forked from The-DFIR-Report/Sigma-Rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
sigma-mapping.yaml
122 lines (113 loc) · 4.33 KB
/
sigma-mapping.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# Supported values are Stalker and Sigma
kind: sigma
# Exclude noisy rules, add the "title" of the Sigma rule here to exclude (or just delete the rule...)
exclusions:
- "Wuauclt Network Connection"
- "Exports Registry Key To an Alternate Data Stream"
- "NetNTLM Downgrade Attack"
- "Non Interactive PowerShell"
- "Defense evasion via process reimaging"
# EventID and SystemTime are automatically added to the mapping schema and show in the table output
mappings:
22:
title: "DNS Query"
provider: "Microsoft-Windows-Sysmon"
search_fields:
Image: "Event.EventData.Image"
QueryName: "Event.EventData.QueryName"
table_headers:
context_field: "Event.EventData.Image"
QueryName: "Event.EventData.QueryName"
1:
title: "Suspicious Process Creation"
provider: "Microsoft-Windows-Sysmon"
search_fields:
Product: "Event.EventData.Product"
Description: "Event.EventData.Description"
Image: "Event.EventData.Image"
CommandLine: "Event.EventData.CommandLine"
ParentImage: "Event.EventData.ParentImage"
ParentCommandLine: "Event.EventData.ParentCommandLine"
OriginalFileName: "Event.EventData.OriginalFileName"
table_headers:
context_field: "Event.EventData.Image"
command_line: "Event.EventData.CommandLine"
# Can cause noise, enabled as needed
# 3:
# title: "Suspicious Network Connection"
# provider: "Microsoft-Windows-Sysmon"
# search_fields:
# Image: "Event.EventData.Image"
# DestinationIp: "Event.EventData.DestinationIp"
# DestinationHostname: "Event.EventData.DestinationHostname"
# DestinationPort: "Event.EventData.DestinationPort"
# DestinationIsIpv6: "Event.EventData.DestinationIsIpv6"
# User: "Event.EventData.User"
# Initiated: "Event.EventData.Initiated"
# SourcePort: "Event.EventData.SourcePort"
# table_headers:
# context_field: "Event.EventData.Image"
# destination_ip: "Event.EventData.DestinationIp"
# destination_port: "Event.EventData.DestinationPort"
7:
title: "Suspicious Image Load"
provider: "Microsoft-Windows-Sysmon"
search_fields:
Image: "Event.EventData.Image"
ImageLoaded: "Event.EventData.ImageLoaded"
table_headers:
context_field: "Event.EventData.Image"
image_loaded: "Event.EventData.ImageLoaded"
11:
title: "Suspicious File Creation"
provider: "Microsoft-Windows-Sysmon"
search_fields:
Image: "Event.EventData.Image"
TargetFilename: "Event.EventData.TargetFilename"
table_headers:
context_field: "Event.EventData.TargetFilename"
image: "Event.EventData.Image"
13:
title: "Suspicious Registry Event"
provider: "Microsoft-Windows-Sysmon"
search_fields:
Image: "Event.EventData.Image"
TargetObject: "Event.EventData.TargetObject"
Details: "Event.EventData.Details"
table_headers:
context_field: "Event.EventData.Details"
target_object: "Event.EventData.TargetObject"
7045:
title: "Suspicious Service Installed"
provider: "Service Control Manager"
search_fields:
CommandLine: "Event.EventData.ImagePath"
ServiceName: "Event.EventData.ServiceName"
table_headers:
context_field: "Event.EventData.ImagePath"
service_name: "Event.EventData.ServiceName"
4688:
title: "Suspicious Command Line"
provider: "Microsoft-Windows-Security-Auditing"
search_fields:
CommandLine: "Event.EventData.CommandLine"
UserName: "Event.EventData.SubjectUserName"
Image: "Event.EventData.NewProcessName"
table_headers:
context_field: "Event.EventData.CommandLine"
process_name: "Event.EventData.NewProcessName"
4104:
title: "Suspicious Powershell ScriptBlock"
provider: "Microsoft-Windows-PowerShell"
search_fields:
ScriptBlockText: "Event.EventData.ScriptBlockText"
table_headers:
context_field: "Event.EventData.ScriptBlockText"
4698:
title: "Suspicious Scheduled Task Created"
provider: "Microsoft-Windows-Security-Auditing"
search_fields:
CommandLine: "Event.EventData.TaskContent"
table_headers:
context_field: "Event.EventData.TaskContent"
username: "Event.EventData.SubjectUserName"