From d5133bcdd70e7e2dd51f3402eed32697ef1926d3 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 16 Aug 2022 19:47:44 +0100
Subject: [PATCH 1/2] Update Sysmon
---
 .../windows/sysmon/sysmon_file_block_exe.yml | 20 ++++++
 tools/config/generic/sysmon.yml | 64 ++++++++++++++++---
 2 files changed, 76 insertions(+), 8 deletions(-)
 create mode 100644 rules/windows/sysmon/sysmon_file_block_exe.yml
diff --git a/rules/windows/sysmon/sysmon_file_block_exe.yml b/rules/windows/sysmon/sysmon_file_block_exe.yml
new file mode 100644
index 000000000..534d5a90b
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_file_block_exe.yml
@@ -0,0 +1,20 @@
+title: Sysmon Blocked Executable
+id: 23b71bc5-953e-4971-be4c-c896cda73fc2
+description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set
+status: experimental
+author: Nasreddine Bencherchali
+date: 2022/08/16
+references:
+ - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: file_block
+detection:
+ selection:
+ Image: '*'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index 9926a51bd..ca18574c4 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -51,6 +51,14 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
+ sysmon_status_linux:
+ category: sysmon_status
+ product: linux
+ conditions:
+ EventID: 16
+ rewrite:
+ product: linux
+ service: sysmon
 process_terminated:
 category: process_termination
 product: windows
@@ -59,6 +67,14 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
+ process_terminated_linux:
+ category: process_termination
+ product: linux
+ conditions:
+ EventID: 5
+ rewrite:
+ product: linux
+ service: sysmon
 driver_loaded:
 category: driver_load
 product: windows
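Review bot: The `description` of the new rule is ungrammatical ("Which should indicates") and never names the event it fires on, even though the `tools/config/generic/sysmon.yml` hunk in this same patch maps `category: file_block` to EventID 27; I would write `description: Detects any Sysmon FileBlockExecutable event (Event ID 27), which indicates that a process tried to write an executable file matching a block rule in the deployed Sysmon configuration`. The `Image: '*'` catch-all selection is the usual idiom for "every event of this logsource", but it relies on the backend rendering a lone wildcard as match-all, so a comment such as `# any Event ID 27 is a policy violation; pivot on Image and the target file name when triaging` would make the intent clear to whoever converts the rule. How noisy the rule is depends entirely on how narrowly the block rules in the Sysmon configuration are scoped, so `- Unlikely` under `falsepositives` looks optimistic and could instead read `- Depends on how broadly the FileBlockExecutable rules in the Sysmon configuration are scoped`.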
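Review bot: The new `sysmon_status_linux` entry, like `process_terminated_linux` in the next hunk and `raw_access_read_linux`, `file_creation_linux` and `file_delete_linux` later in this file, conditions on `EventID`, which presumes the Linux ingestion pipeline exposes the Sysmon for Linux event number under the same `EventID` field name the Windows entries use; nothing in the file records that assumption. A comment above the first Linux entry, for example `# Sysmon for Linux entries: assume the collector surfaces the event number as EventID, exactly as for Windows`, would tell a SIEM maintainer which field mapping is expected. The five entries follow the shape of their Windows neighbours with only `product` changed, so any later change to a Windows event-ID condition should be mirrored here rather than left to drift.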
@@ -98,7 +114,15 @@ logsources:
 EventID: 10
 rewrite:
 product: windows
- service: sysmon
+ service: sysmon
+ raw_access_read_linux:
+ category: raw_access_read
+ product: linux
+ conditions:
+ EventID: 9
+ rewrite:
+ product: linux
+ service: sysmon
 file_creation:
 category: file_event
 product: windows
@@ -107,6 +131,14 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
+ file_creation_linux:
+ category: file_event
+ product: linux
+ conditions:
+ EventID: 11
+ rewrite:
+ product: linux
+ service: sysmon
 registry_add:
 category: registry_add
 product: windows
@@ -127,7 +159,7 @@ logsources:
 category: registry_set
 product: windows
 conditions:
- EventID: 13
+ EventID: 13
 rewrite:
 product: windows
 service: sysmon
@@ -143,9 +175,9 @@ logsources:
 category: registry_event
 product: windows
 conditions:
- EventID:
- - 12
- - 13
+ EventID:
+ - 12
+ - 13
 - 14
 rewrite:
 product: windows
@@ -162,7 +194,7 @@ logsources:
 category: pipe_created
 product: windows
 conditions:
- EventID:
+ EventID:
 - 17
 - 18
 rewrite:
@@ -172,7 +204,7 @@ logsources:
 category: wmi_event
 product: windows
 conditions:
- EventID:
+ EventID:
 - 19
 - 20
 - 21
@@ -191,12 +223,20 @@ logsources:
 category: file_delete
 product: windows
 conditions:
- EventID:
+ EventID:
 - 23
 - 26
 rewrite:
 product: windows
 service: sysmon
+ file_delete_linux:
+ category: file_delete
+ product: linux
+ conditions:
+ EventID: 23
+ rewrite:
+ product: linux
+ service: sysmon
 clipboard_capture:
 category: clipboard_capture
 product: windows
@@ -213,6 +253,14 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
+ file_block:
+ category: file_block
+ product: windows
+ conditions:
+ EventID: 27
+ rewrite:
+ product: windows
+ service: sysmon
 sysmon_error:
 category: sysmon_error
 product: windows
From f37fd2375b826ef39cf7a9925fe48f52d1651e5d Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 16 Aug 2022 20:18:46 +0100
Subject: [PATCH 2/2] Update config
---
 tools/config/fortisiem-windows.yml | 2 +-
 tools/config/hawk.yml | 14 ++++++++++----
 tools/config/thor.yml | 10 +++++++++-
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/tools/config/fortisiem-windows.yml b/tools/config/fortisiem-windows.yml
index 2e6e05490..04fad9e26 100644
--- a/tools/config/fortisiem-windows.yml
+++ b/tools/config/fortisiem-windows.yml
@@ -111,7 +111,7 @@ logsources:
 category: process_termination
 product: windows
 conditions:
- eventType: Win-Sysmon-5-Process-Terminated
+ eventType: Win-Sysmon-5-Process-Terminated
 rewrite:
 product: windows
 service: sysmon
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 2930e0f25..ac1386872 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -139,7 +139,7 @@ logsources:
 category: sysmon_status
 conditions:
 product_name: "Sysmon"
- vendor_id:
+ vendor_id:
 - 4
 - 5
 windows-sysmon-error:
@@ -171,7 +171,7 @@ logsources:
 category: pipe_created
 conditions:
 product_name: "Sysmon"
- vendor_id:
+ vendor_id:
 - 17
 - 18
 windows-dns-query:
@@ -204,7 +204,7 @@ logsources:
 vendor_id:
 - 19
 - 20
- - 21
+ - 21
 windows-ldap-query:
 product: windows
 category: ldap_query
@@ -720,7 +720,7 @@ logsources:
 category: registry_event
 conditions:
 product_name: "Sysmon"
- vendor_id:
+ vendor_id:
 - 12
 - 13
 - 14
@@ -748,6 +748,12 @@ logsources:
 conditions:
 product_name: "Sysmon"
 vendor_id: 14
+ windows-file-block-executable:
+ product: windows
+ category: file_block
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: 27
 #dns:
 # category: dns
 # conditions:
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 6cddafdd6..460359217 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
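Review bot: `windows-file-block-executable` gives hawk.yml a `file_block` mapping (`vendor_id: 27`) and `tools/config/thor.yml` gets the matching `file_block` entry in the next file, but `tools/config/fortisiem-windows.yml` in this same patch receives only a whitespace fix, so a rule with `category: file_block` has no logsource mapping in that config unless it is covered somewhere outside this diff. If that backend is meant to support the new rule, an entry using that file's `eventType` convention (cf. `Win-Sysmon-5-Process-Terminated`) should be added in the same change; otherwise a short line in the commit message saying FortiSIEM is intentionally left out would pre-empt the question. A one-line comment on the new hawk.yml entry, e.g. `# Sysmon 14+ FileBlockExecutable (Event ID 27)`, would also help readers who only see `vendor_id: 27`.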
@@ -152,7 +152,7 @@ logsources:
 EventID: 13
 rewrite:
 product: windows
- service: sysmon
+ service: sysmon
 registry_rename:
 category: registry_rename
 product: windows
@@ -225,6 +225,14 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
+ file_block:
+ category: file_block
+ product: windows
+ conditions:
+ EventID: 27
+ rewrite:
+ product: windows
+ service: sysmon
 sysmon_error:
 category: sysmon_error
 product: windows