Nasreddine Bencherchali
e052677142
Create Release / Create Release (push) Has been cancelled
fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C: fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition fix: Credential Manager Access By Uncommon Application - Enhance FP filters fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost" fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location. fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and Update logic to be more accurate fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and update and restructure false positive filters new: Communication To Uncommon Destination Ports new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension remove: Credential Dumping Tools Service Execution remove: New Service Uses Double Ampersand in Path remove: Powershell File and Directory Discovery remove: PowerShell Scripts Run by a Services remove: Security Event Log Cleared remove: Suspicious Get-WmiObject remove: Windows Defender Threat Detection Disabled update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage update: Failed Code Integrity Checks - Reduce level to informational update: HH.EXE Execution - Reduce level to low update: Locked Workstation - Reduce level to informational update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports update: PUA - Nmap/Zenmap Execution - Reduce level to medium update: PUA - Process Hacker Execution - Reduce level to medium update: PUA - Radmin Viewer Utility Execution - Reduce level to medium update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters update: Suspicious Executable File Creation - Enhance coverage by removing hardocded "C:" update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition update: Suspicious Schtasks From Env Var Folder - Reduce level to medium update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium update: Whoami Utility Execution - Reduce level to low update: Whoami.EXE Execution With Output Option - Reduce level to medium update: Windows Defender Malware Detection History Deletion - Reduce level to informational update: WMI Event Consumer Created Named Pipe - Reduce leve to medium --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Thanks: @Blackmore-Robert Thanks: @swachchhanda000 Thanks: @celalettin-turgut Thanks: @AaronS97
573 lines
16 KiB
YAML
573 lines
16 KiB
YAML
title: THOR
|
|
order: 20
|
|
backends:
|
|
- thor
|
|
# this configuration differs from other configurations and can not be used
|
|
# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.
|
|
logsources:
|
|
# log source configurations for generic sigma rules
|
|
process_creation_1:
|
|
category: process_creation
|
|
product: windows
|
|
conditions:
|
|
EventID: 1
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
process_creation_2:
|
|
category: process_creation
|
|
product: windows
|
|
conditions:
|
|
EventID: 4688
|
|
rewrite:
|
|
product: windows
|
|
service: security
|
|
fieldmappings:
|
|
Image: NewProcessName
|
|
ParentImage: ParentProcessName
|
|
network_connection:
|
|
category: network_connection
|
|
product: windows
|
|
conditions:
|
|
EventID: 3
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
sysmon_status1:
|
|
category: sysmon_status
|
|
product: windows
|
|
conditions:
|
|
EventID: 4
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
sysmon_status2:
|
|
category: sysmon_status
|
|
product: windows
|
|
conditions:
|
|
EventID: 16
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
process_terminated:
|
|
category: process_termination
|
|
product: windows
|
|
conditions:
|
|
EventID: 5
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
driver_loaded:
|
|
category: driver_load
|
|
product: windows
|
|
conditions:
|
|
EventID: 6
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
image_loaded:
|
|
category: image_load
|
|
product: windows
|
|
conditions:
|
|
EventID: 7
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
create_remote_thread:
|
|
category: create_remote_thread
|
|
product: windows
|
|
conditions:
|
|
EventID: 8
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
raw_access_thread:
|
|
category: raw_access_thread
|
|
product: windows
|
|
conditions:
|
|
EventID: 9
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
process_access:
|
|
category: process_access
|
|
product: windows
|
|
conditions:
|
|
EventID: 10
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
file_creation:
|
|
category: file_event
|
|
product: windows
|
|
conditions:
|
|
EventID: 11
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
registry_event1:
|
|
category: registry_event
|
|
product: windows
|
|
conditions:
|
|
EventID: 12
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
registry_event2:
|
|
category: registry_event
|
|
product: windows
|
|
conditions:
|
|
EventID: 13
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
registry_event3:
|
|
category: registry_event
|
|
product: windows
|
|
conditions:
|
|
EventID: 14
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
registry_add:
|
|
category: registry_add
|
|
product: windows
|
|
conditions:
|
|
EventID: 12
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
