ルール更新 (#224)

2021-11-23 15:04:03 +09:00
parent 034f9c0957
commit 015899bc51
2224 changed files with 2916 additions and 47186 deletions
@@ -0,0 +1,30 @@
+
+title: Silenttrinity Stager Msbuild Activity
+author: Kiran kumar s, oscd.community
+date: 2020/10/11
+description: Detects a possible remote connections to Silenttrinity c2
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Image: '*\msbuild.exe'
+  SELECTION_3:
+    DestinationPort:
+    - '80'
+    - '443'
+  SELECTION_4:
+    Initiated: 'true'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
+level: high
+logsource:
+  category: network_connection
+  product: windows
+references:
+- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+status: experimental
+tags:
+- attack.execution
+- attack.t1127.001
@@ -0,0 +1,52 @@
+
+title: Dllhost Internet Connection
+author: bartblaze
+date: 2020/07/13
+description: Detects Dllhost that communicates with public IP addresses
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Image: '*\dllhost.exe'
+  SELECTION_3:
+    Initiated: 'true'
+  SELECTION_4:
+    DestinationIp:
+    - 10.*
+    - 192.168.*
+    - 172.16.*
+    - 172.17.*
+    - 172.18.*
+    - 172.19.*
+    - 172.20.*
+    - 172.21.*
+    - 172.22.*
+    - 172.23.*
+    - 172.24.*
+    - 172.25.*
+    - 172.26.*
+    - 172.27.*
+    - 172.28.*
+    - 172.29.*
+    - 172.30.*
+    - 172.31.*
+    - 127.*
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Communication to other corporate systems that use IP addresses from public address
+  spaces
+id: cfed2f44-16df-4bf3-833a-79405198b277
+level: medium
+logsource:
+  category: network_connection
+  product: windows
+modified: 2020/08/24
+references:
+- https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+- attack.execution
+- attack.t1559.001
+- attack.t1175
@@ -0,0 +1,60 @@
+
+title: Excel Network Connections
+author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0"
+date: 2021/11/10
+description: Detects an Excel process that opens suspicious network connections to
+  non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely
+  have to tune this rule for your organization, but it is certainly something you
+  should look for and could have applications for malicious activity beyond CVE-2021-42292.
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Image: '*\excel.exe'
+  SELECTION_3:
+    Initiated: 'true'
+  SELECTION_4:
+    DestinationIsIpv6: 'false'
+  SELECTION_5:
+    DestinationIp:
+    - 10.*
+    - 192.168.*
+    - 172.16.*
+    - 172.17.*
+    - 172.18.*
+    - 172.19.*
+    - 172.20.*
+    - 172.21.*
+    - 172.22.*
+    - 172.23.*
+    - 172.24.*
+    - 172.25.*
+    - 172.26.*
+    - 172.27.*
+    - 172.28.*
+    - 172.29.*
+    - 172.30.*
+    - 172.31.*
+    - 127.0.0.1*
+  SELECTION_6:
+    DestinationIsIpv6: 'false'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
+    (SELECTION_5 and SELECTION_6))
+falsepositives:
+- You may have to tune certain domains out that Excel may call out to, such as microsoft
+  or other business use case domains.
+- Office documents commonly have templates that refer to external addresses, like
+  sharepoint.ourcompany.com may have to be tuned.
+- It is highly recomended to baseline your activity and tune out common business use
+  cases.
