Sysmon configuration by @olafhartong, fine-tuned for Wazuh usage.
<!-- | |
Since Wazuh File Integrity Monitoring (FIM) overlaps with some Sysmon capabilities, the Sysmon configuration should be fine-tuned so that the two do not report the same activity twice.
An alternative would be to disable Wazuh FIM and rely on Sysmon instead; that approach is not covered here.
--> | |
<!-- NOTICE : This is a balanced generated output of Sysmon-modular with medium verbosity --> | |
<!-- Because this configuration is balanced rather than exhaustive, it has potential blind spots -->
<!-- for more information go to https://github.com/olafhartong/sysmon-modular/wiki --> | |
<!-- --> | |
<!-- //** ***// --> | |
<!-- ///#(** **%(/// --> | |
<!-- ((&&&** **&&&(( --> | |
<!-- (&&&** ,(((((((. **&&&( --> | |
<!-- ((&&**(((((//(((((((/**&&(( _____ __ __ --> | |
<!-- (&&///((////(((((((///&&( / ___/__ ___________ ___ ____ ____ ____ ___ ____ ____/ /_ __/ /___ ______ --> | |
<!-- &////(/////(((((/(////& \__ \/ / / / ___/ __ `__ \/ __ \/ __ \______/ __ `__ \/ __ \/ __ / / / / / __ `/ ___/ --> | |
<!-- ((// /////(///// /((( ___/ / /_/ (__ ) / / / / / /_/ / / / /_____/ / / / / / /_/ / /_/ / /_/ / / /_/ / / --> | |
<!-- &(((((#.///////// #(((((& /____/\__, /____/_/ /_/ /_/\____/_/ /_/ /_/ /_/ /_/\____/\__,_/\__,_/_/\__,_/_/ --> | |
<!-- &&&&((#///////((#((&&&& /____/ --> | |
<!-- &&&&(#/***//(#(&&&& --> | |
<!-- &&&&****///&&&& by Olaf Hartong --> | |
<!-- (& ,&. --> | |
<!-- .*&&*. --> | |
<!-- --> | |
<Sysmon schemaversion="4.90"> | |
<HashAlgorithms>*</HashAlgorithms> | |
<!-- The chosen hash algorithm also determines the file names of preserved (archived) files (String) -->
<CheckRevocation>False</CheckRevocation> | |
<!-- Setting this to True might impact performance (Boolean) -->
<DnsLookup>False</DnsLookup> | |
<!-- Disables DNS lookup behavior; the default is True (Boolean) -->
<ArchiveDirectory>Sysmon</ArchiveDirectory> | |
<!-- Sets the name of the directory in the C:\ root where preserved files will be saved (String) -->
<EventFiltering> | |
<!-- Event ID 1 == Process Creation - Includes --> | |
<RuleGroup groupRelation="or"> | |
<ProcessCreate onmatch="include"> | |
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">sethc.exe</ParentImage> | |
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">utilman.exe</ParentImage> | |
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">osk.exe</ParentImage> | |
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">Magnify.exe</ParentImage> | |
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">DisplaySwitch.exe</ParentImage> | |
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">Narrator.exe</ParentImage> | |
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">AtBroker.exe</ParentImage> | |
<OriginalFileName condition="contains">\</OriginalFileName> | |
<OriginalFileName name="technique_id=T1546.011,technique_name=Application Shimming" condition="is">sdbinst.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1197,technique_name=BITS Jobs" condition="is">bitsadmin.exe</OriginalFileName> | |
<Rule name="Eventviewer Bypass UAC" groupRelation="and"> | |
<ParentImage name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="image">eventvwr.exe</ParentImage> | |
<Image condition="is not">c:\windows\system32\mmc.exe</Image> | |
</Rule> | |
<ParentImage name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="image">fodhelper.exe</ParentImage> | |
<Rule name="technique_id=T1021.003,technique_name=Distributed Component Object Model" groupRelation="and"> | |
<ParentCommandLine condition="contains">-Embedding</ParentCommandLine> | |
<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage> | |
</Rule> | |
<Rule groupRelation="and"> | |
<!-- Both CommandLine conditions must hold (groupRelation="and"): a Set-MpPreference invocation that also carries one of the listed Microsoft Defender protection-disabling switches. -->
<!-- NOTE(review): unlike its neighbours this rule has no name attribute, so matching events carry no technique_id tag for downstream Wazuh rules; consider name="technique_id=T1562.001,technique_name=Disable or Modify Tools" (verify the ID against the ATT&amp;CK version in use). -->
<CommandLine condition="contains">Set-MpPreference</CommandLine> | |
<CommandLine condition="contains any">-DisableRealTimeMonitoring $true;-DisableBehaviorMonitoring $true;-DisableBlockAtFirstSeen $true;-DisableIOAVProtection $true;-DisablePrivacyMode $true;-SignatureDisableUpdateOnStartupWithoutEngine $true;-DisableArchiveScanning $true;-DisableIntrusionPreventionSystem $true;-DisableScriptScanning $true</CommandLine> | |
</Rule> | |
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">^</CommandLine> | |
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">../../</CommandLine> | |
<ParentCommandLine name="technique_id=T1204,technique_name=User Execution" condition="is">C:\Windows\explorer.exe</ParentCommandLine> | |
<ParentImage name="technique_id=T1204,technique_name=User Execution" condition="is">C:\Windows\explorer.exe</ParentImage> | |
<Rule name="Fltmc" groupRelation="and"> | |
<OriginalFileName name="technique_id=T1562.006,technique_name=Indicator Blocking" condition="is">fltMC.exe</OriginalFileName> | |
<!-- NOTE(review): with condition="contains" the value is a single literal string, so this line only fires when the exact text "unload;detach" appears in the command line. Every other ";"-separated list in this file uses "contains any" or "contains all"; "contains any" is most likely what was intended here (confirm against upstream sysmon-modular). As written the filter-driver unload case is probably not detected. -->
<CommandLine name="technique_id=T1562.006,technique_name=Indicator Blocking" condition="contains">unload;detach</CommandLine> | |
</Rule> | |
<Rule groupRelation="or"> | |
<OriginalFileName name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="is">fltMC.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="contains">misc::mflt</CommandLine> | |
</Rule> | |
<Rule name="InstallUtil" groupRelation="and"> | |
<OriginalFileName name="technique_id=T1218.004,technique_name=InstallUtil" condition="is">InstallUtil.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1218.004,technique_name=InstallUtil" condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine> | |
</Rule> | |
<OriginalFileName name="technique_id=T1546.008,technique_name=Windows Error Reporting" condition="contains">werfault.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="is">odbcconf.exe</OriginalFileName> | |
<Rule name="technique_id=T1027.004,technique_name=Compile After Delivery" groupRelation="and"> | |
<ParentImage condition="is">csc.exe</ParentImage> | |
<CommandLine condition="contains">-target:library</CommandLine> | |
<CommandLine condition="contains">.cs</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1027.004,technique_name=Compile After Delivery" groupRelation="and"> | |
<ParentImage condition="is">csc.exe</ParentImage> | |
<CommandLine condition="contains">-out:</CommandLine> | |
<CommandLine condition="contains">.cs</CommandLine> | |
</Rule> | |
<OriginalFileName name="technique_id=T1564.001,technique_name=Hidden Files and Directories" condition="is">attrib.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1543.003,technique_name=Windows Service" condition="is">sc.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1569.002,technique_name=Service Execution" condition="is">dnscmd.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1489,technique_name=Service Stop" condition="is">taskkill.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1074,technique_name=Data Staged" condition="is">xcopy.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1074,technique_name=Data Staged" condition="is">robocopy.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1105,technique_name=Remote File Copy" condition="is">GfxDownloadWrapper.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">update;--download</CommandLine> | |
<CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">squirrel;--download</CommandLine> | |
<OriginalFileName name="technique_id=T1105,technique_name=Remote File Copy" condition="is">expand.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1564.001,technique_name=Hidden Files and Directories" condition="is">attrib.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1543.003,technique_name=Windows Service" condition="is">sc.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1040,technique_name=Network Sniffing" condition="is">PktMon.exe</OriginalFileName> | |
<Rule name="technique_id=T1003,technique_name=Credential Dumping" groupRelation="and"> | |
<OriginalFileName condition="is">esentutl.exe</OriginalFileName> | |
<!-- NOTE(review): "contains all" splits on ";", so this requires both "/y" and the literal substring "/vss/d" in the command line. If three separate switches (/y, /vss, /d) were intended, the value should read "/y;/vss;/d"; confirm before relying on this rule. -->
<CommandLine condition="contains all">/y;/vss/d</CommandLine> | |
</Rule> | |
<OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="is">TTTracer.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="is">sqldumper.exe</OriginalFileName> | |
<Rule name="technique_id=T1003,technique_name=Credential Dumping" groupRelation="and"> | |
<OriginalFileName condition="is">ntdsutil.exe</OriginalFileName> | |
<CommandLine condition="contains">ifm</CommandLine> | |
</Rule> | |
<ParentImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">diskshadow.exe</ParentImage> | |
<Rule name="technique_id=T1003,technique_name=Credential Dumping (Likely)" groupRelation="and"> | |
<OriginalFileName condition="image">rpcping.exe</OriginalFileName> | |
<CommandLine condition="contains any">\s;-s</CommandLine> | |
<CommandLine condition="contains any">-u;\u;-t;\t</CommandLine> | |
<CommandLine condition="contains any">NTLM;ncacn_np</CommandLine> | |
</Rule> | |
<OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="is">rpcping.exe</OriginalFileName> | |
<Rule name="Ingress Tool Transfer" groupRelation="or"> | |
<!-- NOTE(review): condition="is" is an exact match, so "expand" only fires if the binary's OriginalFileName is exactly that; an earlier entry in this ProcessCreate group uses "expand.exe" for the same technique. Confirm which value is correct and keep one. -->
<OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">expand</OriginalFileName> | |
<OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">IEExec.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">Print.Exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">curl.exe</OriginalFileName> | |
<!-- NOTE(review): the name uses "technique=" instead of the "technique_id=" key used by every other entry; a Wazuh rule that extracts technique_id from RuleName will not tag this event. -->
<ParentImage name="technique=T1105,technique_name=Ingress Tool Transfer" condition="is">ftp.exe</ParentImage> | |
</Rule> | |
<Rule name="technique_id=T1564.004,technique_name=NTFS File Attributes" groupRelation="and"> | |
<OriginalFileName condition="is">print.exe</OriginalFileName> | |
<CommandLine condition="contains">:</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1564.004,technique_name=NTFS File Attributes" groupRelation="and"> | |
<OriginalFileName condition="is">regedit.exe</OriginalFileName> | |
<CommandLine condition="contains">:</CommandLine> | |
</Rule> | |
<Rule name="NTFS File Attributes" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1564.004,technique_name=NTFS File Attributes" condition="is">esentutl.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1564.004,technique_name=NTFS File Attributes" condition="is">extrac32.exe</OriginalFileName> | |
</Rule> | |
<Rule name="Scheduled Task/Job" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1053.005,technique_name=Scheduled Task/Job" condition="contains any">schtasks.exe;sctasks.exe</OriginalFileName> | |
<!-- NOTE(review): the name uses "technique=" rather than "technique_id=", inconsistent with the rest of the file; downstream parsing keyed on technique_id will miss it. Sysmon string conditions are case-insensitive as far as I know, so "at.exe;At.exe" is probably redundant (confirm). -->
<OriginalFileName name="technique=T1053.002,technique_name=At" condition="contains any">at.exe;At.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1053,technique_name=Scheduled Task/Job" condition="is">taskeng.exe</OriginalFileName> | |
</Rule> | |
<Rule name="File Permissions Modification" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1222.001,technique_name=File Permissions Modification" condition="is">takeown.exe</OriginalFileName> | |
<Image name="technique_id=T1222.001,technique_name=File Permissions Modification" condition="image">forfiles.exe</Image> | |
<OriginalFileName name="technique_id=T1222.001,technique_name=File Permissions Modification" condition="contains any">icacls.exe;cacls.exe;xcacls.exe</OriginalFileName> | |
</Rule> | |
<Rule name="Access Token Manipulation" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1134,technique_name=Access Token Manipulation" condition="is">runas.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1134,technique_name=Access Token Manipulation" condition="contains">runas</CommandLine> | |
</Rule> | |
<Rule name="Bypass User Access Control" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">WSReset.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">xwizard.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">computerdefaults.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">dism.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">fodhelper.exe</OriginalFileName> | |
<!-- NOTE(review): the next three entries repeat computerdefaults.exe, dism.exe and fodhelper.exe from above, differing only in technique_name ("Access" vs "Account"). Since the earlier entry matches first they are most likely dead; keep one set, preferably the ATT&amp;CK spelling "Bypass User Account Control", so RuleName is stable for Wazuh rules. -->
<OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Account Control" condition="is">computerdefaults.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Account Control" condition="is">dism.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Account Control" condition="is">fodhelper.exe</OriginalFileName> | |
</Rule> | |
<Rule name="technique_id=T1490,technique_name=Inhibit System Recovery" groupRelation="and"> | |
<OriginalFileName condition="contains any">vssadmin.exe;wbadmin.exe</OriginalFileName> | |
<CommandLine condition="contains">delete</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1490,technique_name=Inhibit System Recovery" groupRelation="and"> | |
<OriginalFileName condition="is">bcdedit.exe</OriginalFileName> | |
<CommandLine condition="contains">/set</CommandLine> | |
</Rule> | |
<Rule name="Inhibit System Recovery" groupRelation="or"> | |
<!-- Command-line variants of T1490; groupRelation="or" so any single line below is enough to fire. -->
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">vssadmin.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">vssadmin;delete</CommandLine> | |
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">wbadmin;delete</CommandLine> | |
<!-- NOTE(review): "bcedit" does not match the binary spelled "bcdedit.exe" in the preceding rule, so this line most likely never fires (typo; confirm upstream). The bcdedit /set case is still covered by the OriginalFileName rule directly above this block. -->
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">bcedit;set</CommandLine> | |
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">wmic;delete</CommandLine> | |
</Rule> | |
<Rule name="Windows Management Instrumentation" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">mofcomp.exe</OriginalFileName> | |
<Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image> | |
<OriginalFileName name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">ScrCons</OriginalFileName> | |
<ParentImage name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="image">wmiprvse.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">wmiprvse.exe</OriginalFileName> | |
</Rule> | |
<Rule name="Account Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1087,technique_name=Account Discovery" condition="is">klist.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1087,technique_name=Account Discovery" condition="is">cmdkey.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1087.001,technique_name=Local Account" condition="contains any">net localgroup;net user;net group</CommandLine> | |
<CommandLine name="technique_id=T1087.001,technique_name=Local Account" condition="contains any">dir C:\users;ls C:\users;dir C:\Users;ls C:\Users</CommandLine> | |
<OriginalFileName name="technique_id=T1078.002,technique_name=Domain Accounts" condition="is">djoin.exe</OriginalFileName> | |
</Rule> | |
<Rule name="System Owner/User Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="contains any">systeminfo.exe;sysinfo.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">quser.exe</OriginalFileName> | |
<!-- NOTE(review): "nltestk.exe" looks like a typo of "nltest.exe" (the spelling used in the Domain Trust Discovery rule later in this group); with "contains any" the first value still matches nltest.exe, so the second is probably harmless but misleading. Confirm against upstream. -->
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="contains any">nltest.exe;nltestk.exe</OriginalFileName> | |
</Rule> | |
<Rule name="System Network Configuration Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">ipconfig.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">nslookup.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">tracert.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">route.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="contains any">nbtstat.exe;nbtinfo.exe</OriginalFileName> | |
</Rule> | |
<Rule name="Security Software Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="is">netsh.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="contains">netsh advfirewall</CommandLine> | |
</Rule> | |
<Rule name="Remote System Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">net.exe;net1.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">ping.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">dsquery.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">net view;net group</CommandLine> | |
</Rule> | |
<Rule name="Process Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">tasklist.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">qprocess.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">query.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">qwinsta.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">rwinsta.exe</OriginalFileName> | |
</Rule> | |
<Rule name="File and Directory Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1083,technique_name=File and Directory Discovery" condition="contains any">tree.com;findstr.exe;where.exe</OriginalFileName> | |
<!-- NOTE(review): "contains any" is a substring match, so "ls" and "dir" fire on any command line containing those letters (e.g. paths with "tools" or "directory"). In a Wazuh deployment this is likely to be a high-volume source; consider anchoring the match (for example to the full "dir " token or to cmd.exe as the image) or excluding known-good paths. -->
<CommandLine name="technique_id=T1083,technique_name=File and Directory Discovery" condition="contains any">ls;dir</CommandLine> | |
</Rule> | |
<Rule name="System Network Connections Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1049,technique_name=System Network Connections Discovery" condition="is">netstat.exe</OriginalFileName> | |
</Rule> | |
<Rule name="technique_id=T1482,technique_name=Domain Trust Discovery" groupRelation="and"> | |
<!-- NOTE(review): "nltestrk.exe" does not match nltest.exe, the name used by the rule that follows, so this AND-rule probably never fires (typo; confirm upstream). Coverage is preserved because the following rule matches every nltest.exe launch, but the /domain_trusts specific RuleName will not be emitted. -->
<OriginalFileName condition="is">nltestrk.exe</OriginalFileName> | |
<CommandLine condition="contains">/domain_trusts</CommandLine> | |
</Rule> | |
<Rule name="Domain Trust Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1482,technique_name=Domain Trust Discovery" condition="is">nltest.exe</OriginalFileName> | |
</Rule> | |
<Rule name="Query Registry" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1012,technique_name=Query Registry" condition="is any">reg.exe;regedit.exe</OriginalFileName> | |
</Rule> | |
<Rule name="technique_id=T1070.001,technique_name=Clear Windows Event Logs" groupRelation="and"> | |
<OriginalFileName condition="is">wevtutil.exe</OriginalFileName> | |
<CommandLine condition="contains any">cl;clear-log</CommandLine> | |
</Rule> | |
<Rule name="Indicator Removal" groupRelation="or"> | |
<OriginalFileName name="Event Log Access" condition="is">wevtutil.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1070,technique_name=Indicator Removal" condition="is">fsutil.exe</OriginalFileName> | |
</Rule> | |
<Rule name="technique_id=T1112,technique_name=Modify Registry" groupRelation="and"> | |
<OriginalFileName condition="is any">reg.exe;regedit.exe</OriginalFileName> | |
<CommandLine condition="contains any">/i;.reg</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1112,technique_name=Modify Registry" groupRelation="and"> | |
<OriginalFileName condition="is any">reg.exe;regedit.exe</OriginalFileName> | |
<CommandLine condition="contains any">hklm;HKLM;hkey_local_machine</CommandLine> | |
<CommandLine condition="contains any">\system;\sam;\security</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1202,technique_name=Indirect Command Execution" groupRelation="and"> | |
<ParentImage condition="is">hh.exe</ParentImage> | |
<CommandLine condition="contains">.exe</CommandLine> | |
</Rule> | |
<Rule name="Indirect Command Execution" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">pcalua.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">cscript.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">wscript.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">pcalua.exe</ParentImage> | |
<ParentImage name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">cscript.exe</ParentImage> | |
<ParentImage name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">wscript.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">bash.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">certutil.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">winrs.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">control.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">desktopimgdownldr.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">wsl.exe</ParentImage> | |
</Rule> | |
<Rule name="System Script Proxy Execution" groupRelation="or"> | |
<CommandLine name="technique_id=T1216.001,technique_name=PubPrn" condition="contains">pubprn</CommandLine> | |
<CommandLine name="technique_id=T1216,technique_name=System Script Proxy Execution" condition="contains">slmgr</CommandLine> | |
<CommandLine name="technique_id=T1216,technique_name=System Script Proxy Execution" condition="contains">manage-bde</CommandLine> | |
<CommandLine name="technique_id=T1216,technique_name=System Script Proxy Execution" condition="contains">CL_Invocation</CommandLine> | |
<CommandLine name="technique_id=T1216,technique_name=System Script Proxy Execution" condition="contains">CL_Mutexverifiers</CommandLine> | |
<CommandLine name="technique_id=T1216,technique_name=System Script Proxy Execution" condition="contains">winrm</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1216,technique_name=System Script Proxy Execution" groupRelation="and"> | |
<OriginalFileName condition="is">cscript.exe</OriginalFileName> | |
<CommandLine condition="contains">.js</CommandLine> | |
</Rule> | |
<OriginalFileName name="technique_id=T1218.001,technique_name=Compiled HTML File" condition="is">hh.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1218.001,technique_name=Compiled HTML File" condition="is">hh.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1218.004,technique_name=InstallUtil" condition="is">installutil.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1218.005,technique_name=Mshta" condition="image">mshta.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1218.005,technique_name=Mshta" condition="is">mshta.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218.010,technique_name=Regsvr32" condition="is">regsvr32.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218.011,technique_name=rundll32.exe" condition="contains">rundll32.exe</OriginalFileName> | |
<Rule name="System Binary Proxy Execution" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">InfDefaultInstall.EXE</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">extexport.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msconfig.EXE</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msiexec.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">odbcconf.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">PresentationHost.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">rasdlui.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">RegisterCimProvider2.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">RegisterCimProvider.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">ScriptRunner.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">verclsid.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">wab.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">wab.exe</ParentImage> | |
<ParentImage name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">wsreset.exe</ParentImage> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">xwizard RunWizard</CommandLine> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">Appvlp.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">bginfo</CommandLine> | |
<ParentCommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">bginfo</ParentCommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">cbd</CommandLine> | |
<ParentCommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">csi.exe</ParentCommandLine> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">csi.exe</OriginalFileName> | |
<ParentCommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine> | |
<ParentImage name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">devtoolslauncher.exe</ParentImage> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">runscripthelper.exe surfacecheck</CommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">Scriptrunner.exe -appvscript</CommandLine> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">Scriptrunner.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">tttracer.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msdt.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">rasautou.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">Register-cimprovider.exe</OriginalFileName> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">diskshadow.exe</Image> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains all">diskshadow.exe;/s</CommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains all">diskshadow.exe;-s</CommandLine> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">replace.exe</OriginalFileName> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">jjs.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">appcmd.exe</Image> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">ieexec.exe http</CommandLine> | |
</Rule> | |
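<!-- Trusted developer / build tooling that can compile or run attacker-supplied code (T1127).
     OR relation: any single child matching tags the event. OriginalFileName comes from the PE
     version resource, so these entries still match when the binary is renamed on disk.
     Review fixes: the duplicated jsc.exe and Microsoft.Workflow.Compiler.exe entries were dropped;
     the exact "vbc.exe" entry was dropped because "contains vbc.exe" on the same field already
     covers it; the ParentImage checks were switched from "is" to "image", since ParentImage holds
     a full path and an exact compare against a bare file name could never fire. -->
<Rule name="Trusted Developer Utilities Proxy Execution" groupRelation="or">
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">vbc.exe /target:exe</CommandLine>
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">vbc.exe</OriginalFileName>
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">dnx.exe</CommandLine>
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">csc.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">dfsvc.exe</OriginalFileName>
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">msdeploy.exe -verb:sync -source:RunCommand</CommandLine>
<!-- children of these debugging/tracing tools: the tool is the proxy, so the parent is what matters -->
<ParentImage name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">mftrace.exe</ParentImage>
<ParentImage name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">dxcap.exe</ParentImage>
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains all">dxcap.exe;-c</CommandLine>
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains all">dxcap.exe;/c</CommandLine>
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">ilasm.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">jsc.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">Microsoft.Workflow.Compiler.exe</OriginalFileName>
<ParentImage name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">vsjitdebugger.exe</ParentImage>
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">vsjitdebugger</CommandLine>
<!-- Squirrel-style updaters (update.exe / squirrel.exe) can be pointed at an arbitrary executable -->
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains all">update.exe;--update</CommandLine>
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains all">update.exe;--ProcessStart</CommandLine>
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">tracker.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">te.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">rcsi.exe</OriginalFileName>
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains all">squirrel.exe;--update</CommandLine>
<!-- ClickOnce application launched straight from a remote URL via the deployment shim -->
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">rundll32.exe dfshim.dll,ShOpenVerbApplication http://</CommandLine>
<!-- command-line variant of ilasm, kept alongside the OriginalFileName entry above (different fields) -->
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">ilasm</CommandLine>
</Rule>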
<!-- Mavinject (App-V injector) used to load a DLL into a running process (T1218).
     AND relation: the binary must be mavinject AND the /INJECTRUNNING switch must be present,
     so routine App-V use of the tool without injection is not tagged.
     NOTE(review): confirm that the OriginalFileName of the 32-bit (SysWOW64) build contains one of
     the two tokens below; if it reports a different name that copy is not covered. -->
<Rule name="Mavinject" groupRelation="and">
<OriginalFileName name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName>
<CommandLine name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="contains">/INJECTRUNNING</CommandLine>
</Rule>
<!-- CMSTP.exe (Connection Manager profile installer) run non-interactively and silently (/ni /s),
     the switches used when an attacker-supplied .inf is installed to launch commands (T1218.003).
     AND relation: both the binary and both switches are required. -->
<Rule name="CMSTP" groupRelation="and">
<OriginalFileName name="technique_id=T1218.003,technique_name=CMSTP" condition="is">CMSTP.exe</OriginalFileName>
<CommandLine name="technique_id=T1218.003,technique_name=CMSTP" condition="contains all">/ni;/s</CommandLine>
</Rule>
<!-- MSBuild can compile and run inline tasks from a project file (T1127); matched on OriginalFileName so a rename does not evade it -->
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">MSBuild.exe</OriginalFileName>
<!-- Every child process of an Office application is logged. "image" compares only the file-name
     part of ParentImage, so it works whichever Office install path is used. Expect volume on user
     workstations (add-ins, updaters, links opened from documents); that volume is the point, since
     Office-spawned shells and script hosts are the classic macro/phishing execution chain. -->
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">excel.exe</ParentImage>
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">winword.exe</ParentImage>
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">powerpnt.exe</ParentImage>
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">outlook.exe</ParentImage>
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">msaccess.exe</ParentImage>
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">mspub.exe</ParentImage>
<!-- .NET registration utilities that execute code from an assembly they are pointed at (T1218.009) -->
<OriginalFileName name="technique_id=T1218.009,technique_name=Regsvcs/Regasm" condition="contains any">regsvcs.exe;regasm.exe</OriginalFileName>
<!-- Every cmd.exe launch (T1059.003). Matched on both OriginalFileName (survives a renamed copy)
     and the Image file name, so either a renamed cmd.exe or an unsigned look-alike named cmd.exe is caught. -->
<Rule name="Windows Command Shell" groupRelation="or">
<OriginalFileName name="technique_id=T1059.003,technique_name=Windows Command Shell" condition="is">cmd.exe</OriginalFileName>
<Image name="technique_id=T1059.003,technique_name=Windows Command Shell" condition="image">cmd.exe</Image>
</Rule>
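<!-- Every PowerShell host launch (T1059.001). "image" on OriginalFileName compares only the
     file-name part, so a renamed powershell.exe is still tagged. Sqlps (SQL Server PowerShell) and
     Pester invocations are included because both are PowerShell hosts outside the usual binaries.
     Review fix: PowerShell 7+ (pwsh.exe) was not covered at all; it is matched on the Image name so
     the entry works regardless of how its version resource is populated. -->
<Rule name="PowerShell" groupRelation="or">
<OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell_ise.exe</OriginalFileName>
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">pwsh.exe</Image>
<OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="contains">Sqlps.exe</OriginalFileName>
<CommandLine name="technique_id=T1059.001,technique_name=PowerShell" condition="contains">pester</CommandLine>
</Rule>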
<!-- ATBroker.exe "start": the Assistive Technology broker launches whatever application is
     registered under the AT key, which makes it a signed execution proxy (T1218).
     The technique string is on the Rule itself because the children carry no name attribute;
     the Rule name is what Sysmon reports in RuleName. -->
<Rule name="technique_id=T1218,technique_name=System Binary Proxy Execution" groupRelation="and">
<OriginalFileName condition="is">ATBroker.exe</OriginalFileName>
<CommandLine condition="contains">start</CommandLine>
</Rule>
<!-- Obfuscation / payload-staging hints on any process command line (T1027).
     These are deliberately loose substring matches and are the noisiest part of the include set:
     "http" fires on any URL argument and "replace" on PowerShell -replace, replace.exe and plain
     file names, "gzip"/"decompress" on ordinary archiving. Accepted for the balanced profile; if
     volume becomes a problem, narrow with a targeted exclude rather than deleting the entry. -->
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">FromBase64</CommandLine>
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">gzip</CommandLine>
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">decompress</CommandLine>
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">http</CommandLine>
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">replace</CommandLine>
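<!-- App-V publishing server can run PowerShell handed to it on the command line (T1218) -->
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">SyncAppvPublishingServer.exe</Image>
<!-- Sysinternals tooling, matched on OriginalFileName (PE version resource) so renaming the
     binary does not evade the rule. These are legitimate admin utilities; the ATT&CK label is the
     usual abuse, not proof of malice. "PsExec.c" is the OriginalFileName the shipped PsExec
     binaries actually report, which is why it sits next to the PsExec.exe entry.
     Review fix: the exact-match "ProcDump" entry was removed because the "contains ProcDump" entry
     on the same field already matches it (same RuleName, so nothing downstream changes). -->
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="is">PsList.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1007,technique_name=System Service Discovery" condition="is">PsService.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1569.002,technique_name=Service Execution" condition="is">PsExec.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1569.002,technique_name=Service Execution" condition="is">PsExec.c</OriginalFileName>
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">PsGetSID.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="is">PsKill.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="is">PKill.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">ProcDump</OriginalFileName>
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">PsLoggedOn.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">PsFile.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">ShellRunas</OriginalFileName>
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="is">PipeList.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1083,technique_name=File and Directory Discovery" condition="is">AccessChk.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1083,technique_name=File and Directory Discovery" condition="is">AccessEnum.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">LogonSessions.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1005,technique_name=Data from Local System" condition="is">PsLogList.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="is">PsInfo.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1007,technique_name=System Service Discovery" condition="contains">LoadOrd</OriginalFileName>
<OriginalFileName name="technique_id=T1098,technique_name=Account Manipulation" condition="is">PsPasswd.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1012,technique_name=Query Registry" condition="is">ru.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1012,technique_name=Query Registry" condition="contains">Regsize</OriginalFileName>
<!-- Full memory dump of LSASS by ProcDump-style syntax. This only catches the literal "-ma lsass.exe";
     a dump by PID, or "-ma lsass" without the extension, is not matched here and relies on the
     ProcDump OriginalFileName entry above. -->
<CommandLine name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">-ma lsass.exe</CommandLine>
<!-- NOTE(review): T1036 is "Masquerading" in ATT&CK (the name the path rules below use); "Process
     Evasion" is not an ATT&CK technique name, and an unattended full dump is closer to T1003.
     Left unchanged so Wazuh rules keyed on this RuleName string keep working; worth re-labelling. -->
<CommandLine name="technique_id=T1036,technique_name=Process Evasion" condition="contains">-accepteula -ma</CommandLine>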
<!-- Inhibit System Recovery (T1490): shadow-copy deletion, backup-catalog deletion and boot
     recovery tampering, the usual pre-encryption steps of ransomware. Each Rule is an AND of the
     binary (OriginalFileName, rename-resistant) and the distinctive argument pair; "contains all"
     is order-independent, so "shadowcopy delete" and "delete shadowcopy" both match. -->
<Rule groupRelation="and">
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">vssadmin.exe</OriginalFileName>
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">delete;shadow</CommandLine>
</Rule>
<!-- shrinking shadow storage forces older copies to be discarded without an explicit delete -->
<Rule groupRelation="and">
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">vssadmin.exe</OriginalFileName>
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">resize;shadowstorage</CommandLine>
</Rule>
<Rule groupRelation="and">
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">wmic.exe</OriginalFileName>
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">delete;shadowcopy</CommandLine>
</Rule>
<Rule groupRelation="and">
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">wbadmin.exe</OriginalFileName>
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">delete;catalog</CommandLine>
</Rule>
<!-- bcdedit: disabling the recovery environment and ignoring boot failures -->
<Rule groupRelation="and">
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">bcdedit.exe</OriginalFileName>
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">recoveryenabled;no</CommandLine>
</Rule>
<Rule groupRelation="and">
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">bcdedit.exe</OriginalFileName>
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">bootstatuspolicy;ignoreallfailures</CommandLine>
</Rule>
<!-- Executables launched from locations where legitimate software rarely lives (T1036).
     The "begin with" entries are anchored at the drive root, so they only cover the C: drive;
     the "contains" entries match anywhere in the path and are the noisiest part of this profile
     on user workstations (installers from Downloads, per-user apps under AppData\Local).
     Excludes later in this file are the intended place to carve out known-good software. -->
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\PerfLogs\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\$Recycle.bin\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Intel\Logs\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Default\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Public\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\NetworkService\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Fonts\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Debug\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Media\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Help\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\addins\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\repair\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\security\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
<!-- executing out of a shadow-copy device path is a known evasion / rollback trick -->
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">VolumeShadowCopy</Image>
<!-- web roots: a binary spawned from here is a web-shell indicator -->
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\htdocs\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\wwwroot\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Temp\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Downloads\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Desktop\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Appdata\Local\</Image>
<!-- Control Panel item execution (T1218.002): either "control /name ..." or the rundll32
     shell32.dll,Control_RunDLL entry point that loads a .cpl (any DLL with a CPlApplet export). -->
<Rule name="Control Panel Items" groupRelation="or">
<CommandLine name="technique_id=T1218.002,technique_name=Control Panel Items" condition="contains all">control;/name</CommandLine>
<CommandLine name="technique_id=T1218.002,technique_name=Control Panel Items" condition="contains all">rundll32.exe;shell32.dll;Control_RunDLL</CommandLine>
</Rule>
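<!-- Windows Defender tampering (T1562.001).
     Review fix: the original rule AND-ed Image=MpCmdRun.exe with "Add-MpPreference" and
     "DisableIOAVProtection", which are PowerShell cmdlet/parameter names that never appear on an
     MpCmdRun.exe command line, so only "-RemoveDefinitions" could ever have matched. The rule is
     split: definition removal stays bound to MpCmdRun.exe, while the cmdlet tokens (plus the
     equally common DisableRealtimeMonitoring parameter) are matched on any command line, i.e. the
     powershell.exe / pwsh.exe process that carries them. RuleName reflects whichever include rule
     Sysmon matches first, so such a process may still be reported under the PowerShell rule. -->
<Rule name="Windows Defender tampering" groupRelation="and">
<Image name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="image">MpCmdRun.exe</Image>
<CommandLine name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains">RemoveDefinitions</CommandLine>
</Rule>
<Rule name="Windows Defender tampering" groupRelation="or">
<CommandLine name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains any">Add-MpPreference;DisableIOAVProtection;DisableRealtimeMonitoring</CommandLine>
</Rule>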
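<!-- Windows Remote Management (T1021.006). wsmprovhost.exe hosts the server side of a remote
     PowerShell session; winrshost.exe hosts WinRS commands. -->
<OriginalFileName name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">wsmprovhost.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">winrshost.exe</OriginalFileName>
<!-- Commands run inside a remote session are children of wsmprovhost.exe; without this entry only
     the session host itself was logged and the actual remote commands depended on other rules. -->
<ParentImage name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="image">wsmprovhost.exe</ParentImage>
<!-- Review fix: the previous entry matched Image against "winrm.cmd". winrm.cmd is a batch wrapper
     that runs cscript on winrm.vbs, so it never appears as the Image of any process (the process
     is cmd.exe or cscript.exe) and the entry could not fire; the script names are matched on the
     command line instead. -->
<CommandLine name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="contains any">winrm.cmd;winrm.vbs</CommandLine>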
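<!-- WSL as an execution proxy (T1218): commands passed with -e / /e, sessions forced to root, and
     an explicit bash exec. NOTE(review): technique_name here reads "Trusted Binary Proxy
     Execution" while the same T1218 id is labelled "System Binary Proxy Execution" and "Signed
     Binary Proxy Execution" elsewhere in this file; left unchanged because Wazuh rules may key on
     the string, but the labels should be unified.
     Review fix: the ParentImage entry used condition="is" against the bare name "wsl.exe";
     ParentImage carries a full path, so that could never match. "image" compares the file-name part. -->
<ParentImage name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="image">wsl.exe</ParentImage>
<ParentCommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;-e</ParentCommandLine>
<ParentCommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;/e</ParentCommandLine>
<CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;-e</CommandLine>
<CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;/e</CommandLine>
<CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;-u root</CommandLine>
<CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;/u root</CommandLine>
<CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;--exec bash</CommandLine>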
<!-- bash started through WSL with a /dev/tcp pseudo-device on the command line, i.e. a raw TCP
     connection (download or reverse shell) made from the Linux side. AND relation: both the
     bash exec and the /dev/tcp token must be present. The second "contains all" holds a single
     token and therefore behaves as a plain "contains".
     NOTE(review): in ATT&CK, T1202 is "Indirect Command Execution"; "Remote File Copy" was the
     former name of T1105. Confirm which technique is intended before mapping this in Wazuh. -->
<Rule name="Remote Copy via wsl" groupRelation="and">
<CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">wsl.exe;--exec bash</CommandLine>
<CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">/dev/tcp</CommandLine>
</Rule>
</ProcessCreate> | |
</RuleGroup> | |
<!-- Event ID 1 == Process Creation - Excludes --> | |
<RuleGroup groupRelation="or"> | |
<ProcessCreate onmatch="exclude"> | |
<!-- Process-creation excludes. In Sysmon an exclude match wins over any include match, so every
     entry in this group is a deliberate blind spot: keep each one as narrow as the noise requires.
     Acrobat Reader helper children carrying the /CR or channel= switches (internal IPC spawns).
     AND relation, so a plain AcroRd32.exe launch, e.g. opening a document, is still logged. -->
<Rule groupRelation="and">
<Image condition="end with">AcroRd32.exe</Image>
<CommandLine condition="contains any">/CR;channel=</CommandLine>
</Rule>
<!-- Acrobat / Reader Chromium helpers and the Adobe licensing service. An OR Rule inside an
     OR RuleGroup is redundant but harmless. "end with" is used with full absolute paths here;
     "is" would be the tighter choice. The AGSService.exe entry is parent-based, so every child of
     that service is dropped, not only Adobe binaries. -->
<Rule groupRelation="or">
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
</Rule>
<!-- Adobe Creative Cloud, ARM updater, licensing utilities and the Flash update service.
     NOTE(review): the ParentImage entries (Creative Cloud.exe, CCXProcess.exe, CoreSync.exe,
     AdobeARM.exe, adobe_licutil.exe, updaterstartuputility.exe) drop every child of those
     processes whatever it is; anything that can be coaxed into spawning a shell from them would go
     unlogged. The Flash Player entry is dead weight on current systems but harmless. -->
<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
<!-- Microsoft Monitoring Agent host started by DCOM. The quotes are correct in a *CommandLine*
     value because they are part of the command line as recorded; they would be wrong in an Image
     or ParentImage value, which is a bare path. -->
<ParentCommandLine condition="is">"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" -Embedding</ParentCommandLine>
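<!-- cscript run by the Microsoft Monitoring Agent host for knowledge discovery.
     Review fix: ParentImage is recorded as a bare path without quotes, so the original exact-match
     value (which wrapped the path in literal quotes) could never match and this exclusion was dead,
     i.e. these events were still being logged. The CommandLine value keeps its quotes because
     there they really are part of the recorded command line. -->
<Rule groupRelation="and">
<ParentImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</ParentImage>
<CommandLine condition="is">"C:\Windows\system32\cscript.exe" /nologo "MonitorKnowledgeDiscovery.vbs"</CommandLine>
</Rule>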
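<!-- Cisco AnyConnect: every child of vpnagent.exe is dropped. NOTE(review): parent-based excludes
     are blind spots if that parent can ever be made to spawn something; prefer Image-based entries. -->
<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage>
<!-- Desktop Central agent/server. A directory-prefix exclude hides ANY binary run from these
     folders, so the folder ACLs must keep non-admins from writing there. -->
<Image condition="begin with">C:\program files (x86)\desktopcentral_agent\bin\</Image>
<Image condition="begin with">C:\program files\desktopcentral_server\bin\</Image>
<!-- .NET native-image (NGEN) service, its worker processes and the WPF font cache.
     Review fix: the PresentationFontCache.exe and 32-bit ngentask.exe ParentImage entries were
     listed twice; the duplicates were removed (no change in what is excluded). -->
<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine>
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image>
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image>
<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage>
<!-- vendor driver/utility folders: directory-prefix excludes again, same ACL caveat as above -->
<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image>
<Image condition="begin with">C:\Program Files\Realtek\</Image>
<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage>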
<!-- Dropbox updater (Image and all of its children) and the ESET kernel service -->
<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
<Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image>
<!-- Chrome renderer/utility children (the type= switch). Anchored on the quoted install path, so
     a chrome.exe launched from elsewhere, or the browser's own top-level launch, is still logged. -->
<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine>
<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine>
<!-- Google Update: directory-prefix exclude for the Image and every child of anything in it; the
     folder ACLs must keep non-admins from writing there -->
<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image>
<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage>
<!-- RES Workspace Manager / Ivanti Workspace Control agents: everything they spawn is dropped,
     which includes any logon/launch actions an administrator (or an attacker with console access)
     configures in the product. NOTE(review): the respesvc64.exe entries differ only by letter case;
     Sysmon string conditions are case-insensitive, so one of them is redundant. -->
<ParentImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe</ParentImage>
<ParentImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\respesvc64.exe</ParentImage>
<ParentImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe</ParentImage>
<ParentImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\ResPesvc64.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\RES Software\Workspace Manager\respesvc.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\Ivanti\Workspace Control\ResPesvc.exe</ParentImage>
<!-- Malwarebytes, Office Click-to-Run servicing, Office sync/licensing, Firefox plugin containers -->
<Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe</Image>
<Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe</Image>
<Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe</Image>
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image>
<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage>
<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image>
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image>
<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine>
<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine>
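<!-- OneDrive FileCoAuth.exe under a user profile ("contains all" requires every ;-separated token).
     Review fix: the original value began with a space (" C:\Users\"), so the first token could only
     match if Sysmon trims it; the stray space is removed so the exclusion works as intended. -->
<Image condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>
<!-- Sophos endpoint services (exact paths) -->
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe</Image>
<!-- Splunk Enterprise and Universal Forwarder on C: and D:.
     NOTE(review): the ParentImage entries drop every child of splunkd.exe / splunk.exe, which is
     exactly where scripted and modular inputs (cmd, PowerShell, python) run. A compromised
     forwarder or a malicious app bundle would therefore execute unlogged; consider keeping only
     the bin\ Image excludes and letting splunkd's children be logged. -->
<Image condition="begin with">C:\Program Files\Splunk\bin\</Image>
<ParentImage condition="is">C:\Program Files\Splunk\bin\splunkd.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\Splunk\bin\splunk.exe</ParentImage>
<Image condition="begin with">D:\Program Files\Splunk\bin\</Image>
<ParentImage condition="is">D:\Program Files\Splunk\bin\splunkd.exe</ParentImage>
<ParentImage condition="is">D:\Program Files\Splunk\bin\splunk.exe</ParentImage>
<Image condition="begin with">C:\Program Files\SplunkUniversalForwarder\bin\</Image>
<ParentImage condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</ParentImage>
<Image condition="begin with">D:\Program Files\SplunkUniversalForwarder\bin\</Image>
<ParentImage condition="is">D:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</ParentImage>
<ParentImage condition="is">D:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</ParentImage>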
<!-- Windows service-host instances, one exact command line each. Sysmon compares case-
     insensitively, so the C:\WINDOWS and C:\Windows spellings are equivalent; the "-p -s" forms
     are the per-service split used on newer builds and do not match the shared-group lines.
     NOTE(review): every entry here keys on CommandLine alone and never checks Image. A process
     created with lpApplicationName pointing at some other binary but lpCommandLine set to one of
     these exact strings would be excluded regardless of what actually ran. If that matters for
     your threat model, wrap the entries in a Rule that also requires
     Image is C:\Windows\system32\svchost.exe. -->
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -s StateRepository</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel</CommandLine>
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k camera -s FrameServer</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k defragsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k imgsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s EventSystem</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s bthserv</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s nsi</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s w32Time</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine>
<CommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine>
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k swprv</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine>
<CommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC</CommandLine>
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx</CommandLine>
<!-- NOTE(review): the two parent-based entries below drop every process started by the shared
     netsvcs and localSystemNetworkRestricted svchost instances. On hosts where those shared groups
     still host services that launch programs (for example the Task Scheduler on builds that do not
     use the per-service "-p -s" split), scheduled-task launches would go unlogged. Verify on a
     representative build before relying on this, and prefer dropping these two lines if in doubt. -->
<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</ParentCommandLine>
<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</ParentCommandLine>
<Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\ds_monitor.exe</Image> | |
<Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe</Image> | |
<Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\dsuam.exe</Image> | |
<Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe</Image> | |
<Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\lib\Patch.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe</Image> | |
<Image condition="begin with">C:\Program Files\Windows Defender\</Image> | |
<Image condition="is">C:\Windows\system32\MpSigStub.exe</Image> | |
<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_</Image> | |
<Image condition="is">C:\Program Files\Microsoft Security Client\MpCmdRun.exe</Image> | |
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> | |
<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> | |
<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> | |
<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> | |
<Image condition="is">C:\Windows\System32\audiodg.exe</Image> | |
<Image condition="is">C:\Windows\System32\conhost.exe</Image> | |
<Image condition="is">C:\Windows\System32\powercfg.exe</Image> | |
<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> | |
<Image condition="is">C:\Windows\System32\wermgr.exe</Image> | |
<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> | |
<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> | |
<IntegrityLevel condition="is">AppContainer</IntegrityLevel> | |
<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> | |
<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> | |
</ProcessCreate> | |
</RuleGroup> | |
<!-- Event ID 2 == File Creation Time - Includes --> | |
<!-- File operations are covered by Wazuh FIM, therefore this section is kept only as an empty include list and logs nothing. --> | |
<!-- Event ID 2 (FileCreateTime): the include list is deliberately empty, so Sysmon emits no file-time -->
<!-- change events at all; file timestamp monitoring is delegated to Wazuh FIM by the author. If FIM is -->
<!-- disabled on a host, re-add include rules here or T1070.006 (Timestomp) has no Sysmon coverage. -->
<RuleGroup groupRelation="or"> | |
<FileCreateTime onmatch="include" /> | |
</RuleGroup> | |
<!-- Event ID 3 == Network Connection - Includes --> | |
<!-- Event ID 3 (NetworkConnect) include list. Entries are evaluated in document order and, in practice, -->
<!-- Sysmon reports a single RuleName per event from the first entry that matches. Several images appear -->
<!-- more than once in this group (mshta.exe, regsvr32.exe, reg.exe, taskkill.exe, schtasks.exe, hh.exe, -->
<!-- sc.exe, cscript.exe, wscript.exe, msiexec.exe, net.exe, nslookup.exe, nbtstat.exe, qprocess.exe, -->
<!-- qwinsta.exe, rwinsta.exe) as do ports 5985/5986; the later copies never contribute their own technique -->
<!-- tag and are dead configuration, kept here as generated. Entries without a name= attribute (java.exe, -->
<!-- javaw.exe, javaws.exe, driverquery.exe, infDefaultInstall.exe, tor.exe) yield an empty RuleName; -->
<!-- tagging them keeps the Wazuh side keyed consistently on RuleName. -->
<RuleGroup groupRelation="or"> | |
<NetworkConnect onmatch="include"> | |
<Image name="technique_id=T1021,technique_name=Remote Services" condition="image">vnc.exe</Image> | |
<Image name="technique_id=T1021,technique_name=Remote Services" condition="image">vncviewer.exe</Image> | |
<Image name="technique_id=T1021,technique_name=Remote Services" condition="image">vncservice.exe</Image> | |
<Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">winexesvc.exe</Image> | |
<Image name="technique_id=T1197,technique_name=BITS Jobs" condition="image">bitsadmin.exe</Image> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">4444</DestinationPort> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">31337</DestinationPort> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">6667</DestinationPort> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">5555</DestinationPort> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">5353</DestinationPort> | |
<Image name="technique_id=T1021,technique_name=Remote Services" condition="image">omniinet.exe</Image> | |
<Image name="technique_id=T1021,technique_name=Remote Services" condition="image">hpsmhd.exe</Image> | |
<Image name="technique_id=T1102,technique_name=Web Service" condition="begin with">C:\Program Files\Microsoft\HybridConnectionManager</Image> | |
<!-- Grouped LOLBins that normally have no reason to open sockets; the Rule name is what reaches Wazuh. -->
<Rule name="Unusual Connection" groupRelation="or"> | |
<Image condition="image">dllhost.exe</Image> | |
<Image condition="image">hh.exe</Image> | |
<Image condition="image">klist.exe</Image> | |
<Image condition="image">schtasks.exe</Image> | |
<Image condition="image">taskkill.exe</Image> | |
<Image name="technique_id=T1218.005,technique_name=Mshta" condition="image">mshta.exe</Image> | |
<Image name="technique_id=T1218.010,technique_name=Regsvr32" condition="image">regsvr32.exe</Image> | |
<Image name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="image">netsh.exe</Image> | |
<Image name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="image">xwizard.exe</Image> | |
<Image name="technique_id=T1564.004,technique_name=NTFS File Attributes" condition="image">esentutl.exe</Image> | |
<Image name="technique_id=T1112,technique_name=Modify Registry" condition="image">reg.exe</Image> | |
<Image name="technique_id=T1134,technique_name=Access Token Manipulation" condition="image">runas.exe</Image> | |
<Image name="technique_id=T1069,technique_name=Permission Groups Discovery" condition="image">net1.exe</Image> | |
<Image name="technique_id=T1070,technique_name=Indicator Removal on Host" condition="image">wevtutil.exe</Image> | |
</Rule> | |
<Image name="technique_id=T1003,technique_name=Credential Dumping" condition="image">RpcPing.exe</Image> | |
<Rule name="Discovery" groupRelation="or"> | |
<Image name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="image">ipconfig.exe</Image> | |
<Image name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="image">nbtstat.exe</Image> | |
<Image name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="image">nslookup.exe</Image> | |
<Image name="technique_id=T1018,technique_name=Remote System Discovery" condition="image">net.exe</Image> | |
<Image name="technique_id=T1018,technique_name=Remote System Discovery" condition="image">nslookup.exe</Image> | |
<Image name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="image">nltest.exe</Image> | |
<Image name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="image">quser.exe</Image> | |
<Image name="technique_id=T1049,technique_name=System Network Connections Discovery" condition="image">netstat.exe</Image> | |
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">qprocess.exe</Image> | |
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">query.exe</Image> | |
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">qwinsta.exe</Image> | |
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">rwinsta.exe</Image> | |
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">tasklist.exe</Image> | |
</Rule> | |
<Rule name="Ingress Tool Transfer" groupRelation="or"> | |
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">expand.exe</Image> | |
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">extrac32.exe</Image> | |
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">IEExec.exe</Image> | |
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">Print.Exe</Image> | |
</Rule> | |
<Rule name="Execution" groupRelation="or"> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">cscript.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">desktopimgdownldr.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">pcalua.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">winrs.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">wscript.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">Msdt.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">msiexec.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">RegisterCimProvider.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">ScriptRunner.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">dfsvc.exe</Image> | |
</Rule> | |
<Rule name="Services" groupRelation="or"> | |
<Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">dnscmd.exe</Image> | |
<Image name="technique_id=T1543.003,technique_name=Windows Service" condition="image">sc.exe</Image> | |
<Image name="technique_id=T1053,technique_name=Scheduled Task/Job" condition="image">taskeng.exe</Image> | |
</Rule> | |
<!-- Every outbound connection from a shell host is logged; on admin workstations this is the noisiest -->
<!-- part of the group and is a candidate for a per-host exclude further down rather than removal here. -->
<Rule name="Shells and Terminals" groupRelation="or"> | |
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">OpenConsole.exe</Image> | |
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell.exe</Image> | |
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">WindowsTerminal.exe</Image> | |
<Image name="technique_id=T1059.003,technique_name=Windows Command Shell" condition="image">cmd.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">bash.exe</Image> | |
</Rule> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">Mavinject.exe</Image> | |
<Image name="technique_id=T1053,technique_name=Scheduled Task" condition="image">at.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">certutil.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Script Proxy Execution" condition="image">cscript.exe</Image> | |
<Image condition="image">java.exe</Image> | |
<Image name="technique_id=T1218.005,technique_name=Mshta" condition="image">mshta.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">msiexec.exe</Image> | |
<Image name="technique_id=T1069,technique_name=Permission Groups Discovery" condition="image">net.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">notepad.exe</Image> | |
<Image name="technique_id=T1012,technique_name=Query Registry" condition="image">reg.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Regsvr32" condition="image">regsvr32.exe</Image> | |
<Image name="technique_id=T1218.011,technique_name=Rundll32" condition="image">rundll32.exe</Image> | |
<Image name="technique_id=T1543.003,technique_name=Windows Service" condition="image">sc.exe</Image> | |
<Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="image">wmic.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Script Proxy Execution" condition="image">wscript.exe</Image> | |
<Image condition="image">driverquery.exe</Image> | |
<Image name="technique_id=T1069,technique_name=Permission Groups Discovery" condition="image">dsquery.exe</Image> | |
<Image name="technique_id=T1069,technique_name=Permission Groups Discovery" condition="image">AdFind.exe</Image> | |
<Image condition="image">hh.exe</Image> | |
<Image condition="image">infDefaultInstall.exe</Image> | |
<Image condition="image">javaw.exe</Image> | |
<Image condition="image">javaws.exe</Image> | |
<Image name="technique_id=T1543.003,technique_name=Windows Service" condition="image">mmc.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">msbuild.exe</Image> | |
<Image name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="image">nbtstat.exe</Image> | |
<Image name="technique_id=T1018,technique_name=Remote System Discovery" condition="image">nslookup.exe</Image> | |
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">qprocess.exe</Image> | |
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">qwinsta.exe</Image> | |
<Image name="technique_id=T1218.009,technique_name=Regsvcs/Regasm" condition="image">regsvcs.exe</Image> | |
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">rwinsta.exe</Image> | |
<Image name="technique_id=T1053,technique_name=Scheduled Task/Job" condition="image">schtasks.exe</Image> | |
<Image name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="image">taskkill.exe</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">replace.exe</Image> | |
<!-- Proxy, SSH/Telnet and SMTP ports: any process, any destination. Expect legitimate hits from mail and -->
<!-- proxy clients; tune by image in the exclude group below rather than by dropping the port. -->
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">1080</DestinationPort> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">3128</DestinationPort> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">8080</DestinationPort> | |
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">22</DestinationPort> | |
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">23</DestinationPort> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">25</DestinationPort> | |
<!-- Kerberos (88) from any process other than lsass.exe: on a domain member only lsass should talk to -->
<!-- the KDC, so a hit here is a high-signal event. The matching lsass.exe/88 pair is excluded below. -->
<Rule groupRelation="and"> | |
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">88</DestinationPort> | |
<Image condition="is not">C:\Windows\System32\lsass.exe</Image> | |
</Rule> | |
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">3389</DestinationPort> | |
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">5800</DestinationPort> | |
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">5900</DestinationPort> | |
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">5985</DestinationPort> | |
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">5986</DestinationPort> | |
<DestinationPort name="technique_id=T1087.002,technique_name=Account Discovery: Domain Account" condition="is">9389</DestinationPort> | |
<Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">psexec.exe</Image> | |
<Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">psexesvc.exe</Image> | |
<!-- Sockets whose SOURCE port is an SMB/LDAP service port but whose owner is not lsass, dsamain or the -->
<!-- System process (PID 4), i.e. something else is answering on those ports. Matching is case-insensitive, -->
<!-- so the lower-case "c:" on dsamain.exe is fine. NOTE(review): 8492 is not a well-known AD port; confirm -->
<!-- it is intended and not a typo for another LDAP/GC port. -->
<Rule groupRelation="and"> | |
<SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort> | |
<Image condition="is not">C:\Windows\System32\lsass.exe</Image> | |
<Image condition="is not">c:\Windows\System32\dsamain.exe</Image> | |
<ProcessId condition="is not">4</ProcessId> | |
</Rule> | |
<!-- Connections from binaries running out of user-writable or otherwise unusual locations. The first four -->
<!-- prefixes have no trailing backslash, so "C:\Users" also matches e.g. "C:\UsersData\...", and the -->
<!-- "\AppData\Local\" entry already covers "\AppData\Local\Temp\". The SysWOW64 entry matches every -->
<!-- legitimate 32-bit system binary and will dominate the volume of this rule. -->
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\ProgramData</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Temp</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Temp</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\PerfLogs\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\$Recycle.bin\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Intel\Logs\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Default\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Public\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\NetworkService\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Fonts\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Debug\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Media\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Help\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\addins\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\repair\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\security\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\system32\config\systemprofile\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\htdocs\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\wwwroot\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\AppData\Local\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\AppData\Local\Temp\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\AppData\Roaming\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\AppData\LocalLow\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">C:\Windows\SysWOW64</Image> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">SyncAppvPublishingServer.exe</Image> | |
<Image condition="image">tor.exe</Image> | |
<!-- VPN tunnel ports (1723 PPTP, 4500 IPsec NAT-T) and the Tor defaults (9001 OR port, 9030 directory). -->
<!-- 5985/5986 are already matched by the T1021 entries above, so these two WinRM tags are never reported. -->
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">1723</DestinationPort> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">4500</DestinationPort> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">9001</DestinationPort> | |
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">9030</DestinationPort> | |
<DestinationPort name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">5985</DestinationPort> | |
<DestinationPort name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">5986</DestinationPort> | |
</NetworkConnect> | |
</RuleGroup> | |
<!-- Event ID 3 == Network Connection - Excludes --> | |
<!-- Event ID 3 (NetworkConnect) exclude list. An exclude wins over any include, so every entry here is a -->
<!-- blind spot by design; keep it as narrow as the product allows. Entries keyed only on a file name -->
<!-- ("image", or "end with" without a directory: winlogbeat.exe, packetbeat.exe, OneDrive.exe, -->
<!-- OneDriveStandaloneUpdater.exe) exclude any binary carrying that name wherever it runs from, whereas -->
<!-- the full-path "is" entries (ESET, Palo Alto, Sophos, Trend Micro) only cover the installed copy. -->
<!-- Prefer the full-path form where the install location is fixed. -->
<RuleGroup groupRelation="or"> | |
<NetworkConnect onmatch="exclude"> | |
<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> | |
<Image condition="end with">winlogbeat.exe</Image> | |
<Image condition="end with">packetbeat.exe</Image> | |
<Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image> | |
<!-- Counterpart of the "port 88 from anything but lsass" include: normal Kerberos traffic is dropped. -->
<Rule groupRelation="and"> | |
<Image condition="is">C:\Windows\System32\lsass.exe</Image> | |
<DestinationPort condition="is">88</DestinationPort> | |
</Rule> | |
<Image condition="image">OneDrive.exe</Image> | |
<Image condition="image">OneDriveStandaloneUpdater.exe</Image> | |
<Image condition="end with">ownCloud\owncloud.exe</Image> | |
<Image condition="is">C:\Program Files\Palo Alto Networks\Traps\cyserver.exe</Image> | |
<!-- UDP/3389 is dropped for every process; the TCP/3389 include above is unaffected. -->
<Rule groupRelation="and"> | |
<Protocol condition="is">udp</Protocol> | |
<DestinationPort condition="is">3389</DestinationPort> | |
</Rule> | |
<!-- The swi_service.exe entry appears twice; the second copy is redundant. -->
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image> | |
<Image condition="is">C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe</Image> | |
<Image condition="end with">AppData\Roaming\Spotify\Spotify.exe</Image> | |
<Image condition="end with">AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-ui.exe</Image> | |
<Image condition="end with">AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe</Image> | |
<Image condition="is">C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe</Image> | |
<!-- Windows Update endpoints. DestinationHostname is whatever name Sysmon resolves for the peer address -->
<!-- at event time, not an authenticated identity, and "end with" on a bare host name (go.microsoft.com, -->
<!-- download.microsoft.com) also matches longer labels ending in that string. -->
<DestinationHostname condition="end with">.windowsupdate.microsoft.com</DestinationHostname> | |
<DestinationHostname condition="end with">.windowsupdate.com</DestinationHostname> | |
<DestinationHostname condition="end with">wustat.windows.com</DestinationHostname> | |
<DestinationHostname condition="end with">go.microsoft.com</DestinationHostname> | |
<DestinationHostname condition="end with">.update.microsoft.com</DestinationHostname> | |
<DestinationHostname condition="end with">download.microsoft.com</DestinationHostname> | |
<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> | |
<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> | |
</NetworkConnect> | |
</RuleGroup> | |
<!-- Event ID 5 == Process Terminated - Includes --> | |
<!-- Event ID 5 (ProcessTerminate): only log the exit of processes that ran from user-writable locations, -->
<!-- so the lifetime of a suspicious binary can be bounded. The prefixes have no trailing backslash, so -->
<!-- "C:\Users" also matches any top-level directory whose name merely starts with "Users". -->
<!-- C:\ProgramData is treated as a masquerading location in the NetworkConnect includes but is not listed -->
<!-- here; add it if the two lists are meant to agree. -->
<RuleGroup groupRelation="or"> | |
<ProcessTerminate onmatch="include"> | |
<Image condition="begin with">C:\Users</Image> | |
<Image condition="begin with">C:\Temp</Image> | |
<Image condition="begin with">C:\Windows\Temp</Image> | |
</ProcessTerminate> | |
</RuleGroup> | |
<!-- Event ID 6 == Driver Loaded - Excludes --> | |
<RuleGroup groupRelation="or"> | |
<!-- Event ID 6 (DriverLoad) exclude list: every driver load is logged unless it carries a Valid signature -->
<!-- from "Intel " (note the trailing space, which requires the signer name to continue after "Intel") or -->
<!-- from any signer whose name contains "Microsoft". Two caveats when tuning: -->
<!-- 1. "contains Microsoft" also matches third-party drivers whose Signature field names a Microsoft -->
<!--    attestation/WHQL publisher rather than Microsoft itself, so those drivers are excluded as well; -->
<!--    an exact "begin with" on the Microsoft signer strings observed in the environment narrows this. -->
<!-- 2. SignatureStatus=Valid reflects chain validity only; with certificate revocation checking disabled -->
<!--    elsewhere in this configuration, a driver signed with a since-revoked certificate still satisfies -->
<!--    this exclusion. -->
<DriverLoad onmatch="exclude"> | |
<Rule groupRelation="and"> | |
<Signature condition="begin with">Intel </Signature> | |
<SignatureStatus condition="is">Valid</SignatureStatus> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Signature condition="contains">Microsoft</Signature> | |
<SignatureStatus condition="is">Valid</SignatureStatus> | |
</Rule> | |
</DriverLoad> | |
</RuleGroup> | |
<!-- Event ID 7 == Image Loaded - Includes --> | |
<RuleGroup groupRelation="or"> | |
<ImageLoad onmatch="include"> | |
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="is">amsi.dll</OriginalFileName> | |
<Image condition="excludes any">powershell.exe;powershell_ise.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image name="technique_id=T1037.005,technique_name=Boot or Logon Initialization Scripts - Startup Items" condition="end with">bginfo.exe</Image> | |
<ImageLoaded condition="contains any">System.ni.dll;System.Core.ni.dll</ImageLoaded> | |
</Rule> | |
<ImageLoaded name="technique_id=T1197,technique_name=BITS" condition="end with">bitsproxy.dll</ImageLoaded> | |
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">clr.dll</OriginalFileName> | |
<Image condition="excludes">C:\Windows\Microsoft.NET\</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">clrjit.dll</OriginalFileName> | |
<Image condition="excludes">C:\Windows\Microsoft.NET\</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">mscoreei.dll</OriginalFileName> | |
<Image condition="excludes">C:\Windows\Microsoft.NET\</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">mscoree.dll</OriginalFileName> | |
<Image condition="excludes">C:\Windows\Microsoft.NET\</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">mscoreeis.dll</OriginalFileName> | |
<Image condition="excludes">C:\Windows\Microsoft.NET\</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">mscorlib.dll</OriginalFileName> | |
<Image condition="excludes">C:\Windows\Microsoft.NET\</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">mscorlib.ni.dll</OriginalFileName> | |
<Image condition="excludes">C:\Windows\Microsoft.NET\</Image> | |
</Rule> | |
<ImageLoaded name="technique_id=T1047,technique_name=Windows Scheduled Tasks" condition="end with">mstask.dll</ImageLoaded> | |
<ImageLoaded name="technique_id=T1059,technique_name=Command and Scripting Interpreter" condition="end with">wshom.ocx</ImageLoaded> | |
<OriginalFileName condition="is">scrrun.dll</OriginalFileName> | |
<OriginalFileName condition="is">vbscript.dll</OriginalFileName> | |
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1218.005,technique_name=MSHTA with AMSI Bypass" condition="is">jscript.dll</OriginalFileName> | |
<Image condition="end with">mshta.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1218.005,technique_name=MSHTA with AMSI Bypass" condition="is">jscript9.dll</OriginalFileName> | |
<Image condition="end with">mshta.exe</Image> | |
</Rule> | |
<ImageLoaded name="technique_id=T1137,technique_name=Office Application Startup" condition="end with">.wll</ImageLoaded> | |
<ImageLoaded name="technique_id=T1137,technique_name=Office Application Startup" condition="end with">.xll</ImageLoaded> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<OriginalFileName name="technique_id=T1559.001,technique_name=Component Object Model" condition="is">combase.dll</OriginalFileName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<OriginalFileName name="technique_id=T1559.001,technique_name=Component Object Model" condition="is">coml2.dll</OriginalFileName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<OriginalFileName name="technique_id=T1559.001,technique_name=Component Object Model" condition="is">comsvcs.dll</OriginalFileName> | |
</Rule> | |
<Rule groupRelation="and" name="technique_id=T1055,technique_name=Process Injection"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<ImageLoaded condition="begin with">C:\Windows\assembly\</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and" name="technique_id=T1055,technique_name=Process Injection"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<ImageLoaded condition="begin with">C:\Windows\Microsoft.NET\assembly\GAC_MSIL</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and" name="technique_id=T1055,technique_name=Process Injection"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<OriginalFileName condition="is">clr.dll</OriginalFileName> | |
</Rule> | |
<Rule groupRelation="and" name="technique_id=T1059.005,technique_name=Command and Scripting Interpreter VBScript"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<OriginalFileName condition="is">VBE7INTL.DLL</OriginalFileName> | |
</Rule> | |
<Rule groupRelation="and" name="technique_id=T1059.005,technique_name=Command and Scripting Interpreter VBScript"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<OriginalFileName condition="is">VBE7.DLL</OriginalFileName> | |
</Rule> | |
<Rule groupRelation="and" name="technique_id=T1059.005,technique_name=Command and Scripting Interpreter VBScript"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<OriginalFileName condition="is">VBEUI.DLL</OriginalFileName> | |
</Rule> | |
<Rule groupRelation="and" name="technique_id=T1137.001,technique_name=Office Application Startup - Office Template Macros"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<OriginalFileName condition="is">OUTLVBA.DLL</OriginalFileName> | |
</Rule> | |
<Image name="technique_id=T1137,technique_name=Office Application Startup" condition="end with">VSTOInstaller.exe</Image> | |
<Rule groupRelation="and"> | |
<Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="contains all">C:\Program Files;\Microsoft Office\root\Office</Image> | |
<ImageLoaded condition="is">C:\Windows\SysWOW64\wbem\wbemdisp.dll</ImageLoaded> | |
</Rule> | |
<ImageLoaded name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">system.management.automation.ni.dll</ImageLoaded> | |
<ImageLoaded name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">system.management.automation.dll</ImageLoaded> | |
<ImageLoaded name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">Microsoft.PowerShell.Commands.Diagnostics.dll</ImageLoaded> | |
<ImageLoaded name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">Microsoft.PowerShell.Commands.Management.dll</ImageLoaded> | |
<ImageLoaded name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">Microsoft.PowerShell.Commands.Utility.dll</ImageLoaded> | |
<ImageLoaded name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">Microsoft.PowerShell.ConsoleHost.dll</ImageLoaded> | |
<ImageLoaded name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">Microsoft.PowerShell.Security.dll</ImageLoaded> | |
<ImageLoaded name="technique_id=T1210,technique_name=Exploitation of Remote Services" condition="begin with">C:\Windows\System32\spool\drivers\</ImageLoaded> | |
<OriginalFileName name="technique_id=T1112,technique_name=Modify Registry" condition="is">regsvc.dll</OriginalFileName> | |
<Rule groupRelation="and"> | |
<Image condition="end with">rundll32.exe</Image> | |
<OriginalFileName name="technique_id=T1003.004,technique_name=LSASS Memory" condition="is">comsvcs.dll</OriginalFileName> | |
</Rule> | |
<OriginalFileName name="technique_id=T1053,technique_name=Scheduled Task" condition="is">taskschd.dll</OriginalFileName> | |
<ImageLoaded name="technique_id=T1218.010,technique_name=Regsvr32" condition="end with">scrobj.dll</ImageLoaded> | |
<OriginalFileName name="technique_id=T1218.010,technique_name=Regsvr32" condition="is">scrobj.dll</OriginalFileName> | |
<ImageLoaded name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="contains any">admin$;c$;\\;\appdata\;\temp\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">c:\programdata\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\Media\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\addins\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\system32\config\systemprofile\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\Debug\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\Temp</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\PerfLogs\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\Help\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Intel\Logs\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Temp</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\repair\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\security\</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\Fonts\</ImageLoaded> | |
<ImageLoaded condition="contains" name="technique_id=T1574.002,technique_name=DLL Side-Loading">Downloads</ImageLoaded> | |
<ImageLoaded condition="contains" name="technique_id=T1574.002,technique_name=DLL Side-Loading">Public</ImageLoaded> | |
<ImageLoaded condition="contains" name="technique_id=T1574.002,technique_name=DLL Side-Loading">Documents</ImageLoaded> | |
<ImageLoaded condition="contains" name="technique_id=T1574.002,technique_name=DLL Side-Loading">Music</ImageLoaded> | |
<ImageLoaded condition="contains" name="technique_id=T1574.002,technique_name=DLL Side-Loading">Video</ImageLoaded> | |
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">file:</ImageLoaded> | |
<ImageLoaded name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="contains">$Recycle.bin\</ImageLoaded> | |
<ImageLoaded name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="contains">\Windows\IME\</ImageLoaded> | |
<!-- NOTE(review): single-condition rule with no technique tag: every process that loads urlmon.dll
     produces an Event ID 7. Pair it with an Image condition if the volume is a problem. -->
<Rule groupRelation="and"> | |
<OriginalFileName condition="is">urlmon.dll</OriginalFileName> | |
</Rule> | |
<ImageLoaded name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="end with">wmiutils.dll</ImageLoaded> | |
</ImageLoad> | |
</RuleGroup> | |
<!-- Event ID 7 == Image Loaded - Excludes --> | |
<RuleGroup groupRelation="or"> | |
<ImageLoad onmatch="exclude"> | |
<!-- Exclusions for Event ID 7. Top-level filters are OR'd; the children of a Rule are AND'd. -->
<Rule groupRelation="and"> | |
<Image condition="is">C:\Windows\System32\cscript.exe</Image> | |
<OriginalFileName condition="is">scrobj.dll</OriginalFileName> | |
</Rule> | |
<!-- NOTE(review): Image carries the full path, so an exact "is" match on the bare file name never
     succeeds and this exclusion is never applied: every powershell.exe image load that hits an include
     is logged. A full path (as in the cscript rule above) would make it effective, but it would also
     hide the non-CLR loads of that host; left unchanged so current visibility is not reduced silently. -->
<Rule groupRelation="and"> | |
<Image condition="is">powershell.exe</Image> | |
<OriginalFileName condition="excludes all">mscoree.dll;mscoreei.dll;mscoreeis.dll;clr.dll;clrjit.dll</OriginalFileName> | |
</Rule> | |
<!-- VSTOInstaller.exe loading modules from the Windows directory only. -->
<Rule groupRelation="and"> | |
<Image name="technique_id=T1137,technique_name=Office Application Startup" condition="end with">VSTOInstaller.exe</Image> | |
<ImageLoaded condition="begin with">C:\Windows\</ImageLoaded> | |
</Rule> | |
<!-- OneDrive FileCoAuth.exe loading its own modules from the user profile.
     NOTE(review): each Image value in these rules starts with a space before C:\Users\; confirm
     that Sysmon trims rule values, otherwise these "contains all" rules never match. -->
<Rule groupRelation="and"> | |
<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image> | |
<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileSyncTelemetryExtensions.dll</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image> | |
<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuthLib.dll</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image> | |
<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\OneDriveTelemetryStable.dll</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image> | |
<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\vcruntime140.dll</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image> | |
<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\UpdateRingSettings.dll</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image> | |
<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\LoggingPlatform.dll</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image> | |
<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded> | |
</Rule> | |
<!-- svchost.exe loading a few System32 DLLs; pinned to full paths on both sides. -->
<Rule groupRelation="and"> | |
<Image condition="is">C:\Windows\System32\svchost.exe</Image> | |
<ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="is">C:\Windows\System32\svchost.exe</Image> | |
<ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="is">C:\Windows\System32\svchost.exe</Image> | |
<ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="is">C:\Windows\System32\svchost.exe</Image> | |
<ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded> | |
</Rule> | |
</ImageLoad> | |
</RuleGroup> | |
<!-- Event ID 8 == CreateRemoteThread - Excludes --> | |
<RuleGroup groupRelation="or"> | |
<!--Default to log all and exclude a few common processes--> | |
<CreateRemoteThread onmatch="exclude"> | |
<!-- Source-only exclusions: a remote thread created by one of these system processes is dropped
     whatever the target process is. -->
<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage> | |
<SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage> | |
<SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage> | |
<SourceImage condition="is">C:\Windows\System32\services.exe</SourceImage> | |
<SourceImage condition="is">C:\Windows\System32\winlogon.exe</SourceImage> | |
<SourceImage condition="is">C:\Windows\System32\audiodg.exe</SourceImage> | |
<!-- dwm.exe into csrss.exe only; both sides pinned to full paths. -->
<Rule groupRelation="and"> | |
<SourceImage condition="is">C:\Windows\System32\dwm.exe</SourceImage> | |
<TargetImage condition="is">C:\Windows\System32\csrss.exe</TargetImage> | |
</Rule> | |
<!-- NOTE(review): target-only exclusion. A remote thread created in chrome.exe by ANY source process
     is dropped, which is a blind spot for injection into the browser. Pairing it with a SourceImage
     condition (as the dwm.exe rule above does) keeps the noise reduction without the blind spot. -->
<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage> | |
<SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage> | |
</CreateRemoteThread> | |
</RuleGroup> | |
<!-- Event ID 9 == RawAccessRead - Includes --> | |
<RuleGroup groupRelation="or"> | |
<!-- NOTE(review): an include section with no filters logs nothing, so Event ID 9 is effectively off.
     Raw volume reads go around the file system and are therefore not seen by Wazuh FIM either;
     consider logging them with an exclusion list for known backup or imaging tools instead. -->
<RawAccessRead onmatch="include" /> | |
</RuleGroup> | |
<!-- Event ID 10 == ProcessAccess - Includes --> | |
<RuleGroup groupRelation="or"> | |
<ProcessAccess onmatch="include"> | |
<!-- Event ID 10 includes. Top-level filters are OR'd; the children of a Rule are AND'd.
     GrantedAccess elements without a condition attribute use the default exact match. -->
<CallTrace name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">dbghelp.dll</CallTrace> | |
<CallTrace name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">dbgcore.dll</CallTrace> | |
<!-- Any access to a target whose path contains "Desktop", with no source or access-mask restriction;
     expect volume on interactive hosts. -->
<TargetImage condition="contains">Desktop</TargetImage> | |
<!-- Full-access handles to core system processes. -->
<Rule groupRelation="and"> | |
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\csrss.exe</TargetImage> | |
<GrantedAccess>0x1F1FFF</GrantedAccess> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\wininit.exe</TargetImage> | |
<GrantedAccess>0x1F1FFF</GrantedAccess> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\winlogon.exe</TargetImage> | |
<GrantedAccess>0x1F1FFF</GrantedAccess> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\services.exe</TargetImage> | |
<GrantedAccess>0x1F1FFF</GrantedAccess> | |
</Rule> | |
<GrantedAccess name="technique_id=T1055.012,technique_name=Process Hollowing">0x21410</GrantedAccess> | |
<!-- lsass.exe opened with any of several access masks, by any source. -->
<Rule groupRelation="and"> | |
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> | |
<GrantedAccess>0x1FFFFF</GrantedAccess> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> | |
<GrantedAccess>0x1F1FFF</GrantedAccess> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> | |
<GrantedAccess>0x1010</GrantedAccess> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> | |
<GrantedAccess>0x143A</GrantedAccess> | |
</Rule> | |
<!-- The "image" condition matches on the file name, so this pair applies regardless of directory. -->
<Rule groupRelation="and"> | |
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="image">lsass.exe</TargetImage> | |
<SourceImage name="technique_id=T1003,technique_name=Credential Dumping" condition="image">wsmprovhost.exe</SourceImage> | |
</Rule> | |
<!-- Office binaries whose call stack passes through the shared VBA runtime. -->
<Rule groupRelation="and" name="technique_id=T1055,technique_name=Process Injection"> | |
<SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage> | |
<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace> | |
</Rule> | |
<!-- Call trace through ntdll and kernelbase into an UNKNOWN (module-less) region, combined with one of the listed masks. -->
<Rule groupRelation="and"> | |
<CallTrace name="technique_id=T1055.001,technique_name=Dynamic-link Library Injection" condition="contains all">C:\Windows\SYSTEM32\ntdll.dll;C:\Windows\System32\kernelbase.dll;UNKNOWN</CallTrace> | |
<GrantedAccess name="technique_id=T1055.001,technique_name=Dynamic-link Library Injection" condition="contains any">0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF;0x147A</GrantedAccess> | |
</Rule> | |
<!-- Both the zero-padded and the unpadded spelling of each mask are listed, presumably so the exact
     match covers either formatting of the value. -->
<GrantedAccess name="technique_id=T1055.012,technique_name=Process Hollowing">0x0800</GrantedAccess> | |
<GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping">0x0810</GrantedAccess> | |
<GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x0820</GrantedAccess> | |
<GrantedAccess name="technique_id=T1055.012,technique_name=Process Hollowing">0x800</GrantedAccess> | |
<GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping">0x810</GrantedAccess> | |
<GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x820</GrantedAccess> | |
<!-- Source processes running from directories a normal binary rarely executes from. -->
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\PerfLogs\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\$Recycle.bin\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Intel\Logs\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Default\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Public\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\NetworkService\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Fonts\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Debug\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Media\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Help\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\addins\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\repair\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\security\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\system32\config\systemprofile\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">VolumeShadowCopy</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\htdocs\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\wwwroot\</SourceImage> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Temp\</SourceImage> | |
<!-- Anything under \AppData\ except the Teams executable. -->
<Rule groupRelation="and"> | |
<SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\AppData\</SourceImage> | |
<SourceImage condition="not end with">\AppData\Local\Microsoft\Teams\current\Teams.exe</SourceImage> | |
</Rule> | |
<!-- PowerShell engine in the call stack of a process other than the System32 console host. -->
<Rule groupRelation="and"> | |
<CallTrace name="technique_id=T1059.001,technique_name=PowerShell" condition="contains">System.Management.Automation.ni.dll</CallTrace> | |
<SourceImage condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</SourceImage> | |
</Rule> | |
<!-- Call trace that does not start in ntdll, win32u or wow64win; presumably aimed at callers that
     enter the kernel without going through the usual system DLL entry points. -->
<Rule groupRelation="and"> | |
<CallTrace name="technique_id=T1055,technique_name=Process Injection" condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace> | |
<CallTrace name="technique_id=T1055,technique_name=Process Injection" condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace> | |
<CallTrace name="technique_id=T1055,technique_name=Process Injection" condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace> | |
</Rule> | |
</ProcessAccess> | |
</RuleGroup> | |
<!-- Event ID 10 == ProcessAccess - Excludes --> | |
<RuleGroup groupRelation="or"> | |
<ProcessAccess onmatch="exclude"> | |
<!-- Event ID 10 exclusions: noise from security agents, updaters and applications opening their own
     processes. Most entries are pinned to a full path, which limits what a renamed binary can hide behind. -->
<SourceImage condition="is">C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe</SourceImage> | |
<SourceImage condition="contains all">C:\Program Files;\Common Files\Adobe\AdobeGCClient\AGMService.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage> | |
<!-- Target-only exclusions: any source opening the Autodesk desktop app is dropped. -->
<TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage> | |
<TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage> | |
<Rule groupRelation="and"> | |
<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage> | |
<TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage> | |
</Rule> | |
<SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage> | |
<SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage> | |
<Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and"> | |
<SourceImage condition="image">software_reporter_tool.exe</SourceImage> | |
<TargetImage condition="image">software_reporter_tool.exe</TargetImage> | |
<GrantedAccess condition="is">0x1410</GrantedAccess> | |
</Rule> | |
<Rule name="Exclude Chrome SW Reporter into Chrome" groupRelation="and"> | |
<SourceImage condition="image">software_reporter_tool.exe</SourceImage> | |
<TargetImage condition="image">chrome.exe</TargetImage> | |
<GrantedAccess condition="is">0x1410</GrantedAccess> | |
</Rule> | |
<!-- This rule already covers the two more specific SW Reporter rules above. -->
<Rule name="Exclude Chrome SW Reporter Accessing Anything" groupRelation="and"> | |
<SourceImage condition="image">software_reporter_tool.exe</SourceImage> | |
<GrantedAccess condition="is">0x1410</GrantedAccess> | |
</Rule> | |
<SourceImage condition="contains all">C:\Program Files\Cisco\AMP\;sfc.exe</SourceImage> | |
<SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage> | |
<SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage> | |
<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage> | |
<SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage> | |
<SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\cpushld.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\Ivanti\Workspace Control\cpushld.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\RES Software\Workspace Manager\cpushld.exe</SourceImage> | |
<!-- NOTE(review): the path-less "end with" entries below match a binary of that name in ANY directory,
     so a copy dropped elsewhere and given one of these names is excluded too. Pinning them to full
     paths, as the entries above do, narrows the exclusion. -->
<SourceImage condition="end with">wmiprvse.exe</SourceImage> | |
<SourceImage condition="end with">GoogleUpdate.exe</SourceImage> | |
<SourceImage condition="end with">LTSVC.exe</SourceImage> | |
<SourceImage condition="end with">taskmgr.exe</SourceImage> | |
<SourceImage condition="end with">VBoxService.exe</SourceImage> | |
<SourceImage condition="end with">vmtoolsd.exe</SourceImage> | |
<SourceImage condition="end with">\Citrix\System32\wfshell.exe</SourceImage> | |
<SourceImage condition="is">C:\Windows\System32\lsm.exe</SourceImage> | |
<SourceImage condition="end with">Microsoft.Identity.AadConnect.Health.AadSync.Host.exe</SourceImage> | |
<SourceImage condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection</SourceImage> | |
<!-- NOTE(review): these four masks are excluded for every source and every target, lsass.exe included.
     They are query-style masks (no read or write of process memory), so the risk is low, but confirm
     this is intended before relying on the lsass.exe includes above. -->
<GrantedAccess>0x1000</GrantedAccess> | |
<GrantedAccess>0x1400</GrantedAccess> | |
<GrantedAccess>0x101400</GrantedAccess> | |
<GrantedAccess>0x101000</GrantedAccess> | |
<SourceImage condition="is">C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\McAfee\Agent\x86\macompatsvc.exe</SourceImage> | |
<SourceImage condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE</SourceImage> | |
<SourceImage condition="is">C:\Program Files\PowerToys\modules\KeyboardManager\KeyboardManagerEngine\PowerToys.KeyboardManagerEngine.exe</SourceImage> | |
<!-- Teams opening its own processes. -->
<Rule groupRelation="and"> | |
<SourceImage condition="contains all">C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe</SourceImage> | |
<TargetImage condition="contains all">C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe</TargetImage> | |
</Rule> | |
<SourceImage condition="is">C:\Program Files\Microsoft Security Client\MsMpEng.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage> | |
<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\Palo Alto Networks\Traps\cyserver.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\Qualys\QualysAgent\QualysAgent.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe</SourceImage> | |
<SourceImage condition="is">C:\WINDOWS\CCM\CcmExec.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\Splunk\bin\splunkd.exe</SourceImage> | |
<!-- VS Code opening its own processes with specific masks only. -->
<Rule groupRelation="and"> | |
<SourceImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</SourceImage> | |
<TargetImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</TargetImage> | |
<GrantedAccess condition="is">0x100000</GrantedAccess> | |
</Rule> | |
<Rule groupRelation="and"> | |
<SourceImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</SourceImage> | |
<TargetImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</TargetImage> | |
<GrantedAccess condition="is">0x1401</GrantedAccess> | |
</Rule> | |
<Rule groupRelation="and"> | |
<SourceImage condition="contains all">C:\Users\;\AppData\Local\Programs\Microsoft VS Code\Code.exe</SourceImage> | |
<TargetImage condition="contains all">C:\Users\;\AppData\Local\Programs\Microsoft VS Code\Code.exe</TargetImage> | |
<GrantedAccess condition="is">0x1401</GrantedAccess> | |
</Rule> | |
<SourceImage condition="is">C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe</SourceImage> | |
<SourceImage condition="is">C:\Program Files\WinZip\FAHWindow64.exe</SourceImage> | |
</ProcessAccess> | |
</RuleGroup> | |
<!-- Event ID 11 == FileCreate - Includes --> | |
<!-- File operations are covered by Wazuh FIM, so this section is left empty and logs nothing. --> | |
<RuleGroup groupRelation="or"> | |
<FileCreate onmatch="include" /> | |
</RuleGroup> | |
<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed - Includes --> | |
<!-- Registry operations are covered by Wazuh FIM as well, so this section is left empty and logs nothing. --> | |
<RuleGroup groupRelation="or"> | |
<RegistryEvent onmatch="include" /> | |
</RuleGroup> | |
<!-- Event ID 15 == FileStream Created - Includes --> | |
<RuleGroup groupRelation="or"> | |
<FileCreateStreamHash onmatch="include"> | |
<!-- Event ID 15: a named stream written to a file, e.g. the Zone.Identifier mark a browser attaches
     to a download. Entries are OR'd; the Rule below ANDs its two conditions. -->
<TargetFilename condition="contains">Temp\7z</TargetFilename> | |
<TargetFilename condition="end with">.bat</TargetFilename> | |
<TargetFilename condition="end with">.cmd</TargetFilename> | |
<TargetFilename condition="end with">Temp\debug.bin</TargetFilename> | |
<TargetFilename condition="end with">.dll</TargetFilename> | |
<TargetFilename condition="end with">.exe</TargetFilename> | |
<TargetFilename condition="end with">.hta</TargetFilename> | |
<!-- Zone.Identifier whose contents name a blob: or about:internet origin. -->
<Rule name="technique_id=T1189,technique_name=Drive-by Compromise" groupRelation="and"> | |
<TargetFilename condition="end with">:Zone.Identifier</TargetFilename> | |
<Contents condition="contains any">blob:;about:internet</Contents> | |
</Rule> | |
<TargetFilename condition="end with">.lnk</TargetFilename> | |
<TargetFilename condition="contains">Content.Outlook</TargetFilename> | |
<TargetFilename name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">.ps1</TargetFilename> | |
<TargetFilename name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">.ps2</TargetFilename> | |
<TargetFilename condition="end with">.reg</TargetFilename> | |
<TargetFilename condition="contains">Downloads</TargetFilename> | |
<TargetFilename condition="contains">AppData</TargetFilename> | |
<TargetFilename condition="contains">Temp</TargetFilename> | |
<TargetFilename condition="contains">ProgramData</TargetFilename> | |
<!-- "Users" already covers every path under C:\Users, so the Downloads, AppData and Temp entries
     above only add coverage outside the user profiles (e.g. C:\Windows\Temp). -->
<TargetFilename condition="contains">Users</TargetFilename> | |
<TargetFilename condition="end with">.vb</TargetFilename> | |
<TargetFilename condition="end with">.vbe</TargetFilename> | |
<TargetFilename condition="end with">.vbs</TargetFilename> | |
</FileCreateStreamHash> | |
</RuleGroup> | |
<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected - Includes --> | |
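<RuleGroup groupRelation="or"> | |
<!-- Event ID 17/18 includes. Top-level filters are OR'd; the children of a Rule are AND'd. -->
<PipeEvent onmatch="include"> | |
<!-- Intended to log every pipe creation (the backslash prefix matches any pipe name); pipe
     connections are only logged by the name-based entries that follow. -->
<Rule groupRelation="and"> | |
<PipeName condition="begin with">\</PipeName> | |
<EventType>CreatePipe</EventType> | |
</Rule> | |
<!-- Pipe names associated with lateral movement and post-exploitation tooling; see the technique tag on each entry. -->
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\atsvc</PipeName> | |
<Rule groupRelation="and"> | |
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\msse-</PipeName> | |
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="end with">-server</PipeName> | |
</Rule> | |
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\msagent_</PipeName> | |
<PipeName name="technique_id=T1055; Possible Cobalt Strike post-exploitation jobs." condition="begin with">\postex_</PipeName> | |
<PipeName name="technique_id=T1021.004,technique_name=Remote Services: SSH" condition="begin with">\postex_ssh_</PipeName> | |
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\status_</PipeName> | |
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\gruntsvc</PipeName> | |
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\svcctl</PipeName> | |
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\msf-pipe</PipeName> | |
<!-- \PSHost pipes from anything other than the System32 PowerShell console or ISE.
     The two original rules each negated a single bare file name and were OR'd, so the pair matched
     every \PSHost pipe: Image holds the full path (so "is not powershell.exe" was always true), and
     each rule accepted the host the other one tried to exclude. One AND rule with full paths keeps
     the exclusion narrow; a PowerShell host running from any other location is still logged. -->
<Rule groupRelation="and">
<PipeName name="technique_id=T1059.001,technique_name=PowerShell" condition="begin with">\PSHost</PipeName>
<Image condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
<Image condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe</Image>
</Rule>
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\PSEXESVC</PipeName> | |
<PipeName name="technique_id=T1049,technique_name=System Network Connections Discovery" condition="begin with">\srvsvc</PipeName> | |
<!-- Single-condition rule, equivalent to a bare PipeName entry. -->
<Rule groupRelation="and"> | |
<PipeName condition="begin with">\TSVCPIPE</PipeName> | |
</Rule> | |
<PipeName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="begin with">\winreg</PipeName> | |
</PipeEvent> | |
</RuleGroup> | |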
<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected - Excludes --> | |
<RuleGroup groupRelation="or"> | |
<PipeEvent onmatch="exclude"> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> | |
<PipeName condition="begin with">\32B6B37A-4A7D-4e00-95F2-</PipeName> | |
<PipeName condition="end with">thsnYaVieBoda</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> | |
<PipeName condition="begin with">\com.adobe.reader.rna.;\mojo</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Common Files\Adobe\AdobeGCClient\AGMService.exe</Image> | |
<PipeName condition="begin with">\gc_pipe_</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Common Files\Adobe\Creative Cloud Libraries\libs\node.exe</Image> | |
<PipeName condition="begin with">\uv\</PipeName> | |
</Rule> | |
<!-- NOTE(review): the value is wrapped in literal double quotes, but the Image field holds the bare path,
     so this exclusion never matches and MonitoringHost.exe pipe events are still logged. Removing the
     quotes makes the exclusion effective (and reduces visibility of that agent accordingly). -->
<Image condition="is">"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe"</Image> | |
<Rule groupRelation="and"> | |
<Image condition="contains all"> C:\Users\;\AppData\Local\Programs\Call Manager\Call Manager.exe</Image> | |
<PipeName condition="begin with">\crashpad_;\mojo.;\uv\</PipeName> | |
</Rule> | |
<Image condition="contains all">C:\Program Files;\Citrix\ICA Client\SelfServicePlugin\SelfService.exe</Image> | |
<Image condition="contains all">C:\Program Files;\Citrix\ICA Client\Receiver\Receiver.exe</Image> | |
<Image condition="contains all">C:\Program Files;\Citrix\ICA Client\wfcrun32.exe</Image> | |
<Image condition="contains all">C:\Program Files;\Citrix\ICA Client\concentr.exe</Image> | |
<Image condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</Image> | |
<Image condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\SelfServicePlugin\SelfService.exe</Image> | |
<Image condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</Image> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Google\Update\Install\;setup.exe</Image> | |
<PipeName condition="begin with">\crashpad_</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Google\Chrome\Application\chrome.exe</Image> | |
<PipeName condition="begin with">\mojo.</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Google\Chrome\Application\;\Installer\chrmstp.exe</Image> | |
<PipeName condition="begin with">\crashpad_</PipeName> | |
</Rule> | |
<PipeName condition="begin with">\Vivisimo Velocity</PipeName> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Microsoft\Edge\Application\msedge.exe</Image> | |
<PipeName condition="begin with">\LOCAL\mojo.</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Microsoft\Edge\Application\msedge.exe</Image> | |
<PipeName condition="begin with">\LOCAL\chrome.sync.</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Microsoft\Edge\Application\msedge.exe</Image> | |
<PipeName condition="begin with">\LOCAL\crashpad_</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office16\OUTLOOK.EXE</Image> | |
<PipeName condition="is">\MsFteWds</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe</Image> | |
<PipeName condition="begin with">\mojo.</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe</Image> | |
<PipeName condition="begin with">\chrome.sync.</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Mozilla Firefox\firefox.exe</Image> | |
<PipeName condition="begin with">\cubeb-pipe-</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Mozilla Firefox\firefox.exe</Image> | |
<PipeName condition="begin with">\chrome.</PipeName> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="contains all">C:\Program Files;\Mozilla Firefox\firefox.exe</Image> | |
<PipeName condition="begin with">\gecko-crash-server-pipe.</PipeName> | |
</Rule> | |
<PipeName condition="is">\SQLLocal\MSSQLSERVER</PipeName> | |
<PipeName condition="is">\SQLLocal\INSTANCE01</PipeName> | |
<PipeName condition="is">\SQLLocal\SQLEXPRESS</PipeName> | |
<PipeName condition="is">\SQLLocal\COMMVAULT</PipeName> | |
<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName> | |
<PipeName condition="is">\SQLLocal\RTC</PipeName> | |
<PipeName condition="is">\SQLLocal\TMSM</PipeName> | |
<Image condition="is">Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe</Image> | |
<Image condition="end with">PostgreSQL\9.6\bin\postgres.exe</Image> | |
<PipeName condition="contains">\pgsignal_</PipeName> | |
<Image condition="is">Program Files\Qlik\Sense\Engine\Engine.exe</Image> | |
<Image condition="contains all">C:\Program Files;\Qualys\QualysAgent\QualysAgent.exe</Image> | |
<Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Image> | |
<Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunk.exe</Image> | |
<Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Image> | |
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe</Image> | |
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe</Image> | |
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe</Image> | |
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe</Image> | |
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe</Image> | |
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe</Image> | |
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe</Image> | |
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe</Image> | |
<Image condition="end with">Program Files\Trend\SPROTECT\x64\tsc.exe</Image> | |
<Image condition="end with">Program Files\Trend\SPROTECT\x64\tsc64.exe</Image> | |
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe</Image> | |
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe</Image> | |
<PipeName condition="is">\Trend Micro OSCE Command Handler Manager</PipeName> | |
<PipeName condition="is">\Trend Micro OSCE Command Handler2 Manager</PipeName> | |
<PipeName condition="is">\Trend Micro Endpoint Encryption ToolBox Command Handler Manager</PipeName> | |
<PipeName condition="is">\OfcServerNamePipe</PipeName> | |
<PipeName condition="is">\ntapvsrq</PipeName> | |
<PipeName condition="is">\srvsvc</PipeName> | |
<PipeName condition="is">\wkssvc</PipeName> | |
<PipeName condition="is">\lsass</PipeName> | |
<PipeName condition="is">\winreg</PipeName> | |
<PipeName condition="is">\spoolss</PipeName> | |
<PipeName condition="contains">Anonymous Pipe</PipeName> | |
<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image> | |
</PipeEvent> | |
</RuleGroup> | |
<!-- Event ID 19, 20, 21 == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity - Includes --> | |
<RuleGroup groupRelation="or"> | |
<WmiEvent onmatch="include"> | |
<!-- Every WMI filter, consumer and binding creation (Operation = Created) is logged. The WmiEvent exclude group
     further down in this file is empty, so nothing is filtered out. Other Operation values are not included here. -->
<Operation name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">Created</Operation> | |
</WmiEvent> | |
</RuleGroup> | |
<!-- Event ID 22 == DNS Queries and their results Excludes --> | |
<RuleGroup groupRelation="or"> | |
<!--Default to log all and exclude a few common processes--> | |
<DnsQuery onmatch="exclude"> | |
<!-- Advertising, analytics and CDN suffixes. Filtering is by QueryName only, so these names are suppressed for every
     process on the host, not just browsers. -->
<QueryName condition="end with">.1rx.io</QueryName> | |
<QueryName condition="end with">.2mdn.net</QueryName> | |
<QueryName condition="end with">.adadvisor.net</QueryName> | |
<QueryName condition="end with">.adap.tv</QueryName> | |
<QueryName condition="end with">.addthis.com</QueryName> | |
<QueryName condition="end with">.adform.net</QueryName> | |
<QueryName condition="end with">.adnxs.com</QueryName> | |
<QueryName condition="end with">.adroll.com</QueryName> | |
<QueryName condition="end with">.adrta.com</QueryName> | |
<QueryName condition="end with">.adsafeprotected.com</QueryName> | |
<QueryName condition="end with">.adsrvr.org</QueryName> | |
<QueryName condition="end with">.advertising.com</QueryName> | |
<QueryName condition="end with">.amazon-adsystem.com</QueryName> | |
<!-- (duplicate of the entry above; harmless) -->
<QueryName condition="end with">.amazon-adsystem.com</QueryName> | |
<QueryName condition="end with">.analytics.yahoo.com</QueryName> | |
<QueryName condition="end with">.aol.com</QueryName> | |
<QueryName condition="end with">.betrad.com</QueryName> | |
<QueryName condition="end with">.bidswitch.net</QueryName> | |
<QueryName condition="end with">.casalemedia.com</QueryName> | |
<QueryName condition="end with">.chartbeat.net</QueryName> | |
<QueryName condition="end with">.cnn.com</QueryName> | |
<QueryName condition="end with">.convertro.com</QueryName> | |
<QueryName condition="end with">.criteo.com</QueryName> | |
<QueryName condition="end with">.criteo.net</QueryName> | |
<QueryName condition="end with">.crwdcntrl.net</QueryName> | |
<QueryName condition="end with">.demdex.net</QueryName> | |
<QueryName condition="end with">.domdex.com</QueryName> | |
<QueryName condition="end with">.dotomi.com</QueryName> | |
<QueryName condition="end with">.doubleclick.net</QueryName> | |
<QueryName condition="end with">.doubleverify.com</QueryName> | |
<QueryName condition="end with">.emxdgt.com</QueryName> | |
<QueryName condition="end with">.exelator.com</QueryName> | |
<QueryName condition="end with">.google-analytics.com</QueryName> | |
<QueryName condition="end with">.googleadservices.com</QueryName> | |
<QueryName condition="end with">.googlesyndication.com</QueryName> | |
<QueryName condition="end with">.googletagmanager.com</QueryName> | |
<QueryName condition="end with">.googlevideo.com</QueryName> | |
<QueryName condition="end with">.gstatic.com</QueryName> | |
<QueryName condition="end with">.gvt1.com</QueryName> | |
<QueryName condition="end with">.gvt2.com</QueryName> | |
<QueryName condition="end with">.ib-ibi.com</QueryName> | |
<QueryName condition="end with">.jivox.com</QueryName> | |
<QueryName condition="end with">.mathtag.com</QueryName> | |
<QueryName condition="end with">.moatads.com</QueryName> | |
<QueryName condition="end with">.moatpixel.com</QueryName> | |
<QueryName condition="end with">.mookie1.com</QueryName> | |
<QueryName condition="end with">.myvisualiq.net</QueryName> | |
<QueryName condition="end with">.netmng.com</QueryName> | |
<QueryName condition="end with">.nexac.com</QueryName> | |
<QueryName condition="end with">.openx.net</QueryName> | |
<QueryName condition="end with">.optimizely.com</QueryName> | |
<QueryName condition="end with">.outbrain.com</QueryName> | |
<QueryName condition="end with">.pardot.com</QueryName> | |
<QueryName condition="end with">.phx.gbl</QueryName> | |
<QueryName condition="end with">.pinterest.com</QueryName> | |
<QueryName condition="end with">.pubmatic.com</QueryName> | |
<QueryName condition="end with">.quantcount.com</QueryName> | |
<QueryName condition="end with">.quantserve.com</QueryName> | |
<QueryName condition="end with">.revsci.net</QueryName> | |
<QueryName condition="end with">.rfihub.net</QueryName> | |
<QueryName condition="end with">.rlcdn.com</QueryName> | |
<QueryName condition="end with">.rubiconproject.com</QueryName> | |
<QueryName condition="end with">.scdn.co</QueryName> | |
<QueryName condition="end with">.scorecardresearch.com</QueryName> | |
<QueryName condition="end with">.serving-sys.com</QueryName> | |
<QueryName condition="end with">.sharethrough.com</QueryName> | |
<QueryName condition="end with">.simpli.fi</QueryName> | |
<QueryName condition="end with">.sitescout.com</QueryName> | |
<QueryName condition="end with">.smartadserver.com</QueryName> | |
<QueryName condition="end with">.snapads.com</QueryName> | |
<QueryName condition="end with">.spotxchange.com</QueryName> | |
<QueryName condition="end with">.taboola.com</QueryName> | |
<QueryName condition="end with">.taboola.map.fastly.net</QueryName> | |
<QueryName condition="end with">.tapad.com</QueryName> | |
<QueryName condition="end with">.tidaltv.com</QueryName> | |
<!-- NOTE(review): .trafficmanager.net (here) and .akadns.net (below) are shared infrastructure zones rather than
     single-service names; suffix-excluding them hides every host under them. Keep only if the volume justifies it. -->
<QueryName condition="end with">.trafficmanager.net</QueryName> | |
<QueryName condition="end with">.tremorhub.com</QueryName> | |
<QueryName condition="end with">.tribalfusion.com</QueryName> | |
<QueryName condition="end with">.turn.com</QueryName> | |
<QueryName condition="end with">.twimg.com</QueryName> | |
<QueryName condition="end with">.tynt.com</QueryName> | |
<QueryName condition="end with">.w55c.net</QueryName> | |
<QueryName condition="end with">.ytimg.com</QueryName> | |
<QueryName condition="end with">.zorosrv.com</QueryName> | |
<QueryName condition="is">1rx.io</QueryName> | |
<QueryName condition="is">adservice.google.com</QueryName> | |
<QueryName condition="is">ampcid.google.com</QueryName> | |
<QueryName condition="is">clientservices.googleapis.com</QueryName> | |
<QueryName condition="is">googleadapis.l.google.com</QueryName> | |
<QueryName condition="is">imasdk.googleapis.com</QueryName> | |
<QueryName condition="is">l.google.com</QueryName> | |
<QueryName condition="is">ml314.com</QueryName> | |
<QueryName condition="is">mtalk.google.com</QueryName> | |
<QueryName condition="is">update.googleapis.com</QueryName> | |
<QueryName condition="is">www.googletagservices.com</QueryName> | |
<QueryName condition="end with">.mozaws.net</QueryName> | |
<QueryName condition="end with">.mozilla.com</QueryName> | |
<QueryName condition="end with">.mozilla.net</QueryName> | |
<QueryName condition="end with">.mozilla.org</QueryName> | |
<QueryName condition="is">clients1.google.com</QueryName> | |
<QueryName condition="is">clients2.google.com</QueryName> | |
<QueryName condition="is">clients3.google.com</QueryName> | |
<QueryName condition="is">clients4.google.com</QueryName> | |
<QueryName condition="is">clients5.google.com</QueryName> | |
<QueryName condition="is">clients6.google.com</QueryName> | |
<QueryName condition="is">safebrowsing.googleapis.com</QueryName> | |
<QueryName condition="end with">.akadns.net</QueryName> | |
<QueryName condition="end with">.netflix.com</QueryName> | |
<QueryName condition="end with">.aspnetcdn.com</QueryName> | |
<QueryName condition="is">ajax.googleapis.com</QueryName> | |
<QueryName condition="is">cdnjs.cloudflare.com</QueryName> | |
<QueryName condition="is">fonts.googleapis.com</QueryName> | |
<QueryName condition="end with">.typekit.net</QueryName> | |
<!-- (duplicate of the cdnjs.cloudflare.com entry above; harmless) -->
<QueryName condition="is">cdnjs.cloudflare.com</QueryName> | |
<QueryName condition="end with">.stackassets.com</QueryName> | |
<QueryName condition="end with">.steamcontent.com</QueryName> | |
<!-- Reverse (PTR) lookups under .arpa, connectivity probes and loopback names are dropped. -->
<QueryName condition="end with">.arpa.</QueryName> | |
<QueryName condition="end with">.arpa</QueryName> | |
<QueryName condition="end with">.msftncsi.com</QueryName> | |
<QueryName condition="end with">.localmachine</QueryName> | |
<QueryName condition="is">localhost</QueryName> | |
<!-- Narrow exclusion: only the Logitech updater resolving .logitech.com is suppressed. This is the preferred shape
     for vendor noise, because the same name resolved by any other process is still logged. -->
<Rule groupRelation="and"> | |
<Image condition="is">C:\ProgramData\LogiShrd\LogiOptions\Software\Current\updater.exe</Image> | |
<QueryName condition="end with">.logitech.com</QueryName> | |
</Rule> | |
<!-- Image-only exclusion: every query made by MsSense.exe is suppressed whatever the name. The same applies to
     SentinelAgent.exe and SearchApp.exe at the end of this list. -->
<Image condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</Image> | |
<!-- Microsoft service suffixes. Several are very broad (.microsoft.com, .windows.com, .live.com, .msedge.net).
     NOTE(review): office365.com and ocsp.identrust.com below are "end with" patterns without a leading dot, so any
     longer name that merely ends in that string also matches; prefix them with a dot or use "is". -->
<QueryName condition="end with">-pushp.svc.ms</QueryName> | |
<QueryName condition="end with">.b-msedge.net</QueryName> | |
<QueryName condition="end with">.bing.com</QueryName> | |
<QueryName condition="end with">.hotmail.com</QueryName> | |
<QueryName condition="end with">.live.com</QueryName> | |
<QueryName condition="end with">.live.net</QueryName> | |
<QueryName condition="end with">.s-microsoft.com</QueryName> | |
<QueryName condition="end with">.microsoft.com</QueryName> | |
<QueryName condition="end with">.microsoftonline.com</QueryName> | |
<QueryName condition="end with">.microsoftstore.com</QueryName> | |
<QueryName condition="end with">.ms-acdc.office.com</QueryName> | |
<QueryName condition="end with">.msedge.net</QueryName> | |
<QueryName condition="end with">.msn.com</QueryName> | |
<QueryName condition="end with">.msocdn.com</QueryName> | |
<QueryName condition="end with">.skype.com</QueryName> | |
<QueryName condition="end with">.skype.net</QueryName> | |
<QueryName condition="end with">.windows.com</QueryName> | |
<QueryName condition="end with">.windows.net.nsatc.net</QueryName> | |
<QueryName condition="end with">.windowsupdate.com</QueryName> | |
<QueryName condition="end with">.xboxlive.com</QueryName> | |
<QueryName condition="is">login.windows.net</QueryName> | |
<QueryName condition="is">outlook.office.com</QueryName> | |
<QueryName condition="is">statics.teams.cdn.office.net</QueryName> | |
<QueryName condition="is">acdc-direct.office.com</QueryName> | |
<QueryName condition="end with">.fp.measure.office.com</QueryName> | |
<QueryName condition="end with">office365.com</QueryName> | |
<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> | |
<QueryName condition="end with">.aria.microsoft.com</QueryName> | |
<QueryName condition="end with">.msauth.net</QueryName> | |
<QueryName condition="end with">.msftauth.net</QueryName> | |
<QueryName condition="end with">.opinsights.azure.com</QueryName> | |
<QueryName condition="is">management.azure.com</QueryName> | |
<QueryName condition="is">outlook.office365.com</QueryName> | |
<QueryName condition="is">portal.azure.com</QueryName> | |
<QueryName condition="is">substrate.office.com</QueryName> | |
<QueryName condition="is">osi.office.net</QueryName> | |
<!-- Certificate status (CRL/OCSP) responders. -->
<QueryName condition="end with">.digicert.com</QueryName> | |
<QueryName condition="end with">.globalsign.com</QueryName> | |
<QueryName condition="end with">.globalsign.net</QueryName> | |
<QueryName condition="is">msocsp.com</QueryName> | |
<QueryName condition="is">ocsp.msocsp.com</QueryName> | |
<QueryName condition="is">pki.goog</QueryName> | |
<QueryName condition="end with">.pki.goog</QueryName> | |
<QueryName condition="is">ocsp.godaddy.com</QueryName> | |
<QueryName condition="is">amazontrust.com</QueryName> | |
<QueryName condition="end with">.amazontrust.com</QueryName> | |
<QueryName condition="is">ocsp.sectigo.com</QueryName> | |
<QueryName condition="is">pki-goog.l.google.com</QueryName> | |
<QueryName condition="end with">.usertrust.com</QueryName> | |
<QueryName condition="is">ocsp.comodoca.com</QueryName> | |
<QueryName condition="is">ocsp.verisign.com</QueryName> | |
<QueryName condition="is">ocsp.entrust.net</QueryName> | |
<QueryName condition="end with">ocsp.identrust.com</QueryName> | |
<QueryName condition="is">status.rapidssl.com</QueryName> | |
<QueryName condition="is">status.thawte.com</QueryName> | |
<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName> | |
<QueryName condition="is">subca.ocsp-certum.com</QueryName> | |
<QueryName condition="is">cscasha2.ocsp-certum.com</QueryName> | |
<QueryName condition="is">crl.verisign.com</QueryName> | |
<Image condition="contains all">C:\Program Files\SentinelOne\Sentinel Agent;\SentinelAgent.exe</Image> | |
<QueryName condition="end with">.spotify.com</QueryName> | |
<QueryName condition="end with">.spotify.map.fastly.net</QueryName> | |
<Image condition="contains all">C:\Windows\SystemApps\Microsoft.Windows.Search;SearchApp.exe</Image> | |
</DnsQuery> | |
</RuleGroup> | |
<!-- Event ID 23 == File Delete and overwrite events which saves a copy to the archivedir - Includes --> | |
<!-- Default set to disabled due to disk space implications; enable with care! --> | |
<!-- File operations are covered by Wazuh FIM, therefore this section is removed. --> | |
<RuleGroup groupRelation="or"> | |
<!-- Empty include list: event 23 is not generated (file deletions are left to Wazuh FIM). -->
<FileDelete onmatch="include" /> | |
</RuleGroup> | |
<!-- Event ID 24 == Clipboard change events, only captures text, not files - Includes --> | |
<!-- Default set to disabled due to privacy implications and the potential data you leave behind for attackers; enable with care! --> | |
<RuleGroup groupRelation="or"> | |
<!-- Empty include list: event 24 is not generated. -->
<ClipboardChange onmatch="include" /> | |
</RuleGroup> | |
<!-- Event ID 25 == Process tampering events - Excludes --> | |
<RuleGroup groupRelation="or"> | |
<ProcessTampering onmatch="exclude"> | |
<!-- Exact-path exclusions for applications known to trigger event 25 legitimately; the same binary run from
     another directory is still reported. -->
<Image condition="is">C:\Program Files\Mozilla Firefox\firefox.exe</Image> | |
<Image condition="is">C:\Program Files\Mozilla Firefox\updater.exe</Image> | |
<Image condition="is">C:\Program Files\Mozilla Firefox\default-browser-agent.exe</Image> | |
<Image condition="is">C:\Program Files\Mozilla Firefox\pingsender.exe</Image> | |
<Image condition="is">C:\Program Files\Git\cmd\git.exe</Image> | |
<Image condition="is">C:\Program Files\Git\mingw64\bin\git.exe</Image> | |
<Image condition="is">C:\Program Files\Git\mingw64\libexec\git-core\git.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Image> | |
<Rule groupRelation="and"> | |
<Image condition="begin with">C:\Program Files (x86)\Microsoft\Edge\Application\</Image> | |
<Image condition="end with">\BHO\ie_to_edge_stub.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="begin with">C:\Program Files (x86)\Microsoft\Edge\Application\</Image> | |
<Image condition="end with">\identity_helper.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<Image condition="begin with">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\</Image> | |
<Image condition="contains">\MicrosoftEdge_X64_</Image> | |
</Rule> | |
<Image condition="is">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\XDelta64\xdelta3.exe</Image> | |
<!-- NOTE(review): "unknown process" is presumably the placeholder Sysmon reports when it cannot resolve the image.
     Suppressing it hides exactly the events where the image could not be identified; consider removing this line and
     tuning on observed volume instead. -->
<Image condition="contains">unknown process</Image> | |
<Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image> | |
<Image condition="is">C:\Windows\System32\wbem\WMIADAP.exe</Image> | |
</ProcessTampering> | |
</RuleGroup> | |
<!-- Event ID 26 == File Delete and overwrite events, does NOT save the file - Includes --> | |
<!-- File operations are covered by Wazuh FIM, therefore this section is removed. --> | |
<RuleGroup groupRelation="or"> | |
<!-- Empty include list: event 26 is not generated, so the FileDeleteDetected exclude group further down in this
     file has no effect until rules are added here. -->
<FileDeleteDetected onmatch="include" /> | |
</RuleGroup> | |
<!-- Event ID 27 == File Block Executable and overwrite events - Includes --> | |
<!-- Default set to disabled due to potential unwanted blocks; enable with care! --> | |
<!-- The Wazuh default ruleset has no rules for this event as of 4.10.0; write custom rules if you need to use it. --> | |
<RuleGroup groupRelation="or"> | |
<!-- Empty include list: no executable writes are blocked and event 27 is not generated. -->
<FileBlockExecutable onmatch="include" /> | |
</RuleGroup> | |
<!-- Event ID 28 == File Block Shredding events - Includes --> | |
<!-- Default set to disabled due to disk space implications; enable with care! --> | |
<!-- The Wazuh default ruleset has no rules for this event as of 4.10.0; write custom rules if you need to use it. --> | |
<RuleGroup groupRelation="or"> | |
<!-- Empty include list: event 28 is not generated. -->
<FileBlockShredding onmatch="include" /> | |
</RuleGroup> | |
<!-- Event ID 29 == File Executable Detected events - Excludes --> | |
<!-- The Wazuh default ruleset has no rules for this event as of 4.10.0; write custom rules if you need to use it. --> | |
<RuleGroup groupRelation="or"> | |
<!-- Empty exclude list. Event 29 is NOT disabled: it is driven by the FileExecutableDetected include group further
     down in this file, so despite the Wazuh note above these events will arrive and need custom rules to be useful. -->
<FileExecutableDetected onmatch="exclude" /> | |
</RuleGroup> | |
<RuleGroup groupRelation="or"> | |
<CreateRemoteThread onmatch="include"> | |
<!-- Event 8 is included for any source image on C:\ or on a UNC path; images launched from another drive letter
     or volume are not captured by these two prefixes. No CreateRemoteThread exclude group is visible in this part
     of the file, so expect volume from legitimate remote-thread users (debuggers, accessibility tools); tune that
     with an exclude group rather than by narrowing the prefixes here. -->
<SourceImage name="technique_id=T1055,technique_name=Process Injection" condition="begin with">C:\</SourceImage> | |
<SourceImage name="technique_id=T1055,technique_name=Process Injection" condition="begin with">\\</SourceImage> | |
</CreateRemoteThread> | |
</RuleGroup> | |
<RuleGroup groupRelation="or"> | |
<!-- Empty exclude list: nothing is filtered from the WmiEvent include group above (every Operation = Created is logged). -->
<WmiEvent onmatch="exclude" /> | |
</RuleGroup> | |
<RuleGroup groupRelation="or"> | |
<FileDeleteDetected onmatch="exclude"> | |
<!-- This exclude group only takes effect if the FileDeleteDetected include group above is given rules; with the
     empty include (deletions left to Wazuh FIM) event 26 is never generated and these entries are inert. -->
<Image condition="contains all">C:\WindowsAzure\GuestAgent;\WindowsAzureGuestAgent.exe</Image> | |
<Image condition="contains all">C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent\;\AMAExtHealthMonitor.exe</Image> | |
<TargetFilename condition="begin with">C:\WindowsAzure\Logs\AggregateStatus\aggregatestatus</TargetFilename> | |
<Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image> | |
<TargetFilename condition="contains all">C:\Windows\Prefetch;.pf</TargetFilename> | |
<!-- NOTE(review): this suppresses every deletion performed by the two service accounts, which is broad.
     Also confirm the leading space in " LOCAL SERVICE" is trimmed by the parser; otherwise that token never matches. -->
<User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User> | |
</FileDeleteDetected> | |
</RuleGroup> | |
<RuleGroup groupRelation="or"> | |
<FileExecutableDetected onmatch="include"> | |
<!-- Event 29 include list. Each Image rule carries a MITRE tag in its name so downstream rules can key on
     technique_id. The TargetFilename entries for Downloads, Temp and Content.Outlook are the highest-value ones:
     any executable written there is logged regardless of the writing process.
     NOTE(review): most rules here use condition="is" with a bare file name while others use condition="image".
     The Image field normally holds the full path, in which case "is" never equals a bare name and those rules are
     silent gaps rather than noise. Confirm on a live event and switch them to "image" (or to "end with" with a
     leading backslash) if so. -->
<Image name="technique_id=T1546.008,technique_name=Windows Error Reporting" condition="contains">werfault.exe</Image> | |
<Image name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="is">odbcconf.exe</Image> | |
<Image name="technique_id=T1027.004,technique_name=Compile After Delivery" condition="is">csc.exe</Image> | |
<Image name="technique_id=T1543.003,technique_name=Windows Service" condition="is">sc.exe</Image> | |
<Image name="technique_id=T1489,technique_name=Service Stop" condition="is">taskkill.exe</Image> | |
<Image name="technique_id=T1074,technique_name=Data Staged" condition="is">xcopy.exe</Image> | |
<Image name="technique_id=T1074,technique_name=Data Staged" condition="is">robocopy.exe</Image> | |
<!-- NOTE(review): the technique tag below is empty (technique_id=T,technique_name=); fill in the intended mapping
     or drop the name attribute so the RuleName field is not misleading. -->
<Image name="technique_id=T,technique_name=" condition="is">makecab.exe</Image> | |
<Image name="technique_id=T1105,technique_name=Remote File Copy" condition="is">GfxDownloadWrapper.exe</Image> | |
<Image name="technique_id=T1105,technique_name=Remote File Copy" condition="is">expand.exe</Image> | |
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">curl.exe</Image> | |
<!-- NOTE(review): this line and the at.exe line below use "technique=" instead of "technique_id="; parsing keyed
     on technique_id will miss both. -->
<Image name="technique=T1105,technique_name=Ingress Tool Transfer" condition="is">ftp.exe</Image> | |
<Image name="technique_id=T1564.004,technique_name=NTFS File Attributes" condition="is">extrac32.exe</Image> | |
<!-- NOTE(review): "sctasks.exe" looks like a typo of schtasks.exe; harmless, since schtasks.exe is listed too. -->
<Image name="technique_id=T1053.005,technique_name=Scheduled Task/Job" condition="contains any">schtasks.exe;sctasks.exe</Image> | |
<Image name="technique=T1053.002,technique_name=At" condition="contains any">at.exe;At.exe</Image> | |
<Image name="technique_id=T1053,technique_name=Scheduled Task/Job" condition="is">taskeng.exe</Image> | |
<Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image> | |
<Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">wmiprvse.exe</Image> | |
<Image condition="is">wevtutil.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">pcalua.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">cscript.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">wscript.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">bash.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">certutil.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">winrs.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">control.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">desktopimgdownldr.exe</Image> | |
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">wsl.exe</Image> | |
<Image name="technique_id=T1218.001,technique_name=Compiled HTML File" condition="is">hh.exe</Image> | |
<Image name="technique_id=T1218.004,technique_name=InstallUtil" condition="is">installutil.exe</Image> | |
<Image name="technique_id=T1218.005,technique_name=Mshta" condition="image">mshta.exe</Image> | |
<Image name="technique_id=T1218.005,technique_name=Mshta" condition="is">mshta.exe</Image> | |
<Image name="technique_id=T1218.010,technique_name=Regsvr32" condition="is">regsvr32.exe</Image> | |
<Image name="technique_id=T1218.011,technique_name=rundll32.exe" condition="contains">rundll32.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">InfDefaultInstall.EXE</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">extexport.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msconfig.EXE</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msiexec.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">odbcconf.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">PresentationHost.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">rasdlui.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">RegisterCimProvider2.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">RegisterCimProvider.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">ScriptRunner.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">verclsid.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">wab.exe</Image> | |
<!-- (wab.exe, mshta.exe, odbcconf.exe, csc.exe, vbc.exe, jsc.exe and Microsoft.Workflow.Compiler.exe each appear
     twice in this list; harmless, but worth de-duplicating) -->
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">wab.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">wsreset.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">Appvlp.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">csi.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">devtoolslauncher.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">Scriptrunner.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">tttracer.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msdt.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">rasautou.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">Register-cimprovider.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">diskshadow.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">replace.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">jjs.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">appcmd.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">vbc.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">csc.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">dfsvc.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">mftrace.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">dxcap.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">ilasm.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">jsc.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">vbc.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">Microsoft.Workflow.Compiler.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">vsjitdebugger.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">tracker.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">te.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">rcsi.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">Microsoft.Workflow.Compiler.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">jsc.exe</Image> | |
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">MSBuild.exe</Image> | |
<Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">excel.exe</Image> | |
<Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">winword.exe</Image> | |
<Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">powerpnt.exe</Image> | |
<Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">outlook.exe</Image> | |
<Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">msaccess.exe</Image> | |
<Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">mspub.exe</Image> | |
<!-- NOTE(review): the TargetFilename begin-with entries for vendor directories (Qualys here; Intel, Mozilla,
     chocolatey, DeviceSync, PlayReady, User Account Pictures and Office Heartbeat further down) read like exclusions
     but sit in an include group, so every executable written under those paths IS logged. Confirm that is intended. -->
<TargetFilename condition="begin with">C:\Program Files\Qualys\QualysAgent</TargetFilename> | |
<Image name="technique_id=T1059.003,technique_name=Windows Command Shell" condition="is">cmd.exe</Image> | |
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell.exe</Image> | |
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">pwsh.exe</Image> | |
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell_ise.exe</Image> | |
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="contains">Sqlps.exe</Image> | |
<TargetFilename condition="contains">\Downloads\</TargetFilename> | |
<TargetFilename condition="contains">\Appdata\Local\Temp\</TargetFilename> | |
<TargetFilename condition="contains">\Appdata\Local\Microsoft\Windows\INetCache\Content.Outlook\</TargetFilename> | |
<Image name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">wsmprovhost.exe</Image> | |
<Image name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">winrshost.exe</Image> | |
<!-- NOTE(review): winrm.cmd is a script, so the process writing the file would presumably be reported as cmd.exe;
     this entry is unlikely to match anything. -->
<Image name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="image">winrm.cmd</Image> | |
<TargetFilename condition="begin with">C:\ProgramData\Intel</TargetFilename> | |
<TargetFilename condition="begin with">C:\ProgramData\Mozilla</TargetFilename> | |
<TargetFilename condition="begin with">C:\ProgramData\chocolatey\</TargetFilename> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\DeviceSync</TargetFilename> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\PlayReady</TargetFilename> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\User Account Pictures</TargetFilename> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Office\Heartbeat</TargetFilename> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER</TargetFilename> | |
<TargetFilename condition="begin with">C:\Users\All Users\</TargetFilename> | |
<TargetFilename condition="begin with">C:\Windows\Tasks</TargetFilename> | |
<TargetFilename condition="begin with">C:\Windows\tracing</TargetFilename> | |
<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> | |
<TargetFilename condition="begin with">C:\Windows\System32\spool\drivers\color</TargetFilename> | |
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename> | |
</FileExecutableDetected> | |
</RuleGroup> | |
</EventFiltering> | |
</Sysmon> |