
custom sysmon, lsass and rdp/ssh brute-force rules

35f3696   Zion Boggan committed on Mar 16, 2026 (3 months ago)
config/wazuh/decoders/local_decoder.xml +9 -0
@@ -0,0 +1,9 @@
+<decoder name="thehive-responder">
+ <prematch>^thehive:</prematch>
+</decoder>
+
+<decoder name="thehive-responder-fields">
+ <parent>thehive-responder</parent>
+ <regex>caseId=(\S+) action=(\S+) analyst=(\S+)</regex>
+ <order>case_id, response_action, analyst</order>
+</decoder>
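Review bot: The child decoder's `<regex>` is not bound to the prematch position, so the `caseId=… action=… analyst=…` triple is searched anywhere in the line; if the fields always follow the `thehive:` prefix, `<regex offset="after_prematch">caseId=(\S+) action=(\S+) analyst=(\S+)</regex>` is tighter and cheaper. Nothing on the page records what emits these lines or their full format, and no rule in this commit references `case_id`, `response_action` or `analyst`, so the decoder's consumer cannot be verified from here. A comment above the first decoder such as `<!-- Parses responder audit lines "thehive: caseId=<id> action=<action> analyst=<user>"; consumed by rule <TODO: rule id> -->` would let the next maintainer check both the format and the consumer. Since `\S+` captures whatever the log carries, any rule that later prints `analyst` or `response_action` in its description is echoing log-supplied text.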
config/wazuh/rules/local_rules.xml +111 -0
@@ -0,0 +1,111 @@
+<group name="local,sysmon,windows,">
+
+ <rule id="100100" level="3">
+ <if_sid>61603</if_sid>
+ <field name="win.system.eventID">^1$</field>
+ <description>Sysmon - process creation logged</description>
+ </rule>
+
+ <rule id="100101" level="10">
+ <if_sid>100100</if_sid>
+ <field name="win.eventdata.image" type="pcre2">(?i)\\(AppData|Local\\Temp|ProgramData|Users\\Public)\\.+\.(exe|scr|pif|com)$</field>
+ <description>Process launched from a user-writable path: $(win.eventdata.image)</description>
+ <mitre>
+ <id>T1059</id>
+ </mitre>
+ </rule>
+
+ <rule id="100102" level="12">
+ <if_sid>100100</if_sid>
+ <field name="win.eventdata.parentImage" type="pcre2">(?i)\\(winword|excel|powerpnt|outlook)\.exe$</field>
+ <field name="win.eventdata.image" type="pcre2">(?i)\\(cmd|powershell|wscript|cscript|mshta|rundll32)\.exe$</field>
+ <description>Office application spawned a scripting host: $(win.eventdata.image)</description>
+ <mitre>
+ <id>T1566</id>
+ <id>T1059.001</id>
+ </mitre>
+ </rule>
+
+ <rule id="100110" level="12">
+ <if_sid>61609</if_sid>
+ <field name="win.eventdata.targetImage" type="pcre2">(?i)\\lsass\.exe$</field>
+ <field name="win.eventdata.grantedAccess" type="pcre2">0x1010|0x1410|0x143a|0x1fffff</field>
+ <description>Suspicious LSASS access - possible credential dumping</description>
+ <mitre>
+ <id>T1003.001</id>
+ </mitre>
+ </rule>
+
+ <rule id="100120" level="10">
+ <if_sid>61600</if_sid>
+ <field name="win.system.eventID">^7045$</field>
+ <description>New Windows service installed: $(win.eventdata.serviceName)</description>
+ <mitre>
+ <id>T1543.003</id>
+ </mitre>
+ </rule>
+
+ <rule id="100121" level="10">
+ <if_sid>61600</if_sid>
+ <field name="win.system.eventID">^4698$</field>
+ <description>Scheduled task created: $(win.eventdata.taskName)</description>
+ <mitre>
+ <id>T1053.005</id>
+ </mitre>
+ </rule>
+
+</group>
+
+<group name="local,authentication,bruteforce,">
+
+ <rule id="100200" level="10" frequency="8" timeframe="120">
+ <if_matched_sid>5710</if_matched_sid>
+ <same_source_ip />
+ <description>SSH brute force - 8 failed logins from $(srcip) in 120s</description>
+ <mitre>
+ <id>T1110</id>
+ </mitre>
+ </rule>
+
+ <rule id="100201" level="10" frequency="8" timeframe="120">
+ <if_matched_sid>60122</if_matched_sid>
+ <same_source_ip />
+ <description>RDP brute force - 8 failed logins from $(srcip) in 120s</description>
+ <mitre>
+ <id>T1110</id>
+ </mitre>
+ </rule>
+
+</group>
+
+<group name="local,cti,threat-intel,">
+
+ <rule id="100210" level="12">
+ <decoded_as>json</decoded_as>
+ <field name="dstip" type="pcre2">\S+</field>
+ <list field="dstip" lookup="address_match_key">etc/lists/cti-malicious-ip</list>
+ <description>Outbound connection to CTI-flagged IP: $(dstip)</description>
+ <mitre>
+ <id>T1071</id>
+ </mitre>
+ </rule>
+
+ <rule id="100211" level="12">
+ <field name="win.eventdata.queryName" type="pcre2">\S+</field>
+ <list field="win.eventdata.queryName" lookup="match_key">etc/lists/cti-malicious-domain</list>
+ <description>DNS query for CTI-flagged domain: $(win.eventdata.queryName)</description>
+ <mitre>
+ <id>T1071.004</id>
+ </mitre>
+ </rule>
+
+ <rule id="100212" level="13">
+ <field name="win.eventdata.hashes" type="pcre2">\S+</field>
+ <list field="win.eventdata.sha256" lookup="match_key">etc/lists/cti-malware-hash</list>
+ <description>Execution of CTI-flagged malware hash</description>
+ <mitre>
+ <id>T1204</id>
+ </mitre>
+ </rule>
+
+</group>
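Review bot: Rule 100212 tests `win.eventdata.hashes` but performs the CDB lookup on `win.eventdata.sha256`, a field nothing in this commit decodes, and `match_key` needs an exact key; unless a decoder elsewhere populates the sha256 field this rule can never fire, and the Sysmon `Hashes` value is typically a composite (`SHA256=…,MD5=…`) that would not match a bare-hash list either. Either add the decoder that extracts the SHA-256 and reference it in a comment above the rule, or make the `<field>` and `<list>` lines agree on one field and document the list's key format. Rules 100100, 100120 and 100121 chain on `61603`/`61600`, which in the stock Wazuh ruleset are Sysmon event rules, while EventIDs 7045 and 4698 arrive through the Windows System/Security channel rules (and 61603 is not the Sysmon Event 1 rule in that ruleset), so these parents look wrong — verify against the installed ruleset. The `grantedAccess` pattern in 100110 is unanchored, so `0x1010` also matches longer masks such as `0x10100`; `<field name="win.eventdata.grantedAccess" type="pcre2">^(0x1010|0x1410|0x143a|0x1fffff)$</field>` pins the exact values. Rules 100211 and 100212 have no `if_sid`/`if_group`, so they are evaluated against every event; anchoring them on the Sysmon DNS-query and process-creation parents keeps the list lookups off unrelated logs.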