Merge pull request #3385 from nasbench/nasbench-rule-devel
Update Sysmon Config
@@ -0,0 +1,20 @@
|
||||
title: Sysmon Blocked Executable
|
||||
id: 23b71bc5-953e-4971-be4c-c896cda73fc2
|
||||
description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set
|
||||
status: experimental
|
||||
author: Nasreddine Bencherchali
|
||||
date: 2022/08/16
|
||||
references:
|
||||
- https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
logsource:
|
||||
product: windows
|
||||
category: file_block
|
||||
detection:
|
||||
selection:
|
||||
Image: '*'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unlikely
|
||||
level: high
|
||||
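Review bot: The description in the new rule is a fragment with a grammatical slip ("Which should indicates"); suggest `description: Detects any Sysmon FileBlockExecutable event, which indicates a violation of the configured block policy`. The selection `Image: '*'` constrains nothing, so the rule fires on every event of the `file_block` logsource and its precision rests entirely on how the Sysmon FileBlockExecutable rules are tuned on the host; that is consistent with the title, but it is worth stating in the description, since `falsepositives: Unlikely` and `level: high` only hold when that configuration is deliberate. The rule also depends on the `file_block` category being mapped in every backend config, which this PR adds elsewhere.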
@@ -111,7 +111,7 @@ logsources:
|
||||
category: process_termination
|
||||
product: windows
|
||||
conditions:
|
||||
eventType: Win-Sysmon-5-Process-Terminated
|
||||
eventType: Win-Sysmon-5-Process-Terminated
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
|
||||
@@ -51,6 +51,14 @@ logsources:
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
sysmon_status_linux:
|
||||
category: sysmon_status
|
||||
product: linux
|
||||
conditions:
|
||||
EventID: 16
|
||||
rewrite:
|
||||
product: linux
|
||||
service: sysmon
|
||||
process_terminated:
|
||||
category: process_termination
|
||||
product: windows
|
||||
@@ -59,6 +67,14 @@ logsources:
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
process_terminated_linux:
|
||||
category: process_termination
|
||||
product: linux
|
||||
conditions:
|
||||
EventID: 5
|
||||
rewrite:
|
||||
product: linux
|
||||
service: sysmon
|
||||
driver_loaded:
|
||||
category: driver_load
|
||||
product: windows
|
||||
@@ -98,7 +114,15 @@ logsources:
|
||||
EventID: 10
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
service: sysmon
|
||||
raw_access_read_linux:
|
||||
category: raw_access_read
|
||||
product: linux
|
||||
conditions:
|
||||
EventID: 9
|
||||
rewrite:
|
||||
product: linux
|
||||
service: sysmon
|
||||
file_creation:
|
||||
category: file_event
|
||||
product: windows
|
||||
@@ -107,6 +131,14 @@ logsources:
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
file_creation_linux:
|
||||
category: file_event
|
||||
product: linux
|
||||
conditions:
|
||||
EventID: 11
|
||||
rewrite:
|
||||
product: linux
|
||||
service: sysmon
|
||||
registry_add:
|
||||
category: registry_add
|
||||
product: windows
|
||||
@@ -127,7 +159,7 @@ logsources:
|
||||
category: registry_set
|
||||
product: windows
|
||||
conditions:
|
||||
EventID: 13
|
||||
EventID: 13
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
@@ -143,9 +175,9 @@ logsources:
|
||||
category: registry_event
|
||||
product: windows
|
||||
conditions:
|
||||
EventID:
|
||||
- 12
|
||||
- 13
|
||||
EventID:
|
||||
- 12
|
||||
- 13
|
||||
- 14
|
||||
rewrite:
|
||||
product: windows
|
||||
@@ -162,7 +194,7 @@ logsources:
|
||||
category: pipe_created
|
||||
product: windows
|
||||
conditions:
|
||||
EventID:
|
||||
EventID:
|
||||
- 17
|
||||
- 18
|
||||
rewrite:
|
||||
@@ -172,7 +204,7 @@ logsources:
|
||||
category: wmi_event
|
||||
product: windows
|
||||
conditions:
|
||||
EventID:
|
||||
EventID:
|
||||
- 19
|
||||
- 20
|
||||
- 21
|
||||
@@ -191,12 +223,20 @@ logsources:
|
||||
category: file_delete
|
||||
product: windows
|
||||
conditions:
|
||||
EventID:
|
||||
EventID:
|
||||
- 23
|
||||
- 26
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
file_delete_linux:
|
||||
category: file_delete
|
||||
product: linux
|
||||
conditions:
|
||||
EventID: 23
|
||||
rewrite:
|
||||
product: linux
|
||||
service: sysmon
|
||||
clipboard_capture:
|
||||
category: clipboard_capture
|
||||
product: windows
|
||||
@@ -213,6 +253,14 @@ logsources:
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
file_block:
|
||||
category: file_block
|
||||
product: windows
|
||||
conditions:
|
||||
EventID: 27
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
sysmon_error:
|
||||
category: sysmon_error
|
||||
product: windows
|
||||
|
||||
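Review bot: In the `@@ -191,12 +223,20` hunk, `file_delete_linux` maps only `EventID: 23` while the Windows `file_delete` entry directly above it maps 23 and 26; the asymmetry looks intentional (Sysmon for Linux, as far as I know, does not emit FileDeleteDetected/26), but nothing in the file says so, and a later "sync" of the two lists would silently widen the Linux mapping. Suggest the comment `# Sysmon for Linux emits FileDelete as EventID 23 only; 26 (FileDeleteDetected) is Windows-only` on the `file_delete_linux` block. The new `file_block` entry in the `@@ -213,6 +253,14` hunk deserves a similar one-line note that no `file_block_linux` counterpart exists because FileBlockExecutable (EventID 27) is a Windows-only event at the time of this change; the same entry is added again in the later `@@ -225,6 +225,14` hunk of the second config. The enclosing `logsources:` mapping starts outside every hunk here.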
+10
-4
@@ -139,7 +139,7 @@ logsources:
|
||||
category: sysmon_status
|
||||
conditions:
|
||||
product_name: "Sysmon"
|
||||
vendor_id:
|
||||
vendor_id:
|
||||
- 4
|
||||
- 5
|
||||
windows-sysmon-error:
|
||||
@@ -171,7 +171,7 @@ logsources:
|
||||
category: pipe_created
|
||||
conditions:
|
||||
product_name: "Sysmon"
|
||||
vendor_id:
|
||||
vendor_id:
|
||||
- 17
|
||||
- 18
|
||||
windows-dns-query:
|
||||
@@ -204,7 +204,7 @@ logsources:
|
||||
vendor_id:
|
||||
- 19
|
||||
- 20
|
||||
- 21
|
||||
- 21
|
||||
windows-ldap-query:
|
||||
product: windows
|
||||
category: ldap_query
|
||||
@@ -720,7 +720,7 @@ logsources:
|
||||
category: registry_event
|
||||
conditions:
|
||||
product_name: "Sysmon"
|
||||
vendor_id:
|
||||
vendor_id:
|
||||
- 12
|
||||
- 13
|
||||
- 14
|
||||
@@ -748,6 +748,12 @@ logsources:
|
||||
conditions:
|
||||
product_name: "Sysmon"
|
||||
vendor_id: 14
|
||||
windows-file-block-executable:
|
||||
product: windows
|
||||
category: file_block
|
||||
conditions:
|
||||
product_name: "Sysmon"
|
||||
vendor_id: 27
|
||||
#dns:
|
||||
# category: dns
|
||||
# conditions:
|
||||
|
||||
@@ -152,7 +152,7 @@ logsources:
|
||||
EventID: 13
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
service: sysmon
|
||||
registry_rename:
|
||||
category: registry_rename
|
||||
product: windows
|
||||
@@ -225,6 +225,14 @@ logsources:
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
file_block:
|
||||
category: file_block
|
||||
product: windows
|
||||
conditions:
|
||||
EventID: 27
|
||||
rewrite:
|
||||
product: windows
|
||||
service: sysmon
|
||||
sysmon_error:
|
||||
category: sysmon_error
|
||||
product: windows
|
||||
|
||||