[Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704)

* Replace source.address with source.ip for compatibility

* Change query

* Missing and condition

(cherry picked from commit cbf0798646)
Jonhnathan
2022-01-13 16:40:10 -03:00
committed by github-actions[bot]
parent 6d784aa605
commit 9dc4500cd7
10 changed files with 22 additions and 23 deletions
+2 -2
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/03"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/01/13"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ sequence with maxspan=1m
] by host.id, process.entity_id
[network where event.type == "start" and process.name : "mshta.exe" and
network.direction : ("incoming", "ingress") and network.transport == "tcp" and
source.port > 49151 and destination.port > 49151 and not source.address in ("127.0.0.1", "::1")
source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
] by host.id, process.entity_id
'''
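Review bot: The rewritten source.ip predicate in the second hunk excludes only the two exact loopback literals, so a connection reported from any other 127.0.0.0/8 address (or an IPv4-mapped form such as ::ffff:127.0.0.1, should a data source emit one) is no longer treated as local and still enters the sequence. Because source.ip is the ECS ip-typed field, the range form `not cidrMatch(source.ip, "127.0.0.0/8", "::1/128")` expresses the same intent across the whole loopback block; whether the difference matters in practice depends on what the Windows network event sources actually populate, so this is worth checking before tightening or loosening it. The same literal-only exclusion is applied in the other nine file sections of this commit, so whatever is decided here should be mirrored in all of them rather than patched per rule. One thing that appears unchanged is the null case: with source.ip absent, both the old `not ... in (...)` form and the new `!=` chain seem to evaluate to null rather than true, so the rule still does not fire on events lacking a source address — worth confirming against EQL's null-comparison semantics since the commit message cites compatibility as the motivation.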
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/06"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/01/13"
[rule]
author = ["Elastic"]
@@ -24,8 +24,8 @@ type = "eql"
query = '''
sequence by host.id with maxspan=1m
[network where event.type == "start" and process.name : "mmc.exe" and
source.port >= 49152 and destination.port >= 49152 and source.address not in ("127.0.0.1", "::1") and
[network where event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and
destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and
network.direction : ("incoming", "ingress") and network.transport == "tcp"
] by process.entity_id
[process where event.type in ("start", "process_started") and process.parent.name : "mmc.exe"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/06"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/01/13"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ query = '''
sequence by host.id with maxspan=5s
[network where event.type == "start" and process.name : "explorer.exe" and
network.direction : ("incoming", "ingress") and network.transport == "tcp" and
source.port > 49151 and destination.port > 49151 and not source.address in ("127.0.0.1", "::1")
source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
] by process.entity_id
[process where event.type in ("start", "process_started") and
process.parent.name : "explorer.exe"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/10"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/01/13"
[rule]
author = ["Elastic"]
@@ -23,8 +23,8 @@ type = "eql"
query = '''
sequence by host.id with maxspan=30s
[network where event.type == "start" and process.pid == 4 and destination.port == 445 and
network.direction : ("incoming", "ingress") and network.transport == "tcp" and
source.address != "127.0.0.1" and source.address != "::1"
network.direction : ("incoming", "ingress") and
network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1"
] by process.entity_id
/* add more executable extensions here if they are not noisy in your environment */
[file where event.type in ("creation", "change") and process.pid == 4 and file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/24"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/01/13"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ type = "eql"
query = '''
sequence by host.id with maxspan=30s
[network where process.pid == 4 and network.direction : ("incoming", "ingress") and
destination.port in (5985, 5986) and network.protocol == "http" and not source.address in ("::1", "127.0.0.1")
destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"
]
[process where event.type == "start" and process.parent.name : "winrshost.exe" and not process.name : "conhost.exe"]
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/15"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/01/13"
[rule]
author = ["Elastic"]
@@ -26,8 +26,7 @@ sequence by host.id with maxspan = 2s
/* Accepted Incoming RPC connection by Winmgmt service */
[network where process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and
source.address != "127.0.0.1" and source.address != "::1" and
source.port >= 49152 and destination.port >= 49152
source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152
]
/* Excluding Common FPs Nessus and SCCM */
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/24"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/01/13"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ type = "eql"
query = '''
sequence by host.id with maxspan = 30s
[network where network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
network.protocol == "http" and source.address != "127.0.0.1" and source.address != "::1"
network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"
]
[process where event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"]
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/11"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/01/13"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ query = '''
sequence by host.id with maxspan=1m
[network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
network.direction : ("incoming", "ingress") and network.transport == "tcp" and
source.address != "127.0.0.1" and source.address != "::1"
source.ip != "127.0.0.1" and source.ip != "::1"
]
[registry where process.name : "explorer.exe" and
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/16"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/01/13"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ query = '''
sequence with maxspan=1s
[network where process.name : "services.exe" and
network.direction : ("incoming", "ingress") and network.transport == "tcp" and
source.port >= 49152 and destination.port >= 49152 and source.address not in ("127.0.0.1", "::1")
source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1"
] by host.id, process.entity_id
[process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/20"
maturity = "production"
updated_date = "2021/10/13"
updated_date = "2022/01/13"
[rule]
author = ["Elastic"]
@@ -58,7 +58,7 @@ query = '''
sequence by host.id, process.entity_id with maxspan = 1m
[network where process.name : "svchost.exe" and
network.direction : ("incoming", "ingress") and source.port >= 49152 and destination.port >= 49152 and
source.address != "127.0.0.1" and source.address != "::1"
source.ip != "127.0.0.1" and source.ip != "::1"
]
[registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
'''