<group name="lateral movement,">
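<!-- Sysmon Event 11 (FileCreate) attributed to PID 4, the Windows "System" process.
     In practice a user-visible file created by PID 4 is usually a write that arrived over
     SMB (an admin share), which is how PsExec-style tools drop their service binary before
     starting it. This rule matches ANY file type; the child rule 256201 raises the level
     when the name ends in .exe. Expect benign hits on file servers and on hosts where
     administrators copy files through shares, hence the low level here.
     The original description claimed "Executable transferred" although nothing in this
     rule checks the file type; the text now states what is actually matched. -->
<rule id="256200" level="5">
  <if_group>sysmon_event_11</if_group>
  <!-- ^4$ anchors the value so only PID 4 matches (not 40, 400, ...). -->
  <field name="win.eventdata.processId">^4$</field>
  <description>File written by the System process (PID 4), possible remote copy over SMB (PsExec-style), potential lateral movement</description>
  <mitre>
    <id>T1570</id>
  </mitre>
  <group>MITRE,</group>
</rule>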
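<!-- Child of 256200: the file dropped by PID 4 has an .exe name.
     The original condition was an unscoped <regex>.exe</regex>. In OS_Regex "." matches
     any character and <regex> is evaluated against the whole event, so the pattern also
     fired on strings such as "texe" anywhere in the JSON and could not be anchored to the
     end of the file name. The check is now scoped to the Sysmon TargetFilename field with
     an escaped dot and an end anchor.
     NOTE(review): the field name follows the win.eventdata.* camelCase convention used by
     the other rules in this file (Sysmon "TargetFilename"); confirm it against the decoded
     output of your Wazuh version, otherwise this rule silently never fires.
     OS_Regex in rules is case-insensitive by default on the versions this author is aware
     of, so ".EXE" should also match; verify if that matters to you. -->
<rule id="256201" level="12">
  <if_sid>256200</if_sid>
  <field name="win.eventdata.targetFilename">\.exe$</field>
  <description>Executable written by the System process (PID 4), possible PsExec-style service binary drop, potential lateral movement</description>
  <mitre>
    <id>T1570</id>
  </mitre>
  <group>MITRE,</group>
</rule>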
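<!-- Service definition whose ImagePath goes through %COMSPEC% (cmd.exe). Remote service
     execution tooling (Metasploit psexec, Impacket smbexec and similar) registers a
     throw-away service whose ImagePath is "%COMSPEC% /C ..." instead of a real binary,
     which legitimate services almost never do.
     The parent rule 255700 lives in another file of this ruleset and is not visible here;
     it is presumed to match registry service-key changes. Verify that before relying on
     this rule.
     Fix: the original tagged T1543.001, which is "Launch Agent" (a macOS technique). The
     Windows sub-technique is T1543.003 (Windows Service); T1569.002 (Service Execution)
     is added because the service is created precisely to run the command.
     The literal is kept as <regex>; OS_Regex in rules is case-insensitive by default, so
     "%ComSpec%" should also match, but confirm on your Wazuh version. -->
<rule id="256202" level="12">
  <if_sid>255700</if_sid>
  <regex>%COMSPEC%</regex>
  <description>%COMSPEC% Variable in Registry Service, potential lateral movement or persistence mechanism</description>
  <mitre>
    <id>T1543.003</id>
    <id>T1569.002</id>
  </mitre>
  <group>MITRE,</group>
</rule>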
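<!-- Successful interactive logon over RDP. Parent 60106 is the Wazuh "Windows logon
     success" (Event 4624) rule from the stock ruleset; it is not part of this file.
     Logon type 10 = RemoteInteractive, 12 = CachedRemoteInteractive. Note that a
     reconnect to an existing session is logged as type 7 (Unlock) and is NOT caught here.
     Fix: the alternation was unanchored ("10|12"); each alternative is now anchored so the
     rule matches the exact type values only, consistent with ^4$ in 256200.
     T1021.001 replaces the generic T1021 because this rule is specifically RDP.
     Level 12 on every successful RDP logon is noisy where RDP is routine; tune with a
     child rule that lowers the level for known jump hosts or source ranges. -->
<rule id="256203" level="12">
  <if_sid>60106</if_sid>
  <field name="win.eventdata.logonType">^10$|^12$</field>
  <description>Successful RDP Logon from $(win.eventdata.ipAddress)</description>
  <mitre>
    <id>T1021.001</id>
    <id>T1133</id>
  </mitre>
  <group>MITRE,</group>
</rule>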
<!-- Sysmon Event 11 (FileCreate) for a shortcut under a "Network Shortcuts" folder whose
     name contains "c$", i.e. Explorer recorded a connection to a remote host's C$ admin
     share. Both conditions must hold: the literal folder name (match) and the escaped
     "c\$" (regex, so the dollar sign is taken literally).
     This fires on the SOURCE host of the connection, and only when the share was opened
     through the shell; command-line tooling (net use, PsExec) does not necessarily leave
     a Network Shortcuts entry, so treat this as one signal among several.
     Case handling of "C$" vs "c$" depends on OS_Regex being case-insensitive by default;
     confirm on your version. -->
<rule id="256204" level="12">
  <if_group>sysmon_event_11</if_group>
  <regex>c\$</regex>
  <match>Network Shortcuts</match>
  <description>Remote System C$ drive mounted</description>
  <group>MITRE,</group>
  <mitre>
    <id>T1021.002</id>
  </mitre>
</rule>
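<!-- Classic pass-the-hash indicator: Event 4624 (parent 60106, the stock Wazuh logon
     success rule) with logon type 9 (NewCredentials) and logon process "seclogo", which
     is what Mimikatz sekurlsa::pth produces when it spawns a process with injected
     credentials.
     Caveat: "runas /netonly" also yields type 9 with logon process seclogo on the
     versions this author is aware of, so administrators using it will trip this rule;
     whitelist those accounts with a child rule rather than lowering the level here.
     Fix: the logon type value is now anchored (^9$) for consistency with the other
     field checks in this file. The "seclogo" string is still matched against the whole
     event; if your decoder exposes LogonProcessName as a field, scoping it there is the
     cleaner option. -->
<rule id="256205" level="12">
  <if_sid>60106</if_sid>
  <field name="win.eventdata.logonType">^9$</field>
  <match>seclogo</match>
  <description>Potential Pass the Hash Attack</description>
  <mitre>
    <id>T1550.002</id>
  </mitre>
  <group>MITRE,</group>
</rule>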
<!-- Sysmon Event 17 (PipeCreated) whose event text contains "msagent_", the default
     named pipe prefix of the Cobalt Strike SMB beacon (\\.\pipe\msagent_##).
     Caveats: pipe names are configurable via the Malleable C2 profile, so this only
     catches operators who kept the default; and only the pipe CREATION on the target host
     is covered here, the client-side connection is Sysmon Event 18 (sysmon_event_18 in
     the stock Sysmon rules) and would need a sibling rule. -->
<rule id="256206" level="12">
  <if_group>sysmon_event_17</if_group>
  <regex>msagent_</regex>
  <description>Cobalt Strike Named Pipe SMB Beacon usage</description>
  <group>MITRE,</group>
  <mitre>
    <id>T1071</id>
  </mitre>
</rule>
</group>