This repository has been archived by the owner on Nov 19, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 22
/
0805-v10-sysmon-modular_rules.xml
529 lines (452 loc) · 18.4 KB
/
0805-v10-sysmon-modular_rules.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
<group name="sysmon-modular,">
<rule id="255500" level="5">
<if_group>sysmon_event8</if_group>
<match>technique_name=Process Injection</match>
<description>MITRE T1055 Process Injection: $(win.eventdata.image)</description>
<group>MITRE,attack.t1055,</group>
</rule>
<rule id="255501" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Masquerading</match>
<description>MITRE T1036 Masquerading: $(win.eventdata.image)</description>
<group>MITRE,attack.t1036,</group>
</rule>
<rule id="255502" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Credential Dumping</match>
<description>MITRE T1003 Credential Dumping: $(win.eventdata.image)</description>
<group>MITRE,attack.t1003,</group>
</rule>
<rule id="255503" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Winlogon Helper DLL</match>
<description>MITRE T1004 Winlogon Helper DLL: $(win.eventdata.image)</description>
<group>MITRE,attack.t1004,</group>
</rule>
<rule id="255504" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Data from Local System</match>
<description>MITRE T1005 Data from Local System: $(win.eventdata.image)</description>
<group>MITRE,attack.t1005,</group>
</rule>
<rule id="255505" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=System Service Discovery</match>
<description>MITRE T1007 System Service Discovery: $(win.eventdata.image)</description>
<group>MITRE,attack.t1007,</group>
</rule>
<rule id="255506" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Query Registry</match>
<description>MITRE T1012 Query registry: $(win.eventdata.image)</description>
<group>MITRE,attack.t1012,</group>
</rule>
<rule id="255507" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Forced Authentication</match>
<description>MITRE T1013 Forced Authentication: $(win.eventdata.image)</description>
<group>MITRE,attack.t1013,</group>
</rule>
<rule id="255508" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Accessibility Features</match>
<description>MITRE T1015 Accessibility Features: $(win.eventdata.image)</description>
<group>MITRE,attack.t1015,</group>
</rule>
<rule id="255509" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=System Network Configuration Discovery</match>
<description>MITRE T1016 System Network Configuration Discovery: $(win.eventdata.image)</description>
<group>MITRE,attack.t1016,</group>
</rule>
<rule id="255510" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Remote System Discovery</match>
<description>MITRE T1018 Remote Systen Discovery: $(win.eventdata.image)</description>
<group>MITRE,attack.t1018,</group>
</rule>
<rule id="255511" level="5">
<if_group>sysmon_event2</if_group>
<match>technique_name=Remote Services</match>
<description>MITRE T1021 Remote Services : $(win.eventdata.image)</description>
<group>MITRE,attack.t1021,</group>
</rule>
<rule id="255512" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Obfuscated Files or Information</match>
<description>MITRE T1027 Obfuscated Files or Information : $(win.eventdata.image)</description>
<group>MITRE,attack.t1027,</group>
</rule>
<rule id="255513" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Windows Remote Management</match>
<description>MITRE T1028 Windows Remote Management: $(win.eventdata.image)</description>
<group>MITRE,attack.t1028,</group>
</rule>
<rule id="255514" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Modify Existing Service</match>
<description>MITRE T1031 Modify Existing Service : $(win.eventdata.image)</description>
<group>MITRE,attack.t1031,</group>
</rule>
<rule id="255515" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=System Owner/User Discovery</match>
<description>MITRE T1033 System Owner/User Discovery : $(win.eventdata.image)</description>
<group>MITRE,attack.t1033,</group>
</rule>
<rule id="255516" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Service Execution</match>
<description>MITRE T1035 Service Execution: $(win.eventdata.image)</description>
<group>MITRE,attack.t1035,</group>
</rule>
<rule id="255517" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Logon Scripts</match>
<description>MITRE T1037 Logon Scripts: $(win.eventdata.image)</description>
