├── .gitignore ├── Elastic SIEM Rules ├── Elastic_Corelight_rules.ndjson └── Elastic_Corelight_rules_only_logs-*_ecs_corelight.ndjson ├── LICENSE └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /Elastic SIEM Rules/Elastic_Corelight_rules.ndjson: -------------------------------------------------------------------------------- 1 | {"id":"d09144f0-a317-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-02T16:37:02.527Z","updated_by":"elastic","created_at":"2023-02-02T16:37:00.497Z","created_by":"elastic","name":"Schedule Task Access or Manipulation over SMB","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"Detects scheduled task access or manipulation on a remote computer over SMB. Determine if the server should be hosting shceduled tasks and if the client has modified them if it is allowed server. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"a9178207-31f6-48bd-8053-7ce20dedb4fc","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence"},"technique":[{"id":"T1574","reference":"https://attack.mitre.org/techniques/T1574","name":"Hijack Execution Flow","subtechnique":[]},{"id":"T1053","reference":"https://attack.mitre.org/techniques/T1053","name":"Scheduled 
Task/Job","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"smb_files\" AND (file.path:*\\\\*\\\\SYSVOL* AND file.name:*ScheduledTasks.xml) AND (NOT (smb.action.text:\"SMB\\:\\:FILE_OPEN\")))","filters":[],"throttle":"no_actions","actions":[]} 2 | {"id":"ba0f4b60-a302-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-02T14:06:05.499Z","updated_by":"elastic","created_at":"2023-02-02T14:06:03.461Z","created_by":"elastic","name":"Shared Webroot","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"Advesaries may place a webshell on a fileshare and execute that webshell by accessing it on an existing website. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"3961df68-5ac1-4624-9c39-f3f3999bcf33","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement"},"technique":[{"id":"T1051","reference":"https://attack.mitre.org/techniques/T1051","name":"Shared Webroot","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"smb_files\" AND file.path:(*inetpub* OR *wwwroot*) AND (file.name:(*.aspx OR *.asp OR *.php OR *.jsp OR *.jspx OR *.war OR *.ashx OR *.asmx OR *.ascx OR *.asx OR *.cshtml OR *.cfm OR *.cfc OR *.cfml OR *.wss OR *.do OR *.action OR *.pl OR *.plx OR *.pm OR *.xs OR *.t OR *.pod OR *.php\\\\-s OR *.pht OR *.phar OR *.phps OR *.php7 OR *.php5 OR *.php4 OR *.php3 OR *.phtml OR *.py OR *.rb OR *.rhtml OR *.cgi OR *.dll OR *.ayws OR *.cgi OR *.erb OR *.rjs OR *.hta OR *.htc OR *.cs OR *.kt OR *.lua OR *.vbhtml) OR file.name:/.*[^a-zA-Z0-9\\\\.\\\\_\\\\-][a-zA-Z0-9\\\\.\\\\_\\\\-]{1,3}\\\\.[A-Za-z0-9]{2,3}$/))","filters":[],"throttle":"no_actions","actions":[]} 3 | 
{"id":"6f5e9260-a3cf-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T14:31:27.011Z","updated_by":"elastic","created_at":"2023-02-03T14:31:24.921Z","created_by":"elastic","name":"Multiple Clients to HTTP Using Unicode Host via HTTP - Possible Multiple Phishing Attempts","tags":["Corelight","Zeek"],"interval":"60m","enabled":true,"description":"Detects when multiple HTTP requests were made to a single domain that has non-ascii characters(unicode/punycode) and a POST or PUT method was used. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team ","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-3660s","rule_id":"340877b9-05d2-4d80-b33f-f7a55a655a9f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"technique":[{"id":"T1566","reference":"https://attack.mitre.org/techniques/T1566","name":"Phishing","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"http\" AND ((http.request.method: POST) OR (http.request.method: PUT)) AND 
(url.has_non_ascii:true))","filters":[],"threshold":{"field":["source.ip","url.original"],"value":11,"cardinality":[]},"throttle":"no_actions","actions":[]} 4 | {"id":"c21df860-a401-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T20:31:40.085Z","updated_by":"elastic","created_at":"2023-02-03T20:31:38.555Z","created_by":"elastic","name":"Possible Kerberos Brute Force Attempt","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"Detects when hundreds of Kerberos requests are made by a single client. Determine if this is a) normal client and b) normal pattern for that client. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"512c0f00-43a8-44ed-b8c9-dec3bf5b041f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access"},"technique":[{"id":"T1110","reference":"https://attack.mitre.org/techniques/T1110","name":"Brute Force","subtechnique":[{"id":"T1110.001","reference":"https://attack.mitre.org/techniques/T1110/001","name":"Password 
Guessing"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"kerberos\" AND kerberos.request.client:*)","filters":[],"threshold":{"field":["destination.ip","source.ip"],"value":101,"cardinality":[]},"throttle":"no_actions","actions":[]} 5 | {"id":"d45d5cb0-a40a-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T21:36:36.697Z","updated_by":"elastic","created_at":"2023-02-03T21:36:34.647Z","created_by":"elastic","name":"Possible Windows Executable Download Without Matching Mime Type","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"A download of an executable where the mime type (https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) does not match the extension of the file downloaded. This is one way to hide the type of file downloaded. Determine if the filter was just a mistake based on a new mime type for executables that was not known at the time or more likely determine if the domain and the file downloaded are legitimate. 
Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"41521ac3-1e6e-43fc-b2fa-8e792aa07e04","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"technique":[{"id":"T1133","reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote Services","subtechnique":[]},{"id":"T1189","reference":"https://attack.mitre.org/techniques/T1189","name":"Drive-by Compromise","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"http\" AND http.resp_mime_types:(\"application/java-archive\" OR \"application/mshelp\" OR \"application/chrome-ext\" OR \"application/x-object\" OR \"application/x-executable\" OR \"application/x-dosexec\" OR \"application/x-msdownload\" OR \"application/vnd.microsoft.portable-executable \") AND (NOT (url.original:(*.exe OR *.dll OR *.msi))))","filters":[],"throttle":"no_actions","actions":[]} 6 | {"id":"f3af3db0-a32c-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-02T19:08:20.971Z","updated_by":"elastic","created_at":"2023-02-02T19:08:19.118Z","created_by":"elastic","name":"RDP Potential Brute Force Corelight Notices ","tags":["Corelight"],"interval":"30m","enabled":true,"description":"Corelight RDP Inferences detected a Brute Force Password 
","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["Corelight"],"false_positives":[],"from":"now-1860s","rule_id":"c4fa3f6e-885b-479e-9e23-c2f56476c27c","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"technique":[{"id":"T1078","reference":"https://attack.mitre.org/techniques/T1078","name":"Valid Accounts","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"event.dataset: \"notice\" and notice.note : \"RDP::Password_Guessing\"","filters":[],"throttle":"no_actions","actions":[]} 7 | {"id":"2afb2a80-a32e-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-02T19:17:02.613Z","updated_by":"elastic","created_at":"2023-02-02T19:17:01.015Z","created_by":"elastic","name":"RDP Scanning Potential Brute Force Common User Names","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"Identify common user names being attempted against a server in a short period of time. Normally a device will only have one or two local accounts, this detects if 3 or more local accounts are being attempted against a device then normally should be which could indicate an RDP brute force attempt. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team ","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"6caa6d68-6bfb-43f5-b411-8fc55f81af7b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence"},"technique":[]},{"tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"framework":"MITRE ATT&CK","technique":[{"id":"T1133","reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote Services","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs "],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"rdp\" AND rdp.cookie.text:(\"Root\" OR \"root\" OR \"Administr\" OR \"administr\" OR \"Admin\" OR \"admin\" OR \"Guest\" OR \"guest\" OR \"Info\" OR \"info\" OR \"Test\" OR \"test\" OR \"Adm\" OR \"adm\" OR \"User\" OR \"user\" OR \"DA\" OR \"da\" OR \"Local\" OR \"local\" OR \"Letmein\" OR \"letmein\" OR \"Service\" OR \\\"service\\\" OR \\\".\\\" OR \"Computer\" OR \"computer\" OR \"xxx\" OR \"\\/\" OR 
\"\\\\\"))","filters":[],"threshold":{"field":["source.ip","rdp.cookie"],"value":4,"cardinality":[]},"throttle":"no_actions","actions":[]} 8 | {"id":"a14632f0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.395Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.763Z","created_by":"elastic","name":"Administrative Share File Creation","tags":["Zeek","Corelight"],"interval":"30m","enabled":true,"description":"Adversaries may use administrative shares to place files used for lateral movement remotely. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: ","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"c5c66359-3d27-4fed-8865-d988dd75423f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"tactic":{"id":"TA0008","reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement"},"framework":"MITRE ATT&CK","technique":[{"id":"T1021","reference":"https://attack.mitre.org/techniques/T1021","name":"Remote Services","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs "],"version":8,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"smb_files\" AND (file.path:(*admin$* OR *print$* OR *fax$*) OR file.path:/.*[^A-Za-z][A-Za-z]$.*/) AND smb.action:\"SMB::FILE_WRITE\")","filters":[],"throttle":"no_actions","actions":[]} 9 | {"id":"a111dc80-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:19.545Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.549Z","created_by":"elastic","name":"Multiple SSH Brute Inferences from Single 
IP","tags":["Corelight"],"interval":"30m","enabled":true,"description":"Only available on Corelight and requires SSH Inferences package to be enabled. Verify if these were legitimate connections and that the source normally logs into multiple destinations in a short amount of time","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"5m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-2100s","rule_id":"f8443ebc-fde0-42ef-bf81-55a5657bb965","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access"},"technique":[{"id":"T1110","reference":"https://attack.mitre.org/techniques/T1110","name":"Brute Force","subtechnique":[{"id":"T1110.001","reference":"https://attack.mitre.org/techniques/T1110/001","name":"Password Guessing"}]}]}],"to":"now","references":[],"version":6,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"ssh\" AND ssh.inferences:BFS)","filters":[],"threshold":{"field":["source.ip","destination.ip"],"value":10,"cardinality":[]},"throttle":"no_actions","actions":[]} 10 | {"id":"f0860150-a318-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-02T16:45:05.653Z","updated_by":"elastic","created_at":"2023-02-02T16:45:03.546Z","created_by":"elastic","name":"Response from External Facing Service (Overview Query)","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"This rule is to be used as an overview of external facing service/IP has responded to a connection. Determine if these are documented external facing services to help discover new or existing services on your network. 
This will help you learn about the infrastructure that your oganization hosts which inventory is a large part in defending an organization (ie: you can not protect what you do not know exists). Also, it will help you find when undocumented services are exposed to the internet that should not be. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Priome"],"false_positives":[],"from":"now-1860s","rule_id":"6d6d801c-e93d-412f-88dc-7e4caff8114a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence"},"technique":[{"id":"T1133","reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote Services","subtechnique":[]}]},{"tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"framework":"MITRE ATT&CK","technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:conn and conn.local_orig : false and conn.local_resp : true and source.ip:* and network.connection.history: Sh*)","filters":[],"throttle":"no_actions","actions":[]} 11 | 
{"id":"e4a0d9b0-a402-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T20:39:48.187Z","updated_by":"elastic","created_at":"2023-02-03T20:39:46.071Z","created_by":"elastic","name":"Potentially Harmful Attachment","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"Advesaries may send malicious attachments via email. These are files that normally, for legitimate purposes, will not be sent. Especially from an external email. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"a35a028c-47a7-42d5-8192-25524786f3f6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"technique":[{"id":"T1193","reference":"https://attack.mitre.org/techniques/T1193","name":"Spearphishing Attachment","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"files\" AND network.protocol:\"SMTP\" AND name:(*.7z OR *.ace OR *.apm OR *.app OR *.appref-ms OR *.arj OR *.asp OR *.bas OR *.bat OR *.bz2 OR *.bzip2 OR *.cab OR *.cdxml OR *.cer OR *.chi OR *.chm OR *.chq OR *.chw OR 
*.class OR *.cmd OR *.cnt OR *.com OR *.cpl OR *.crt OR *.doc OR *.docm OR *.epub OR *.exe OR *.gadget OR *.gz OR *.gzip OR *.hta OR *.img OR *.inf OR *.ins OR *.ins OR *.iso OR *.isp OR *.isp OR *.jar OR *.jar OR *.jnlp OR *.jse OR *.lnk OR *.lzh OR *.mde OR *.mht OR *.msi OR *.msix OR *.msixbundle OR *.ods OR *.odt OR *.pif OR *.pkg OR *.pl OR *.ps1 OR *.ps1xml OR *.ps2 OR *.ps2xml OR *.psc1 OR *.psc2 OR *.psd1 OR *.psd1 OR *.psdm1 OR *.psm1 OR *.pssc OR *.py OR *.pyc OR *.pyo OR *.pyw OR *.pyz OR *.pyzw OR *.r01 OR *.r14 OR *.r18 OR *.r25 OR *.rar OR *.reg OR *.scr OR *.sct OR *.shb OR *.sys OR *.tar OR *.taz OR *.tbz OR *.tbz2 OR *.tgz OR *.txz OR *.udl OR *.vbe OR *.vbs OR *.ws OR *.wsb OR *.wsc OR *.wsf OR *.xbap OR *.xls OR *.xlsm OR *.xpi OR *.xz OR *.z OR *.zipx))","filters":[],"throttle":"no_actions","actions":[]} 12 | {"id":"756ea3e0-a297-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-02T01:18:13.793Z","updated_by":"elastic","created_at":"2023-02-02T01:18:11.762Z","created_by":"elastic","name":"HTTP Traffic with No HTTP Host Set or User Agent Set","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"Client is making a request mimicking a legitimate browser but is possibly powershell or other programming library that would not normally have that Browser User Agent Author: SOC Prime Team.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"dc8dd4f0-8525-49bc-9b01-e9a2e9ab3498","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1571","reference":"https://attack.mitre.org/techniques/T1571","name":"Non-Standard 
Port","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"http\" and http.request.header_names:\"USER-AGENT\" AND ((NOT (http.request._names:\"HOST\")) OR http.request.header_names:\"HOST\"))","filters":[],"throttle":"no_actions","actions":[]} 13 | {"id":"1a534a80-a3f3-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T18:46:45.718Z","updated_by":"elastic","created_at":"2023-02-03T18:46:43.649Z","created_by":"elastic","name":"Multiple Compressed Files Transferred over HTTP","tags":["Corelight","Zeek"],"interval":"15m","enabled":true,"description":"Advesaries may use compressed archives to transfer data. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-2700s","rule_id":"76ec8a4f-b195-4efa-948b-ab88d735b2ac","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0010","reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration"},"technique":[{"id":"T1020","reference":"https://attack.mitre.org/techniques/T1020","name":"Automated Exfiltration","subtechnique":[]},{"id":"T1002","reference":"https://attack.mitre.org/techniques/T1002","name":"Data 
