ADD file via upload

pull/1/head
pex7hfbnt 1 month ago
parent fb18ba3b82
commit 510c39f242

@ -0,0 +1,722 @@
title: Combination of configs
order: 15
# Taken from https://github.com/SigmaHQ/legacy-sigmatools/blob/master/tools/config/
logsources:
ps_module:
category: ps_module
product: windows
conditions:
EventID: 4103
rewrite:
product: windows
service: powershell
ps_script:
category: ps_script
product: windows
conditions:
EventID: 4104
rewrite:
product: windows
service: powershell
# for the "classic" channel
ps_classic_start:
category: ps_classic_start
product: windows
conditions:
EventID: 400
rewrite:
product: windows
service: powershell-classic
ps_classic_provider_start:
category: ps_classic_provider_start
product: windows
conditions:
EventID: 600
rewrite:
product: windows
service: powershell-classic
ps_classic_script:
category: ps_classic_script
product: windows
conditions:
EventID: 800
rewrite:
product: windows
service: powershell-classic
process_creation:
category: process_creation
product: windows
conditions:
EventID: 4688
rewrite:
product: windows
service: security
registry_event:
category: registry_event
product: windows
conditions:
EventID: 4657
OperationType:
- 'New registry value created'
- 'Existing registry value modified'
rewrite:
product: windows
service: security
registry_event_set:
category: registry_set
product: windows
conditions:
EventID: 4657
OperationType:
- 'Existing registry value modified'
rewrite:
product: windows
service: security
registry_event_add:
category: registry_add
product: windows
conditions:
EventID: 4657
OperationType:
- 'New registry value created'
rewrite:
product: windows
service: security
ps_module:
category: ps_module
product: windows
conditions:
EventID: 4103
rewrite:
product: windows
service: powershell
ps_script:
category: ps_script
product: windows
conditions:
EventID: 4104
rewrite:
product: windows
service: powershell
# for the "classic" channel
ps_classic_start:
category: ps_classic_start
product: windows
conditions:
EventID: 400
rewrite:
product: windows
service: powershell-classic
ps_classic_provider_start:
category: ps_classic_provider_start
product: windows
conditions:
EventID: 600
rewrite:
product: windows
service: powershell-classic
ps_classic_script:
category: ps_classic_script
product: windows
conditions:
EventID: 800
rewrite:
product: windows
service: powershell-classic
windows-application:
product: windows
service: application
conditions:
Channel: Application
windows-security:
product: windows
service: security
conditions:
Channel: Security
windows-system:
product: windows
service: system
conditions:
Channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
Channel: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
Channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
Channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
Channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
Channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
Channel: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
Channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
Channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
Channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
Channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
conditions:
Channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
Channel: 'MSExchange Management'
windows-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
Channel: 'Microsoft-ServiceBus-Client'
windows-ladp-client-debug:
product: windows
service: ldap_debug
conditions:
Channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-taskscheduler-operational:
product: windows
service: taskscheduler
conditions:
Channel: 'Microsoft-Windows-TaskScheduler/Operational'
windows-wmi-activity-Operational:
product: windows
service: wmi
conditions:
Channel: 'Microsoft-Windows-WMI-Activity/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
Channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-diagnosis-scripted:
product: windows
service: diagnosis-scripted
conditions:
Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
Channel: 'Microsoft-Windows-Shell-Core/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
Channel: 'Microsoft-Windows-Security-Mitigations'
windows-openssh:
product: windows
service: openssh
conditions:
Channel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
Channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
Channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
Channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
Channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
windows-application:
product: windows
service: application
conditions:
Channel: Application
windows-security:
product: windows
service: security
conditions:
Channel: Security
windows-system:
product: windows
service: system
conditions:
Channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
Channel: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
Channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
Channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
Channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
Provider_Name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
Provider_Name: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
Provider_Name: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
Channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
Channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
Channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
Channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
conditions:
Channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
Channel: 'MSExchange Management'
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
Channel: 'Microsoft-ServiceBus-Client'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
Channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-vhdmp-Operational:
product: windows
service: vhdmp
conditions:
Channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
Channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
Channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
process_creation:
category: process_creation
product: windows
conditions:
EventID: 1
rewrite:
product: windows
service: sysmon
process_creation_linux:
category: process_creation
product: linux
conditions:
EventID: 1
rewrite:
product: linux
service: sysmon
file_change:
category: file_change
product: windows
conditions:
EventID: 2
rewrite:
product: windows
service: sysmon
network_connection:
category: network_connection
product: windows
conditions:
EventID: 3
rewrite:
product: windows
service: sysmon
network_connection_linux:
category: network_connection
product: linux
conditions:
EventID: 3
rewrite:
product: linux
service: sysmon
sysmon_status:
category: sysmon_status
product: windows
conditions:
EventID:
- 4
- 16
rewrite:
product: windows
service: sysmon
sysmon_status_linux:
category: sysmon_status
product: linux
conditions:
EventID: 16
rewrite:
product: linux
service: sysmon
process_terminated:
category: process_termination
product: windows
conditions:
EventID: 5
rewrite:
product: windows
service: sysmon
process_terminated_linux:
category: process_termination
product: linux
conditions:
EventID: 5
rewrite:
product: linux
service: sysmon
driver_loaded:
category: driver_load
product: windows
conditions:
EventID: 6
rewrite:
product: windows
service: sysmon
image_loaded:
category: image_load
product: windows
conditions:
EventID: 7
rewrite:
product: windows
service: sysmon
create_remote_thread:
category: create_remote_thread
product: windows
conditions:
EventID: 8
rewrite:
product: windows
service: sysmon
raw_access_thread:
category: raw_access_thread
product: windows
conditions:
EventID: 9
rewrite:
product: windows
service: sysmon
process_access:
category: process_access
product: windows
conditions:
EventID: 10
rewrite:
product: windows
service: sysmon
raw_access_read_linux:
category: raw_access_read
product: linux
conditions:
EventID: 9
rewrite:
product: linux
service: sysmon
file_creation:
category: file_event
product: windows
conditions:
EventID: 11
rewrite:
product: windows
service: sysmon
file_creation_linux:
category: file_event
product: linux
conditions:
EventID: 11
rewrite:
product: linux
service: sysmon
registry_add:
category: registry_add
product: windows
conditions:
EventID: 12
rewrite:
product: windows
service: sysmon
registry_delete:
category: registry_delete
product: windows
conditions:
EventID: 12
rewrite:
product: windows
service: sysmon
registry_set:
category: registry_set
product: windows
conditions:
EventID: 13
rewrite:
product: windows
service: sysmon
registry_rename:
category: registry_rename
product: windows
conditions:
EventID: 14
rewrite:
product: windows
service: sysmon
registry_event:
category: registry_event
product: windows
conditions:
EventID:
- 12
- 13
- 14
rewrite:
product: windows
service: sysmon
create_stream_hash:
category: create_stream_hash
product: windows
conditions:
EventID: 15
rewrite:
product: windows
service: sysmon
pipe_created:
category: pipe_created
product: windows
conditions:
EventID:
- 17
- 18
rewrite:
product: windows
service: sysmon
wmi_event:
category: wmi_event
product: windows
conditions:
EventID:
- 19
- 20
- 21
rewrite:
product: windows
service: sysmon
dns_query:
category: dns_query
product: windows
conditions:
EventID: 22
rewrite:
product: windows
service: sysmon
file_delete:
category: file_delete
product: windows
conditions:
EventID:
- 23
- 26
rewrite:
product: windows
service: sysmon
file_delete_linux:
category: file_delete
product: linux
conditions:
EventID: 23
rewrite:
product: linux
service: sysmon
clipboard_capture:
category: clipboard_capture
product: windows
conditions:
EventID: 24
rewrite:
product: windows
service: sysmon
process_tampering:
category: process_tampering
product: windows
conditions:
EventID: 25
rewrite:
product: windows
service: sysmon
file_block:
category: file_block
product: windows
conditions:
EventID: 27
rewrite:
product: windows
service: sysmon
sysmon_error:
category: sysmon_error
product: windows
conditions:
EventID: 255
rewrite:
product: windows
service: sysmon
fieldmappings:
Image: NewProcessName
ParentImage: ParentProcessName
Details: NewValue
#CommandLine: ProcessCommandLine # No need to map, as real name of ProcessCommandLine is already CommandLine
LogonId: SubjectLogonId
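Review bot: `process_creation` (EventID 4688, rewrite to `service: security`) near the top of `logsources` is redefined further down with EventID 1 and `service: sysmon`, and `registry_event` (4657, security) is likewise redefined with Sysmon IDs 12/13/14; duplicate mapping keys are invalid YAML and most loaders keep only the last value, so the Security-channel mappings are silently dropped and rules in those categories will only ever match Sysmon events. The same last-wins collision affects `windows-driver-framework`, `windows-dhcp` and `windows-ntlm`, where the second copy switches the condition from `Channel` to `Provider_Name`, so whichever entry survives decides which field the generated query filters on. Give the colliding entries distinct keys, e.g. `process_creation_security:` and `registry_event_security:` for the 4688/4657 blocks, and keep a single copy of the byte-identical repeats (`ps_module` … `ps_classic_script`, `windows-application` … `windows-appmodel-runtime`), folding `windows-ladp-client-debug` into `windows-ldap-debug` and `windows-vhdmp-Operational` into `windows-vhdmp-operational` while deduplicating. The `fieldmappings` block at the end (`Image: NewProcessName`, `LogonId: SubjectLogonId`) uses Security 4688 field names; unless the backend scopes it to the security logsource (not visible here) it will also rewrite fields for rules resolved to `service: sysmon`, so a comment such as `# Security (4688/4657) field names; Sysmon events already use Image/ParentImage` would document the intent.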