registry_delete:
|
|
category: registry_delete
|
|
product: windows
|
|
conditions:
|
|
EventID: 12
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
registry_set:
|
|
category: registry_set
|
|
product: windows
|
|
conditions:
|
|
EventID: 13
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
registry_rename:
|
|
category: registry_rename
|
|
product: windows
|
|
conditions:
|
|
EventID: 14
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
create_stream_hash:
|
|
category: create_stream_hash
|
|
product: windows
|
|
conditions:
|
|
EventID: 15
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
pipe_created1:
|
|
category: pipe_created
|
|
product: windows
|
|
conditions:
|
|
EventID: 17
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
pipe_created2:
|
|
category: pipe_created
|
|
product: windows
|
|
conditions:
|
|
EventID: 18
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
wmi_event1:
|
|
category: wmi_event
|
|
product: windows
|
|
conditions:
|
|
EventID: 19
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
wmi_event2:
|
|
category: wmi_event
|
|
product: windows
|
|
conditions:
|
|
EventID: 20
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
wmi_event3:
|
|
category: wmi_event
|
|
product: windows
|
|
conditions:
|
|
EventID: 21
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
dns_query:
|
|
category: dns_query
|
|
product: windows
|
|
conditions:
|
|
EventID: 22
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
file_delete:
|
|
category: file_delete
|
|
product: windows
|
|
conditions:
|
|
EventID: 23
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
clipboard_change:
|
|
category: clipboard_change
|
|
product: windows
|
|
conditions:
|
|
EventID: 24
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
process_tampering:
|
|
category: process_tampering
|
|
product: windows
|
|
conditions:
|
|
EventID: 25
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
file_delete_detected:
|
|
category: file_delete_detected
|
|
product: windows
|
|
conditions:
|
|
EventID: 26
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
file_block_executable:
|
|
category: file_block_executable
|
|
product: windows
|
|
conditions:
|
|
EventID: 27
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
file_block_shredding:
|
|
category: file_block_shredding
|
|
product: windows
|
|
conditions:
|
|
EventID: 28
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
file_executable_detected:
|
|
category: file_executable_detected
|
|
product: windows
|
|
conditions:
|
|
EventID: 29
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
sysmon_error:
|
|
category: sysmon_error
|
|
product: windows
|
|
conditions:
|
|
EventID: 255
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
# PowerShell Operational
|
|
ps_module:
|
|
category: ps_module
|
|
product: windows
|
|
conditions:
|
|
EventID: 4103
|
|
rewrite:
|
|
product: windows
|
|
service: powershell
|
|
ps_script:
|
|
category: ps_script
|
|
product: windows
|
|
conditions:
|
|
EventID: 4104
|
|
rewrite:
|
|
product: windows
|
|
service: powershell
|
|
# Powershell "classic" channel
|
|
ps_classic_start:
|
|
category: ps_classic_start
|
|
product: windows
|
|
conditions:
|
|
EventID: 400
|
|
rewrite:
|
|
product: windows
|
|
service: powershell-classic
|
|
ps_classic_provider_start:
|
|
category: ps_classic_provider_start
|
|
product: windows
|
|
conditions:
|
|
EventID: 600
|
|
rewrite:
|
|
product: windows
|
|
service: powershell-classic
|
|
ps_classic_script:
|
|
category: ps_classic_script
|
|
product: windows
|
|
conditions:
|
|
EventID: 800
|
|
rewrite:
|
|
product: windows
|
|
service: powershell-classic
|
|
# target system configurations
|
|
windows-application:
|
|
product: windows
|
|
service: application
|
|
sources:
|
|
- "WinEventLog:Application"
|
|
windows-security:
|
|
product: windows
|
|
service: security
|
|
sources:
|
|
- "WinEventLog:Security"
|
|
windows-system:
|
|
product: windows
|
|
service: system
|
|
sources:
|
|
- "WinEventLog:System"
|
|
windows-ntlm:
|
|
product: windows
|
|
service: ntlm
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-NTLM/Operational"
|
|
windows-sysmon:
|
|
product: windows
|
|
service: sysmon
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-Sysmon/Operational"
|
|
windows-powershell:
|
|
product: windows
|
|
service: powershell
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-PowerShell/Operational"
|
|
- "WinEventLog:PowerShellCore/Operational"
|
|
windows-classicpowershell:
|
|
product: windows
|
|
service: powershell-classic
|
|
sources:
|
|
- "WinEventLog:Windows PowerShell"
|
|
windows-taskscheduler:
|
|
product: windows
|
|
service: taskscheduler
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
|
|
windows-wmi:
|
|
product: windows
|
|
service: wmi
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-WMI-Activity/Operational"
|
|
windows-dhcp:
|
|
product: windows
|
|
service: dhcp
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-DHCP-Server/Operational"
|
|
windows-printservice-admin:
|
|
product: windows
|
|
service: printservice-admin
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-PrintService/Admin"
|
|