Compressed","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"http\" AND (http.request.method:(\"POST\" OR \"PUT\") AND file.mime_type:(\"application/vnd.ms-cab-compressed\" OR \"application/warc\" OR \"application/x-7z-compressed\" OR \"application/x-ace\" OR \"application/x-arc\" OR \"application/x-archive\" OR \"application/x-arj\" OR \"application/x-compress\" OR \"application/x-cpio\" OR \"application/x-dmg\" OR \"application/x-eet\" OR \"application/x-gzip\" OR \"application/x-lha\" OR \"application/x-lrzip\" OR \"application/x-lz4\" OR \"application/x-lzma\" OR \"application/x-lzh\" OR \"application/x-lzip\" OR \"application/x-rar\" OR \"application/x-rpm\" OR \"application/x-stuffit\" OR \"application/x-tar\" OR \"application/x-xz\" OR \"application/x-zoo\" OR \"application/zip\")) AND (NOT (http.request.referrer:*)))","filters":[],"threshold":{"field":["source.ip","url.original","destination.domain"],"value":26,"cardinality":[]},"throttle":"no_actions","actions":[]} 14 | {"id":"91afb250-a3f1-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T18:36:16.697Z","updated_by":"elastic","created_at":"2023-02-03T18:35:45.379Z","created_by":"elastic","name":"Multiple Compressed Files Transferred Outbound","tags":["Corelight","Zeek"],"interval":"5m","enabled":true,"description":"Advesaries may use compressed archives to transfer data. Make sure your zeek or coreligth device has local_orig and local_resp variables filled out correctly matching your organizations subnets. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-2100s","rule_id":"c21b22f1-bd35-480f-871d-5bab56a9d062","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0010","reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration"},"technique":[{"id":"T1002","reference":"https://attack.mitre.org/techniques/T1002","name":"Data Compressed","subtechnique":[]},{"id":"T1020","reference":"https://attack.mitre.org/techniques/T1020","name":"Automated Exfiltration","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"files\" AND (NOT (file.size:\"0\")) AND file.mime_type:(\"application/vnd.ms-cab-compressed\" OR \"application/warc\" OR \"application/x-7z-compressed\" OR \"application/x-ace\" OR \"application/x-arc\" OR \"application/x-archive\" OR \"application/x-arj\" OR \"application/x-compress\" OR \"application/x-cpio\" OR \"application/x-dmg\" OR \"application/x-eet\" OR \"application/x-gzip\" OR \"application/x-lha\" OR \"application/x-lrzip\" OR \"application/x-lz4\" OR \"application/x-lzma\" OR \"application/x-lzh\" OR \"application/x-lzip\" OR 
\"application/x-rar\" OR \"application/x-rpm\" OR \"application/x-stuffit\" OR \"application/x-tar\" OR \"application/x-xz\" OR \"application/x-zoo\" OR \"application/zip\"))","filters":[],"threshold":{"field":["destination.ip","file.hash.sha1"],"value":26,"cardinality":[]},"throttle":"no_actions","actions":[]} 15 | {"id":"860862a0-a40d-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T21:55:53.472Z","updated_by":"elastic","created_at":"2023-02-03T21:55:51.512Z","created_by":"elastic","name":"Potential Webdav Forced Authentication","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"Identifies internet bound webdav requests which could be forced authentication. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"f76c7c08-d1ce-49c6-ad33-bc224e119193","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access"},"technique":[{"id":"T1187","reference":"https://attack.mitre.org/techniques/T1187","name":"Forced 
Authentication","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"http\" AND user_agent.original:*webdav* AND (NOT (event.dataset:\"http\" AND destination.ip_public: false)))","filters":[],"throttle":"no_actions","actions":[]} 16 | {"id":"f74b46c0-a409-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T21:30:25.919Z","updated_by":"elastic","created_at":"2023-02-03T21:30:23.720Z","created_by":"elastic","name":"Possible Webshell - Rare PUT or POST by IP","tags":["Corelight","Zeek"],"interval":"24h","enabled":true,"description":"This rule looks for post requests to a single webserver location from less than 3 IPs over 24 hours. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-86460s","rule_id":"65c335b5-7b6b-470f-9e35-e6710f744366","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence"},"technique":[{"id":"T1505","reference":"https://attack.mitre.org/techniques/T1505","name":"Server Software Component","subtechnique":[{"id":"T1505.003","reference":"https://attack.mitre.org/techniques/T1505/003","name":"Web Shell"}]},{"id":"T1100","reference":"https://attack.mitre.org/techniques/T1100","name":"Web Shell","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"http\" AND (url.original:(*.aspx OR *.asp OR *.php OR *.jsp OR *.jspx OR *.war OR *.ashx OR *.asmx OR *.ascx OR *.asx OR *.cshtml OR *.cfm OR *.cfc OR *.cfml OR *.wss OR *.do OR *.action OR *.pl OR *.plx OR *.pm OR *.xs OR *.t OR *.pod OR *.php-s OR *.pht OR *.phar OR *.phps OR *.php7 OR *.php5 OR *.php4 OR *.php3 OR *.phtml OR *.py OR *.rb OR *.rhtml OR *.cgi OR *.dll OR *.ayws OR *.cgi OR *.erb OR *.rjs OR *.hta OR *.htc OR *.cs OR *.kt OR *.lua OR 
*.vbhtml) AND http.request.method.text:(\"POST\" OR \"PUT\")) AND (NOT (http.response.status_code:4*)))","filters":[],"threshold":{"field":["url.original","source.ip"],"value":10,"cardinality":[]},"throttle":"no_actions","actions":[]} 17 | {"id":"112dd5f0-a2aa-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T18:26:19.246Z","updated_by":"elastic","created_at":"2023-02-02T03:31:23.767Z","created_by":"elastic","name":"Internal and Uncommon HTTP Service with interesting user agent and mime type combination","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"This rule looks for Internal service with an uncommon HTTP port and interesting user agents and matches them with interesting mime types. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: Corelight .","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["Corelight","SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"6a5182d4-f504-4b3a-835f-a2c6fd26aba6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1571","reference":"https://attack.mitre.org/techniques/T1571","name":"Non-Standard 
Port","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"http\" AND (http.response.mime_types:(\"application/java-archive\" OR \"application/mshelp\" OR \"application/chrome-ext\" OR \"application/x-object\" OR \"application/x-executable\" OR \"application/x-sharedlib\" OR \"application/-mach-o-executable\" OR \"application/x-dosexec\" OR \"application/x-java-applet\" OR \"application/x-java-jnlp-file\" OR \"text/x-php\" OR \"text/x-perl\" OR \"text/x-ruby\" OR \"text/x-python\" OR \"text/x-awk\" OR \"text/x-tcl\" OR \"text/x-lua\" OR \"text/x-msdos-batch\") AND user_agent.original:(*certutil* OR *powershell* OR *microsoft* OR *python* OR *libwww-perl* OR *go-http* OR *java* OR *lua-resty-http* OR *winhttp* OR *vb project* OR *ruby*)) AND (NOT (source.port:(\"80\" OR \"8000\" OR \"8080\" OR \"8888\"))) AND (destination.ip_public: true))","filters":[],"throttle":"no_actions","actions":[]} 18 | {"id":"d601b430-a315-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-02T16:22:52.683Z","updated_by":"elastic","created_at":"2023-02-02T16:22:50.562Z","created_by":"elastic","name":"Self Signed TLS SSL Certificate (Overview Query)","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"Detects a TLS/SSL certificate that is self-signed. Normally a certificate would be signed by a trusted Certificate Authority. This could be an indication of a) malicious activity where an attacker is creating and using their own infrastructure or b) an unauthorized or incorrectly configured webserver. 
Sometimes Corelight/Zeek appliance/software does not have the same certificates installed as something like Chrome or Firefox or other browser. You can filter false positives of this scenario using the subject_issuer field. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"b22d42a5-4151-44cb-8a92-e7c7f27bf9f2","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion"},"technique":[{"id":"T1553","reference":"https://attack.mitre.org/techniques/T1553","name":"Subvert Trust Controls","subtechnique":[{"id":"T1553.004","reference":"https://attack.mitre.org/techniques/T1553/004","name":"Install Root Certificate"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"ssl\" AND ssl.validation_status.text:\"self signed certificate\")","filters":[],"throttle":"no_actions","actions":[]} 19 | {"id":"c67f8b60-a31d-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-02T17:19:42.366Z","updated_by":"elastic","created_at":"2023-02-02T17:19:40.602Z","created_by":"elastic","name":"Remote Creation of temp file in 
System32 folder","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"Detects scenario where a file with a \\\".tmp\\\" (temporary) file extension is created remotely in the System32 folder. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"4a053cdc-6bde-4793-b82a-29c8620e6799","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1105","reference":"https://attack.mitre.org/techniques/T1105","name":"Ingress Tool Transfer","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-log"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"smb_files\" and file.name:*SYSTEM32\\*.tmp* and (not (smb.action:\"SMB::FILE_OPEN\" )))","filters":[],"throttle":"no_actions","actions":[]} 20 | {"id":"a149dc70-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.335Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.807Z","created_by":"elastic","name":"DNS Domain names with Non ASCII Character","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Adversaries 
can use DNS name with Non ASCII Characters to hide the real domain and make it look like something else.\n\n","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":[],"false_positives":[],"from":"now-360s","rule_id":"5ac25ec4-634b-4d07-9e80-a15ab106c7b9","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"event.dataset: dns and destination.domain_has_non_ascii: true","filters":[],"throttle":"no_actions","actions":[]} 21 | {"id":"9dd09560-a241-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-01T15:03:44.272Z","updated_by":"elastic","created_at":"2023-02-01T15:03:42.653Z","created_by":"elastic","name":"Client transferring large amount of data over HTTP","tags":["Corelight","Zeek"],"interval":"15m","enabled":true,"description":"Client sending over 5GBs via HTTP. It is uncommon for a client to send this much traffic to a server over HTTP. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-960s","rule_id":"fcbb4787-dfd5-4ca5-b312-8d67e573cdf0","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0010","reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration"},"technique":[{"id":"T1030","reference":"https://attack.mitre.org/techniques/T1030","name":"Data Transfer Size Limits","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"http\" AND http.response.body.bytes:* AND http.response.body.bytes >10000000)","filters":[],"throttle":"no_actions","actions":[]} 22 | {"id":"57bd25d0-a40c-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T21:47:26.558Z","updated_by":"elastic","created_at":"2023-02-03T21:47:24.685Z","created_by":"elastic","name":"Possible Webshell PUT or POST to unusual extensions","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"This rule looks for post requests to unusual extensions (e.g. .jpg). 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"6617c7d5-4ae3-4ac2-8b73-def9746bf017","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence"},"technique":[{"id":"T1100","reference":"https://attack.mitre.org/techniques/T1100","name":"Web Shell","subtechnique":[]},{"id":"T1505","reference":"https://attack.mitre.org/techniques/T1505","name":"Server Software Component","subtechnique":[{"id":"T1505.003","reference":"https://attack.mitre.org/techniques/T1505/003","name":"Web Shell"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"http\" AND (url.original:(*.jpg OR *.jpeg OR *.gif OR *.png OR *.icon OR *.ico OR *.xml OR *.swf OR *.svg OR *.ppt OR *.pttx OR *.doc OR *.docx OR *.rtf OR *.pdf OR *.tif OR *.zip OR *.mov) AND http.request.method.text:(\"POST\" OR \"PUT\") AND http.response.status_code:2*) AND (NOT ((http.response.body.bytes:\"0\") )))","filters":[],"throttle":"no_actions","actions":[]} 23 | 
{"id":"a15240e0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.388Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.874Z","created_by":"elastic","name":"Potential Forced External Outbound DCE_RPC","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Detects DCE/RPC (e.g. MSRPC) traffic originating internally and communicating with an external IP address. DCE/RPC Traffic should only occur internally. Traffic headed externally could be an indicator of a forced authentication attempt.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"f1c7d00c-4eb0-43ac-a1ef-20dbd94a3059","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access"},"technique":[{"id":"T1187","reference":"https://attack.mitre.org/techniques/T1187","name":"Forced Authentication","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol:dce* AND conn.history:Sh* AND conn.local_orig:\"true\" AND conn.local_resp\"false\")","filters":[],"throttle":"no_actions","actions":[]} 24 | {"id":"903b7390-a3ca-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T13:56:35.116Z","updated_by":"elastic","created_at":"2023-02-03T13:56:32.939Z","created_by":"elastic","name":"LNK File Download or Usage over SMB (Overview Query)","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"This should be used to give an over of link files can be used as way 
to automate certain actions or passing of credentials in Windows. Determine if these are LNK files used on a legitimate file share or network share. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"515af96e-b3d7-4f70-9a3c-0e41466dcac6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution"},"technique":[{"id":"T1059","reference":"https://attack.mitre.org/techniques/T1059","name":"Command and Scripting Interpreter","subtechnique":[{"id":"T1059.001","reference":"https://attack.mitre.org/techniques/T1059/001","name":"PowerShell"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"smb_files\" AND file.name:(*.lnk OR *.LNK OR *.inf OR *.INF))","filters":[],"throttle":"no_actions","actions":[]} 25 | {"id":"a15d3d60-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.408Z","updated_by":"elastic","created_at":"2022-10-18T20:44:17.570Z","created_by":"elastic","name":"Suricata Scan with allowed connection","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Takes a 
Suricata Alert and correlates it to a full connection ","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"http://10.100.100.137:5601/app/security"},"author":["Corelight"],"false_positives":[],"from":"now-360s","rule_id":"e42202d0-1439-404a-bb3c-50a546bb6111","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"technique":[]},{"tactic":{"id":"TA0043","reference":"https://attack.mitre.org/tactics/TA0043","name":"Reconnaissance"},"framework":"MITRE ATT&CK","technique":[]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"eql","language":"eql","index":["logs-corelight-ds*","apm-*-transaction*","traces-apm*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*"],"query":"sequence by log.id.uid \n [network where rule.name like \"ET SCAN *\"] \n [network where network.connection.history != \"S\" and network.transport ==\"tcp\"]","filters":[],"throttle":"no_actions","actions":[]} 26 | {"id":"a14bd840-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.378Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.872Z","created_by":"elastic","name":"Potential Forced External Outbound SMB","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Detects SMB requests that originate internally and communicate with an external IP address. 
Attackers can use tools such as Metasploit to listen for inbound SMB requests and capture NTLM hashes this way.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"b3cade75-d9b2-436a-9ff5-caac412a4ba6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access"},"technique":[{"id":"T1187","reference":"https://attack.mitre.org/techniques/T1187","name":"Forced Authentication","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol:smb* AND conn.history:Sh* AND conn.local_orig:\"true\" AND conn.local_resp:\"false\")","filters":[],"throttle":"no_actions","actions":[]} 27 | {"id":"a14e9760-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.305Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.842Z","created_by":"elastic","name":"Executable from Webdav","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Detects a download from a WebDAV service which could be used as a way to transfer tools internally. 
Determine if this is a) Legitimate server b) legitimate binary/file","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"d5ca8624-8e37-4861-a12b-ab788a088c1d","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0009","reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection"},"technique":[{"id":"T1074","reference":"https://attack.mitre.org/techniques/T1074","name":"Data Staged","subtechnique":[]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"http\" AND (user_agent.original:*WebDAV* OR url.original:*webdav*) AND (http.resp_mime_types:*dosexec* OR url.extension:exe))","filters":[],"throttle":"no_actions","actions":[]} 28 | {"id":"a14d37d0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.405Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.822Z","created_by":"elastic","name":"DNS TXT With Non ASCII Character","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Adversaries can use DNS TXT requests/responses for C2. Sometimes they may include binary data in the response. 
