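<group name="sysmon,MITRE,">
<!--
Base Sysmon Event 1 (process creation) rules for powershell.exe and cmd.exe, and the
child rules that chain from them (Office applications spawning a shell, mshta, regsvr32,
cscript, sc.exe). Rule ids 255000 to 255019.
NOTE(review): Sysmon Event 1 is normally decoded as image / commandLine / parentImage
(rule 255208 in this file filters on win.eventdata.parentImage). Confirm that the decoder
in use populates win.eventdata.sourceImage for Event 1; if it does not, 255000 and 255001
never match and every child rule in this group is dead.
NOTE(review): the descriptions contain a bare ampersand in "ATT&CK", which is not
well-formed XML. The rule loader appears to accept it, but strict XML tooling will reject
the file; confirm before validating these files with anything other than the rule loader.
-->
<rule id="255000" level="6">
<if_group>sysmon_event1</if_group>
<!-- NOTE(review): OSSEC regex treats "." literally and "\\" as one backslash, so "\\.ps1"
     needs a backslash directly before ".ps1" and is unlikely to match a real script path;
     "||" also leaves an empty alternative. ".ps2" is not a standard extension. Verify the
     intended form (probably "\\powershell.exe|.ps1") with the logtest tool. -->
<field name="win.eventdata.sourceImage">\\powershell.exe||\\.ps1||\\.ps2</field>
<description>Sysmon - Event 1: Powershell exe: $(win.eventdata.sourceImage)</description>
<!-- Keeps the sysmon_event1 tag on the alert, presumably so the if_group children below still chain. -->
<group>sysmon_event1,powershell_execution,</group>
</rule>
<rule id="255001" level="6">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\cmd.exe</field>
<!-- Fixed: this is a Sysmon Event 1 (process creation); the description said "Event 2". -->
<description>Sysmon - Event 1: CMD exe: $(win.eventdata.sourceImage)</description>
<group>sysmon_event1,cmd_execution,</group>
</rule>
<rule id="255002" level="7">
<!-- Depends on rule 185001 from another ruleset; if that id is not loaded this rule is orphaned. -->
<if_sid>185001</if_sid>
<match>Network connection detected</match>
<regex>powershell.exe</regex>
<description>Powershell Network Connection</description>
<group>sysmon_event3,network,</group>
</rule>
<!-- 255003 to 255015: shell or PowerShell spawned by an Office application.
     The regex is applied to the whole event text, so the Office image may match in
     parentImage or anywhere else in the event (command line, current directory).
     A field test on win.eventdata.parentImage, as rule 255208 uses, would be more precise. -->
<rule id="255003" level="12">
<if_sid>255000</if_sid>
<regex>.doc</regex>
<description>Powershell Spawned from Office Doc</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255004" level="12">
<if_sid>255000</if_sid>
<regex>.xls</regex>
<description>Powershell Spawned from Excel Doc</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255005" level="12">
<if_sid>255001</if_sid>
<regex>WINWORD.EXE</regex>
<description>Command Line process spawned from Microsoft Word Doc</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255006" level="12">
<if_sid>255001</if_sid>
<regex>EXCEL.EXE</regex>
<description>Command Line process spawned from Microsoft Excel Doc</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255007" level="10">
<if_group>sysmon_event1</if_group>
<!-- mshta.exe with a URL in the event: remote HTA execution. -->
<match>mshta.exe</match>
<regex>http</regex>
<description>Possible Malicious HTA file executed</description>
<group>MITRE,attack.t1170,</group>
</rule>
<rule id="255008" level="12">
<if_sid>255001</if_sid>
<regex>POWERPNT.exe</regex>
<description>Command Line process spawned from Microsoft Powerpoint Doc</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255009" level="12">
<if_sid>255001</if_sid>
<regex>OUTLOOK.EXE</regex>
<description>Command Line process spawned from Microsoft Outlook</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255010" level="12">
<if_sid>255001</if_sid>
<regex>VISIO.exe</regex>
<description>Command Line process spawned from Microsoft Visio Doc</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255011" level="12">
<if_sid>255001</if_sid>
<regex>MSPUB.exe</regex>
<description>Command Line process spawned from Microsoft Publisher Doc</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255012" level="12">
<if_sid>255000</if_sid>
<regex>POWERPNT.exe</regex>
<description>Powershell Spawned from Powerpoint Doc</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255013" level="12">
<if_sid>255000</if_sid>
<regex>OUTLOOK.EXE</regex>
<description>Powershell Spawned from Microsoft Outlook</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255014" level="12">
<if_sid>255000</if_sid>
<regex>MSPUB.exe</regex>
<description>Powershell Spawned from Microsoft Publisher</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255015" level="12">
<if_sid>255000</if_sid>
<regex>VISIO.exe</regex>
<description>Powershell Spawned from Microsoft Visio</description>
<group>MITRE,attack.t1059,attack.t1202,</group>
</rule>
<rule id="255016" level="12">
<if_sid>255001</if_sid>
<!-- cmd.exe event mentioning regsvr32 together with a URL (remote scriptlet load). -->
<match>regsvr32</match>
<regex>http</regex>
<description>MITRE ATT&CK T1117 - Regsvr32 https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md</description>
<group>MITRE,attack.t1117,</group>
</rule>
<rule id="255017" level="12">
<if_sid>255001</if_sid>
<match>cscript.exe</match>
<regex>http</regex>
<description>MITRE ATT&CK T1216 - Signed Script Proxy Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md</description>
<group>MITRE,attack.t1216,</group>
</rule>
<!-- 255018/255019: sc.exe service manipulation from cmd.exe or PowerShell. <match> is a
     substring test, so "sc.exe" also hits any image name ending in sc.exe; the regex covers
     create, start and delete, so the description was widened from "New Service Created". -->
<rule id="255018" level="8">
<if_sid>255001</if_sid>
<match>sc.exe</match>
<regex>create|start|delete</regex>
<description>Service create/start/delete with sc.exe : MITRE ATT&CK T1035 - Service Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.md</description>
<group>MITRE,attack.t1035,</group>
</rule>
<rule id="255019" level="8">
<if_sid>255000</if_sid>
<match>sc.exe</match>
<regex>create|start|delete</regex>
<description>Service create/start/delete with sc.exe : MITRE ATT&CK T1035 - Service Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.md</description>
<group>MITRE,attack.t1035,</group>
</rule>
</group>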
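<group name="sysmon-modular,">
<!--
One rule per MITRE technique name written into the Sysmon RuleName field by a
sysmon-modular style configuration ("technique_id=...,technique_name=..."). Each rule
substring-matches the technique_name and re-tags the alert with attack.tNNNN at level 5
(two exceptions at level 10 and 12). None of these rules fire unless the Sysmon config on
the endpoints tags events that way.
NOTE(review): descriptions print $(win.eventdata.sourceImage) for registry
(sysmon_event_12), file (sysmon_event_11) and network (sysmon_event3) events as well;
confirm that field exists for those event types or the placeholder renders empty.
NOTE(review): the same technique_name is mapped twice under different parent groups,
sometimes to different technique ids: Regsvr32 (255540 as T1117, 255561/255568 as T1218),
Service Execution (255516/255567), Windows Remote Management (255513/255566),
Masquerading (255501/255564), System Network Configuration Discovery (255509/255565),
Forced Authentication (255507 as T1013, 255554 as T1187). Decide which id should be
reported and keep it in one place.
-->
<rule id="255500" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=Process Injection</match>
<description>MITRE T1055 Process Injection: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1055,</group>
</rule>
<rule id="255501" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Masquerading</match>
<description>MITRE T1036 Masquerading: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1036,</group>
</rule>
<rule id="255502" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Credential Dumping</match>
<description>MITRE T1003 Credential Dumping: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1003,</group>
</rule>
<rule id="255503" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Winlogon Helper DLL</match>
<description>MITRE T1004 Winlogon Helper DLL: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1004,</group>
</rule>
<rule id="255504" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Data from Local System</match>
<description>MITRE T1005 Data from Local System: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1005,</group>
</rule>
<rule id="255505" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=System Service Discovery</match>
<description>MITRE T1007 System Service Discovery: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1007,</group>
</rule>
<rule id="255506" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Query Registry</match>
<description>MITRE T1012 Query registry: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1012,</group>
</rule>
<rule id="255507" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Forced Authentication</match>
<description>MITRE T1013 Forced Authentication: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1013,</group>
</rule>
<rule id="255508" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Accessibility Features</match>
<description>MITRE T1015 Accessibility Features: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1015,</group>
</rule>
<rule id="255509" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=System Network Configuration Discovery</match>
<description>MITRE T1016 System Network Configuration Discovery: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1016,</group>
</rule>
<rule id="255510" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Remote System Discovery</match>
<!-- Fixed typo: "Systen". -->
<description>MITRE T1018 Remote System Discovery: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1018,</group>
</rule>
<rule id="255511" level="5">
<if_group>sysmon_event2</if_group>
<match>technique_name=Remote Services</match>
<description>MITRE T1021 Remote Services : $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1021,</group>
</rule>
<rule id="255512" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Obfuscated Files or Information</match>
<description>MITRE T1027 Obfuscated Files or Information : $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1027,</group>
</rule>
<rule id="255513" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Windows Remote Management</match>
<description>MITRE T1028 Windows Remote Management: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1028,</group>
</rule>
<rule id="255514" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Modify Existing Service</match>
<description>MITRE T1031 Modify Existing Service : $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1031,</group>
</rule>
<rule id="255515" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=System Owner/User Discovery</match>
<description>MITRE T1033 System Owner/User Discovery : $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1033,</group>
</rule>
<rule id="255516" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Service Execution</match>
<description>MITRE T1035 Service Execution: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1035,</group>
</rule>
<rule id="255517" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Logon Scripts</match>
<description>MITRE T1037 Logon Scripts: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1037,</group>
</rule>
<rule id="255518" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Change Default File Association</match>
<description>MITRE T1042 Change Default File Association: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1042,</group>
</rule>
<rule id="255519" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=Windows Management Instrumentation</match>
<description>MITRE T1047 Windows Management Instrumentation : $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1047,</group>
</rule>
<rule id="255520" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=System Network Connections Discovery</match>
<description>MITRE T1049 System Network Connections Discovery: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1049,</group>
</rule>
<rule id="255521" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Scheduled Task</match>
<description>MITRE T1053 Scheduled Task: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1053,</group>
</rule>
<rule id="255522" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Indicator Blocking</match>
<description>MITRE T1054 Indicator Blocking : $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1054,</group>
</rule>
<rule id="255523" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Process Discovery</match>
<description>MITRE T1057 Process Discovery: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1057,</group>
</rule>
<rule id="255524" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Command-Line Interface</match>
<description>MITRE T1059 Command-Line Interface: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1059,</group>
</rule>
<rule id="255525" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Registry Run Keys / Start Folder</match>
<description>MITRE T1060 Registry Run Keys / Start Folder: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1060,</group>
</rule>
<rule id="255526" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Security Software Discovery</match>
<description>MITRE T1063 Security Software Discovery: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1063,</group>
</rule>
<rule id="255527" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Permission Groups Discovery</match>
<description>MITRE T1069 Permission Groups Discovery: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1069,</group>
</rule>
<rule id="255528" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Indicator Removal on Host</match>
<description>MITRE T1070 Indicator Removal on Host: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1070,</group>
</rule>
<rule id="255529" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=File and Directory Discovery</match>
<description>MITRE T1083 File and Directory Discovery: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1083,</group>
</rule>
<rule id="255530" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=Rundll32</match>
<description>MITRE T1085 Rundll32: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1085,</group>
</rule>
<!-- 255531 is the parent of the PowerShell launcher rules in the execution group (255901 onwards). -->
<rule id="255531" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=PowerShell</match>
<description>MITRE T1086 Powershell: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1086,</group>
</rule>
<rule id="255532" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Bypass User Account Control</match>
<description>MITRE T1088 Bypass User Account Control: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1088,</group>
</rule>
<rule id="255533" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Disabling Security Tools</match>
<description>MITRE T1089 Disabling Security Tools: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1089,</group>
</rule>
<rule id="255534" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Account Manipulation</match>
<!-- Fixed: stray "=" in the description. -->
<description>MITRE T1098 Account Manipulation: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1098,</group>
</rule>
<rule id="255535" level="5">
<if_group>sysmon_event2</if_group>
<match>technique_name=Timestomp</match>
<description>MITRE T1099 Timestomp: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1099,</group>
</rule>
<rule id="255536" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Security Support Provider</match>
<description>MITRE T1101 Security Support Provider: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1101,</group>
</rule>
<rule id="255537" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Appinit DLLs</match>
<description>MITRE T1103 Appinit DLLs: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1103,</group>
</rule>
<rule id="255538" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Remote File Copy</match>
<description>MITRE T1105 Remote File Copy: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1105,</group>
</rule>
<rule id="255539" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Modify Registry</match>
<description>MITRE T1112 Modify Registry: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1112,</group>
</rule>
<rule id="255540" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Regsvr32</match>
<description>MITRE T1117 Regsvr32: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1117,</group>
</rule>
<rule id="255541" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=InstallUtil</match>
<description>MITRE T1118 InstallUtil: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1118,</group>
</rule>
<rule id="255542" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Regsvcs/Regasm</match>
<description>MITRE T1121 Regsvcs/Regasm: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1121,</group>
</rule>
<rule id="255543" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Component Object Model Hijacking</match>
<description>MITRE T1122 Component Object Model Hijacking: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1122,</group>
</rule>
<rule id="255544" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Trusted Developer Utilities</match>
<description>MITRE T1127 Trusted Developer Utilities: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1127,</group>
</rule>
<rule id="255545" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Netsh Helper DLL</match>
<description>MITRE T1128 Netsh Helper DLL: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1128,</group>
</rule>
<rule id="255546" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Install Root Certificate</match>
<description>MITRE T1130 Install Root Certificate: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1130,</group>
</rule>
<!-- 255547 is the parent of the NTLM downgrade rules 255104/255105 in the credential_access group. -->
<rule id="255547" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Authentication Package</match>
<description>MITRE T1131 Authentication Package: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1131,</group>
</rule>
<rule id="255548" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Access Token Manipulation</match>
<description>MITRE T1134 Access Token Manipulation: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1134,</group>
</rule>
<rule id="255549" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Application Shimming</match>
<description>MITRE T1138 Application Shimming: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1138,</group>
</rule>
<rule id="255550" level="5">
<if_group>sysmon_event1</if_group>
<!-- Fixed: the technique name was pasted twice ("...DirectoriesHidden Files and Directories"),
     so the match string could not occur in a RuleName and the rule never fired. -->
<match>technique_name=Hidden Files and Directories</match>
<description>MITRE T1158 Hidden Files and Directories: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1158,</group>
</rule>
<rule id="255551" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Mshta</match>
<description>MITRE T1170 Mshta: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1170,</group>
</rule>
<rule id="255552" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=AppCert DLLs</match>
<!-- Fixed: description now names the technique like every other rule in this group. -->
<description>MITRE T1182 AppCert DLLs: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1182,</group>
</rule>
<rule id="255553" level="12">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Image File Execution Options Injection</match>
<description>MITRE T1183 Image File Execution Options Injection: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1183,</group>
</rule>
<rule id="255554" level="5">
<if_group>sysmon_event_11</if_group>
<match>technique_name=Forced Authentication</match>
<description>MITRE T1187 Forced Authentication: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1187,</group>
</rule>
<rule id="255555" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=CMSTP</match>
<description>MITRE T1191 CMSTP: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1191,</group>
</rule>
<rule id="255556" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Control Panel Items</match>
<!-- Fixed: description now names the technique like every other rule in this group. -->
<description>MITRE T1196 Control Panel Items: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1196,</group>
</rule>
<rule id="255557" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=BITS Jobs</match>
<description>MITRE T1197 BITS Jobs: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1197,</group>
</rule>
<rule id="255558" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=SIP and Trust Provider Hijacking</match>
<description>MITRE T1198 SIP and Trust Provider Hijacking: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1198,</group>
</rule>
<rule id="255559" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Indirect Command Execution</match>
<description>MITRE T1202 Indirect Command Execution: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1202,</group>
</rule>
<rule id="255560" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Time Providers</match>
<description>MITRE T1209 Time Providers: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1209,</group>
</rule>
<!-- 255561, 255563, 255565 to 255567 chain from the broad "sysmon" group rather than a
     specific event group, so they can match any Sysmon event type. -->
<rule id="255561" level="5">
<if_group>sysmon</if_group>
<match>technique_name=Regsvr32</match>
<description>MITRE T1218 Regsvr32: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1218,</group>
</rule>
<rule id="255562" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Signed Binary Proxy Execution</match>
<description>MITRE T1218 Signed Binary Proxy Execution: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1218,</group>
</rule>
<rule id="255563" level="10">
<if_group>sysmon</if_group>
<!-- TODO(review): the match and the attack.t1218 group say "Signed Binary Proxy Execution" but
     the description says "Signed Script Proxy Execution" (a different technique, T1216). Either the
     match or the description is wrong; as written this rule duplicates 255562 at level 10. -->
<match>technique_name=Signed Binary Proxy Execution</match>
<description>MITRE T1218 Signed Script Proxy Execution: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1218,</group>
</rule>
<rule id="255564" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=Masquerading</match>
<description>MITRE T1036 Masquerading: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1036,</group>
</rule>
<rule id="255565" level="5">
<if_group>sysmon</if_group>
<match>technique_name=System Network Configuration Discovery</match>
<description>MITRE T1016 System Network Configuration Discovery: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1016,</group>
</rule>
<rule id="255566" level="5">
<if_group>sysmon</if_group>
<match>technique_name=Windows Remote Management</match>
<description>MITRE T1028 Windows Remote Management: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1028,</group>
</rule>
<rule id="255567" level="5">
<if_group>sysmon</if_group>
<match>technique_name=Service Execution</match>
<description>MITRE T1035 Service Execution: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1035,</group>
</rule>
<rule id="255568" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=Regsvr32</match>
<description>MITRE T1218 Regsvr32: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1218,</group>
</rule>
<rule id="255569" level="6">
<if_group>sysmon_event3</if_group>
<match>technique_name=Commonly Used Port</match>
<!-- Fixed: technique id was printed as "T043"; the group tag is attack.t1043. -->
<description>MITRE T1043 Commonly Used Port: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1043,</group>
</rule>
<rule id="255570" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=PowerShell</match>
<description>MITRE T1086 Powershell Network Connection: $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1086,</group>
</rule>
</group>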
<group name="credential_access,MITRE,">
<!--
Credential-access detections: GPP cpassword hunting with findstr, NTLM downgrade registry
edits, a SafetyKatz drop artefact, LSASS access and the WDigest plaintext switch, plus a
level-0 allowlist for the processes expected to open LSASS.
-->
<rule id="255103" level="8">
<if_group>sysmon_event1</if_group>
<!-- findstr.exe with "cpassword" in the event: searching SYSVOL for Group Policy Preference passwords. -->
<field name="win.eventdata.sourceImage">\\findstr.exe</field>
<regex>cpassword</regex>
<description>Finding Passwords in SYSVOL & Exploiting Group Policy Preferences : MITRE ATT&CK T1081 - https://adsecurity.org/?p=2288</description>
<group>MITRE,attack.t1081,</group>
</rule>
<!-- 255104/255105 chain from 255547 (the sysmon-modular "Authentication Package" rule on
     registry events), so they only fire when the endpoint Sysmon config tags writes under
     the Lsa key with that technique name. -->
<rule id="255104" level="10">
<if_sid>255547</if_sid>
<regex>HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LMCompatibilityLevel</regex>
<description>ATT&CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue</description>
<group>MITRE,attack.t1075</group>
</rule>
<rule id="255105" level="10">
<if_sid>255547</if_sid>
<regex>HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic</regex>
<description>ATT&CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue</description>
<group>MITRE,attack.t1075</group>
</rule>
<rule id="255106" level="10">
<!-- Sysmon Event 11 (file create) of the fixed output path SafetyKatz writes. A renamed
     output path defeats this, so treat it as a low-cost indicator rather than coverage. -->
<if_group>sysmon_event_11</if_group>
<regex>\\Temp\\debug.bin</regex>
<description>Detects possible SafetyKatz Behaviour</description>
<group>MITRE,attack.t1003,sigma</group>
</rule>
<rule id="255107" level="12">
<!-- Sysmon Event 10 (ProcessAccess) with lsass.exe as the target. Fires for every access
     the Sysmon config reports, so volume depends on that config; the access mask Sysmon
     records (GrantedAccess) is the usual way to narrow it further. The level-0 rule 255109
     below removes the listed benign accessors. -->
<if_group>sysmon_event_10</if_group>
<field name="win.eventdata.targetImage">\\lsass.exe</field>
<description>ATT&CK T1003: Detects possible Mimikatz Activity, LSASS access, check parent process</description>
<group>MITRE,attack.t1003,</group>
</rule>
<rule id="255108" level="12">
<!-- Sysmon Event 13 (registry value set) on the WDigest UseLogonCredential value. -->
<if_group>sysmon_event_13</if_group>
<field name="win.eventdata.targetObject">\\WDigest\\UseLogonCredential</field>
<description>ATT&CK T1003: Detects possible Mimikatz Activity, registry edit for WDigest plain text credentials</description>
<group>MITRE,attack.t1003,</group>
</rule>
<rule id="255109" level="0">
<if_sid>255107</if_sid>
<!-- SECURITY NOTE(review): this suppression matches on file name only, so a binary named
     csrss.exe, wininit.exe, MsMpEng.exe or ossec-agent.exe in any directory silences the
     LSASS-access alert, which is exactly the masquerading (255501/255564) the rest of this
     ruleset tries to catch. Anchor each alternative to its expected install path (for example
     ^C:\\Windows\\System32\\csrss.exe$) and keep the list as short as possible. -->
<field name="win.eventdata.sourceImage">\\MsMpEng.exe|\\ossec-agent.exe|\\wininit.exe|\\csrss.exe</field>
<description>Whitelist Interaction with LSASS</description>
<group>MITRE,attack.t1003,</group>
</rule>
</group>
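<group name="WMI,">
<!--
WMIC usage for process creation and host/domain enumeration (T1047), plus WMI persistence
via the script event consumer host (scrcons.exe) and WmiPrvSE.exe spawning PowerShell.
NOTE(review): the namespace switch casing differs between rules (/namespace: versus
/NAMESPACE:). OSSEC regex matching is believed to be case-insensitive, but confirm with
the logtest tool rather than rely on it.
-->
<rule id="255200" level="12">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\WMIC.exe</field>
<regex>process call create</regex>
<description>Using WMIC for process creation: https://attack.mitre.org/techniques/T1047/</description>
<group>MITRE,attack.t1047</group>
</rule>
<rule id="255201" level="12">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\WMIC.exe</field>
<!-- Fixed: the original pattern "\\root\securitycenter2" had a single backslash before
     "securitycenter2", which OSSEC regex reads as the whitespace class \s, so the rule was
     unlikely ever to match. Escaping now follows the ldap rules below: one "\\" per literal
     backslash in the WMI namespace. -->
<regex>/namespace:\\\\root\\securitycenter2 path antivirusproduct</regex>
<description>Using WMIC for Antivirus Enumeration: https://attack.mitre.org/techniques/T1047/</description>
<group>MITRE,attack.t1047</group>
</rule>
<rule id="255202" level="8">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\WMIC.exe</field>
<regex>/NAMESPACE:\\\\root\\directory\\ldap PATH ds_user</regex>
<description>Using WMIC for Domain User Enumeration: https://attack.mitre.org/techniques/T1047/</description>
<group>MITRE,attack.t1047</group>
</rule>
<rule id="255203" level="8">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\WMIC.exe</field>
<regex>/NAMESPACE:\\\\root\\directory\\ldap PATH ds_group</regex>
<description>Using WMIC for Domain Group Enumeration: https://attack.mitre.org/techniques/T1047/</description>
<group>MITRE,attack.t1047</group>
</rule>
<rule id="255204" level="8">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\WMIC.exe</field>
<regex>USERACCOUNT</regex>
<description>Using WMIC for Local Account Enumeration: https://attack.mitre.org/techniques/T1047/</description>
<group>MITRE,attack.t1047</group>
</rule>
<rule id="255205" level="8">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\WMIC.exe</field>
<regex>NTDOMAIN</regex>
<description>Using WMIC for Domain Enumeration: https://attack.mitre.org/techniques/T1047/</description>
<group>MITRE,attack.t1047</group>
</rule>
<rule id="255206" level="8">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\WMIC.exe</field>
<!-- Fixed: the WMIC alias for installed hotfixes is "qfe" (Quick Fix Engineering); the
     original "gfe list brief" is not a WMIC command and could not match. -->
<regex>qfe list brief</regex>
<description>Using WMIC for Host Patch Level Enumeration: https://attack.mitre.org/techniques/T1047/</description>
<group>MITRE,attack.t1047</group>
</rule>
<rule id="255207" level="8">
<!-- Any process-creation event whose image is the WMI script event consumer host. The
     description mentions a file write, but this rule chains from sysmon_event1, not a file event. -->
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\scrcons.exe</field>
<description>WMI persistence Script Event Consumer File Write : https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ </description>
<group>MITRE,attack.t1084</group>
</rule>
<rule id="255208" level="10">
<!-- PowerShell (255000) whose parent is the WMI provider host: typical of WMI-launched commands. -->
<if_sid>255000</if_sid>
<field name="win.eventdata.parentImage">\\WmiPrvSE.exe</field>
<description>WmiPrvSE event spawning powershell</description>
<group>MITRE,attack.t1047</group>
</rule>
</group>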
<group name="Defense Evasion,Windows Defender">
<!--
Windows Defender tampering seen through the Defender operational event log. All three
rules chain from ids defined outside this file (18101, 83000); if those parents are not
loaded these rules are orphaned.
NOTE(review): the group names "Defense Evasion" and "Windows Defender" contain spaces,
unlike the lowercase single-token groups used elsewhere in this file; confirm downstream
filters expect that exact string.
-->
<rule id="255300" level="10">
<if_sid>18101</if_sid>
<regex>Windows Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled</regex>
<description>Windows Defender: Realtime Detection Disabled: https://attack.mitre.org/techniques/T1089/</description>
<group>gdpr_IV_35.7.d,MITRE,attack.t1089,</group>
</rule>
<rule id="255301" level="12">
<if_sid>83000</if_sid>
<!-- Matches on Defender event id 3002 alone. NOTE(review): confirm that 3002 is the
     "missing rules" condition the description claims; the event id is the only evidence used. -->
<id>3002</id>
<description>Windows Defender: Antivirus Rules Missing: https://attack.mitre.org/techniques/T1089/</description>
<group>MITRE,attack.t1089</group>
</rule>
<rule id="255302" level="10">
<if_sid>18101</if_sid>
<!-- Event 5007 is a Defender configuration change; the regex looks for an exclusion of the whole C: drive. -->
<id>5007</id>
<regex>C:\\ = 0x0</regex>
<description>Windows Defender: C:\ Path Excluded, check for malware: https://attack.mitre.org/techniques/T1089/</description>
<group>gdpr_IV_35.7.d,MITRE,attack.t1089,</group>
</rule>
</group>
<group name="privesc,">
<!--
Single rule: a PowerShell process (255531, the sysmon-modular PowerShell tag) whose event
mentions csc.exe and "cmdline", i.e. the C# compiler being driven from a PowerShell command
line, which is how in-memory shellcode loaders are commonly built. Tagged T1055 although the
group is named privesc.
-->
<rule id="255600" level="12">
<if_sid>255531</if_sid>
<regex>\\csc.exe</regex>
<match>cmdline</match>
<description>ATT&CK T1055: Suspected Shellcode Compile on Endpoint</description>
<group>MITRE,attack.t1055,</group>
</rule>
</group>
<group name="persistence,">
<!--
Persistence through service registry entries and the Startup folder.
-->
<rule id="255700" level="9">
<!-- Sysmon Event 13 (registry value set) where services.exe appears anywhere in the event,
     i.e. the service control manager writing a new service definition. -->
<if_group>sysmon_event_13</if_group>
<regex>services.exe</regex>
<description>ATT&CK T1058:Registry edit for new service</description>
<group>MITRE,attack.t1058</group>
</rule>
<rule id="255701" level="12">
<if_sid>255700</if_sid>
<!-- NOTE(review): OSSEC regex reads "\\" as one backslash and "." literally, so "\\.exe"
     requires a backslash immediately before ".exe" and will not match a normal path such as
     "...\svchost.exe". Elsewhere in this file the extension is written without the backslash
     (for example ".doc" in 255003). Verify with the logtest tool; ".exe" is probably intended. -->
<field name="win.eventdata.details">\\.exe</field>
<description>ATT&CK T1058:Executable written to Registry for Persistence</description>
<group>MITRE,attack.t1058</group>
</rule>
<rule id="255702" level="12">
<!-- Sysmon Event 11 (file create) under a Startup folder. NOTE(review): this is a <match>,
     not a <regex>; confirm the match syntax treats "\\" as a single backslash the way the
     <regex> and <field> patterns in this file rely on. -->
<if_group>sysmon_event_11</if_group>
<match>\\Programs\\Startup</match>
<description>ATT&CK T1060: Potential Persistence Method via Startup Folder</description>
<group>MITRE,attack.t1060</group>
</rule>
</group>
<group name="Defense Evasion,">
<!--
mshta.exe launched from a browser context and netsh commands that switch the Windows
firewall off. NOTE(review): the group name contains a space, unlike the lowercase
single-token groups used elsewhere in this file.
-->
<rule id="255800" level="10">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\mshta.exe</field>
<!-- browser_broker.exe appearing in an mshta process-creation event (Edge launching HTA content). -->
<regex>browser_broker.exe</regex>
<description>ATT&CK T1170: MSHTA execution demiguise techniques</description>
<group>MITRE,attack.t1170</group>
</rule>
<rule id="255801" level="10">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\mshta.exe</field>
<regex>chrome.exe</regex>
<description>ATT&CK T1170: MSHTA execution demiguise techniques</description>
<group>MITRE,attack.t1170</group>
</rule>
<!-- 255802/255803: legacy ("firewall set opmode") and current ("advfirewall") netsh syntax
     for disabling the firewall. Neither rule restricts the image to netsh.exe, so the
     substring anywhere in a process-creation event matches. -->
<rule id="255802" level="10">
<if_group>sysmon_event1</if_group>
<regex>firewall set opmode mode=disable</regex>
<description>ATT&CK T1089: Disabling the Windows Firewall</description>
<group>MITRE,attack.t1089</group>
</rule>
<rule id="255803" level="10">
<if_group>sysmon_event1</if_group>
<regex>advfirewall set currentprofile state off</regex>
<description>ATT&CK T1089: Disabling the Windows Firewall</description>
<group>MITRE,attack.t1089</group>
</rule>
</group>
<group name="execution,">
<rule id="255901" level="12">
<!-- PowerShell process (255531) whose event carries an encoded-command switch followed by
     "PAA" (the base64 prefix of a UTF-16 "<") or one of the base64 fragments listed, which
     the author attributes to Emotet launchers. Substring matches over the whole event. -->
<if_sid>255531</if_sid>
<regex>-e PAA|-en PAA|-enc PAA|-enco PAA|-encod PAA|JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ|QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA|kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA|IgAoACcAKgAnACkAOwAkA|IAKAAnACoAJwApADsAJA|iACgAJwAqACcAKQA7ACQA</regex>
<description>ATT&CK T1059: Powershell execution techniques seen with Emotet malware</description>
<group>MITRE,attack.t1059</group>
</rule>
<rule id="255902" level="12">
<!-- PowerShell process (255531) with the exact switch sequence the author attributes to the
     default PowerShell Empire launcher. A trivially reordered switch set evades this. -->
<if_sid>255531</if_sid>
<regex>-noP -sta -w 1 -enc</regex>
<description>ATT&CK T1059: Powershell execution techniques default PowerShell Empire launcher</description>
<group>MITRE,attack.t1059</group>
</rule>
<rule id="255903" level="10">
<if_group>sysmon_event1</if_group>
<regex>certutil -urlcache -split -f </regex>
<description>ATT&CK T1059: CertUtil Download Technique</description>
<group>MITRE,attack.t1059</group>
</rule>
<rule id="255904" level="12">
<!-- PowerShell process (255531) with the switch sequence the author attributes to the
     default PoshC2 launcher; exact-order substring, like 255902. -->
<if_sid>255531</if_sid>
<regex>-exec bypass -Noninteractive -windowstyle hidden -e</regex>
<description>ATT&CK T1059: Powershell execution techniques default Posh C2 launcher</description>
<group>MITRE,attack.t1059</group>
</rule>
<rule id="255905" level="12">
<!-- PowerShell process (255531) whose event contains both "/w 1" (regex) and
     "value.toString" (match); both conditions must hold. -->
<if_sid>255531</if_sid>
<regex>/w 1</regex>
<match>value.toString</match>
<description>ATT&CK T1059: Powershell execution techniques default Unicorn Powershell Meterpreter launcher</description>
<group>MITRE,attack.t1059</group>
</rule>
<rule id="255906" level="9">
<if_sid>60100</if_sid>
<field name="win.system.eventID">^400$</field>
<regex>PowerShell</regex>
<description>Windows PowerShell was started.</description>
</rule>
<rule id="255907" level="9">
<if_sid>60100</if_sid>
<field name="win.system.eventID">^800$</field>
<regex>PowerShell</regex>
<description>Windows PowerShell command executed.</description>
</rule>
<rule id="255910" level="12">
<if_group>sysmon_event1</if_group>
<regex>englishsize|adamteapot|initijpn|classchx|choreengine|pixelproc|cablesongs|mscmsknown</regex>
<description>Potential Emotet Execuatble running detection</description>
<group>MITRE,execution</group>
</rule>
<rule id="255911" level="12">
<if_group>sysmon_event3</if_group>
<regex>englishsize|adamteapot|initijpn|classchx|choreengine|pixelproc|vertclient|cablesongs|mscmsknown</regex>
<description>Potential Emotet Execuatble running detection</description>
<group>MITRE,execution</group>
</rule>
<rule id="255912" level="12">
<field name="win.eventdata.currentDirectory">AppData\\Roaming</field>
<regex>ipconfig|workstation|domain_trusts</regex>
<description>Potential Trickbot Execuatble running local and domain reconasiance</description>
<group>MITRE,execution</group>
</rule>
<rule id="255913" level="12">
<if_group>sysmon_event1</if_group>
<regex>Roaming\\NuiGet|Roaming\\HomeLan|Roaming\\netRest|Roaming\\netcloud|Roaming\\netRest</regex>
<description>Potential Emotet Executable running detection</description>
<group>MITRE,execution</group>
</rule>
<rule id="255914" level="12">
<if_group>sysmon_event3</if_group>
<regex>Roaming\\NuiGet|Roaming\\HomeLan|Roaming\\netRest|Roaming\\netcloud|Roaming\\netRest</regex>
<description>Potential Emotet Executable running detection</description>
<group>MITRE,execution</group>
</rule>
<rule id="255915" level="12">
<if_sid>255531</if_sid>
<regex>RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==</regex>
<description>ATT&CK T1486: Powershell Ransomware technique to delete shadow copies seen in Sodinokibi strains</description>
<group>MITRE,attack.t1486,ransomware</group>
</rule>
<rule id="255916" level="12">
<if_group>sysmon_event1</if_group>
<regex>WMIC.exe shadowcopy delete</regex>
<description>ATT&CK T1486: WMIC Ransomware technique to delete shadow copies seen in Robinhood strains</description>
<group>MITRE,attack.t1486,ransomware</group>
</rule>
<rule id="255917" level="12">
<if_group>sysmon_event1</if_group>
<regex>vssadmin delete shadows /all /quiet</regex>
<description>ATT&CK T1486:Ransomware technique to delete shadow copies</description>
<group>MITRE,attack.t1486,ransomware</group>
</rule>
<rule id="255918" level="12">
<if_group>sysmon_event1</if_group>
<regex>/c Bcdedit.exe /set {default} recoveryenabled no</regex>
<description>ATT&CK T1486:Ransomware technique to delete backups seen in Robinhood strains</description>
<group>MITRE,attack.t1486,ransomware</group>
</rule>
<rule id="255919" level="12">
<if_group>sysmon_event1</if_group>
<regex>wbadmin delete catalog -quiet</regex>
<description>ATT&CK T1486:Ransomware technique to delete backups seen in Wannacry strains</description>
<group>MITRE,attack.t1486,ransomware</group>
</rule>
<rule id="255920" level="12">
<if_group>sysmon_event1</if_group>
<regex>icacls . /grant Everyone:F /T /C /Q</regex>
<description>ATT&CK T1486:Ransomware technique to grant all permissions seen in Wannacry strains</description>
<group>MITRE,attack.t1486,ransomware</group>
</rule>
<rule id="255921" level="12">
<if_group>sysmon_event1</if_group>
<regex>gandcrab.bit|ransomware.bit|carder.bit</regex>
<description>ATT&CK T1486:Ransomware technique to look up Ransomware Domains seen in Gandcrab strain</description>
<group>MITRE,attack.t1486,ransomware</group>
</rule>
<rule id="255922" level="12">
<if_group>sysmon_event1</if_group>
<regex>EQNEDT32.EXE</regex>
<description>ATT&CK T1173: Potential use of Microsoft Equation Editor for Exploitation</description>
<group>MITRE,attack.t1173,</group>
</rule>
<rule id="255923" level="12">
<if_sid>255561</if_sid>
<field name="win.eventdata.parentImage">\\powershell.exe</field>
<description>ATT&CK T1117: Regsrv32 execution spawned from Powershell (Ursnif IOC)</description>
<group>MITRE,attack.t1117</group>
</rule>
<rule id="255924" level="12">
<if_sid>255901</if_sid>
<regex>IwBwAGEAY</regex>
<description>ATT&CK T1059: Powershell Signature Matching Ursnif Malware</description>
<group>MITRE,attack.t1059</group>
</rule>
<rule id="255925" level="5">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.sourceImage">\\WScript.exe</field>
<description>ATT&CK T1064: WScript Execution $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1064</group>
</rule>
<rule id="255926" level="12">
<if_sid>255925</if_sid>
<regex>WINWORD.exe</regex>
<description>ATT&CK T1064: Word Executing WScript $(win.eventdata.sourceImage)</description>
<group>MITRE,attack.t1064</group>
</rule>
</group>