[Rules Tuning] Add support for Sysmon ImageLoad Events (#2215)

* [Rules Tuning] Add support for Sysmon ImageLoad Events

Added correct event.category and event.action to rules using library events to support Sysmon Event ID 7.

`event.category == "library"` --> `(event.category == "process" and event.action : "Image loaded*")`

`dll.name` --> `file.name`

* added Suspicious RDP ActiveX Client Loaded

* Delete workspace.xml

(cherry picked from commit 50bb821708)
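As an added illustration (not code from this commit or from the detection-rules project), the old and new first sequence steps written as Python predicates and run over three constructed events; the Sysmon and Endpoint `event.action` strings are assumptions, and `eql_match` only approximates EQL's `:` operator.

```python
import fnmatch

POWERSHELL = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

# Constructed sample events (not taken from the page); the event.action
# values for the Endpoint and Sysmon documents are assumptions.
ENDPOINT_LIBRARY_EVENT = {
    "event.category": "library", "event.action": "load",
    "dll.name": "taskschd.dll", "process.name": "powershell.exe",
}
SYSMON_IMAGELOAD_EVENT = {          # Sysmon Event ID 7 as ingested by the Windows integration
    "event.category": "process", "event.action": "Image loaded (rule: ImageLoad)",
    "file.name": "taskschd.dll", "process.name": "pwsh.exe",
}
SYSMON_PROCESS_CREATE_EVENT = {     # same category, different action: must not match
    "event.category": "process", "event.action": "Process creation",
    "file.name": "taskschd.dll", "process.name": "pwsh.exe",
}

def eql_match(value, pattern):
    """Approximates EQL ':' : case-insensitive, '*' wildcard, a missing field never matches."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())

def old_first_step(ev):
    """Before: [library where dll.name : "taskschd.dll" and process.name : (...)]"""
    return (ev.get("event.category") == "library"
            and eql_match(ev.get("dll.name"), "taskschd.dll")
            and any(eql_match(ev.get("process.name"), p) for p in POWERSHELL))

def new_first_step(ev):
    """After: [any where (library or (process and action : "Image loaded*")) and (dll.name or file.name) ...]"""
    library_event = ev.get("event.category") == "library"
    sysmon_imageload = (ev.get("event.category") == "process"
                        and eql_match(ev.get("event.action"), "Image loaded*"))
    loads_taskschd = (eql_match(ev.get("dll.name"), "taskschd.dll")
                      or eql_match(ev.get("file.name"), "taskschd.dll"))
    return ((library_event or sysmon_imageload) and loads_taskschd
            and any(eql_match(ev.get("process.name"), p) for p in POWERSHELL))

def coverage(step):
    """Names of the constructed events that a given first-step predicate admits."""
    events = {"endpoint_library": ENDPOINT_LIBRARY_EVENT,
              "sysmon_imageload": SYSMON_IMAGELOAD_EVENT,
              "sysmon_process_create": SYSMON_PROCESS_CREATE_EVENT}
    return sorted(name for name, ev in events.items() if step(ev))

if __name__ == "__main__":
    print("old:", coverage(old_first_step))   # old: ['endpoint_library']
    print("new:", coverage(new_first_step))   # new: ['endpoint_library', 'sysmon_imageload']
```

The old step silently drops the Sysmon document because it arrives with `event.category: process` and `file.name`, which is exactly the gap the commit's two substitutions close.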
Samirbous
2022-08-02 18:40:26 +02:00
committed by github-actions[bot]
parent ad1e7fbde9
commit 979ca1dfab
9 changed files with 34 additions and 24 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/15"
maturity = "production"
updated_date = "2021/10/17"
updated_date = "2022/08/02"
[rule]
author = ["Elastic"]
@@ -26,7 +26,8 @@ type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan = 5s
[library where dll.name : "taskschd.dll" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
[any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
(dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
[network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
'''
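Review bot: the join key in `sequence by host.id, process.entity_id` is unchanged, so the new Sysmon branch of the first step only correlates when the `network where ... destination.port == 135` event carries the same `process.entity_id` as the Sysmon image-load event; worth stating in the rule's note that both steps are expected from the same source (Endpoint alone or Sysmon alone), since entity_id values assigned by different integrations are not guaranteed to line up. Keeping `event.category == "library"` inside the `or` preserves matching on existing Endpoint data, the parenthesisation of the two `or` groups is correct, and the `dll.name` / `file.name` alternation implements the mapping given in the commit message; the `: "Image loaded*"` wildcard relies on the case-insensitive `:` operator and would not work with `==`, which is also worth a line in the rule note.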