Since DNS TXT records should be human-readable, this is unusual.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"e82f6fd6-b088-460c-993d-ff151c10d9af","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"dns\" AND dns.answers.name:/.*[^\\\\x00-\\\\x7F].*/ AND dns.question.type:(\"TXT\" OR \"txt\"))","filters":[],"throttle":"no_actions","actions":[]} 29 | {"id":"c1d00170-a17a-11ed-ada1-93a8f6107cb8","updated_at":"2023-01-31T15:20:14.951Z","updated_by":"elastic","created_at":"2023-01-31T15:20:13.535Z","created_by":"elastic","name":"DNS tunnel repetitive failures to same domain","tags":["Corelight","Zeek"],"interval":"5m","enabled":true,"description":"This rule identifies large amounts of DNS resolution failures (domain does not exist and server failures). Some DGA algorithms generate hundreds/thousands of bad DNS names before hitting one that an attacker has registered. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime","neu5ron","Brasitech"],"false_positives":[],"from":"now-2100s","rule_id":"449e89a8-11f5-4fde-9b47-fcbf555da042","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1094","reference":"https://attack.mitre.org/techniques/T1094","name":"Custom Command and Control Protocol","subtechnique":[]},{"id":"T1043","reference":"https://attack.mitre.org/techniques/T1043","name":"Commonly Used Port","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"kuery","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"dns\" AND dns.response_code:(\"NXDOMAIN\" OR \"SERVFAIL\" OR \"nxdomain\" OR \"servfail\"))","filters":[],"threshold":{"field":["source.ip","destination.level_1n2_domain"],"value":26,"cardinality":[]},"throttle":"no_actions","actions":[]} 30 | {"id":"a14129e0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.372Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.779Z","created_by":"elastic","name":"Potential Forced Netbios DNS 
Lookup","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Potential Forced Netbios DNS Lookup","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"bff45c08-0fff-4070-96dc-5dbe46071203","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access"},"technique":[{"id":"T1187","reference":"https://attack.mitre.org/techniques/T1187","name":"Forced Authentication","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:conn AND network.protocol: dns AND (destination.port: 137 OR destination.port: 138) AND (NOT destination.ip_rfc: RFC_1918))","filters":[],"throttle":"no_actions","actions":[]} 31 | {"id":"d22d1ac0-a400-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T20:24:58.703Z","updated_by":"elastic","created_at":"2023-02-03T20:24:55.583Z","created_by":"elastic","name":"Multiple Files sent over HTTP with abnormal requests","tags":["Corelight","Zeek"],"interval":"13m","enabled":true,"description":"Client sending multiple compressed files greater than 10MBs sent over HTTP in a short amount of time.. Additionally, this looks for no referrer which is normally seen in HTTP browsing, thus helps find potentially automated or scripted requests. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: Corelight .","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["Corelight"],"false_positives":[],"from":"now-2580s","rule_id":"af290e93-f670-4d38-8670-79dc89ddb6eb","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0010","reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration"},"technique":[{"id":"T1030","reference":"https://attack.mitre.org/techniques/T1030","name":"Data Transfer Size Limits","subtechnique":[]}]},{"tactic":{"id":"TA0009","reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection"},"framework":"MITRE ATT&CK","technique":[{"id":"T1560","reference":"https://attack.mitre.org/techniques/T1560","name":"Archive Collected Data","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"http\" AND file.mime_type.:(\"application/vnd.ms-cab-compressed\" OR \"application/warc\" OR \"application/x-7z-compressed\" OR \"application/x-ace\" OR \"application/x-arc\" OR \"application/x-archive\" OR \"application/x-arj\" OR \"application/x-compress\" OR \"application/x-cpio\" OR \"application/x-dmg\" OR \"application/x-eet\" OR \"application/x-gzip\" OR \"application/x-lha\" OR 
\"application/x-lrzip\" OR \"application/x-lz4\" OR \"application/x-lzma\" OR \"application/x-lzh\" OR \"application/x-lzip\" OR \"application/x-rar\" OR \"application/x-rpm\" OR \"application/x-stuffit\" OR \"application/x-tar\" OR \"application/x-xz\" OR \"application/x-zoo\" OR \"application/zip\") AND (NOT (http.request.referrer:*)) AND http.response.body.bytes >10000000)","filters":[],"threshold":{"field":["source.ip","log.id.uid"],"value":11,"cardinality":[]},"throttle":"no_actions","actions":[]} 32 | {"id":"8ebc7080-a3d1-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T14:46:38.073Z","updated_by":"elastic","created_at":"2023-02-03T14:46:36.027Z","created_by":"elastic","name":"Multiple Compressed Files Transferred Outbound","tags":["Corelight","Zeek"],"interval":"5m","enabled":true,"description":"Advesaries may use compressed archives to transfer data. Make sure your zeek or coreligth device has local_orig and local_resp variables filled out correctly matching your organizations subnets. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-2100s","rule_id":"32010000-ba3b-444c-aced-af27db45961a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0010","reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration"},"technique":[{"id":"T1020","reference":"https://attack.mitre.org/techniques/T1020","name":"Automated Exfiltration","subtechnique":[]},{"id":"T1002","reference":"https://attack.mitre.org/techniques/T1002","name":"Data Compressed","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"files\" AND (NOT (file.size:\"0\")) AND file.mime_type:(\"application/vnd.ms-cab-compressed\" OR \"application/warc\" OR \"application/x-7z-compressed\" OR \"application/x-ace\" OR \"application/x-arc\" OR \"application/x-archive\" OR \"application/x-arj\" OR \"application/x-compress\" OR \"application/x-cpio\" OR \"application/x-dmg\" OR \"application/x-eet\" OR \"application/x-gzip\" OR \"application/x-lha\" OR \"application/x-lrzip\" OR \"application/x-lz4\" OR \"application/x-lzma\" OR \"application/x-lzh\" OR \"application/x-lzip\" OR 
\"application/x-rar\" OR \"application/x-rpm\" OR \"application/x-stuffit\" OR \"application/x-tar\" OR \"application/x-xz\" OR \"application/x-zoo\" OR \"application/zip\"))","filters":[],"threshold":{"field":["destination.ip","file.hash.sha1"],"value":26,"cardinality":[]},"throttle":"no_actions","actions":[]} 33 | {"id":"a15b68a0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.369Z","updated_by":"elastic","created_at":"2022-10-18T20:44:17.574Z","created_by":"elastic","name":"HTTP POST or PUT URI Non ASCII Character","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Make sure to apply this for inbound traffic. Traffic that is going to your web servers or public accessible infrastructure. A request with NON ASCII characters within the URL is possible indication of various techniques to bypass WAF and or to logical errors in the severs backend code.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"0c85eb2d-c909-477e-a821-8cae5a23deab","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence"},"technique":[{"id":"T1505","reference":"https://attack.mitre.org/techniques/T1505","name":"Server Software Component","subtechnique":[{"id":"T1505.003","reference":"https://attack.mitre.org/techniques/T1505/003","name":"Web Shell"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"http\" AND url.has_non_ascii:true AND http.request.method: \"POST\" OR 
\"PUT\")","filters":[],"throttle":"no_actions","actions":[]} 34 | {"id":"a1389e60-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.341Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.801Z","created_by":"elastic","name":"SMTP Email containing NON Ascii Characters within the Subject","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Detects scenario where an email contains non ascii characters within the Subject. This could be a sign of evasion or other malicious possibilities such as character encoding to cause actions within a client such as outlook. If this occurs once it may not be very suspicious. However, take additional note if this was sent to multiple users.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"dc7de593-fd0a-4cb2-af5f-ce2e263a2a8b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"technique":[{"id":"T1566","reference":"https://attack.mitre.org/techniques/T1566","name":"Phishing","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"event.dataset:smtp AND smtp.subject_has_non_ascii: true","filters":[],"throttle":"no_actions","actions":[]} 35 | {"id":"f3d0f580-a337-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T14:51:16.562Z","updated_by":"elastic","created_at":"2023-02-02T20:27:03.582Z","created_by":"elastic","name":"RDP Possible Non User Login, Abnormal Screen 
Resolution","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"RDP small screen resolution can be an indication that the connection was made via an automated script (unusual for RDP) or via a port forwarding scenario using RDP. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"4b83eea1-97cf-469e-a801-a61b6bcba2a3","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement"},"technique":[{"id":"T1021","reference":"https://attack.mitre.org/techniques/T1021","name":"Remote Services","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"rdp\" AND rdp.desktop_height <600 AND rdp.desktop_width <600)","filters":[],"throttle":"no_actions","actions":[]} 36 | {"id":"a153c780-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.425Z","updated_by":"elastic","created_at":"2022-10-18T20:44:17.559Z","created_by":"elastic","name":"External Proxy Detected (Overview Query)","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"This 
should be used as a guide for filtering known and unknown proxies in use on your network. This rule detects external proxies using the Corelight and Zeek HTTP log.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"8e5c7625-ce39-41e6-81d0-2ef7bf971c57","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1092","reference":"https://attack.mitre.org/techniques/T1092","name":"Communication Through Removable Media","subtechnique":[]}]},{"tactic":{"id":"TA0005","reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion"},"framework":"MITRE ATT&CK","technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"event.dataset:\"http\" AND http.request.proxied:* AND (NOT source.ip_rfc: RFC_1918)","filters":[],"throttle":"no_actions","actions":[]} 37 | {"id":"a13b8490-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.337Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.756Z","created_by":"elastic","name":"Windows Sysvol File Modification","tags":["Corelight","Zeek"],"interval":"5m","enabled":true,"description":"Sysvol is the path which a domain controller uses to share group policies and other important Active Directory files. This detects a scenario where one of those files on that share is changed or created. 
Although this may legitimately happen, determine if the source is authorized or should be making these types of changes.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"d7ee4a4a-07e0-4527-97e4-504206907f99","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement"},"technique":[{"id":"T1021","reference":"https://attack.mitre.org/techniques/T1021","name":"Remote Services","subtechnique":[{"id":"T1021.002","reference":"https://attack.mitre.org/techniques/T1021/002","name":"SMB/Windows Admin Shares"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":3,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"event.dataset:smb_files AND file.path:(*Sysvol OR *SYSVOL OR *sysvol) AND (NOT (smb.action:\"SMB::FILE_OPEN\"))","filters":[],"throttle":"no_actions","actions":[]} 38 | {"id":"a142d790-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.447Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.969Z","created_by":"elastic","name":"External Facing Service Using RFC 1918 Subnets","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Identify external facing services. 
Exclude documented external facing services to help discover new/existing services on your network","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"ac0e6419-1812-4d05-9205-87fda7fd8aef","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence"},"technique":[{"id":"T1133","reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote Services","subtechnique":[]}]},{"tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"framework":"MITRE ATT&CK","technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"conn\" AND destination.ip_rfc: \"RFC_1918\" AND network.connection.history: Sh*)","filters":[{"meta":{"alias":null,"negate":true,"disabled":false,"type":"phrase","key":"source.ip_rfc","params":{"query":"RFC_1918"}},"query":{"match_phrase":{"source.ip_rfc":"RFC_1918"}},"$state":{"store":"appState"}}],"throttle":"no_actions","actions":[]} 39 | {"id":"a154d8f0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.431Z","updated_by":"elastic","created_at":"2022-10-18T20:44:17.569Z","created_by":"elastic","name":"External Facing ICS DNP3","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"An external facing ICS DNP3 device is responding to external public facing connections. 
Verify whether this is an allowed device.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"f53040b1-4b41-4b52-a628-1b56e20e1db5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"technique":[{"id":"T1133","reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote Services","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"event.dataset:dnp3 AND dnp3.fc_request:* AND (NOT source.ip_rfc: RFC_1918)","filters":[],"throttle":"no_actions","actions":[]} 40 | {"id":"a144fa70-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.551Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.771Z","created_by":"elastic","name":"Potential Forced External Outbound NTLM","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Detects NTLM requests that originate internally and communicate with an external IP address. 
Tools such as responder can be used to capture NTLM hashes, etc. for offline cracking.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"dc6c9906-b9c7-4d85-b150-d77d2cb82003","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access"},"technique":[{"id":"T1187","reference":"https://attack.mitre.org/techniques/T1187","name":"Forced Authentication","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol.text:\"ntlm\" AND conn.history:Sh* AND conn.local_orig:\"true\" AND conn.local_resp:\"false\")","filters":[],"throttle":"no_actions","actions":[]} 41 | {"id":"a13d8060-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.398Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.776Z","created_by":"elastic","name":"SSH Inference Abnormal Client Activity","tags":["Corelight"],"interval":"5m","enabled":true,"description":"An inference was made that during an SSH connection a client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after encryption begins. Only available on Corelight and requires the SSH Inferences package to be enabled. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"eb5ee8b1-38da-40a7-94a9-d04b0418ad66","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1573","reference":"https://attack.mitre.org/techniques/T1573","name":"Encrypted Channel","subtechnique":[]}]},{"tactic":{"id":"TA0005","reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion"},"framework":"MITRE ATT&CK","technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"ssh\" AND logged_ssh_inference:\"ABP\")","filters":[],"throttle":"no_actions","actions":[]} 42 | {"id":"2efe0a50-a3cc-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T14:08:10.134Z","updated_by":"elastic","created_at":"2023-02-03T14:08:08.065Z","created_by":"elastic","name":"Multiple Abnormal non conforming HTTP Requests","tags":["Corelight","Zeek"],"interval":"10m","enabled":true,"description":"Detects when multiple HTTP requests are made that do not conform to the standard. This is usually an indication that an alternative HTTP implementation is in place. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team ","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-660s","rule_id":"d7b986aa-d313-4332-a205-6c179de6722d","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1102","reference":"https://attack.mitre.org/techniques/T1102","name":"Web Service","subtechnique":[{"id":"T1102.001","reference":"https://attack.mitre.org/techniques/T1102/001","name":"Dead Drop Resolver"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"weird\" AND weird.name:\"bad_HTTP_request\")","filters":[],"threshold":{"field":["destination.port","source.ip"],"value":11,"cardinality":[]},"throttle":"no_actions","actions":[]} 43 | {"id":"a15686a0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.346Z","updated_by":"elastic","created_at":"2022-10-18T20:44:17.573Z","created_by":"elastic","name":"Executable Download Directly From IP","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"A download directly from an IP address is not typical of web traffic; 
in addition, this was an executable file. Determine if this is legitimate infrastructure and if this is a legitimate file. Usually this means somewhere in a scripting logic is a hard coded IP address.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime","Nate Guagenti (@neu5ron)"],"false_positives":[],"from":"now-360s","rule_id":"d4f54b0b-44b2-44dd-a0e7-2401acbef9bb","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"technique":[{"id":"T1133","reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote Services","subtechnique":[]}]},{"tactic":{"id":"TA0003","reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence"},"framework":"MITRE ATT&CK","technique":[]}],"to":"now","references":[],"version":4,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"event.dataset:http AND ((destination.domain_ends_with_integer: true AND destination.domain_has_dot: true ) OR (domain_has_colon: true AND destination.domain_has_dot: false)) AND url.extension:(apm OR app OR appref\\\\-ms OR bas OR bat OR chi OR chm OR chq OR chw OR dll OR exe OR gadget OR hta OR inf OR jar OR jnlp OR jse OR lnk OR mde OR mht OR msi OR msix OR msixbundle OR pif OR pkg OR pl OR ps1 OR ps1xml OR ps2 OR ps2xml OR psc1 OR psc2 OR psd1 OR psd1 OR psdm1 OR psm1 OR py OR pyc OR pyo OR pyw OR pyz OR reg OR scr OR sct OR vbe OR vbs OR ws OR wsb OR wsc OR wsf OR xpi OR xz OR z OR zip OR zipx)","filters":[],"throttle":"no_actions","actions":[]} 44 | 
