forked from vxcontrol/xp-rules
* fix category.low
* Added a missing character
* Deleted the generator.version
* Fixed the expected states based on the rule
* Added different types of hashes
* The types of hashes are described separately
* Fixed a rule that caused Subject to return the value None
1 parent 0ccf90f, commit 1588f6f
Showing 10 changed files with 70 additions and 25 deletions.
...Kernel-EventTracing/17_The_security_descriptor_for_session_has_been_updated/metainfo.yaml (2 changes: 1 addition & 1 deletion)
...ckage/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_conds_4.tc (2 changes: 1 addition & 1 deletion)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
expect 1 {"action": "create", "alert.context": "lab\\admin \"C:\\Windows\\system32\\netsh.exe\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382", "alert.key": "\"C:\\Windows\\system32\\netsh.exe\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382", "category.high": "Command and Control", "category.low": "Traffic Signaling", "correlation_name": "Portproxy_netsh", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "pc1.lab.local", "event_src.hostname": "pc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Portproxy_netsh|pc1.lab.local", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "lab", "object.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "object.account.name": "admin", "object.account.session_id": "336094", "object.process.cmdline": "\"C:\\Windows\\system32\\netsh.exe\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382", "object.process.fullpath": "c:\\windows\\system32\\netsh.exe", "object.process.id": "3328", "object.process.name": "netsh.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.id": "2300", "object.process.parent.name": "powershell.exe", "object.process.parent.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "object.process.path": "c:\\windows\\system32\\", "status": "success", "subject": "account", "subject.account.domain": "lab", "subject.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "subject.account.name": "admin", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "336094"} | ||
expect 1 {"action": "create", "alert.context": "lab\\admin \"C:\\Windows\\system32\\netsh.exe\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382", "alert.key": "\"C:\\Windows\\system32\\netsh.exe\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382", "category.high": "Command and Control", "category.low": "Proxy", "correlation_name": "Portproxy_netsh", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "pc1.lab.local", "event_src.hostname": "pc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Portproxy_netsh|pc1.lab.local", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "lab", "object.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "object.account.name": "admin", "object.account.session_id": "336094", "object.process.cmdline": "\"C:\\Windows\\system32\\netsh.exe\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382", "object.process.fullpath": "c:\\windows\\system32\\netsh.exe", "object.process.id": "3328", "object.process.name": "netsh.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.id": "2300", "object.process.parent.name": "powershell.exe", "object.process.parent.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "object.process.path": "c:\\windows\\system32\\", "status": "success", "subject": "account", "subject.account.domain": "lab", "subject.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "subject.account.name": "admin", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "336094"} |
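Review bot: the only change in this hunk is `category.low` moving from "Traffic Signaling" to "Proxy", and the Portproxy_netsh rule's own metainfo is not among the diffs shown, so confirm the rule really emits "Proxy" now rather than the expectation being hand-edited to pass. The new value is the consistent one: a `netsh interface portproxy` listener forwards traffic (ATT&CK Command and Control: Proxy), which also matches the unchanged `category.high` of "Command and Control".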
...les/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/tests/test_conds_1.tc (2 changes: 1 addition & 1 deletion)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
expect 1 {"action": "start", "alert.key": "c:\\programdata\\intel\\helpa.dll", "category.generic": "Attack", "category.high": "Execution", "category.low": "System Binary Proxy Execution", "correlation_name": "Detect_execution_imageload_wuauclt_lolbas", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "laptop-ju4m3i0e", "event_src.host": "laptop-ju4m3i0e", "event_src.hostname": "laptop-ju4m3i0e", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "Detect_execution_imageload_wuauclt_lolbas|laptop-ju4m3i0e||c:\\programdata\\intel\\helpa.dll", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "module", "object.process.fullpath": "c:\\programdata\\intel\\helpa.dll", "object.process.hash": "IMPHASH:8DEF796746DD54062D5B3186EEF39356 MD5:6AB43126243BE72FF7D446D5A496AA76 SHA1:AF7687063F8EE1C8FD57D1A5FE6FA4F28A53C434 SHA256:56C5AFF6AC04BDF86EDBC4F0D0F9581F250A4C97DD60FD1179F153AC20230920", "object.process.meta": "Description:? | Product:? | Company:?", "object.process.name": "helpa.dll", "object.process.original_name": "?", "object.process.path": "c:\\programdata\\intel\\", "object.property": "signature status", "object.value": "not signed", "object.version": "?", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\wuauclt.exe", "subject.process.guid": "00247c92-09fe-5f86-0000-001051841401", "subject.process.id": "1716", "subject.process.name": "wuauclt.exe", "subject.process.path": "c:\\windows\\system32\\"} | ||
expect 1 {"action":"start","alert.key":"c:\\programdata\\intel\\helpa.dll","category.generic":"Attack","category.high":"Execution","category.low":"System Binary Proxy Execution","correlation_name":"Detect_execution_imageload_wuauclt_lolbas","correlation_type":"incident","event_src.category":"Other","event_src.fqdn":"laptop-ju4m3i0e","event_src.host":"laptop-ju4m3i0e","event_src.hostname":"laptop-ju4m3i0e","event_src.subsys":"Microsoft-Windows-Sysmon/Operational","event_src.title":"sysmon","event_src.vendor":"microsoft","generator.type":"correlationengine","importance":"high","incident.aggregation.key":"Detect_execution_imageload_wuauclt_lolbas|laptop-ju4m3i0e||c:\\programdata\\intel\\helpa.dll","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"high","object":"module","object.process.fullpath":"c:\\programdata\\intel\\helpa.dll","object.process.hash.imphash":"8DEF796746DD54062D5B3186EEF39356","object.process.hash.md5":"6AB43126243BE72FF7D446D5A496AA76","object.process.hash.sha1":"AF7687063F8EE1C8FD57D1A5FE6FA4F28A53C434","object.process.hash.sha256":"56C5AFF6AC04BDF86EDBC4F0D0F9581F250A4C97DD60FD1179F153AC20230920","object.process.meta":"Description:? | Product:? | Company:?","object.process.name":"helpa.dll","object.process.original_name":"?","object.process.path":"c:\\programdata\\intel\\","object.property":"signature status","object.value":"not signed","object.version":"?","status":"success","subject":"process","subject.process.fullpath":"c:\\windows\\system32\\wuauclt.exe","subject.process.guid":"00247c92-09fe-5f86-0000-001051841401","subject.process.id":"1716","subject.process.name":"wuauclt.exe","subject.process.path":"c:\\windows\\system32\\"} |
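Review bot: the whitespace stripping (compact JSON with no space after `:` and `,`) hides the one substantive change in this hunk, the split of the combined `object.process.hash` string into `object.process.hash.imphash`, `object.process.hash.md5`, `object.process.hash.sha1` and `object.process.hash.sha256`; keep the original spacing, or reformat every .tc file in a separate commit, so that the diff shows only the field change. The four hash values are carried over unchanged from the combined `IMPHASH:... MD5:... SHA1:... SHA256:...` string, which is the thing a reviewer has to verify when a field is split like this.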
...les/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/tests/test_conds_2.tc (2 changes: 1 addition & 1 deletion)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
expect 1 {"action": "start", "alert.key": "wuauclt.exe /updatedeploymentprovider c:\\programdata\\intel\\helpa.dll /runhandlercomserver", "category.generic": "Attack", "category.high": "Execution", "category.low": "System Binary Proxy Execution", "correlation_name": "Detect_execution_imageload_wuauclt_lolbas", "correlation_type": "incident", "datafield6": "00247c92-de70-5f85-0000-002059f80600", "event_src.category": "Other", "event_src.fqdn": "laptop-ju4m3i0e", "event_src.host": "laptop-ju4m3i0e", "event_src.hostname": "laptop-ju4m3i0e", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "Detect_execution_imageload_wuauclt_lolbas|laptop-ju4m3i0e|wuauclt.exe /UpdateDeploymentProvider C:\\ProgramData\\Intel\\helpa.dll /RunHandlerComServer|c:\\windows\\system32\\cmd.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "laptop-ju4m3i0e", "object.account.id": "synthetic:bouss@laptop-ju4m3i0e", "object.account.name": "bouss", "object.account.session_id": "456793", "object.process.cmdline": "c:\\windows\\system32\\cmd.exe", "object.process.cwd": "c:\\Windows\\System32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "00247c92-09fe-5f86-0000-0010ac861401", "object.process.hash": "IMPHASH:272245E2988E1E430500B852C4FB5E18 MD5:D7AB69FAD18D4A643D84A271DFC0DBDF SHA1:8DCA9749CD48D286950E7A9FA1088C937CBCCAD4 SHA256:FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5", "object.process.id": "6372", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "wuauclt.exe 
/UpdateDeploymentProvider C:\\ProgramData\\Intel\\helpa.dll /RunHandlerComServer", "object.process.parent.fullpath": "c:\\windows\\system32\\wuauclt.exe", "object.process.parent.guid": "00247c92-09fe-5f86-0000-001051841401", "object.process.parent.id": "1716", "object.process.parent.name": "wuauclt.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.18362.449 (WinBuild.160101.0800)", "status": "success", "subject": "account", "subject.account.domain": "laptop-ju4m3i0e", "subject.account.id": "synthetic:bouss@laptop-ju4m3i0e", "subject.account.name": "bouss", "subject.account.privileges": "Medium", "subject.account.session_id": "456793"} | ||
expect 1 {"action":"start","alert.key":"wuauclt.exe /updatedeploymentprovider c:\\programdata\\intel\\helpa.dll /runhandlercomserver","category.generic":"Attack","category.high":"Execution","category.low":"System Binary Proxy Execution","correlation_name":"Detect_execution_imageload_wuauclt_lolbas","correlation_type":"incident","datafield6":"00247c92-de70-5f85-0000-002059f80600","event_src.category":"Other","event_src.fqdn":"laptop-ju4m3i0e","event_src.host":"laptop-ju4m3i0e","event_src.hostname":"laptop-ju4m3i0e","event_src.subsys":"Microsoft-Windows-Sysmon/Operational","event_src.title":"sysmon","event_src.vendor":"microsoft","generator.type":"correlationengine","importance":"high","incident.aggregation.key":"Detect_execution_imageload_wuauclt_lolbas|laptop-ju4m3i0e|wuauclt.exe /UpdateDeploymentProvider C:\\ProgramData\\Intel\\helpa.dll /RunHandlerComServer|c:\\windows\\system32\\cmd.exe","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"high","object":"process","object.account.domain":"laptop-ju4m3i0e","object.account.id":"synthetic:bouss@laptop-ju4m3i0e","object.account.name":"bouss","object.account.session_id":"456793","object.process.cmdline":"c:\\windows\\system32\\cmd.exe","object.process.cwd":"c:\\Windows\\System32\\","object.process.fullpath":"c:\\windows\\system32\\cmd.exe","object.process.guid":"00247c92-09fe-5f86-0000-0010ac861401","object.process.hash.imphash":"272245E2988E1E430500B852C4FB5E18","object.process.hash.md5":"D7AB69FAD18D4A643D84A271DFC0DBDF","object.process.hash.sha1":"8DCA9749CD48D286950E7A9FA1088C937CBCCAD4","object.process.hash.sha256":"FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5","object.process.id":"6372","object.process.meta":"Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation","object.process.name":"cmd.exe","object.process.original_name":"Cmd.Exe","object.process.parent.cmdline":"wuauclt.exe 
/UpdateDeploymentProvider C:\\ProgramData\\Intel\\helpa.dll /RunHandlerComServer","object.process.parent.fullpath":"c:\\windows\\system32\\wuauclt.exe","object.process.parent.guid":"00247c92-09fe-5f86-0000-001051841401","object.process.parent.id":"1716","object.process.parent.name":"wuauclt.exe","object.process.parent.path":"c:\\windows\\system32\\","object.process.path":"c:\\windows\\system32\\","object.process.version":"10.0.18362.449 (WinBuild.160101.0800)","status":"success","subject":"account","subject.account.domain":"laptop-ju4m3i0e","subject.account.id":"synthetic:bouss@laptop-ju4m3i0e","subject.account.name":"bouss","subject.account.privileges":"Medium","subject.account.session_id":"456793"} |
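Review bot: same compact-JSON reformat as in test_conds_1 layered on top of the hash split, so the same request applies: separate the whitespace change from the `object.process.hash.*` change. Separately, the expectation still asserts the raw `datafield6` value ("00247c92-de70-5f85-0000-002059f80600") next to the normalized `object.process.guid` and `object.process.parent.guid` fields; check whether the rule is meant to pass an un-normalized datafield through to the incident, or whether it belongs with the engine-specific fields that this commit is removing from the expectations.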
...ckage/correlation_rules/mitre_attck_lat_move/Detect_MSHTA_LethalHTA/tests/test_conds_1.tc (2 changes: 1 addition & 1 deletion)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
expect 1 {"action": "start", "alert.context": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -> C:\\Windows\\System32\\mshta.exe -Embedding", "alert.key": "c:\\windows\\system32\\svchost.exe -k dcomlaunch|c:\\windows\\system32\\mshta.exe -embedding|description:microsoft (r) html application host | product:internet explorer | company:microsoft corporation", "category.generic": "Attack", "category.high": "Lateral Movement", "category.low": "Remote Services: Distributed Component Object Model", "correlation_name": "Detect_MSHTA_LethalHTA", "correlation_type": "incident", "count": 1, "dst.host": "10.0.2.17", "dst.ip": "10.0.2.17", "dst.port": 55683, "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "generator.version": "26.0.3002 (libservice v.2.0.787)", "importance": "medium", "incident.aggregation.key": "Detect_MSHTA_LethalHTA|iewin7", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.session_id": "1077454", "object.process.cmdline": "C:\\Windows\\System32\\mshta.exe -Embedding", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\mshta.exe", "object.process.guid": "365abb72-19e0-5cda-0000-001006711000", "object.process.id": "1932", "object.process.meta": "Description:Microsoft (R) HTML Application host | Product:Internet Explorer | Company:Microsoft Corporation", "object.process.name": "mshta.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", 
"object.process.parent.guid": "365abb72-965e-5cda-0000-0010af760000", "object.process.parent.id": "596", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "11.00.9600.16428 (winblue_gdr.131013-1700)", "src.host": "iewin7", "src.ip": "10.0.2.16", "src.port": 49168, "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1077454", "time": "2019-05-14T01:29:04.293Z"} | ||
expect 1 {"action": "start", "alert.context": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -> C:\\Windows\\System32\\mshta.exe -Embedding", "alert.key": "c:\\windows\\system32\\svchost.exe -k dcomlaunch|c:\\windows\\system32\\mshta.exe -embedding|description:microsoft (r) html application host | product:internet explorer | company:microsoft corporation", "category.generic": "Attack", "category.high": "Lateral Movement", "category.low": "Remote Services: Distributed Component Object Model", "correlation_name": "Detect_MSHTA_LethalHTA", "correlation_type": "incident", "count": 1, "dst.host": "10.0.2.17", "dst.ip": "10.0.2.17", "dst.port": 55683, "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Detect_MSHTA_LethalHTA|iewin7", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.session_id": "1077454", "object.process.cmdline": "C:\\Windows\\System32\\mshta.exe -Embedding", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\mshta.exe", "object.process.guid": "365abb72-19e0-5cda-0000-001006711000", "object.process.id": "1932", "object.process.meta": "Description:Microsoft (R) HTML Application host | Product:Internet Explorer | Company:Microsoft Corporation", "object.process.name": "mshta.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "365abb72-965e-5cda-0000-0010af760000", 
"object.process.parent.id": "596", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "11.00.9600.16428 (winblue_gdr.131013-1700)", "src.host": "iewin7", "src.ip": "10.0.2.16", "src.port": 49168, "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1077454", "time": "2019-05-14T01:29:04.293Z"} |
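Review bot: dropping `generator.version` ("26.0.3002 (libservice v.2.0.787)") from the expectation is the right fix, since that value depends on the engine build running the test and would fail on any other version; `generator.type` and `time` stay, which is fine because `time` ("2019-05-14T01:29:04.293Z") comes from the input event rather than from the run. Worth grepping the other test files in the package for `generator.version` so that none is left behind with the same brittleness.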