@fukusuket I noticed that in the recent rule merge, some rules that rely on network connections are now using `category: network_connection` and therefore can only be detected with Sysmon logs and not the built-in logs.
Example:
Before:
```yaml
title: Suspicious Outbound Kerberos Connection - Security
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
related:
    - id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
      type: similar
status: test
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
    - https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2023/01/30
tags:
    - attack.lateral_movement
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    security:
        Channel: Security
    selection:
        EventID: 5156
        DestPort: 88
    filter_exact:
        Application:
            - C:\Windows\System32\lsass.exe
            - C:\Program Files\Google\Chrome\Application\chrome.exe
            - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
            - C:\Program Files\Mozilla Firefox\firefox.exe
            - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    # filter_browsers:
    #     Application|endswith:
    #         - '\opera.exe'
    #         - '\tomcat\bin\tomcat8.exe'
    condition: security and (selection and not 1 of filter_*)
falsepositives:
    - Web Browsers
level: high
ruletype: Sigma
```
After:
```yaml
title: Uncommon Outbound Kerberos Connection
id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
related:
    - id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
      type: similar
status: test
description: |
    Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
    - https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2024/03/15
tags:
    - attack.credential_access
    - attack.t1558
    - attack.lateral_movement
    - attack.t1550.003
    - sysmon
logsource:
    category: network_connection
    product: windows
detection:
    network_connection:
        EventID: 3
        Channel: Microsoft-Windows-Sysmon/Operational
    selection:
        DestinationPort: 88
        Initiated: 'true'
    filter_main_lsass:
        Image: C:\Windows\System32\lsass.exe
    filter_optional_chrome:
        Image:
            - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
            - C:\Program Files\Google\Chrome\Application\chrome.exe
    filter_optional_firefox:
        Image:
            - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
            - C:\Program Files\Mozilla Firefox\firefox.exe
    filter_optional_tomcat:
        Image|endswith: \tomcat\bin\tomcat8.exe
    condition: network_connection and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
    - Web Browsers and third party application might generate similar activity. An initial baseline is required.
level: medium
ruletype: Sigma
```
I would like to look into the differences of Sysmon 3 and Security 5156 to see if we can create rules to detect built-in logs like we do for process creation and registry.
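As an added example (not part of this issue or of the rule set it discusses), the Python below applies the port-88 selection and the `filter_*` exclusions shared by the two quoted rules to constructed Security 5156 and Sysmon 3 events through a single field mapping, which is the comparison the last sentence asks for. The `Direction` value `%%14593` for outbound 5156 connections is an assumption, and the sample paths and events are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Exclusion lists taken from the two rules quoted in the issue: both
# exclude lsass and the browsers; the Sysmon version adds tomcat.
FILTER_EXACT = {
    r"C:\Windows\System32\lsass.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
}
FILTER_ENDSWITH = (r"\tomcat\bin\tomcat8.exe",)
# Assumed: WFP resource string that 5156 uses for Direction=Outbound.
WFP_OUTBOUND = "%%14593"

def normalize(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Map a Security 5156 or Sysmon 3 event onto one schema; None means
    the rule should ignore it (other provider, or not host-initiated)."""
    chan, eid = event.get("Channel"), int(event.get("EventID", 0))
    if chan == "Security" and eid == 5156:
        # 5156 has no Initiated flag; Direction is the closest equivalent.
        if event.get("Direction", WFP_OUTBOUND) != WFP_OUTBOUND:
            return None
        return {"image": event["Application"], "dport": int(event["DestPort"]), "src": "5156"}
    if chan == "Microsoft-Windows-Sysmon/Operational" and eid == 3:
        if str(event.get("Initiated", "")).lower() != "true":
            return None
        return {"image": event["Image"], "dport": int(event["DestinationPort"]), "src": "sysmon3"}
    return None

def rule_matches(event: Dict[str, str]) -> bool:
    """selection (outbound to port 88) and not 1 of filter_*."""
    n = normalize(event)
    if n is None or n["dport"] != 88:
        return False
    image = str(n["image"])
    return image not in FILTER_EXACT and not image.lower().endswith(FILTER_ENDSWITH)

def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (source, image) for each event that fires the rule."""
    return [(str(normalize(e)["src"]), str(normalize(e)["image"])) for e in events if rule_matches(e)]

# Constructed sample events covering the cases the two rules distinguish.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": "5156", "Application": r"C:\Windows\System32\lsass.exe", "DestPort": "88", "Direction": "%%14593"},
    {"Channel": "Security", "EventID": "5156", "Application": r"C:\Users\Public\tool.exe", "DestPort": "88", "Direction": "%%14593"},
    {"Channel": "Security", "EventID": "5156", "Application": r"C:\Users\Public\tool.exe", "DestPort": "88", "Direction": "%%14592"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": "3", "Image": r"C:\Users\Public\tool.exe", "DestinationPort": "88", "Initiated": "true"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": "3", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationPort": "88", "Initiated": "true"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": "3", "Image": r"C:\Users\Public\tool.exe", "DestinationPort": "88", "Initiated": "false"},
]
```

One caveat when porting the exclusions back to 5156: the quoted Security rule matches `Application` against `C:\` paths, while the raw 5156 field commonly carries a `\device\harddiskvolumeN\...` path, so the exact-match filter only works if the log pipeline normalises that field first.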