{"id":"a1007760-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:19.400Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.552Z","created_by":"elastic","name":"BloodHound AD Discovery","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Detects usage of RPC operations used by the tool BloodHound. Specifically these operations are used for AD account and group information. This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://18.224.15.232:15601/app/security"},"author":["SOC Prime","@infosecn1nja"],"false_positives":[],"from":"now-360s","rule_id":"502b1c35-68df-4e9a-9984-eb95bf23c562","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0007","reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery"},"technique":[{"id":"T1069","reference":"https://attack.mitre.org/techniques/T1069","name":"Permission Groups Discovery","subtechnique":[{"id":"T1069.001","reference":"https://attack.mitre.org/techniques/T1069/001","name":"Local Groups"},{"id":"T1069.002","reference":"https://attack.mitre.org/techniques/T1069/002","name":"Domain Groups"}]},{"id":"T1087","reference":"https://attack.mitre.org/techniques/T1087","name":"Account Discovery","subtechnique":[{"id":"T1136.001","reference":"https://attack.mitre.org/techniques/T1136/001","name":"Local Account"},{"id":"T1136.002","reference":"https://attack.mitre.org/techniques/T1136/002","name":"Domain Account"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"dce_rpc\" AND 
dce_rpc.operation:(\"NetrSessionEnum\" OR \"NetrWkstaUserEnum\" OR \"SamrGetMembersInAlias\" OR \"SamrOpenDomain\" OR \"SamrConnect5\" OR \"SamrCloseHandle\"))","filters":[],"threshold":{"field":["source.ip","dce_rpc.operation"],"value":10,"cardinality":[]},"throttle":"no_actions","actions":[]} 45 | {"id":"a1577100-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.357Z","updated_by":"elastic","created_at":"2022-10-18T20:44:17.575Z","created_by":"elastic","name":"LNK File Download or Usage over HTTP","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Link files are typically not downloaded or shared over the internet. Link files can be used as way to automate certain actions or passing of credentials in windows","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"41c5dbe7-43f7-41f4-bf9b-a6a2174422c1","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution"},"technique":[{"id":"T1059","reference":"https://attack.mitre.org/techniques/T1059","name":"Command and Scripting Interpreter","subtechnique":[{"id":"T1059.001","reference":"https://attack.mitre.org/techniques/T1059/001","name":"PowerShell"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"(event.dataset:\"http\" AND (http.request.method.text:\"GET\" AND url.extension:(lnk OR LNK OR inf OR INF)) AND (NOT (http.request.referrer:*)))","filters":[],"throttle":"no_actions","actions":[]} 46 | 
{"id":"a14f5ab0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.384Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.794Z","created_by":"elastic","name":"Possible Webshell - Dirty Word List","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Some cybercriminals use curse words in their webshells, this rule detects those common words or curse words that wouldn't typcially be found","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"76cb2174-a37e-40fc-bc0c-7e6e11a30b21","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence"},"technique":[]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"http\" AND NOT (http.response.status_code:>=400 AND http.response.status_code:<=499) AND url.original:(*pwned* OR *owned* OR *backdoor* OR *spy* OR *bypass* OR *root* OR *r00t* OR *p0wn* OR *robots* OR *hidden* OR *shell* OR *cunt* OR *nigg* OR *shit* OR *crap* OR *fuck* OR *bitch* OR *telnet* OR *hidden* OR *predator* OR *safe_mode* OR *cfexec* OR *botp* OR *zer0* OR *mysql_* OR *oracle_* OR *perlbot*) AND url.extension:(aspx OR asp OR php OR jsp OR jspx OR war OR ashx OR asmx OR ascx OR asx OR cshtml OR html OR cfm OR cfc OR cfml OR wss OR do OR action OR pl OR plx OR pm OR xs OR t OR pod OR php-s OR pht OR phar OR phps OR php7 OR php5 OR php4 OR php3 OR phtml OR py OR rb OR rhtml OR cgi OR dll OR ayws OR cgi OR erb OR rjs OR hta OR htc OR cs OR kt OR lua OR vbhtml) AND http.request.method:(\"POST\" OR \"PUT\" OR \"post\" OR \"put\" OR \"Post\" OR \"Put\") 
)","filters":[],"throttle":"no_actions","actions":[]} 47 | {"id":"a1491920-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.366Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.850Z","created_by":"elastic","name":"Suspicious DNS Z Flag Bit Set","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["@neu5ron","Soc Prime","Corelight"],"false_positives":[],"from":"now-360s","rule_id":"4882f2c3-d471-4afb-a23c-601e8a1887ea","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1043","reference":"https://attack.mitre.org/techniques/T1043","name":"Commonly Used Port","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":4,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"dns\" AND ((NOT (dns.flags.z_bit:\"0\")) AND _exists_:dns.question.name) AND (NOT ((event.dataset:\"dns\" AND (dns.question.name:(*.arpa OR *.local OR *.ultradns.net 
OR *.twtrdns.net OR *.azuredns-prd.info OR *.azure-dns.com OR *.azuredns-ff.info OR *.azuredns-ff.org OR *.azuregov-dns.org OR *.edu) OR dns.question.type:(\"NS\" OR \"ns\") OR dns.question.type:SPF OR dns.answers.name:\"*\\\\\\\\x00\" OR destination.port:(\"137\" OR \"138\" OR \"139\"))))))","filters":[],"throttle":"no_actions","actions":[]} 48 | {"id":"63238b40-a0d7-11ed-ada1-93a8f6107cb8","updated_at":"2023-01-30T19:51:40.376Z","updated_by":"elastic","created_at":"2023-01-30T19:50:46.617Z","created_by":"elastic","name":"C2 DGA Detected Via Repetitive Failures","tags":["Corelight","Zeek"],"interval":"5m","enabled":true,"description":"This rule identifies large amounts of DNS resolution failures (domain does not exist and server failures). Some DGA algorithms generate hundreds/thousands of bad DNS names before hitting one that an attacker has registered. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team.","risk_score":38,"severity":"low","license":"","output_index":"","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-2100s","rule_id":"b4f7e8dc-4bbf-4f54-9af3-a8cda96b376e","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1094","reference":"https://attack.mitre.org/techniques/T1094","name":"Custom Command and Control Protocol","subtechnique":[]},{"id":"T1043","reference":"https://attack.mitre.org/techniques/T1043","name":"Commonly Used 
Port","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"kuery","index":["ecs-corelight*","logs-*"],"query":"(event.dataset:\"dns\" AND dns.response_code:(\"NXDOMAIN\" OR \"SERVFAIL\" OR \"nxdomain\" OR \"servfail\"))","filters":[],"threshold":{"field":["dns.question.name","source.ip"],"value":26,"cardinality":[]},"throttle":"no_actions","actions":[]} 49 | {"id":"a150ba40-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.312Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.858Z","created_by":"elastic","name":"Common Port with Unusual Service","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Identifies services using a NON ephemeral port for a service that normally should be using a source port greater than 1024. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"fdd1ec6b-a7b8-41f4-a6fb-9320357f82c9","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1571","reference":"https://attack.mitre.org/techniques/T1571","name":"Non-Standard Port","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":3,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"conn\" AND source.port:<1024 AND network.protocol:(\"http\" OR \"ssl\" OR \"rdp\" OR \"ssh\") AND conn.local_orig:true AND conn.local_resp:false)","filters":[],"throttle":"no_actions","actions":[]} 50 | {"id":"93577020-a0d6-11ed-ada1-93a8f6107cb8","updated_at":"2023-01-30T19:45:00.345Z","updated_by":"elastic","created_at":"2023-01-30T19:44:58.300Z","created_by":"elastic","name":"Corelight HTTP Potential C2 traffic","tags":["Corelight"],"interval":"5m","enabled":true,"description":"This rule searches for Corelight HTTP potential C2 Traffic","risk_score":47,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io/app/security"},"author":["Corelight"],"false_positives":[],"from":"now-360s","rule_id":"e20e411c-a716-4178-8fff-0f922e86b64a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE 
ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1094","reference":"https://attack.mitre.org/techniques/T1094","name":"Custom Command and Control Protocol","subtechnique":[]},{"id":"T1043","reference":"https://attack.mitre.org/techniques/T1043","name":"Commonly Used Port","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["ecs-corelight*","logs-*"],"query":"event.dataset: notice and notice.note : \"HTTP_C2::C2_Traffic_Observed\"","filters":[],"throttle":"no_actions","actions":[]} 51 | {"id":"a15cef40-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.401Z","updated_by":"elastic","created_at":"2022-10-18T20:44:17.560Z","created_by":"elastic","name":"Uncommon External Facing Application Service","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Identify external facing services that are commonly internal applications (ie: Kerberos or SMB).","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"22f0ce59-e252-4386-b415-d0d35373f70a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access"},"technique":[{"id":"T1133","reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote 
Services","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol:(\"dce_rpc\" OR \"dnp3\" OR \"gssapi\" OR \"krb_tcp\" OR \"krb_udp\" OR \"krb\" OR \"modbus\" OR \"ntlm\" OR \"radius\" OR \"rdp\" OR \"rdpeudp\" OR \"rpc\" OR \"smb\" OR \"snmp\" OR \"syslog\") AND conn.history:Sh* AND conn.local_orig:false AND conn.local_resp:true)","filters":[],"throttle":"no_actions","actions":[]} 52 | {"id":"a147b990-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.428Z","updated_by":"elastic","created_at":"2022-10-18T20:44:17.265Z","created_by":"elastic","name":"PSEXEC Over SMB Detected","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"PSEXEC a tool commonly used for lateral movement uses the default named pipe \\\"psexecsvc\\\". 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"6ff58afa-8db6-4801-adee-0cd360ea1cc7","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement"},"technique":[{"id":"T1021","reference":"https://attack.mitre.org/techniques/T1021","name":"Remote Services","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":3,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"smb_files\" AND file.name.text:*PSEXESVC*)","filters":[],"throttle":"no_actions","actions":[]} 53 | {"id":"a1487ce0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.392Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.805Z","created_by":"elastic","name":"RDP Suspicious Keyboard Layout","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Detects suspicious languages of an RDP keyboard layout. This Sigma query is designed to accompany the Corelight Threat Hunting Guide. 
Note you might have to change the keyboard layout due to location.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"c20bc1da-6c3d-4e5f-b1c4-2f3b1c071d7b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement"},"technique":[{"id":"T1021","reference":"https://attack.mitre.org/techniques/T1021","name":"Remote Services","subtechnique":[{"id":"T1021.001","reference":"https://attack.mitre.org/techniques/T1021/001","name":"Remote Desktop Protocol"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":3,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"rdp\" AND (rdp.keyboard_layout:(*Arabic* OR \"Armenian-Armenia\" OR \"Farsi\" OR \"Pashto\" OR \"Swahili\" OR \"Syriac\") OR rdp.keyboard_layout:(Chinese* OR \"Mongolian (Mongolian)\" OR Mongolian* OR Tibetan* OR \"Uighur - China\") OR rdp.keyboard_layout:(\"Assamese\" OR \"Kannada\" OR *India OR \"Sanskrit\" OR \"Telugu\") OR rdp.keyboard_layout.text:\"Korean\" OR rdp.keyboard_layout:(*Nigeria OR \"Wolof\" OR \"Yoruba\") OR rdp.keyboard_layout.text:(\"Catalan\" OR \"Rhaeto-Romanic\") OR rdp.keyboard_layout:(\"Albanian - Albania\" OR *Cyrillic* OR \"FYRO Macedonian\" OR Russian* OR \"Sorbian\" OR \"Uzbek (Cyrillic)\" OR \"Uzbek (Latin)\" OR \"Yakut\" OR Serbian* OR \"Slovak\" OR \"Slovenian\") OR rdp.keyboard_layout.text:\"Vietnamese\"))","filters":[],"throttle":"no_actions","actions":[]} 54 | 
{"id":"a1070710-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:19.624Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.551Z","created_by":"elastic","name":"Sensitive File Access On Admin Network Share","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"This rule identifies sensitive files being accessed via SMB over the Windows Admin$ network share. Determine if these files should a) be accessible and b) accessed by that client.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"4c41e65d-bde3-4bbb-af06-f36c223bc6e9","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0009","reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection"},"technique":[{"id":"T1039","reference":"https://attack.mitre.org/techniques/T1039","name":"Data from Network Shared Drive","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"(event.dataset:\"smb_files\" AND file.path:*ADMIN$* AND file.name:(*\\\\mimidrv* OR *\\\\lsass* OR *\\\\windows\\\\minidump\\\\* OR *\\\\hiberfil* OR *\\\\sqldmpr* OR *\\\\sam* OR *\\\\ntds.dit* OR *\\\\security*))","filters":[],"throttle":"no_actions","actions":[]} 55 | {"id":"a1596cd0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.418Z","updated_by":"elastic","created_at":"2022-10-18T20:44:17.572Z","created_by":"elastic","name":"Client Sending Large Amount of Data","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Client is sending a large amount of data to another host. 
Verify if the destination is a known host for transfering files/data too. This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC PRIME"],"false_positives":[],"from":"now-360s","rule_id":"285235d5-ece6-491b-ada4-6dc61a84a431","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0009","reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection"},"technique":[{"id":"T1039","reference":"https://attack.mitre.org/techniques/T1039","name":"Data from Network Shared Drive","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"conn\" AND source.bytes <1000000000 AND destination.bytes >100000000)","filters":[],"throttle":"no_actions","actions":[]} 56 | {"id":"27dcc2b0-a40e-11ed-ada1-93a8f6107cb8","updated_at":"2023-02-03T22:00:25.434Z","updated_by":"elastic","created_at":"2023-02-03T22:00:23.336Z","created_by":"elastic","name":"Potential Forced External Outbound GSSAPI","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"description":"Detects GSSAPI (authentication) traffic originating internally and communicating with an external IP address. GSSAPI authentication should typically only occur internally. Outbound requests could be a sign of forced authentication. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"fb7e67fd-21f2-48e8-a0b6-88d04afe9f55","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access"},"technique":[{"id":"T1187","reference":"https://attack.mitre.org/techniques/T1187","name":"Forced Authentication","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["ecs-corelight*","apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol:gssapi* AND conn.history:Sh* AND conn.local_orig:\"true\" AND conn.local_resp:\"false\")\n","filters":[],"throttle":"no_actions","actions":[]} 57 | {"id":"a13a7320-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.329Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.867Z","created_by":"elastic","name":"Custom Cryptographic inference determined by Corelight","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Corelight appliance made an inference/determination that the connection was possibly made using a custom cryptographic implementation. 
Verify if this is a legitimate request, it will be helpful to pivot to the ssl.log or x509.log to get more context about the request. Only available on Corelight and requires Encryption Detection package to be enabled. This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"c96905eb-b10c-4fef-9fe4-0d1e0e442b4b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1573","reference":"https://attack.mitre.org/techniques/T1573","name":"Encrypted Channel","subtechnique":[]}]},{"tactic":{"id":"TA0005","reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion"},"framework":"MITRE ATT&CK","technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"notice\" AND notice.note:\"Viz::CustomCrypto\")","filters":[],"throttle":"no_actions","actions":[]} 58 | {"id":"a137b400-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.434Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.722Z","created_by":"elastic","name":"Sensitive File Access Over SMB Share","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"During collection advesaries may access windows hosts via their exposed shares to collect sensitive files. 
Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"cadd5feb-eef6-460e-b742-c118a2fdf68f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0009","reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection"},"technique":[{"id":"T1039","reference":"https://attack.mitre.org/techniques/T1039","name":"Data from Network Shared Drive","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"(event.dataset:\"smb_files\" AND file.name:(*.rsa OR *.pem OR *.dsa OR *.dit OR *.ecdsa OR *.ocsp OR *.ed25519 OR *.p12 OR *.pfx OR *.kdbx OR *keychain OR *keystore OR *keyring OR *pass.txt OR *password.txt OR *passwords.txt OR *.bek OR *passwd OR *shadow OR *salesforce.js OR *.psafe3 OR *credentials.xml OR *localsettings.php OR *.mimi OR *.dmp OR *.dump OR *hiberfil.sys OR *1.txt OR *.kirbi OR *.ost OR *.pst OR *groups.xml OR *.bak OR *.ovpn OR *.sqlite OR *.sqlite3 OR *.sqldump))","filters":[],"throttle":"no_actions","actions":[]} 59 | {"id":"a11d2720-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:19.639Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.526Z","created_by":"elastic","name":"External SOCKS Proxy","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"description":"Identifies a SOCKS proxy being outside of the network as defined by local_orig, 
local_resp.","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"91cc54d8-a7cc-4f38-995f-16ee809c071f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control"},"technique":[{"id":"T1090","reference":"https://attack.mitre.org/techniques/T1090","name":"Proxy","subtechnique":[{"id":"T1090.001","reference":"https://attack.mitre.org/techniques/T1090/001","name":"Internal Proxy"},{"id":"T1090.002","reference":"https://attack.mitre.org/techniques/T1090/002","name":"External Proxy"}]}]},{"tactic":{"id":"TA0005","reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion"},"framework":"MITRE ATT&CK","technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol:*socks* AND conn.history:Sh* AND conn.local_orig:\"true\" AND conn.local_resp:\"false\")","filters":[],"throttle":"no_actions","actions":[]} 60 | {"id":"a14596b0-4f25-11ed-9b6e-8585f283951a","updated_at":"2022-10-18T20:44:20.332Z","updated_by":"elastic","created_at":"2022-10-18T20:44:16.819Z","created_by":"elastic","name":"Domain User Enumeration Network Recon 01","tags":["Zeek","Corelight"],"interval":"30s","enabled":true,"description":"Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. 