+id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
+level: medium
+logsource:
+  category: network_connection
+  product: windows
+references:
+- https://corelight.com/blog/detecting-cve-2021-42292
+status: experimental
+tags:
+- attack.execution
+- attack.t1203
@@ -0,0 +1,110 @@
+
+title: Suspicious Typical Malware Back Connect Ports
+author: Florian Roth
+date: 2017/03/19
+description: Detects programs that connect to typical malware back connect ports based
+  on statistical analysis from two different sandbox system databases
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Initiated: 'true'
+  SELECTION_3:
+    DestinationPort:
+    - '4443'
+    - '2448'
+    - '8143'
+    - '1777'
+    - '1443'
+    - '243'
+    - '65535'
+    - '13506'
+    - '3360'
+    - '200'
+    - '198'
+    - '49180'
+    - '13507'
+    - '6625'
+    - '4444'
+    - '4438'
+    - '1904'
+    - '13505'
+    - '13504'
+    - '12102'
+    - '9631'
+    - '5445'
+    - '2443'
+    - '777'
+    - '13394'
+    - '13145'
+    - '12103'
+    - '5552'
+    - '3939'
+    - '3675'
+    - '666'
+    - '473'
+    - '5649'
+    - '4455'
+    - '4433'
+    - '1817'
+    - '100'
+    - '65520'
+    - '1960'
+    - '1515'
+    - '743'
+    - '700'
+    - '14154'
+    - '14103'
+    - '14102'
+    - '12322'
+    - '10101'
+    - '7210'
+    - '4040'
+    - '9943'
+  SELECTION_4:
+    EventID: 3
+  SELECTION_5:
+    Image: '*\Program Files*'
+  SELECTION_6:
+    DestinationIp:
+    - 10.*
+    - 192.168.*
+    - 172.16.*
+    - 172.17.*
+    - 172.18.*
+    - 172.19.*
+    - 172.20.*
+    - 172.21.*
+    - 172.22.*
+    - 172.23.*
+    - 172.24.*
+    - 172.25.*
+    - 172.26.*
+    - 172.27.*
+    - 172.28.*
+    - 172.29.*
+    - 172.30.*
+    - 172.31.*
+    - 127.*
+  SELECTION_7:
+    DestinationIsIpv6: 'false'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not ((SELECTION_4
+    and (SELECTION_5 or (SELECTION_6 and SELECTION_7)))))
+falsepositives:
+- unknown
+id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
+level: medium
+logsource:
+  category: network_connection
+  definition: 'Use the following config to generate the necessary Event ID 10 Process
+    Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess
+    onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
+  product: windows
+modified: 2020/08/24
+references:
+- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1571
+- attack.t1043
@@ -0,0 +1,30 @@
+
+title: Notepad Making Network Connection
+author: EagleEye Team
+date: 2020/05/14
+description: Detects suspicious network connection by Notepad
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Image: '*\notepad.exe'
+  SELECTION_3:
+    DestinationPort: '9100'
+  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
+falsepositives:
+- None observed so far
+id: e81528db-fc02-45e8-8e98-4e84aba1f10b
+level: high
+logsource:
+  category: network_connection
+  product: windows
+modified: 2020/08/24
+references:
+- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
+- https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
+status: experimental
+tags:
+- attack.command_and_control
+- attack.execution
+- attack.defense_evasion
+- attack.t1055
@@ -0,0 +1,62 @@
+
+title: PowerShell Network Connections
+author: Florian Roth
+date: 2017/03/13
+description: Detects a Powershell process that opens network connections - check for
+  suspicious target ports and target systems - adjust to your environment (e.g. extend
+  filters with company's ip range')
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Image: '*\powershell.exe'
+  SELECTION_3:
+    Initiated: 'true'
+  SELECTION_4:
+    DestinationIsIpv6: 'false'
+  SELECTION_5:
+    DestinationIp:
+    - 10.*
+    - 192.168.*
+    - 172.16.*
+    - 172.17.*
+    - 172.18.*
+    - 172.19.*
+    - 172.20.*
+    - 172.21.*
+    - 172.22.*
+    - 172.23.*
+    - 172.24.*
+    - 172.25.*
+    - 172.26.*
+    - 172.27.*
+    - 172.28.*
+    - 172.29.*
+    - 172.30.*
+    - 172.31.*
+    - 127.0.0.1*
+  SELECTION_6:
+    DestinationIsIpv6: 'false'
+  SELECTION_7:
+    User: NT AUTHORITY\SYSTEM
+  SELECTION_8:
+    User: '*AUT*'
+  SELECTION_9:
+    User: '* NT*'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
+    (SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9))
+falsepositives:
+- Administrative scripts
+id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
+level: low
+logsource:
+  category: network_connection
+  product: windows
+modified: 2021/06/14
+references:
+- https://www.youtube.com/watch?v=DLtJTxMWZ2o
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
@@ -0,0 +1,41 @@
+
+title: RDP Over Reverse SSH Tunnel
+author: Samir Bousseaden
+date: 2019/02/16
+description: Detects svchost hosting RDP termsvcs communicating with the loopback
+  address and on TCP port 3389
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Image: '*\svchost.exe'
+  SELECTION_3:
+    Initiated: 'true'
+  SELECTION_4:
+    SourcePort: 3389
+  SELECTION_5:
+    DestinationIp:
+    - 127.*
+  SELECTION_6:
+    DestinationIp:
+    - ::1
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and (SELECTION_5
+    or SELECTION_6))
+falsepositives:
+- unknown
+id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
+level: high
+logsource:
+  category: network_connection
+  product: windows
+modified: 2021/05/11
+references:
+- https://twitter.com/SBousseaden/status/1096148422984384514
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1572
+- attack.lateral_movement
+- attack.t1021.001
+- attack.t1076
+- car.2013-07-002
@@ -0,0 +1,37 @@
+
+title: Regsvr32 Network Activity
+author: Dmitriy Lifanov, oscd.community
+date: 2019/10/25
+description: Detects network connections and DNS queries initiated by Regsvr32.exe
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Image: '*\regsvr32.exe'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- Image
+- DestinationIp
+- DestinationPort
+id: c7e91a02-d771-4a6d-a700-42587e0b1095
+level: high
+logsource:
+  category: network_connection
+  product: windows
+modified: 2021/09/21
+references:
+- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+status: experimental
+tags:
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.defense_evasion
+- attack.t1218.010
+- attack.t1117
@@ -0,0 +1,34 @@
+
+title: Remote PowerShell Session
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects remote PowerShell connections by monitoring network outbound
+  connections to ports 5985 or 5986 from a non-network service account.
