Hunt pack: INC Ransom
1,177 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to INC Ransom — a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel. Note that the queries shown on this page are YARA-L rules for Google SecOps (Chronicle), so check each rule's target platform before pasting it into your SIEM.
Detections
50 shown of 1,177
okta_user_logins_from_multiple_cities
Detects user logins for same user from different cities within 24 hours.
rule okta_user_logins_from_multiple_cities {
  meta:
    author = "Google Cloud Security"
    description = "Detects user logins for same user from different cities within 24 hours."
    rule_id = "mr_b607de8a-7988-4f4f-8ecf-e8754de6bbae"
    rule_name = "Okta User Logins From Multiple Cities"
    reference = "https://help.okta.com/en-us/Content/Topics/Security/behavior-detection/logs-behavior-detection.htm"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Medium"
    priority = "Medium"

  events:
    // Okta session-start events. There is no security_result.action filter,
    // so if Okta reports a failed session start with the same summary it is
    // counted as well — confirm against your feed before tuning.
    $session.metadata.vendor_name = "Okta"
    $session.metadata.product_name = "Okta"
    $session.metadata.event_type = "USER_LOGIN"
    $session.metadata.product_event_type = "user.session.start"
    $session.security_result.summary = "User login to Okta"
    // Group on the authenticating user. The city placeholder is bound here so
    // that (presumably) only events carrying a city participate — note that city
    // comes from principal.location while state/country below come from
    // ip_geo_artifact, i.e. two different enrichment sources.
    $session.principal.user.userid = $uid
    $session.principal.location.city = $login_city

  match:
    $uid over 24h

  outcome:
    // Per-event score folded with max(): 35 base, +30 when Okta ThreatInsight
    // flagged the source IP, +20 for each listed source country.
    $risk_score = max(
      35 +
      if($session.security_result.detection_fields["threatSuspected"] = "true", 30) +
      if($session.principal.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
      if($session.principal.ip_geo_artifact.location.country_or_region = "Iran", 20) +
      if($session.principal.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
      if($session.principal.ip_geo_artifact.location.country_or_region = "Russia", 20) +
      if($session.principal.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    // The distinct-city count is what the condition tests; everything else is
    // analyst context. City-level geo is noisy (mobile carriers, VPN and CDN
    // egress), so expect tuning.
    $dc_principal_ip_city = count_distinct($session.principal.location.city)
    $principal_ip_city = array_distinct($session.principal.location.city)
    $principal_ip_state = array_distinct($session.principal.ip_geo_artifact.location.state)
    $principal_ip_country = array_distinct($session.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip = array_distinct($session.principal.ip)
    $target_user_agent = array_distinct($session.network.http.user_agent)
    $security_result_summary = array_distinct($session.security_result.summary)
    $principal_user_userid = array_distinct($session.principal.user.userid)
    $principal_user_managers_email_addresses = array_distinct($session.principal.user.managers.email_addresses)
    $target_user_userid = array_distinct($session.target.user.userid)
    $target_user_email_addresses = array_distinct($session.target.user.email_addresses)

  condition:
    // Same user seen from more than one city inside the 24h window.
    $session and $dc_principal_ip_city > 1
}
okta_user_suspicious_activity_reported
An Okta user reports suspicious activity in response to an end user security notification.
rule okta_user_suspicious_activity_reported {
  meta:
    author = "Google Cloud Security"
    description = "An Okta user reports suspicious activity in response to an end user security notification."
    rule_id = "mr_09eaaa93-be5e-4b7f-9d6b-8675e63291a0"
    rule_name = "Okta User Suspicious Activity Reported"
    reference = "https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Medium"
    priority = "Medium"

  events:
    // The end user clicked "report suspicious activity" on an Okta security
    // notification. The reporting user is the *target* of the event, which is
    // why the match key comes from target.user.
    $report.metadata.vendor_name = "Okta"
    $report.metadata.product_name = "Okta"
    $report.metadata.event_type = "USER_UNCATEGORIZED"
    $report.metadata.product_event_type = "user.account.report_suspicious_activity_by_enduser"
    $report.security_result.summary = "User report suspicious activity"
    $report.target.user.userid = $reported_uid

  match:
    $reported_uid over 1h

  outcome:
    // 35 base; +30 when the notification being reported was an MFA-enrollment
    // email — commonly the user reacting to a factor they did not enrol.
    $risk_score = max(
      35 +
      if($report.security_result.detection_fields["suspiciousActivityEventType"] = "system.email.mfa_enroll_notification.sent_message", 30)
    )
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    // Context: where the report came from, plus the principal/target identities.
    $principal_ip = array_distinct($report.principal.ip)
    $principal_ip_country = array_distinct($report.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($report.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($report.principal.location.city)
    $target_user_agent = array_distinct($report.network.http.user_agent)
    $principal_user_email_addresses = array_distinct ($report.principal.user.email_addresses)
    $security_result_summary = array_distinct($report.security_result.summary)
    $target_user_email_addresses = array_distinct($report.target.user.email_addresses)
    $target_user_userid = array_distinct($report.target.user.userid)

  condition:
    // Every user report alerts; the 1h window only collapses repeats.
    $report
}
onelogin_multiple_users_login_failures_from_the_same_ip
Detects multiple users login failures from a single IP.
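rule onelogin_multiple_users_login_failures_from_the_same_ip {
  meta:
    author = "Google Cloud Security"
    description = "Detects multiple users login failures from a single IP."
    rule_id = "mr_8e302561-6fc5-430d-ae0c-bd285a0aec21"
    rule_name = "OneLogin Multiple Users Login Failures From The Same IP"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v15.1"
    type = "Alert"
    data_source = "OneLogin"
    severity = "Medium"
    priority = "Medium"

  events:
    // OneLogin event type 6 = user failed authentication, normalized as a
    // USER_LOGIN with action BLOCK.
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_name = "ONELOGIN_SSO"
    $login.metadata.vendor_name = "ONELOGIN"
    $login.security_result.action = "BLOCK"
    $login.metadata.product_event_type = "6" //user failed authentication
    // Group on the client IP making the attempts.
    $login.principal.ip = $ip

  match:
    $ip over 1h

  outcome:
    // 35 base, +20 when the source IP geolocates to a listed country.
    // The geo lookup is done on the principal side: principal.ip is the client
    // the rule groups on; a target-side lookup would describe the other end of
    // the connection, not the host attempting the logins.
    $risk_score = max(35 +
      // Unauthorized source geographies
      if($login.principal.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Iran", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Russia", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $mitre_attack_tactic = "Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    $principal_user_user_display_name = array_distinct($login.principal.user.user_display_name)
    // Distinct accounts tried from this IP — the value the condition tests.
    $dc_principal_user_userid = count_distinct($login.principal.user.userid)
    $metadata_description = array_distinct($login.metadata.description)

  condition:
    // Four or more distinct accounts failing from one IP within an hour reads
    // as spraying/stuffing rather than a single user mistyping a password.
    $login and $dc_principal_user_userid > 3
}
onelogin_user_logins_from_multiple_countries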
Detects user logins for the same user from different countries within 24 hours.
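rule onelogin_user_logins_from_multiple_countries {
  meta:
    author = "Google Cloud Security"
    // The rule name and condition are about countries, so the description says so too.
    description = "Detects user logins for the same user from different countries within 24 hours."
    rule_id = "mr_92eb87fb-0310-460f-9640-8bc0bb87a8a3"
    rule_name = "OneLogin User Logins From Multiple Countries"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v15.1"
    type = "Alert"
    data_source = "OneLogin"
    severity = "Medium"
    priority = "Medium"

  events:
    // OneLogin event type 5 = user logged into OneLogin (successful logon).
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_name = "ONELOGIN_SSO"
    $login.metadata.vendor_name = "ONELOGIN"
    $login.metadata.product_event_type = "5" //user logged into onelogin
    // Group on the user; events with no resolved country still match here and
    // whether an empty country counts as a distinct value depends on the
    // engine — consider requiring country_or_region != "" if that is a problem.
    $login.principal.user.userid = $userid

  match:
    $userid over 24h

  outcome:
    // 35 base, +20 when the source IP geolocates to a listed country.
    $risk_score = max(
      35 +
      // Unauthorized source geographies
      if($login.principal.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Iran", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Russia", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $mitre_attack_tactic = "Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $network_user_agent = array_distinct($login.network.http.user_agent)
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    // Distinct source countries — the value the condition tests.
    $dc_principal_ip_country = count_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    $principal_user_user_display_name = array_distinct($login.principal.user.user_display_name)
    $target_user_userid = array_distinct($login.target.user.userid)

  condition:
    // Same user logged in from more than one country inside the 24h window.
    $login and $dc_principal_ip_country > 1
}
potential_credential_dumping_activity_via_lsass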
Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
rule potential_credential_dumping_activity_via_lsass {
meta:
author = "Samir Bousseaden, Michael Haag"
description = "Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature."
reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
rule_name = "Potential Credential Dumping Activity Via LSASS"
sigma_uuid = "5ef9853e-4d0e-4a70-846f-a9ca37d876da"
sigma_status = "experimental"
rule_id = "mr_33474568-9a0a-4588-ba79-144ab7908f8e"
tactic = "TA0006"
technique = "T1003.001"
type = "Detection"
data_source = "Sysmon"
platform = "Windows"
severity = "Medium"
priority = "Medium"
false_positives = "Unknown"
events:
// Sysmon process-access (event ID 10) telemetry, normalized as PROCESS_OPEN,
// where the opened process is lsass.exe.
$process.metadata.event_type = "PROCESS_OPEN"
re.regex($process.target.process.file.full_path, `\\lsass\.exe$`) nocase
// GrantedAccess is carried in target.resource.name. These are substring
// matches, so "0x1038" also matches longer masks such as "0x103800".
(
strings.contains(strings.to_lower($process.target.resource.name), "0x1038") or
strings.contains(strings.to_lower($process.target.resource.name), "0x1438") or
strings.contains(strings.to_lower($process.target.resource.name), "0x143a") or
strings.contains(strings.to_lower($process.target.resource.name), "0x1fffff") //questionable, this one and others have been filtered out due to FP
)
// CallTrace must pass through the MiniDump helpers or the generic Win32/NT
// call path. NOTE(review): nearly every user-mode access goes through
// ntdll/kernel32 anyway, so this list mainly drops direct-syscall tooling
// rather than adding precision.
(
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "dbgcore.dll") or
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "dbghelp.dll") or
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "kernel32.dll") or
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "kernelbase.dll") or
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "ntdll.dll")
)
// Upstream false-positive filter: ignore accesses whose source principal
// domain contains AUTHORI / AUTORI (NT AUTHORITY and localized spellings).
// NOTE(review): this also hides dumping performed from a SYSTEM context —
// exactly where many dumpers run after elevation — so it is a known blind spot.
NOT (
strings.contains($process.principal.administrative_domain, "AUTHORI") or
strings.contains($process.principal.administrative_domain, "AUTORI")
)
// Exclude the THOR scanner (thor64.exe) launched from the ASGARD agent
// directory when it opens lsass with exactly 0x103800.
NOT (
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), ":\\windows\\temp\\asgard2-agent\\") and
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "\\thor\\thor64.exe+") and
strings.contains(strings.to_upper($process.additional.fields["CallTrace"]), "|UNKNOWN(") and
$process.target.resource.name = "0x103800" nocase
)
// Exclude Sysmon itself.
NOT re.regex($process.principal.process.file.full_path, `:\\Windows\\Sysmon64\.exe$`) nocase
$process.principal.hostname = $hostname
match:
// All matching accesses on one host within 5 minutes collapse into a single detection.
$hostname over 5m
outcome:
//example usage of specifying test hostname to adjust risk score
// Tuning hook: a host literally named "hostname" scores 0, everything else 15.
$risk_score = max(if($process.principal.hostname = "hostname", 0, 15))
// Source (accessing) process and target (lsass) process details for triage.
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
$log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))
condition:
$process
}
powershell_web_download
Detects suspicious ways to download files or content using PowerShell
rule powershell_web_download {
  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects suspicious ways to download files or content using PowerShell"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "PowerShell Web Download"
    sigma_uuid = "6e897651-f157-4d8f-aaeb-df8151488385"
    sigma_status = "test"
    rule_id = "mr_942ed146-8046-4623-bae9-03bb4aaaf7d7"
    tactic = "TA0002"
    technique = "T1059.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Medium"
    priority = "Medium"
    false_positives = "Scripts or tools that download files"

  events:
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    // Download-cradle substrings in the launched process's command line.
    // The rule does not restrict the image to powershell.exe/pwsh.exe, so any
    // process whose command line carries these tokens matches. It is plain
    // substring matching: an -EncodedCommand payload, Invoke-RestMethod/irm, or
    // "iwr" without a trailing space are not covered.
    (
      strings.contains(strings.to_lower($launch.target.process.command_line), "iwr ") or
      strings.contains(strings.to_lower($launch.target.process.command_line), "invoke-webrequest ") or
      strings.contains(strings.to_lower($launch.target.process.command_line), ".downloadfile(") or
      strings.contains(strings.to_lower($launch.target.process.command_line), ".downloadstring(")
    )
    $launch.principal.hostname = $host

  match:
    $host over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // Tuning hook: user "user" on host "hostname" scores 0, everything else 15.
    $risk_score = max(if($launch.principal.user.userid = "user" and $launch.principal.hostname = "hostname", 0, 15))
    // Parent (principal) and child (target) process context for triage.
    $principal_process_pid = array_distinct($launch.principal.process.pid)
    $principal_process_command_line = array_distinct($launch.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($launch.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($launch.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($launch.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($launch.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($launch.target.process.pid)
    $target_process_command_line = array_distinct($launch.target.process.command_line)
    $target_process_file_sha256 = array_distinct($launch.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($launch.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($launch.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($launch.principal.user.userid)
    $log_type = array_distinct(strings.concat($launch.metadata.log_type,"/",$launch.metadata.product_event_type))

  condition:
    $launch
}
rdp_sensitive_settings_changed_to_zero
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
rule rdp_sensitive_settings_changed_to_zero {
  meta:
    author = "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali"
    description = "Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc."
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "RDP Sensitive Settings Changed to Zero"
    rule_id = "mr_553a08a3-f1b6-4962-9393-151b0fecdf55"
    sigma_uuid = "a2863fbc-d5cb-48d5-83fb-d976d4b1743b"
    sigma_status = "test"
    tactic = "TA0005"
    //tactic = "TA0003"
    technique = "T1112"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Medium"
    priority = "Medium"
    false_positives = "Some of the keys mentioned here could be modified by an administrator while setting group policy"

  events:
    $regset.metadata.event_type = "REGISTRY_MODIFICATION"
    // Terminal Server values that weaken RDP when set to 0:
    //   fDenyTSConnections = 0 -> RDP connections allowed (per the description)
    //   UserAuthentication = 0 -> network-level authentication no longer required
    //   fSingleSessionPerUser = 0 -> one user may hold several sessions
    // Note the description also mentions fAllowUnsolicited, which is NOT in this
    // list (and 0 would be the safe value for it anyway).
    (
      re.regex($regset.target.registry.registry_key, `\\UserAuthentication$`) nocase or
      re.regex($regset.target.registry.registry_key, `\\fSingleSessionPerUser$`) nocase or
      re.regex($regset.target.registry.registry_key, `\\fDenyTSConnections$`) nocase
    )
    // Sysmon renders DWORD values as "DWORD (0x00000000)"; other sources may not.
    $regset.target.registry.registry_value_data = "DWORD (0x00000000)" nocase
    $regset.principal.hostname = $host

  match:
    $host over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // Tuning hook: user "user" on host "hostname" scores 0, everything else 15.
    $risk_score = max(if($regset.principal.user.userid = "user" and $regset.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($regset.principal.hostname)
    $principal_user_userid = array_distinct($regset.principal.user.userid)
    // Which process made the change — GPO/admin tooling vs. something else.
    $principal_process_pid = array_distinct($regset.principal.process.pid)
    $principal_process_file_full_path = array_distinct($regset.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($regset.principal.process.product_specific_process_id)
    $target_registry_key = array_distinct($regset.target.registry.registry_key)
    $target_registry_value_data = array_distinct($regset.target.registry.registry_value_data)
    $log_type = array_distinct(strings.concat($regset.metadata.log_type,"/",$regset.metadata.product_event_type))

  condition:
    $regset
}
sap_function_module_testing_detected
Detects direct execution and testing of SAP Function Modules via SE37 test frame. This identifies correlation between a transaction start (AU7) and a function module call (BU4) in close succession
rule sap_function_module_testing_detected {
meta:
author = "Google Cloud Security"
description = "Detects direct execution and testing of SAP Function Modules via SE37 test frame. This identifies correlation between a transaction start (AU7) and a function module call (BU4) in close succession"
severity = "Medium"
tactic = "TA0002"
technique = "T1129"
events:
// Transaction code SE37 (function builder) or the related SE80 / SEU_INT
// workbench codes, combined with the RS_TESTFRAME_CALL report — the test frame
// that runs a function module directly with caller-supplied input.
// NOTE(review): unlike the other SAP rules on this page there is no
// metadata.log_type = "SAP_SECURITY_AUDIT" filter; slgtc_1 / param1_1 / msg_1
// come from that parser, so adding the filter would make this consistent.
// NOTE(review): the description talks about correlating AU7 and BU4, but the
// rule has no msg_1 predicate — it only checks transaction code and report
// name. (Elsewhere on this page AU7 is the "user created" message id.)
$e.security_result.detection_fields["slgtc_1"] = /^SE37$|^SE80$|^SEU_INT$/
$e.principal.process.file.names = "RS_TESTFRAME_CALL"
$user = $e.principal.user.userid
match:
// All test-frame calls by one user inside an hour roll up into one detection.
$user over 1h
outcome:
// param1_1 presumably names the function module that was called — confirm against the parser.
$resource_accessed = array_distinct($e.additional.fields["param1_1"])
$event_name = array_distinct($e.security_result.summary)
$description = array_distinct($e.metadata.description)
$msg = array_distinct($e.additional.fields["msg_1"])
$src_ip = array_distinct($e.principal.ip)
condition:
$e
}
sap_hanadb_user_admin_actions
Detects administrative user management (Create/Alter/Drop) and schema deletion within SAP HANA DB.
rule sap_hanadb_user_admin_actions {
  meta:
    author = "Google Cloud Security"
    description = "Detects administrative user management (Create/Alter/Drop) and schema deletion within SAP HANA DB."
    severity = "Medium"
    tactic = "TA0003"
    technique = "T1136"

  events:
    $audit.metadata.log_type = "SAP_HANA_AUDIT"
    $sql = $audit.additional.fields["executed_statement"]
    // Unanchored, case-insensitive substring patterns over the audited SQL text.
    // ALTER USER covers routine changes (password resets, lock/unlock) as well as
    // privilege-relevant ones, so expect noise from admin tooling; a reference
    // list of service/admin accounts is the usual tuning lever.
    (
      $sql = /DROP SCHEMA/ nocase or
      $sql = /DROP USER/ nocase or
      $sql = /ALTER USER/ nocase or
      $sql = /CREATE USER/ nocase
    )
    $actor = $audit.principal.user.userid

  match:
    $actor over 30m

  outcome:
    // Flat score for any user-admin / schema-drop statement.
    $risk_score = max(70)
    $principal_user = array_distinct($actor)
    $target_user = array_distinct($audit.target.user.userid)
    $executed_statements = array_distinct($sql)
    $system_id = array_distinct($audit.target.resource.attribute.labels["system_id"])
    $db_name = array_distinct($audit.target.resource.name)

  condition:
    $audit
}
sap_impossible_travel
Identifies two successful logons for the same User ID from two different geographic locations in a timeframe that is physically impossible to travel between, indicating credential sharing or theft.
rule sap_impossible_travel {
meta:
author = "Google Cloud Security"
description = "Identifies two successful logons for the same User ID from two different geographic locations in a timeframe that is physically impossible to travel between, indicating credential sharing or theft."
severity = "medium"
tactic = "TA0006"
technique = "T1078"
events:
$e.metadata.log_type = "SAP_SECURITY_AUDIT"
// A logon is either the normalized USER_LOGIN event or a raw AU1/AU5 message id
// (the same pair sap_multi_terminal_logon uses for successful logons).
// NOTE(review): the USER_LOGIN branch has no security_result.action check, so
// failed logons could also be counted if the parser maps them to USER_LOGIN —
// confirm before relying on "successful" in the description.
(
$e.metadata.event_type = "USER_LOGIN" or
$e.additional.fields["msg_1"] = /^AU1$|^AU5$/
)
// Geo enrichment is required: logons whose source IP has no resolved country
// (typically private/internal addresses) never take part.
$e.principal.ip_geo_artifact.location.country_or_region != ""
$country = $e.principal.ip_geo_artifact.location.country_or_region
$state = $e.principal.ip_geo_artifact.location.state
$user = $e.principal.user.userid
match:
// All logons for one user ID inside a 1-hour window.
$user over 1h
outcome:
$countries = array_distinct($country)
$states = array_distinct($state)
$count_of_countries = count_distinct($country)
$count_of_states = count_distinct($state)
// 30 base; +30 when more than one country is seen; +30 when more than two states are.
$risk_score = if(count_distinct($country) > 1, 30, 0) + if(count_distinct($state) > 2, 30, 0) + 30
// Network context for triage — carrier/organization helps separate mobile
// carrier and VPN/cloud-egress geo jumps from real travel.
$network_carrier_name = array_distinct($e.principal.ip_geo_artifact.network.carrier_name)
// NOTE(review): "networn" is a typo for "network"; left unchanged because
// renaming an outcome field changes what downstream consumers see.
$networn_dns_domain = array_distinct($e.principal.ip_geo_artifact.network.dns_domain)
$network_org = array_distinct($e.principal.ip_geo_artifact.network.organization_name)
$sap_instance = array_distinct($e.target.resource.name)
condition:
// Fires when the user's logons span two or more countries or two or more
// states within the hour (#placeholder presumably counts distinct placeholder
// values, mirroring the count_distinct outcomes above — confirm).
// NOTE(review): no distance or velocity is computed, so two neighbouring states
// within an hour (commuting, carrier geo drift) also fire; this is a
// multi-geo-in-1h rule rather than true impossible-travel math.
#country >= 2 or #state >= 2
}
sap_multi_terminal_logon
Identifies successful logons for the same User ID from multiple different terminal IDs or client hostnames in a short timeframe, indicating potential credential sharing or session theft.
rule sap_multi_terminal_logon {
  meta:
    author = "Google Cloud Security"
    description = "Identifies successful logons for the same User ID from multiple different terminal IDs or client hostnames in a short timeframe, indicating potential credential sharing or session theft."
    severity = "medium"
    tactic = "TA0006"
    technique = "T1078"

  events:
    $logon.metadata.log_type = "SAP_SECURITY_AUDIT"
    // A logon is either the raw AU1/AU5 message id or the normalized USER_LOGIN
    // event. NOTE(review): the USER_LOGIN branch carries no
    // security_result.action check, so failed logons may count too if the
    // parser maps them to USER_LOGIN — confirm.
    (
      $logon.additional.fields["msg_1"] = /^AU1$|^AU5$/ or
      $logon.metadata.event_type = "USER_LOGIN"
    )
    // Only events that actually record a terminal / client hostname take part.
    $logon.principal.hostname != ""
    $client_host = $logon.principal.hostname
    $uid = $logon.principal.user.userid

  match:
    // 15-minute window per user; widen to 30m or 1h if genuine multi-terminal
    // use is common in your landscape, narrow it if the rule is noisy.
    $uid over 15m

  outcome:
    $terminals = array_distinct($client_host)
    $count_of_terminals = count_distinct($client_host)
    // Flat score: any terminal switch inside the window is treated the same.
    $risk_score = 60
    $sap_instance = array_distinct($logon.target.resource.name)

  condition:
    // Two or more distinct terminals / client hostnames for the same user.
    #client_host >= 2
}
sap_security_audit_log_user_created_deleted_or_unlocked
Detects when an SAP user is created, deleted, or unlocked
rule sap_security_audit_log_user_created_deleted_or_unlocked {
  meta:
    author = "Google Cloud Security"
    description = "Detects when an SAP user is created, deleted, or unlocked"
    severity = "Medium"
    tactic = "TA0003"
    technique = "T1136"

  events:
    $sal.metadata.log_type = "SAP_SECURITY_AUDIT"
    // Security Audit Log message ids AU7 / AU8 / AU9 / AUA — the user
    // create / delete / lock / unlock family. Four ids are matched although the
    // description names three actions.
    $sal.additional.fields["msg_1"] = /^AU7$|^AU8$|^AU9$|^AUA$/ nocase
    $actor = $sal.principal.user.userid
    $sap_sid = $sal.target.application
    // Known user-administration accounts are excluded via reference list.
    // NOTE(review): an attacker operating from a compromised admin account is
    // invisible to this rule — keep %sap_admin_users short and reviewed.
    not $actor in %sap_admin_users.user

  match:
    $actor, $sap_sid over 59m

  outcome:
    // Flat score for any user lifecycle change by a non-admin account.
    $risk_score = 75
    $target_sid = array_distinct($sap_sid)
    $system = array_distinct($sal.target.application)
    $instance = array_distinct($sal.target.resource.name)
    $description = array_distinct($sal.metadata.description)
    $terminal = array_distinct($sal.principal.hostname)
    $message_ids = array_distinct($sal.additional.fields["msg_1"])
    // param1_1 is exposed as the affected account, per the outcome naming.
    $target_user = array_distinct($sal.additional.fields["param1_1"])
    $t_code = array_distinct($sal.security_result.detection_fields["slgtc_1"])
    $TXSUBCLSID = array_distinct($sal.security_result.summary)

  condition:
    $sal
}
sap_suspected_data_exfiltration
Detects high-volume data downloads (AUY) from SAP to a local frontend file, potentially indicating exfiltration.
rule sap_suspected_data_exfiltration {
  meta:
    author = "Google Cloud Security"
    description = "Detects high-volume data downloads (AUY) from SAP to a local frontend file, potentially indicating exfiltration."
    severity = "Medium"
    tactic = "TA0010"
    technique = "T1041"

  events:
    // Note: this rule keys on product_name, whereas the sibling SAP rules filter
    // on metadata.log_type — make sure both are populated by your parser.
    $dl.metadata.product_name = "SAP security audit"
    // AUY = download to a frontend file.
    $dl.additional.fields["msg_1"] = "AUY"
    $uid = $dl.principal.user.userid

  match:
    $uid over 5m

  outcome:
    // Number of download events in the window, counted via product_log_id.
    $event_count = count($dl.metadata.product_log_id)
    $report_used = array_distinct($dl.principal.process.file.names)
    $file_paths = array_distinct($dl.additional.fields["param3_1"])
    // Despite the name this is the set of distinct param1_1 values (one per
    // download), not a sum — the "total" has to be added up by the analyst.
    $total_bytes_approx = array_distinct($dl.additional.fields["param1_1"])
    $terminal_ip = array_distinct($dl.principal.ip)
    $system_id = array_distinct($dl.target.application)

  condition:
    // Ten or more downloads by one user within five minutes.
    $dl and $event_count >= 10
}
suspicious_download_via_certutil_exe
Detects the execution of certutil with certain flags that allow the utility to download files
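rule suspicious_download_via_certutil_exe {
  meta:
    author = "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)"
    description = "Detects the execution of certutil with certain flags that allow the utility to download files"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Suspicious Download Via Certutil.EXE"
    sigma_uuid = "19b08b1c-861d-4e75-a1ef-ea0c1baf202b"
    sigma_status = "test"
    // Meta key is rule_id, as in every other rule in this pack (was mis-keyed as "le_id").
    rule_id = "mr_e9ec6964-4883-47b8-a6b3-2ece9962a813"
    tactic = "TA0005"
    technique = "T1027"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Medium"
    priority = "Medium"
    false_positives = "Unknown"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // certutil by image path, or by the second path field — presumably the
    // OriginalFileName mapping, which also catches a renamed binary.
    (
      re.regex($process.target.process.file.full_path, `\\certutil\.exe$`) nocase or
      $process.src.process.file.full_path = "certutil.exe" nocase
    )
    // The two switches that make certutil fetch a remote resource.
    (
      strings.contains(strings.to_lower($process.target.process.command_line), "urlcache ") or
      strings.contains(strings.to_lower($process.target.process.command_line), "verifyctl ")
    )
    // Require a URL scheme in the command line (matches http and https).
    strings.contains(strings.to_lower($process.target.process.command_line), "http")
    $process.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    // Tuning hook: user "user" on host "hostname" scores 0, everything else 15.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    // Parent (principal) and child (target) process context for triage.
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
ttp_windows_w3wp_launching_encoded_powershell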
Detects on the execution of an encoded powershell command with a parent process of w3wp.exe.
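rule ttp_windows_w3wp_launching_encoded_powershell {
  meta:
    author = "Google Cloud Security"
    rule_name = "W3WP Launching Encoded Powershell"
    description = "Detects on the execution of an encoded powershell command with a parent process of w3wp.exe."
    severity = "Medium"
    tactic = "TA0002"
    technique = "T1059.001"
    false_positives = "Legitimate administrative actions to the specified URL should be rare. Some penetration testing activity could trigger this rule. In some cases, specific third party applications could generate similar requests, but this should be rare."
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-49706, https://research.eye.security/sharepoint-under-siege/"
    rule_id = "mr_83daf64e-25e8-4b6b-8596-3adcc694e781"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Parent is the IIS worker process — web-shell / deserialization follow-on
    // activity runs from here (see the SharePoint reference).
    re.regex($e.principal.process.file.full_path, `(^|\\)w3wp\.exe$`) nocase
    // Site-specific allowlist: one maintenance script and two known encoded
    // payloads. NOTE(review): these are environment specific; a reference list
    // is easier to maintain than literals baked into the rule.
    not re.regex($e.target.process.command_line, `\\Scripts\\CheckDiskSpace\.ps1'`) nocase
    not re.regex($e.target.process.command_line, `DQAKACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAHQAbwBwACcADQAKAFsAdgBlAHIAcwBpAG8AbgBdACQAbQBpAG4AaQBtAHUAbQBWAGUAcgBzAGkAbwBuACAAPQAgACcAMgAuADIALgAwACcADQAKAA0ACgAkAG0AIAA9ACAASQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEEAegAuAEEAYwBjAG8AdQBuAHQAcwAg`) nocase
    not re.regex($e.target.process.command_line, `EncodedCommand JABQAG8AaQBuAHQAZQBlAFIAZQBzAG8AdQByAGMAZQBOAGEAbQBlACAAPQAgACcAVgBEAFAAUgB`) nocase
    // powershell.exe/pwsh accept any unambiguous prefix of -EncodedCommand and
    // also document the short form -ec. Every spelling from -e through
    // -encodedcommand plus -ec is enumerated so that "-ec" (very common in
    // tooling) is not missed. The switch must be followed by whitespace.
    (
      (
        // Direct child is pwsh/powershell with an encoded-command switch...
        re.regex($e.target.process.file.full_path, `(^|\\)(pwsh|powershell)\.exe$`) nocase and
        re.regex($e.target.process.command_line, `\s-e(c|n|nc|nco|ncod|ncode|ncoded|ncodedc|ncodedco|ncodedcom|ncodedcomm|ncodedcomma|ncodedcomman|ncodedcommand)?\s`) nocase
      ) or
      // ...or the switch follows a powershell/pwsh token anywhere in the command
      // line (e.g. launched via cmd.exe /c powershell ...).
      re.regex($e.target.process.command_line, `(pwsh|powershell).*\s-e(c|n|nc|nco|ncod|ncode|ncoded|ncodedc|ncodedco|ncodedcom|ncodedcomm|ncodedcomma|ncodedcomman|ncodedcommand)?\s`) nocase
    )

  outcome:
    // No match section: every qualifying launch is its own detection.
    $principal_hostname = $e.principal.hostname
    $risk_score = 65
    $vendor_name = array($e.metadata.vendor_name)
    $product_name = $e.metadata.product_name
    $victim_uid = $e.principal.asset.asset_id
    $victim_name = $e.principal.asset.hostname
    $victim_netid = array($e.principal.ip)
    $adversary_uid = $e.principal.user.userid
    $adversary_name = $e.principal.user.user_display_name
    $adversary_netid = $e.principal.user.windows_sid
    // $tmp1 is 2 when the action is neither BLOCK nor UNKNOWN_ACTION, $tmp2 is 1
    // when it is BLOCK; the sum indexes the result label list below
    // (0 attempted, 1 failed, 2 succeeded).
    $tmp1 = max(
      if($e.security_result.action != "BLOCK" and $e.security_result.action != "UNKNOWN_ACTION", 2)
    )
    $tmp2 = max(
      if($e.security_result.action = "BLOCK", 1)
    )
    $result = arrays.index_to_str(strings.split("attempted,failed,succeeded,succeeded"), $tmp1 + $tmp2)
    $result_time = $e.metadata.event_timestamp.seconds
    $event_count = 1

  condition:
    $e
}
windows_event_log_cleared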
Detects the clearing of event logs within the Windows Event Viewer.
rule windows_event_log_cleared {
  meta:
    author = "Google Cloud Security"
    description = "Detects the clearing of event logs within the Windows Event Viewer. "
    rule_id = "mr_067f3ee9-9bc6-400d-9ba5-bebe7253482f"
    rule_name = "Windows Event Log Cleared"
    type = "alert"
    data_source = "microsoft sysmon, microsoft windows events"
    platform = "Windows"
    tactic = "TA0005"
    technique = "T1070.001"
    severity = "Medium"
    priority = "Medium"

  events:
    // Three independent signals are OR-ed; any one of them qualifies the
    // event, and qualifying events are then grouped per host (see match).
    (
      // 1. A native "audit log wiped" event from Microsoft telemetry.
      $process.metadata.event_type = "SYSTEM_AUDIT_LOG_WIPE" and
      $process.metadata.vendor_name = "Microsoft"
    )
    or
    (
      // 2. wevtutil clearing one of the three primary logs. The command line
      // pattern is deliberately limited to system/application/security and can
      // be widened if more channels should be covered.
      // NOTE(review): ".*cl.*" is loose - "cl" may also occur inside a channel
      // or path name after "wevtutil"; tighten to `\s(cl|clear-log)\s` if noisy.
      $process.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($process.target.process.command_line, `wevtutil.*cl.*(system|application|security)`) nocase
    )
    or
    (
      // 3. PowerShell status events whose description names the
      // Clear-EventLog or Remove-EventLog cmdlet.
      $process.metadata.event_type = "STATUS_UPDATE" and
      $process.metadata.vendor_name = "Microsoft" and
      $process.metadata.product_name = "PowerShell" and
      re.regex($process.security_result.description, `(Remove|Clear)-EventLog`) nocase
    )
    // Match variable: one alert per host per window.
    $process.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $risk_score = 65
    $event_count = count_distinct($process.metadata.id)
    $process_description = array_distinct($process.metadata.description)
    // Context for the alert graph. principal.hostname is already the match
    // variable, so it is intentionally not repeated; uncomment it if the match
    // variable changes.
    //$principal_hostname = array_distinct($process.principal.hostname)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // Launching (parent) process.
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    // Launched (child) process.
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)

  condition:
    $process
}AWS EFS File System Deleted
Identifies the deletion of an Amazon EFS file system using the "DeleteFileSystem" API operation. Deleting an EFS file
system permanently removes all stored data and cannot be reversed. This action is rare in most environments and
typically limited to controlled teardown workflows. Adversaries with sufficient permissions may delete a file system to
destroy evidence, disrupt workloads, or impede recovery efforts.
AWS RDS DB Instance or Cluster Deleted
Identifies the deletion of an Amazon RDS DB instance, Aurora cluster, or global database cluster. Deleting these
resources permanently destroys stored data and can cause major service disruption. Adversaries with sufficient
permissions may delete RDS resources to impede recovery, destroy evidence, or inflict operational impact on the
environment.
Auditd Login Attempt at Forbidden Time
Identifies that a login attempt occurred at a forbidden time.
Auditd Max Failed Login Attempts
Identifies that the maximum number of failed login attempts has been reached for a user.
Auditd Max Login Sessions
Identifies that the maximum number of login sessions has been reached for a user.
Deprecated - M365 Security Compliance Unusual Volume of File Deletion
Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.
Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected
This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum
allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID
greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
Deprecated - Potential curl CVE-2023-38545 Exploitation
Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction
with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow
during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be
executed with and without the use of environment variables. For increased visibility, enable the collection of
http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of
this rule.
FortiGate SOCKS Traffic from an Unusual Process
This detection correlates FortiGate's application control SOCKS events with Elastic Defend network events to identify the
source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems
or act as an intermediary for network communications to a command and control server to avoid direct connections to their
infrastructure.
FortiGate SSL VPN Login Followed by SIEM Alert by User
Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a
short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise
used from a VPN session, or initial access via VPN followed by post-compromise behavior.
GitHub Repository Deleted
This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component
used within an organization to manage work, collaborate with others and release products to the public. Any delete
action against a repository should be investigated to determine its validity. Unauthorized deletion of organization
repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
IRC (Internet Relay Chat) Protocol Activity to the Internet
This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol
that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and
data transfers to and from a network.
Kubernetes Exposed Service Created With Type NodePort
This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to
externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster
that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod
through the service representing it. A malicious user can configure a service as type NodePort in order to intercept
traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers
within a cluster. This creates a direct method of communication between the cluster and the outside world, which could
be used for more malicious behavior and certainly widens the attack surface of your cluster.
Message-of-the-Day (MOTD) File Creation
This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the
day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial
connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These
scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create
malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a
backdoor script or command.
PANW and Elastic Defend - Command and Control Correlation
This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
the source process performing the network activity.
Potential Account Takeover - Logon from New Source IP
Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different
source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover
or use of stolen credentials from a new location.
Potential Account Takeover - Mixed Logon Types
Identifies a user account (often a service account) that normally logs in with high volume using one logon type
suddenly showing successful logons using a different logon type with low count. This pattern may indicate account
takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service
was expected).
Process Injection - Prevented - Elastic Endgame
Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in
the rule.reference column for additional information.
Suspicious Activity Reported by Okta User
Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can
help security teams identify when an adversary is attempting to gain access to their network.
Unusual Parent Process for cmd.exe
Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.
Unusual Print Spooler Child Process
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege
escalation vulnerabilities related to the Printing Service on Windows.
aws_console_login_without_mfa
Detect when a user logs into AWS console without MFA.
rule aws_console_login_without_mfa {
  meta:
    author = "Google Cloud Security"
    description = "Detect when a user logs into AWS console without MFA."
    rule_id = "mr_b03d1e57-7ed0-49e7-b125-6c18b364ae8c"
    rule_name = "AWS Console Login Without MFA"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "Low"
    priority = "Low"

  events:
    // Successful CloudTrail ConsoleLogin events ...
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_event_type = "ConsoleLogin"
    $login.metadata.vendor_name = "AMAZON"
    $login.metadata.product_name = "AWS CloudTrail"
    $login.security_result.action = "ALLOW"
    // ... where CloudTrail recorded that no MFA was presented.
    // NOTE(review): federated / assumed-role console sessions can report
    // "MFAUsed: No" even when the identity provider enforced MFA; expect to
    // tune on principal.resource.type for those identities.
    $login.extensions.auth.auth_details = "MFAUsed: No"
    // Grouped per AWS account.
    $login.additional.fields["recipientAccountId"] = $account_id

  match:
    $account_id over 1h

  outcome:
    // Baseline 35; a root-account login without MFA is weighted much higher.
    $risk_score = max(
      35 +
      if($login.principal.resource.type = "Root", 50)
    )
    $mitre_attack_tactic = "Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $mitre_attack_technique_id = "T1078.004"
    $event_count = count_distinct($login.metadata.id)
    // Who logged in.
    $target_user_userid = array_distinct($login.target.user.userid)
    $target_user_display_name = array_distinct($login.target.user.user_display_name)
    $target_resource_name = array_distinct($login.target.resource.name)
    $target_resource_product_object_id = array_distinct($login.target.resource.product_object_id)
    $is_mfa_used = array_distinct($login.extensions.auth.auth_details)
    // Where from.
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    $network_http_user_agent = array_distinct($login.network.http.user_agent)

  condition:
    $login
}aws_privilege_escalation_using_iam_access_key
Detect when a user creates a new access key for another user and escalates privileges using this newly created access key from the same IP.
rule aws_privilege_escalation_using_iam_access_key {
  meta:
    author = "Google Cloud Security"
    description = "Detect when a user creates a new access key for another user and escalates privileges using this newly created access key from the same IP."
    rule_id = "mr_a28c56ea-b5e6-4e23-8cb8-f306587b832b"
    rule_name = "AWS Privilege Escalation Using IAM Access Key"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Cloud Account"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1136/003/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "Low"
    priority = "Low"

  events:
    // Event 1 ($accesskey): a successful CreateAccessKey whose target is a
    // different user than the caller.
    $accesskey.metadata.vendor_name = "AMAZON"
    $accesskey.metadata.product_name = "AWS CloudTrail"
    $accesskey.metadata.product_event_type = "CreateAccessKey"
    $accesskey.security_result.action = "ALLOW"
    $accesskey.principal.user.user_display_name != $accesskey.target.user.userid
    // The creator is the match variable; the key owner is bound but not
    // otherwise used in this rule.
    $accesskey.principal.user.userid = $p_userid
    $accesskey.target.user.userid = $t_userid

    // Event 2 ($privesc): a later CloudTrail call authenticated with that
    // exact key id, from the same source IP as the creation.
    $privesc.metadata.vendor_name = "AMAZON"
    $privesc.metadata.product_name = "AWS CloudTrail"
    $privesc.principal.ip = $accesskey.principal.ip
    $privesc.additional.fields["accessKeyId"] = $accesskey.target.resource.product_object_id
    $privesc.metadata.event_timestamp.seconds > $accesskey.metadata.event_timestamp.seconds
    // NOTE(review): $privesc is not narrowed to any API name or to allowed
    // calls, so in practice this fires on the first use of the new key from
    // that IP; $product_event_types below shows what was actually called.

  match:
    $p_userid over 1h

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Cloud Account"
    $mitre_attack_technique_id = "T1136.003"
    $event_count = count_distinct($privesc.metadata.id)
    // What was done with the key.
    $product_event_types = array_distinct($privesc.metadata.product_event_type)
    $target_resource_name = array_distinct($privesc.target.resource.name)
    $target_resource_product_object_id = array_distinct($privesc.target.resource.product_object_id)
    // Who did it and from where.
    $principal_user_display_name = array_distinct($privesc.principal.user.user_display_name)
    $dc_principal_user_display_name = count_distinct($privesc.principal.user.user_display_name)
    $is_mfa_used = array_distinct($privesc.principal.user.attribute.labels["mfaAuthenticated"])
    $principal_ip = array_distinct($privesc.principal.ip)
    $principal_ip_country = array_distinct($privesc.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($privesc.principal.ip_geo_artifact.location.state)
    $network_http_user_agent = array_distinct($privesc.network.http.user_agent)

  condition:
    $accesskey and $privesc
}aws_privilege_escalation_using_iam_login_profile
Detect when a user creates or updates a login profile for another user and escalates privileges using this new user from the same IP.
rule aws_privilege_escalation_using_iam_login_profile {
  meta:
    author = "Google Cloud Security"
    description = "Detect when a user creates or updates a login profile for another user and escalates privileges using this new user from the same IP."
    rule_id = "mr_b0d13079-dbe7-4c19-a8e9-23f98655a29b"
    rule_name = "AWS Privilege Escalation Using IAM Login Profile"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Cloud Account"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1136/003/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "Low"
    priority = "Low"

  events:
    // Event 1 ($profile): a successful CreateLoginProfile / UpdateLoginProfile
    // issued for a user other than the caller.
    $profile.metadata.vendor_name = "AMAZON"
    $profile.metadata.product_name = "AWS CloudTrail"
    $profile.metadata.product_event_type = "CreateLoginProfile" or $profile.metadata.product_event_type = "UpdateLoginProfile"
    $profile.security_result.action = "ALLOW"
    $profile.principal.user.user_display_name != $profile.target.user.userid
    // The caller is the match variable; the profile's owner is bound but not
    // otherwise used in this rule.
    $profile.principal.user.userid = $p_userid
    $profile.target.user.userid = $t_userid

    // Event 2 ($login): a later successful console login by the user whose
    // profile was just (re)set, from the same source IP.
    $login.metadata.vendor_name = "AMAZON"
    $login.metadata.product_name = "AWS CloudTrail"
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_event_type = "ConsoleLogin"
    $login.security_result.action = "ALLOW"
    $login.target.user.user_display_name = $profile.target.user.userid
    $login.principal.ip = $profile.principal.ip
    $login.metadata.event_timestamp.seconds > $profile.metadata.event_timestamp.seconds

  match:
    $p_userid over 1h

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Cloud Account"
    $mitre_attack_technique_id = "T1136.003"
    $event_count = count_distinct($login.metadata.id)
    // The login side of the pair.
    $target_resource_name = array_distinct($login.target.resource.name)
    $target_resource_product_object_id = array_distinct($login.target.resource.product_object_id)
    $principal_user_display_name = array_distinct($login.principal.user.user_display_name)
    $dc_principal_user_display_name = count_distinct($login.principal.user.user_display_name)
    $is_mfa_used = array_distinct($login.principal.user.attribute.labels["mfaAuthenticated"])
    // Where from.
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    $network_http_user_agent = array_distinct($login.network.http.user_agent)

  condition:
    $profile and $login
}entra_id_login_activity_to_uncommon_mscloud_apps
This rule detects Azure AD login activity to apps other than a defined list of first party MS Cloud Apps. Note that Azure Active Directory PowerShell and custom Azure apps are not in this list by default
rule entra_id_login_activity_to_uncommon_mscloud_apps {
  meta:
    author = "Google Cloud Security"
    description = "This rule detects Azure AD login activity to apps other than a defined list of first party MS Cloud Apps. Note that Azure Active Directory PowerShell and custom Azure apps are not in this list by default"
    assumption = "The lists first_party_ms_cloud_apps is populated and tuned as needed"
    rule_id = "mr_1a39c017-9045-48d4-928d-096511edf3cc"
    rule_name = "Entra ID Login Activity to Uncommon MS Cloud Apps"
    tactic = "TA0001"
    technique = "T1078.004"
    reference = "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in"
    type = "alert"
    platform = "azure"
    data_source = "azure ad"
    severity = "Low"
    priority = "Low"

  events:
    // Successful Azure AD / Entra ID sign-ins ...
    $login.metadata.vendor_name = "Microsoft"
    $login.metadata.product_name = "Azure AD"
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "ALLOW"
    // ... to any application whose App Id is not on the tuned reference list.
    not $login.target.resource.attribute.labels["App Id"] in %first_party_ms_cloud_apps
    // The AD <-> Azure directory sync account signs in every 30 minutes; it is
    // excluded here by display name. Matching on userid or email instead is a
    // sturdier filter - uncomment and fill in the line below to do that.
    //$login.target.user.userid = "insert your userid here"
    $login.target.user.user_display_name != "On-Premises Directory Synchronization Service Account"
    // Match variable.
    $login.target.user.userid = $userid

  match:
    $userid over 5m

  outcome:
    $risk_score = 35
    $event_count = count_distinct($login.metadata.id)
    // Which application was signed into.
    $target_application = array_distinct($login.target.application)
    // NOTE(review): "traget" is a typo in this outcome name; it is kept as-is
    // because downstream consumers may already reference the field.
    $traget_application_guid = array_distinct($login.target.resource.attribute.labels["App Id"])
    // Sign-in details and approximate origin.
    $security_summary = array_distinct($login.security_result.summary)
    $security_description = array_distinct($login.security_result.description)
    $country_region_login_attempt = array_distinct(strings.concat($login.principal.location.city," ",$login.principal.location.state," ",$login.principal.location.country_or_region))
    // target.user.userid is the match variable and is not repeated as an outcome.
    //$target_user_userid = array_distinct($login.target.user.userid)

  condition:
    $login
}github_repository_archived_or_deleted
Detects when a GitHub repository is archived or deleted.
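rule github_repository_archived_or_deleted {
  meta:
    author = "Google Cloud Security"
    description = "Detects when a GitHub repository is archived or deleted."
    rule_id = "mr_8c515a63-1e2e-4f9e-9150-93302b813315"
    rule_name = "GitHub Repository Archived Or Deleted"
    assumption = "Your GitHub enterprise audit log settings are configured to log the source IP address for events. Reference: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization"
    type = "alert"
    severity = "Low"
    priority = "Low"
    platform = "GitHub"
    data_source = "github"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "Data Destruction"
    mitre_attack_url = "https://attack.mitre.org/versions/v14/techniques/T1485/"
    mitre_attack_version = "v14"
    reference = "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise"

  events:
    // Vendor and product are both compared case-insensitively; previously only
    // vendor_name had nocase, so a parser emitting "GitHub" rather than
    // "GITHUB" in product_name would have silently disabled the rule.
    $github.metadata.vendor_name = "GITHUB" nocase
    $github.metadata.product_name = "GITHUB" nocase
    // The two audit-log actions of interest.
    (
      $github.metadata.product_event_type = "repo.archived" or
      $github.metadata.product_event_type = "repo.destroy"
    )
    // Match variables: actor and repository.
    $github.principal.user.userid = $user_id
    $github.target.resource.name = $github_repo_name

  match:
    $user_id, $github_repo_name over 30m

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Impact"
    $mitre_attack_technique = "Data Destruction"
    $mitre_attack_technique_id = "T1485"
    $event_count = count_distinct($github.metadata.id)
    $security_result_summary = array_distinct($github.security_result.summary)
    // Actor and source location (IP fields depend on the audit-log setting
    // named in the assumption above).
    $principal_user_userid = array_distinct($github.principal.user.userid)
    $principal_ip = array_distinct($github.principal.ip)
    $principal_ip_country = array_distinct($github.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($github.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($github.principal.location.city)

  condition:
    $github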
}local_accounts_discovery
Local accounts, System Owner/User discovery using operating systems utilities
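rule local_accounts_discovery {
  meta:
    author = "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community"
    description = "Local accounts, System Owner/User discovery using operating systems utilities"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Local Accounts Discovery"
    sigma_uuid = "502b42de-4306-40b4-9596-6f590c81f073"
    sigma_status = "test"
    rule_id = "mr_3a6b5c72-8126-4f43-a4ac-9c8bbac7fa72"
    tactic = "TA0007"
    technique = "T1033"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Low"
    priority = "Low"
    false_positives = "Legitimate administrator or user enumerates local users for legitimate reason"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    (
      // 1. cmd.exe /c dir ...\Users\... - listing profile folders (rmdir excluded).
      (
        re.regex($process.target.process.file.full_path, `\\cmd\.exe$`) nocase and
        strings.contains(strings.to_lower($process.target.process.command_line), " /c") and
        strings.contains(strings.to_lower($process.target.process.command_line), "dir ") and
        strings.contains(strings.to_lower($process.target.process.command_line), "\\users\\") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), " rmdir ")
      )
      or
      // 2. net.exe / net1.exe "user" queries, excluding the switches that
      // modify accounts rather than enumerate them.
      // The two image checks are grouped explicitly: "and" binds tighter than
      // "or", so without these parentheses the net.exe branch stood alone and
      // every net.exe launch matched regardless of its command line.
      (
        (
          re.regex($process.target.process.file.full_path, `\\net\.exe$`) nocase or
          re.regex($process.target.process.file.full_path, `\\net1\.exe$`) nocase
        ) and
        strings.contains(strings.to_lower($process.target.process.command_line), "user") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/domain") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/add") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/delete") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/active") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/expires") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/passwordreq") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/scriptpath") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/times") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/workstations")
      )
      or
      // 3. Built-in identity/session enumerators, plus "wmic useraccount get"
      // and "cmdkey /l".
      (
        re.regex($process.target.process.file.full_path, `\\whoami\.exe$`) nocase or
        re.regex($process.target.process.file.full_path, `\\quser\.exe$`) nocase or
        re.regex($process.target.process.file.full_path, `\\qwinsta\.exe$`) nocase or
        (
          re.regex($process.target.process.file.full_path, `\\wmic\.exe$`) nocase and
          strings.contains(strings.to_lower($process.target.process.command_line), "useraccount") and
          strings.contains(strings.to_lower($process.target.process.command_line), "get")
        ) or
        (
          re.regex($process.target.process.file.full_path, `\\cmdkey\.exe$`) nocase and
          strings.contains(strings.to_lower($process.target.process.command_line), " /l")
        )
      )
    )
    // Match variable: one detection per host per window.
    $process.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    // Example of per-user/per-host tuning: the named test user on the named
    // host scores 0, everything else 15.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    // Context for the alert graph. Outcome names are kept verbatim (including
    // the "specfic" spelling) because they are the detection's output fields.
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process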
}mitre_attack_T1021_002_windows_admin_share_basic
Detect the use of net use for SMB/Windows admin shares
rule mitre_attack_T1021_002_windows_admin_share_basic {
  meta:
    author = "Google Cloud Security"
    description = "Detect the use of net use for SMB/Windows admin shares"
    rule_id = "mr_ceadd402-7315-4462-9716-8b41a6329bdd"
    rule_name = "MITRE ATT&CK T1021.002 Windows Admin Share Basic"
    tactic = "TA0008"
    technique = "T1021.002"
    type = "alert"
    platform = "Windows"
    data_source = "microsoft sysmon, microsoft windows events"
    severity = "Low"
    priority = "Low"

  events:
    // Process launches whose command line looks like "net use ... <share>$"
    // for the C$, ADMIN$ or IPC$ administrative shares. The function form is
    // equivalent to the "= /regex/ nocase" shorthand.
    // NOTE(review): only those three share names are covered; other
    // drive-letter admin shares (D$, E$, ...) are not matched.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($process.target.process.command_line, `net.*use.*(C|ADMIN|IPC)\$`) nocase

  outcome:
    $risk_score = 35
    // Context for the alert graph. Single-event rule, so plain fields rather
    // than arrays.
    $principal_hostname = $process.principal.hostname
    $principal_user_userid = $process.principal.user.userid
    // Launching (parent) process.
    $principal_process_pid = $process.principal.process.pid
    $principal_process_command_line = $process.principal.process.command_line
    $principal_process_file_sha256 = $process.principal.process.file.sha256
    $principal_process_file_full_path = $process.principal.process.file.full_path
    $principal_process_product_specific_process_id = $process.principal.process.product_specific_process_id
    $principal_process_parent_process_product_specific_process_id = $process.principal.process.parent_process.product_specific_process_id
    // Launched (child) process.
    $target_process_pid = $process.target.process.pid
    $target_process_command_line = $process.target.process.command_line
    $target_process_file_sha256 = $process.target.process.file.sha256
    $target_process_file_full_path = $process.target.process.file.full_path
    $target_process_product_specific_process_id = $process.target.process.product_specific_process_id

  condition:
    $process
}mitre_attack_T1021_002_windows_admin_share_with_asset_entity
Net use commands for SMB/Windows admin shares based on asset entity group
rule mitre_attack_T1021_002_windows_admin_share_with_asset_entity {
  meta:
    author = "Google Cloud Security"
    description = "Net use commands for SMB/Windows admin shares based on asset entity group"
    rule_id = "mr_7b7fbe57-12a8-4254-ad73-b9e9024cbc8a"
    rule_name = "MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity"
    tactic = "TA0008"
    technique = "T1021.002"
    type = "alert"
    tags = "asset entity"
    platform = "Windows"
    assumption = "Assumes ingestion of Windows assets to entity graph"
    data_source = "microsoft sysmon, microsoft windows events"
    severity = "Low"
    priority = "Low"

  events:
    // Process launches that look like "net use" against C$, ADMIN$ or IPC$.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($process.target.process.command_line, `net.*use.*(C|ADMIN|IPC)\$`) nocase
    // Join key: the source host's IP ...
    $process.principal.ip = $ip
    // ... looked up in the entity graph as a Windows asset in the
    // "Domain Computers" group. Change or drop the group filter to refocus
    // the rule on other populations.
    $asset.graph.metadata.entity_type = "ASSET"
    $asset.graph.metadata.source_type = "ENTITY_CONTEXT"
    $asset.graph.entity.ip = $ip
    $asset.graph.entity.asset.platform_software.platform = "WINDOWS"
    $asset.graph.relations.entity.group.group_display_name = "Domain Computers"

  match:
    $ip over 5m

  outcome:
    $risk_score = 35
    $event_count = count_distinct($process.metadata.id)
    // Context for the alert graph. principal.ip is already the match
    // variable, so principal.hostname is left out; uncomment it if the match
    // variable changes.
    //$principal_hostname = array_distinct($process.principal.hostname)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // Launching (parent) process.
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    // Launched (child) process.
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)

  condition:
    $process and $asset
}mitre_attack_T1021_002_windows_admin_share_with_user_enrichment
Net use commands for SMB/Windows admin shares focused on UDM enriched user fields
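rule mitre_attack_T1021_002_windows_admin_share_with_user_enrichment {
  meta:
    author = "Google Cloud Security"
    description = "Net use commands for SMB/Windows admin shares focused on UDM enriched user fields"
    rule_id = "mr_57f52ed2-c7e2-4c8d-b308-2a3238986e98"
    rule_name = "MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment"
    tactic = "TA0008"
    technique = "T1021.002"
    type = "alert"
    tags = "user enrichment"
    platform = "Windows"
    data_source = "microsoft sysmon, microsoft windows events"
    severity = "Low"
    priority = "Low"

  events:
    // Process launches that look like "net use" against C$, ADMIN$ or IPC$.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.target.process.command_line = /net.*use.*(C|ADMIN|IPC)\$/ nocase
    // Match variable.
    $process.principal.user.userid = $userid
    /* Enriched UDM fields from assets & users can often be used without needing to
       join to entity graph for these fields, assuming assets and users are being ingested */
    // Grouped explicitly so the "or" applies only to the two user attributes:
    // "and" binds tighter than "or", so an ungrouped "x or y" on its own lines
    // risks being read as "(everything above and x) or y", i.e. any process
    // launch by an Intern.
    // NOTE(review): "!=" is also satisfied when department is absent from the
    // event (no enrichment), so unenriched users will match - confirm.
    (
      $process.principal.user.department != "Information Technology" or
      $process.principal.user.title = "Intern"
    )

  match:
    $userid over 5m

  outcome:
    $risk_score = 35
    $event_count = count_distinct($process.metadata.id)
    // Context for the alert graph.
    $principal_hostname = array_distinct($process.principal.hostname)
    // Launching (parent) process.
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    // Launched (child) process.
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    // principal.user.userid is already the match variable, so it is not
    // repeated here; uncomment it if the match variable changes.
    //$principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    $process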
}mitre_attack_T1021_002_windows_admin_share_with_user_entity
Net use commands for SMB/Windows admin shares focused on specific user entity characteristics
rule mitre_attack_T1021_002_windows_admin_share_with_user_entity {
// Flags `net use` connections to Windows admin shares (C$, ADMIN$, IPC$) where the
// launching user, joined against the user entity graph, is a member of "Domain Admins".
// Unlike the "user enrichment" variant, the user attributes come from the entity context
// rather than from the event, so user entities must be ingested for the rule to fire.
meta:
author = "Google Cloud Security"
description = "Net use commands for SMB/Windows admin shares focused on specific user entity characteristics"
rule_id = "mr_18cff6cc-0d2d-4b83-9424-c854c84c4241"
rule_name = "MITRE ATT&CK T1021.002 Windows Admin Share With User Entity"
tactic = "TA0008"
technique = "T1021.002"
type = "alert"
tags = "user entity"
platform = "Windows"
assumption = "Assumes ingestion of Windows users to entity graph"
data_source = "microsoft sysmon, microsoft windows events"
severity = "Low"
priority = "Low"
events:
$process.metadata.event_type = "PROCESS_LAUNCH"
// Case-insensitive match on the launched command line; `\$` is a literal dollar sign.
$process.target.process.command_line = /net.*use.*(C|ADMIN|IPC)\$/ nocase
$process.principal.user.userid = $userid
// Correlate with user entity data: the event's user id must equal the entity's user id,
// and only USER entities from the entity context are considered.
$user.graph.entity.user.userid = $userid
$user.graph.metadata.entity_type = "USER"
$user.graph.metadata.source_type = "ENTITY_CONTEXT"
/* Following two lines are used for exercise #4 in rules workshop, comment out if you want to
demonstrate the same logic to run based on group */
//$user.graph.entity.user.department != "Information Technology" or
//$user.graph.entity.user.title = "Intern"
// Can be modified to focus rule on different groups or removed if not needed.
// `any` is required because relations is a repeated field: the rule fires when at least
// one of the user's group relations is named "Domain Admins" (exact, case-sensitive match).
any $user.graph.relations.entity.group.group_display_name = "Domain Admins"
match:
$userid over 5m
outcome:
$risk_score = 35
$event_count = count_distinct($process.metadata.id)
// added to populate alert graph with additional context
$principal_hostname = array_distinct($process.principal.hostname)
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
// Commented out principal.user.userid because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$principal_user_userid = array_distinct($process.principal.user.userid)
condition:
// Both the process event and a matching user entity are required.
$process and $user
}o365_file_download
Detects file downloads using O365 or Graph Activity logs, not including anonymous file links
rule o365_file_download {
// Hunt rule: surfaces file downloads seen either as Office 365 "FileDownloaded" audit
// events (excluding anonymous-link users) or as Microsoft Graph Activity HTTP GETs that
// returned a 302, grouped per source IP over 5 minutes. Intended to be narrowed further
// (see the `assumption` meta and the commented-out filters below) before use at scale.
meta:
author = "Google Cloud Security"
description = "Detects file downloads using O365 or Graph Activity logs, not including anonymous file links"
rule_id = "mr_0dfb4338-4b4c-4af1-82da-fd5221d611a0"
rule_name = "Hunt for Non-Anonymous Office 365 file downloads"
assumption = "Because file downloads occur all the time, additional criteria to narrow this rule is expected. Areas to filter include user agent, specific users, IPs, applications and folders or items in the directory structure."
tactic = "TA0010"
technique = "T1048.002"
type = "hunt"
platform = "azure"
data_source = "o365, ms graph activity logs"
severity = "Low"
priority = "Low"
events:
// Branch 1: Office 365 unified audit log "FileDownloaded" events.
(
$file.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT" and
$file.metadata.product_event_type = "FileDownloaded" and
$file.metadata.product_name = "Office 365" and
$file.metadata.vendor_name = "Microsoft" and
//This could be modified to specify downloading only through specific applications
//$file.target.application = "OneDrive" and
//Add folder or docs of interest to monitor for downloads like this - focus in example is pdf in R&D folder - could also use a list
//re.regex($file.src.url, `^https://.*sharepoint.com/sites/.*/R&D/.*\.pdf$`) nocase and
// Drop downloads performed through anonymous sharing links (SharePoint anonymous
// principals appear as `urn:spo:anon#...` or the literal "anonymous").
NOT (
$file.principal.user.userid = /^urn:spo:anon#/ or
$file.principal.user.userid = "anonymous"
)
)
or
// Branch 2: Microsoft Graph Activity logs. Any GET answered with a 302 is matched here;
// the anonymous-user exclusion above does not apply to this branch.
// NOTE(review): without the commented-out URL filter below this branch is broader than
// "file downloads" (it includes any redirected GET) -- confirm that is acceptable for the hunt.
(
$file.metadata.event_type = "NETWORK_HTTP" and
$file.metadata.product_event_type = "Microsoft Graph Activity" and
$file.network.http.method = "GET" and
$file.network.http.response_code = 302 //and
//Could modify this to focus on a specific UA string or a UA strings not commonly used in environment
//$file.network.http.user_agent = /PowerShell/ nocase
//Could tighten to specify drives or items using an example like this
//re.regex($file.target.url, `^https://graph.microsoft.com/.*/drives/.*/content$`) nocase
)
// Applies to both branches: group results by the client IP.
$file.principal.ip = $ip
match:
$ip over 5m
outcome:
$risk_score = 35
$event_count = count_distinct($file.metadata.id)
$referral_url = array_distinct($file.network.http.referral_url)
$user_agent = array_distinct($file.network.http.user_agent)
$principal_application = array_distinct($file.principal.application)
$principal_ip = array_distinct($file.principal.ip)
$target_application = array_distinct($file.target.application)
// Optional; the field reference needs the `$file.` event prefix if re-enabled.
//$principal_user_email_address = array_distinct($file.principal.user.email_addresses)
$principal_user_userid = array_distinct($file.principal.user.userid)
$src_file_full_path = array_distinct($file.src.file.full_path)
$src_url = array_distinct($file.src.url)
$session = array_distinct($file.network.session_id)
$location = array_distinct($file.principal.location.name)
$target_resource_guid = array_distinct($file.target.resource.product_object_id)
$target_url = array_distinct($file.target.url)
condition:
$file
}okta_user_login_out_of_hours
Detects successful out-of-hours authentication.
rule okta_user_login_out_of_hours {
// Alerts on successful (ALLOW) Okta logins that occur on a Saturday or Sunday (UTC),
// grouped per target user email over 1 hour. The time-of-day check only influences the
// risk score; it does not by itself cause the rule to fire.
meta:
author = "Google Cloud Security"
description = "Detects out of hours successful authentication."
rule_id = "mr_36840037-a41c-47d0-b0eb-4096f28855e1"
rule_name = "Okta User Login Out Of Hours"
reference = "https://support.okta.com/help/s/article/User-Signin-and-Recovery-Events-in-the-Okta-System-Log"
mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
mitre_attack_technique = "Valid Accounts"
mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
mitre_attack_version = "v13.1"
type = "Alert"
data_source = "Okta"
severity = "Low"
priority = "Low"
events:
$login.metadata.product_name = "Okta"
$login.metadata.vendor_name = "Okta"
$login.metadata.event_type = "USER_LOGIN"
$login.target.user.email_addresses = $user
// Only successful logins are considered.
$login.security_result.action = "ALLOW"
$login.metadata.event_timestamp.seconds = $timestamp
// Weekend-only filter: day-of-week numbering here is 1 = Sunday ... 7 = Saturday.
// NOTE(review): weekday logins at night never match this section, even though the
// outcome below scores night-time hours -- confirm whether weekday out-of-hours
// logins should also be detected. The "UTC" zone should be adjusted to the business
// time zone of the tenant being monitored.
(
01 = timestamp.get_day_of_week($timestamp, "UTC") or //Sunday
07 = timestamp.get_day_of_week($timestamp, "UTC") //Saturday
)
match:
$user over 1h
outcome:
// Highest score across the events in the match window: weekend day contribution plus
// 50 when the login hour (UTC) is 00-07 or 21-23.
$risk_score = max(
if (01 = timestamp.get_day_of_week($timestamp, "UTC"), 10) +
if (07 = timestamp.get_day_of_week($timestamp, "UTC"), 15) +
if ( ( timestamp.get_hour($timestamp, "UTC") >= 0 and timestamp.get_hour($timestamp,"UTC")<= 7) or timestamp.get_hour($timestamp,"UTC") > 20, 50)
)
$mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
$mitre_attack_technique = "Valid Accounts"
// Context for the alert graph: where the login came from and which identities were involved.
$principal_ip = array_distinct($login.principal.ip)
$principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
$principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
$principal_ip_city = array_distinct($login.principal.location.city)
$security_result_summary = array_distinct($login.security_result.summary)
$principal_user_managers_email_addresses = array_distinct($login.principal.user.managers.email_addresses)
$principal_user_userid = array_distinct($login.principal.user.userid)
$dc_principal_user_userid = count_distinct($login.principal.user.userid)
$target_user_email_addresses = array_distinct($login.target.user.email_addresses)
$target_user_userid = array_distinct($login.target.user.userid)
$target_user_agent = array_distinct($login.network.http.user_agent)
$security_result_description = array_distinct($login.security_result.description)
condition:
$login
}port_proxy_forwarding_T1090_cisa_report
Detects port forwarding being enabled via the netsh command, and registry settings created or modified in support of portproxy v4tov4
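rule port_proxy_forwarding_T1090_cisa_report {
// Hunt rule: surfaces Windows port-proxy forwarding (`netsh interface portproxy add v4tov4`)
// either from the launched command line or from the registry key that netsh writes when
// a portproxy entry is added, grouped per host over 5 minutes.
meta:
author = "Google Cloud Security"
description = "Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4"
rule_id = "mr_4c6f2d66-ed6f-4dda-bd2f-7c545898468b"
rule_name = "MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report"
type = "hunt"
platform = "Windows"
data_source = "microsoft sysmon, windows event log"
tactic = "TA0011"
technique = "T1090"
reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
severity = "Low"
priority = "Low"
events:
// Branch 1: the netsh command itself.
(
$process.metadata.event_type = "PROCESS_LAUNCH" and
// cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as needed.
// The empty alternative in `(|cmd.*/c)` makes the `cmd /c` prefix optional, so the
// pattern effectively matches any command line containing the netsh portproxy add sequence.
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*add.*v4tov4`) nocase
// For greater precision to align with the report, comment out the above line and uncomment the below line to incorporate exact ports referenced
//re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*add.*v4tov4.*port\=(9999|50100).*port\=(8443|1433)`) nocase
)
or
// Branch 2: the registry footprint left by the command.
(
// Looks for the actual registry creation or modification that would accompany portproxy command executing
(
$process.metadata.event_type = "REGISTRY_CREATION" or
$process.metadata.event_type = "REGISTRY_MODIFICATION"
) and
// Registry paths are case-insensitive on Windows and the hive spelling (e.g. HKLM vs
// HKEY_LOCAL_MACHINE) can differ between log sources, so the former exact string match
// could miss events for the same key. Match the path case-insensitively, without pinning
// the hive prefix, so that the key itself and anything logged beneath it are both covered.
re.regex($process.target.registry.registry_key, `\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4`) nocase
)
// Applies to both branches: group results by the host the event came from.
$process.principal.hostname = $hostname
match:
$hostname over 5m
outcome:
$risk_score = 35
$event_count = count_distinct($process.metadata.id)
// added to populate alert graph with additional context
// Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$principal_hostname = array_distinct($process.principal.hostname)
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($process.principal.user.userid)
condition:
$process
}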