This is a supported version of the public rule that was created by Nate Guagenti and Roberto Rodriguez from his Open Threat Research (OTR) community","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://18.224.15.232:15601/app/security"},"author":["Nate Guagenti (@neu5ron)","SOC Prime","Open Threat Research (OTR)"],"false_positives":[],"from":"now-90s","rule_id":"d6a5272f-a56a-41e0-96db-c6b9a1aa575f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0007","reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery"},"technique":[{"id":"T1135","reference":"https://attack.mitre.org/techniques/T1135","name":"Network Share Discovery","subtechnique":[]},{"id":"T1069","reference":"https://attack.mitre.org/techniques/T1069","name":"Permission Groups Discovery","subtechnique":[{"id":"T1069.001","reference":"https://attack.mitre.org/techniques/T1069/001","name":"Local Groups"},{"id":"T1069.002","reference":"https://attack.mitre.org/techniques/T1069/002","name":"Domain Groups"}]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-**"],"query":"(event.dataset:\"dce_rpc\" AND dce_rpc.operationt:(\"LsarLookupNames3\" OR \"LsarLookupSids3\" OR \"SamrGetGroupsForUser\" OR \"SamrLookupIdsInDomain\" OR \"SamrLookupNamesInDomain\" OR \"SamrQuerySecurityObject\" OR \"SamrQueryInformationGroup\"))","filters":[],"threshold":{"field":["source.ip","dce_rpc.operation"],"value":4,"cardinality":[]},"throttle":"no_actions","actions":[]} 61 | -------------------------------------------------------------------------------- /Elastic SIEM Rules/Elastic_Corelight_rules_only_logs-*_ecs_corelight.ndjson: -------------------------------------------------------------------------------- 1 | 
{"id":"7a14ce48-bf41-4456-98ec-feb97e13298d","updated_at":"2024-06-18T15:25:58.544Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.544Z","created_by":"elastic","name":"LNK File Download or Usage over SMB (Overview Query)","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"This should be used to give an over of link files can be used as way to automate certain actions or passing of credentials in windows. Determine if these are LNK files used on a legitmate file share or network share. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"515af96e-b3d7-4f70-9a3c-0e41466dcac6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059","subtechnique":[{"id":"T1059.001","name":"PowerShell","reference":"https://attack.mitre.org/techniques/T1059/001"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"smb_files\" AND file.name:(*.lnk OR *.LNK OR *.inf OR *.INF))","filters":[],"actions":[]} 2 | 
{"id":"d4988e93-0c89-4806-875e-47f307cf8ad6","updated_at":"2024-06-18T15:25:58.550Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.550Z","created_by":"elastic","name":"Response from External Facing Service (Overview Query)","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"This rule is to be used as an overview of external facing service/IP has responded to a connection. Determine if these are documented external facing services to help discover new or existing services on your network. This will help you learn about the infrastructure that your oganization hosts which inventory is a large part in defending an organization (ie: you can not protect what you do not know exists). Also, it will help you find when undocumented services are exposed to the internet that should not be. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Priome"],"false_positives":[],"from":"now-1860s","rule_id":"6d6d801c-e93d-412f-88dc-7e4caff8114a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003"},"technique":[{"id":"T1133","name":"External Remote Services","reference":"https://attack.mitre.org/techniques/T1133","subtechnique":[]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial 
Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:conn and conn.local_orig : false and conn.local_resp : true and source.ip:* and network.connection.history: Sh*)","filters":[],"actions":[]} 3 | {"id":"94de6b92-c4ff-4568-82f8-9e28a28ed553","updated_at":"2024-06-18T15:25:58.551Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.551Z","created_by":"elastic","name":"Self Signed TLS SSL Certificate (Overview Query)","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"Detects a TLS/SSL certificate that is self signed. Normally a certificate would be signed by a trusted Certificate Authority. This could be an indication of a) malicious activity where attacker is creating and using own infrastructure or b) unauhtorized or incorrectly configured webserver. Sometimes Corelight/Zeek appliance/software does not have the same certificates installed as something like Chrome or Firefox or other browser. You can filter false positives of this scenario using the subject_issuer field. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"b22d42a5-4151-44cb-8a92-e7c7f27bf9f2","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005"},"technique":[{"id":"T1553","name":"Subvert Trust Controls","reference":"https://attack.mitre.org/techniques/T1553","subtechnique":[{"id":"T1553.004","name":"Install Root Certificate","reference":"https://attack.mitre.org/techniques/T1553/004"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"ssl\" AND ssl.validation_status.text:\"self signed certificate\")","filters":[],"actions":[]} 4 | {"id":"dae2a3bb-26ca-44d8-8807-394aa4aa0c3d","updated_at":"2024-06-18T15:25:58.546Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.546Z","created_by":"elastic","name":"Possible Webshell PUT or POST to unusual extensions","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"This rule looks for post requests to unusual extensions (e.g. .jpg). 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"6617c7d5-4ae3-4ac2-8b73-def9746bf017","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003"},"technique":[{"id":"T1100","name":"Web Shell","reference":"https://attack.mitre.org/techniques/T1100","subtechnique":[]},{"id":"T1505","name":"Server Software Component","reference":"https://attack.mitre.org/techniques/T1505","subtechnique":[{"id":"T1505.003","name":"Web Shell","reference":"https://attack.mitre.org/techniques/T1505/003"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND (url.original:(*.jpg OR *.jpeg OR *.gif OR *.png OR *.icon OR *.ico OR *.xml OR *.swf OR *.svg OR *.ppt OR *.pttx OR *.doc OR *.docx OR *.rtf OR *.pdf OR *.tif OR *.zip OR *.mov) AND http.request.method.text:(\"POST\" OR \"PUT\") AND http.response.status_code:2*) AND (NOT ((http.response.body.bytes:\"0\") )))","filters":[],"actions":[]} 5 | {"id":"cceef01e-ad07-4db0-a43d-92f38b32deeb","updated_at":"2024-06-18T15:26:01.839Z","updated_by":"elastic","created_at":"2024-06-18T15:26:01.839Z","created_by":"elastic","name":"Uncommon External 
Facing Application Service","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Identify external facing services that are commonly internal applications (ie: Kerberos or SMB).","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"22f0ce59-e252-4386-b415-d0d35373f70a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[{"id":"T1133","name":"External Remote Services","reference":"https://attack.mitre.org/techniques/T1133","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol:(\"dce_rpc\" OR \"dnp3\" OR \"gssapi\" OR \"krb_tcp\" OR \"krb_udp\" OR \"krb\" OR \"modbus\" OR \"ntlm\" OR \"radius\" OR \"rdp\" OR \"rdpeudp\" OR \"rpc\" OR \"smb\" OR \"snmp\" OR \"syslog\") AND conn.history:Sh* AND conn.local_orig:false AND conn.local_resp:true)","filters":[],"actions":[]} 6 | {"id":"37bf4def-4895-416f-96f1-65d2c4e08289","updated_at":"2024-06-18T15:26:01.839Z","updated_by":"elastic","created_at":"2024-06-18T15:26:01.839Z","created_by":"elastic","name":"Custom Cryptographic inference determined by Corelight","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Corelight appliance made an inference/determination that the connection was possibly made using a custom cryptographic implementation. 
Verify if this is a legitimate request, it will be helpful to pivot to the ssl.log or x509.log to get more context about the request. Only available on Corelight and requires Encryption Detection package to be enabled. This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"c96905eb-b10c-4fef-9fe4-0d1e0e442b4b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1573","name":"Encrypted Channel","reference":"https://attack.mitre.org/techniques/T1573","subtechnique":[]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005"},"technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"notice\" AND notice.note:\"Viz::CustomCrypto\")","filters":[],"actions":[]} 7 | {"id":"440cc23f-8f31-4382-b3c1-cc6f3bf54321","updated_at":"2024-06-18T15:25:58.583Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.583Z","created_by":"elastic","name":"Possible Windows Executable Download Without Matching Mime Type","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"A download of an executable where the mime type (https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) does not match the extension of the file 
downloaded. This is one way to hide the type of file downloaded. Determine if the filter was just a mistake based on a new mime type for executables that was not known at the time or more likely determine if the domain and the file downloaded are legitimate. Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"41521ac3-1e6e-43fc-b2fa-8e792aa07e04","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[{"id":"T1133","name":"External Remote Services","reference":"https://attack.mitre.org/techniques/T1133","subtechnique":[]},{"id":"T1189","name":"Drive-by Compromise","reference":"https://attack.mitre.org/techniques/T1189","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND http.resp_mime_types:(\"application/java-archive\" OR \"application/mshelp\" OR \"application/chrome-ext\" OR \"application/x-object\" OR \"application/x-executable\" OR \"application/x-dosexec\" OR \"application/x-msdownload\" OR \"application/vnd.microsoft.portable-executable \") AND (NOT (url.original:(*.exe OR *.dll OR *.msi))))","filters":[],"actions":[]} 8 | {"id":"124a5b63-c149-48bb-81e1-7e61fcf241a1","updated_at":"2024-06-18T15:25:58.591Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.591Z","created_by":"elastic","name":"HTTP POST or PUT URI Non ASCII 
Character","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Make sure to apply this for inbound traffic. Traffic that is going to your web servers or public accessible infrastructure. A request with NON ASCII characters within the URL is possible indication of various techniques to bypass WAF and or to logical errors in the severs backend code.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"0c85eb2d-c909-477e-a821-8cae5a23deab","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003"},"technique":[{"id":"T1505","name":"Server Software Component","reference":"https://attack.mitre.org/techniques/T1505","subtechnique":[{"id":"T1505.003","name":"Web Shell","reference":"https://attack.mitre.org/techniques/T1505/003"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND url.has_non_ascii:true AND http.request.method: \"POST\" OR \"PUT\")","filters":[],"actions":[]} 9 | {"id":"bab298a6-299b-4a52-8068-a5c27dd68b19","updated_at":"2024-06-18T15:25:58.563Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.563Z","created_by":"elastic","name":"SMTP Email containing NON Ascii Characters within the Subject","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Detects scenario where an email contains non ascii characters within the Subject. 
This could be a sign of evasion or other malicious possibilities such as character encoding to cause actions within a client such as outlook. If this occurs once it may not be very suspicious. However, take additional note if this was sent to multiple users.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"dc7de593-fd0a-4cb2-af5f-ce2e263a2a8b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[{"id":"T1566","name":"Phishing","reference":"https://attack.mitre.org/techniques/T1566","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"event.dataset:smtp AND smtp.subject_has_non_ascii: true","filters":[],"actions":[]} 10 | {"id":"29137c11-7f6e-4efc-b489-67c2572c0be9","updated_at":"2024-06-18T15:25:58.570Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.570Z","created_by":"elastic","name":"Executable Download Directly From IP","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"A download directly from an IP address is not typical of web traffic.. in addition, this was an executable file. Determine if this is legitimate infrastructure and if this is a legitimate file. 
Usually this means somewhere in a scripting logic is a hard coded IP address.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime","Nate Guagenti (@neu5ron)"],"false_positives":[],"from":"now-360s","rule_id":"d4f54b0b-44b2-44dd-a0e7-2401acbef9bb","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[{"id":"T1133","name":"External Remote Services","reference":"https://attack.mitre.org/techniques/T1133","subtechnique":[]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003"},"technique":[]}],"to":"now","references":[],"version":4,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"event.dataset:http AND ((destination.domain_ends_with_integer: true AND destination.domain_has_dot: true ) OR (domain_has_colon: true AND destination.domain_has_dot: false)) AND url.extension:(apm OR app OR appref\\\\-ms OR bas OR bat OR chi OR chm OR chq OR chw OR dll OR exe OR gadget OR hta OR inf OR jar OR jnlp OR jse OR lnk OR mde OR mht OR msi OR msix OR msixbundle OR pif OR pkg OR pl OR ps1 OR ps1xml OR ps2 OR ps2xml OR psc1 OR psc2 OR psd1 OR psd1 OR psdm1 OR psm1 OR py OR pyc OR pyo OR pyw OR pyz OR reg OR scr OR sct OR vbe OR vbs OR ws OR wsb OR wsc OR wsf OR xpi OR xz OR z OR zip OR zipx)","filters":[],"actions":[]} 11 | {"id":"766e4bc3-07c9-4043-8039-4cfd3f1251e8","updated_at":"2024-06-18T15:25:58.520Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.520Z","created_by":"elastic","name":"Multiple Clients to HTTP Using Unicode Host via HTTP - Possible 
Multiple Phishing Attempts","tags":["Corelight","Zeek"],"interval":"60m","enabled":true,"revision":0,"description":"Detects when multiple HTTP requests were made to a single domain that has non-ascii characters(unicode/punycode) and a POST or PUT method was used. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team ","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-3660s","rule_id":"340877b9-05d2-4d80-b33f-f7a55a655a9f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[{"id":"T1566","name":"Phishing","reference":"https://attack.mitre.org/techniques/T1566","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND ((http.request.method: POST) OR (http.request.method: PUT)) AND (url.has_non_ascii:true))","filters":[],"threshold":{"field":["source.ip","url.original"],"value":11,"cardinality":[]},"actions":[]} 12 | {"id":"c7329baa-224d-434f-81e9-ce1171143015","updated_at":"2024-06-18T15:26:01.835Z","updated_by":"elastic","created_at":"2024-06-18T15:26:01.835Z","created_by":"elastic","name":"PSEXEC Over SMB 
Detected","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"PSEXEC a tool commonly used for lateral movement uses the default named pipe \\\"psexecsvc\\\". This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"6ff58afa-8db6-4801-adee-0cd360ea1cc7","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008"},"technique":[{"id":"T1021","name":"Remote Services","reference":"https://attack.mitre.org/techniques/T1021","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":3,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"smb_files\" AND file.name.text:*PSEXESVC*)","filters":[],"actions":[]} 13 | {"id":"715f515a-260d-4f85-a9dd-5cbd1fdadec0","updated_at":"2024-06-18T15:25:58.587Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.587Z","created_by":"elastic","name":"Potential Forced External Outbound DCE_RPC","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Detects DCE/RPC (e.g. MSRPC) traffic originating internally and communicating with an external IP address. DCE/RPC Traffic should only occur internally. 
Traffic headed externally could be an indicator of a forced authentication attempt.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"f1c7d00c-4eb0-43ac-a1ef-20dbd94a3059","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006"},"technique":[{"id":"T1187","name":"Forced Authentication","reference":"https://attack.mitre.org/techniques/T1187","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol:dce* AND conn.history:Sh* AND conn.local_orig:\"true\" AND conn.local_resp\"false\")","filters":[],"actions":[]} 14 | {"id":"83d8cf20-5ad7-45ac-bed7-53aac6944124","updated_at":"2024-06-18T15:25:58.569Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.569Z","created_by":"elastic","name":"Possible Webshell - Dirty Word List","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Some cybercriminals use curse words in their webshells, this rule detects those common words or curse words that wouldn't typcially be found","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC 
Prime"],"false_positives":[],"from":"now-360s","rule_id":"76cb2174-a37e-40fc-bc0c-7e6e11a30b21","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003"},"technique":[]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND NOT (http.response.status_code:>=400 AND http.response.status_code:<=499) AND url.original:(*pwned* OR *owned* OR *backdoor* OR *spy* OR *bypass* OR *root* OR *r00t* OR *p0wn* OR *robots* OR *hidden* OR *shell* OR *cunt* OR *nigg* OR *shit* OR *crap* OR *fuck* OR *bitch* OR *telnet* OR *hidden* OR *predator* OR *safe_mode* OR *cfexec* OR *botp* OR *zer0* OR *mysql_* OR *oracle_* OR *perlbot*) AND url.extension:(aspx OR asp OR php OR jsp OR jspx OR war OR ashx OR asmx OR ascx OR asx OR cshtml OR html OR cfm OR cfc OR cfml OR wss OR do OR action OR pl OR plx OR pm OR xs OR t OR pod OR php-s OR pht OR phar OR phps OR php7 OR php5 OR php4 OR php3 OR phtml OR py OR rb OR rhtml OR cgi OR dll OR ayws OR cgi OR erb OR rjs OR hta OR htc OR cs OR kt OR lua OR vbhtml) AND http.request.method:(\"POST\" OR \"PUT\" OR \"post\" OR \"put\" OR \"Post\" OR \"Put\") )","filters":[],"actions":[]} 15 | {"id":"23f07cf0-4061-4b26-ab8c-05ce3f7bb90a","updated_at":"2024-06-18T15:26:01.840Z","updated_by":"elastic","created_at":"2024-06-18T15:26:01.840Z","created_by":"elastic","name":"Sensitive File Access Over SMB Share","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"During collection advesaries may access windows hosts via their exposed shares to collect sensitive files. 
Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"cadd5feb-eef6-460e-b742-c118a2fdf68f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0009","name":"Collection","reference":"https://attack.mitre.org/tactics/TA0009"},"technique":[{"id":"T1039","name":"Data from Network Shared Drive","reference":"https://attack.mitre.org/techniques/T1039","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"smb_files\" AND file.name:(*.rsa OR *.pem OR *.dsa OR *.dit OR *.ecdsa OR *.ocsp OR *.ed25519 OR *.p12 OR *.pfx OR *.kdbx OR *keychain OR *keystore OR *keyring OR *pass.txt OR *password.txt OR *passwords.txt OR *.bek OR *passwd OR *shadow OR *salesforce.js OR *.psafe3 OR *credentials.xml OR *localsettings.php OR *.mimi OR *.dmp OR *.dump OR *hiberfil.sys OR *1.txt OR *.kirbi OR *.ost OR *.pst OR *groups.xml OR *.bak OR *.ovpn OR *.sqlite OR *.sqlite3 OR *.sqldump))","filters":[],"actions":[]} 16 | {"id":"6fd50883-2a6e-44bc-95a4-d64a10fdc588","updated_at":"2024-06-18T15:25:58.564Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.564Z","created_by":"elastic","name":"Potential Forced External Outbound SMB","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Detects SMB 
requests that originate internally and communicate with an external IP address. Attackers can use tools such as metasploit to listen for inbound SMB requets and capture NTLM hashes this way.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"b3cade75-d9b2-436a-9ff5-caac412a4ba6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006"},"technique":[{"id":"T1187","name":"Forced Authentication","reference":"https://attack.mitre.org/techniques/T1187","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol:smb* AND conn.history:Sh* AND conn.local_orig:\"true\" AND conn.local_resp:\"false\")","filters":[],"actions":[]} 17 | {"id":"fbc6fc1f-c320-460c-849f-d53960dd3560","updated_at":"2024-06-18T15:25:58.548Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.548Z","created_by":"elastic","name":"Remote Creation of temp file in System32 folder","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"Detects scenario where a file with a \\\".tmp\\\" (temporary) file extension is created remotely in the System32 folder. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"4a053cdc-6bde-4793-b82a-29c8620e6799","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1105","name":"Ingress Tool Transfer","reference":"https://attack.mitre.org/techniques/T1105","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-log"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"smb_files\" and file.name:*SYSTEM32\\*.tmp* and (not (smb.action:\"SMB::FILE_OPEN\" )))","filters":[],"actions":[]} 18 | {"id":"965b911f-8ad3-43a1-ae3a-4be820f4032c","updated_at":"2024-06-18T15:25:58.561Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.561Z","created_by":"elastic","name":"Possible Webshell - Rare PUT or POST by IP","tags":["Corelight","Zeek"],"interval":"24h","enabled":true,"revision":0,"description":"This rule looks for post requests to a single webserver location from less than 3 IPs over 24 hours. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-86460s","rule_id":"65c335b5-7b6b-470f-9e35-e6710f744366","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003"},"technique":[{"id":"T1505","name":"Server Software Component","reference":"https://attack.mitre.org/techniques/T1505","subtechnique":[{"id":"T1505.003","name":"Web Shell","reference":"https://attack.mitre.org/techniques/T1505/003"}]},{"id":"T1100","name":"Web Shell","reference":"https://attack.mitre.org/techniques/T1100","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND (url.original:(*.aspx OR *.asp OR *.php OR *.jsp OR *.jspx OR *.war OR *.ashx OR *.asmx OR *.ascx OR *.asx OR *.cshtml OR *.cfm OR *.cfc OR *.cfml OR *.wss OR *.do OR *.action OR *.pl OR *.plx OR *.pm OR *.xs OR *.t OR *.pod OR *.php-s OR *.pht OR *.phar OR *.phps OR *.php7 OR *.php5 OR *.php4 OR *.php3 OR *.phtml OR *.py OR *.rb OR *.rhtml OR *.cgi OR *.dll OR *.ayws OR *.cgi OR *.erb OR *.rjs OR *.hta OR *.htc OR *.cs OR *.kt OR *.lua OR *.vbhtml) AND http.request.method.text:(\"POST\" OR \"PUT\")) AND (NOT 
(http.response.status_code:4*)))","filters":[],"threshold":{"field":["url.original","source.ip"],"value":10,"cardinality":[]},"actions":[]} 19 | {"id":"d47cb8b4-291c-4852-8c24-0087a156b153","updated_at":"2024-06-18T15:25:58.582Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.582Z","created_by":"elastic","name":"Potentially Harmful Attachment","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"Advesaries may send malicious attachments via email. These are files that normally, for legitimate purposes, will not be sent. Especially from an external email. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"a35a028c-47a7-42d5-8192-25524786f3f6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[{"id":"T1193","name":"Spearphishing Attachment","reference":"https://attack.mitre.org/techniques/T1193","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"files\" AND network.protocol:\"SMTP\" AND name:(*.7z OR *.ace OR *.apm OR *.app OR *.appref-ms OR *.arj OR *.asp OR *.bas OR *.bat OR *.bz2 OR 
*.bzip2 OR *.cab OR *.cdxml OR *.cer OR *.chi OR *.chm OR *.chq OR *.chw OR *.class OR *.cmd OR *.cnt OR *.com OR *.cpl OR *.crt OR *.doc OR *.docm OR *.epub OR *.exe OR *.gadget OR *.gz OR *.gzip OR *.hta OR *.img OR *.inf OR *.ins OR *.ins OR *.iso OR *.isp OR *.isp OR *.jar OR *.jar OR *.jnlp OR *.jse OR *.lnk OR *.lzh OR *.mde OR *.mht OR *.msi OR *.msix OR *.msixbundle OR *.ods OR *.odt OR *.pif OR *.pkg OR *.pl OR *.ps1 OR *.ps1xml OR *.ps2 OR *.ps2xml OR *.psc1 OR *.psc2 OR *.psd1 OR *.psd1 OR *.psdm1 OR *.psm1 OR *.pssc OR *.py OR *.pyc OR *.pyo OR *.pyw OR *.pyz OR *.pyzw OR *.r01 OR *.r14 OR *.r18 OR *.r25 OR *.rar OR *.reg OR *.scr OR *.sct OR *.shb OR *.sys OR *.tar OR *.taz OR *.tbz OR *.tbz2 OR *.tgz OR *.txz OR *.udl OR *.vbe OR *.vbs OR *.ws OR *.wsb OR *.wsc OR *.wsf OR *.xbap OR *.xls OR *.xlsm OR *.xpi OR *.xz OR *.z OR *.zipx))","filters":[],"actions":[]} 20 | {"id":"6d470f83-24fd-4d1c-b598-003270e6cec6","updated_at":"2024-06-18T15:26:01.838Z","updated_by":"elastic","created_at":"2024-06-18T15:26:01.838Z","created_by":"elastic","name":"External SOCKS Proxy","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies a SOCKS proxy being outside of the network as defined by local_orig, local_resp.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"91cc54d8-a7cc-4f38-995f-16ee809c071f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1090","name":"Proxy","reference":"https://attack.mitre.org/techniques/T1090","subtechnique":[{"id":"T1090.001","name":"Internal 
Proxy","reference":"https://attack.mitre.org/techniques/T1090/001"},{"id":"T1090.002","name":"External Proxy","reference":"https://attack.mitre.org/techniques/T1090/002"}]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005"},"technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol:*socks* AND conn.history:Sh* AND conn.local_orig:\"true\" AND conn.local_resp:\"false\")","filters":[],"actions":[]} 21 | {"id":"672f42c9-e5fb-41af-8fa9-bff381808fcf","updated_at":"2024-06-18T15:25:58.586Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.586Z","created_by":"elastic","name":"Potential Webdav Forced Authentication","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"Identifies internet bound webdav requests which could be forced authentication. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"f76c7c08-d1ce-49c6-ad33-bc224e119193","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006"},"technique":[{"id":"T1187","name":"Forced Authentication","reference":"https://attack.mitre.org/techniques/T1187","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND user_agent.original:*webdav* AND (NOT (event.dataset:\"http\" AND destination.ip_public: false)))","filters":[],"actions":[]} 22 | {"id":"0c97c896-943e-428c-b61d-1b022f8ede9b","updated_at":"2024-10-11T13:45:38.912Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.559Z","created_by":"elastic","name":"DNS TXT With Non ASCII Character","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":1,"description":"Adversaries can use DNS TXT requests/responses for C2. Sometimes they may include binary data in the response. 
Since DNS text should be human readable, this is unusual","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"e82f6fd6-b088-460c-993d-ff151c10d9af","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"dns\" AND dns.answers.name:/.*[^\\x00-\\x7F].*/ AND dns.question.type:(\"TXT\" OR \"txt\"))","filters":[],"actions":[]} 23 | {"id":"a1821ed1-098b-4f71-88e1-21047a0b49a9","updated_at":"2024-06-18T15:25:58.539Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.539Z","created_by":"elastic","name":"RDP Scanning Potential Brute Force Common User Names","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"Identify common user names being attempted against a server in a short period of time. Normally a device will only have one or two local accounts, this detects if 3 or more local accounts are being attempted against a device then normally should be which could indicate an RDP brute force attempt. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team ","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"6caa6d68-6bfb-43f5-b411-8fc55f81af7b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003"},"technique":[]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[{"id":"T1133","name":"External Remote Services","reference":"https://attack.mitre.org/techniques/T1133","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs "],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"rdp\" AND rdp.cookie.text:(\"Root\" OR \"root\" OR \"Administr\" OR \"administr\" OR \"Admin\" OR \"admin\" OR \"Guest\" OR \"guest\" OR \"Info\" OR \"info\" OR \"Test\" OR \"test\" OR \"Adm\" OR \"adm\" OR \"User\" OR \"user\" OR \"DA\" OR \"da\" OR \"Local\" OR \"local\" OR \"Letmein\" OR \"letmein\" OR \"Service\" OR \\\"service\\\" OR \\\".\\\" OR \"Computer\" OR \"computer\" OR \"xxx\" OR \"\\/\" OR \"\\\\\"))","filters":[],"threshold":{"field":["source.ip","rdp.cookie"],"value":4,"cardinality":[]},"actions":[]} 24 | 
{"id":"f6638518-47fd-408b-b26b-2dfa7b2914c3","updated_at":"2024-06-18T15:25:58.536Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.536Z","created_by":"elastic","name":"Shared Webroot","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"Advesaries may place a webshell on a fileshare and execute that webshell by accessing it on an existing website. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"3961df68-5ac1-4624-9c39-f3f3999bcf33","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008"},"technique":[{"id":"T1051","name":"Shared Webroot","reference":"https://attack.mitre.org/techniques/T1051","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"smb_files\" AND file.path:(*inetpub* OR *wwwroot*) AND (file.name:(*.aspx OR *.asp OR *.php OR *.jsp OR *.jspx OR *.war OR *.ashx OR *.asmx OR *.ascx OR *.asx OR *.cshtml OR *.cfm OR *.cfc OR *.cfml OR *.wss OR *.do OR *.action OR *.pl OR *.plx OR *.pm OR *.xs OR *.t OR *.pod OR *.php\\\\-s OR *.pht OR *.phar OR *.phps OR *.php7 OR *.php5 OR *.php4 OR *.php3 OR 
*.phtml OR *.py OR *.rb OR *.rhtml OR *.cgi OR *.dll OR *.ayws OR *.cgi OR *.erb OR *.rjs OR *.hta OR *.htc OR *.cs OR *.kt OR *.lua OR *.vbhtml) OR file.name:/.*[^a-zA-Z0-9\\\\.\\\\_\\\\-][a-zA-Z0-9\\\\.\\\\_\\\\-]{1,3}\\\\.[A-Za-z0-9]{2,3}$/))","filters":[],"actions":[]} 25 | {"id":"8468a78a-9d5c-4fa1-a751-de3f4e0267ae","updated_at":"2024-06-18T15:25:58.533Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.533Z","created_by":"elastic","name":"External Facing Service Using RFC 1918 Subnets","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Identify external facing services. Exclude documented external facing services to help discover new/existing services on your network","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"ac0e6419-1812-4d05-9205-87fda7fd8aef","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003"},"technique":[{"id":"T1133","name":"External Remote Services","reference":"https://attack.mitre.org/techniques/T1133","subtechnique":[]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"conn\" AND destination.ip_rfc: \"RFC_1918\" AND network.connection.history: 
Sh*)","filters":[{"meta":{"alias":null,"negate":true,"disabled":false,"type":"phrase","key":"source.ip_rfc","params":{"query":"RFC_1918"}},"query":{"match_phrase":{"source.ip_rfc":"RFC_1918"}},"$state":{"store":"appState"}}],"actions":[]} 26 | {"id":"1e3a8a3e-7775-484a-a5db-160add37fdc1","updated_at":"2024-06-18T15:25:58.584Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.584Z","created_by":"elastic","name":"Executable from Webdav","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Detects a download from Webdav service which could be used as a way to transfer tools internally. Determine if this is a) Legitimate server b) legitimate binary/file","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"d5ca8624-8e37-4861-a12b-ab788a088c1d","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0009","name":"Collection","reference":"https://attack.mitre.org/tactics/TA0009"},"technique":[{"id":"T1074","name":"Data Staged","reference":"https://attack.mitre.org/techniques/T1074","subtechnique":[]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND (user_agent.original:*WebDAV* OR url.original:*webdav*) AND (http.resp_mime_types:*dosexec* OR url.extension:exe))","filters":[],"actions":[]} 27 | {"id":"3988116b-d0ec-4cfd-9391-700181d0f4f1","updated_at":"2024-06-18T15:25:58.518Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.518Z","created_by":"elastic","name":"Schedule Task Access or Manipulation over 
SMB","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"Detects scheduled task access or manipulation on a remote computer over SMB. Determine if the server should be hosting scheduled tasks and, if it is an allowed server, whether the client is permitted to modify them. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"a9178207-31f6-48bd-8053-7ce20dedb4fc","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0003","name":"Persistence","reference":"https://attack.mitre.org/tactics/TA0003"},"technique":[{"id":"T1574","name":"Hijack Execution Flow","reference":"https://attack.mitre.org/techniques/T1574","subtechnique":[]},{"id":"T1053","name":"Scheduled Task/Job","reference":"https://attack.mitre.org/techniques/T1053","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"smb_files\" AND (file.path:*\\\\*\\\\SYSVOL* AND file.name:*ScheduledTasks.xml) AND (NOT (smb.action.text:\"SMB\\:\\:FILE_OPEN\")))","filters":[],"actions":[]} 28 | {"id":"b12f01e9-0af4-4bfe-af12-50890b289d7f","updated_at":"2024-06-18T15:25:58.589Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.589Z","created_by":"elastic","name":"LNK File 
Download or Usage over HTTP","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Link (LNK) files are typically not downloaded or shared over the internet. Link files can be used as a way to automate certain actions or to pass credentials in Windows.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"41c5dbe7-43f7-41f4-bf9b-a6a2174422c1","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002"},"technique":[{"id":"T1059","name":"Command and Scripting Interpreter","reference":"https://attack.mitre.org/techniques/T1059","subtechnique":[{"id":"T1059.001","name":"PowerShell","reference":"https://attack.mitre.org/techniques/T1059/001"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND (http.request.method.text:\"GET\" AND url.extension:(lnk OR LNK OR inf OR INF)) AND (NOT (http.request.referrer:*)))","filters":[],"actions":[]} 29 | {"id":"e599dcee-f126-4503-9a10-82c975d76faa","updated_at":"2024-06-18T15:25:58.523Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.523Z","created_by":"elastic","name":"Administrative Share File Creation","tags":["Zeek","Corelight"],"interval":"30m","enabled":true,"revision":0,"description":"Adversaries may use administrative shares to place files used for lateral movement remotely. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"c5c66359-3d27-4fed-8865-d988dd75423f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008"},"technique":[{"id":"T1021","name":"Remote Services","reference":"https://attack.mitre.org/techniques/T1021","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs "],"version":8,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"smb_files\" AND (file.path:(*admin$* OR *print$* OR *fax$*) OR file.path:/.*[^A-Za-z][A-Za-z]$.*/) AND smb.action:\"SMB::FILE_WRITE\")","filters":[],"actions":[]} 30 | {"id":"4c0aff87-f303-4ab2-8f6c-808ee76bf88c","updated_at":"2024-10-11T14:28:08.444Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.526Z","created_by":"elastic","name":"Possible Kerberos Brute Force Attempt","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":1,"description":"Detects when more than 100 failed Kerberos pre-authentication requests (KDC_ERR_PREAUTH_FAILED) are made from a single client to a single KDC within the rule window. Determine if this is a) a normal client and b) a normal pattern for that client. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"512c0f00-43a8-44ed-b8c9-dec3bf5b041f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006"},"technique":[{"id":"T1110","name":"Brute Force","reference":"https://attack.mitre.org/techniques/T1110","subtechnique":[{"id":"T1110.001","name":"Password Guessing","reference":"https://attack.mitre.org/techniques/T1110/001"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"kerberos\" AND kerberos.request.client:* event.outcome:\"failure\" AND kerberos.error_message:\"KDC_ERR_PREAUTH_FAILED\"\n)","filters":[],"threshold":{"field":["destination.ip","source.ip"],"value":101,"cardinality":[]},"actions":[]} 31 | {"id":"e55a9383-5736-42b5-8ef7-89d2e6a85419","updated_at":"2024-06-18T15:25:58.569Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.569Z","created_by":"elastic","name":"Multiple Abnormal non conforming HTTP Requests","tags":["Corelight","Zeek"],"interval":"10m","enabled":true,"revision":0,"description":"Detects when multiple HTTP requests are made with non conforming standard. 
