security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Posh BBRs (#4372)

Browse Source
This commit is contained in:
Jonhnathan
2025-01-15 11:00:21 -03:00
committed by GitHub
parent c912b78586
commit 74f11dbf7f
3 changed files with 15 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules_building_block/defense_evasion_posh_defender_tampering.toml
+7 -2
View File
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2024/09/11"
integration = ["windows"]
maturity = "production"
updated_date = "2024/10/28"
updated_date = "2025/01/13"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -58,7 +58,12 @@ event.category: "process" and host.os.type:windows and
DisableRealtimeMonitoring or LowThreatDefaultAction or
ModerateThreatDefaultAction or HighThreatDefaultAction
)
)
) and
not powershell.file.script_block_text : (
("cmdletization" and "cdxml-Help.xml") or
("function Set-MpPreference" and "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType")
) and
not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM"
'''
rules_building_block/discovery_posh_generic.toml
+4 -3
View File
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
updated_date = "2025/01/13"
[rule]
@@ -63,7 +63,7 @@ event.category:process and host.os.type:windows and
("Get-WmiObject" or "gwmi" or "Get-CimInstance" or
"gcim" or "Management.ManagementObjectSearcher" or
"System.Management.ManagementClass" or
"[WmiClass]" or "[WMI]") and
"[WmiClass]") and
(
"AntiVirusProduct" or "CIM_BIOSElement" or "CIM_ComputerSystem" or "CIM_Product" or "CIM_DiskDrive" or
"CIM_LogicalDisk" or "CIM_NetworkAdapter" or "CIM_StorageVolume" or "CIM_OperatingSystem" or
@@ -136,7 +136,8 @@ event.category:process and host.os.type:windows and
"Microsoft.PowerShell.Core\Export-ModuleMember" and
"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter"
) or
"CmdletsToExport=@(\"Add-Content\","
"CmdletsToExport=@(\"Add-Content\"," or
("cmdletization" and "cdxml-Help.xml")
) and
not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
'''
rules_building_block/lateral_movement_posh_winrm_activity.toml
+4 -2
View File
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
updated_date = "2025/01/13"
[rule]
author = ["Elastic"]
@@ -57,7 +57,9 @@ event.category:process and host.os.type:windows and
) and
not user.id : "S-1-5-18" and
not file.directory : (
"C:\\Program Files\\LogicMonitor\\Agent\\tmp"
"C:\\Program Files\\LogicMonitor\\Agent\\tmp" or
"C:\\Program Files\\WindowsPowerShell\\Modules\\icinga-powershell-framework\\cache" or
"C:\\Program Files\\WindowsPowerShell\\Modules\\SmartCardTools\\1.2.2"
) and not
powershell.file.script_block_text : (
"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')" and