Rules Update
wagga40 committed Jul 25, 2024
1 parent 3a40487 commit c006d3d
Showing 12 changed files with 34 additions and 34 deletions.
6 changes: 3 additions & 3 deletions pdm.lock


4 changes: 2 additions & 2 deletions rules_windows_generic.json
Expand Up @@ -18986,7 +18986,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE 
'\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE '%:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Java\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND (NewProcessName LIKE '%:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files\\\\Java\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE 
'\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%ping 127.0.0.1 -n%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE '%:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Java\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND (NewProcessName LIKE '%:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files\\\\Java\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))"
],
"filename": "proc_creation_win_susp_system_user_anomaly.yml"
},
Expand Down Expand Up @@ -27864,7 +27864,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))"
],
"filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml"
},
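Review bot: The relaxed exclusion in the proc_creation_win_susp_system_user_anomaly hunk (@@ -18986) changes an exact match into an unanchored substring match: `CommandLine LIKE '%ping 127.0.0.1 -n%' ESCAPE '\\'` is true for any command line that contains that text anywhere, and because it sits under the outer `AND NOT (...)`, one match suppresses the whole detection even when the same command line also carries one of the listed indicators. The previous `CommandLine = 'ping 127.0.0.1 -n 5'` only excluded that exact command. If the aim is merely to tolerate varying `-n` counts, anchoring the pattern as `CommandLine LIKE 'ping 127.0.0.1 -n%' ESCAPE '\\'` keeps the exclusion limited to command lines that are just that ping. The identical change appears in the proc_creation_win_susp_system_user_anomaly hunk of rules_windows_generic_full.json (@@ -33460); if these rule strings are generated from upstream Sigma sources, the narrowing belongs in the source rule rather than in this file.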
8 changes: 4 additions & 4 deletions rules_windows_generic_full.json
Expand Up @@ -2163,7 +2163,7 @@
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\dbgmodel.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WinDbg\\_%' ESCAPE '\\') OR ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))) AND NOT (logs MATCH ('\"\"')))"
"SELECT * FROM logs WHERE ((ImageLoaded LIKE '%\\\\dbgmodel.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))) AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WinDbg\\_%' ESCAPE '\\') OR ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\'))))"
],
"filename": "image_load_side_load_dbgmodel.yml"
},
Expand Down Expand Up @@ -19180,7 +19180,7 @@
],
"level": "low",
"rule": [
"SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8002' AND ProcessName LIKE '%' ESCAPE '\\')"
"SELECT * FROM logs WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8002')"
],
"filename": "win_susp_ntlm_auth.yml"
},
Expand Down Expand Up @@ -33460,7 +33460,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE 
'\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE '%:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Java\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND (NewProcessName LIKE '%:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files\\\\Java\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE 
'\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%ping 127.0.0.1 -n%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE '%:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Java\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND (NewProcessName LIKE '%:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files\\\\Java\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))"
],
"filename": "proc_creation_win_susp_system_user_anomaly.yml"
},
Expand Down Expand Up @@ -51464,7 +51464,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))"
],
"filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml"
},
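Review bot: Dropping `ProcessName LIKE '%' ESCAPE '\\'` from the win_susp_ntlm_auth hunk (@@ -19180) is not a pure simplification: `LIKE '%'` yields UNKNOWN for a NULL ProcessName, so the old predicate also required the field to be present, whereas the new `(Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8002')` also fires on 8002 events where ProcessName is absent, if the ingested logs can lack that field. If that widening is intended it is worth recording alongside the rule; if not, `AND ProcessName IS NOT NULL` preserves the previous behaviour without the wildcard comparison. As with the other hunks, if this JSON is generated from upstream Sigma rules the adjustment should be made in the source rule so it is not lost on the next regeneration.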