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    DestinationPort: 5985
+  SELECTION_3:
+    DestinationPort: 5986
+  SELECTION_4:
+    User: NT AUTHORITY\NETWORK SERVICE
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
+id: c539afac-c12a-46ed-b1bd-5a5567c9f045
+level: high
+logsource:
+  category: network_connection
+  product: windows
+modified: 2020/08/24
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
@@ -0,0 +1,51 @@
+
+title: Rundll32 Internet Connection
+author: Florian Roth
+date: 2017/11/04
+description: Detects a rundll32 that communicates with public IP addresses
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Image: '*\rundll32.exe'
+  SELECTION_3:
+    Initiated: 'true'
+  SELECTION_4:
+    DestinationIp:
+    - 10.*
+    - 192.168.*
+    - 172.16.*
+    - 172.17.*
+    - 172.18.*
+    - 172.19.*
+    - 172.20.*
+    - 172.21.*
+    - 172.22.*
+    - 172.23.*
+    - 172.24.*
+    - 172.25.*
+    - 172.26.*
+    - 172.27.*
+    - 172.28.*
+    - 172.29.*
+    - 172.30.*
+    - 172.31.*
+    - 127.*
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Communication to other corporate systems that use IP addresses from public address
+  spaces
+id: cdc8da7d-c303-42f8-b08c-b4ab47230263
+level: medium
+logsource:
+  category: network_connection
+  product: windows
+modified: 2020/08/24
+references:
+- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218.011
+- attack.t1085
+- attack.execution
@@ -0,0 +1,42 @@
+
+title: Suspicious Program Location with Network Connections
+author: Florian Roth
+date: 2017/03/19
+description: Detects programs with network connections running in suspicious files
+  system locations
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Image:
+    - '*\Users\All Users\\*'
+    - '*\Users\Default\\*'
+    - '*\Users\Public\\*'
+    - '*\Users\Contacts\\*'
+    - '*\Users\Searches\\*'
+    - '*\config\systemprofile\\*'
+    - '*\Windows\Fonts\\*'
+    - '*\Windows\IME\\*'
+    - '*\Windows\addins\\*'
+  SELECTION_3:
+    Image:
+    - '*\$Recycle.bin'
+  SELECTION_4:
+    Image:
+    - C:\Perflogs\\*
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
+level: high
+logsource:
+  category: network_connection
+  definition: Use the following config to generate the necessary Event ID 3 Network
+    Connection events
+  product: windows
+references:
+- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1105
@@ -0,0 +1,53 @@
+
+title: Suspicious Outbound RDP Connections
+author: Markus Neis - Swisscom
+date: 2019/05/15
+description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible
+  lateral movement
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    DestinationPort: 3389
+  SELECTION_3:
+    Initiated: 'true'
+  SELECTION_4:
+    Image:
+    - '*\mstsc.exe'
+    - '*\RTSApp.exe'
+    - '*\RTS2App.exe'
+    - '*\RDCMan.exe'
+    - '*\ws_TunnelService.exe'
+    - '*\RSSensor.exe'
+    - '*\RemoteDesktopManagerFree.exe'
+    - '*\RemoteDesktopManager.exe'
+    - '*\RemoteDesktopManager64.exe'
+    - '*\mRemoteNG.exe'
+    - '*\mRemote.exe'
+    - '*\Terminals.exe'
+    - '*\spiceworks-finder.exe'
+    - '*\FSDiscovery.exe'
+    - '*\FSAssessment.exe'
+    - '*\MobaRTE.exe'
+    - '*\chrome.exe'
+    - '*\System32\dns.exe'
+    - '*\thor.exe'
+    - '*\thor64.exe'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Other Remote Desktop RDP tools
+- domain controller using dns.exe
+id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
+level: high
+logsource:
+  category: network_connection
+  product: windows
+modified: 2020/08/24
+references:
+- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.001
+- attack.t1076
+- car.2013-07-002
@@ -0,0 +1,38 @@
+
+title: Suspicious Outbound Kerberos Connection
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+description: Detects suspicious outbound network activity via kerberos default port
+  indicating possible lateral movement or first stage PrivEsc via delegation.