windows-smbclient-security:
|
|
product: windows
|
|
service: smbclient-security
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-SmbClient/Security"
|
|
windows-smbclient-connectivity:
|
|
product: windows
|
|
service: smbclient-connectivity
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-SmbClient/Connectivity"
|
|
windows-printservice-operational:
|
|
product: windows
|
|
service: printservice-operational
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-PrintService/Operational"
|
|
windows-terminalservices-localsessionmanager-operational:
|
|
product: windows
|
|
service: terminalservices-localsessionmanager
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
|
|
windows-codeintegrity-operational:
|
|
product: windows
|
|
service: codeintegrity-operational
|
|
sources:
|
|
- "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"
|
|
windows-applocker:
|
|
product: windows
|
|
service: applocker
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
|
|
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
|
|
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
|
|
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
|
|
windows-msexchange-management:
|
|
product: windows
|
|
service: msexchange-management
|
|
sources:
|
|
- 'WinEventLog:MSExchange Management'
|
|
windows-defender:
|
|
product: windows
|
|
service: windefend
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
|
|
windows-defender-antivirus-mapping:
|
|
category: antivirus
|
|
conditions:
|
|
EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
|
|
- 1006
|
|
- 1007
|
|
- 1008
|
|
- 1009
|
|
- 1010
|
|
- 1011
|
|
- 1012
|
|
- 1017
|
|
- 1018
|
|
- 1019
|
|
- 1115
|
|
- 1116
|
|
rewrite:
|
|
product: windows
|
|
service: windefend
|
|
fieldmappings:
|
|
Signature: ThreatName
|
|
Filename: Path
|
|
windows-firewall-advanced-security:
|
|
product: windows
|
|
service: firewall-as
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
|
|
windows-bits-client:
|
|
product: windows
|
|
service: bits-client
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
|
|
windows-security-mitigations:
|
|
product: windows
|
|
service: security-mitigations
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
|
|
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
|
|
windows-diagnosis:
|
|
product: windows
|
|
service: diagnosis-scripted
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
|
|
windows-shell-core:
|
|
product: windows
|
|
service: shell-core
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
|
|
windows-openssh:
|
|
product: windows
|
|
service: openssh
|
|
sources:
|
|
- 'WinEventLog:OpenSSH/Operational'
|
|
windows-ldap-debug:
|
|
product: windows
|
|
service: ldap_debug
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
|
|
windows-bitlocker:
|
|
product: windows
|
|
service: bitlocker
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
|
|
windows-vhdmp:
|
|
product: windows
|
|
service: vhdmp
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
|
|
windows-appxdeployment-server:
|
|
product: windows
|
|
service: appxdeployment-server
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
|
|
windows-lsa-server:
|
|
product: windows
|
|
service: lsa-server
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-LSA/Operational'
|
|
windows-appxpackaging-om:
|
|
product: windows
|
|
service: appxpackaging-om
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'
|
|
windows-dns-client:
|
|
product: windows
|
|
service: dns-client
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'
|
|
windows-appmodel-runtime:
|
|
product: windows
|
|
service: appmodel-runtime
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'
|
|
windows-capi2:
|
|
product: windows
|
|
service: capi2
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-CAPI2/Operational'
|
|
windows-certificateservicesclient-lifecycle:
|
|
product: windows
|
|
service: certificateservicesclient-lifecycle-system
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
|
|
windows-kernel-shimengine:
|
|
product: windows
|
|
service: kernel-shimengine
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Operational'
|
|
- 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Diagnostic'
|
|
windows-application-experience:
|
|
product: windows
|
|
service: application-experience
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Telemetry'
|
|
- 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'
|
|
windows-ntfs:
|
|
product: windows
|
|
service: ntfs
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-Ntfs/Operational'
|
|
windows-hyper-v-worker:
|
|
product: windows
|
|
service: hyper-v-worker
|
|
sources:
|
|
- 'WinEventLog:Microsoft-Windows-Hyper-V-Worker'
|
|
apache:
|
|
category: webserver
|
|
sources:
|
|
- "File:/var/log/apache/*.log"
|
|
- "File:/var/log/apache2/*.log"
|
|
- "File:/var/log/httpd/*.log"
|
|
linux-auth:
|
|
product: linux
|
|
service: auth
|
|
sources:
|
|
- "File:/var/log/auth.log"
|
|
- "File:/var/log/auth.log.?"
|
|
linux-syslog:
|
|
product: linux
|
|
service: syslog
|
|
sources:
|
|
- "File:/var/log/syslog"
|
|
- "File:/var/log/syslog.?"
|
|
logfiles:
|
|
category: logfile
|
|
sources:
|
|
- "File:*.log"
|