<group>MITRE,attack.t1037,</group>
</rule>
<rule id="255518" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Change Default File Association</match>
<description>MITRE T1042 Change Default File Association: $(win.eventdata.image)</description>
<group>MITRE,attack.t1042,</group>
</rule>
<rule id="255519" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=Windows Management Instrumentation</match>
<description>MITRE T1047 Windows Management Instrumentation : $(win.eventdata.image)</description>
<group>MITRE,attack.t1047,</group>
</rule>
<rule id="255520" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=System Network Connections Discovery</match>
<description>MITRE T1049 System Network Connections Discovery: $(win.eventdata.image)</description>
<group>MITRE,attack.t1049,</group>
</rule>
<rule id="255521" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Scheduled Task</match>
<description>MITRE T1053 Scheduled Task: $(win.eventdata.image)</description>
<group>MITRE,attack.t1053,</group>
</rule>
<rule id="255522" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Indicator Blocking</match>
<description>MITRE T1054 Indicator Blocking : $(win.eventdata.image)</description>
<group>MITRE,attack.t1054,</group>
</rule>
<rule id="255523" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Process Discovery</match>
<description>MITRE T1057 Process Discovery: $(win.eventdata.image)</description>
<group>MITRE,attack.t1057,</group>
</rule>
<rule id="255524" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Command-Line Interface</match>
<description>MITRE T1059 Command-Line Interface: $(win.eventdata.image)</description>
<group>MITRE,attack.t1059,</group>
</rule>
<rule id="255525" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Registry Run Keys / Start Folder</match>
<description>MITRE T1060 Registry Run Keys / Start Folder: $(win.eventdata.image)</description>
<group>MITRE,attack.t1060,</group>
</rule>
<rule id="255526" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Security Software Discovery</match>
<description>MITRE T1063 Security Software Discovery: $(win.eventdata.image)</description>
<group>MITRE,attack.t1063,</group>
</rule>
<rule id="255527" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Permission Groups Discovery</match>
<description>MITRE T1069 Permission Groups Discovery: $(win.eventdata.image)</description>
<group>MITRE,attack.t1069,</group>
</rule>
<rule id="255528" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Indicator Removal on Host</match>
<description>MITRE T1070 Indicator Removal on Host: $(win.eventdata.image)</description>
<group>MITRE,attack.t1070,</group>
</rule>
<rule id="255529" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=File and Directory Discovery</match>
<description>MITRE T1083 File and Directory Discovery: $(win.eventdata.image)</description>
<group>MITRE,attack.t1083,</group>
</rule>
<rule id="255530" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=Rundll32</match>
<description>MITRE T1085 Rundll32: $(win.eventdata.image)</description>
<group>MITRE,attack.t1085,</group>
</rule>
<rule id="255531" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=PowerShell</match>
<description>MITRE T1086 Powershell: $(win.eventdata.image)</description>
<group>MITRE,attack.t1086,</group>
</rule>
<rule id="255532" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Bypass User Account Control</match>
<description>MITRE T1088 Bypass User Account Control: $(win.eventdata.image)</description>
<group>MITRE,attack.t1088,</group>
</rule>
<rule id="255533" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Disabling Security Tools</match>
<description>MITRE T1089 Disabling Security Tools: $(win.eventdata.image)</description>
<group>MITRE,attack.t1089,</group>
</rule>
<rule id="255534" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Account Manipulation</match>
<description>MITRE T1098 =Account Manipulation: $(win.eventdata.image)</description>
<group>MITRE,attack.t1098,</group>
</rule>
<rule id="255535" level="5">
<if_group>sysmon_event2</if_group>
<match>technique_name=Timestomp</match>
<description>MITRE T1099 Timestomp: $(win.eventdata.image)</description>
<group>MITRE,attack.t1099,</group>
</rule>
<rule id="255536" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Security Support Provider</match>
<description>MITRE T1101 Security Support Provider: $(win.eventdata.image)</description>
