Rules Update
wagga40 committed Sep 23, 2024
1 parent 364c453 commit 3ceede9
Showing 12 changed files with 133 additions and 19 deletions.
4 changes: 2 additions & 2 deletions rules_linux.json
Expand Up @@ -1691,7 +1691,7 @@
],
"level": "low",
"rule": [
"SELECT * FROM logs WHERE (((Image LIKE '%/nc' ESCAPE '\\' OR Image LIKE '%/ncat' ESCAPE '\\' OR Image LIKE '%/netcat' ESCAPE '\\' OR Image LIKE '%/socat' ESCAPE '\\') AND NOT ((CommandLine LIKE '% --listen %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\'))) OR (Image LIKE '%/autorecon' ESCAPE '\\' OR Image LIKE '%/hping' ESCAPE '\\' OR Image LIKE '%/hping2' ESCAPE '\\' OR Image LIKE '%/hping3' ESCAPE '\\' OR Image LIKE '%/naabu' ESCAPE '\\' OR Image LIKE '%/nmap' ESCAPE '\\' OR Image LIKE '%/nping' ESCAPE '\\' OR Image LIKE '%/telnet' ESCAPE '\\'))"
"SELECT * FROM logs WHERE (((Image LIKE '%/nc' ESCAPE '\\' OR Image LIKE '%/ncat' ESCAPE '\\' OR Image LIKE '%/netcat' ESCAPE '\\' OR Image LIKE '%/socat' ESCAPE '\\') AND NOT ((CommandLine LIKE '% --listen %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\'))) OR (Image LIKE '%/autorecon' ESCAPE '\\' OR Image LIKE '%/hping' ESCAPE '\\' OR Image LIKE '%/hping2' ESCAPE '\\' OR Image LIKE '%/hping3' ESCAPE '\\' OR Image LIKE '%/naabu' ESCAPE '\\' OR Image LIKE '%/nmap' ESCAPE '\\' OR Image LIKE '%/nping' ESCAPE '\\' OR Image LIKE '%/telnet' ESCAPE '\\' OR Image LIKE '%/zenmap' ESCAPE '\\'))"
],
"filename": "proc_creation_lnx_susp_network_utilities_execution.yml"
},
Expand Down Expand Up @@ -1985,7 +1985,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((Image LIKE '%/crackmapexec' ESCAPE '\\' OR Image LIKE '%/havoc' ESCAPE '\\' OR Image LIKE '%/merlin-agent' ESCAPE '\\' OR Image LIKE '%/merlinServer-Linux-x64' ESCAPE '\\' OR Image LIKE '%/msfconsole' ESCAPE '\\' OR Image LIKE '%/msfvenom' ESCAPE '\\' OR Image LIKE '%/ps-empire server' ESCAPE '\\' OR Image LIKE '%/ps-empire' ESCAPE '\\' OR Image LIKE '%/sliver-client' ESCAPE '\\' OR Image LIKE '%/sliver-server' ESCAPE '\\' OR Image LIKE '%/Villain.py' ESCAPE '\\') OR (Image LIKE '%/cobaltstrike%' ESCAPE '\\' OR Image LIKE '%/teamserver%' ESCAPE '\\') OR (Image LIKE '%/autorecon' ESCAPE '\\' OR Image LIKE '%/httpx' ESCAPE '\\' OR Image LIKE '%/legion' ESCAPE '\\' OR Image LIKE '%/naabu' ESCAPE '\\' OR Image LIKE '%/netdiscover' ESCAPE '\\' OR Image LIKE '%/nmap' ESCAPE '\\' OR Image LIKE '%/nuclei' ESCAPE '\\' OR Image LIKE '%/recon-ng' ESCAPE '\\' OR Image LIKE '%/zenmap' ESCAPE '\\') OR Image LIKE '%/sniper%' ESCAPE '\\' OR (Image LIKE '%/dirb' ESCAPE '\\' OR Image LIKE '%/dirbuster' ESCAPE '\\' OR Image LIKE '%/eyewitness' ESCAPE '\\' OR Image LIKE '%/feroxbuster' ESCAPE '\\' OR Image LIKE '%/ffuf' ESCAPE '\\' OR Image LIKE '%/gobuster' ESCAPE '\\' OR Image LIKE '%/wfuzz' ESCAPE '\\' OR Image LIKE '%/whatweb' ESCAPE '\\') OR (Image LIKE '%/joomscan' ESCAPE '\\' OR Image LIKE '%/nikto' ESCAPE '\\' OR Image LIKE '%/wpscan' ESCAPE '\\') OR (Image LIKE '%/aircrack-ng' ESCAPE '\\' OR Image LIKE '%/bloodhound-python' ESCAPE '\\' OR Image LIKE '%/bpfdos' ESCAPE '\\' OR Image LIKE '%/ebpfki' ESCAPE '\\' OR Image LIKE '%/evil-winrm' ESCAPE '\\' OR Image LIKE '%/hashcat' ESCAPE '\\' OR Image LIKE '%/hoaxshell.py' ESCAPE '\\' OR Image LIKE '%/hydra' ESCAPE '\\' OR Image LIKE '%/john' ESCAPE '\\' OR Image LIKE '%/ncrack' ESCAPE '\\' OR Image LIKE '%/nxc-ubuntu-latest' ESCAPE '\\' OR Image LIKE '%/pidhide' ESCAPE '\\' OR Image LIKE '%/pspy32' ESCAPE '\\' OR Image LIKE '%/pspy32s' ESCAPE '\\' OR Image LIKE '%/pspy64' ESCAPE '\\' OR Image LIKE 
'%/pspy64s' ESCAPE '\\' OR Image LIKE '%/setoolkit' ESCAPE '\\' OR Image LIKE '%/sqlmap' ESCAPE '\\' OR Image LIKE '%/writeblocker' ESCAPE '\\') OR Image LIKE '%/linpeas%' ESCAPE '\\')"
"SELECT * FROM logs WHERE ((Image LIKE '%/crackmapexec' ESCAPE '\\' OR Image LIKE '%/havoc' ESCAPE '\\' OR Image LIKE '%/merlin-agent' ESCAPE '\\' OR Image LIKE '%/merlinServer-Linux-x64' ESCAPE '\\' OR Image LIKE '%/msfconsole' ESCAPE '\\' OR Image LIKE '%/msfvenom' ESCAPE '\\' OR Image LIKE '%/ps-empire server' ESCAPE '\\' OR Image LIKE '%/ps-empire' ESCAPE '\\' OR Image LIKE '%/sliver-client' ESCAPE '\\' OR Image LIKE '%/sliver-server' ESCAPE '\\' OR Image LIKE '%/Villain.py' ESCAPE '\\') OR (Image LIKE '%/cobaltstrike%' ESCAPE '\\' OR Image LIKE '%/teamserver%' ESCAPE '\\') OR (Image LIKE '%/autorecon' ESCAPE '\\' OR Image LIKE '%/httpx' ESCAPE '\\' OR Image LIKE '%/legion' ESCAPE '\\' OR Image LIKE '%/naabu' ESCAPE '\\' OR Image LIKE '%/netdiscover' ESCAPE '\\' OR Image LIKE '%/nuclei' ESCAPE '\\' OR Image LIKE '%/recon-ng' ESCAPE '\\') OR Image LIKE '%/sniper%' ESCAPE '\\' OR (Image LIKE '%/dirb' ESCAPE '\\' OR Image LIKE '%/dirbuster' ESCAPE '\\' OR Image LIKE '%/eyewitness' ESCAPE '\\' OR Image LIKE '%/feroxbuster' ESCAPE '\\' OR Image LIKE '%/ffuf' ESCAPE '\\' OR Image LIKE '%/gobuster' ESCAPE '\\' OR Image LIKE '%/wfuzz' ESCAPE '\\' OR Image LIKE '%/whatweb' ESCAPE '\\') OR (Image LIKE '%/joomscan' ESCAPE '\\' OR Image LIKE '%/nikto' ESCAPE '\\' OR Image LIKE '%/wpscan' ESCAPE '\\') OR (Image LIKE '%/aircrack-ng' ESCAPE '\\' OR Image LIKE '%/bloodhound-python' ESCAPE '\\' OR Image LIKE '%/bpfdos' ESCAPE '\\' OR Image LIKE '%/ebpfki' ESCAPE '\\' OR Image LIKE '%/evil-winrm' ESCAPE '\\' OR Image LIKE '%/hashcat' ESCAPE '\\' OR Image LIKE '%/hoaxshell.py' ESCAPE '\\' OR Image LIKE '%/hydra' ESCAPE '\\' OR Image LIKE '%/john' ESCAPE '\\' OR Image LIKE '%/ncrack' ESCAPE '\\' OR Image LIKE '%/nxc-ubuntu-latest' ESCAPE '\\' OR Image LIKE '%/pidhide' ESCAPE '\\' OR Image LIKE '%/pspy32' ESCAPE '\\' OR Image LIKE '%/pspy32s' ESCAPE '\\' OR Image LIKE '%/pspy64' ESCAPE '\\' OR Image LIKE '%/pspy64s' ESCAPE '\\' OR Image LIKE '%/setoolkit' ESCAPE '\\' OR Image LIKE 
'%/sqlmap' ESCAPE '\\' OR Image LIKE '%/writeblocker' ESCAPE '\\') OR Image LIKE '%/linpeas%' ESCAPE '\\')"
],
"filename": "proc_creation_lnx_susp_hktl_execution.yml"
},
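Review bot: In the first hunk the listener exclusion on the new side, `NOT ((CommandLine LIKE '% --listen %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\'))`, only suppresses the alert when the flag is surrounded by spaces on both sides, so a command line that ends in `-l` (no trailing space) or uses a combined flag form is not excluded and still produces a "low" alert for the nc/ncat/netcat/socat images; if the exclusion is meant to cover listener mode generally, the patterns should be widened (e.g. also `'% -l'` anchored at end of string) and a comment saying so added. The `filename` field points at `proc_creation_lnx_susp_network_utilities_execution.yml`, which suggests this JSON is generated from a Sigma rule, so the fix presumably belongs in that source rather than in a hand edit here. The second hunk, which drops `%/zenmap` from the hktl rule, is consistent with the addition in the first hunk and needs no change.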
2 changes: 1 addition & 1 deletion rules_windows_generic.json
Expand Up @@ -335,7 +335,7 @@
"title": "Windows Defender Real-time Protection Disabled",
"id": "b28e58e4-2a72-4fae-bdee-0fbe904db642",
"status": "stable",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"author": "Ján Trenčanský, frack113",
"tags": [
"attack.defense-evasion",
23 changes: 21 additions & 2 deletions rules_windows_generic_full.json
Expand Up @@ -3441,7 +3441,7 @@
"title": "Windows Defender Real-time Protection Disabled",
"id": "b28e58e4-2a72-4fae-bdee-0fbe904db642",
"status": "stable",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"author": "J\u00e1n Tren\u010dansk\u00fd, frack113",
"tags": [
"attack.defense-evasion",
Expand Down Expand Up @@ -33964,7 +33964,7 @@
"filename": ""
},
{
"title": "Windows Defender Exclusion Reigstry Key - Write Access Requested",
"title": "Windows Defender Exclusion Registry Key - Write Access Requested",
"id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d",
"status": "test",
"description": "Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\n",
Expand Down Expand Up @@ -47252,6 +47252,25 @@
],
"filename": ""
},
{
"title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral",
"id": "74a2b202-73e0-4693-9a3a-9d36146d0775",
"status": "experimental",
"description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n",
"author": "@Kostastsale",
"tags": [
"attack.command-and-control",
"attack.t1219"
],
"falsepositives": [
"False positives can be found in environments using MessAgent for remote management, analysis should prioritize the grandparent process, MessAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host."
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (ParentProcessName LIKE '%\\\\meshagent.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')))"
],
"filename": ""
},
{
"title": "Uncommon Child Process Of AddinUtil.EXE",
"id": "b5746143-59d6-4603-8d06-acbd60e166ee",
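Review bot: The `falsepositives` entry of the new MeshAgent rule spells the product "MessAgent" and "MessAgent.exe" while the title, description and query use MeshAgent / `meshagent.exe`, so an analyst searching the rule set for the tool name will miss the triage guidance; it should read `"False positives can be found in environments using MeshAgent for remote management, analysis should prioritize the grandparent process, MeshAgent.exe, ..."`. That same text tells analysts to look at the grandparent process, whereas the query keys on the direct parent (`ParentProcessName LIKE '%\\\\meshagent.exe'`), so either the guidance or the match should be reconciled, or the guidance should say explicitly that the rule matches one level up and the analyst is expected to pivot further. The pattern is lowercase although the title names the binary as MeshAgent; this presumably relies on the backing engine's LIKE being case-insensitive for ASCII, which is worth a comment in the source rule so a future case-sensitive LIKE setting does not silently break the match. The identical rule text is added in rules_windows_generic_medium.json, rules_windows_generic_pysigma.json and rules_windows_sysmon_full.json (the last with ParentImage/Image), and the same corrections apply there.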
2 changes: 1 addition & 1 deletion rules_windows_generic_high.json
Expand Up @@ -335,7 +335,7 @@
"title": "Windows Defender Real-time Protection Disabled",
"id": "b28e58e4-2a72-4fae-bdee-0fbe904db642",
"status": "stable",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"author": "Ján Trenčanský, frack113",
"tags": [
"attack.defense-evasion",
23 changes: 21 additions & 2 deletions rules_windows_generic_medium.json
Expand Up @@ -3441,7 +3441,7 @@
"title": "Windows Defender Real-time Protection Disabled",
"id": "b28e58e4-2a72-4fae-bdee-0fbe904db642",
"status": "stable",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"author": "J\u00e1n Tren\u010dansk\u00fd, frack113",
"tags": [
"attack.defense-evasion",
Expand Down Expand Up @@ -33964,7 +33964,7 @@
"filename": ""
},
{
"title": "Windows Defender Exclusion Reigstry Key - Write Access Requested",
"title": "Windows Defender Exclusion Registry Key - Write Access Requested",
"id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d",
"status": "test",
"description": "Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\n",
Expand Down Expand Up @@ -47252,6 +47252,25 @@
],
"filename": ""
},
{
"title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral",
"id": "74a2b202-73e0-4693-9a3a-9d36146d0775",
"status": "experimental",
"description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n",
"author": "@Kostastsale",
"tags": [
"attack.command-and-control",
"attack.t1219"
],
"falsepositives": [
"False positives can be found in environments using MessAgent for remote management, analysis should prioritize the grandparent process, MessAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host."
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (ParentProcessName LIKE '%\\\\meshagent.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')))"
],
"filename": ""
},
{
"title": "Uncommon Child Process Of AddinUtil.EXE",
"id": "b5746143-59d6-4603-8d06-acbd60e166ee",
23 changes: 21 additions & 2 deletions rules_windows_generic_pysigma.json
Expand Up @@ -3441,7 +3441,7 @@
"title": "Windows Defender Real-time Protection Disabled",
"id": "b28e58e4-2a72-4fae-bdee-0fbe904db642",
"status": "stable",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"author": "J\u00e1n Tren\u010dansk\u00fd, frack113",
"tags": [
"attack.defense-evasion",
Expand Down Expand Up @@ -33964,7 +33964,7 @@
"filename": ""
},
{
"title": "Windows Defender Exclusion Reigstry Key - Write Access Requested",
"title": "Windows Defender Exclusion Registry Key - Write Access Requested",
"id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d",
"status": "test",
"description": "Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\n",
Expand Down Expand Up @@ -47252,6 +47252,25 @@
],
"filename": ""
},
{
"title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral",
"id": "74a2b202-73e0-4693-9a3a-9d36146d0775",
"status": "experimental",
"description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n",
"author": "@Kostastsale",
"tags": [
"attack.command-and-control",
"attack.t1219"
],
"falsepositives": [
"False positives can be found in environments using MessAgent for remote management, analysis should prioritize the grandparent process, MessAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host."
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (ParentProcessName LIKE '%\\\\meshagent.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')))"
],
"filename": ""
},
{
"title": "Uncommon Child Process Of AddinUtil.EXE",
"id": "b5746143-59d6-4603-8d06-acbd60e166ee",
2 changes: 1 addition & 1 deletion rules_windows_sysmon.json
Expand Up @@ -335,7 +335,7 @@
"title": "Windows Defender Real-time Protection Disabled",
"id": "b28e58e4-2a72-4fae-bdee-0fbe904db642",
"status": "stable",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"author": "Ján Trenčanský, frack113",
"tags": [
"attack.defense-evasion",
23 changes: 21 additions & 2 deletions rules_windows_sysmon_full.json
Expand Up @@ -3441,7 +3441,7 @@
"title": "Windows Defender Real-time Protection Disabled",
"id": "b28e58e4-2a72-4fae-bdee-0fbe904db642",
"status": "stable",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"author": "J\u00e1n Tren\u010dansk\u00fd, frack113",
"tags": [
"attack.defense-evasion",
Expand Down Expand Up @@ -33964,7 +33964,7 @@
"filename": ""
},
{
"title": "Windows Defender Exclusion Reigstry Key - Write Access Requested",
"title": "Windows Defender Exclusion Registry Key - Write Access Requested",
"id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d",
"status": "test",
"description": "Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\n",
Expand Down Expand Up @@ -47252,6 +47252,25 @@
],
"filename": ""
},
{
"title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral",
"id": "74a2b202-73e0-4693-9a3a-9d36146d0775",
"status": "experimental",
"description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n",
"author": "@Kostastsale",
"tags": [
"attack.command-and-control",
"attack.t1219"
],
"falsepositives": [
"False positives can be found in environments using MessAgent for remote management, analysis should prioritize the grandparent process, MessAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host."
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (ParentImage LIKE '%\\\\meshagent.exe' ESCAPE '\\' AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\')))"
],
"filename": ""
},
{
"title": "Uncommon Child Process Of AddinUtil.EXE",
"id": "b5746143-59d6-4603-8d06-acbd60e166ee",