@@ -0,0 +1,5 @@
ContentAutoName: Task_1_05_03
ExpertContext:
Created: 22.05.2025
Updated: 22.05.2025
ObjectId: SEC-CR-148026581
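--- a/packages/windows_open_package/correlation_rules/Task_1_05_03/rule.co
+++ b/packages/windows_open_package/correlation_rules/Task_1_05_03/rule.co
@@ -0,0 +1,102 @@
+event Process_Start:
+key:
+event_src.host
+filter {
+filter::NotFromCorrelator()
+and filter::ProcessStart_Windows_any()
+# and filter::ProcessStart_Windows_commandline("process_name", "regex_value")
+# and filter::ProcessStart_Windows("process_name")
+and filter::CheckWL_Process_Creation("Task_1_05_03", )
+}
+
+rule Task_1_05_03: Process_Start
+
+init {
+$labels = "w_auto|CheckWL_Process_Creation"
+}
+
+on Process_Start {
+$subject.account.name = subject.account.name
+$subject.account.domain = subject.account.domain
+$subject.account.fullname = subject.account.fullname
+$subject.account.session_id = subject.account.session_id
+$subject.account.id = subject.account.id
+$subject.account.privileges = subject.account.privileges
+
+$object.account.session_id = object.account.session_id
+$object.account.name = object.account.name
+$object.account.domain = object.account.domain
+$object.account.fullname = object.account.fullname
+$object.account.id = object.account.id
+
+$object.process.id = object.process.id
+$object.process.name = object.process.name
+$object.process.path = object.process.path
+$object.process.fullpath = object.process.fullpath
+$object.process.hash = object.process.hash
+$object.process.hash.md5 = object.process.hash.md5
+$object.process.hash.sha1 = object.process.hash.sha1
+$object.process.hash.sha256 = object.process.hash.sha256
+$object.process.version = object.process.version
+$object.process.cmdline = object.process.cmdline
+$object.process.guid = object.process.guid
+$object.process.meta = object.process.meta
+$object.process.original_name = object.process.original_name
+$object.process.cwd = object.process.cwd
+$object.process.chain = object.process.chain
+
+$object.process.parent.id = object.process.parent.id
+$object.process.parent.name = object.process.parent.name
+$object.process.parent.path = object.process.parent.path
+$object.process.parent.fullpath = object.process.parent.fullpath
+$object.process.parent.guid = object.process.parent.guid
+$object.process.parent.cmdline = object.process.parent.cmdline
+
+# FOR LOLBIN
+#if ($object.process.parent.name == "services.exe" or $object.process.parent.name == "svchost.exe") then
+# $reason = join([$reason, "Service execution"], "|")
+#elif $object.process.parent.name == "scheduler.exe" then
+# $reason = join([$reason, "Task execution"], "|")
+#else
+# $reason = join([$reason, "User execution"], "|")
+#endif
+
+$datafield6 = datafield6 # Идентификатор сессии в формате UUID
+
+$datafield18 = datafield18 # Цепочка процесса-субъекта с идентификаторами
+$datafield19 = datafield19 # Цепочка процесса-объекта с идентификаторами
+
+$event_src.ip = event_src.ip
+$event_src.hostname = event_src.hostname
+$event_src.fqdn = event_src.fqdn
+$event_src.host = event_src.host
+$event_src.asset = event_src.asset
+$event_src.vendor = event_src.vendor
+$event_src.title = event_src.title
+$event_src.subsys = event_src.subsys
+$event_src.rule = event_src.rule
+
+$alert.key =
+$alert.context = # join([$alert.context, "regex_match: " + regex(lower(object.process.cmdline), "regex_from_filter", 0)], "|")
+$alert.regex_match =
+}
+
+emit {
+$correlation_type = ""
+
+$subject = "account"
+$action = "start"
+$object = "process"
+$status = "success"
+
+$importance = ""
+
+$category.generic = "Attack"
+$category.high = ""
+$category.low = ""
+
+$incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($subject.account.id)], "|")
+$incident.severity = $importance
+$incident.category = "Undefined"
+$incident.aggregation.timeout = 2h
+}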
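Review bot: The rule has no detection condition: the filter block at the top of rule.co keeps only `filter::NotFromCorrelator()`, `filter::ProcessStart_Windows_any()` and the whitelist check, with both the command-line and process-name macros left commented out, so Task_1_05_03 correlates on every Windows process start and the positive test passes for any event rather than because of the AMSI-disabling `reg add` command line its fixture supplies. The intended condition should be restored, presumably by enabling the commented macro along the lines of `and filter::ProcessStart_Windows_commandline("powershell.exe", "<regex for the reg add ... AmsiEnable command line>")`; the argument semantics are not visible here, so confirm them against the macro definition. Several emit fields are also still template placeholders: `$correlation_type = ""`, `$importance = ""` (which then feeds `$incident.severity`), empty `$category.high`/`$category.low`, and `$alert.key =` / `$alert.regex_match =` have no right-hand side at all, which may not even parse. Task_2_05_03/rule.co further down has the same template body and the same issues.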
@@ -0,0 +1 @@
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>22</EventID><Version>5</Version><Level>4</Level><Task>22</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-03-25T22:26:02.9162941Z'/><EventRecordID>959934</EventRecordID><Correlation/><Execution ProcessID='3544' ThreadID='10204'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>DESKTOP-EOO67OB</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-03-25 22:26:01.081</Data><Data Name='ProcessGuid'>{1b05aedf-8f40-67d4-ac00-000000004100}</Data><Data Name='ProcessId'>1052</Data><Data Name='QueryName'>e9b37a3838955cb29c6018724ed0e813.azr.footprintdns.com</Data><Data Name='QueryStatus'>0</Data><Data Name='QueryResults'>::ffff:172.29.1.80;</Data><Data Name='Image'>C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe</Data><Data Name='User'>DESKTOP-EOO67OB\user</Data></EventData></Event><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-03-25T22:26:01.4345595Z'/><EventRecordID>959933</EventRecordID><Correlation/><Execution ProcessID='3544' ThreadID='4356'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>DESKTOP-EOO67OB</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-03-25 22:26:01.386</Data><Data Name='ProcessGuid'>{1b05aedf-2d79-67e3-7d0f-000000004100}</Data><Data Name='ProcessId'>7508</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.19041.4355 
(WinBuild.160101.0800)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>"C:\Windows\System32\Wbem\WMIC.exe" process get caption,executablepath,commandline /format:csv</Data><Data Name='CurrentDirectory'>C:\Users\user\</Data><Data Name='User'>DESKTOP-EOO67OB\user</Data><Data Name='LogonGuid'>{1b05aedf-8f29-67d4-8a4a-080000000000}</Data><Data Name='LogonId'>0x84a8a</Data><Data Name='TerminalSessionId'>1</Data><Data Name='IntegrityLevel'>Medium</Data><Data Name='Hashes'>MD5=F04138FE0E6A4814BF3942E3037900F4,SHA256=BF4FA71C1495F95ADBCF3F7C7D41837E2661622C2EE3B24CD9647676047578DA,IMPHASH=527C7C66CDD13D72D793BCA3A417BCBE</Data><Data Name='ParentProcessGuid'>{1b05aedf-2d75-67e3-7b0f-000000004100}</Data><Data Name='ParentProcessId'>8324</Data><Data Name='ParentImage'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='ParentCommandLine'>"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" </Data><Data Name='ParentUser'>DESKTOP-EOO67OB\user</Data></EventData></Event><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-03-25T22:25:58.9669544Z'/><EventRecordID>959932</EventRecordID><Correlation/><Execution ProcessID='3544' ThreadID='4356'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>DESKTOP-EOO67OB</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-03-25 22:25:58.945</Data><Data Name='ProcessGuid'>{1b05aedf-2d75-67e3-7b0f-000000004100}</Data><Data Name='ProcessId'>8324</Data><Data 
Name='Image'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='TargetFilename'>C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xw0ermo5.uol.ps1</Data><Data Name='CreationUtcTime'>2025-03-25 22:25:58.945</Data><Data Name='User'>DESKTOP-EOO67OB\user</Data></EventData></Event><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-03-25T22:25:57.2701228Z'/><EventRecordID>959931</EventRecordID><Correlation/><Execution ProcessID='3544' ThreadID='4356'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>DESKTOP-EOO67OB</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-03-25 22:25:57.165</Data><Data Name='ProcessGuid'>{1b05aedf-2d75-67e3-7c0f-000000004100}</Data><Data Name='ProcessId'>11012</Data><Data Name='Image'>C:\Windows\System32\conhost.exe</Data><Data Name='FileVersion'>10.0.19041.5198 (WinBuild.160101.0800)</Data><Data Name='Description'>Console Window Host</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>CONHOST.EXE</Data><Data Name='CommandLine'>\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1</Data><Data Name='CurrentDirectory'>C:\Windows</Data><Data Name='User'>DESKTOP-EOO67OB\user</Data><Data Name='LogonGuid'>{1b05aedf-8f29-67d4-8a4a-080000000000}</Data><Data Name='LogonId'>0x84a8a</Data><Data Name='TerminalSessionId'>1</Data><Data Name='IntegrityLevel'>Medium</Data><Data Name='Hashes'>MD5=7850554B5C650163FC168AA08F18E343,SHA256=B02EE54FB2EC69673386D41119EE8ED083A6EAB3BFCA6AA2155D20CE68EF8963,IMPHASH=0F64302D3280DE299F4C51A78746F606</Data><Data 
Name='ParentProcessGuid'>{1b05aedf-2d75-67e3-7b0f-000000004100}</Data><Data Name='ParentProcessId'>8324</Data><Data Name='ParentImage'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='ParentCommandLine'>"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" </Data><Data Name='ParentUser'>DESKTOP-EOO67OB\user</Data></EventData></Event><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-03-25T22:25:57.0689884Z'/><EventRecordID>959930</EventRecordID><Correlation/><Execution ProcessID='3544' ThreadID='4356'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>DESKTOP-EOO67OB</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-03-25 22:25:57.047</Data><Data Name='ProcessGuid'>{1b05aedf-2d75-67e3-7b0f-000000004100}</Data><Data Name='ProcessId'>8324</Data><Data Name='Image'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='FileVersion'>10.0.19041.3996 (WinBuild.160101.0800)</Data><Data Name='Description'>Windows PowerShell</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>PowerShell.EXE</Data><Data Name='CommandLine'>"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" </Data><Data Name='CurrentDirectory'>C:\Users\user\</Data><Data Name='User'>DESKTOP-EOO67OB\user</Data><Data Name='LogonGuid'>{1b05aedf-8f29-67d4-8a4a-080000000000}</Data><Data Name='LogonId'>0x84a8a</Data><Data Name='TerminalSessionId'>1</Data><Data Name='IntegrityLevel'>Medium</Data><Data 
Name='Hashes'>MD5=2E5A8590CF6848968FC23DE3FA1E25F1,SHA256=9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3,IMPHASH=3D08F4848535206D772DE145804FF4B6</Data><Data Name='ParentProcessGuid'>{1b05aedf-8f33-67d4-9b00-000000004100}</Data><Data Name='ParentProcessId'>6860</Data><Data Name='ParentImage'>C:\Windows\explorer.exe</Data><Data Name='ParentCommandLine'>C:\Windows\Explorer.EXE</Data><Data Name='ParentUser'>DESKTOP-EOO67OB\user</Data></EventData></Event><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-03-25T22:25:56.1330452Z'/><EventRecordID>959929</EventRecordID><Correlation/><Execution ProcessID='3544' ThreadID='4356'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>DESKTOP-EOO67OB</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-03-25 22:25:56.036</Data><Data Name='ProcessGuid'>{1b05aedf-2d74-67e3-7a0f-000000004100}</Data><Data Name='ProcessId'>7704</Data><Data Name='Image'>C:\Windows\System32\smartscreen.exe</Data><Data Name='FileVersion'>10.0.19041.5369 (WinBuild.160101.0800)</Data><Data Name='Description'>Windows Defender SmartScreen</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>smartscreen.exe</Data><Data Name='CommandLine'>C:\Windows\System32\smartscreen.exe -Embedding</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>DESKTOP-EOO67OB\user</Data><Data Name='LogonGuid'>{1b05aedf-8f29-67d4-8a4a-080000000000}</Data><Data Name='LogonId'>0x84a8a</Data><Data Name='TerminalSessionId'>1</Data><Data Name='IntegrityLevel'>Medium</Data><Data 
Name='Hashes'>MD5=419701D67559E04E345E092944187DBB,SHA256=A5F50D8F1E61A08C8C6FE20A41122187C1BC0ED2129FAA6DC7FEE98F7829FB64,IMPHASH=D671DD5FDB49D6ACE006E8FFF0BD6DF9</Data><Data Name='ParentProcessGuid'>{1b05aedf-8f19-67d4-0d00-000000004100}</Data><Data Name='ParentProcessId'>864</Data><Data Name='ParentImage'>C:\Windows\System32\svchost.exe</Data><Data Name='ParentCommandLine'>C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event></Events>
@@ -0,0 +1 @@
{"event_src":{"title":"sysmon"},"msgid":"1","object":{"process":{"fullpath":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -ExecutionPolicy Unrestricted -Command \"reg add HKCU\\Software\\Microsoft\\Windows Script\\Settings /v AmsiEnable /t REG_DWORD /d 0 /f\""}}}
@@ -0,0 +1,2 @@


@@ -0,0 +1,2 @@
table_list default
expect 1 {"correlation_name": "Task_1_05_03"}
@@ -0,0 +1,5 @@
# Вайтлистинг
table_list default
table_list {"Common_whitelist_auto": [{"rule": "Task_1_05_03", "specific_value": ""}]}

expect not {"correlation_name": "Task_1_05_03"}
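Review bot: The whitelist row used here has an empty `specific_value`, mirroring the empty second argument of `filter::CheckWL_Process_Creation("Task_1_05_03", )` in rule.co, so this test only proves that any whitelist row for the rule suppresses every event; it does not show that a narrowly scoped exception works while other process starts still fire. Consider passing the field the exception should key on as the macro's second argument, e.g. `lower(object.process.cmdline)`, and adding a second test whose `specific_value` does not match and that still expects the correlation. Whether the macro accepts an empty argument is not visible on this page; confirm against its definition. The Task_2_05_03 whitelist test has the same shape.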
@@ -0,0 +1,5 @@
ContentAutoName: Task_2_05_03
ExpertContext:
Created: 23.05.2025
Updated: 23.05.2025
ObjectId: SEC-CR-960147016
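--- a/packages/windows_open_package/correlation_rules/Task_2_05_03/rule.co
+++ b/packages/windows_open_package/correlation_rules/Task_2_05_03/rule.co
@@ -0,0 +1,102 @@
+event Process_Start:
+key:
+event_src.host
+filter {
+filter::NotFromCorrelator()
+and filter::ProcessStart_Windows_any()
+# and filter::ProcessStart_Windows_commandline("process_name", "regex_value")
+# and filter::ProcessStart_Windows("process_name")
+and filter::CheckWL_Process_Creation("Task_2_05_03", )
+}
+
+rule Task_2_05_03: Process_Start
+
+init {
+$labels = "w_auto|CheckWL_Process_Creation"
+}
+
+on Process_Start {
+$subject.account.name = subject.account.name
+$subject.account.domain = subject.account.domain
+$subject.account.fullname = subject.account.fullname
+$subject.account.session_id = subject.account.session_id
+$subject.account.id = subject.account.id
+$subject.account.privileges = subject.account.privileges
+
+$object.account.session_id = object.account.session_id
+$object.account.name = object.account.name
+$object.account.domain = object.account.domain
+$object.account.fullname = object.account.fullname
+$object.account.id = object.account.id
+
+$object.process.id = object.process.id
+$object.process.name = object.process.name
+$object.process.path = object.process.path
+$object.process.fullpath = object.process.fullpath
+$object.process.hash = object.process.hash
+$object.process.hash.md5 = object.process.hash.md5
+$object.process.hash.sha1 = object.process.hash.sha1
+$object.process.hash.sha256 = object.process.hash.sha256
+$object.process.version = object.process.version
+$object.process.cmdline = object.process.cmdline
+$object.process.guid = object.process.guid
+$object.process.meta = object.process.meta
+$object.process.original_name = object.process.original_name
+$object.process.cwd = object.process.cwd
+$object.process.chain = object.process.chain
+
+$object.process.parent.id = object.process.parent.id
+$object.process.parent.name = object.process.parent.name
+$object.process.parent.path = object.process.parent.path
+$object.process.parent.fullpath = object.process.parent.fullpath
+$object.process.parent.guid = object.process.parent.guid
+$object.process.parent.cmdline = object.process.parent.cmdline
+
+# FOR LOLBIN
+#if ($object.process.parent.name == "services.exe" or $object.process.parent.name == "svchost.exe") then
+# $reason = join([$reason, "Service execution"], "|")
+#elif $object.process.parent.name == "scheduler.exe" then
+# $reason = join([$reason, "Task execution"], "|")
+#else
+# $reason = join([$reason, "User execution"], "|")
+#endif
+
+$datafield6 = datafield6 # Идентификатор сессии в формате UUID
+
+$datafield18 = datafield18 # Цепочка процесса-субъекта с идентификаторами
+$datafield19 = datafield19 # Цепочка процесса-объекта с идентификаторами
+
+$event_src.ip = event_src.ip
+$event_src.hostname = event_src.hostname
+$event_src.fqdn = event_src.fqdn
+$event_src.host = event_src.host
+$event_src.asset = event_src.asset
+$event_src.vendor = event_src.vendor
+$event_src.title = event_src.title
+$event_src.subsys = event_src.subsys
+$event_src.rule = event_src.rule
+
+$alert.key =
+$alert.context = # join([$alert.context, "regex_match: " + regex(lower(object.process.cmdline), "regex_from_filter", 0)], "|")
+$alert.regex_match =
+}
+
+emit {
+$correlation_type = ""
+
+$subject = "account"
+$action = "start"
+$object = "process"
+$status = "success"
+
+$importance = ""
+
+$category.generic = "Attack"
+$category.high = ""
+$category.low = ""
+
+$incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($subject.account.id)], "|")
+$incident.severity = $importance
+$incident.category = "Undefined"
+$incident.aggregation.timeout = 2h
+}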
@@ -0,0 +1,2 @@
table_list default
expect 1 {"correlation_name": "Task_2_05_03"}
@@ -0,0 +1,5 @@
# Вайтлистинг
table_list default
table_list {"Common_whitelist_auto": [{"rule": "Task_2_05_03", "specific_value": ""}]}

expect not {"correlation_name": "Task_2_05_03"}
@@ -0,0 +1,5 @@
ContentAutoName: Task_5_1_1_5_03
ExpertContext:
Created: 27.05.2025
Updated: 27.05.2025
ObjectId: SEC-CR-210460128