DLL loads when Mimikatz gets executed reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ +logsource: + - product: windows + - service: sysmon detection: dllload1: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml index aa29c5c2e..bd972d96e 100644 --- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml +++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml @@ -1,6 +1,9 @@ title: Password Dumper Remote Thread in LSASS description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundrets of events. -reference: Internal research +author: Thomas Patzke +logsource: + - product: windows + - service: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational 
diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 4ef9dd05d..8b97faf52 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -1,5 +1,9 @@ title: Suspicious Driver Load from Temp description: Detetcs a driver load from a temporary directory +author: Florian Roth +logsource: + - product: windows + - service: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index 9ab5d339b..f52ce6441 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml @@ -2,6 +2,9 @@ title: Proceses created by MMC status: experimental description: Processes started by MMC could by a sign of lateral movement using MMC application COM object reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ +logsource: + - product: windows + - service: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational @@ -13,4 +16,4 @@ detection: condition: selection and not exclusion falsepositives: - unknown -level: high +level: medium diff --git a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml index f5329300f..568dfbc3e 100644 --- a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml +++ b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml @@ -1,5 +1,9 @@ title: Java running with Remote Debugging description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect +author: Florian Roth +logsource: + - product: windows + - service: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational 
diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/sysmon/sysmon_webshell_detection.yml index f54e3640e..00341b220 100644 --- a/rules/windows/sysmon/sysmon_webshell_detection.yml +++ b/rules/windows/sysmon/sysmon_webshell_detection.yml @@ -1,5 +1,9 @@ title: Webshell Detection With Command Line Keywords -description: Detects certain command line parameters often used during reconnissaince activity via web shells +description: Detects certain command line parameters often used during reconnissaince activity via web shells +author: Florian Roth +logsource: + - product: windows + - service: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/sysmon/sysmon_webshell_spawn.yml index e468356e3..5c42da8bc 100644 --- a/rules/windows/sysmon/sysmon_webshell_spawn.yml +++ b/rules/windows/sysmon/sysmon_webshell_spawn.yml @@ -1,6 +1,10 @@ title: Shells spawned by Web Servers status: experimental description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack +author: Thomas Patzke +logsource: + - product: windows + - service: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational
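Review bot: In the net_susp_network_scan.yml hunk the new `logsource: type: firewall` block is added but the `log: network` field under `selection` is kept, whereas the two web rules in this same patch drop their `log:` selection entirely once `logsource` carries that information. Either remove `log: network` from the selection here as well, or keep the field in the web rules; mixing the two conventions means the same concept is expressed twice in one rule and once in another.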
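Review bot: In the web_webshell_keyword.yml hunk the `description:` line is removed and re-added with byte-identical visible text (`Detects webshells that use GET requests by keyword sarches in URL strings`), so this is a whitespace or line-ending change that also leaves the typo in place; since the line is being touched anyway, change `sarches` to `searches`. The hunk also deletes the whole `selection:` block (the `log:` list), leaving only `keywords:` under `detection`, so please confirm the `condition:` line (outside this hunk's context) no longer references `selection`, otherwise the rule will fail to resolve.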
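Review bot: In the win_alert_mimikatz_keywords.yml hunk `logsource` is written as a YAML sequence (`- product: windows`), which parses as a list containing a one-key mapping, while the network and web rules in this patch write `logsource` as a plain mapping (`type: firewall`, `type: webserver`). The mapping form is the one a converter can index by key; the list form forces every consumer to iterate and merge. Suggest `logsource:` / `  product: windows` here and in the other Windows rules in this patch (av_relevant_match, susp_eventlog_cleared, susp_failed_logon_reasons, susp_failed_logons_single_source, susp_kerberos_manipulation, susp_lsass_dump, susp_rc4_kerberos, the new security_eventlog_cleared, and all sysmon rules), so one shape is used throughout.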
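Review bot: In the win_susp_eventlog_cleared.yml hunk the rule is repurposed from Security 517/1102 to System 104 while the old content moves to a new file; that split is reasonable, but the hunk also adds a trailing empty `+` line after `level: medium`, which should be dropped so the file does not end with a blank line. The false positive list is reduced to `- Unknown` while the title-level description now says "One of the Windows Eventlogs has been cleared" although the selection only matches `EventLog: System`; either broaden the selection or narrow the description to the System log so the two agree.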
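Review bot: In the new-file hunk for win_susp_security_eventlog_cleared.yml the description is copied verbatim from the old rule including the typo `utitlities`; since this is a brand new file, fix it to `utilities` before it lands. The `logsource` here has the same sequence-vs-mapping issue noted for the other Windows rules.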
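Review bot: In the sysmon_mimikatz_detection_lsass.yml hunk the service is named `Microsoft-Windows-Sysmon`, while the other sysmon rules in this patch (mimikatz_inmemory_detection, password_dumper_lsass, susp_driver_load, susp_mmc_source, vul_java_remote_debugging, webshell_detection, webshell_spawn) use `service: sysmon`; a backend mapping keyed on the service name will match only one of the two, so pick one identifier. This hunk is also the only one that removes the `EventLog: Microsoft-Windows-Sysmon/Operational` selection line when adding `logsource`; the other sysmon hunks keep that line as context, so either remove it everywhere or keep it here.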
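Review bot: In the sysmon_password_dumper_lsass.yml hunk the line `reference: Internal research` is removed without a replacement, so the rule loses its (admittedly thin) provenance; if there is no public reference, consider keeping the line rather than dropping the field. The context line in the description also contains `hundrets`, which should read `hundreds`.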
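Review bot: In the sysmon_susp_mmc_source.yml hunks the level is lowered from `high` to `medium` while `falsepositives` stays `- unknown`; if the downgrade is based on observed noise, the false positive entry should say what was observed. While touching this file, the context lines carry two typos: `Proceses` in the title and `could by a sign` in the description (should be `Processes` and `could be a sign`).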
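Review bot: In the sysmon_webshell_detection.yml hunk the `description:` line is removed and re-added with identical visible text, so this is a whitespace-only change that keeps the typo `reconnissaince`; change it to `reconnaissance` since the line is already in the diff.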
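Review bot: In the sysmon_susp_driver_load.yml hunk the description context line reads `Detetcs a driver load from a temporary directory`; since the metadata block directly below it is being edited, fix `Detetcs` to `Detects` in the same change.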
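Review bot: In the sysmon_vul_java_remote_debugging.yml hunk the description context line reads `Detcts a JAVA process running with remote debugging`; fix `Detcts` to `Detects` (and `JAVA` to `Java`, matching the title) while the adjacent metadata is being added.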