├── 0331-sysmon_rules.xml
├── 0332-credential_access_rules.xml
├── 0802-sysmon-supplement.xml
├── 0803-wmic_malicious_rules.xml
├── 0804-defender_bypass.xml
├── 0805-v10-sysmon-modular_rules.xml
├── 0806-priv_esc_rules.xml
├── 0807-persistence_rules.xml
├── 0808-defense_evasion_rules.xml
├── 0809-execution_rules.xml
├── 0810-command_and_control_rules.xml
├── 0811-log_collection_rules.xml
├── 0812-lateral_movement.xml
├── 0815-exfiltration.xml
├── README.md
├── generate-config.sh
├── install-rules.sh
├── local_rules.xml
├── mapping
├── OSSEC-SYSMON_Coverage.json
├── OSSECSYSMON_Coverage.svg
├── attack.svg
└── layer.json
├── osquery.conf
├── response-scripts
└── dfir.ps1
├── sysmonconfig-05-16-20.xml
├── sysmonconfig-06-24-20.xml
├── sysmonconfig.xml
└── windows-agent.conf
/0331-sysmon_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | sysmon_event1
6 | \\powershell.exe||\\.ps1||\\.ps2
7 | Sysmon - Event 1: Powershell exe: $(win.eventdata.image)
8 | sysmon_event1,powershell_execution,
9 |
10 |
11 |
12 | sysmon_event1
13 | \\cmd.exe
14 | Sysmon - Event 1: CMD exe: $(win.eventdata.image)
15 | sysmon_event1,cmd_execution,
16 |
17 |
18 |
19 | 185001
20 | Network connection detected
21 | powershell.exe
22 | Powershell Network Connection
23 | sysmon_event3,network,
24 |
25 |
26 |
27 | 255000
28 | .doc
29 | Powershell Spawned from Office Doc
30 | MITRE,attack.t1059,attack.t1202,
31 |
32 |
33 |
34 | 255000
35 | .xls
36 | Powershell Spawned from Excel Doc
37 | MITRE,attack.t1059,attack.t1202,
38 |
39 |
40 |
41 | 255001
42 | WINWORD.EXE
43 | Command Line process spawned from Microsoft Word Doc
44 | MITRE,attack.t1059,attack.t1202,
45 |
46 |
47 |
48 | 255001
49 | EXCEL.EXE
50 | Command Line process spawned from Microsoft Excel Doc
51 | MITRE,attack.t1059,attack.t1202,
52 |
53 |
54 |
55 | sysmon_event1
56 | mshta.exe
57 | http
58 | Possible Malicious HTA file executed
59 | MITRE,attack.t1170,
60 |
61 |
62 |
63 | 255001
64 | POWERPNT.exe
65 | Command Line process spawned from Microsoft Powerpoint Doc
66 | MITRE,attack.t1059,attack.t1202,
67 |
68 |
69 |
70 | 255001
71 | OUTLOOK.EXE
72 | Command Line process spawned from Microsoft Outlook
73 | MITRE,attack.t1059,attack.t1202,
74 |
75 |
76 |
77 | 255001
78 | VISIO.exe
79 | Command Line process spawned from Microsoft Visio Doc
80 | MITRE,attack.t1059,attack.t1202,
81 |
82 |
83 |
84 | 255001
85 | MSPUB.exe
86 | Command Line process spawned from Microsoft Publisher Doc
87 | MITRE,attack.t1059,attack.t1202,
88 |
89 |
90 |
91 | 255000
92 | POWERPNT.exe
93 | Powershell Spawned from Powerpoint Doc
94 | MITRE,attack.t1059,attack.t1202,
95 |
96 |
97 |
98 | 255000
99 | OUTLOOK.EXE
100 | Powershell Spawned from Microsoft Outlook
101 | MITRE,attack.t1059,attack.t1202
102 |
103 |
104 |
105 | 255000
106 | MSPUB.exe
107 | Powershell Spawned from Microsoft Publisher
108 | MITRE,attack.t1059,attack.t1202,
109 |
110 |
111 |
112 | 255000
113 | VISIO.exe
114 | Powershell Spawned from Microsoft Visio
115 | MITRE,attack.t1059,attack.t1202,
116 |
117 |
118 |
119 | 255001
120 | regsvr32
121 | http
122 | MITRE ATT&CK T1117 - Regsvr32 https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
123 | MITRE,attack.t1117,
124 |
125 |
126 |
127 | 255001
128 | cscript.exe
129 | http
130 | MITRE ATT&CK T1216 - Signed Script Proxy Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
131 | MITRE,attack.t1216,
132 |
133 |
134 |
135 | 255001
136 | sc.exe
137 | create|start|delete
138 | Service created, started or deleted with sc.exe : MITRE ATT&CK T1035 - Service Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.md
139 | MITRE,attack.t1035,
140 |
141 |
142 |
143 | 255000
144 | sc.exe
145 | create|start|delete
146 | Service created, started or deleted with sc.exe : MITRE ATT&CK T1035 - Service Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.md
147 | MITRE,attack.t1035,
148 |
149 |
150 |
151 |
152 |
--------------------------------------------------------------------------------
/0332-credential_access_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | sysmon_event1
6 | \\findstr.exe
7 | cpassword
8 | Finding Passwords in SYSVOL & Exploiting Group Policy Preferences : MITRE ATT&CK T1081 - https://adsecurity.org/?p=2288
9 | MITRE,attack.t1081,
10 |
11 |
12 |
13 | 255547
14 | HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LMCompatibilityLevel
15 | ATT&CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue
16 | MITRE,attack.t1075
17 |
18 |
19 |
20 | 255547
21 | HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic
22 | ATT&CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue
23 | MITRE,attack.t1075
24 |
25 |
26 |
27 | sysmon_event_11
28 | \\Temp\\debug.bin
29 | Detects possible SafetyKatz Behaviour
30 | MITRE,attack.t1003,sigma
31 |
32 |
33 |
34 | sysmon_event_10
35 | lsass.exe
36 | dbgcore
37 | ATT&CK T1003: dbgcore.DLL potentially used to dump credentials from LSASS
38 | MITRE,attack.t1003
39 |
40 |
41 |
42 | sysmon_event_13
43 | \\WDigest\\UseLogonCredential
44 | ATT&CK T1003: Detects possible Mimikatz Activity, registry edit for WDigest plain text credentials
45 | MITRE,attack.t1003,
46 |
47 |
48 |
49 | 255107
50 | \\MsMpEng.exe|\\ossec-agent.exe|\\wininit.exe|\\csrss.exe
51 | Whitelist Interaction with LSASS (image-name match only: a binary masquerading under one of these names is suppressed as well)
52 | MITRE,attack.t1003,
53 |
54 |
55 |
56 | windows_application
57 | grabber_temp
58 | Microsoft Internet Explorer Passwords dumped, TTP indicative of Trickbot infection
59 | MITRE,attack.t1003
60 |
61 |
62 |
63 | 255531
64 | comsvcs.dll
65 | MiniDump|#24
66 | Comsvcs.dll potentially used to dump credentials from LSASS
67 | MITRE,attack.t1003
68 |
69 |
70 |
71 | 255524
72 | comsvcs.dll
73 | MiniDump|#24
74 | Comsvcs.dll potentially used to dump credentials from LSASS
75 | MITRE,attack.t1003
76 |
77 |
78 |
79 | 255524
80 | comsvcs.dll
81 | MiniDump|#24
82 | Comsvcs.dll potentially used to dump credentials from LSASS
83 | MITRE,attack.t1003
84 |
85 |
86 |
87 | sysmon_event1
88 | mimikatz
89 | Mimikatz potentially used to dump credentials from LSASS
90 | MITRE,attack.t1003
91 |
92 |
93 |
94 | sysmon_event1
95 | procdump
96 | lsass
97 | Procdump potentially used to dump credentials from LSASS
98 | MITRE,attack.t1003
99 |
100 |
101 |
102 | sysmon_event_10
103 | lsass.exe
104 | dbgcore
105 | dbgcore.DLL potentially used to dump credentials from LSASS
106 | MITRE,attack.t1003
107 |
108 |
109 |
110 |
--------------------------------------------------------------------------------
/0802-sysmon-supplement.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | 61600
6 | ^16$
7 | Sysmon - Event 16: ServiceConfigurationChange by $(win.eventdata.image)
8 | sysmon_event_16,
9 |
10 |
11 |
12 | 61600
13 | ^17$
14 | Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)
15 | sysmon_event_17,
16 |
17 |
18 |
19 | 61600
20 | ^18$
21 | Sysmon - Event 18: PipeEvent (Pipe Connected) by $(win.eventdata.image)
22 | sysmon_event_18,
23 |
24 |
25 |
26 | 61600
27 | ^19$
28 | Sysmon - Event 19: WmiEvent (WmiEventFilter activity detected) by $(win.eventdata.image)
29 | sysmon_event_19,
30 |
31 |
32 |
33 | 61600
34 | ^20$
35 | Sysmon - Event 20: WmiEvent (WmiEventConsumer activity detected) by $(win.eventdata.image)
36 | sysmon_event_20,
37 |
38 |
39 |
40 | 61600
41 | ^21$
42 | Sysmon - Event 21: WmiEvent (WmiEventConsumerToFilter activity detected) by $(win.eventdata.image)
43 | sysmon_event_21,
44 |
45 |
46 |
47 | 61600
48 | ^22$
49 | Sysmon - Event 22: DNSEvent (DNS query) by $(win.eventdata.image)
50 | sysmon_event_22,
51 |
52 |
53 |
54 | 61600
55 | ^23$
56 | Sysmon - Event 23: FileDelete (A file delete was detected) by $(win.eventdata.image)
57 | sysmon_event_23,
58 |
59 |
60 |
61 | 61600
62 | ^24$
63 | Sysmon - Event 24: ClipboardChange (New content in the clipboard) by $(win.eventdata.image)
64 | sysmon_event_24,
65 |
66 |
67 |
68 | 61600
69 | ^25$
70 | Sysmon - Event 25: ProcessTampering (Process image change) by $(win.eventdata.image)
71 | sysmon_event_25,
72 |
73 |
74 |
--------------------------------------------------------------------------------
/0803-wmic_malicious_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | sysmon_event1
6 | \\WMIC.exe
7 | process call create
8 | Using WMIC for process creation: https://attack.mitre.org/techniques/T1047/
9 | MITRE,attack.t1047
10 |
11 |
12 |
13 | sysmon_event1
14 | \\WMIC.exe
15 | /namespace:\\root\securitycenter2 path antivirusproduct
16 | Using WMIC for Antivirus Enumeration: https://attack.mitre.org/techniques/T1047/
17 | MITRE,attack.t1047
18 |
19 |
20 |
21 | sysmon_event1
22 | \\WMIC.exe
23 | /NAMESPACE:\\\\root\\directory\\ldap PATH ds_user
24 | Using WMIC for Domain User Enumeration: https://attack.mitre.org/techniques/T1047/
25 | MITRE,attack.t1047
26 |
27 |
28 |
29 | sysmon_event1
30 | \\WMIC.exe
31 | /NAMESPACE:\\\\root\\directory\\ldap PATH ds_group
32 | Using WMIC for Domain Group Enumeration: https://attack.mitre.org/techniques/T1047/
33 | MITRE,attack.t1047
34 |
35 |
36 |
37 | sysmon_event1
38 | \\WMIC.exe
39 | USERACCOUNT
40 | Using WMIC for Local Account Enumeration: https://attack.mitre.org/techniques/T1047/
41 | MITRE,attack.t1047
42 |
43 |
44 |
45 | sysmon_event1
46 | \\WMIC.exe
47 | NTDOMAIN
48 | Using WMIC for Domain Enumeration: https://attack.mitre.org/techniques/T1047/
49 | MITRE,attack.t1047
50 |
51 |
52 |
53 | sysmon_event1
54 | \\WMIC.exe
55 | gfe list brief
56 | Using WMIC for Host Patch Level Enumeration: https://attack.mitre.org/techniques/T1047/
57 | MITRE,attack.t1047
58 |
59 |
60 |
61 | sysmon_event1
62 | \\scrcons.exe
63 | WMI persistence: Script Event Consumer host (scrcons.exe) process creation : https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
64 | MITRE,attack.t1084
65 |
66 |
67 |
68 | 255000
69 | \\WmiPrvSE.exe
70 | WmiPrvSE event spawning powershell
71 | MITRE,attack.t1047
72 |
73 |
74 |
75 | sysmon_event1
76 | \\WmiPrvSE.exe
77 | cmd.exe
78 | 127.0.0.1
79 | WmiPrvSE.exe spawning cmd.exe with 127.0.0.1 in the command line, matching Impacket wmiexec.py tooling
80 | MITRE,attack.t1047
81 |
82 |
83 |
84 |
--------------------------------------------------------------------------------
/0804-defender_bypass.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | windows
5 | Windows Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled
6 | Windows Defender: Realtime Detection Disabled: https://attack.mitre.org/techniques/T1089/
7 | gdpr_IV_35.7.d,MITRE,attack.t1089,defender
8 |
9 |
10 |
11 | windows
12 | 3002
13 | Windows Defender: Antivirus Rules Missing: https://attack.mitre.org/techniques/T1089/
14 | MITRE,attack.t1089,defender
15 |
16 |
17 |
18 |
19 | 255531
20 | DisableRealtimeMonitoring $true
21 | Defender Realtime Monitoring Disabled
22 | defender,attack.t1089
23 |
24 |
25 | 62100
26 | ^5001$
27 | Windows Defender Real-time Protection was disabled.
28 | defender,attack.t1089
29 |
30 |
31 | 62100
32 | ^1006$|^1116$
33 | Windows Defender found malware or other potentially unwanted software.
34 | defender,attack.t1089
35 |
36 |
37 | 62100
38 | ^1008$
39 | Windows Defender found malware and failed to clean it.
40 | defender,attack.t1089
41 |
42 |
43 | 62100
44 | ^1015$
45 | Windows Defender detected suspicious behavior.
46 | defender,attack.t1089
47 |
48 |
49 | 62100
50 | ^5010$
51 | Scanning for malware and other potentially unwanted software is disabled.
52 | defender,attack.t1089
53 |
54 |
55 | 62100
56 | ^5012$
57 | Scanning for viruses is disabled.
58 | defender,attack.t1089
59 |
60 |
61 | 62100
62 | ^5007$
63 | DisableBlockAtFirstSeen = 0x1
64 | Windows Defender Block At First Seen disabled
65 | defender,attack.t1089
66 |
67 |
68 | 62100
69 | ^5007$
70 | DisableBehaviorMonitoring
71 | Windows Defender Behavior Monitoring Was Configured
72 | defender,attack.t1089
73 |
74 |
75 | 62100
76 | ^5007$
77 | DisableRealtimeMonitoring
78 | Windows Defender Realtime Monitoring Was Configured
79 | defender,attack.t1089
80 |
81 |
82 | 62100
83 | ^5007$
84 | C:\\ = 0x0|D:\\ = 0x0|E:\\ = 0x0|F:\\ = 0x0
85 | Windows Defender Exclusion for Attached Drive
86 | defender,attack.t1089
87 |
88 |
89 |
--------------------------------------------------------------------------------
/0805-v10-sysmon-modular_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | sysmon_event8
6 | technique_name=Process Injection
7 | MITRE T1055 Process Injection: $(win.eventdata.image)
8 | MITRE,attack.t1055,
9 |
10 |
11 |
12 | sysmon_event1
13 | technique_name=Masquerading
14 | MITRE T1036 Masquerading: $(win.eventdata.image)
15 | MITRE,attack.t1036,
16 |
17 |
18 |
19 | sysmon_event1
20 | technique_name=Credential Dumping
21 | MITRE T1003 Credential Dumping: $(win.eventdata.image)
22 | MITRE,attack.t1003,
23 |
24 |
25 |
26 | sysmon_event_12
27 | technique_name=Winlogon Helper DLL
28 | MITRE T1004 Winlogon Helper DLL: $(win.eventdata.image)
29 | MITRE,attack.t1004,
30 |
31 |
32 |
33 | sysmon_event1
34 | technique_name=Data from Local System
35 | MITRE T1005 Data from Local System: $(win.eventdata.image)
36 | MITRE,attack.t1005,
37 |
38 |
39 |
40 | sysmon_event1
41 | technique_name=System Service Discovery
42 | MITRE T1007 System Service Discovery: $(win.eventdata.image)
43 | MITRE,attack.t1007,
44 |
45 |
46 |
47 | sysmon_event1
48 | technique_name=Query Registry
49 | MITRE T1012 Query registry: $(win.eventdata.image)
50 | MITRE,attack.t1012,
51 |
52 |
53 |
54 | sysmon_event_12
55 | technique_name=Forced Authentication
56 | MITRE T1013 Forced Authentication: $(win.eventdata.image)
57 | MITRE,attack.t1013,
58 |
59 |
60 |
61 | sysmon_event_12
62 | technique_name=Accessibility Features
63 | MITRE T1015 Accessibility Features: $(win.eventdata.image)
64 | MITRE,attack.t1015,
65 |
66 |
67 |
68 | sysmon_event3
69 | technique_name=System Network Configuration Discovery
70 | MITRE T1016 System Network Configuration Discovery: $(win.eventdata.image)
71 | MITRE,attack.t1016,
72 |
73 |
74 |
75 | sysmon_event1
76 | technique_name=Remote System Discovery
77 | MITRE T1018 Remote System Discovery: $(win.eventdata.image)
78 | MITRE,attack.t1018,
79 |
80 |
81 |
82 | sysmon_event2
83 | technique_name=Remote Services
84 | MITRE T1021 Remote Services : $(win.eventdata.image)
85 | MITRE,attack.t1021,
86 |
87 |
88 |
89 | sysmon_event1
90 | technique_name=Obfuscated Files or Information
91 | MITRE T1027 Obfuscated Files or Information : $(win.eventdata.image)
92 | MITRE,attack.t1027,
93 |
94 |
95 |
96 | sysmon_event1
97 | technique_name=Windows Remote Management
98 | MITRE T1028 Windows Remote Management: $(win.eventdata.image)
99 | MITRE,attack.t1028,
100 |
101 |
102 |
103 | sysmon_event1
104 | technique_name=Modify Existing Service
105 | MITRE T1031 Modify Existing Service : $(win.eventdata.image)
106 | MITRE,attack.t1031,
107 |
108 |
109 |
110 | sysmon_event1
111 | technique_name=System Owner/User Discovery
112 | MITRE T1033 System Owner/User Discovery : $(win.eventdata.image)
113 | MITRE,attack.t1033,
114 |
115 |
116 |
117 | sysmon_event1
118 | technique_name=Service Execution
119 | MITRE T1035 Service Execution: $(win.eventdata.image)
120 | MITRE,attack.t1035,
121 |
122 |
123 |
124 | sysmon_event_12
125 | technique_name=Logon Scripts
126 | MITRE T1037 Logon Scripts: $(win.eventdata.image)
127 | MITRE,attack.t1037,
128 |
129 |
130 |
131 | sysmon_event_12
132 | technique_name=Change Default File Association
133 | MITRE T1042 Change Default File Association: $(win.eventdata.image)
134 | MITRE,attack.t1042,
135 |
136 |
137 |
138 | sysmon_event3
139 | technique_name=Windows Management Instrumentation
140 | MITRE T1047 Windows Management Instrumentation : $(win.eventdata.image)
141 | MITRE,attack.t1047,
142 |
143 |
144 |
145 | sysmon_event1
146 | technique_name=System Network Connections Discovery
147 | MITRE T1049 System Network Connections Discovery: $(win.eventdata.image)
148 | MITRE,attack.t1049,
149 |
150 |
151 |
152 | sysmon_event1
153 | technique_name=Scheduled Task
154 | MITRE T1053 Scheduled Task: $(win.eventdata.image)
155 | MITRE,attack.t1053,
156 |
157 |
158 |
159 | sysmon_event1
160 | technique_name=Indicator Blocking
161 | MITRE T1054 Indicator Blocking : $(win.eventdata.image)
162 | MITRE,attack.t1054,
163 |
164 |
165 |
166 | sysmon_event1
167 | technique_name=Process Discovery
168 | MITRE T1057 Process Discovery: $(win.eventdata.image)
169 | MITRE,attack.t1057,
170 |
171 |
172 |
173 | sysmon_event1
174 | technique_name=Command-Line Interface
175 | MITRE T1059 Command-Line Interface: $(win.eventdata.image)
176 | MITRE,attack.t1059,
177 |
178 |
179 |
180 | sysmon_event_12
181 | technique_name=Registry Run Keys / Start Folder
182 | MITRE T1060 Registry Run Keys / Start Folder: $(win.eventdata.image)
183 | MITRE,attack.t1060,
184 |
185 |
186 |
187 | sysmon_event1
188 | technique_name=Security Software Discovery
189 | MITRE T1063 Security Software Discovery: $(win.eventdata.image)
190 | MITRE,attack.t1063,
191 |
192 |
193 |
194 | sysmon_event1
195 | technique_name=Permission Groups Discovery
196 | MITRE T1069 Permission Groups Discovery: $(win.eventdata.image)
197 | MITRE,attack.t1069,
198 |
199 |
200 |
201 | sysmon_event1
202 | technique_name=Indicator Removal on Host
203 | MITRE T1070 Indicator Removal on Host: $(win.eventdata.image)
204 | MITRE,attack.t1070,
205 |
206 |
207 |
208 | sysmon_event1
209 | technique_name=File and Directory Discovery
210 | MITRE T1083 File and Directory Discovery: $(win.eventdata.image)
211 | MITRE,attack.t1083,
212 |
213 |
214 |
215 | sysmon_event3
216 | technique_name=Rundll32
217 | MITRE T1085 Rundll32: $(win.eventdata.image)
218 | MITRE,attack.t1085,
219 |
220 |
221 |
222 | sysmon_event1
223 | technique_name=PowerShell
224 | MITRE T1086 Powershell: $(win.eventdata.image)
225 | MITRE,attack.t1086,
226 |
227 |
228 |
229 | sysmon_event1
230 | technique_name=Bypass User Account Control
231 | MITRE T1088 Bypass User Account Control: $(win.eventdata.image)
232 | MITRE,attack.t1088,
233 |
234 |
235 |
236 | sysmon_event1
237 | technique_name=Disabling Security Tools
238 | MITRE T1089 Disabling Security Tools: $(win.eventdata.image)
239 | MITRE,attack.t1089,
240 |
241 |
242 |
243 | sysmon_event1
244 | technique_name=Account Manipulation
245 | MITRE T1098 Account Manipulation: $(win.eventdata.image)
246 | MITRE,attack.t1098,
247 |
248 |
249 |
250 | sysmon_event2
251 | technique_name=Timestomp
252 | MITRE T1099 Timestomp: $(win.eventdata.image)
253 | MITRE,attack.t1099,
254 |
255 |
256 |
257 | sysmon_event_12
258 | technique_name=Security Support Provider
259 | MITRE T1101 Security Support Provider: $(win.eventdata.image)
260 | MITRE,attack.t1101,
261 |
262 |
263 |
264 | sysmon_event_12
265 | technique_name=Appinit DLLs
266 | MITRE T1103 Appinit DLLs: $(win.eventdata.image)
267 | MITRE,attack.t1103,
268 |
269 |
270 |
271 | sysmon_event1
272 | technique_name=Remote File Copy
273 | MITRE T1105 Remote File Copy: $(win.eventdata.image)
274 | MITRE,attack.t1105,
275 |
276 |
277 |
278 | sysmon_event1
279 | technique_name=Modify Registry
280 | MITRE T1112 Modify Registry: $(win.eventdata.image)
281 | MITRE,attack.t1112,
282 |
283 |
284 |
285 | sysmon_event1
286 | technique_name=Regsvr32
287 | MITRE T1117 Regsvr32: $(win.eventdata.image)
288 | MITRE,attack.t1117,
289 |
290 |
291 |
292 | sysmon_event1
293 | technique_name=InstallUtil
294 | MITRE T1118 InstallUtil: $(win.eventdata.image)
295 | MITRE,attack.t1118,
296 |
297 |
298 |
299 | sysmon_event1
300 | technique_name=Regsvcs/Regasm
301 | MITRE T1121 Regsvcs/Regasm: $(win.eventdata.image)
302 | MITRE,attack.t1121,
303 |
304 |
305 |
306 | sysmon_event_12
307 | technique_name=Component Object Model Hijacking
308 | MITRE T1122 Component Object Model Hijacking: $(win.eventdata.image)
309 | MITRE,attack.t1122,
310 |
311 |
312 |
313 | sysmon_event1
314 | technique_name=Trusted Developer Utilities
315 | MITRE T1127 Trusted Developer Utilities: $(win.eventdata.image)
316 | MITRE,attack.t1127,
317 |
318 |
319 |
320 | sysmon_event_12
321 | technique_name=Netsh Helper DLL
322 | MITRE T1128 Netsh Helper DLL: $(win.eventdata.image)
323 | MITRE,attack.t1128,
324 |
325 |
326 |
327 | sysmon_event_12
328 | technique_name=Install Root Certificate
329 | MITRE T1130 Install Root Certificate: $(win.eventdata.image)
330 | MITRE,attack.t1130,
331 |
332 |
333 |
334 | sysmon_event_12
335 | technique_name=Authentication Package
336 | MITRE T1131 Authentication Package: $(win.eventdata.image)
337 | MITRE,attack.t1131,
338 |
339 |
340 |
341 | sysmon_event1
342 | technique_name=Access Token Manipulation
343 | MITRE T1134 Access Token Manipulation: $(win.eventdata.image)
344 | MITRE,attack.t1134,
345 |
346 |
347 |
348 | sysmon_event1
349 | technique_name=Application Shimming
350 | MITRE T1138 Application Shimming: $(win.eventdata.image)
351 | MITRE,attack.t1138,
352 |
353 |
354 |
355 | sysmon_event1
356 | technique_name=Hidden Files and Files Directories
357 | MITRE T1158 Hidden Files and Directories: $(win.eventdata.image)
358 | MITRE,attack.t1158,
359 |
360 |
361 |
362 | sysmon_event1
363 | technique_name=Mshta
364 | MITRE T1170 Mshta: $(win.eventdata.image)
365 | MITRE,attack.t1170,
366 |
367 |
368 |
369 | sysmon_event_12
370 | technique_name=AppCert DLLs
371 | MITRE T1182 AppCert DLLs: $(win.eventdata.image)
372 | MITRE,attack.t1182,
373 |
374 |
375 |
376 | sysmon_event_12
377 | technique_name=Image File Execution Options Injection
378 | MITRE T1183 Image File Execution Options Injection: $(win.eventdata.image)
379 | MITRE,attack.t1183,
380 |
381 |
382 |
383 | sysmon_event_11
384 | technique_name=Forced Authentication
385 | MITRE T1187 Forced Authentication: $(win.eventdata.image)
386 | MITRE,attack.t1187,
387 |
388 |
389 |
390 | sysmon_event1
391 | technique_name=CMSTP
392 | MITRE T1191 CMSTP: $(win.eventdata.image)
393 | MITRE,attack.t1191,
394 |
395 |
396 |
397 | sysmon_event1
398 | technique_name=Control Panel Items
399 | MITRE T1196 Control Panel Items: $(win.eventdata.image)
400 | MITRE,attack.t1196,
401 |
402 |
403 |
404 | sysmon_event1
405 | technique_name=BITS Jobs
406 | MITRE T1197 BITS Jobs: $(win.eventdata.image)
407 | MITRE,attack.t1197,
408 |
409 |
410 |
411 | sysmon_event_12
412 | technique_name=SIP and Trust Provider Hijacking
413 | MITRE T1198 SIP and Trust Provider Hijacking: $(win.eventdata.image)
414 | MITRE,attack.t1198,
415 |
416 |
417 |
418 | sysmon_event1
419 | technique_name=Indirect Command Execution
420 | MITRE T1202 Indirect Command Execution: $(win.eventdata.image)
421 | MITRE,attack.t1202,
422 |
423 |
424 |
425 | sysmon_event_12
426 | technique_name=Time Providers
427 | MITRE T1209 Time Providers: $(win.eventdata.image)
428 | MITRE,attack.t1209,
429 |
430 |
431 |
432 | sysmon
433 | technique_name=Regsvr32
434 | MITRE T1218 Regsvr32: $(win.eventdata.image)
435 | MITRE,attack.t1218,
436 |
437 |
438 |
439 | sysmon_event1
440 | technique_name=Signed Binary Proxy Execution
441 | MITRE T1218 Signed Binary Proxy Execution: $(win.eventdata.image)
442 | MITRE,attack.t1218,
443 |
444 |
445 |
446 | sysmon
447 | technique_name=Signed Binary Proxy Execution
448 | MITRE T1218 Signed Binary Proxy Execution: $(win.eventdata.image)
449 | MITRE,attack.t1218,
450 |
451 |
452 |
453 | sysmon_event3
454 | technique_name=Masquerading
455 | MITRE T1036 Masquerading: $(win.eventdata.image)
456 | MITRE,attack.t1036,
457 |
458 |
459 |
460 | sysmon
461 | technique_name=System Network Configuration Discovery
462 | MITRE T1016 System Network Configuration Discovery: $(win.eventdata.image)
463 | MITRE,attack.t1016,
464 |
465 |
466 |
467 | sysmon
468 | technique_name=Windows Remote Management
469 | MITRE T1028 Windows Remote Management: $(win.eventdata.image)
470 | MITRE,attack.t1028,
471 |
472 |
473 |
474 | sysmon
475 | technique_name=Service Execution
476 | MITRE T1035 Service Execution: $(win.eventdata.image)
477 | MITRE,attack.t1035,
478 |
479 |
480 |
481 | sysmon_event3
482 | technique_name=Regsvr32
483 | MITRE T1218 Regsvr32: $(win.eventdata.image)
484 | MITRE,attack.t1218,
485 |
486 |
487 |
488 | sysmon_event3
489 | technique_name=Commonly Used Port
490 | MITRE T1043 Commonly Used Port: $(win.eventdata.image)
491 | MITRE,attack.t1043,
492 |
493 |
494 |
495 | sysmon_event3
496 | technique_name=PowerShell
497 | MITRE T1086 Powershell Network Connection: $(win.eventdata.image)
498 | MITRE,attack.t1086,
499 |
500 |
501 |
502 | sysmon_event3
503 | technique_name=Indirect Command Execution
504 | MITRE T1202 Indirect Command Execution Network Activity: $(win.eventdata.image)
505 | MITRE,attack.t1202,
506 |
507 |
508 |
509 | sysmon_event_13
510 | technique_name=Registry Run
511 | MITRE T1060 Run Key Persistence: $(win.eventdata.image)
512 | MITRE,attack.t1060,
513 |
514 |
515 |
516 | sysmon_event3
517 | technique_name=UnCommonly Used Port
518 | MITRE T1065 Uncommonly Used Port: $(win.eventdata.image)
519 | MITRE,attack.t1065,
520 |
521 |
522 |
523 | sysmon_event7
524 | technique_name=User Execution
525 | MITRE T1204 User Execution: $(win.eventdata.image)
526 | MITRE,attack.t1204,
527 |
528 |
529 |
530 |
--------------------------------------------------------------------------------
/0806-priv_esc_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | 255531
6 | \\csc.exe
7 | cmdline
8 | ATT&CK T1055: Suspected Shellcode Compile on Endpoint
9 | MITRE,attack.t1055,
10 |
11 |
12 |
13 | 255500
14 | \\powershell.exe
15 | \\rundll32.exe
16 | ATT&CK T1055: Suspected Process Injection matching Cobalt Strike methods
17 | MITRE,attack.t1055,
18 |
19 |
20 |
21 | 255524
22 | \\\\.\\pipe\\
23 | Named Pipe potential Privilege Escalation (Meterpreter) T1134
24 | MITRE,attack.t1134,sysmon
25 |
26 |
27 |
28 | sysmon_event8
29 | rundll32.exe
30 | winlogon.exe|dllhost.exe|svchost.exe
31 | ATT&CK T1055: Process injections by $(win.eventdata.sourceImage) into $(win.eventdata.targetImage)
32 | MITRE,attack.t1055,sysmon
33 |
34 |
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/0807-persistence_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | sysmon_event_13
6 | services.exe
7 | ATT&CK T1058: Registry edit for new service (services.exe)
8 | MITRE,attack.t1058
9 |
10 |
11 |
12 |
13 | 255700
14 | \\.exe
15 | ATT&CK T1058: Executable written to Registry for Persistence
16 | MITRE,attack.t1058
17 |
18 |
19 |
20 | sysmon_event_11
21 | \\Programs\\Startup
22 | ATT&CK T1060: Potential Persistence Method via Startup Folder
23 | MITRE,attack.t1060
24 |
25 |
26 |
27 | 255702
28 | desktop.ini
29 | Startup Folder Whitelist
30 | MITRE,attack.t1060
31 |
32 |
33 |
34 | sysmon_event_11
35 | \\.scr
36 | ATT&CK T1180: Screensaver, unusual filetype anomaly: .scr file created
37 | MITRE,attack.t1180
38 |
39 |
40 |
41 | sysmon_event_13
42 | RunOnce
43 | ATT&CK T1547.001: Potential Run Key Persistence Setup
44 | MITRE,attack.t1547.001
45 |
46 |
47 |
48 | 255705
49 | \\OneDriveSetup.exe
50 | silence normal onedrive activity
51 | MITRE,attack.t1160
52 |
53 |
54 |
55 | 255702
56 | Explorer.EXE
57 | Startup Folder Whitelist
58 | MITRE,attack.t1060
59 |
60 |
61 |
62 | 255539
63 | Windows\\CurrentVersion\\Run
64 | Run Key Persistence Detected
65 | MITRE,attack.t1547.001
66 |
67 |
68 |
69 | 255572
70 | powershell
71 | ATT&CK T1547.001: Powershell in registry, potential malicious persistence
72 | MITRE,attack.t1547.001
73 |
74 |
75 |
76 | sysmon_event_12
77 | RunOnce
78 | ATT&CK T1547.001: Potential Run Key Persistence Setup
79 | MITRE,attack.t1547.001
80 |
81 |
82 |
83 | sysmon_event_11
84 | w3wp.exe
85 | asp|php|jsp
86 | ATT&CK T1505.003: Potential webshell - IIS worker process (w3wp.exe) wrote a script file (asp/php/jsp)
87 | MITRE,attack.t1505.003
88 |
89 |
90 |
91 |
--------------------------------------------------------------------------------
/0808-defense_evasion_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | sysmon_event1
6 | \\mshta.exe
7 | browser_broker.exe
8 | ATT&CK T1170: MSHTA execution demiguise techniques
9 | MITRE,attack.t1170
10 |
11 |
12 |
13 | sysmon_event1
14 | \\mshta.exe
15 | chrome.exe
16 | ATT&CK T1170: MSHTA execution demiguise techniques
17 | MITRE,attack.t1170
18 |
19 |
20 |
21 | sysmon_event1
22 | firewall set opmode mode=disable
23 | ATT&CK T1089: Disabling the Windows Firewall
24 | MITRE,attack.t1089
25 |
26 |
27 |
28 | sysmon_event1
29 | advfirewall set currentprofile state off
30 | ATT&CK T1089: Disabling the Windows Firewall
31 | MITRE,attack.t1089
32 |
33 |
34 |
35 | sysmon_event_11
36 | \\.arj
37 | ATT&CK T1406: Filetype anomaly, unusual file type .arj
38 | MITRE,attack.t1406
39 |
40 |
41 |
42 | 255531
43 | sysmon64.exe
44 | -u
45 | Sysmon uninstall command executed (sysmon64.exe -u); a renamed or 32-bit sysmon.exe binary is not matched
46 | MITRE,attack.t1089
47 |
48 |
49 |
50 | 255531
51 | fltmc.exe
52 | unload
53 | Filter driver unloaded via fltmc.exe, possibly the Sysmon driver
54 | MITRE,attack.t1089,sysmon
55 |
56 |
57 |
58 |
--------------------------------------------------------------------------------
/0809-execution_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | 255531
5 | -e PAA|-en PAA|-enc PAA|-enco PAA|-encod PAA|JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ|QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA|kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA|IgAoACcAKgAnACkAOwAkA|IAKAAnACoAJwApADsAJA|iACgAJwAqACcAKQA7ACQA
6 | ATT&CK T1059: Powershell execution techniques seen with Emotet malware
7 | MITRE,attack.t1059
8 |
9 |
10 |
11 |
12 | 255531
13 | -noP -sta -w 1 -enc|-NoP -sta -NonI -W Hidden -Enc|-NoP -NonI -W Hidden -enc
14 | ATT&CK T1059: Powershell execution techniques default PowerShell Empire launcher
15 | MITRE,attack.t1059
16 |
17 |
18 |
19 | sysmon_event1
20 | certutil -urlcache -split -f
21 | ATT&CK T1105: CertUtil Download Technique (Remote File Copy)
22 | MITRE,attack.t1105
23 |
24 |
25 |
26 | 255531
27 | -exec bypass -Noninteractive -windowstyle hidden -e
28 | ATT&CK T1059: Powershell execution techniques default Posh C2 launcher
29 | MITRE,attack.t1059
30 |
31 |
32 |
33 | 255531
34 | /w 1
35 | value.toString
36 | ATT&CK T1059: Powershell execution techniques default Unicorn Powershell Meterpreter launcher
37 | MITRE,attack.t1059
38 |
39 |
40 |
41 | 60100
42 | ^400$
43 | PowerShell
44 | Windows PowerShell was started.
45 |
46 |
47 |
48 | 60100
49 | ^800$
50 | PowerShell
51 | Windows PowerShell command executed.
52 |
53 |
54 |
55 | sysmon_event1
56 | englishsize|adamteapot|initijpn|classchx|choreengine|pixelproc|cablesongs|mscmsknown
57 | Potential Emotet Executable running detection
58 | MITRE,execution
59 |
60 |
61 |
62 | sysmon_event3
63 | englishsize|adamteapot|initijpn|classchx|choreengine|pixelproc|vertclient|cablesongs|mscmsknown
64 | Potential Emotet Executable running detection
65 | MITRE,execution
66 |
67 |
68 |
69 | sysmon_event1
70 | AppData\\Roaming
71 | ipconfig|workstation|domain_trusts
72 | Potential Trickbot Executable running local and domain reconnaissance
73 | MITRE,execution
74 |
75 |
76 |
77 | sysmon_event1
78 | Roaming\\NuiGet|Roaming\\HomeLan|Roaming\\netRest|Roaming\\netcloud|Roaming\\netRest
79 | Potential Emotet Executable running detection
80 | MITRE,execution
81 |
82 |
83 |
84 | sysmon_event3
85 | Roaming\\NuiGet|Roaming\\HomeLan|Roaming\\netRest|Roaming\\netcloud|Roaming\\netRest
86 | Potential Emotet Executable running detection
87 | MITRE,execution
88 |
89 |
90 |
91 | 255531
92 | RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
93 | ATT&CK T1485: Powershell Ransomware technique to delete shadow copies seen in Sodinokibi strains
94 | MITRE,attack.t1485,ransomware
95 |
96 |
97 |
98 | sysmon_event1
99 | WMIC.exe shadowcopy delete
100 | ATT&CK T1485: WMIC Ransomware technique to delete shadow copies seen in Robinhood strains
101 | MITRE,attack.t1485,ransomware
102 |
103 |
104 |
105 | sysmon_event1
106 | vssadmin delete shadows /all /quiet
107 | ATT&CK T1485:Ransomware technique to delete shadow copies
108 | MITRE,attack.t1485,ransomware
109 |
110 |
111 |
112 | sysmon_event1
113 | /c Bcdedit.exe /set {default} recoveryenabled no
114 | ATT&CK T1485:Ransomware technique to delete backups seen in Robinhood strains
115 | MITRE,attack.t1485,ransomware
116 |
117 |
118 |
119 | sysmon_event1
120 | wbadmin delete catalog -quiet
121 | ATT&CK T1485:Ransomware technique to delete backups seen in Wannacry strains
122 | MITRE,attack.t1485,ransomware
123 |
124 |
125 |
126 | sysmon_event1
127 | icacls . /grant Everyone:F /T /C /Q
128 | ATT&CK T1486:Ransomware technique to grant all permissions seen in Wannacry strains
129 | MITRE,attack.t1486,ransomware
130 |
131 |
132 |
133 | sysmon_event1
134 | gandcrab.bit|ransomware.bit|carder.bit
135 | ATT&CK T1486:Ransomware technique to look up Ransomware Domains seen in Gandcrab strain
136 | MITRE,attack.t1486,ransomware
137 |
138 |
139 |
140 | sysmon_event1
141 | EQNEDT32.EXE
142 | ATT&CK T1173: Potential use of Microsoft Equation Editor for Exploitation
143 | MITRE,attack.t1173,
144 |
145 |
146 |
147 | 255561
148 | \\powershell.exe
149 | ATT&CK T1117: Regsvr32 execution spawned from Powershell (Ursnif IOC)
150 | MITRE,attack.t1117
151 |
152 |
153 |
154 | 255901
155 | IwBwAGEAY
156 | ATT&CK T1059: Powershell Signature Matching Ursnif Malware
157 | MITRE,attack.t1059
158 |
159 |
160 |
161 | sysmon_event1
162 | \\wscript.exe
163 | ATT&CK T1064: WScript Execution $(win.eventdata.image)
164 | MITRE,attack.t1064
165 |
166 |
167 |
168 | 255559
169 | WINWORD.EXE
170 | ATT&CK T1064: Word Executing WScript $(win.eventdata.image)
171 | MITRE,attack.t1064
172 |
173 |
174 |
175 |
176 | 255531
177 | .doc
178 | Powershell Spawned from Office Doc
179 | MITRE,attack.t1059,attack.t1202,
180 |
181 |
182 |
183 | 255531
184 | .xls
185 | Powershell Spawned from Excel Doc
186 | MITRE,attack.t1059,attack.t1202,
187 |
188 |
189 |
190 | 255524
191 | WINWORD.EXE
192 | Command Line process spawned from Microsoft Word Doc
193 | MITRE,attack.t1059,attack.t1202,
194 |
195 |
196 |
197 | 255524
198 | EXCEL.EXE
199 | Command Line process spawned from Microsoft Excel Doc
200 | MITRE,attack.t1059,attack.t1202,
201 |
202 |
203 |
204 | 255524
205 | POWERPNT.exe
206 | Command Line process spawned from Microsoft Powerpoint Doc
207 | MITRE,attack.t1059,attack.t1202,
208 |
209 |
210 |
211 | 255524
212 | OUTLOOK.EXE
213 | Command Line process spawned from Microsoft Outlook
214 | MITRE,attack.t1059,attack.t1202,
215 |
216 |
217 |
218 | 255524
219 | VISIO.exe
220 | Command Line process spawned from Microsoft Visio Doc
221 | MITRE,attack.t1059,attack.t1202,
222 |
223 |
224 |
225 | 255524
226 | MSPUB.exe
227 | Command Line process spawned from Microsoft Publisher Doc
228 | MITRE,attack.t1059,attack.t1202,
229 |
230 |
231 |
232 | 255531
233 | POWERPNT.exe
234 | Powershell Spawned from Powerpoint Doc
235 | MITRE,attack.t1059,attack.t1202,
236 |
237 |
238 |
239 | 255531
240 | OUTLOOK.EXE
241 | Powershell Spawned from Microsoft Outlook
242 | MITRE,attack.t1059,attack.t1202
243 |
244 |
245 |
246 | 255531
247 | MSPUB.exe
248 | Powershell Spawned from Microsoft Publisher
249 | MITRE,attack.t1059,attack.t1202,
250 |
251 |
252 |
253 | 255531
254 | VISIO.exe
255 | Powershell Spawned from Microsoft Visio
256 | MITRE,attack.t1059,attack.t1202,
257 |
258 |
259 |
260 | 255524
261 | start microsoft-edge:http:
262 | Potential Trickbot behaviour spawning Microsoft Edge via the Commandline
263 | MITRE,
264 |
265 |
266 |
267 | sysmon_event1
268 | whoami.exe
269 | SYSTEM
270 | Whoami ran as SYSTEM user, potential user recon after privilege escalation
271 | MITRE,attack.t1033
272 |
273 |
274 |
275 | sysmon_event1
276 | CollectionMethod All
277 | Bloodhound Active Directory enumeration tool executed
278 | MITRE,attack.t1087
279 |
280 |
281 |
282 | sysmon_event1
283 | rar.exe
284 | Rar file archive action detected, potential data being staged for exfiltration
285 | MITRE,attack.t1002,attack.t1074
286 |
287 |
288 |
289 | sysmon_event1
290 | net.webclient
291 | downloadstring|downloadfile
292 | Potential powershell download anomaly investigate for potential malware
293 | MITRE,attack.t1086
294 |
295 |
296 |
297 | sysmon_event7
298 | Revoked
299 | T1073 Potential DLL Side Loading by Executable with Revoked Certificate: Image loaded by $(win.eventdata.image)
300 | MITRE,attack.t1073
301 |
302 |
303 |
304 | sysmon_event7
305 | false
306 | T1073 Potential DLL Side Loading by Unsigned Executable: Image loaded by $(win.eventdata.image)
307 | MITRE,attack.t1073
308 |
309 |
310 |
311 | sysmon_event_11
312 | WINWORD.EXE
313 | \\.exe
314 | WORD document wrote executable file: $(win.eventdata.targetFilename)
315 | MITRE,
316 |
317 |
318 |
319 | 255531
320 | cmstp.exe
321 | .inf
322 | CMSTP Executing Remote Scriptlet - T1191
323 | MITRE,attack.t1191,Execution,sysmon
324 |
325 |
326 |
327 | 255531
328 | cmstp.exe
329 | .inf
330 | /au
331 | CMSTP Executing UAC Bypass - T1191
332 | MITRE,attack.t1191,Execution,sysmon
333 |
334 |
335 |
336 | 255531
337 | hh.exe
338 | .chm
339 | http|https
340 | Compiled HTML Help Remote Payload - T1223
341 | MITRE,attack.t1223,Execution,sysmon
342 |
343 |
344 |
345 | 255531
346 | control.exe
347 | .cpl
348 | Control Panel Item (.cpl) executed via control.exe - T1196
349 | MITRE,attack.t1196,Execution,sysmon
350 |
351 |
352 |
353 | 255561
354 | appdata
355 | .txt
356 | Ursnif DLL loading via Regsvr32 T1218
357 | MITRE,attack.t1218,Execution,sysmon
358 |
359 |
360 |
361 | 255551
362 | regread
363 | WScript.Shell
364 | Ursnif loading from Registry via MSHTA exec, T1170
365 | MITRE,attack.t1170,Execution,sysmon
366 |
367 |
368 |
369 | 255531
370 | SQB
371 | Encoded Powershell IEX, T1086
372 | MITRE,attack.t1086,Execution,sysmon
373 |
374 |
375 |
376 | sysmon_event3
377 | psexec
378 | potential lateral movement using psexec
379 | MITRE,attack.t1570,sysmon
380 |
381 |
382 |
383 | 255524
384 | 127.0.0.1\\
385 | ADMIN\$|C\$|IPC\$
386 | ATT&CK T1021.002: Execute command writing output to local Admin Share
387 | MITRE,attack.t1021.002,sysmon
388 |
389 |
390 |
391 | sysmon_event1
392 | w3wp.exe
393 | cmd.exe
394 | ATT&CK T1505.003: Potential webshell interaction
395 | MITRE,attack.t1505.003,sysmon
396 |
397 |
398 |
--------------------------------------------------------------------------------
/0810-command_and_control_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | sysmon_event3
5 | etc/lists/emotet-list
6 | IP connection to Emotet Command and Control
7 | emotet,
8 |
9 |
10 |
11 | sysmon_event3
12 | C:\\Windows\\System32\\wermgr.exe
13 | 449
14 | Wermgr connection on port 449 suspected Trickbot injected process C2 activity
15 | trickbot,
16 |
17 |
18 |
19 | sysmon_event3
20 | C:\\Windows\\System32\\svchost.exe
21 | 449
22 | Svchost connection on port 449 suspected Trickbot injected process C2 activity
23 | trickbot,
24 |
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/0811-log_collection_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | 60000
5 | ^Microsoft-Windows-TerminalServices-LocalSessionManager/Operational$
6 | no_full_log
7 | Group of Windows rules for the TerminalServices-LocalSessionManager/Operational channel
8 |
9 |
10 | 60000
11 | ^Microsoft-Windows-SMBServer/Operational$
12 | no_full_log
13 | Group of Windows rules for the SMBServer/Operational channel
14 |
15 |
16 | 60000
17 | ^Microsoft-Windows-SMBServer/Connectivity$
18 | no_full_log
19 | Group of Windows rules for the SMBServer/Connectivity channel
20 |
21 |
22 | 60000
23 | ^Microsoft-Windows-SMBClient/Operational$
24 | no_full_log
25 | Group of Windows rules for the SMBClient/Operational channel
26 |
27 |
28 | 60000
29 | ^Microsoft-Windows-SmbClient/Connectivity$
30 | no_full_log
31 | Group of Windows rules for the SmbClient/Connectivity channel
32 |
33 |
34 | 60000
35 | ^Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational$
36 | no_full_log
37 | Group of Windows rules for the TerminalServices-RemoteConnectionManager/Operational channel
38 |
39 |
40 |
--------------------------------------------------------------------------------
/0812-lateral_movement.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | sysmon_event_11
5 | ^4$
6 | ATT&CK T1570: Executable transferred potentially by Psexec tool, potential lateral movement
7 | MITRE,attack.t1570
8 |
9 |
10 |
11 | 256200
12 | .exe
13 | ATT&CK T1570: Executable transferred potentially by Psexec tool, potential lateral movement
14 | MITRE,attack.t1570
15 |
16 |
17 |
18 | 255700
19 | %COMSPEC%
20 | ATT&CK T1543.003: %COMSPEC% Variable in Registry Service, potential lateral movement or persistence mechanism
21 | MITRE,attack.t1543.003
22 |
23 |
24 |
25 | 60106
26 | 10|12
27 | ATT&CK T1021/T1133: Successful RDP Logon from $(win.eventdata.ipAddress)
28 | MITRE,attack.t1021,attack.t1133
29 |
30 |
31 |
32 | sysmon_event_11
33 | Network Shortcuts
34 | c\$
35 | ATT&CK T1021.002: Remote System C$ drive mounted
36 | MITRE,attack.t1021.002
37 |
38 |
39 |
40 | 60106
41 | 9
42 | seclogo
43 | ATT&CK T1550.002: Potential Pass the Hash Attack
44 | MITRE,attack.t1550.002
45 |
46 |
47 |
48 | sysmon_event_17
49 | msagent_
50 | ATT&CK T1071: Cobalt Strike Named Pipe SMB Beacon usage
51 | MITRE,attack.t1071
52 |
53 |
54 |
55 |
56 |
57 |
--------------------------------------------------------------------------------
/0815-exfiltration.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | sysmon
5 | Rclone
6 | T1567.002 Rclone potential data exfiltration
7 |
8 |
9 |
10 | sysmon-modular
11 | Rclone
12 | T1567.002 Rclone potential data exfiltration
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ossec-sysmon
2 |
3 | ## A Ruleset to enhance detection capabilities of Ossec using Sysmon
4 |
5 | See the following post for how this ruleset can help you detect Emotet and other malicious-document malware.
6 |
7 | https://laskowski-tech.com/2018/11/28/detecting-emotet-and-other-downloader-malware-with-ossec-wazuh/
8 |
9 |
10 | 
11 |
12 | The 0805-sysmon-modular rules map to the Sysmon configuration by olafhartong and are tagged to the MITRE ATT&CK framework.
13 | You can find that at the following link.
14 |
15 | https://github.com/olafhartong/sysmon-modular
16 |
--------------------------------------------------------------------------------
/generate-config.sh:
--------------------------------------------------------------------------------
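#!/bin/bash
########################################################################################
# This script is used to generate a local_rules.xml file for Wazuh's Ossec implementation
#
# Edit the list of add_rules calls at the bottom based on the rules you want to implement.
#
# All paths are resolved relative to the current working directory (the same convention
# install-rules.sh uses to find the generated local_rules.xml), so run it from the
# checkout root.
#

R331=$(pwd)/0331-sysmon_rules.xml
R332=$(pwd)/0332-credential_access_rules.xml
R802=$(pwd)/0802-sysmon-supplement.xml
R803=$(pwd)/0803-wmic_malicious_rules.xml
R804=$(pwd)/0804-defender_bypass.xml
R805=$(pwd)/0805-sysmon-modular_rules.xml
R805v10=$(pwd)/0805-v10-sysmon-modular_rules.xml
R806=$(pwd)/0806-priv_esc_rules.xml
R807=$(pwd)/0807-persistence_rules.xml
R808=$(pwd)/0808-defense_evasion_rules.xml
R809=$(pwd)/0809-execution_rules.xml
R810=$(pwd)/0810-command_and_control_rules.xml
R811=$(pwd)/0811-log_collection_rules.xml
R812=$(pwd)/0812-lateral_movement.xml
R815=$(pwd)/0815-exfiltration.xml
RULESFILE=$(pwd)/local_rules.xml

# Append one rule file to the generated ruleset.
# Aborts with a non-zero exit when the file is missing or unreadable: otherwise a
# truncated local_rules.xml would be reported as successfully generated and could be
# installed as if it were the complete ruleset, silently dropping detections.
add_rules() {
    local src="$1"
    if [ ! -r "$src" ]; then
        echo "ERROR: rule file not found or not readable: $src" >&2
        exit 1
    fi
    echo -e "Adding: \n$src\n"
    cat "$src" >> "$RULESFILE"
}

# Start from an empty output file; -f so the first run (no previous file) is not an error.
rm -f "$RULESFILE"

echo -e "=== Generating Configuration file ===\n"

touch "$RULESFILE"

# The order below is kept as in the original script. NOTE(review): the rule files
# reference each other via if_sid, so presumably parents must be appended before the
# files that chain onto them - verify before reordering.
# R805 (the non-v10 sysmon-modular rules) is defined above but intentionally not
# appended; the v10 variant is used instead.
add_rules "$R331"
add_rules "$R805v10"
add_rules "$R332"
add_rules "$R802"
add_rules "$R803"
add_rules "$R804"
add_rules "$R806"
add_rules "$R807"
add_rules "$R808"
add_rules "$R809"
add_rules "$R810"
add_rules "$R811"
add_rules "$R812"
add_rules "$R815"

echo -e "You can find your configuration file here:"
echo -e "$RULESFILE"
echo -e "\nUse this to replace the /var/ossec/etc/rules/local_rules.xml on your Wazuh/Ossec Server"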
48 |
--------------------------------------------------------------------------------
/install-rules.sh:
--------------------------------------------------------------------------------
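#!/bin/bash

# Install the local_rules.xml produced by generate-config.sh into the Wazuh/Ossec rules
# directory, keeping a timestamped backup of the file it replaces.
#
# Paths follow the original convention: the generated file is read from the current
# working directory, the live file lives under /var/ossec/etc/rules.

#choose y/N  (defined for interactive use; the install flow below does not prompt)
yesno(){ read -p "$question " choice;case "$choice" in y|Y|yes|Yes|YES ) decision=1;; n|N|no|No|NO ) decision=0;; * ) echo "invalid" && yesno; esac; }

OGRULES=/var/ossec/etc/rules/local_rules.xml
NEWRULES=$(pwd)/local_rules.xml

# Refuse to run without something to install: otherwise the live file is backed up and
# the mv then fails, leaving a stray backup and a misleading "complete" message.
if [ ! -r "$NEWRULES" ]; then
    echo "ERROR: $NEWRULES not found or not readable - run generate-config.sh first" >&2
    exit 1
fi

# Any failing step from here on (no sudo rights, unwritable rules directory) must stop
# the script instead of falling through to the success message.
set -e

#create backup of existing config
BACKUP="$OGRULES.$(date +%y%m%d-%H%M).bak"
if [ -e "$OGRULES" ]; then
    echo -e "\nBacking up current Rules\n"
    # -a preserves owner/group/mode on the backup; they are restored onto the new file below.
    sudo cp -av "$OGRULES" "$BACKUP"
else
    echo -e "\nNo existing $OGRULES to back up\n"
    BACKUP=""
fi

#add new rules
echo -e "\nWriting new rules\n"
sudo mv "$NEWRULES" "$OGRULES"

# mv keeps the ownership and mode the generated file had under the invoking user rather
# than those the manager expects for files under /var/ossec/etc/rules. Copy them back
# from the backup instead of hard-coding a user/group, which differs between versions.
if [ -n "$BACKUP" ]; then
    sudo chown --reference="$BACKUP" "$OGRULES"
    sudo chmod --reference="$BACKUP" "$OGRULES"
fi

# NOTE(review): consider validating the new ruleset with the manager's configuration
# test mode before restarting a production manager; a malformed rules file will keep
# it from starting.
echo -e "\nAdding of rules complete, restart Wazuh Manager for them to take effect\n systemctl restart wazuh-manager.service"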
20 |
--------------------------------------------------------------------------------
/local_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | sysmon_event1
6 | \\powershell.exe||\\.ps1||\\.ps2
7 | Sysmon - Event 1: Powershell exe: $(win.eventdata.image)
8 | sysmon_event1,powershell_execution,
9 |
10 |
11 |
12 | sysmon_event1
13 | \\cmd.exe
14 | Sysmon - Event 1: CMD exe: $(win.eventdata.image)
15 | sysmon_event1,cmd_execution,
16 |
17 |
18 |
19 | 185001
20 | Network connection detected
21 | powershell.exe
22 | Powershell Network Connection
23 | sysmon_event3,network,
24 |
25 |
26 |
27 | 255000
28 | .doc
29 | Powershell Spawned from Office Doc
30 | MITRE,attack.t1059,attack.t1202,
31 |
32 |
33 |
34 | 255000
35 | .xls
36 | Powershell Spawned from Excel Doc
37 | MITRE,attack.t1059,attack.t1202,
38 |
39 |
40 |
41 | 255001
42 | WINWORD.EXE
43 | Command Line process spawned from Microsoft Word Doc
44 | MITRE,attack.t1059,attack.t1202,
45 |
46 |
47 |
48 | 255001
49 | EXCEL.EXE
50 | Command Line process spawned from Microsoft Excel Doc
51 | MITRE,attack.t1059,attack.t1202,
52 |
53 |
54 |
55 | sysmon_event1
56 | mshta.exe
57 | http
58 | Possible Malicious HTA file executed
59 | MITRE,attack.t1170,
60 |
61 |
62 |
63 | 255001
64 | POWERPNT.exe
65 | Command Line process spawned from Microsoft Powerpoint Doc
66 | MITRE,attack.t1059,attack.t1202,
67 |
68 |
69 |
70 | 255001
71 | OUTLOOK.EXE
72 | Command Line process spawned from Microsoft Outlook
73 | MITRE,attack.t1059,attack.t1202,
74 |
75 |
76 |
77 | 255001
78 | VISIO.exe
79 | Command Line process spawned from Microsoft Visio Doc
80 | MITRE,attack.t1059,attack.t1202,
81 |
82 |
83 |
84 | 255001
85 | MSPUB.exe
86 | Command Line process spawned from Microsoft Publisher Doc
87 | MITRE,attack.t1059,attack.t1202,
88 |
89 |
90 |
91 | 255000
92 | POWERPNT.exe
93 | Powershell Spawned from Powerpoint Doc
94 | MITRE,attack.t1059,attack.t1202,
95 |
96 |
97 |
98 | 255000
99 | OUTLOOK.EXE
100 | Powershell Spawned from Microsoft Outlook
101 | MITRE,attack.t1059,attack.t1202
102 |
103 |
104 |
105 | 255000
106 | MSPUB.exe
107 | Powershell Spawned from Microsoft Publisher
108 | MITRE,attack.t1059,attack.t1202,
109 |
110 |
111 |
112 | 255000
113 | VISIO.exe
114 | Powershell Spawned from Microsoft Visio
115 | MITRE,attack.t1059,attack.t1202,
116 |
117 |
118 |
119 | 255001
120 | regsvr32
121 | http
122 | MITRE ATT&CK T1117 - Regsvr32 https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
123 | MITRE,attack.t1117,
124 |
125 |
126 |
127 | 255001
128 | cscript.exe
129 | http
130 | MITRE ATT&CK T1216 - Signed Script Proxy Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
131 | MITRE,attack.t1216,
132 |
133 |
134 |
135 | 255001
136 | sc.exe
137 | create|start|delete
138 | New Service Created with sc.exe : MITRE ATT&CK T1035 - Service Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.md
139 | MITRE,attack.t1035,
140 |
141 |
142 |
143 | 255000
144 | sc.exe
145 | create|start|delete
146 | New Service Created with sc.exe : MITRE ATT&CK T1035 - Service Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.md
147 | MITRE,attack.t1035,
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 | sysmon_event8
157 | technique_name=Process Injection
158 | MITRE T1055 Process Injection: $(win.eventdata.image)
159 | MITRE,attack.t1055,
160 |
161 |
162 |
163 | sysmon_event1
164 | technique_name=Masquerading
165 | MITRE T1036 Masquerading: $(win.eventdata.image)
166 | MITRE,attack.t1036,
167 |
168 |
169 |
170 | sysmon_event1
171 | technique_name=Credential Dumping
172 | MITRE T1003 Credential Dumping: $(win.eventdata.image)
173 | MITRE,attack.t1003,
174 |
175 |
176 |
177 | sysmon_event_12
178 | technique_name=Winlogon Helper DLL
179 | MITRE T1004 Winlogon Helper DLL: $(win.eventdata.image)
180 | MITRE,attack.t1004,
181 |
182 |
183 |
184 | sysmon_event1
185 | technique_name=Data from Local System
186 | MITRE T1005 Data from Local System: $(win.eventdata.image)
187 | MITRE,attack.t1005,
188 |
189 |
190 |
191 | sysmon_event1
192 | technique_name=System Service Discovery
193 | MITRE T1007 System Service Discovery: $(win.eventdata.image)
194 | MITRE,attack.t1007,
195 |
196 |
197 |
198 | sysmon_event1
199 | technique_name=Query Registry
200 | MITRE T1012 Query registry: $(win.eventdata.image)
201 | MITRE,attack.t1012,
202 |
203 |
204 |
205 | sysmon_event_12
206 | technique_name=Forced Authentication
207 | MITRE T1013 Forced Authentication: $(win.eventdata.image)
208 | MITRE,attack.t1013,
209 |
210 |
211 |
212 | sysmon_event_12
213 | technique_name=Accessibility Features
214 | MITRE T1015 Accessibility Features: $(win.eventdata.image)
215 | MITRE,attack.t1015,
216 |
217 |
218 |
219 | sysmon_event3
220 | technique_name=System Network Configuration Discovery
221 | MITRE T1016 System Network Configuration Discovery: $(win.eventdata.image)
222 | MITRE,attack.t1016,
223 |
224 |
225 |
226 | sysmon_event1
227 | technique_name=Remote System Discovery
228 | MITRE T1018 Remote System Discovery: $(win.eventdata.image)
229 | MITRE,attack.t1018,
230 |
231 |
232 |
233 | sysmon_event2
234 | technique_name=Remote Services
235 | MITRE T1021 Remote Services : $(win.eventdata.image)
236 | MITRE,attack.t1021,
237 |
238 |
239 |
240 | sysmon_event1
241 | technique_name=Obfuscated Files or Information
242 | MITRE T1027 Obfuscated Files or Information : $(win.eventdata.image)
243 | MITRE,attack.t1027,
244 |
245 |
246 |
247 | sysmon_event1
248 | technique_name=Windows Remote Management
249 | MITRE T1028 Windows Remote Management: $(win.eventdata.image)
250 | MITRE,attack.t1028,
251 |
252 |
253 |
254 | sysmon_event1
255 | technique_name=Modify Existing Service
256 | MITRE T1031 Modify Existing Service : $(win.eventdata.image)
257 | MITRE,attack.t1031,
258 |
259 |
260 |
261 | sysmon_event1
262 | technique_name=System Owner/User Discovery
263 | MITRE T1033 System Owner/User Discovery : $(win.eventdata.image)
264 | MITRE,attack.t1033,
265 |
266 |
267 |
268 | sysmon_event1
269 | technique_name=Service Execution
270 | MITRE T1035 Service Execution: $(win.eventdata.image)
271 | MITRE,attack.t1035,
272 |
273 |
274 |
275 | sysmon_event_12
276 | technique_name=Logon Scripts
277 | MITRE T1037 Logon Scripts: $(win.eventdata.image)
278 | MITRE,attack.t1037,
279 |
280 |
281 |
282 | sysmon_event_12
283 | technique_name=Change Default File Association
284 | MITRE T1042 Change Default File Association: $(win.eventdata.image)
285 | MITRE,attack.t1042,
286 |
287 |
288 |
289 | sysmon_event3
290 | technique_name=Windows Management Instrumentation
291 | MITRE T1047 Windows Management Instrumentation : $(win.eventdata.image)
292 | MITRE,attack.t1047,
293 |
294 |
295 |
296 | sysmon_event1
297 | technique_name=System Network Connections Discovery
298 | MITRE T1049 System Network Connections Discovery: $(win.eventdata.image)
299 | MITRE,attack.t1049,
300 |
301 |
302 |
303 | sysmon_event1
304 | technique_name=Scheduled Task
305 | MITRE T1053 Scheduled Task: $(win.eventdata.image)
306 | MITRE,attack.t1053,
307 |
308 |
309 |
310 | sysmon_event1
311 | technique_name=Indicator Blocking
312 | MITRE T1054 Indicator Blocking : $(win.eventdata.image)
313 | MITRE,attack.t1054,
314 |
315 |
316 |
317 | sysmon_event1
318 | technique_name=Process Discovery
319 | MITRE T1057 Process Discovery: $(win.eventdata.image)
320 | MITRE,attack.t1057,
321 |
322 |
323 |
324 | sysmon_event1
325 | technique_name=Command-Line Interface
326 | MITRE T1059 Command-Line Interface: $(win.eventdata.image)
327 | MITRE,attack.t1059,
328 |
329 |
330 |
331 | sysmon_event_12
332 | technique_name=Registry Run Keys / Start Folder
333 | MITRE T1060 Registry Run Keys / Start Folder: $(win.eventdata.image)
334 | MITRE,attack.t1060,
335 |
336 |
337 |
338 | sysmon_event1
339 | technique_name=Security Software Discovery
340 | MITRE T1063 Security Software Discovery: $(win.eventdata.image)
341 | MITRE,attack.t1063,
342 |
343 |
344 |
345 | sysmon_event1
346 | technique_name=Permission Groups Discovery
347 | MITRE T1069 Permission Groups Discovery: $(win.eventdata.image)
348 | MITRE,attack.t1069,
349 |
350 |
351 |
352 | sysmon_event1
353 | technique_name=Indicator Removal on Host
354 | MITRE T1070 Indicator Removal on Host: $(win.eventdata.image)
355 | MITRE,attack.t1070,
356 |
357 |
358 |
359 | sysmon_event1
360 | technique_name=File and Directory Discovery
361 | MITRE T1083 File and Directory Discovery: $(win.eventdata.image)
362 | MITRE,attack.t1083,
363 |
364 |
365 |
366 | sysmon_event3
367 | technique_name=Rundll32
368 | MITRE T1085 Rundll32: $(win.eventdata.image)
369 | MITRE,attack.t1085,
370 |
371 |
372 |
373 | sysmon_event1
374 | technique_name=PowerShell
375 | MITRE T1086 Powershell: $(win.eventdata.image)
376 | MITRE,attack.t1086,
377 |
378 |
379 |
380 | sysmon_event1
381 | technique_name=Bypass User Account Control
382 | MITRE T1088 Bypass User Account Control: $(win.eventdata.image)
383 | MITRE,attack.t1088,
384 |
385 |
386 |
387 | sysmon_event1
388 | technique_name=Disabling Security Tools
389 | MITRE T1089 Disabling Security Tools: $(win.eventdata.image)
390 | MITRE,attack.t1089,
391 |
392 |
393 |
394 | sysmon_event1
395 | technique_name=Account Manipulation
396 | MITRE T1098 Account Manipulation: $(win.eventdata.image)
397 | MITRE,attack.t1098,
398 |
399 |
400 |
401 | sysmon_event2
402 | technique_name=Timestomp
403 | MITRE T1099 Timestomp: $(win.eventdata.image)
404 | MITRE,attack.t1099,
405 |
406 |
407 |
408 | sysmon_event_12
409 | technique_name=Security Support Provider
410 | MITRE T1101 Security Support Provider: $(win.eventdata.image)
411 | MITRE,attack.t1101,
412 |
413 |
414 |
415 | sysmon_event_12
416 | technique_name=Appinit DLLs
417 | MITRE T1103 Appinit DLLs: $(win.eventdata.image)
418 | MITRE,attack.t1103,
419 |
420 |
421 |
422 | sysmon_event1
423 | technique_name=Remote File Copy
424 | MITRE T1105 Remote File Copy: $(win.eventdata.image)
425 | MITRE,attack.t1105,
426 |
427 |
428 |
429 | sysmon_event1
430 | technique_name=Modify Registry
431 | MITRE T1112 Modify Registry: $(win.eventdata.image)
432 | MITRE,attack.t1112,
433 |
434 |
435 |
436 | sysmon_event1
437 | technique_name=Regsvr32
438 | MITRE T1117 Regsvr32: $(win.eventdata.image)
439 | MITRE,attack.t1117,
440 |
441 |
442 |
443 | sysmon_event1
444 | technique_name=InstallUtil
445 | MITRE T1118 InstallUtil: $(win.eventdata.image)
446 | MITRE,attack.t1118,
447 |
448 |
449 |
450 | sysmon_event1
451 | technique_name=Regsvcs/Regasm
452 | MITRE T1121 Regsvcs/Regasm: $(win.eventdata.image)
453 | MITRE,attack.t1121,
454 |
455 |
456 |
457 | sysmon_event_12
458 | technique_name=Component Object Model Hijacking
459 | MITRE T1122 Component Object Model Hijacking: $(win.eventdata.image)
460 | MITRE,attack.t1122,
461 |
462 |
463 |
464 | sysmon_event1
465 | technique_name=Trusted Developer Utilities
466 | MITRE T1127 Trusted Developer Utilities: $(win.eventdata.image)
467 | MITRE,attack.t1127,
468 |
469 |
470 |
471 | sysmon_event_12
472 | technique_name=Netsh Helper DLL
473 | MITRE T1128 Netsh Helper DLL: $(win.eventdata.image)
474 | MITRE,attack.t1128,
475 |
476 |
477 |
478 | sysmon_event_12
479 | technique_name=Install Root Certificate
480 | MITRE T1130 Install Root Certificate: $(win.eventdata.image)
481 | MITRE,attack.t1130,
482 |
483 |
484 |
485 | sysmon_event_12
486 | technique_name=Authentication Package
487 | MITRE T1131 Authentication Package: $(win.eventdata.image)
488 | MITRE,attack.t1131,
489 |
490 |
491 |
492 | sysmon_event1
493 | technique_name=Access Token Manipulation
494 | MITRE T1134 Access Token Manipulation: $(win.eventdata.image)
495 | MITRE,attack.t1134,
496 |
497 |
498 |
499 | sysmon_event1
500 | technique_name=Application Shimming
501 | MITRE T1138 Application Shimming: $(win.eventdata.image)
502 | MITRE,attack.t1138,
503 |
504 |
505 |
506 | sysmon_event1
507 | technique_name=Hidden Files and Files Directories
508 | MITRE T1158 Hidden Files and Directories: $(win.eventdata.image)
509 | MITRE,attack.t1158,
510 |
511 |
512 |
513 | sysmon_event1
514 | technique_name=Mshta
515 | MITRE T1170 Mshta: $(win.eventdata.image)
516 | MITRE,attack.t1170,
517 |
518 |
519 |
520 | sysmon_event_12
521 | technique_name=AppCert DLLs
522 | MITRE T1182: $(win.eventdata.image)
523 | MITRE,attack.t1182,
524 |
525 |
526 |
527 | sysmon_event_12
528 | technique_name=Image File Execution Options Injection
529 | MITRE T1183 Image File Execution Options Injection: $(win.eventdata.image)
530 | MITRE,attack.t1183,
531 |
532 |
533 |
534 | sysmon_event_11
535 | technique_name=Forced Authentication
536 | MITRE T1187 Forced Authentication: $(win.eventdata.image)
537 | MITRE,attack.t1187,
538 |
539 |
540 |
541 | sysmon_event1
542 | technique_name=CMSTP
543 | MITRE T1191 CMSTP: $(win.eventdata.image)
544 | MITRE,attack.t1191,
545 |
546 |
547 |
548 | sysmon_event1
549 | technique_name=Control Panel Items
550 | MITRE T1196: $(win.eventdata.image)
551 | MITRE,attack.t1196,
552 |
553 |
554 |
555 | sysmon_event1
556 | technique_name=BITS Jobs
557 | MITRE T1197 BITS Jobs: $(win.eventdata.image)
558 | MITRE,attack.t1197,
559 |
560 |
561 |
562 | sysmon_event_12
563 | technique_name=SIP and Trust Provider Hijacking
564 | MITRE T1198 SIP and Trust Provider Hijacking: $(win.eventdata.image)
565 | MITRE,attack.t1198,
566 |
567 |
568 |
569 | sysmon_event1
570 | technique_name=Indirect Command Execution
571 | MITRE T1202 Indirect Command Execution: $(win.eventdata.image)
572 | MITRE,attack.t1202,
573 |
574 |
575 |
576 | sysmon_event_12
577 | technique_name=Time Providers
578 | MITRE T1209 Time Providers: $(win.eventdata.image)
579 | MITRE,attack.t1209,
580 |
581 |
582 |
583 | sysmon
584 | technique_name=Regsvr32
585 | MITRE T1218 Regsvr32: $(win.eventdata.image)
586 | MITRE,attack.t1218,
587 |
588 |
589 |
590 | sysmon_event1
591 | technique_name=Signed Binary Proxy Execution
592 | MITRE T1218 Signed Binary Proxy Execution: $(win.eventdata.image)
593 | MITRE,attack.t1218,
594 |
595 |
596 |
597 | sysmon
598 | technique_name=Signed Binary Proxy Execution
599 | MITRE T1218 Signed Binary Proxy Execution: $(win.eventdata.image)
600 | MITRE,attack.t1218,
601 |
602 |
603 |
604 | sysmon_event3
605 | technique_name=Masquerading
606 | MITRE T1036 Masquerading: $(win.eventdata.image)
607 | MITRE,attack.t1036,
608 |
609 |
610 |
611 | sysmon
612 | technique_name=System Network Configuration Discovery
613 | MITRE T1016 System Network Configuration Discovery: $(win.eventdata.image)
614 | MITRE,attack.t1016,
615 |
616 |
617 |
618 | sysmon
619 | technique_name=Windows Remote Management
620 | MITRE T1028 Windows Remote Management: $(win.eventdata.image)
621 | MITRE,attack.t1028,
622 |
623 |
624 |
625 | sysmon
626 | technique_name=Service Execution
627 | MITRE T1035 Service Execution: $(win.eventdata.image)
628 | MITRE,attack.t1035,
629 |
630 |
631 |
632 | sysmon_event3
633 | technique_name=Regsvr32
634 | MITRE T1218 Regsvr32: $(win.eventdata.image)
635 | MITRE,attack.t1218,
636 |
637 |
638 |
639 | sysmon_event3
640 | technique_name=Commonly Used Port
641 | MITRE T1043 Commonly Used Port: $(win.eventdata.image)
642 | MITRE,attack.t1043,
643 |
644 |
645 |
646 | sysmon_event3
647 | technique_name=PowerShell
648 | MITRE T1086 Powershell Network Connection: $(win.eventdata.image)
649 | MITRE,attack.t1086,
650 |
651 |
652 |
653 | sysmon_event3
654 | technique_name=Indirect Command Execution
655 | MITRE T1202 Indirect Command Execution Network Activity: $(win.eventdata.image)
656 | MITRE,attack.t1202,
657 |
658 |
659 |
660 | sysmon_event_13
661 | technique_name=Registry Run
662 | MITRE T1060 Run Key Persistence: $(win.eventdata.image)
663 | MITRE,attack.t1060,
664 |
665 |
666 |
667 | sysmon_event3
668 | technique_name=UnCommonly Used Port
669 | MITRE T1065 Uncommonly Used Port: $(win.eventdata.image)
670 | MITRE,attack.t1065,
671 |
672 |
673 |
674 | sysmon_event7
675 | technique_name=User Execution
676 | MITRE T1204 User Execution: $(win.eventdata.image)
677 | MITRE,attack.t1204,
678 |
679 |
680 |
681 |
682 |
683 |
684 |
685 | sysmon_event1
686 | \\findstr.exe
687 | cpassword
688 | Finding Passwords in SYSVOL & Exploiting Group Policy Preferences : MITRE ATT&CK T1081 - https://adsecurity.org/?p=2288
689 | MITRE,attack.t1081,
690 |
691 |
692 |
693 | 255547
694 | HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LMCompatibilityLevel
695 | ATT&CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue
696 | MITRE,attack.t1075
697 |
698 |
699 |
700 | 255547
701 | HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic
702 | ATT&CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue
703 | MITRE,attack.t1075
704 |
705 |
706 |
707 | sysmon_event_11
708 | \\Temp\\debug.bin
709 | Detects possible SafetyKatz Behaviour
710 | MITRE,attack.t1003,sigma
711 |
712 |
713 |
714 | sysmon_event_10
715 | lsass.exe
716 | dbgcore
717 | ATT&CK T1003: dbgcore.DLL potentially used to dump credentials from LSASS
718 | MITRE,attack.t1003
719 |
720 |
721 |
722 | sysmon_event_13
723 | \\WDigest\\UseLogonCredential
724 | ATT&CK T1003: Detects possible Mimikatz Activity, registry edit for WDigest plain text credentials
725 | MITRE,attack.t1003,
726 |
727 |
728 |
729 | 255107
730 | \\MsMpEng.exe|\\ossec-agent.exe|\\wininit.exe|\\csrss.exe
731 | Whitelist Interaction with LSASS
732 | MITRE,attack.t1003,
733 |
734 |
735 |
736 | windows_application
737 | grabber_temp
738 | Microsoft Internet Explorer Passwords dumped, TTP indicative of Trickbot infection
739 | MITRE,attack.t1003
740 |
741 |
742 |
743 | 255531
744 | comsvcs.dll
745 | MiniDump|#24
746 | Comsvcs.dll potentially used to dump credentials from LSASS
747 | MITRE,attack.t1003
748 |
749 |
750 |
751 | 255524
752 | comsvcs.dll
753 | MiniDump|#24
754 | Comsvcs.dll potentially used to dump credentials from LSASS
755 | MITRE,attack.t1003
756 |
757 |
758 |
759 | 255524
760 | comsvcs.dll
761 | MiniDump|#24
762 | Comsvcs.dll potentially used to dump credentials from LSASS
763 | MITRE,attack.t1003
764 |
765 |
766 |
767 | sysmon_event1
768 | mimikatz
769 | Mimikatz potentially used to dump credentials from LSASS
770 | MITRE,attack.t1003
771 |
772 |
773 |
774 | sysmon_event1
775 | procdump
776 | lsass
777 | Procdump potentially used to dump credentials from LSASS
778 | MITRE,attack.t1003
779 |
780 |
781 |
782 | sysmon_event_10
783 | lsass.exe
784 | dbgcore
785 | dbgcore.DLL potentially used to dump credentials from LSASS
786 | MITRE,attack.t1003
787 |
788 |
789 |
790 |
791 |
792 |
793 |
794 | 61600
795 | ^16$
796 | Sysmon - Event 16: ServiceConfigurationChange by $(win.eventdata.image)
797 | sysmon_event_16,
798 |
799 |
800 |
801 | 61600
802 | ^17$
803 | Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)
804 | sysmon_event_17,
805 |
806 |
807 |
808 | 61600
809 | ^18$
810 | Sysmon - Event 18: PipeEvent (Pipe Connected) by $(win.eventdata.image)
811 | sysmon_event_18,
812 |
813 |
814 |
815 | 61600
816 | ^19$
817 | Sysmon - Event 19: WmiEvent (WmiEventFilter activity detected) by $(win.eventdata.image)
818 | sysmon_event_19,
819 |
820 |
821 |
822 | 61600
823 | ^20$
824 | Sysmon - Event 20: WmiEvent (WmiEventConsumer activity detected) by $(win.eventdata.image)
825 | sysmon_event_20,
826 |
827 |
828 |
829 | 61600
830 | ^21$
831 | Sysmon - Event 21: WmiEvent (WmiEventConsumerToFilter activity detected) by $(win.eventdata.image)
832 | sysmon_event_21,
833 |
834 |
835 |
836 | 61600
837 | ^22$
838 | Sysmon - Event 22: DNSEvent (DNS query) by $(win.eventdata.image)
839 | sysmon_event_22,
840 |
841 |
842 |
843 | 61600
844 | ^23$
845 | Sysmon - Event 23: FileDelete (A file delete was detected) by $(win.eventdata.image)
846 | sysmon_event_23,
847 |
848 |
849 |
850 | 61600
851 | ^24$
852 | Sysmon - Event 24: ClipboardChange (New content in the clipboard) by $(win.eventdata.image)
853 | sysmon_event_24,
854 |
855 |
856 |
857 | 61600
858 | ^25$
859 | Sysmon - Event 25: ProcessTampering (Process image change) by $(win.eventdata.image)
860 | sysmon_event_25,
861 |
862 |
863 |
864 |
865 |
866 |
867 | sysmon_event1
868 | \\WMIC.exe
869 | process call create
870 | Using WMIC for process creation: https://attack.mitre.org/techniques/T1047/
871 | MITRE,attack.t1047
872 |
873 |
874 |
875 | sysmon_event1
876 | \\WMIC.exe
877 | /namespace:\\root\securitycenter2 path antivirusproduct
878 | Using WMIC for Antivirus Enumeration: https://attack.mitre.org/techniques/T1047/
879 | MITRE,attack.t1047
880 |
881 |
882 |
883 | sysmon_event1
884 | \\WMIC.exe
885 | /NAMESPACE:\\\\root\\directory\\ldap PATH ds_user
886 | Using WMIC for Domain User Enumeration: https://attack.mitre.org/techniques/T1047/
887 | MITRE,attack.t1047
888 |
889 |
890 |
891 | sysmon_event1
892 | \\WMIC.exe
893 | /NAMESPACE:\\\\root\\directory\\ldap PATH ds_group
894 | Using WMIC for Domain Group Enumeration: https://attack.mitre.org/techniques/T1047/
895 | MITRE,attack.t1047
896 |
897 |
898 |
899 | sysmon_event1
900 | \\WMIC.exe
901 | USERACCOUNT
902 | Using WMIC for Local Account Enumeration: https://attack.mitre.org/techniques/T1047/
903 | MITRE,attack.t1047
904 |
905 |
906 |
907 | sysmon_event1
908 | \\WMIC.exe
909 | NTDOMAIN
910 | Using WMIC for Domain Enumeration: https://attack.mitre.org/techniques/T1047/
911 | MITRE,attack.t1047
912 |
913 |
914 |
915 | sysmon_event1
916 | \\WMIC.exe
917 | gfe list brief
918 | Using WMIC for Host Patch Level Enumeration: https://attack.mitre.org/techniques/T1047/
919 | MITRE,attack.t1047
920 |
921 |
922 |
923 | sysmon_event1
924 | \\scrcons.exe
925 | WMI persistence Script Event Consumer File Write : https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
926 | MITRE,attack.t1084
927 |
928 |
929 |
930 | 255000
931 | \\WmiPrvSE.exe
932 | WmiPrvSE event spawning powershell
933 | MITRE,attack.t1047
934 |
935 |
936 |
937 | sysmon_event1
938 | \\WmiPrvSE.exe
939 | cmd.exe
940 | 127.0.0.1
941 | Red Team WMI technique matching Impacket wmiexec.py tooling
942 | MITRE,attack.t1047
943 |
944 |
945 |
946 |
947 |
948 |
949 | windows
950 | Windows Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled
951 | Windows Defender: Realtime Detection Disabled: https://attack.mitre.org/techniques/T1089/
952 | gdpr_IV_35.7.d,MITRE,attack.t1089,defender
953 |
954 |
955 |
956 | windows
957 | 3002
958 | Windows Defender: Antivirus Rules Missing: https://attack.mitre.org/techniques/T1089/
959 | MITRE,attack.t1089,defender
960 |
961 |
962 |
963 |
964 | 255531
965 | DisableRealtimeMonitoring $true
966 | Defender Realtime Monitoring Disabled
967 | defender,attack.t1089
968 |
969 |
970 | 62100
971 | ^5001$
972 | Windows Defender Real-time Protection was disabled.
973 | defender,attack.t1089
974 |
975 |
976 | 62100
977 | ^1006$|^1116$
978 | Windows Defender found malware or other potentially unwanted software.
979 | defender,attack.t1089
980 |
981 |
982 | 62100
983 | ^1008$
984 | Windows Defender found malware and failed to clean it.
985 | defender,attack.t1089
986 |
987 |
988 | 62100
989 | ^1015$
990 | Windows Defender detected suspicious behavior.
991 | defender,attack.t1089
992 |
993 |
994 | 62100
995 | ^5010$
996 | Scanning for malware and other potentially unwanted software is disabled.
997 | defender,attack.t1089
998 |
999 |
1000 | 62100
1001 | ^5012$
1002 | Scanning for viruses is disabled.
1003 | defender,attack.t1089
1004 |
1005 |
1006 | 62100
1007 | ^5007$
1008 | DisableBlockAtFirstSeen = 0x1
1009 | Windows Defender Block At First Seen disabled
1010 | defender,attack.t1089
1011 |
1012 |
1013 | 62100
1014 | ^5007$
1015 | DisableBehaviorMonitoring
1016 | Windows Defender Behavior Monitoring Was Configured
1017 | defender,attack.t1089
1018 |
1019 |
1020 | 62100
1021 | ^5007$
1022 | DisableRealtimeMonitoring
1023 | Windows Defender Realtime Monitoring Was Configured
1024 | defender,attack.t1089
1025 |
1026 |
1027 | 62100
1028 | ^5007$
1029 | C:\\ = 0x0|D:\\ = 0x0|E:\\ = 0x0|F:\\ = 0x0
1030 | Windows Defender Exclusion for Attached Drive
1031 | defender,attack.t1089
1032 |
1033 |
1034 |
1035 |
1036 |
1037 |
1038 | 255531
1039 | \\csc.exe
1040 | cmdline
1041 | ATT&CK T1055: Suspected Shellcode Compile on Endpoint
1042 | MITRE,attack.t1055,
1043 |
1044 |
1045 |
1046 | 255500
1047 | \\powershell.exe
1048 | \\rundll32.exe
1049 | ATT&CK T1055: Suspected Process Injection matching Cobalt Strike methods
1050 | MITRE,attack.t1055,
1051 |
1052 |
1053 |
1054 | 255524
1055 | \\\\.\\pipe\\
1056 | Named Pipe potential Privilege Escalation (Meterpreter) T1134
1057 | MITRE,attack.t1134,sysmon
1058 |
1059 |
1060 |
1061 | sysmon_event8
1062 | rundll32.exe
1063 | winlogon.exe|dllhost.exe|svchost.exe
1064 | ATT&CK T1055: Process injections by $(win.eventdata.sourceImage) into $(win.eventdata.targetImage)
1065 | MITRE,attack.t1055,sysmon
1066 |
1067 |
1068 |
1069 |
1070 |
1071 |
1072 |
1073 |
1074 |
1075 | sysmon_event_13
1076 | services.exe
1077 | ATT&CK T1058: Registry edit for new service
1078 | MITRE,attack.t1058
1079 |
1080 |
1081 |
1082 |
1083 | 255700
1084 | \\.exe
1085 | ATT&CK T1058: Executable written to Registry for Persistence
1086 | MITRE,attack.t1058
1087 |
1088 |
1089 |
1090 | sysmon_event_11
1091 | \\Programs\\Startup
1092 | ATT&CK T1060: Potential Persistence Method via Startup Folder
1093 | MITRE,attack.t1060
1094 |
1095 |
1096 |
1097 | 255702
1098 | desktop.ini
1099 | Startup Folder Whitelist
1100 | MITRE,attack.t1060
1101 |
1102 |
1103 |
1104 | sysmon_event_11
1105 | \\.scr
1106 | ATT&CK T1180: Screensaver, unusual filetype anomaly, .scr file detected
1107 | MITRE,attack.t1180
1108 |
1109 |
1110 |
1111 | sysmon_event_13
1112 | RunOnce
1113 | ATT&CK T1547.001: Potential Run Key Persistence Setup
1114 | MITRE,attack.t1547.001
1115 |
1116 |
1117 |
1118 | 255705
1119 | \\OneDriveSetup.exe
1120 | silence normal onedrive activity
1121 | MITRE,attack.t1160
1122 |
1123 |
1124 |
1125 | 255702
1126 | Explorer.EXE
1127 | Startup Folder Whitelist
1128 | MITRE,attack.t1060
1129 |
1130 |
1131 |
1132 | 255539
1133 | Windows\\CurrentVersion\\Run
1134 | Run Key Persistence Detected
1135 | MITRE,attack.t1547.001
1136 |
1137 |
1138 |
1139 | 255572
1140 | powershell
1141 | ATT&CK T1547.001: Powershell in registry, potential malicious persistence
1142 | MITRE,attack.t1547.001
1143 |
1144 |
1145 |
1146 | sysmon_event_12
1147 | RunOnce
1148 | ATT&CK T1547.001: Potential Run Key Persistence Setup
1149 | MITRE,attack.t1547.001
1150 |
1151 |
1152 |
1153 | sysmon_event_11
1154 | w3wp.exe
1155 | asp|php|jsp
1156 | ATT&CK T1505.003: Potential Webshell from IIS
1157 | MITRE,attack.t1505.003
1158 |
1159 |
1160 |
1161 |
1162 |
1163 |
1164 |
1165 | sysmon_event1
1166 | \\mshta.exe
1167 | browser_broker.exe
1168 | ATT&CK T1170: MSHTA execution demiguise techniques
1169 | MITRE,attack.t1170
1170 |
1171 |
1172 |
1173 | sysmon_event1
1174 | \\mshta.exe
1175 | chrome.exe
1176 | ATT&CK T1170: MSHTA execution demiguise techniques
1177 | MITRE,attack.t1170
1178 |
1179 |
1180 |
1181 | sysmon_event1
1182 | firewall set opmode mode=disable
1183 | ATT&CK T1089: Disabling the Windows Firewall
1184 | MITRE,attack.t1089
1185 |
1186 |
1187 |
1188 | sysmon_event1
1189 | advfirewall set currentprofile state off
1190 | ATT&CK T1089: Disabling the Windows Firewall
1191 | MITRE,attack.t1089
1192 |
1193 |
1194 |
1195 | sysmon_event_11
1196 | \\.arj
1197 | ATT&CK T1406: Filetype anomaly, unusual file type .arj
1198 | MITRE,attack.t1406
1199 |
1200 |
1201 |
1202 | 255531
1203 | sysmon64.exe
1204 | -u
1205 | Sysmon has been uninstalled
1206 | MITRE,attack.t1089
1207 |
1208 |
1209 |
1210 | 255531
1211 | fltmc.exe
1212 | unload
1213 | Unload Filter Driver, possibly sysmon
1214 | MITRE,attack.t1089,sysmon
1215 |
1216 |
1217 |
1218 |
1219 |
1220 |
1221 | 255531
1222 | -e PAA|-en PAA|-enc PAA|-enco PAA|-encod PAA|JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ|QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA|kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA|IgAoACcAKgAnACkAOwAkA|IAKAAnACoAJwApADsAJA|iACgAJwAqACcAKQA7ACQA
1223 | ATT&CK T1059: Powershell execution techniques seen with Emotet malware
1224 | MITRE,attack.t1059
1225 |
1226 |
1227 |
1228 |
1229 | 255531
1230 | -noP -sta -w 1 -enc|-NoP -sta -NonI -W Hidden -Enc|-NoP -NonI -W Hidden -enc
1231 | ATT&CK T1059: Powershell execution techniques default PowerShell Empire launcher
1232 | MITRE,attack.t1059
1233 |
1234 |
1235 |
1236 | sysmon_event1
1237 | certutil -urlcache -split -f
1238 | ATT&CK T1059: CertUtil Download Technique
1239 | MITRE,attack.t1059
1240 |
1241 |
1242 |
1243 | 255531
1244 | -exec bypass -Noninteractive -windowstyle hidden -e
1245 | ATT&CK T1059: Powershell execution techniques default Posh C2 launcher
1246 | MITRE,attack.t1059
1247 |
1248 |
1249 |
1250 | 255531
1251 | /w 1
1252 | value.toString
1253 | ATT&CK T1059: Powershell execution techniques default Unicorn Powershell Meterpreter launcher
1254 | MITRE,attack.t1059
1255 |
1256 |
1257 |
1258 | 60100
1259 | ^400$
1260 | PowerShell
1261 | Windows PowerShell was started.
1262 |
1263 |
1264 |
1265 | 60100
1266 | ^800$
1267 | PowerShell
1268 | Windows PowerShell command executed.
1269 |
1270 |
1271 |
1272 | sysmon_event1
1273 | englishsize|adamteapot|initijpn|classchx|choreengine|pixelproc|cablesongs|mscmsknown
1274 | Potential Emotet Executable running detection
1275 | MITRE,execution
1276 |
1277 |
1278 |
1279 | sysmon_event3
1280 | englishsize|adamteapot|initijpn|classchx|choreengine|pixelproc|vertclient|cablesongs|mscmsknown
1281 | Potential Emotet Executable running detection
1282 | MITRE,execution
1283 |
1284 |
1285 |
1286 | sysmon_event1
1287 | AppData\\Roaming
1288 | ipconfig|workstation|domain_trusts
1289 | Potential Trickbot Executable running local and domain reconnaissance
1290 | MITRE,execution
1291 |
1292 |
1293 |
1294 | sysmon_event1
1295 | Roaming\\NuiGet|Roaming\\HomeLan|Roaming\\netRest|Roaming\\netcloud|Roaming\\netRest
1296 | Potential Emotet Executable running detection
1297 | MITRE,execution
1298 |
1299 |
1300 |
1301 | sysmon_event3
1302 | Roaming\\NuiGet|Roaming\\HomeLan|Roaming\\netRest|Roaming\\netcloud|Roaming\\netRest
1303 | Potential Emotet Executable running detection
1304 | MITRE,execution
1305 |
1306 |
1307 |
1308 | 255531
1309 | RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
1310 | ATT&CK T1485: Powershell Ransomware technique to delete shadow copies seen in Sodinokibi strains
1311 | MITRE,attack.t1485,ransomware
1312 |
1313 |
1314 |
1315 | sysmon_event1
1316 | WMIC.exe shadowcopy delete
1317 | ATT&CK T1485: WMIC Ransomware technique to delete shadow copies seen in Robinhood strains
1318 | MITRE,attack.t1485,ransomware
1319 |
1320 |
1321 |
1322 | sysmon_event1
1323 | vssadmin delete shadows /all /quiet
1324 | ATT&CK T1485: Ransomware technique to delete shadow copies
1325 | MITRE,attack.t1485,ransomware
1326 |
1327 |
1328 |
1329 | sysmon_event1
1330 | /c Bcdedit.exe /set {default} recoveryenabled no
1331 | ATT&CK T1485: Ransomware technique to delete backups seen in Robinhood strains
1332 | MITRE,attack.t1485,ransomware
1333 |
1334 |
1335 |
1336 | sysmon_event1
1337 | wbadmin delete catalog -quiet
1338 | ATT&CK T1485: Ransomware technique to delete backups seen in Wannacry strains
1339 | MITRE,attack.t1485,ransomware
1340 |
1341 |
1342 |
1343 | sysmon_event1
1344 | icacls . /grant Everyone:F /T /C /Q
1345 | ATT&CK T1486: Ransomware technique to grant all permissions seen in Wannacry strains
1346 | MITRE,attack.t1486,ransomware
1347 |
1348 |
1349 |
1350 | sysmon_event1
1351 | gandcrab.bit|ransomware.bit|carder.bit
1352 | ATT&CK T1486: Ransomware technique to look up ransomware domains seen in Gandcrab strain
1353 | MITRE,attack.t1486,ransomware
1354 |
1355 |
1356 |
1357 | sysmon_event1
1358 | EQNEDT32.EXE
1359 | ATT&CK T1173: Potential use of Microsoft Equation Editor for Exploitation
1360 | MITRE,attack.t1173,
1361 |
1362 |
1363 |
1364 | 255561
1365 | \\powershell.exe
1366 | ATT&CK T1117: Regsvr32 execution spawned from Powershell (Ursnif IOC)
1367 | MITRE,attack.t1117
1368 |
1369 |
1370 |
1371 | 255901
1372 | IwBwAGEAY
1373 | ATT&CK T1059: Powershell Signature Matching Ursnif Malware
1374 | MITRE,attack.t1059
1375 |
1376 |
1377 |
1378 | sysmon_event1
1379 | \\wscript.exe
1380 | ATT&CK T1064: WScript Execution $(win.eventdata.image)
1381 | MITRE,attack.t1064
1382 |
1383 |
1384 |
1385 | 255559
1386 | WINWORD.EXE
1387 | ATT&CK T1064: Word Executing WScript $(win.eventdata.image)
1388 | MITRE,attack.t1064
1389 |
1390 |
1391 |
1392 |
1393 | 255531
1394 | .doc
1395 | Powershell Spawned from Office Doc
1396 | MITRE,attack.t1059,attack.t1202,
1397 |
1398 |
1399 |
1400 | 255531
1401 | .xls
1402 | Powershell Spawned from Excel Doc
1403 | MITRE,attack.t1059,attack.t1202,
1404 |
1405 |
1406 |
1407 | 255524
1408 | WINWORD.EXE
1409 | Command Line process spawned from Microsoft Word Doc
1410 | MITRE,attack.t1059,attack.t1202,
1411 |
1412 |
1413 |
1414 | 255524
1415 | EXCEL.EXE
1416 | Command Line process spawned from Microsoft Excel Doc
1417 | MITRE,attack.t1059,attack.t1202,
1418 |
1419 |
1420 |
1421 | 255524
1422 | POWERPNT.exe
1423 | Command Line process spawned from Microsoft Powerpoint Doc
1424 | MITRE,attack.t1059,attack.t1202,
1425 |
1426 |
1427 |
1428 | 255524
1429 | OUTLOOK.EXE
1430 | Command Line process spawned from Microsoft Outlook
1431 | MITRE,attack.t1059,attack.t1202,
1432 |
1433 |
1434 |
1435 | 255524
1436 | VISIO.exe
1437 | Command Line process spawned from Microsoft Visio Doc
1438 | MITRE,attack.t1059,attack.t1202,
1439 |
1440 |
1441 |
1442 | 255524
1443 | MSPUB.exe
1444 | Command Line process spawned from Microsoft Publisher Doc
1445 | MITRE,attack.t1059,attack.t1202,
1446 |
1447 |
1448 |
1449 | 255531
1450 | POWERPNT.exe
1451 | Powershell Spawned from Powerpoint Doc
1452 | MITRE,attack.t1059,attack.t1202,
1453 |
1454 |
1455 |
1456 | 255531
1457 | OUTLOOK.EXE
1458 | Powershell Spawned from Microsoft Outlook
1459 | MITRE,attack.t1059,attack.t1202
1460 |
1461 |
1462 |
1463 | 255531
1464 | MSPUB.exe
1465 | Powershell Spawned from Microsoft Publisher
1466 | MITRE,attack.t1059,attack.t1202,
1467 |
1468 |
1469 |
1470 | 255531
1471 | VISIO.exe
1472 | Powershell Spawned from Microsoft Visio
1473 | MITRE,attack.t1059,attack.t1202,
1474 |
1475 |
1476 |
1477 | 255524
1478 | start microsoft-edge:http:
1479 | Potential Trickbot behaviour spawning Microsoft Edge via the Commandline
1480 | MITRE,
1481 |
1482 |
1483 |
1484 | sysmon_event1
1485 | whoami.exe
1486 | SYSTEM
1487 | Whoami ran as SYSTEM user, potential user recon after privilege escalation
1488 | MITRE,attack.t1033
1489 |
1490 |
1491 |
1492 | sysmon_event1
1493 | CollectionMethod All
1494 | Bloodhound Active Directory enumeration tool executed
1495 | MITRE,attack.t1087
1496 |
1497 |
1498 |
1499 | sysmon_event1
1500 | rar.exe
1501 | Rar file archive action detected, potential data being staged for exfiltration
1502 | MITRE,attack.t1002,attack.t1074
1503 |
1504 |
1505 |
1506 | sysmon_event1
1507 | net.webclient
1508 | downloadstring|downloadfile
1509 | Potential PowerShell download anomaly; investigate for possible malware
1510 | MITRE,attack.t1086
1511 |
1512 |
1513 |
1514 | sysmon_event7
1515 | Revoked
1516 | T1073 Potential DLL Side Loading by Executable with Revoked Certificate: Image loaded by $(win.eventdata.image)
1517 | MITRE,attack.t1073
1518 |
1519 |
1520 |
1521 | sysmon_event7
1522 | false
1523 | T1073 Potential DLL Side Loading by Unsigned Executable: Image loaded by $(win.eventdata.image)
1524 | MITRE,attack.t1073
1525 |
1526 |
1527 |
1528 | sysmon_event_11
1529 | WINWORD.EXE
1530 | \\.exe
1531 | WORD document wrote executable file: $(win.eventdata.targetFilename)
1532 | MITRE,
1533 |
1534 |
1535 |
1536 | 255531
1537 | cmstp.exe
1538 | .inf
1539 | CMSTP Executing Remote Scriptlet - T1191
1540 | MITRE,attack.t1089,Execution,sysmon
1541 |
1542 |
1543 |
1544 | 255531
1545 | cmstp.exe
1546 | .inf
1547 | /au
1548 | CMSTP Executing UAC Bypass - T1191
1549 | MITRE,attack.t1089,Execution,sysmon
1550 |
1551 |
1552 |
1553 | 255531
1554 | hh.exe
1555 | .chm
1556 | http|https
1557 | Compiled HTML Help Remote Payload - T1223
1558 | MITRE,attack.t1223,Execution,sysmon
1559 |
1560 |
1561 |
1562 | 255531
1563 | control.exe
1564 | .cpl
1565 | Control Panel Item Local Payload - T1196
1566 | MITRE,attack.t1196,Execution,sysmon
1567 |
1568 |
1569 |
1570 | 255561
1571 | appdata
1572 | .txt
1573 | Ursnif DLL loading via Regsvr32 T1218
1574 | MITRE,attack.t1218,Execution,sysmon
1575 |
1576 |
1577 |
1578 | 255551
1579 | regread
1580 | WScript.Shell
1581 | Ursnif loading from Registry via MSHTA exec, T1170
1582 | MITRE,attack.t1170,Execution,sysmon
1583 |
1584 |
1585 |
1586 | 255531
1587 | SQB
1588 | Encoded Powershell IEX, T1086
1589 | MITRE,attack.t1086,Execution,sysmon
1590 |
1591 |
1592 |
1593 | sysmon_event3
1594 | psexec
1595 | potential lateral movement using psexec
1596 | MITRE,attack.t1570,sysmon
1597 |
1598 |
1599 |
1600 | 255524
1601 | 127.0.0.1\\
1602 | ADMIN\$|C\$|IPC\$
1603 | ATT&CK T1021.002: Execute command writing output to local Admin Share
1604 | MITRE,attack.t1021.002,sysmon
1605 |
1606 |
1607 |
1608 | sysmon_event1
1609 | w3wp.exe
1610 | cmd.exe
1611 | ATT&CK T1505.003: Potential webshell interaction
1612 | MITRE,attack.t1505.003,sysmon
1613 |
1614 |
1615 |
1616 |
1617 |
1618 | sysmon_event3
1619 | etc/lists/emotet-list
1620 | IP connection to Emotet Command and Control
1621 | emotet,
1622 |
1623 |
1624 |
1625 | sysmon_event3
1626 | C:\\Windows\\System32\\wermgr.exe
1627 | 449
1628 | Wermgr connection on port 449, suspected Trickbot injected process C2 activity
1629 | trickbot,
1630 |
1631 |
1632 |
1633 | sysmon_event3
1634 | C:\\Windows\\System32\\svchost.exe
1635 | 449
1636 | Svchost connection on port 449, suspected Trickbot injected process C2 activity
1637 | trickbot,
1638 |
1639 |
1640 |
1641 |
1642 |
1643 |
1644 |
1645 | 60000
1646 | ^Microsoft-Windows-TerminalServices-LocalSessionManager/Operational$
1647 | no_full_log
1648 | Group of Windows rules for the System channel
1649 |
1650 |
1651 | 60000
1652 | ^Microsoft-Windows-SMBServer/Operational$
1653 | no_full_log
1654 | Group of Windows rules for the System channel
1655 |
1656 |
1657 | 60000
1658 | ^Microsoft-Windows-SMBServer/Connectivity$
1659 | no_full_log
1660 | Group of Windows rules for the System channel
1661 |
1662 |
1663 | 60000
1664 | ^Microsoft-Windows-SMBClient/Operational$
1665 | no_full_log
1666 | Group of Windows rules for the System channel
1667 |
1668 |
1669 | 60000
1670 | ^Microsoft-Windows-SmbClient/Connectivity$
1671 | no_full_log
1672 | Group of Windows rules for the System channel
1673 |
1674 |
1675 | 60000
1676 | ^Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational$
1677 | no_full_log
1678 | Group of Windows rules for the System channel
1679 |
1680 |
1681 |
1682 |
1683 |
1684 | sysmon_event_11
1685 | ^4$
1686 | ATT&CK T1570: Executable transferred potentially by Psexec tool, potential lateral movement
1687 | MITRE,attack.t1570
1688 |
1689 |
1690 |
1691 | 256200
1692 | .exe
1693 | ATT&CK T1570: Executable transferred potentially by Psexec tool, potential lateral movement
1694 | MITRE,attack.t1570
1695 |
1696 |
1697 |
1698 | 255700
1699 | %COMSPEC%
1700 | ATT&CK T1543.003: %COMSPEC% Variable in Registry Service, potential lateral movement or persistence mechanism
1701 | MITRE,attack.t1543.003
1702 |
1703 |
1704 |
1705 | 60106
1706 | 10|12
1707 | ATT&CK T1021/T1133: Successful RDP Logon from $(win.eventdata.ipAddress)
1708 | MITRE,attack.t1021,attack.t1133
1709 |
1710 |
1711 |
1712 | sysmon_event_11
1713 | Network Shortcuts
1714 | c\$
1715 | ATT&CK T1021.002: Remote System C$ drive mounted
1716 | MITRE,attack.t1021.002
1717 |
1718 |
1719 |
1720 | 60106
1721 | 9
1722 | seclogo
1723 | ATT&CK T1550.002: Potential Pass the Hash Attack
1724 | MITRE,attack.t1550.002
1725 |
1726 |
1727 |
1728 | sysmon_event_17
1729 | msagent_
1730 | ATT&CK T1071: Cobalt Strike Named Pipe SMB Beacon usage
1731 | MITRE,attack.t1071
1732 |
1733 |
1734 |
1735 |
1736 |
1737 |
1738 |
1739 |
1740 | sysmon
1741 | Rclone
1742 | T1567.002 Rclone potential data exfiltration
1743 |
1744 |
1745 |
1746 | sysmon-modular
1747 | Rclone
1748 | T1567.002 Rclone potential data exfiltration
1749 |
1750 |
1751 |
1752 |
--------------------------------------------------------------------------------
/mapping/OSSEC-SYSMON_Coverage.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "OSSEC-SYSMON Coverage",
3 | "version": "2.2",
4 | "domain": "mitre-enterprise",
5 | "description": "",
6 | "filters": {
7 | "stages": [
8 | "act"
9 | ],
10 | "platforms": [
11 | "Windows",
12 | "Linux",
13 | "macOS"
14 | ]
15 | },
16 | "sorting": 0,
17 | "viewMode": 0,
18 | "hideDisabled": false,
19 | "techniques": [
20 | {
21 | "techniqueID": "T1134",
22 | "tactic": "defense-evasion",
23 | "color": "#c6dbef",
24 | "comment": "",
25 | "enabled": true,
26 | "metadata": []
27 | },
28 | {
29 | "techniqueID": "T1134",
30 | "tactic": "privilege-escalation",
31 | "color": "#c6dbef",
32 | "comment": "",
33 | "enabled": true,
34 | "metadata": []
35 | },
36 | {
37 | "techniqueID": "T1015",
38 | "tactic": "persistence",
39 | "color": "#c6dbef",
40 | "comment": "",
41 | "enabled": true,
42 | "metadata": []
43 | },
44 | {
45 | "techniqueID": "T1015",
46 | "tactic": "privilege-escalation",
47 | "color": "#c6dbef",
48 | "comment": "",
49 | "enabled": true,
50 | "metadata": []
51 | },
52 | {
53 | "techniqueID": "T1098",
54 | "tactic": "credential-access",
55 | "color": "#c6dbef",
56 | "comment": "",
57 | "enabled": true,
58 | "metadata": []
59 | },
60 | {
61 | "techniqueID": "T1098",
62 | "tactic": "persistence",
63 | "color": "#c6dbef",
64 | "comment": "",
65 | "enabled": true,
66 | "metadata": []
67 | },
68 | {
69 | "techniqueID": "T1182",
70 | "tactic": "persistence",
71 | "color": "#c6dbef",
72 | "comment": "",
73 | "enabled": true,
74 | "metadata": []
75 | },
76 | {
77 | "techniqueID": "T1182",
78 | "tactic": "privilege-escalation",
79 | "color": "#c6dbef",
80 | "comment": "",
81 | "enabled": true,
82 | "metadata": []
83 | },
84 | {
85 | "techniqueID": "T1103",
86 | "tactic": "persistence",
87 | "color": "#c6dbef",
88 | "comment": "",
89 | "enabled": true,
90 | "metadata": []
91 | },
92 | {
93 | "techniqueID": "T1103",
94 | "tactic": "privilege-escalation",
95 | "color": "#c6dbef",
96 | "comment": "",
97 | "enabled": true,
98 | "metadata": []
99 | },
100 | {
101 | "techniqueID": "T1138",
102 | "tactic": "persistence",
103 | "color": "#c6dbef",
104 | "comment": "",
105 | "enabled": true,
106 | "metadata": []
107 | },
108 | {
109 | "techniqueID": "T1138",
110 | "tactic": "privilege-escalation",
111 | "color": "#c6dbef",
112 | "comment": "",
113 | "enabled": true,
114 | "metadata": []
115 | },
116 | {
117 | "techniqueID": "T1131",
118 | "tactic": "persistence",
119 | "color": "#c6dbef",
120 | "comment": "",
121 | "enabled": true,
122 | "metadata": []
123 | },
124 | {
125 | "techniqueID": "T1197",
126 | "tactic": "defense-evasion",
127 | "color": "#c6dbef",
128 | "comment": "",
129 | "enabled": true,
130 | "metadata": []
131 | },
132 | {
133 | "techniqueID": "T1197",
134 | "tactic": "persistence",
135 | "color": "#c6dbef",
136 | "comment": "",
137 | "enabled": true,
138 | "metadata": []
139 | },
140 | {
141 | "techniqueID": "T1088",
142 | "tactic": "defense-evasion",
143 | "color": "#c6dbef",
144 | "comment": "",
145 | "enabled": true,
146 | "metadata": []
147 | },
148 | {
149 | "techniqueID": "T1088",
150 | "tactic": "privilege-escalation",
151 | "color": "#c6dbef",
152 | "comment": "",
153 | "enabled": true,
154 | "metadata": []
155 | },
156 | {
157 | "techniqueID": "T1191",
158 | "tactic": "defense-evasion",
159 | "color": "#c6dbef",
160 | "comment": "",
161 | "enabled": true,
162 | "metadata": []
163 | },
164 | {
165 | "techniqueID": "T1191",
166 | "tactic": "execution",
167 | "color": "#c6dbef",
168 | "comment": "",
169 | "enabled": true,
170 | "metadata": []
171 | },
172 | {
173 | "techniqueID": "T1042",
174 | "tactic": "persistence",
175 | "color": "#c6dbef",
176 | "comment": "",
177 | "enabled": true,
178 | "metadata": []
179 | },
180 | {
181 | "techniqueID": "T1059",
182 | "tactic": "execution",
183 | "color": "#3182bd",
184 | "comment": "",
185 | "enabled": true,
186 | "metadata": []
187 | },
188 | {
189 | "techniqueID": "T1043",
190 | "tactic": "command-and-control",
191 | "color": "#c6dbef",
192 | "comment": "",
193 | "enabled": true,
194 | "metadata": []
195 | },
196 | {
197 | "techniqueID": "T1122",
198 | "tactic": "defense-evasion",
199 | "color": "#c6dbef",
200 | "comment": "",
201 | "enabled": true,
202 | "metadata": []
203 | },
204 | {
205 | "techniqueID": "T1122",
206 | "tactic": "persistence",
207 | "color": "#c6dbef",
208 | "comment": "",
209 | "enabled": true,
210 | "metadata": []
211 | },
212 | {
213 | "techniqueID": "T1196",
214 | "tactic": "defense-evasion",
215 | "color": "#c6dbef",
216 | "comment": "",
217 | "enabled": true,
218 | "metadata": []
219 | },
220 | {
221 | "techniqueID": "T1196",
222 | "tactic": "execution",
223 | "color": "#c6dbef",
224 | "comment": "",
225 | "enabled": true,
226 | "metadata": []
227 | },
228 | {
229 | "techniqueID": "T1003",
230 | "tactic": "credential-access",
231 | "color": "#6baed6",
232 | "comment": "",
233 | "enabled": true,
234 | "metadata": []
235 | },
236 | {
237 | "techniqueID": "T1081",
238 | "tactic": "credential-access",
239 | "color": "#c6dbef",
240 | "comment": "",
241 | "enabled": true,
242 | "metadata": []
243 | },
244 | {
245 | "techniqueID": "T1485",
246 | "tactic": "impact",
247 | "color": "#6baed6",
248 | "comment": "",
249 | "enabled": true,
250 | "metadata": []
251 | },
252 | {
253 | "techniqueID": "T1486",
254 | "tactic": "impact",
255 | "color": "#6baed6",
256 | "comment": "",
257 | "enabled": true,
258 | "metadata": []
259 | },
260 | {
261 | "techniqueID": "T1005",
262 | "tactic": "collection",
263 | "color": "#c6dbef",
264 | "comment": "",
265 | "enabled": true,
266 | "metadata": []
267 | },
268 | {
269 | "techniqueID": "T1089",
270 | "tactic": "defense-evasion",
271 | "color": "#6baed6",
272 | "comment": "",
273 | "enabled": true,
274 | "metadata": []
275 | },
276 | {
277 | "techniqueID": "T1173",
278 | "tactic": "execution",
279 | "color": "#c6dbef",
280 | "comment": "",
281 | "enabled": true,
282 | "metadata": []
283 | },
284 | {
285 | "techniqueID": "T1083",
286 | "tactic": "discovery",
287 | "color": "#c6dbef",
288 | "comment": "",
289 | "enabled": true,
290 | "metadata": []
291 | },
292 | {
293 | "techniqueID": "T1187",
294 | "tactic": "credential-access",
295 | "color": "#c6dbef",
296 | "comment": "",
297 | "enabled": true,
298 | "metadata": []
299 | },
300 | {
301 | "techniqueID": "T1158",
302 | "tactic": "defense-evasion",
303 | "color": "#c6dbef",
304 | "comment": "",
305 | "enabled": true,
306 | "metadata": []
307 | },
308 | {
309 | "techniqueID": "T1158",
310 | "tactic": "persistence",
311 | "color": "#c6dbef",
312 | "comment": "",
313 | "enabled": true,
314 | "metadata": []
315 | },
316 | {
317 | "techniqueID": "T1183",
318 | "tactic": "privilege-escalation",
319 | "color": "#c6dbef",
320 | "comment": "",
321 | "enabled": true,
322 | "metadata": []
323 | },
324 | {
325 | "techniqueID": "T1183",
326 | "tactic": "persistence",
327 | "color": "#c6dbef",
328 | "comment": "",
329 | "enabled": true,
330 | "metadata": []
331 | },
332 | {
333 | "techniqueID": "T1183",
334 | "tactic": "defense-evasion",
335 | "color": "#c6dbef",
336 | "comment": "",
337 | "enabled": true,
338 | "metadata": []
339 | },
340 | {
341 | "techniqueID": "T1054",
342 | "tactic": "defense-evasion",
343 | "color": "#c6dbef",
344 | "comment": "",
345 | "enabled": true,
346 | "metadata": []
347 | },
348 | {
349 | "techniqueID": "T1070",
350 | "tactic": "defense-evasion",
351 | "color": "#c6dbef",
352 | "comment": "",
353 | "enabled": true,
354 | "metadata": []
355 | },
356 | {
357 | "techniqueID": "T1202",
358 | "tactic": "defense-evasion",
359 | "color": "#c6dbef",
360 | "comment": "",
361 | "enabled": true,
362 | "metadata": []
363 | },
364 | {
365 | "techniqueID": "T1130",
366 | "tactic": "defense-evasion",
367 | "color": "#c6dbef",
368 | "comment": "",
369 | "enabled": true,
370 | "metadata": []
371 | },
372 | {
373 | "techniqueID": "T1118",
374 | "tactic": "defense-evasion",
375 | "color": "#c6dbef",
376 | "comment": "",
377 | "enabled": true,
378 | "metadata": []
379 | },
380 | {
381 | "techniqueID": "T1118",
382 | "tactic": "execution",
383 | "color": "#c6dbef",
384 | "comment": "",
385 | "enabled": true,
386 | "metadata": []
387 | },
388 | {
389 | "techniqueID": "T1037",
390 | "tactic": "lateral-movement",
391 | "color": "#c6dbef",
392 | "comment": "",
393 | "enabled": true,
394 | "metadata": []
395 | },
396 | {
397 | "techniqueID": "T1037",
398 | "tactic": "persistence",
399 | "color": "#c6dbef",
400 | "comment": "",
401 | "enabled": true,
402 | "metadata": []
403 | },
404 | {
405 | "techniqueID": "T1036",
406 | "tactic": "defense-evasion",
407 | "color": "#9ecae1",
408 | "comment": "",
409 | "enabled": true,
410 | "metadata": []
411 | },
412 | {
413 | "techniqueID": "T1031",
414 | "tactic": "persistence",
415 | "color": "#c6dbef",
416 | "comment": "",
417 | "enabled": true,
418 | "metadata": []
419 | },
420 | {
421 | "techniqueID": "T1112",
422 | "tactic": "defense-evasion",
423 | "color": "#c6dbef",
424 | "comment": "",
425 | "enabled": true,
426 | "metadata": []
427 | },
428 | {
429 | "techniqueID": "T1170",
430 | "tactic": "defense-evasion",
431 | "color": "#6baed6",
432 | "comment": "",
433 | "enabled": true,
434 | "metadata": []
435 | },
436 | {
437 | "techniqueID": "T1170",
438 | "tactic": "execution",
439 | "color": "#6baed6",
440 | "comment": "",
441 | "enabled": true,
442 | "metadata": []
443 | },
444 | {
445 | "techniqueID": "T1128",
446 | "tactic": "persistence",
447 | "color": "#c6dbef",
448 | "comment": "",
449 | "enabled": true,
450 | "metadata": []
451 | },
452 | {
453 | "techniqueID": "T1027",
454 | "tactic": "defense-evasion",
455 | "color": "#c6dbef",
456 | "comment": "",
457 | "enabled": true,
458 | "metadata": []
459 | },
460 | {
461 | "techniqueID": "T1075",
462 | "tactic": "lateral-movement",
463 | "color": "#9ecae1",
464 | "comment": "",
465 | "enabled": true,
466 | "metadata": []
467 | },
468 | {
469 | "techniqueID": "T1069",
470 | "tactic": "discovery",
471 | "color": "#c6dbef",
472 | "comment": "",
473 | "enabled": true,
474 | "metadata": []
475 | },
476 | {
477 | "techniqueID": "T1013",
478 | "tactic": "persistence",
479 | "color": "#c6dbef",
480 | "comment": "",
481 | "enabled": true,
482 | "metadata": []
483 | },
484 | {
485 | "techniqueID": "T1013",
486 | "tactic": "privilege-escalation",
487 | "color": "#c6dbef",
488 | "comment": "",
489 | "enabled": true,
490 | "metadata": []
491 | },
492 | {
493 | "techniqueID": "T1086",
494 | "tactic": "execution",
495 | "color": "#9ecae1",
496 | "comment": "",
497 | "enabled": true,
498 | "metadata": []
499 | },
500 | {
501 | "techniqueID": "T1057",
502 | "tactic": "discovery",
503 | "color": "#c6dbef",
504 | "comment": "",
505 | "enabled": true,
506 | "metadata": []
507 | },
508 | {
509 | "techniqueID": "T1055",
510 | "tactic": "defense-evasion",
511 | "color": "#9ecae1",
512 | "comment": "",
513 | "enabled": true,
514 | "metadata": []
515 | },
516 | {
517 | "techniqueID": "T1055",
518 | "tactic": "privilege-escalation",
519 | "color": "#9ecae1",
520 | "comment": "",
521 | "enabled": true,
522 | "metadata": []
523 | },
524 | {
525 | "techniqueID": "T1012",
526 | "tactic": "discovery",
527 | "color": "#c6dbef",
528 | "comment": "",
529 | "enabled": true,
530 | "metadata": []
531 | },
532 | {
533 | "techniqueID": "T1060",
534 | "tactic": "persistence",
535 | "color": "#9ecae1",
536 | "comment": "",
537 | "enabled": true,
538 | "metadata": []
539 | },
540 | {
541 | "techniqueID": "T1121",
542 | "tactic": "defense-evasion",
543 | "color": "#c6dbef",
544 | "comment": "",
545 | "enabled": true,
546 | "metadata": []
547 | },
548 | {
549 | "techniqueID": "T1121",
550 | "tactic": "execution",
551 | "color": "#c6dbef",
552 | "comment": "",
553 | "enabled": true,
554 | "metadata": []
555 | },
556 | {
557 | "techniqueID": "T1117",
558 | "tactic": "defense-evasion",
559 | "color": "#6baed6",
560 | "comment": "",
561 | "enabled": true,
562 | "metadata": []
563 | },
564 | {
565 | "techniqueID": "T1117",
566 | "tactic": "execution",
567 | "color": "#6baed6",
568 | "comment": "",
569 | "enabled": true,
570 | "metadata": []
571 | },
572 | {
573 | "techniqueID": "T1105",
574 | "tactic": "command-and-control",
575 | "color": "#c6dbef",
576 | "comment": "",
577 | "enabled": true,
578 | "metadata": []
579 | },
580 | {
581 | "techniqueID": "T1105",
582 | "tactic": "lateral-movement",
583 | "color": "#c6dbef",
584 | "comment": "",
585 | "enabled": true,
586 | "metadata": []
587 | },
588 | {
589 | "techniqueID": "T1021",
590 | "tactic": "lateral-movement",
591 | "color": "#c6dbef",
592 | "comment": "",
593 | "enabled": true,
594 | "metadata": []
595 | },
596 | {
597 | "techniqueID": "T1018",
598 | "tactic": "discovery",
599 | "color": "#c6dbef",
600 | "comment": "",
601 | "enabled": true,
602 | "metadata": []
603 | },
604 | {
605 | "techniqueID": "T1085",
606 | "tactic": "defense-evasion",
607 | "color": "#c6dbef",
608 | "comment": "",
609 | "enabled": true,
610 | "metadata": []
611 | },
612 | {
613 | "techniqueID": "T1085",
614 | "tactic": "execution",
615 | "color": "#c6dbef",
616 | "comment": "",
617 | "enabled": true,
618 | "metadata": []
619 | },
620 | {
621 | "techniqueID": "T1198",
622 | "tactic": "defense-evasion",
623 | "color": "#c6dbef",
624 | "comment": "",
625 | "enabled": true,
626 | "metadata": []
627 | },
628 | {
629 | "techniqueID": "T1198",
630 | "tactic": "persistence",
631 | "color": "#c6dbef",
632 | "comment": "",
633 | "enabled": true,
634 | "metadata": []
635 | },
636 | {
637 | "techniqueID": "T1053",
638 | "tactic": "execution",
639 | "color": "#c6dbef",
640 | "comment": "",
641 | "enabled": true,
642 | "metadata": []
643 | },
644 | {
645 | "techniqueID": "T1053",
646 | "tactic": "persistence",
647 | "color": "#c6dbef",
648 | "comment": "",
649 | "enabled": true,
650 | "metadata": []
651 | },
652 | {
653 | "techniqueID": "T1053",
654 | "tactic": "privilege-escalation",
655 | "color": "#c6dbef",
656 | "comment": "",
657 | "enabled": true,
658 | "metadata": []
659 | },
660 | {
661 | "techniqueID": "T1064",
662 | "tactic": "defense-evasion",
663 | "color": "#9ecae1",
664 | "comment": "",
665 | "enabled": true,
666 | "metadata": []
667 | },
668 | {
669 | "techniqueID": "T1064",
670 | "tactic": "execution",
671 | "color": "#9ecae1",
672 | "comment": "",
673 | "enabled": true,
674 | "metadata": []
675 | },
676 | {
677 | "techniqueID": "T1063",
678 | "tactic": "discovery",
679 | "color": "#c6dbef",
680 | "comment": "",
681 | "enabled": true,
682 | "metadata": []
683 | },
684 | {
685 | "techniqueID": "T1101",
686 | "tactic": "persistence",
687 | "color": "#c6dbef",
688 | "comment": "",
689 | "enabled": true,
690 | "metadata": []
691 | },
692 | {
693 | "techniqueID": "T1035",
694 | "tactic": "execution",
695 | "color": "#6baed6",
696 | "comment": "",
697 | "enabled": true,
698 | "metadata": []
699 | },
700 | {
701 | "techniqueID": "T1058",
702 | "tactic": "persistence",
703 | "color": "#9ecae1",
704 | "comment": "",
705 | "enabled": true,
706 | "metadata": []
707 | },
708 | {
709 | "techniqueID": "T1058",
710 | "tactic": "privilege-escalation",
711 | "color": "#9ecae1",
712 | "comment": "",
713 | "enabled": true,
714 | "metadata": []
715 | },
716 | {
717 | "techniqueID": "T1218",
718 | "tactic": "defense-evasion",
719 | "color": "#6baed6",
720 | "comment": "",
721 | "enabled": true,
722 | "metadata": []
723 | },
724 | {
725 | "techniqueID": "T1218",
726 | "tactic": "execution",
727 | "color": "#6baed6",
728 | "comment": "",
729 | "enabled": true,
730 | "metadata": []
731 | },
732 | {
733 | "techniqueID": "T1216",
734 | "tactic": "defense-evasion",
735 | "color": "#c6dbef",
736 | "comment": "",
737 | "enabled": true,
738 | "metadata": []
739 | },
740 | {
741 | "techniqueID": "T1216",
742 | "tactic": "execution",
743 | "color": "#c6dbef",
744 | "comment": "",
745 | "enabled": true,
746 | "metadata": []
747 | },
748 | {
749 | "techniqueID": "T1016",
750 | "tactic": "discovery",
751 | "color": "#9ecae1",
752 | "comment": "",
753 | "enabled": true,
754 | "metadata": []
755 | },
756 | {
757 | "techniqueID": "T1049",
758 | "tactic": "discovery",
759 | "color": "#c6dbef",
760 | "comment": "",
761 | "enabled": true,
762 | "metadata": []
763 | },
764 | {
765 | "techniqueID": "T1033",
766 | "tactic": "discovery",
767 | "color": "#c6dbef",
768 | "comment": "",
769 | "enabled": true,
770 | "metadata": []
771 | },
772 | {
773 | "techniqueID": "T1007",
774 | "tactic": "discovery",
775 | "color": "#c6dbef",
776 | "comment": "",
777 | "enabled": true,
778 | "metadata": []
779 | },
780 | {
781 | "techniqueID": "T1209",
782 | "tactic": "persistence",
783 | "color": "#c6dbef",
784 | "comment": "",
785 | "enabled": true,
786 | "metadata": []
787 | },
788 | {
789 | "techniqueID": "T1099",
790 | "tactic": "defense-evasion",
791 | "color": "#c6dbef",
792 | "comment": "",
793 | "enabled": true,
794 | "metadata": []
795 | },
796 | {
797 | "techniqueID": "T1127",
798 | "tactic": "defense-evasion",
799 | "color": "#c6dbef",
800 | "comment": "",
801 | "enabled": true,
802 | "metadata": []
803 | },
804 | {
805 | "techniqueID": "T1127",
806 | "tactic": "execution",
807 | "color": "#c6dbef",
808 | "comment": "",
809 | "enabled": true,
810 | "metadata": []
811 | },
812 | {
813 | "techniqueID": "T1047",
814 | "tactic": "execution",
815 | "color": "#3182bd",
816 | "comment": "",
817 | "enabled": true,
818 | "metadata": []
819 | },
820 | {
821 | "techniqueID": "T1084",
822 | "tactic": "persistence",
823 | "color": "#c6dbef",
824 | "comment": "",
825 | "enabled": true,
826 | "metadata": []
827 | },
828 | {
829 | "techniqueID": "T1028",
830 | "tactic": "execution",
831 | "color": "#9ecae1",
832 | "comment": "",
833 | "enabled": true,
834 | "metadata": []
835 | },
836 | {
837 | "techniqueID": "T1028",
838 | "tactic": "lateral-movement",
839 | "color": "#9ecae1",
840 | "comment": "",
841 | "enabled": true,
842 | "metadata": []
843 | },
844 | {
845 | "techniqueID": "T1004",
846 | "tactic": "persistence",
847 | "color": "#c6dbef",
848 | "comment": "",
849 | "enabled": true,
850 | "metadata": []
851 | }
852 | ],
853 | "gradient": {
854 | "colors": [
855 | "#ff6666",
856 | "#ffe766",
857 | "#8ec843"
858 | ],
859 | "minValue": 0,
860 | "maxValue": 100
861 | },
862 | "legendItems": [],
863 | "metadata": [],
864 | "showTacticRowBackground": false,
865 | "tacticRowBackground": "#dddddd",
866 | "selectTechniquesAcrossTactics": true
867 | }
--------------------------------------------------------------------------------
/mapping/layer.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "layer",
3 | "version": "2.1",
4 | "domain": "mitre-enterprise",
5 | "description": "",
6 | "filters": {
7 | "stages": [
8 | "act"
9 | ],
10 | "platforms": [
11 | "windows",
12 | "linux",
13 | "mac"
14 | ]
15 | },
16 | "sorting": 0,
17 | "viewMode": 0,
18 | "hideDisabled": false,
19 | "techniques": [
20 | {
21 | "techniqueID": "T1087",
22 | "tactic": "discovery",
23 | "color": "#74c476",
24 | "comment": "",
25 | "enabled": true,
26 | "metadata": []
27 | },
28 | {
29 | "techniqueID": "T1059",
30 | "tactic": "execution",
31 | "color": "#74c476",
32 | "comment": "",
33 | "enabled": true,
34 | "metadata": []
35 | },
36 | {
37 | "techniqueID": "T1081",
38 | "tactic": "credential-access",
39 | "color": "#74c476",
40 | "comment": "",
41 | "enabled": true,
42 | "metadata": []
43 | },
44 | {
45 | "techniqueID": "T1089",
46 | "tactic": "defense-evasion",
47 | "color": "#74c476",
48 | "comment": "",
49 | "enabled": true,
50 | "metadata": []
51 | },
52 | {
53 | "techniqueID": "T1202",
54 | "tactic": "defense-evasion",
55 | "color": "#74c476",
56 | "comment": "",
57 | "enabled": true,
58 | "metadata": []
59 | },
60 | {
61 | "techniqueID": "T1170",
62 | "tactic": "defense-evasion",
63 | "color": "#74c476",
64 | "comment": "",
65 | "enabled": true,
66 | "metadata": []
67 | },
68 | {
69 | "techniqueID": "T1170",
70 | "tactic": "execution",
71 | "color": "#74c476",
72 | "comment": "",
73 | "enabled": true,
74 | "metadata": []
75 | },
76 | {
77 | "techniqueID": "T1050",
78 | "tactic": "persistence",
79 | "color": "#74c476",
80 | "comment": "",
81 | "enabled": true,
82 | "metadata": []
83 | },
84 | {
85 | "techniqueID": "T1050",
86 | "tactic": "privilege-escalation",
87 | "color": "#74c476",
88 | "comment": "",
89 | "enabled": true,
90 | "metadata": []
91 | },
92 | {
93 | "techniqueID": "T1086",
94 | "tactic": "execution",
95 | "color": "#74c476",
96 | "comment": "",
97 | "enabled": true,
98 | "metadata": []
99 | },
100 | {
101 | "techniqueID": "T1033",
102 | "tactic": "discovery",
103 | "color": "#74c476",
104 | "comment": "",
105 | "enabled": true,
106 | "metadata": []
107 | },
108 | {
109 | "techniqueID": "T1047",
110 | "tactic": "execution",
111 | "color": "#74c476",
112 | "comment": "",
113 | "enabled": true,
114 | "metadata": []
115 | }
116 | ],
117 | "gradient": {
118 | "colors": [
119 | "#ff6666",
120 | "#ffe766",
121 | "#8ec843"
122 | ],
123 | "minValue": 0,
124 | "maxValue": 100
125 | },
126 | "legendItems": [],
127 | "metadata": [],
128 | "showTacticRowBackground": false,
129 | "tacticRowBackground": "#dddddd",
130 | "selectTechniquesAcrossTactics": true
131 | }
--------------------------------------------------------------------------------
/osquery.conf:
--------------------------------------------------------------------------------
1 | {
2 | "options": {
3 | "config_plugin": "filesystem",
4 | "logger_plugin": "filesystem",
5 | "utc": "true"
6 | },
7 |
8 | "schedule": {
9 | "system_info": {
10 | "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
11 | "interval": 3600
12 | },
13 | "high_load_average": {
14 | "query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';",
15 | "interval": 900,
16 | "description": "Report if the load average is over 70 percent."
17 | },
18 | "low_free_memory": {
19 | "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;",
20 | "interval": 1800,
21 | "description": "Free RAM is under 10%."
22 | },
23 | "crontab": {
24 | "query": "SELECT * FROM crontab;",
25 | "interval": 900
26 | },
27 | "running": {
28 | "query": "SELECT * FROM processes;",
29 | "interval": 300
30 | },
31 | "users": {
32 | "query": "SELECT * FROM users;",
33 | "interval": 86400
34 | },
35 | "behavioral_reverse_shell": {
36 | "query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';",
37 | "interval": 600,
38 | "description": "Find shell processes that have open sockets"
39 | },
40 | "shell_history": {
41 | "query": "SELECT * FROM users CROSS JOIN shell_history USING (uid);",
42 | "interval": 60,
43 | "description": "Record shell history for all users on system (instead of just root)"
44 | }
45 |
46 | },
47 |
48 |
49 | "packs": {
50 | "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
51 | "incident-response": "/usr/share/osquery/packs/incident-response.conf",
52 | "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
53 | "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
54 | "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
55 | "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf"
56 | }
57 | }
58 |
--------------------------------------------------------------------------------
/response-scripts/dfir.ps1:
--------------------------------------------------------------------------------
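#######
#Script to collect important logs and forensic triage information from a compromised system
#
#Runs on the affected host (e.g. as an OSSEC/Wazuh active-response action). Every artefact is
#written under the agent log directory, bundled into one zip and uploaded to Dropbox. Nothing
#on the host is cleared unless the commented-out section at the end is enabled.
#
#Set paths and log variables
$location="C:\Program Files (x86)\ossec-agent\logs\"
#One timestamp for the whole run. Evaluating get-date once per variable meant a minute rollover
#between lines produced mismatched names (the zip written by Compress-Archive was then not the
#file handed to the upload). 'HH' is the 24-hour clock; 'hh' gave 01:00 and 13:00 the same name.
$stamp=get-date -f yyyy-MM-dd-HH-mm
$trace01=Join-Path $location "trace001$stamp.etl"
$pcap01=Join-Path $location "trace$stamp.cap"
$log01=Join-Path $location "summary$stamp.log"
$log02=Join-Path $location "sysmon$stamp.evtx"
$log03=Join-Path $location "defender$stamp.evtx"
#Start time and host name are recorded in the summary; previously these held the literal
#strings "get-date" and "hostname" instead of the command output
$startdate=get-date
$comp=hostname
#Make sure the collection directory exists before anything is redirected into it
if (-not (Test-Path -LiteralPath $location)) {
    New-Item -ItemType Directory -Path $location -Force | Out-Null
}

#####
#gather basic data on the system
"Collection started $startdate on $comp" > $log01
quser.exe >> $log01
gdr -PSProvider 'Filesystem' >> $log01
ps >> $log01

#####
#Collect 5 minutes of network activity (will be in microsoft event trace format, use the microsoft message analyzer to read)
#Or use the commented out section below to move to pcap
#netsh trace start persistent=yes capture=yes traceFile=$trace01
#change sleep if you want to gather data for a longer or shorter time frame
#sleep 300

#netsh trace stop

#need microsoft message analyzer for this
#$s = New-PefTraceSession -Path $pcap01 -SaveOnStop
#$s | Add-PefMessageProvider -Provider $trace01
#$s | Start-PefTraceSession

#####
#Dump pertinent logs
wevtutil.exe epl Microsoft-Windows-Sysmon/Operational $log02
wevtutil.exe epl "Microsoft-Windows-Windows Defender/Operational" $log03

####
#Zip up our collected data
$zipName="$env:USERNAME-$stamp.zip"
$SourceFilePath=Join-Path $location $zipName
$TargetFilePath="/$zipName"
#Only archive what was actually produced: a failed wevtutil export would otherwise make
#Compress-Archive abort and lose the summary as well
$artifacts=@($log01, $log02, $log03) | Where-Object { Test-Path -LiteralPath $_ }
Compress-Archive -Path $artifacts -CompressionLevel Optimal -DestinationPath $SourceFilePath

#####
#Upload the archive. The bearer token is read from the environment instead of being embedded:
#an active-response script is readable by local users on every host it is deployed to, so a
#token in the file would be exposed there. DFIR_DROPBOX_TOKEN is a name chosen by this script
#(set it in the agent service environment); when unset it falls back to the original placeholder.
$token = if ($env:DFIR_DROPBOX_TOKEN) { $env:DFIR_DROPBOX_TOKEN } else { "enter_token" }
#Build the API argument with ConvertTo-Json so the path is escaped correctly whatever the
#user name contains, instead of splicing it into a hand-written JSON string
$arg = @{ path = $TargetFilePath; mode = "add"; autorename = $true; mute = $false } | ConvertTo-Json -Compress
$authorization = "Bearer " + $token
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
try {
    Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers -ErrorAction Stop | Out-Null
} catch {
    #Leave the archive on disk so it can be retrieved by hand when the upload fails
    Write-Warning "Upload of $zipName failed: $($_.Exception.Message); archive left at $SourceFilePath"
}

#####
#Clear logs
#NOTE: these remove the on-host copy of the evidence; enable only once the upload has been
#confirmed. Clear-EventLog handles classic logs only; a channel such as
#Microsoft-Windows-Sysmon/Operational needs `wevtutil.exe cl` instead.
#Clear-EventLog Microsoft-Windows-Sysmon/Operational
#rm $SourceFilePath
#rm $log01
#rm $log02
#rm $log03
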
--------------------------------------------------------------------------------
/windows-agent.conf:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Microsoft-Windows-Sysmon/Operational
5 | eventchannel
6 |
7 |
8 | Microsoft-Windows-Windows Defender/Operational
9 | eventchannel
10 |
11 |
12 | Microsoft-Windows-WMI-Activity/Operational
13 | eventchannel
14 |
15 |
16 | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
17 | eventchannel
18 |
19 |
20 | Microsoft-Windows-SMBServer/Operational
21 | eventchannel
22 |
23 |
24 | Microsoft-Windows-SMBServer/Connectivity
25 | eventchannel
26 |
27 |
28 | Microsoft-Windows-SMBClient/Operational
29 | eventchannel
30 |
31 |
32 | Microsoft-Windows-SmbClient/Connectivity
33 | eventchannel
34 |
35 |
36 | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
37 | eventchannel
38 |
39 |
40 | Microsoft-Windows-TaskScheduler/Operational
41 | eventchannel
42 |
43 |
44 |
--------------------------------------------------------------------------------