Rule tuning

2021-11-18 10:31:28 +09:00
parent 771c86edbf
commit bad4429ad0
44 changed files with 137 additions and 112 deletions
@@ -2,8 +2,7 @@ title: PowerShell Execution Remote Command
 title_jp: Powershellのリモートコマンドの実行
 description: Powershell command executed remotely.
 description_jp: Powershell command executed remotely.
-author: Eric Conrad
-contributor: Zach Mathis
+author: Eric Conrad, Zach Mathis
 mitre_attack: T1059
 level: medium
 detection:
@@ -15,7 +14,7 @@ detection:
    # condition: selection
 falsepositives:
    - normal system usage
-output: 'Command = %ScriptBlockText%'
-output: 'コマンド = %ScriptBlockText%'
+output: 'Command: %ScriptBlockText%'
+output: 'コマンド: %ScriptBlockText%'
 creation_date: 2020/11/08
 updated_date:  2021/11/06
@@ -1,6 +1,6 @@
 title: Command Line Logging
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
+description: Command line logging.
+author: Eric Conrad, Zach Mathis
 detection:
    selection:
        Channel: Security
@@ -9,6 +9,6 @@ detection:
    # condition: selection
 falsepositives:
    - unknown
-output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
+output: 'CommandLine:%CommandLine%  :  ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
-updated_date: 2020/11/8
+updated_date: 2021/11/8
@@ -0,0 +1,30 @@
+title: Hidden Local User Creation
+author: Christian Burkard
+date: 2021/05/03
+description: Detects the creation of a local hidden user account which should not
+    happen for event ID 4720.
+detection:
+    SELECTION_1:
+        EventID: 4720
+    SELECTION_2:
+        TargetUserName: '*$'
+    condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventCode
+- AccountName
+id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
+level: high
+logsource:
+    product: windows
+    service: security
+references:
+- https://twitter.com/SBousseaden/status/1387743867663958021
+status: experimental
+tags:
+- attack.persistence
+- attack.t1136.001
+yml_filename: win_hidden_user_creation.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
@@ -0,0 +1,32 @@
+title: User Added to Local Administrators
+author: Florian Roth
+date: 2017/03/14
+description: This rule triggers on user accounts that are added to the local Administrators
+    group, which could be legitimate activity or a sign of privilege escalation activity
+detection:
+    SELECTION_1:
+        EventID: 4732
+    SELECTION_2:
+        TargetUserName: Administr*
+    SELECTION_3:
+        TargetSid: S-1-5-32-544
+    SELECTION_4:
+        SubjectUserName: '*$'
+    condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and  not (SELECTION_4))
+falsepositives:
+- Legitimate administrative activity
+id: c265cf08-3f99-46c1-8d59-328247057d57
+level: medium
+logsource:
+    product: windows
+    service: security
+modified: 2021/07/07
+status: stable
+tags:
+- attack.privilege_escalation
+- attack.t1078
+- attack.persistence
+- attack.t1098
+yml_filename: win_user_added_to_local_administrators.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
@@ -0,0 +1,33 @@
+title: Local User Creation
+author: Patrick Bareiss
+date: 2019/04/18
+description: Detects local user creation on windows servers, which shouldn't happen
+    in an Active Directory environment. Apply this Sigma Use Case on your windows
+    server logs and not on your DC logs.
+detection:
+    SELECTION_1:
+        EventID: 4720
+    condition: SELECTION_1
+falsepositives:
+- Domain Controller Logs
+- Local accounts managed by privileged account management tools
+fields:
+- EventCode
+- AccountName
+- AccountDomain
+id: 66b6be3d-55d0-4f47-9855-d69df21740ea
+level: low
+logsource:
+    product: windows
+    service: security
+modified: 2020/08/23
+references:
+- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
+status: experimental
+tags:
+- attack.persistence
+- attack.t1136
+- attack.t1136.001
+yml_filename: win_user_creation.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+