# Detection Rule

mrblacyk edited this page Apr 24, 2020 · 2 revisions
The API accepts many fields, but the backend does not consider any of them except `raw_rule`. Use `raw_rule` only!

```json
{
    "raw_rule": "${DR JSON as string}",
    "tag": [],
    "references": [],
    "data_needed": [],
    "description": "",
    "severity": "",
    "status": "",
    "title": "",
    "author": ""
}
```

```yaml
title: Executable in ADS
status: experimental
description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
references:
    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.s0139
author: Florian Roth, @0xrawsec
date: 2018/06/03
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
    selection:
        EventID: 15
    filter:
        Imphash: '00000000000000000000000000000000'
    condition: selection and not filter
fields:
    - TargetFilename
    - Image
falsepositives:
    - unknown
level: critical
```

Remember that you have to put the detection rule in `raw_rule`!

```python
import yaml
import requests

path_to_dr = "DR0001.yml"
with open(path_to_dr, 'r') as stream:
    # Load every YAML document in the file (a rule file may contain several)
    dr = [x for x in yaml.safe_load_all(stream)]
    # Only raw_rule is read by the backend; all other fields are ignored
    data = {'raw_rule': dr}
r = requests.post(
    'http://127.0.0.1:8000/api/v1/atc/detectionrule/',
    json=data,
    auth=('admin', 'admin')
)
```

There are three types of filters: exact match, contains and isnull. Here is the list of valid filters:
- title_contains
- description_contains
- data_needed_contains
- tag_contains
- severity_contains
- status_contains
- author_contains
- raw_rule_contains
- title_exact
- description_exact
- data_needed_exact
- tag_exact
- severity_exact
- status_exact
- author_exact
- data_needed_isnull (which takes either `true` or `false`)
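As an added example (not code from this wiki or the project itself), the helpers below build a `raw_rule`-only payload from a rule file and validate filter names against the list above before turning them into request parameters. Two assumptions are made: that `raw_rule` carries the rule as a JSON string as the template shows, and that the list endpoint reads filters from the query string; `SAMPLE_RULE` is a constructed fragment of the ADS rule.

```python
import json
import yaml

# Filter names exactly as listed on this page.
VALID_FILTERS = (
    {f"{f}_contains" for f in ("title", "description", "data_needed", "tag",
                               "severity", "status", "author", "raw_rule")}
    | {f"{f}_exact" for f in ("title", "description", "data_needed", "tag",
                              "severity", "status", "author")}
    | {"data_needed_isnull"}
)

# Constructed sample, cut down from the ADS rule above.
SAMPLE_RULE = "title: Executable in ADS\nstatus: experimental\nlevel: critical\n"


def build_payload(yaml_text):
    """Wrap a Sigma rule in the only field the backend reads: raw_rule.
    Assumption: raw_rule carries the rule as a JSON string (as the template
    above shows); a multi-document YAML file becomes a JSON list of documents."""
    docs = list(yaml.safe_load_all(yaml_text))
    return {"raw_rule": json.dumps(docs)}


def build_filter_params(**filters):
    """Validate filter names against the page's list and render them as
    query-string parameters (assumption: the list endpoint reads the query string).
    Raises ValueError on an unlisted filter or a non-boolean *_isnull value."""
    params = {}
    for name, value in filters.items():
        if name not in VALID_FILTERS:
            raise ValueError(f"unknown filter: {name}")
        if name.endswith("_isnull"):
            if not isinstance(value, bool):
                raise ValueError(f"{name} takes either true or false")
            value = "true" if value else "false"
        params[name] = value
    return params


def post_rule(path_to_dr, base_url="http://127.0.0.1:8000", auth=("admin", "admin")):
    """POST a rule file to the endpoint used on this page (network call)."""
    import requests  # imported here so the helpers above work offline
    with open(path_to_dr, "r") as stream:
        payload = build_payload(stream.read())
    return requests.post(f"{base_url}/api/v1/atc/detectionrule/", json=payload, auth=auth)
```

`build_filter_params(title_contains="ADS", data_needed_isnull=True)` can be passed as `params=` to a GET against the same endpoint once the query-string assumption is confirmed.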