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    DestinationPort: 88
+  SELECTION_3:
+    Initiated: 'true'
+  SELECTION_4:
+    Image:
+    - '*\lsass.exe'
+    - '*\opera.exe'
+    - '*\chrome.exe'
+    - '*\firefox.exe'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Other browsers
+id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
+level: high
+logsource:
+  category: network_connection
+  product: windows
+modified: 2020/08/24
+references:
+- https://github.com/GhostPack/Rubeus
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1558
+- attack.t1208
+- attack.lateral_movement
+- attack.t1550.003
+- attack.t1097
@@ -0,0 +1,37 @@
+
+title: Microsoft Binary Github Communication
+author: Michael Haag (idea), Florian Roth (rule)
+date: 2017/08/24
+description: Detects an executable in the Windows folder accessing github.com
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Initiated: 'true'
+  SELECTION_3:
+    DestinationHostname:
+    - '*.github.com'
+    - '*.githubusercontent.com'
+  SELECTION_4:
+    Image: C:\Windows\\*
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+- '@subTee in your network'
+id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
+level: high
+logsource:
+  category: network_connection
+  product: windows
+modified: 2020/08/24
+references:
+- https://twitter.com/M_haggis/status/900741347035889665
+- https://twitter.com/M_haggis/status/1032799638213066752
+- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1105
+- attack.exfiltration
+- attack.t1567.001
+- attack.t1048
@@ -0,0 +1,32 @@
+
+title: Microsoft Binary Suspicious Communication Endpoint
+author: Florian Roth
+date: 2018/08/30
+description: Detects an executable in the Windows folder accessing suspicious domains
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Initiated: 'true'
+  SELECTION_3:
+    DestinationHostname:
+    - '*dl.dropboxusercontent.com'
+    - '*.pastebin.com'
+    - '*.githubusercontent.com'
+  SELECTION_4:
+    Image: C:\Windows\\*
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
+level: high
+logsource:
+  category: network_connection
+  product: windows
+references:
+- https://twitter.com/M_haggis/status/900741347035889665
+- https://twitter.com/M_haggis/status/1032799638213066752
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1105
@@ -0,0 +1,27 @@
+
+title: Wuauclt Network Connection
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
+  proxy execute code and making a network connections. One could easily make the DLL
+  spawn a new process and inject to it to proxy the network connection and bypass
+  this rule.
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Image: '*wuauclt*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate use of wuauclt.exe over the network.
+id: c649a6c7-cd8c-4a78-9c04-000fc76df954
+level: medium
+logsource:
+  category: network_connection
+  product: windows
+references:
+- https://dtm.uk/wuauclt/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
@@ -0,0 +1,46 @@
+
+title: Windows Crypto Mining Pool Connections
+author: Florian Roth
+date: 2021/10/26
+description: Detects process connections to a Monero crypto mining pool
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    DestinationHostname:
+    - pool.minexmr.com
+    - fr.minexmr.com
+    - de.minexmr.com
+    - sg.minexmr.com
+    - ca.minexmr.com
+    - us-west.minexmr.com
+    - pool.supportxmr.com
+    - mine.c3pool.com
+    - xmr-eu1.nanopool.org
+    - xmr-eu2.nanopool.org
+    - xmr-us-east1.nanopool.org
+    - xmr-us-west1.nanopool.org
+    - xmr-asia1.nanopool.org
+    - xmr-jp1.nanopool.org
+    - xmr-au1.nanopool.org
+    - xmr.2miners.com
+    - xmr.hashcity.org
+    - xmr.f2pool.com
+    - xmrpool.eu
+    - pool.hashvault.pro
+    - moneroocean.stream
+    - monerocean.stream
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate use of crypto miners
+id: fa5b1358-b040-4403-9868-15f7d9ab6329
+level: high
+logsource:
+  category: network_connection
+  product: windows
+references:
+- https://www.poolwatch.io/coin/monero
+status: stable
+tags:
+- attack.impact
+- attack.t1496