<group>MITRE,attack.t1101,</group>
</rule>
<rule id="255537" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Appinit DLLs</match>
<description>MITRE T1103 Appinit DLLs: $(win.eventdata.image)</description>
<group>MITRE,attack.t1103,</group>
</rule>
<rule id="255538" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Remote File Copy</match>
<description>MITRE T1105 Remote File Copy: $(win.eventdata.image)</description>
<group>MITRE,attack.t1105,</group>
</rule>
<rule id="255539" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Modify Registry</match>
<description>MITRE T1112 Modify Registry: $(win.eventdata.image)</description>
<group>MITRE,attack.t1112,</group>
</rule>
<rule id="255540" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Regsvr32</match>
<description>MITRE T1117 Regsvr32: $(win.eventdata.image)</description>
<group>MITRE,attack.t1117,</group>
</rule>
<rule id="255541" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=InstallUtil</match>
<description>MITRE T1118 InstallUtil: $(win.eventdata.image)</description>
<group>MITRE,attack.t1118,</group>
</rule>
<rule id="255542" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Regsvcs/Regasm</match>
<description>MITRE T1121 Regsvcs/Regasm: $(win.eventdata.image)</description>
<group>MITRE,attack.t1121,</group>
</rule>
<rule id="255543" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Component Object Model Hijacking</match>
<description>MITRE T1122 Component Object Model Hijacking: $(win.eventdata.image)</description>
<group>MITRE,attack.t1122,</group>
</rule>
<rule id="255544" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Trusted Developer Utilities</match>
<description>MITRE T1127 Trusted Developer Utilities: $(win.eventdata.image)</description>
<group>MITRE,attack.t1127,</group>
</rule>
<rule id="255545" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Netsh Helper DLL</match>
<description>MITRE T1128 Netsh Helper DLL: $(win.eventdata.image)</description>
<group>MITRE,attack.t1128,</group>
</rule>
<rule id="255546" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Install Root Certificate</match>
<description>MITRE T1130 Install Root Certificate: $(win.eventdata.image)</description>
<group>MITRE,attack.t1130,</group>
</rule>
<rule id="255547" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Authentication Package</match>
<description>MITRE T1131 Authentication Package: $(win.eventdata.image)</description>
<group>MITRE,attack.t1131,</group>
</rule>
<rule id="255548" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Access Token Manipulation</match>
<description>MITRE T1134 Access Token Manipulation: $(win.eventdata.image)</description>
<group>MITRE,attack.t1134,</group>
</rule>
<rule id="255549" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Application Shimming</match>
<description>MITRE T1138 Application Shimming: $(win.eventdata.image)</description>
<group>MITRE,attack.t1138,</group>
</rule>
<rule id="255550" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Hidden Files and Files Directories</match>
<description>MITRE T1158 Hidden Files and Directories: $(win.eventdata.image)</description>
<group>MITRE,attack.t1158,</group>
</rule>
<rule id="255551" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Mshta</match>
<description>MITRE T1170 Mshta: $(win.eventdata.image)</description>
<group>MITRE,attack.t1170,</group>
</rule>
<rule id="255552" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=AppCert DLLs</match>
<description>MITRE T1182: $(win.eventdata.image)</description>
<group>MITRE,attack.t1182,</group>
</rule>
<rule id="255553" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Image File Execution Options Injection</match>
<description>MITRE T1183 Image File Execution Options Injection: $(win.eventdata.image)</description>
<group>MITRE,attack.t1183,</group>
</rule>
<rule id="255554" level="5">
<if_group>sysmon_event_11</if_group>
<match>technique_name=Forced Authentication</match>
<description>MITRE T1187 Forced Authentication: $(win.eventdata.image)</description>
<group>MITRE,attack.t1187,</group>
</rule>
<rule id="255555" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=CMSTP</match>
<description>MITRE T1191 CMSTP: $(win.eventdata.image)</description>
<group>MITRE,attack.t1191,</group>
</rule>
<rule id="255556" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Control Panel Items</match>