This is usually an indication that an alternative HTTP implementation is in place. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team ","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-660s","rule_id":"d7b986aa-d313-4332-a205-6c179de6722d","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1102","name":"Web Service","reference":"https://attack.mitre.org/techniques/T1102","subtechnique":[{"id":"T1102.001","name":"Dead Drop Resolver","reference":"https://attack.mitre.org/techniques/T1102/001"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"weird\" AND weird.name:\"bad_HTTP_request\")","filters":[],"threshold":{"field":["destination.port","source.ip"],"value":11,"cardinality":[]},"actions":[]} 32 | {"id":"825fd9f7-7237-4465-9c2a-caf5101b765e","updated_at":"2024-06-18T15:25:58.568Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.568Z","created_by":"elastic","name":"RDP Possible Non User Login, Abnormal Screen Resolution","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"A small RDP screen resolution can be an indication that the connection was made via an 
automated script (unusual for RDP) or via a port forwarding scenario using RDP. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"4b83eea1-97cf-469e-a801-a61b6bcba2a3","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008"},"technique":[{"id":"T1021","name":"Remote Services","reference":"https://attack.mitre.org/techniques/T1021","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"rdp\" AND rdp.desktop_height <600 AND rdp.desktop_width <600)","filters":[],"actions":[]} 33 | {"id":"034a3a0e-7646-49b5-9ed3-0813f363c161","updated_at":"2024-06-18T15:25:58.528Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.528Z","created_by":"elastic","name":"HTTP Traffic with No HTTP Host Set or User Agent Set","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"Client is making a request mimicking a legitimate browser but is possibly powershell or other programming library that would not normally have that Browser User Agent Author: SOC Prime 
Team.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"dc8dd4f0-8525-49bc-9b01-e9a2e9ab3498","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1571","name":"Non-Standard Port","reference":"https://attack.mitre.org/techniques/T1571","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" and http.request.header_names:\"USER-AGENT\" AND ((NOT (http.request._names:\"HOST\")) OR http.request.header_names:\"HOST\"))","filters":[],"actions":[]} 34 | {"id":"a1714d2f-7f1b-41ec-9d64-52354e97a847","updated_at":"2024-06-18T15:25:58.572Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.572Z","created_by":"elastic","name":"Potential Forced External Outbound NTLM","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Detects NTLM requests that originate internally and communicate with an external IP address. 
Tools such as responder can be used to capture NTLM hashes, etc for offline cracking.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"dc6c9906-b9c7-4d85-b150-d77d2cb82003","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006"},"technique":[{"id":"T1187","name":"Forced Authentication","reference":"https://attack.mitre.org/techniques/T1187","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol.text:\"ntlm\" AND conn.history:Sh* AND conn.local_orig:\"true\" AND conn.local_resp:\"false\")","filters":[],"actions":[]} 35 | {"id":"77f0a2ce-6709-45bc-8e9c-130c7216eb75","updated_at":"2024-06-18T15:26:01.842Z","updated_by":"elastic","created_at":"2024-06-18T15:26:01.842Z","created_by":"elastic","name":"Potential Forced External Outbound GSSAPI","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"Detects GSSAPI (authentication) traffic originating internally and communicating with an external IP address. GSSAPI authentication should typically only occur internally. Outbound requests could be a sign of forced authentication. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"fb7e67fd-21f2-48e8-a0b6-88d04afe9f55","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential Access","reference":"https://attack.mitre.org/tactics/TA0006"},"technique":[{"id":"T1187","name":"Forced Authentication","reference":"https://attack.mitre.org/techniques/T1187","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"conn\" AND network.protocol:gssapi* AND conn.history:Sh* AND conn.local_orig:\"true\" AND conn.local_resp:\"false\")\n","filters":[],"actions":[]} 36 | {"id":"22240bab-a692-429b-a880-ae7f0cb55424","updated_at":"2024-06-18T15:25:58.596Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.596Z","created_by":"elastic","name":"BloodHound AD Discovery","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Detects usage of RPC operations used by the tool BloodHound. Specifically these operations are used for AD account and group information. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://18.224.15.232:15601/app/security"},"author":["SOC Prime","@infosecn1nja"],"false_positives":[],"from":"now-360s","rule_id":"502b1c35-68df-4e9a-9984-eb95bf23c562","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0007","name":"Discovery","reference":"https://attack.mitre.org/tactics/TA0007"},"technique":[{"id":"T1069","name":"Permission Groups Discovery","reference":"https://attack.mitre.org/techniques/T1069","subtechnique":[{"id":"T1069.001","name":"Local Groups","reference":"https://attack.mitre.org/techniques/T1069/001"},{"id":"T1069.002","name":"Domain Groups","reference":"https://attack.mitre.org/techniques/T1069/002"}]},{"id":"T1087","name":"Account Discovery","reference":"https://attack.mitre.org/techniques/T1087","subtechnique":[{"id":"T1136.001","name":"Local Account","reference":"https://attack.mitre.org/techniques/T1136/001"},{"id":"T1136.002","name":"Domain Account","reference":"https://attack.mitre.org/techniques/T1136/002"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"dce_rpc\" AND dce_rpc.operation:(\"NetrSessionEnum\" OR \"NetrWkstaUserEnum\" OR \"SamrGetMembersInAlias\" OR \"SamrOpenDomain\" OR \"SamrConnect5\" OR \"SamrCloseHandle\"))","filters":[],"threshold":{"field":["source.ip","dce_rpc.operation"],"value":10,"cardinality":[]},"actions":[]} 37 | 
{"id":"c6a689fa-0d9c-4cc6-acc7-dfccee490860","updated_at":"2024-06-18T15:25:58.591Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.591Z","created_by":"elastic","name":"Windows Sysvol File Modification","tags":["Corelight","Zeek"],"interval":"5m","enabled":true,"revision":0,"description":"SYSVOL is the share a domain controller uses to distribute group policies and other important Active Directory files. This detects a scenario where one of the files on that share is changed or created. Although this may legitimately happen, determine if the source is authorized or should be making these types of changes.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"d7ee4a4a-07e0-4527-97e4-504206907f99","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008"},"technique":[{"id":"T1021","name":"Remote Services","reference":"https://attack.mitre.org/techniques/T1021","subtechnique":[{"id":"T1021.002","name":"SMB/Windows Admin Shares","reference":"https://attack.mitre.org/techniques/T1021/002"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":3,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"event.dataset:smb_files AND file.path:(*Sysvol OR *SYSVOL OR *sysvol) AND (NOT (smb.action:\"SMB::FILE_OPEN\"))","filters":[],"actions":[]} 38 | 
{"id":"7dcef05b-7029-40bd-a637-2f9965dca757","updated_at":"2024-06-18T15:25:58.567Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.567Z","created_by":"elastic","name":"Suspicious DNS Z Flag Bit Set","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["@neu5ron","Soc Prime","Corelight"],"false_positives":[],"from":"now-360s","rule_id":"4882f2c3-d471-4afb-a23c-601e8a1887ea","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1043","name":"Commonly Used Port","reference":"https://attack.mitre.org/techniques/T1043","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":4,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"dns\" AND ((NOT (dns.flags.z_bit:\"0\")) AND _exists_:dns.question.name) AND (NOT ((event.dataset:\"dns\" AND (dns.question.name:(*.arpa OR *.local OR 
*.ultradns.net OR *.twtrdns.net OR *.azuredns-prd.info OR *.azure-dns.com OR *.azuredns-ff.info OR *.azuredns-ff.org OR *.azuregov-dns.org OR *.edu) OR dns.question.type:(\"NS\" OR \"ns\") OR dns.question.type:SPF OR dns.answers.name:\"*\\\\\\\\x00\" OR destination.port:(\"137\" OR \"138\" OR \"139\"))))))","filters":[],"actions":[]} 39 | {"id":"93d22289-834b-4031-bdec-d459b17f2dc6","updated_at":"2024-06-18T15:25:58.594Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.594Z","created_by":"elastic","name":"Client transferring large amount of data over HTTP","tags":["Corelight","Zeek"],"interval":"15m","enabled":true,"revision":0,"description":"Client sending over 5GBs via HTTP. It is uncommon for a client to send this much traffic to a server over HTTP. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-960s","rule_id":"fcbb4787-dfd5-4ca5-b312-8d67e573cdf0","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0010","name":"Exfiltration","reference":"https://attack.mitre.org/tactics/TA0010"},"technique":[{"id":"T1030","name":"Data Transfer Size 
Limits","reference":"https://attack.mitre.org/techniques/T1030","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND http.response.body.bytes:* AND http.response.body.bytes >10000000)","filters":[],"actions":[]} 40 | {"id":"c7603bbd-2d6b-4517-a0ff-0b92bde60a6b","updated_at":"2024-06-18T15:26:01.841Z","updated_by":"elastic","created_at":"2024-06-18T15:26:01.841Z","created_by":"elastic","name":"RDP Suspicious Keyboard Layout","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Detects suspicious languages of an RDP keyboard layout. This Sigma query is designed to accompany the Corelight Threat Hunting Guide. Note you might have to change the keyboard layout due to location.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"c20bc1da-6c3d-4e5f-b1c4-2f3b1c071d7b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0008","name":"Lateral Movement","reference":"https://attack.mitre.org/tactics/TA0008"},"technique":[{"id":"T1021","name":"Remote Services","reference":"https://attack.mitre.org/techniques/T1021","subtechnique":[{"id":"T1021.001","name":"Remote Desktop 
Protocol","reference":"https://attack.mitre.org/techniques/T1021/001"}]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":3,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"rdp\" AND (rdp.keyboard_layout:(*Arabic* OR \"Armenian-Armenia\" OR \"Farsi\" OR \"Pashto\" OR \"Swahili\" OR \"Syriac\") OR rdp.keyboard_layout:(Chinese* OR \"Mongolian (Mongolian)\" OR Mongolian* OR Tibetan* OR \"Uighur - China\") OR rdp.keyboard_layout:(\"Assamese\" OR \"Kannada\" OR *India OR \"Sanskrit\" OR \"Telugu\") OR rdp.keyboard_layout.text:\"Korean\" OR rdp.keyboard_layout:(*Nigeria OR \"Wolof\" OR \"Yoruba\") OR rdp.keyboard_layout.text:(\"Catalan\" OR \"Rhaeto-Romanic\") OR rdp.keyboard_layout:(\"Albanian - Albania\" OR *Cyrillic* OR \"FYRO Macedonian\" OR Russian* OR \"Sorbian\" OR \"Uzbek (Cyrillic)\" OR \"Uzbek (Latin)\" OR \"Yakut\" OR Serbian* OR \"Slovak\" OR \"Slovenian\") OR rdp.keyboard_layout.text:\"Vietnamese\"))","filters":[],"actions":[]} 41 | {"id":"e111e57b-843a-49a9-a137-28ab1f336308","updated_at":"2024-06-18T15:25:58.565Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.565Z","created_by":"elastic","name":"Suricata Scan with allowed connection","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Take Suricata Alert and correlates it to a full connection ","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"http://10.100.100.137:5601/app/security"},"author":["Corelight"],"false_positives":[],"from":"now-360s","rule_id":"e42202d0-1439-404a-bb3c-50a546bb6111","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial 
Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0043","name":"Reconnaissance","reference":"https://attack.mitre.org/tactics/TA0043"},"technique":[]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"eql","language":"eql","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"sequence by log.id.uid \n [network where rule.name like \"ET SCAN *\"] \n [network where network.connection.history != \"S\" and network.transport ==\"tcp\"]","filters":[],"actions":[]} 42 | {"id":"c60e6fac-e463-4b56-85bc-8be336e0a586","updated_at":"2024-06-18T15:26:01.836Z","updated_by":"elastic","created_at":"2024-06-18T15:26:01.836Z","created_by":"elastic","name":"Client Sending Large Amount of Data","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Client is sending a large amount of data to another host. Verify whether the destination is a known host for transferring files/data to. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC PRIME"],"false_positives":[],"from":"now-360s","rule_id":"285235d5-ece6-491b-ada4-6dc61a84a431","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0009","name":"Collection","reference":"https://attack.mitre.org/tactics/TA0009"},"technique":[{"id":"T1039","name":"Data from Network Shared Drive","reference":"https://attack.mitre.org/techniques/T1039","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"conn\" AND source.bytes <1000000000 AND destination.bytes >100000000)","filters":[],"actions":[]} 43 | {"id":"a4f8bfd9-3c3c-4ca9-81be-2175d64836a2","updated_at":"2024-06-18T15:25:58.573Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.573Z","created_by":"elastic","name":"External Proxy Detected (Overview Query)","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"This should be used as a guide to filter for known and unknown proxies on your network being used. 
