Create new rules for category: network_connection #630

Open
YamatoSecurity opened this issue Mar 23, 2024 · 0 comments
Labels
enhancement New feature or request under-invstigate

Comments

@YamatoSecurity
Collaborator

@fukusuket I noticed that in the recent rule merge, some rules that rely on network connections are now using category: network_connection and therefore can only be detected with Sysmon logs and not the built-in logs.

Example:

Before:

title: Suspicious Outbound Kerberos Connection - Security
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
related:
    - id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
      type: similar
status: test
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
    - https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2023/01/30
tags:
    - attack.lateral_movement
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    security:
        Channel: Security
    selection:
        EventID: 5156
        DestPort: 88
    filter_exact:
        Application:
            - C:\Windows\System32\lsass.exe
            - C:\Program Files\Google\Chrome\Application\chrome.exe
            - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
            - C:\Program Files\Mozilla Firefox\firefox.exe
            - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    # filter_browsers:
        # Application|endswith:
        #     - '\opera.exe'
        #     - '\tomcat\bin\tomcat8.exe'
    condition: security and (selection and not 1 of filter_*)
falsepositives:
    - Web Browsers
level: high
ruletype: Sigma

After:

title: Uncommon Outbound Kerberos Connection
id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
related:
    - id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
      type: similar
status: test
description: |
    Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
    - https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2024/03/15
tags:
    - attack.credential_access
    - attack.t1558
    - attack.lateral_movement
    - attack.t1550.003
    - sysmon
logsource:
    category: network_connection
    product: windows
detection:
    network_connection:
        EventID: 3
        Channel: Microsoft-Windows-Sysmon/Operational
    selection:
        DestinationPort: 88
        Initiated: 'true'
    filter_main_lsass:
        Image: C:\Windows\System32\lsass.exe
    filter_optional_chrome:
        Image:
            - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
            - C:\Program Files\Google\Chrome\Application\chrome.exe
    filter_optional_firefox:
        Image:
            - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
            - C:\Program Files\Mozilla Firefox\firefox.exe
    filter_optional_tomcat:
        Image|endswith: \tomcat\bin\tomcat8.exe
    condition: network_connection and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
    - Web Browsers and third party application might generate similar activity. An initial baseline is required.
level: medium
ruletype: Sigma

I would like to look into the differences of Sysmon 3 and Security 5156 to see if we can create rules to detect built-in logs like we do for process creation and registry.
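A small matcher, added here as an illustration and not code from the issue, from Sigma or from Hayabusa, that applies the "After" rule's selection-and-filter logic to both a Sysmon event 3 record and a Security event 5156 record by renaming fields. The Image to Application and DestinationPort to DestPort mapping, the case-insensitive matching, the decision to skip the Sysmon-only Initiated field for 5156 (the issue shows no counterpart) and the sample events are all assumptions or constructed inputs.

```python
# Added example; field names are taken from the two rules quoted in the issue,
# the Sysmon->Security mapping and the sample events are assumptions/constructions.
SYSMON_TO_SECURITY = {"Image": "Application", "DestinationPort": "DestPort"}
CHANNEL = {3: "Microsoft-Windows-Sysmon/Operational", 5156: "Security"}
SELECTION = {"DestinationPort": [88], "Initiated": ["true"]}
FILTERS = {  # the rule's condition is "selection and not 1 of filter_*"
    "filter_main_lsass": {"Image": [r"C:\Windows\System32\lsass.exe"]},
    "filter_optional_chrome": {"Image": [
        r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe"]},
    "filter_optional_firefox": {"Image": [
        r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe"]},
    "filter_optional_tomcat": {"Image|endswith": [r"\tomcat\bin\tomcat8.exe"]},
}

def _match(event, key, wanted):
    """Sigma-style match: case-insensitive, optional |endswith modifier."""
    field, _, mod = key.partition("|")
    val = str(event.get(field, "")).lower()
    return any(val.endswith(str(w).lower()) if mod == "endswith" else val == str(w).lower()
               for w in wanted)

def _translate(block, event_id):
    """Rename Sysmon field names to their Security 5156 counterparts when needed."""
    if event_id != 5156:
        return block
    out = {}
    for key, wanted in block.items():
        field, _, mod = key.partition("|")
        if field == "Initiated":  # no 5156 equivalent appears in the issue, so skip it
            continue
        out[SYSMON_TO_SECURITY.get(field, field) + (f"|{mod}" if mod else "")] = wanted
    return out

def is_uncommon_kerberos(event):
    """Evaluate 'selection and not 1 of filter_*' on a Sysmon 3 or Security 5156 event."""
    eid = event.get("EventID")
    if eid not in CHANNEL or event.get("Channel") != CHANNEL[eid]:
        return False
    if not all(_match(event, k, v) for k, v in _translate(SELECTION, eid).items()):
        return False
    return not any(all(_match(event, k, v) for k, v in _translate(f, eid).items())
                   for f in FILTERS.values())
# Constructed sample events (not real telemetry), one per log source.
SAMPLE_SYSMON = {"EventID": 3, "Channel": CHANNEL[3], "DestinationPort": 88,
                 "Initiated": "true", "Image": r"C:\Users\bob\AppData\Local\Temp\unknown.exe"}
SAMPLE_SECURITY = {"EventID": 5156, "Channel": CHANNEL[5156], "DestPort": 88,
                   "Application": r"C:\Program Files\Google\Chrome\Application\chrome.exe"}
```

The same logic fires on the Sysmon sample and is suppressed on the Security sample by the Chrome filter; swapping the Application path for an unfiltered one makes the 5156 record match too.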
