

Rules Update
wagga40 committed Dec 8, 2024
1 parent 5615592 commit ccda131
Showing 8 changed files with 10 additions and 10 deletions.
6 changes: 3 additions & 3 deletions pdm.lock


2 changes: 1 addition & 1 deletion rules_windows_generic_full.json
Expand Up @@ -42536,7 +42536,7 @@
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%AnyDesk%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
],
"filename": ""
},
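Review bot: The new `ServiceName LIKE '%AnyDesk%'` term, like every other term in this query, keys only on the service name, so a service registered from the AnyDesk binary under an arbitrary name is not matched even though Security 4697 also carries the image path in ServiceFileName; if the source Sigma rule matches on that field too, the regenerated SQL has dropped it, otherwise the gap is upstream. Because the six rules_*.json files change identically alongside the `sigma` submodule bump, these look like regenerated artifacts, so any widening of the match belongs in the upstream Sigma rule rather than a hand edit here. It is also worth stating in the rule's description (outside this hunk) that 4697 is only written when the "Security System Extension" audit subcategory is enabled, or the rule silently matches nothing on hosts with default audit policy.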
2 changes: 1 addition & 1 deletion rules_windows_generic_medium.json
Expand Up @@ -42536,7 +42536,7 @@
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%AnyDesk%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
],
"filename": ""
},
2 changes: 1 addition & 1 deletion rules_windows_generic_pysigma.json
Expand Up @@ -42536,7 +42536,7 @@
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%AnyDesk%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
],
"filename": ""
},
2 changes: 1 addition & 1 deletion rules_windows_sysmon_full.json
Expand Up @@ -42536,7 +42536,7 @@
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%AnyDesk%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
],
"filename": ""
},
2 changes: 1 addition & 1 deletion rules_windows_sysmon_medium.json
Expand Up @@ -42536,7 +42536,7 @@
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%AnyDesk%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
],
"filename": ""
},
2 changes: 1 addition & 1 deletion rules_windows_sysmon_pysigma.json
Expand Up @@ -42536,7 +42536,7 @@
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4697 AND (ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%AnyDesk%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%TightVNC%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\'))"
],
"filename": ""
},
2 changes: 1 addition & 1 deletion sigma