This rule detects external proxies using Corelight and Zeek http log.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"8e5c7625-ce39-41e6-81d0-2ef7bf971c57","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1092","name":"Communication Through Removable Media","reference":"https://attack.mitre.org/techniques/T1092","subtechnique":[]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","name":"Defense Evasion","reference":"https://attack.mitre.org/tactics/TA0005"},"technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"event.dataset:\"http\" AND http.request.proxied:* AND (NOT source.ip_rfc: RFC_1918)","filters":[],"actions":[]} 44 | {"id":"707e94a9-77eb-401b-ba79-f6c397da236e","updated_at":"2024-06-18T15:25:58.595Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.595Z","created_by":"elastic","name":"Common Port with Unusual Service","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Identifies services using a NON ephemeral port for a service that normally should be using a source port greater than 1024. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"fdd1ec6b-a7b8-41f4-a6fb-9320357f82c9","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1571","name":"Non-Standard Port","reference":"https://attack.mitre.org/techniques/T1571","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":3,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"conn\" AND source.port:<1024 AND network.protocol:(\"http\" OR \"ssl\" OR \"rdp\" OR \"ssh\") AND conn.local_orig:true AND conn.local_resp:false)","filters":[],"actions":[]} 45 | {"id":"55dba819-fe90-49b2-943b-c58312b84e46","updated_at":"2024-06-18T15:25:58.566Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.566Z","created_by":"elastic","name":"Potential Forced Netbios DNS Lookup","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Potential Forced Netbios DNS Lookup","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"bff45c08-0fff-4070-96dc-5dbe46071203","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0006","name":"Credential 
Access","reference":"https://attack.mitre.org/tactics/TA0006"},"technique":[{"id":"T1187","name":"Forced Authentication","reference":"https://attack.mitre.org/techniques/T1187","subtechnique":[]}]}],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:conn AND network.protocol: dns AND (destination.port: 137 OR destination.port: 138) AND (NOT destination.ip_rfc: RFC_1918))","filters":[],"actions":[]} 46 | {"id":"5f27b653-3209-42b6-98e6-e041e926c8bc","updated_at":"2024-06-18T15:25:58.560Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.560Z","created_by":"elastic","name":"Multiple Compressed Files Transferred Outbound","tags":["Corelight","Zeek"],"interval":"5m","enabled":true,"revision":0,"description":"Advesaries may use compressed archives to transfer data. Make sure your zeek or coreligth device has local_orig and local_resp variables filled out correctly matching your organizations subnets. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-2100s","rule_id":"32010000-ba3b-444c-aced-af27db45961a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0010","name":"Exfiltration","reference":"https://attack.mitre.org/tactics/TA0010"},"technique":[{"id":"T1020","name":"Automated Exfiltration","reference":"https://attack.mitre.org/techniques/T1020","subtechnique":[]},{"id":"T1002","name":"Data Compressed","reference":"https://attack.mitre.org/techniques/T1002","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"files\" AND (NOT (file.size:\"0\")) AND file.mime_type:(\"application/vnd.ms-cab-compressed\" OR \"application/warc\" OR \"application/x-7z-compressed\" OR \"application/x-ace\" OR \"application/x-arc\" OR \"application/x-archive\" OR \"application/x-arj\" OR \"application/x-compress\" OR \"application/x-cpio\" OR \"application/x-dmg\" OR \"application/x-eet\" OR \"application/x-gzip\" OR \"application/x-lha\" OR \"application/x-lrzip\" OR \"application/x-lz4\" OR \"application/x-lzma\" OR \"application/x-lzh\" OR \"application/x-lzip\" OR \"application/x-rar\" OR \"application/x-rpm\" OR \"application/x-stuffit\" OR 
\"application/x-tar\" OR \"application/x-xz\" OR \"application/x-zoo\" OR \"application/zip\"))","filters":[],"threshold":{"field":["destination.ip","file.hash.sha1"],"value":26,"cardinality":[]},"actions":[]} 47 | {"id":"c8f0f11e-5750-4b57-80ea-4bf06b641eb0","updated_at":"2024-06-18T15:26:01.843Z","updated_by":"elastic","created_at":"2024-06-18T15:26:01.843Z","created_by":"elastic","name":"Sensitive File Access On Admin Network Share","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"This rule identifies sensitive files being accessed via SMB over the Windows Admin$ network share. Determine if these files should a) be accessible and b) accessed by that client.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"4c41e65d-bde3-4bbb-af06-f36c223bc6e9","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0009","name":"Collection","reference":"https://attack.mitre.org/tactics/TA0009"},"technique":[{"id":"T1039","name":"Data from Network Shared Drive","reference":"https://attack.mitre.org/techniques/T1039","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"smb_files\" AND file.path:*ADMIN$* AND file.name:(*\\\\mimidrv* OR *\\\\lsass* OR *\\\\windows\\\\minidump\\\\* OR *\\\\hiberfil* OR *\\\\sqldmpr* OR *\\\\sam* OR *\\\\ntds.dit* OR *\\\\security*))","filters":[],"actions":[]} 48 | 
{"id":"a23fe4dd-9c77-499e-af27-cfd381324e69","updated_at":"2024-06-18T15:25:58.585Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.585Z","created_by":"elastic","name":"Multiple Files sent over HTTP with abnormal requests","tags":["Corelight","Zeek"],"interval":"13m","enabled":true,"revision":0,"description":"Client sending multiple compressed files greater than 10MBs sent over HTTP in a short amount of time.. Additionally, this looks for no referrer which is normally seen in HTTP browsing, thus helps find potentially automated or scripted requests. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: Corelight .","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["Corelight"],"false_positives":[],"from":"now-2580s","rule_id":"af290e93-f670-4d38-8670-79dc89ddb6eb","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0010","name":"Exfiltration","reference":"https://attack.mitre.org/tactics/TA0010"},"technique":[{"id":"T1030","name":"Data Transfer Size Limits","reference":"https://attack.mitre.org/techniques/T1030","subtechnique":[]}]},{"framework":"MITRE ATT&CK","tactic":{"id":"TA0009","name":"Collection","reference":"https://attack.mitre.org/tactics/TA0009"},"technique":[{"id":"T1560","name":"Archive Collected 
Data","reference":"https://attack.mitre.org/techniques/T1560","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND file.mime_type.:(\"application/vnd.ms-cab-compressed\" OR \"application/warc\" OR \"application/x-7z-compressed\" OR \"application/x-ace\" OR \"application/x-arc\" OR \"application/x-archive\" OR \"application/x-arj\" OR \"application/x-compress\" OR \"application/x-cpio\" OR \"application/x-dmg\" OR \"application/x-eet\" OR \"application/x-gzip\" OR \"application/x-lha\" OR \"application/x-lrzip\" OR \"application/x-lz4\" OR \"application/x-lzma\" OR \"application/x-lzh\" OR \"application/x-lzip\" OR \"application/x-rar\" OR \"application/x-rpm\" OR \"application/x-stuffit\" OR \"application/x-tar\" OR \"application/x-xz\" OR \"application/x-zoo\" OR \"application/zip\") AND (NOT (http.request.referrer:*)) AND http.response.body.bytes >10000000)","filters":[],"threshold":{"field":["source.ip","log.id.uid"],"value":11,"cardinality":[]},"actions":[]} 49 | {"id":"20463397-6aea-4519-8da9-bb4404b40e97","updated_at":"2024-06-18T15:25:58.541Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.541Z","created_by":"elastic","name":"Multiple Compressed Files Transferred over HTTP","tags":["Corelight","Zeek"],"interval":"15m","enabled":true,"revision":0,"description":"Advesaries may use compressed archives to transfer data. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-2700s","rule_id":"76ec8a4f-b195-4efa-948b-ab88d735b2ac","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0010","name":"Exfiltration","reference":"https://attack.mitre.org/tactics/TA0010"},"technique":[{"id":"T1020","name":"Automated Exfiltration","reference":"https://attack.mitre.org/techniques/T1020","subtechnique":[]},{"id":"T1002","name":"Data Compressed","reference":"https://attack.mitre.org/techniques/T1002","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND (http.request.method:(\"POST\" OR \"PUT\") AND file.mime_type:(\"application/vnd.ms-cab-compressed\" OR \"application/warc\" OR \"application/x-7z-compressed\" OR \"application/x-ace\" OR \"application/x-arc\" OR \"application/x-archive\" OR \"application/x-arj\" OR \"application/x-compress\" OR \"application/x-cpio\" OR \"application/x-dmg\" OR \"application/x-eet\" OR \"application/x-gzip\" OR \"application/x-lha\" OR \"application/x-lrzip\" OR \"application/x-lz4\" OR \"application/x-lzma\" OR \"application/x-lzh\" OR \"application/x-lzip\" OR \"application/x-rar\" OR \"application/x-rpm\" OR \"application/x-stuffit\" 
OR \"application/x-tar\" OR \"application/x-xz\" OR \"application/x-zoo\" OR \"application/zip\")) AND (NOT (http.request.referrer:*)))","filters":[],"threshold":{"field":["source.ip","url.original","destination.domain"],"value":26,"cardinality":[]},"actions":[]} 50 | {"id":"0fe5a973-bd62-4f65-9b00-38ce857c1389","updated_at":"2024-06-18T15:25:58.592Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.592Z","created_by":"elastic","name":"Internal and Uncommon HTTP Service with interesting user agent and mime type combination","tags":["Corelight","Zeek"],"interval":"30m","enabled":true,"revision":0,"description":"This rule looks for Internal service with an uncommon HTTP port and interesting user agents and matches them with interesting mime types. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: Corelight .","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["Corelight","SOC Prime"],"false_positives":[],"from":"now-1860s","rule_id":"6a5182d4-f504-4b3a-835f-a2c6fd26aba6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1571","name":"Non-Standard 
Port","reference":"https://attack.mitre.org/techniques/T1571","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"http\" AND (http.response.mime_types:(\"application/java-archive\" OR \"application/mshelp\" OR \"application/chrome-ext\" OR \"application/x-object\" OR \"application/x-executable\" OR \"application/x-sharedlib\" OR \"application/-mach-o-executable\" OR \"application/x-dosexec\" OR \"application/x-java-applet\" OR \"application/x-java-jnlp-file\" OR \"text/x-php\" OR \"text/x-perl\" OR \"text/x-ruby\" OR \"text/x-python\" OR \"text/x-awk\" OR \"text/x-tcl\" OR \"text/x-lua\" OR \"text/x-msdos-batch\") AND user_agent.original:(*certutil* OR *powershell* OR *microsoft* OR *python* OR *libwww-perl* OR *go-http* OR *java* OR *lua-resty-http* OR *winhttp* OR *vb project* OR *ruby*)) AND (NOT (source.port:(\"80\" OR \"8000\" OR \"8080\" OR \"8888\"))) AND (destination.ip_public: true))","filters":[],"actions":[]} 51 | {"id":"86e91217-709f-4cce-bf93-ec4818ec7499","updated_at":"2024-06-18T15:25:58.574Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.574Z","created_by":"elastic","name":"DNS tunnel repetitive failures to same domain","tags":["Corelight","Zeek"],"interval":"5m","enabled":true,"revision":0,"description":"This rule identifies large a mounts of DNS resolution failures (domain does not exist and server failures). Some DGA algorithms generate hundreds/thousands of bad DNS names before hitting one that an attacker has registered. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Tea","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime","neu5ron","Brasitech"],"false_positives":[],"from":"now-2100s","rule_id":"449e89a8-11f5-4fde-9b47-fcbf555da042","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1094","name":"Custom Command and Control Protocol","reference":"https://attack.mitre.org/techniques/T1094","subtechnique":[]},{"id":"T1043","name":"Commonly Used Port","reference":"https://attack.mitre.org/techniques/T1043","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"dns\" AND dns.response_code:(\"NXDOMAIN\" OR \"SERVFAIL\" OR \"nxdomain\" OR \"servfail\"))","filters":[],"threshold":{"field":["source.ip","destination.level_1n2_domain"],"value":26,"cardinality":[]},"actions":[]} 52 | {"id":"55454429-0fa1-473a-8295-f568e721cef9","updated_at":"2024-06-18T15:25:58.588Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.588Z","created_by":"elastic","name":"External Facing ICS DNP3","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"An external facing ICS DNP3 device is responding to external public facing 
connections. Verify whether this is an allowed device.","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-360s","rule_id":"f53040b1-4b41-4b52-a628-1b56e20e1db5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[{"id":"T1133","name":"External Remote Services","reference":"https://attack.mitre.org/techniques/T1133","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"event.dataset:dnp3 AND dnp3.fc_request:* AND (NOT source.ip_rfc: RFC_1918)","filters":[],"actions":[]} 53 | {"id":"f8267ba2-ca88-4ea6-a0e5-6d5cefdd3fe7","updated_at":"2024-06-18T15:25:58.571Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.571Z","created_by":"elastic","name":"C2 DGA Detected Via Repetitive Failures","tags":["Corelight","Zeek"],"interval":"5m","enabled":true,"revision":0,"description":"This rule identifies large amounts of DNS resolution failures (domain does not exist and server failures). Some DGA algorithms generate hundreds/thousands of bad DNS names before hitting one that an attacker has registered. 
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team .","risk_score":38,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-2100s","rule_id":"b4f7e8dc-4bbf-4f54-9af3-a8cda96b376e","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[{"id":"T1094","name":"Custom Command and Control Protocol","reference":"https://attack.mitre.org/techniques/T1094","subtechnique":[]},{"id":"T1043","name":"Commonly Used Port","reference":"https://attack.mitre.org/techniques/T1043","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"dns\" AND dns.response_code:(\"NXDOMAIN\" OR \"SERVFAIL\" OR \"nxdomain\" OR \"servfail\"))","filters":[],"threshold":{"field":["dns.question.name","source.ip"],"value":26,"cardinality":[]},"actions":[]} 54 | {"id":"f0caa25d-2bcc-4993-a69b-5ca62350fec4","updated_at":"2024-06-18T15:26:01.837Z","updated_by":"elastic","created_at":"2024-06-18T15:26:01.837Z","created_by":"elastic","name":"Domain User Enumeration Network Recon 01","tags":["Zeek","Corelight"],"interval":"30s","enabled":true,"revision":0,"description":"Domain user and group enumeration via network reconnaissance. 
Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. This is a supported version of the public rule that was created by Nate Guagenti and Roberto Rodriguez from his Open Threat Research (OTR) community","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://18.224.15.232:15601/app/security"},"author":["Nate Guagenti (@neu5ron)","SOC Prime","Open Threat Research (OTR)"],"false_positives":[],"from":"now-90s","rule_id":"d6a5272f-a56a-41e0-96db-c6b9a1aa575f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0007","name":"Discovery","reference":"https://attack.mitre.org/tactics/TA0007"},"technique":[{"id":"T1135","name":"Network Share Discovery","reference":"https://attack.mitre.org/techniques/T1135","subtechnique":[]},{"id":"T1069","name":"Permission Groups Discovery","reference":"https://attack.mitre.org/techniques/T1069","subtechnique":[{"id":"T1069.001","name":"Local Groups","reference":"https://attack.mitre.org/techniques/T1069/001"},{"id":"T1069.002","name":"Domain Groups","reference":"https://attack.mitre.org/techniques/T1069/002"}]}]}],"to":"now","references":[],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"dce_rpc\" AND dce_rpc.operationt:(\"LsarLookupNames3\" OR \"LsarLookupSids3\" OR \"SamrGetGroupsForUser\" OR \"SamrLookupIdsInDomain\" OR \"SamrLookupNamesInDomain\" OR \"SamrQuerySecurityObject\" OR \"SamrQueryInformationGroup\"))","filters":[],"threshold":{"field":["source.ip","dce_rpc.operation"],"value":4,"cardinality":[]},"actions":[]} 55 | 
{"id":"b3ae3989-c737-4bb1-ba1b-4eb45c912535","updated_at":"2024-06-18T15:25:58.562Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.562Z","created_by":"elastic","name":"Multiple Compressed Files Transferred Outbound","tags":["Corelight","Zeek"],"interval":"5m","enabled":true,"revision":0,"description":"Advesaries may use compressed archives to transfer data. Make sure your zeek or coreligth device has local_orig and local_resp variables filled out correctly matching your organizations subnets. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs Author: SOC Prime Team","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"30m","kibana_siem_app_url":"https://ebfdeca78883482ab27c7788d91afc61.eu-central-1.aws.cloud.es.io:9243/app/security"},"author":["SOC Prime"],"false_positives":[],"from":"now-2100s","rule_id":"c21b22f1-bd35-480f-871d-5bab56a9d062","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0010","name":"Exfiltration","reference":"https://attack.mitre.org/tactics/TA0010"},"technique":[{"id":"T1002","name":"Data Compressed","reference":"https://attack.mitre.org/techniques/T1002","subtechnique":[]},{"id":"T1020","name":"Automated Exfiltration","reference":"https://attack.mitre.org/techniques/T1020","subtechnique":[]}]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"threshold","language":"lucene","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"(event.dataset:\"files\" AND (NOT (file.size:\"0\")) AND file.mime_type:(\"application/vnd.ms-cab-compressed\" OR \"application/warc\" OR 
\"application/x-7z-compressed\" OR \"application/x-ace\" OR \"application/x-arc\" OR \"application/x-archive\" OR \"application/x-arj\" OR \"application/x-compress\" OR \"application/x-cpio\" OR \"application/x-dmg\" OR \"application/x-eet\" OR \"application/x-gzip\" OR \"application/x-lha\" OR \"application/x-lrzip\" OR \"application/x-lz4\" OR \"application/x-lzma\" OR \"application/x-lzh\" OR \"application/x-lzip\" OR \"application/x-rar\" OR \"application/x-rpm\" OR \"application/x-stuffit\" OR \"application/x-tar\" OR \"application/x-xz\" OR \"application/x-zoo\" OR \"application/zip\"))","filters":[],"threshold":{"field":["destination.ip","file.hash.sha1"],"value":26,"cardinality":[]},"actions":[]} 56 | {"id":"d57a5f8c-c8b6-41a8-81d1-259db1ff95d4","updated_at":"2024-06-18T15:25:58.581Z","updated_by":"elastic","created_at":"2024-06-18T15:25:58.581Z","created_by":"elastic","name":"DNS Domain names with Non ASCII Character","tags":["Zeek","Corelight"],"interval":"5m","enabled":true,"revision":0,"description":"Adversaries can use DNS name with Non ASCII Characters to hide the real domain and make it look like something else.\n\n","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://10.100.100.137:5601/app/security"},"author":[],"false_positives":[],"from":"now-360s","rule_id":"5ac25ec4-634b-4d07-9e80-a15ab106c7b9","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0011","name":"Command and Control","reference":"https://attack.mitre.org/tactics/TA0011"},"technique":[]}],"to":"now","references":["https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs"],"version":2,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-corelight-ds*","ecs-corelight*","logs-*"],"query":"event.dataset: dns 
and destination.domain_has_non_ascii: true","filters":[],"actions":[]} 57 | {"exported_count":56,"exported_rules_count":56,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":0,"exported_exception_list_item_count":0,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0,"exported_action_connector_count":0,"missing_action_connection_count":0,"missing_action_connections":[],"excluded_action_connection_count":0,"excluded_action_connections":[]} 58 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2023, Corelight, Inc. 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions are met: 7 | 8 | 1. Redistributions of source code must retain the above copyright notice, this 9 | list of conditions and the following disclaimer. 10 | 11 | 2. Redistributions in binary form must reproduce the above copyright notice, 12 | this list of conditions and the following disclaimer in the documentation 13 | and/or other materials provided with the distribution. 14 | 15 | 3. Neither the name of the copyright holder nor the names of its 16 | contributors may be used to endorse or promote products derived from 17 | this software without specific prior written permission. 18 | 19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 22 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Elasticsearch_rules 2 | Elastic Security detection-rule versions of the SOC Prime Watcher rules, plus some new Corelight rules. 3 | 4 | Please note that these rules should be tuned to your environment before use: they import with `enabled` set to true, most are low-severity hunting queries with empty false-positive lists, and their index patterns include the broad `logs-*`, so review index patterns, thresholds and exceptions before letting them run in production. The `meta.kibana_siem_app_url` values in the export appear to be leftover references to the environments the rules were exported from and are not needed for import. 5 | 6 | To load the rules into Elastic, download the ndjson file, expand Security and go to Alerts, click Manage rules, then Import rules, and upload the file. The import creates two new tags: `Zeek` — these rules work on open-source Zeek data as well as Corelight data — and `Corelight` — these rules only work with Corelight data. 7 | 8 | --------------------------------------------------------------------------------