<description>MITRE T1196: $(win.eventdata.image)</description>
<group>MITRE,attack.t1196,</group>
</rule>
<rule id="255557" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=BITS Jobs</match>
<description>MITRE T1197 BITS Jobs: $(win.eventdata.image)</description>
<group>MITRE,attack.t1197,</group>
</rule>
<rule id="255558" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=SIP and Trust Provider Hijacking</match>
<description>MITRE T1198 SIP and Trust Provider Hijacking: $(win.eventdata.image)</description>
<group>MITRE,attack.t1198,</group>
</rule>
<rule id="255559" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Indirect Command Execution</match>
<description>MITRE T1202 Indirect Command Execution: $(win.eventdata.image)</description>
<group>MITRE,attack.t1202,</group>
</rule>
<rule id="255560" level="5">
<if_group>sysmon_event_12</if_group>
<match>technique_name=Time Providers</match>
<description>MITRE T1209 Time Providers: $(win.eventdata.image)</description>
<group>MITRE,attack.t1209,</group>
</rule>
<rule id="255561" level="5">
<if_group>sysmon</if_group>
<match>technique_name=Regsvr32</match>
<description>MITRE T1218 Regsvr32: $(win.eventdata.image)</description>
<group>MITRE,attack.t1218,</group>
</rule>
<rule id="255562" level="5">
<if_group>sysmon_event1</if_group>
<match>technique_name=Signed Binary Proxy Execution</match>
<description>MITRE T1218 Signed Binary Proxy Execution: $(win.eventdata.image)</description>
<group>MITRE,attack.t1218,</group>
</rule>
<rule id="255563" level="10">
<if_group>sysmon</if_group>
<match>technique_name=Signed Binary Proxy Execution</match>
<description>MITRE T1218 Signed Script Proxy Execution: $(win.eventdata.image)</description>
<group>MITRE,attack.t1218,</group>
</rule>
<rule id="255564" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=Masquerading</match>
<description>MITRE T1036 Masquerading: $(win.eventdata.image)</description>
<group>MITRE,attack.t1036,</group>
</rule>
<rule id="255565" level="5">
<if_group>sysmon</if_group>
<match>technique_name=System Network Configuration Discovery</match>
<description>MITRE T1016 System Network Configuration Discovery: $(win.eventdata.image)</description>
<group>MITRE,attack.t1016,</group>
</rule>
<rule id="255566" level="5">
<if_group>sysmon</if_group>
<match>technique_name=Windows Remote Management</match>
<description>MITRE T1028 Windows Remote Management: $(win.eventdata.image)</description>
<group>MITRE,attack.t1028,</group>
</rule>
<rule id="255567" level="5">
<if_group>sysmon</if_group>
<match>technique_name=Service Execution</match>
<description>MITRE T1035 Service Execution: $(win.eventdata.image)</description>
<group>MITRE,attack.t1035,</group>
</rule>
<rule id="255568" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=Regsvr32</match>
<description>MITRE T1218 Regsvr32: $(win.eventdata.image)</description>
<group>MITRE,attack.t1218,</group>
</rule>
<rule id="255569" level="6">
<if_group>sysmon_event3</if_group>
<match>technique_name=Commonly Used Port</match>
<description>MITRE T043 Commonly Used Port: $(win.eventdata.image)</description>
<group>MITRE,attack.t1043,</group>
</rule>
<rule id="255570" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=PowerShell</match>
<description>MITRE T1086 Powershell Network Connection: $(win.eventdata.image)</description>
<group>MITRE,attack.t1086,</group>
</rule>
<rule id="255571" level="5">
<if_group>sysmon_event3</if_group>
<match>technique_name=Indirect Command Execution</match>
<description>MITRE T1202 Indirect Command Execution Network Activity: $(win.eventdata.image)</description>
<group>MITRE,attack.t1202,</group>
</rule>
<rule id="255572" level="5">
<if_group>sysmon_event_13</if_group>
<match>technique_name=Registry Run</match>
<description>MITRE T1060 Run Key Persistence: $(win.eventdata.image)</description>
<group>MITRE,attack.t1060,</group>
</rule>
<rule id="255573" level="6">
<if_group>sysmon_event3</if_group>
<match>technique_name=UnCommonly Used Port</match>
<description>MITRE T1065 Commonly Used Port: $(win.eventdata.image)</description>
<group>MITRE,attack.t1065,</group>
</rule>
<rule id="255574" level="6">
<if_group>sysmon_event7</if_group>
<match>technique_name=User Execution</match>
<description>MITRE T1204 User Execution: $(win.eventdata.image)</description>
<group>MITRE,attack.t204,</group>
</rule>
</group>