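<!--
  Sysmon / Windows detections: process execution, LSASS access, persistence.
  Chain: 100100 tags Sysmon Event 1 (process creation) at low severity so the
  higher-value rules 100101 and 100102 can refine it via if_sid.
  All pcre2 fields are case-insensitive via (?i). A doubled backslash in the
  XML text is a single literal backslash to pcre2, i.e. a Windows path separator.
-->
<group name="local,sysmon,windows,">

  <!-- Base rule for Sysmon Event 1. The explicit eventID check keeps the child
       rules correct even if parent sid 61603 ever covers more than Event 1. -->
  <rule id="100100" level="3">
    <if_sid>61603</if_sid>
    <field name="win.system.eventID">^1$</field>
    <description>Sysmon - process creation logged</description>
  </rule>

  <!-- Executable started from a directory a standard user can write to.
       NOTE(review): per-user installers (browsers, chat clients, updaters)
       legitimately run from AppData, so expect tuning or an allow-list before
       treating level 10 here as actionable. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\(AppData|Local\\Temp|ProgramData|Users\\Public)\\.+\.(exe|scr|pif|com)$</field>
    <description>Process launched from a user-writable path: $(win.eventdata.image)</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

  <!-- Office parent spawning a command interpreter or script host: the usual
       macro / phishing execution chain. Both parent and child regexes anchor
       on the file name, so any install path matches. -->
  <rule id="100102" level="12">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)\\(winword|excel|powerpnt|outlook)\.exe$</field>
    <field name="win.eventdata.image" type="pcre2">(?i)\\(cmd|powershell|wscript|cscript|mshta|rundll32)\.exe$</field>
    <description>Office application spawned a scripting host: $(win.eventdata.image)</description>
    <mitre>
      <id>T1566</id>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <!-- Handle opened on lsass.exe with access masks typical of credential
       dumping tools. The mask list is matched case-insensitively (the log may
       render hex digits in upper case, e.g. 0x1FFFFF) and anchored so that
       0x1010 cannot match inside a longer value; this brings the field in line
       with the other pcre2 fields in this file, which already use (?i).
       NOTE(review): targetImage / grantedAccess only exist on Sysmon Event 10
       (ProcessAccess). Confirm that parent sid 61609 is the Event 10 rule in
       the deployed ruleset; if it is not, this rule never fires. The eventID
       check mirrors 100100 for the same reason. -->
  <rule id="100110" level="12">
    <if_sid>61609</if_sid>
    <field name="win.system.eventID">^10$</field>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)\\lsass\.exe$</field>
    <field name="win.eventdata.grantedAccess" type="pcre2">(?i)^(0x1010|0x1410|0x143a|0x1fffff)$</field>
    <description>Suspicious LSASS access - possible credential dumping</description>
    <mitre>
      <id>T1003.001</id>
    </mitre>
  </rule>

  <!-- Service Control Manager 7045 (System log): a new service was installed.
       NOTE(review): 7045 is not a Sysmon event. If 61600 is the Sysmon
       provider rule in the deployed ruleset rather than a generic Windows
       eventchannel parent, this rule and 100121 can never match; confirm the
       parent sid. -->
  <rule id="100120" level="10">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^7045$</field>
    <description>New Windows service installed: $(win.eventdata.serviceName)</description>
    <mitre>
      <id>T1543.003</id>
    </mitre>
  </rule>

  <!-- Security 4698: a scheduled task was created. Requires the task
       scheduler audit subcategory to be enabled on the endpoint, otherwise
       the event is never emitted. Same parent-sid caveat as 100120. -->
  <rule id="100121" level="10">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^4698$</field>
    <description>Scheduled task created: $(win.eventdata.taskName)</description>
    <mitre>
      <id>T1053.005</id>
    </mitre>
  </rule>

</group>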
 
<!--
  Composite (frequency / timeframe) rules: fire when the same source IP
  produces 8 matching failures inside 120 s. The "8" and "120s" in the
  descriptions are plain text, not derived from the attributes; keep them in
  step when tuning the thresholds.
-->
<group name="local,authentication,bruteforce,">

  <!-- NOTE(review): 5710 appears to be the sshd "non-existent user" rule;
       failed passwords for valid accounts carry a different sid and would not
       be counted here. The shipped sshd ruleset may already contain a
       composite rule on 5710 with the same thresholds, which would alert twice.
       Confirm against the deployed ruleset. -->
  <rule id="100200" level="10" frequency="8" timeframe="120">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <description>SSH brute force - 8 failed logins from $(srcip) in 120s</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <!-- NOTE(review): 60122 appears to be the generic Windows logon-failure
       rule. Nothing here restricts the logon type, so any failed logon from
       one source counts, not only RDP (logon type 10); the description is
       narrower than what the rule matches. -->
  <rule id="100201" level="10" frequency="8" timeframe="120">
    <if_matched_sid>60122</if_matched_sid>
    <same_source_ip />
    <description>RDP brute force - 8 failed logins from $(srcip) in 120s</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

</group>
 
<!--
  CDB-list lookups against threat-intel feeds. List paths are relative to the
  Wazuh install directory; each list must also be declared in the manager's
  ruleset configuration and compiled, or the lookup silently never matches.
  None of these rules has an if_sid, so they appear to be evaluated against
  every event that carries the named field; confirm the cost is acceptable
  at the expected event rate.
-->
<group name="local,cti,threat-intel,">

  <!-- IP-aware lookup (address_match_key) of the destination address. -->
  <rule id="100210" level="12">
    <list field="dstip" lookup="address_match_key">etc/lists/cti-malicious-ip</list>
    <description>Outbound connection to CTI-flagged IP: $(dstip)</description>
    <mitre>
      <id>T1071</id>
    </mitre>
  </rule>

  <!-- Exact-key lookup of the queried name from Sysmon DNS events.
       NOTE(review): match_key is an exact match, so subdomains of a listed
       domain are not caught unless they are listed individually. -->
  <rule id="100211" level="12">
    <list field="win.eventdata.queryName" lookup="match_key">etc/lists/cti-malicious-domain</list>
    <description>DNS query for CTI-flagged domain: $(win.eventdata.queryName)</description>
    <mitre>
      <id>T1071.004</id>
    </mitre>
  </rule>

  <!-- Hash lookup for executed images.
       NOTE(review): Sysmon reports hashes in a single combined field
       (e.g. SHA256=...,MD5=...); a separate win.eventdata.sha256 field only
       exists if a decoder extracts it. Confirm the field name against the
       decoded events, otherwise this rule never matches. Key case must also
       match how the hash is written in the list. -->
  <rule id="100212" level="13">
    <list field="win.eventdata.sha256" lookup="match_key">etc/lists/cti-malware-hash</list>
    <description>Execution of CTI-flagged malware hash</description>
    <mitre>
      <id>T1204</id>
    </mitre>
  </rule>

</group>