Rules Update
wagga40 committed Jan 23, 2025
1 parent 9d58773 commit 6a51d13
Showing 12 changed files with 44 additions and 44 deletions.
6 changes: 3 additions & 3 deletions pdm.lock


8 changes: 4 additions & 4 deletions rules_windows_generic.json
Expand Up @@ -7830,7 +7830,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Hashes LIKE '%6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f%' ESCAPE '\\' OR Hashes LIKE '%c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\' AND (CommandLine LIKE '%servtask.bat%' ESCAPE '\\' OR CommandLine LIKE '%execute.bat%' ESCAPE '\\' OR CommandLine LIKE '%doit.bat%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%Delete%' ESCAPE '\\' AND CommandLine LIKE '%/F %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\') OR (CommandLine LIKE '%Get-ChildItem%' ESCAPE '\\' AND CommandLine LIKE '%.save%' ESCAPE '\\' AND CommandLine LIKE '%Compress-Archive -DestinationPath C:\\\\ProgramData\\\\%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Hashes LIKE '%SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\' AND (CommandLine LIKE '%servtask.bat%' ESCAPE '\\' OR CommandLine LIKE '%execute.bat%' ESCAPE '\\' OR CommandLine LIKE '%doit.bat%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%Delete%' ESCAPE '\\' AND CommandLine LIKE '%/F %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\') OR (CommandLine LIKE '%Get-ChildItem%' ESCAPE '\\' AND CommandLine LIKE '%.save%' ESCAPE '\\' AND CommandLine LIKE '%Compress-Archive -DestinationPath C:\\\\ProgramData\\\\%' ESCAPE '\\')))"
],
"filename": "proc_creation_win_apt_forest_blizzard_activity.yml"
},
Expand Down Expand Up @@ -12386,7 +12386,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\')))"
],
"filename": "proc_creation_win_renamed_dctask64.yml"
},
Expand Down Expand Up @@ -14373,7 +14373,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' OR (Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\')) AND (CommandLine LIKE '% executecmd64 %' ESCAPE '\\' OR CommandLine LIKE '% invokeexe %' ESCAPE '\\' OR CommandLine LIKE '% injectDll %' ESCAPE '\\'))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\')) AND (CommandLine LIKE '% executecmd64 %' ESCAPE '\\' OR CommandLine LIKE '% invokeexe %' ESCAPE '\\' OR CommandLine LIKE '% injectDll %' ESCAPE '\\'))"
],
"filename": "proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml"
},
Expand Down Expand Up @@ -16449,7 +16449,7 @@
],
"level": "critical",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%MD5=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))"
],
"filename": "proc_creation_win_hktl_dumpert.yml"
},
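Review bot: Every hash branch touched in this section sits under `EventID = '4688' AND Channel = 'Security'`, and as far as I know the Security 4688 process-creation event carries no Hashes field (that is a Sysmon Event ID 1 field), so `Hashes LIKE '%SHA256=…%'`, `'%IMPHASH=…%'` and `'%MD5=…%'` cannot match in this ruleset regardless of the new prefixes. The practical effect is that proc_creation_win_renamed_dctask64.yml (hash-only selection plus a name exclusion) can never fire here, and proc_creation_win_hktl_dumpert.yml at level critical reduces to the single substring `CommandLine LIKE '%Dumpert.dll%'`. If the generic rulesets are meant for hosts without Sysmon, consider dropping rules whose selection depends solely on Hashes at generation time, or at least recording the limitation next to the ruleset so nobody assumes hash coverage from these alerts. The algorithm prefixes themselves are a worthwhile tightening: without them a bare MD5 or imphash value could match inside any hash type of a Sysmon-style `SHA1=…,MD5=…,SHA256=…,IMPHASH=…` string.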
8 changes: 4 additions & 4 deletions rules_windows_generic_full.json
Expand Up @@ -2554,7 +2554,7 @@
],
"level": "critical",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (Hashes LIKE '%MD5=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))"
],
"filename": ""
},
Expand Down Expand Up @@ -9027,7 +9027,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((Hashes LIKE '%6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f%' ESCAPE '\\' OR Hashes LIKE '%c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\') AND (CommandLine LIKE '%servtask.bat%' ESCAPE '\\' OR CommandLine LIKE '%execute.bat%' ESCAPE '\\' OR CommandLine LIKE '%doit.bat%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%Delete%' ESCAPE '\\' AND CommandLine LIKE '%/F %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\')) OR (CommandLine LIKE '%Get-ChildItem%' ESCAPE '\\' AND CommandLine LIKE '%.save%' ESCAPE '\\' AND CommandLine LIKE '%Compress-Archive -DestinationPath C:\\\\ProgramData\\\\%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((Hashes LIKE '%SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\') AND (CommandLine LIKE '%servtask.bat%' ESCAPE '\\' OR CommandLine LIKE '%execute.bat%' ESCAPE '\\' OR CommandLine LIKE '%doit.bat%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '%Delete%' ESCAPE '\\' AND CommandLine LIKE '%/F %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\')) OR (CommandLine LIKE '%Get-ChildItem%' ESCAPE '\\' AND CommandLine LIKE '%.save%' ESCAPE '\\' AND CommandLine LIKE '%Compress-Archive -DestinationPath C:\\\\ProgramData\\\\%' ESCAPE '\\')))"
],
"filename": ""
},
Expand Down Expand Up @@ -13008,7 +13008,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\') AND (NOT NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\')))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((Hashes LIKE '%IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\') AND (NOT NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\')))"
],
"filename": ""
},
Expand Down Expand Up @@ -14996,7 +14996,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' OR (Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\')) AND (CommandLine LIKE '% executecmd64 %' ESCAPE '\\' OR CommandLine LIKE '% invokeexe %' ESCAPE '\\' OR CommandLine LIKE '% injectDll %' ESCAPE '\\')))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\')) AND (CommandLine LIKE '% executecmd64 %' ESCAPE '\\' OR CommandLine LIKE '% invokeexe %' ESCAPE '\\' OR CommandLine LIKE '% injectDll %' ESCAPE '\\')))"
],
"filename": ""
},
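Review bot: The new prefixed hash patterns mix cases — lowercase hex after `SHA256=` in the Forest Blizzard rule versus uppercase hex after `IMPHASH=` and `MD5=` in the dctask64 and Dumpert rules — so the rules only behave consistently if `LIKE` is case-insensitive in the target engine. The `ESCAPE '\'` form and the `logs` table suggest SQLite, whose default `LIKE` is case-insensitive for ASCII, but `PRAGMA case_sensitive_like` or any other backend would make one of the two conventions silently stop matching whichever case the log source emits (Sysmon writes uppercase hex, as I recall). Normalising the generated hex to one case, or wrapping the column (e.g. `UPPER(Hashes) LIKE '%SHA256=6B311C0A…%'`), would remove that dependency from the generator output. The grouping difference versus rules_windows_generic.json in the Forest Blizzard rule (the `Create`/`/RU`/`SYSTEM`/`WinSrv` terms parenthesised before the `.bat` alternatives) is logically equivalent, so nothing to change there.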
8 changes: 4 additions & 4 deletions rules_windows_generic_high.json
Expand Up @@ -7830,7 +7830,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Hashes LIKE '%6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f%' ESCAPE '\\' OR Hashes LIKE '%c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\' AND (CommandLine LIKE '%servtask.bat%' ESCAPE '\\' OR CommandLine LIKE '%execute.bat%' ESCAPE '\\' OR CommandLine LIKE '%doit.bat%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%Delete%' ESCAPE '\\' AND CommandLine LIKE '%/F %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\') OR (CommandLine LIKE '%Get-ChildItem%' ESCAPE '\\' AND CommandLine LIKE '%.save%' ESCAPE '\\' AND CommandLine LIKE '%Compress-Archive -DestinationPath C:\\\\ProgramData\\\\%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((Hashes LIKE '%SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\' AND (CommandLine LIKE '%servtask.bat%' ESCAPE '\\' OR CommandLine LIKE '%execute.bat%' ESCAPE '\\' OR CommandLine LIKE '%doit.bat%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%Delete%' ESCAPE '\\' AND CommandLine LIKE '%/F %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\WinSrv%' ESCAPE '\\') OR (CommandLine LIKE '%Get-ChildItem%' ESCAPE '\\' AND CommandLine LIKE '%.save%' ESCAPE '\\' AND CommandLine LIKE '%Compress-Archive -DestinationPath C:\\\\ProgramData\\\\%' ESCAPE '\\')))"
],
"filename": "proc_creation_win_apt_forest_blizzard_activity.yml"
},
Expand Down Expand Up @@ -12386,7 +12386,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\')))"
],
"filename": "proc_creation_win_renamed_dctask64.yml"
},
Expand Down Expand Up @@ -14373,7 +14373,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' OR (Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\')) AND (CommandLine LIKE '% executecmd64 %' ESCAPE '\\' OR CommandLine LIKE '% invokeexe %' ESCAPE '\\' OR CommandLine LIKE '% injectDll %' ESCAPE '\\'))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F1039CED4B91572AB7847D26032E6BBF%' ESCAPE '\\')) AND (CommandLine LIKE '% executecmd64 %' ESCAPE '\\' OR CommandLine LIKE '% invokeexe %' ESCAPE '\\' OR CommandLine LIKE '% injectDll %' ESCAPE '\\'))"
],
"filename": "proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml"
},
Expand Down Expand Up @@ -16449,7 +16449,7 @@
],
"level": "critical",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (Hashes LIKE '%MD5=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))"
],
"filename": "proc_creation_win_hktl_dumpert.yml"
},
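Review bot: The non-hash branches these four rules fall back to — `CommandLine LIKE '%Dumpert.dll%'`, the schtasks `Create`/`Delete` terms, the dctask64 `executecmd64`/`invokeexe`/`injectDll` switches — all read CommandLine from Security 4688, which as far as I know is only populated when the "Include command line in process creation events" audit policy is enabled; on a default policy the field is empty and none of these rules (three high, one critical) can fire. That prerequisite is not visible anywhere in the generated JSON, so I would carry it through from the Sigma source into the ruleset (a top-level note or a per-rule tag) so consumers can check audit policy before trusting the coverage. Also worth noting that this file's hunks are byte-identical to those in rules_windows_generic.json, so any fix applied there must be mirrored here if the two files are produced by separate generator runs.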