diff --git a/Rules/SIGMA/builtin/win_account_backdoor_dcsync_rights.ps1 b/Rules/SIGMA/builtin/win_account_backdoor_dcsync_rights.ps1
index b37ddcd1..0f4634f7 100644
--- a/Rules/SIGMA/builtin/win_account_backdoor_dcsync_rights.ps1
+++ b/Rules/SIGMA/builtin/win_account_backdoor_dcsync_rights.ps1
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_account_backdoor_dcsync_rights"; + $detectedMessage = "backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using PowerviewAdd-DomainObjectAcl DCSync"; $result = $event | where { ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*ntSecurityDescriptor" -and ($_.message -match "AttributeValue.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "AttributeValue.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "AttributeValue.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
diff --git a/Rules/SIGMA/builtin/win_account_discovery.ps1 b/Rules/SIGMA/builtin/win_account_discovery.ps1
index 6fc72353..02800ce0 100644
--- a/Rules/SIGMA/builtin/win_account_discovery.ps1
+++ b/Rules/SIGMA/builtin/win_account_discovery.ps1
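Review bot: The added `$detectedMessage` reads `PowerviewAdd-DomainObjectAcl` and is missing the space between tool and cmdlet, `using PowerView Add-DomainObjectAcl DCSync`. More importantly, the `where` clause on the following context line tests `$_.message` for XML data names such as `AttributeLDAPDisplayName` and `AttributeValue`; if `message` is the rendered event text those names do not appear in it and the rule can never fire, so please confirm against a captured 5136 record that `message` carries the raw field names rather than the localized labels. The filter itself is pre-existing and the enclosing inner function continues outside the hunk.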
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_account_discovery"; + $detectedMessage = "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs"; $result = $event | where { (($_.ID -eq "4661" -and ($_.message -match "SAM_USER" -or $_.message -match "SAM_GROUP")) -and (($_.message -match "ObjectName.*.*-512" -or $_.message -match "ObjectName.*.*-502" -or $_.message -match "ObjectName.*.*-500" -or $_.message -match "ObjectName.*.*-505" -or $_.message -match "ObjectName.*.*-519" -or $_.message -match "ObjectName.*.*-520" -or $_.message -match "ObjectName.*.*-544" -or $_.message -match "ObjectName.*.*-551" -or $_.message -match "ObjectName.*.*-555") -or ($_.message -match "ObjectName.*.*admin.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
diff --git a/Rules/SIGMA/builtin/win_ad_object_writedac_access.ps1 b/Rules/SIGMA/builtin/win_ad_object_writedac_access.ps1
index 55d9fef8..377a8d5f 100644
--- a/Rules/SIGMA/builtin/win_ad_object_writedac_access.ps1
+++ b/Rules/SIGMA/builtin/win_ad_object_writedac_access.ps1
@@ -12,7 +12,9 @@ function Add-Rule { $event ) - $result = $event | where {($_.ID -eq "4662" -and $_.message -match "ObjectServer.*DS" -and $_.message -match "AccessMask.*0x40000" -and ($_.message -match "19195a5b-6da0-11d0-afd3-00c04fd930c9" -or $_.message -match "domainDNS")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message; + $ruleName = "win_ad_object_writedac_access"; + $detectedMessage = "Detects WRITE_DAC access to a domain object"; + $result = $event | where { ($_.ID -eq "4662" -and $_.message -match "ObjectServer.*DS" -and $_.message -match "AccessMask.*0x40000" -and ($_.message -match "19195a5b-6da0-11d0-afd3-00c04fd930c9" -or $_.message -match "domainDNS")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host Write-Host "Detected! RuleName:$ruleName";
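Review bot: The SID-suffix patterns in the `where` clause of `win_account_discovery`, e.g. `ObjectName.*.*-512`, are unanchored on the right, so `-512` also accepts any SID whose last sub-authority merely starts with 512 (`-5120`, `-5123`, …), and the same holds for `-500`, `-502` and the rest; a trailing word boundary keeps them exact, `$_.message -match "ObjectName.*-512\b"`. The doubled `.*.*` in every pattern is a no-op and can be collapsed to a single `.*`. The `ObjectName.*.*admin.*` alternative matches the substring anywhere after the field name, which looks broader than the privileged-group intent, though I cannot tell from the hunk what the 4661 text looks like.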
diff --git a/Rules/SIGMA/builtin/win_ad_replication_non_machine_account.ps1 b/Rules/SIGMA/builtin/win_ad_replication_non_machine_account.ps1
index 9fb6cc53..616d42b0 100644
--- a/Rules/SIGMA/builtin/win_ad_replication_non_machine_account.ps1
+++ b/Rules/SIGMA/builtin/win_ad_replication_non_machine_account.ps1
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_ad_replication_non_machine_account"; + $detectedMessage = "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials."; $result = $event | where { (($_.ID -eq "4662" -and $_.message -match "AccessMask.*0x100" -and ($_.message -match "Properties.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) -and -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
diff --git a/Rules/SIGMA/builtin/win_ad_user_enumeration.ps1 b/Rules/SIGMA/builtin/win_ad_user_enumeration.ps1
index 0c8e3a06..bb01224d 100644
--- a/Rules/SIGMA/builtin/win_ad_user_enumeration.ps1
+++ b/Rules/SIGMA/builtin/win_ad_user_enumeration.ps1
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_ad_user_enumeration"; + $detectedMessage = "Detects access to a domain user from a non-machine account"; $result = $event | where { (($_.ID -eq "4662" -and ($_.message -match "ObjectType.*.*bf967aba-0de6-11d0-a285-00aa003049e2.*")) -and -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
diff --git a/Rules/SIGMA/builtin/win_admin_rdp_login.ps1 b/Rules/SIGMA/builtin/win_admin_rdp_login.ps1
index 415dfead..117353ae 100644
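Review bot: In the machine-account exclusion `-not ($_.message -match "SubjectUserName.*.*$" ...)` the trailing `$` is a regex end-of-input anchor, not a literal dollar sign, and because `.` does not cross newlines the pattern only matches when the SubjectUserName line is the last line of the message; on a multi-line 4662 message the exclusion therefore most likely never applies and machine accounts (normal DC replication) are reported. Escape it so the literal suffix is tested, `$_.message -match "SubjectUserName.*\$"` (PowerShell leaves `\$` untouched inside a double-quoted string). The same unescaped `$` is in `win_ad_user_enumeration` below, in `ShareName.*Admin$` and the exclusion of `win_admin_share_access`, and in `ShareName.*\\.*\\IPC$` of `win_atsvc_task`, where it likely stops the rule from matching at all. These filters are pre-existing context; only the two assignments are new.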
--- a/Rules/SIGMA/builtin/win_admin_rdp_login.ps1
+++ b/Rules/SIGMA/builtin/win_admin_rdp_login.ps1
@@ -12,7 +12,9 @@ function Add-Rule { $event ) - $result = $event | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and $_.message -match "AuthenticationPackageName.*Negotiate" -and $_.message -match "TargetUserName.*Admin.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message; + $ruleName = "win_admin_rdp_login"; + $detectedMessage = "Detect remote login by Administrator user (depending on internal pattern)."; + $result = $event | where { ($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and $_.message -match "AuthenticationPackageName.*Negotiate" -and $_.message -match "TargetUserName.*Admin.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host Write-Host "Detected! RuleName:$ruleName";
diff --git a/Rules/SIGMA/builtin/win_admin_share_access.ps1 b/Rules/SIGMA/builtin/win_admin_share_access.ps1
index f2d0a463..1223daab 100644
--- a/Rules/SIGMA/builtin/win_admin_share_access.ps1
+++ b/Rules/SIGMA/builtin/win_admin_share_access.ps1
@@ -12,7 +12,9 @@ function Add-Rule { $event ) - $result = $event | where {(($_.ID -eq "5140" -and $_.message -match "ShareName.*Admin$") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message; + $ruleName = "win_admin_share_access"; + $detectedMessage = "Detects access to $ADMIN share"; + $result = $event | where { (($_.ID -eq "5140" -and $_.message -match "ShareName.*Admin$") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host Write-Host "Detected! RuleName:$ruleName";
diff --git a/Rules/SIGMA/builtin/win_alert_active_directory_user_control.ps1 b/Rules/SIGMA/builtin/win_alert_active_directory_user_control.ps1
index 38aec240..add30d97 100644
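Review bot: The added `$detectedMessage = "Detects access to $ADMIN share"` in `win_admin_share_access` is a double-quoted string, so `$ADMIN` is expanded as a variable and the message will read `Detects access to  share` (or error under Set-StrictMode) unless a variable of that name happens to exist; use single quotes or a backtick, `$detectedMessage = 'Detects access to $ADMIN share'`. The filter on the rewritten line has the mirror problem: in `ShareName.*Admin$` the `$` acts as a regex end-of-input anchor rather than the literal `$` of the share name, so the share is matched only when that line ends the message; `ShareName.*Admin\$` tests the literal character.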
--- a/Rules/SIGMA/builtin/win_alert_active_directory_user_control.ps1
+++ b/Rules/SIGMA/builtin/win_alert_active_directory_user_control.ps1
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_alert_active_directory_user_control"; + $detectedMessage = "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects."; $result = $event | where { ($_.ID -eq "4704" -and ($_.message -match ".*SeEnableDelegationPrivilege.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
diff --git a/Rules/SIGMA/builtin/win_alert_ad_user_backdoors.ps1 b/Rules/SIGMA/builtin/win_alert_ad_user_backdoors.ps1
index 40e8c4a1..f23057a2 100644
--- a/Rules/SIGMA/builtin/win_alert_ad_user_backdoors.ps1
+++ b/Rules/SIGMA/builtin/win_alert_ad_user_backdoors.ps1
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_alert_ad_user_backdoors"; + $detectedMessage = "Detects scenarios where one can control another users or computers account without having to use their credentials."; $result = $event | where { (((((($_.ID -eq "4738" -and -not ($_.message -match "AllowedToDelegateTo.*-")) ) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToDelegateTo")) -or ($_.ID -eq "5136" -and $_.message -match "ObjectClass.*user" -and $_.message -match "AttributeLDAPDisplayName.*servicePrincipalName")) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToActOnBehalfOfOtherIdentity"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
diff --git a/Rules/SIGMA/builtin/win_alert_enable_weak_encryption.ps1 b/Rules/SIGMA/builtin/win_alert_enable_weak_encryption.ps1
index ff417e39..93117405 100644
--- a/Rules/SIGMA/builtin/win_alert_enable_weak_encryption.ps1
+++ b/Rules/SIGMA/builtin/win_alert_enable_weak_encryption.ps1
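Review bot: In `win_alert_ad_user_backdoors` the 4738 branch `-not ($_.message -match "AllowedToDelegateTo.*-")` excludes any event whose AllowedToDelegateTo line contains a hyphen anywhere, not only the `-` placeholder that means the field is unchanged; a target SPN such as `cifs/file-srv01` would be dropped and the delegation change missed. If the placeholder is what is meant, anchor it to the value, something like `$_.message -match "(?m)AllowedToDelegateTo.*\s-\s*$"`, or compare the parsed XML field instead of the rendered text. This branch is pre-existing; only the two assignments are new in the hunk.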
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_alert_enable_weak_encryption"; + $detectedMessage = "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking."; $result = $event | where { ($_.ID -eq "4738" -and ($_.message -match ".*DES.*" -or $_.message -match ".*Preauth.*" -or $_.message -match ".*Encrypted.*") -and ($_.message -match ".*Enabled.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
diff --git a/Rules/SIGMA/builtin/win_alert_lsass_access.ps1 b/Rules/SIGMA/builtin/win_alert_lsass_access.ps1
index 37fe46c6..38b4527c 100644
--- a/Rules/SIGMA/builtin/win_alert_lsass_access.ps1
+++ b/Rules/SIGMA/builtin/win_alert_lsass_access.ps1
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_alert_lsass_access"; + $detectedMessage = "Detects Access to LSASS Process"; $result = $event | where { ($_.ID -eq "1121" -and $_.message -match "Path.*.*\\lsass.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
diff --git a/Rules/SIGMA/builtin/win_alert_mimikatz_keywords.ps1 b/Rules/SIGMA/builtin/win_alert_mimikatz_keywords.ps1
index 957624de..a37caec7 100644
--- a/Rules/SIGMA/builtin/win_alert_mimikatz_keywords.ps1
+++ b/Rules/SIGMA/builtin/win_alert_mimikatz_keywords.ps1
@@ -12,7 +12,9 @@ function Add-Rule { $event ) - $result = $event | where {($_.message -match ".*mimikatz.*" -or $_.message -match ".*mimilib.*" -or $_.message -match ".*<3 eo.oe.*" -or $_.message -match ".*eo.oe.kiwi.*" -or $_.message -match ".*privilege::debug.*" -or $_.message -match ".*sekurlsa::logonpasswords.*" -or $_.message -match ".*lsadump::sam.*" -or $_.message -match ".*mimidrv.sys.*" -or $_.message -match ".* p::d .*" -or $_.message -match ".* s::l .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message; + $ruleName = "win_alert_mimikatz_keywords"; + $detectedMessage = "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)"; + $result = $event | where { ($_.message -match ".*mimikatz.*" -or $_.message -match ".*mimilib.*" -or $_.message -match ".*<3 eo.oe.*" -or $_.message -match ".*eo.oe.kiwi.*" -or $_.message -match ".*privilege::debug.*" -or $_.message -match ".*sekurlsa::logonpasswords.*" -or $_.message -match ".*lsadump::sam.*" -or $_.message -match ".*mimidrv.sys.*" -or $_.message -match ".* p::d .*" -or $_.message -match ".* s::l .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host Write-Host "Detected! RuleName:$ruleName";
diff --git a/Rules/SIGMA/builtin/win_alert_ruler.ps1 b/Rules/SIGMA/builtin/win_alert_ruler.ps1
index f731ea05..f8a4fdb7 100644
--- a/Rules/SIGMA/builtin/win_alert_ruler.ps1
+++ b/Rules/SIGMA/builtin/win_alert_ruler.ps1
@@ -12,7 +12,9 @@ function Add-Rule { $event ) - $result = $event | where {(((($_.ID -eq "4776") -and $_.message -match "Workstation.*RULER") -or (($_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "WorkstationName.*RULER"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message; + $ruleName = "win_alert_ruler"; + $detectedMessage = "This events that are generated when using the hacktool Ruler by Sensepost"; + $result = $event | where { (((($_.ID -eq "4776") -and $_.message -match "Workstation.*RULER") -or (($_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "WorkstationName.*RULER"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host Write-Host "Detected! RuleName:$ruleName";
diff --git a/Rules/SIGMA/builtin/win_applocker_file_was_not_allowed_to_run.ps1 b/Rules/SIGMA/builtin/win_applocker_file_was_not_allowed_to_run.ps1
index 0086c5b1..af278c25 100644
--- a/Rules/SIGMA/builtin/win_applocker_file_was_not_allowed_to_run.ps1
+++ b/Rules/SIGMA/builtin/win_applocker_file_was_not_allowed_to_run.ps1
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_applocker_file_was_not_allowed_to_run"; + $detectedMessage = "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events."; $result = $event | where { (($_.message -match "Microsoft-Windows-AppLocker/MSI and Script" -or $_.message -match "Microsoft-Windows-AppLocker/EXE and DLL" -or $_.message -match "Microsoft-Windows-AppLocker/Packaged app-Deployment" -or $_.message -match "Microsoft-Windows-AppLocker/Packaged app-Execution") -and ($_.ID -eq "8004" -or $_.ID -eq "8007")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
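Review bot: The `where` clause of `win_applocker_file_was_not_allowed_to_run` matches the AppLocker channel names against `$_.message`, e.g. `$_.message -match "Microsoft-Windows-AppLocker/EXE and DLL"`, but a channel name lives in the record's LogName, not in the event text; unless the message body repeats it, 8004/8007 events will not match and the rule never fires. The WELA AppLocker rules in this same commit filter with `$_.LogName -eq "Microsoft-Windows-AppLocker/EXE and DLL"`, so the four alternatives here should test `$_.LogName` the same way (four `-eq` terms, or a single `$_.LogName -match "^Microsoft-Windows-AppLocker/"`). Only the two assignments are new; the filter is pre-existing context.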
diff --git a/Rules/SIGMA/builtin/win_apt_carbonpaper_turla.ps1 b/Rules/SIGMA/builtin/win_apt_carbonpaper_turla.ps1
index 89204bce..7af00072 100644
--- a/Rules/SIGMA/builtin/win_apt_carbonpaper_turla.ps1
+++ b/Rules/SIGMA/builtin/win_apt_carbonpaper_turla.ps1
@@ -12,7 +12,9 @@ function Add-Rule { $event ) - $result = $event | where {($_.ID -eq "7045" -and ($_.message -match "srservice" -or $_.message -match "ipvpn" -or $_.message -match "hkmsvc")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message; + $ruleName = "win_apt_carbonpaper_turla"; + $detectedMessage = "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET"; + $result = $event | where { ($_.ID -eq "7045" -and ($_.message -match "srservice" -or $_.message -match "ipvpn" -or $_.message -match "hkmsvc")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host Write-Host "Detected! RuleName:$ruleName";
diff --git a/Rules/SIGMA/builtin/win_apt_stonedrill.ps1 b/Rules/SIGMA/builtin/win_apt_stonedrill.ps1
index 4b3981c3..a4b0229b 100644
--- a/Rules/SIGMA/builtin/win_apt_stonedrill.ps1
+++ b/Rules/SIGMA/builtin/win_apt_stonedrill.ps1
@@ -12,7 +12,9 @@ function Add-Rule { $event ) - $result = $event | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*NtsSrv" -and $_.message -Like "* LocalService") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message; + $ruleName = "win_apt_stonedrill"; + $detectedMessage = "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky"; + $result = $event | where { ($_.ID -eq "7045" -and $_.message -match "ServiceName.*NtsSrv" -and $_.message -Like "* LocalService") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host Write-Host "Detected! RuleName:$ruleName";
diff --git a/Rules/SIGMA/builtin/win_apt_turla_service_png.ps1 b/Rules/SIGMA/builtin/win_apt_turla_service_png.ps1
index 46cce5ee..ce01d238 100644
--- a/Rules/SIGMA/builtin/win_apt_turla_service_png.ps1
+++ b/Rules/SIGMA/builtin/win_apt_turla_service_png.ps1
@@ -12,7 +12,9 @@ function Add-Rule { $event ) - $result = $event | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*WerFaultSvc") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message; + $ruleName = "win_apt_turla_service_png"; + $detectedMessage = "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018"; + $result = $event | where { ($_.ID -eq "7045" -and $_.message -match "ServiceName.*WerFaultSvc") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host Write-Host "Detected! RuleName:$ruleName";
diff --git a/Rules/SIGMA/builtin/win_arbitrary_shell_execution_via_settingcontent.ps1 b/Rules/SIGMA/builtin/win_arbitrary_shell_execution_via_settingcontent.ps1
index a4ef318d..a169a784 100644
--- a/Rules/SIGMA/builtin/win_arbitrary_shell_execution_via_settingcontent.ps1
+++ b/Rules/SIGMA/builtin/win_arbitrary_shell_execution_via_settingcontent.ps1
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_arbitrary_shell_execution_via_settingcontent"; + $detectedMessage = "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create ""shortcuts"" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries."; $result = $event | where { ($_.message -match "CommandLine.*.*.SettingContent-ms.*" -and -not (($_.message -match "FilePath.*.*immersivecontrolpanel.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
diff --git a/Rules/SIGMA/builtin/win_atsvc_task.ps1 b/Rules/SIGMA/builtin/win_atsvc_task.ps1
index 6e9019c6..eb607bd6 100644
--- a/Rules/SIGMA/builtin/win_atsvc_task.ps1
+++ b/Rules/SIGMA/builtin/win_atsvc_task.ps1
@@ -12,6 +12,8 @@ function Add-Rule { $event ) + $ruleName = "win_atsvc_task"; + $detectedMessage = "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe"; $result = $event | where { ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*atsvc" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host
diff --git a/Rules/SIGMA/builtin/win_audit_cve.ps1 b/Rules/SIGMA/builtin/win_audit_cve.ps1
index 4c1c4553..e9bd0859 100644
--- a/Rules/SIGMA/builtin/win_audit_cve.ps1
+++ b/Rules/SIGMA/builtin/win_audit_cve.ps1
@@ -12,7 +12,9 @@ function Add-Rule { $event ) - $result = $event | where {($_.message -match "Source.*Microsoft-Windows-Audit-CVE") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message; + $ruleName = "win_audit_cve"; + $detectedMessage = "Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)"; + $result = $event | where { ($_.message -match "Source.*Microsoft-Windows-Audit-CVE") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message; if ($result.Count -ne 0) { Write-Host Write-Host "Detected! RuleName:$ruleName";
diff --git a/Rules/WELA-Rules/Application/2-EMETBlocked.ps1 b/Rules/WELA-Rules/Application/2-EMETBlocked.ps1
index 117009be..6c6138ca 100644
--- a/Rules/WELA-Rules/Application/2-EMETBlocked.ps1
+++ b/Rules/WELA-Rules/Application/2-EMETBlocked.ps1
@@ -10,7 +10,8 @@ function Add-Rule { $event ) $target = $event | where { $_.ID -eq 2 -and $_.LogName -eq "Application" } - + $ruleName = "2-EMETBlocked"; + $detectedMessage = "detected EMET blocked on DeepBlueCLI Rule"; foreach ($record in $target) { if ($record.message) { $array = $event.message -split '\n' # Split each line of the message into an array
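Review bot: In `2-EMETBlocked.ps1`, inside `foreach ($record in $target)`, the context line `$array = $event.message -split '\n'` splits the message of the whole `$event` collection rather than of the current record, so `$username = Remove-Spaces($array[4])` in the next hunk describes the wrong event whenever more than one record is passed in; change it to `$array = $record.message -split '\n'`. This is the same `$event`/`$record` mix-up the commit fixes in `4673-IndicativeOfMimikatz.ps1`. The loop body continues in the following hunk.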
@@ -19,7 +20,7 @@ function Add-Rule { $command = $application -Replace "^Application: ", "" $username = Remove-Spaces($array[4]) $result = "$text`n" - $reuslt += "command: $command`n" + $result += "command: $command`n" $result += "$username`n" Write-Host Write-Host "Detected! RuleName:$ruleName";
diff --git a/Rules/WELA-Rules/Applocker/8003-ApplockerWarning.ps1 b/Rules/WELA-Rules/Applocker/8003-ApplockerWarning.ps1
index 0355d5d4..3234b758 100644
--- a/Rules/WELA-Rules/Applocker/8003-ApplockerWarning.ps1
+++ b/Rules/WELA-Rules/Applocker/8003-ApplockerWarning.ps1
@@ -9,6 +9,8 @@ function Add-Rule { param ( $event ) + $ruleName = "8003-ApplockerWarning"; + $detectedMessage = "detected Applocker warning on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 8003 -and $_.LogName -eq "Microsoft-Windows-AppLocker/EXE and DLL" } if ($target) {
@@ -17,7 +19,6 @@ function Add-Rule { Write-Host $detectedMessage; } foreach ($record in $target) { - $result = $record.message Write-host $result } };
diff --git a/Rules/WELA-Rules/Applocker/8004-ApplockerBlock.ps1 b/Rules/WELA-Rules/Applocker/8004-ApplockerBlock.ps1
index d2b5fd76..197bb39d 100644
--- a/Rules/WELA-Rules/Applocker/8004-ApplockerBlock.ps1
+++ b/Rules/WELA-Rules/Applocker/8004-ApplockerBlock.ps1
@@ -9,6 +9,8 @@ function Add-Rule { param ( $event ) + $ruleName = "8004-ApplockerBlock"; + $detectedMessage = "detected Applocker block on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 8004 -and $_.LogName -eq "Microsoft-Windows-AppLocker/EXE and DLL" } if ($target) {
@@ -17,7 +19,6 @@ function Add-Rule { Write-Host $detectedMessage; } foreach ($record in $target) { - $result = $record.message Write-host $result } };
diff --git a/Rules/WELA-Rules/PowerShell/4103-PowerShellExecute.ps1 b/Rules/WELA-Rules/PowerShell/4103-PowerShellExecute.ps1
index 7a913e41..8d0829fb 100644
--- a/Rules/WELA-Rules/PowerShell/4103-PowerShellExecute.ps1
+++ b/Rules/WELA-Rules/PowerShell/4103-PowerShellExecute.ps1
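Review bot: In the second hunk of `8003-ApplockerWarning.ps1`, removing `$result = $record.message` from `foreach ($record in $target)` leaves `Write-host $result` with nothing assigning `$result` per record, so the loop now prints an empty line (or a stale value from an enclosing scope) for every matching event instead of its message. Unless `$result` is set somewhere above line 17, which the hunk does not show, restore the assignment or write the record directly, `Write-Host $record.message`. The identical removal is made in `8004-ApplockerBlock.ps1` in this commit and has the same effect.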
@@ -9,6 +9,8 @@ function Add-Rule { param ( $event ) + $ruleName = "4103-PowerShellExecute"; + $detectedMessage = "detected PowerShell execute on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 4103 -and $_.LogName -eq "Microsoft-Windows-PowerShell" } foreach ($record in $target) {
@@ -20,7 +22,7 @@ function Add-Rule { # Remove every line after the "Host Application = " line. $commandline = $commandline -Replace "(?ms)`n.*$", "" if ($commandline) { - $obj = Create-Obj -event $record + $obj = Create-Obj -event $record $result = Check-Command -EventID 4103 -commandline $commandline -obj $obj Write-Host Write-Host "Detected! RuleName:$ruleName";
diff --git a/Rules/WELA-Rules/PowerShell/4104-PowerShellScriptBlockCreate.ps1 b/Rules/WELA-Rules/PowerShell/4104-PowerShellScriptBlockCreate.ps1
index bf0d9114..ecdf8fc7 100644
--- a/Rules/WELA-Rules/PowerShell/4104-PowerShellScriptBlockCreate.ps1
+++ b/Rules/WELA-Rules/PowerShell/4104-PowerShellScriptBlockCreate.ps1
@@ -9,6 +9,8 @@ function Add-Rule { param ( $event ) + $ruleName = "4104-PowerShellScriptBlockCreate"; + $detectedMessage = "detected PowerShell script block created on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 4104 -and $_.LogName -eq "Microsoft-Windows-PowerShell" } foreach ($record in $target) {
diff --git a/Rules/WELA-Rules/Security/1102-AuditLogFileClear.ps1 b/Rules/WELA-Rules/Security/1102-AuditLogFileClear.ps1
index 05a63aef..b1a99d3c 100644
--- a/Rules/WELA-Rules/Security/1102-AuditLogFileClear.ps1
+++ b/Rules/WELA-Rules/Security/1102-AuditLogFileClear.ps1
@@ -1,14 +1,15 @@  function Add-Rule { $ruleName = "1102_AuditLogFileClear"; - $detectedMessage = "The Audit log was cleared on DeepBlueCLI Rule"; - + $detectRule = { function Search-DetectableEvents { param ( $event ) + $ruleName = "1102_AuditLogFileClear"; + $detectedMessage = "The Audit log was cleared on DeepBlueCLI Rule"; $target = $event | where { $_.LogName -eq "Security" -and $event.id -eq 1102 } if ($target) {
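Review bot: In `1102-AuditLogFileClear.ps1` the filter `where { $_.LogName -eq "Security" -and $event.id -eq 1102 }` tests `$event.id` (the whole input collection) instead of `$_.id` (the record being filtered); when `$event` holds several records, `$event.id -eq 1102` member-enumerates into an array of matches and is truthy as soon as any record in the batch has ID 1102, so every Security record is then selected. Use `$_.id -eq 1102`, as the SIGMA rules and the other WELA rules already do with `$_.ID`. The same `$event.id` pattern is present in `4625-FailedLogonAndPasswordSpray.ps1`, `4625_4648-PassSprayAttack.ps1`, `4673-IndicativeOfMimikatz.ps1` (whose `ToXml()` call this commit fixes in exactly this way), `4674-HiddenServiceAttempt.ps1` (also `$event.message`) and `4728_4732_4756-AddedUserAdministratorsGroup.ps1`. Separately, `$ruleName` is now assigned both in `Add-Rule` and again inside `Search-DetectableEvents` with the same literal; if the inner copy is required because `$detectRule` runs in another scope, a short comment saying so would stop the next reader from "deduplicating" it, and the two strings should be kept from drifting apart.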
diff --git a/Rules/WELA-Rules/Security/4625-FailedLogonAndPasswordSpray.ps1 b/Rules/WELA-Rules/Security/4625-FailedLogonAndPasswordSpray.ps1
index f2642ff0..fc35ce59 100644
--- a/Rules/WELA-Rules/Security/4625-FailedLogonAndPasswordSpray.ps1
+++ b/Rules/WELA-Rules/Security/4625-FailedLogonAndPasswordSpray.ps1
@@ -10,6 +10,8 @@ function Add-Rule { $event ) $maxfailedlogons = 5 + $ruleName = "4625_FailedLogonAndPasswordSpray"; + $detectedMessage = "High number of logon failures for one /multi account on DeepBlueCLI Rule"; $target = $event | where { $_.LogName -eq "Security" -and ($event.id -eq 4625) } if ($target) {
diff --git a/Rules/WELA-Rules/Security/4625_4648-PassSprayAttack.ps1 b/Rules/WELA-Rules/Security/4625_4648-PassSprayAttack.ps1
index 2c9e8d43..7a5a260f 100644
--- a/Rules/WELA-Rules/Security/4625_4648-PassSprayAttack.ps1
+++ b/Rules/WELA-Rules/Security/4625_4648-PassSprayAttack.ps1
@@ -10,6 +10,8 @@ function Add-Rule { $event ) + $ruleName = "4625_4648-PassSprayAttack"; + $detectedMessage = "Distributed Account Explicit Credential Use (Password Spray Attack) in timeframe on WELA"; $target = $event | where { $_.LogName -eq "Security" -and ($event.id -eq 4648 -or $event.id -eq 4625) } $PasswordGuessDetection = @{ FirstDetect = $null ; Count = 0 }
diff --git a/Rules/WELA-Rules/Security/4672-AdminAccountAccessAllAlerts.ps1 b/Rules/WELA-Rules/Security/4672-AdminAccountAccessAllAlerts.ps1
index f8c14d65..931a26ff 100644
--- a/Rules/WELA-Rules/Security/4672-AdminAccountAccessAllAlerts.ps1
+++ b/Rules/WELA-Rules/Security/4672-AdminAccountAccessAllAlerts.ps1
@@ -9,6 +9,8 @@ function Add-Rule { param ( $event ) + $ruleName = "4672-AdminAccountAccessAllAlerts"; + $detectedMessage = "Logon with SeDebugPrivilege (admin access)`nSpecial privileges assgned to new logons on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 4672 -and $_.LogName -eq "Security" -and $_.message -Match "SeDebugPrivilege" } $multipleadminlogons = @{}
diff --git a/Rules/WELA-Rules/Security/4673-IndicativeOfMimikatz.ps1 b/Rules/WELA-Rules/Security/4673-IndicativeOfMimikatz.ps1
index 1c0f2abb..4afd8282 100644
--- a/Rules/WELA-Rules/Security/4673-IndicativeOfMimikatz.ps1
+++ b/Rules/WELA-Rules/Security/4673-IndicativeOfMimikatz.ps1
@@ -10,12 +10,14 @@ function Add-Rule { $event ) + $ruleName = "4673_IndicativeOfMimikatz"; + $detectedMessage = "Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made on DeepBlueCLI Rule"; $target = $event | where { $_.LogName -eq "Security" -and ($event.id -eq 4673) } $maxtotalsensprivuse = 4 $resultoutput = @{} foreach ($record in $target) { - $eventXML = [xml]$event.ToXml(); + $eventXML = [xml]$record.ToXml(); $username = $eventXML.Event.EventData.Data[1]."#text" $domainname = $eventXML.Event.EventData.Data[2]."#text" $key = "$username\\$domainname"
diff --git a/Rules/WELA-Rules/Security/4674-HiddenServiceAttempt.ps1 b/Rules/WELA-Rules/Security/4674-HiddenServiceAttempt.ps1
index 0da3ea1c..2a9b3161 100644
--- a/Rules/WELA-Rules/Security/4674-HiddenServiceAttempt.ps1
+++ b/Rules/WELA-Rules/Security/4674-HiddenServiceAttempt.ps1
@@ -10,6 +10,8 @@ function Add-Rule { $event ) + $ruleName = "4674_HiddenServiceAttempt"; + $detectedMessage = "User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view on DeepBlueCLI Rule"; $target = $event | where { $_.LogName -eq "Security" -and ($event.id -eq 4674 -and $event.message -match "C:\WINDOWS\SYSTEM32\SERVICES.EXE" -and $event.message -match "write_dac") } if ($target) { Write-Host
diff --git a/Rules/WELA-Rules/Security/4688-ProcessCreate.ps1 b/Rules/WELA-Rules/Security/4688-ProcessCreate.ps1
index 7977dc44..cf5fec08 100644
--- a/Rules/WELA-Rules/Security/4688-ProcessCreate.ps1
+++ b/Rules/WELA-Rules/Security/4688-ProcessCreate.ps1
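Review bot: In `4674-HiddenServiceAttempt.ps1` the path test `$event.message -match "C:\WINDOWS\SYSTEM32\SERVICES.EXE"` passes a Windows path straight in as a regex, where `\W`, `\S` and `\S` are character classes; it matches only by coincidence (`\W` happens to accept a backslash) and would silently break on any edit. Escape it, `$event.message -match [regex]::Escape("C:\WINDOWS\SYSTEM32\SERVICES.EXE")`, or use `-like "*C:\WINDOWS\SYSTEM32\SERVICES.EXE*"`. Both `-match` calls here also read `$event.message` rather than `$_.message`, which on a multi-record input evaluates against the whole batch instead of the record being filtered. Only the two assignments are new in this hunk; the filter is pre-existing.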
@@ -10,6 +10,8 @@ function Add-Rule { param ( $event ) + $ruleName = "4688-ProcessCreate"; + $detectedMessage = "detected ProcessCreate on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 4668 -and $_.LogName -eq "Security" } foreach ($record in $target) {
diff --git a/Rules/WELA-Rules/Security/4720-UserAccountCreate.ps1 b/Rules/WELA-Rules/Security/4720-UserAccountCreate.ps1
index 65a7a51c..eafd9acc 100644
--- a/Rules/WELA-Rules/Security/4720-UserAccountCreate.ps1
+++ b/Rules/WELA-Rules/Security/4720-UserAccountCreate.ps1
@@ -9,6 +9,9 @@ function Add-Rule { param ( $event ) + + $ruleName = "4720-UserAccountCreate"; + $detectedMessage = "User account create on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 4720 -and $_.LogName -eq "Security" } if ($target) {
diff --git a/Rules/WELA-Rules/Security/4728_4732_4756-AddedUserAdministratorsGroup.ps1 b/Rules/WELA-Rules/Security/4728_4732_4756-AddedUserAdministratorsGroup.ps1
index 0773dd3c..61cf7673 100644
--- a/Rules/WELA-Rules/Security/4728_4732_4756-AddedUserAdministratorsGroup.ps1
+++ b/Rules/WELA-Rules/Security/4728_4732_4756-AddedUserAdministratorsGroup.ps1
@@ -9,6 +9,9 @@ function Add-Rule { param ( $event ) + + $ruleName = "4728_4732_4756-AddedUserAdministratorsGroup"; + $detectedMessage = "User account added to Administrators group on DeepBlueCLI Rule"; $target = $event | where { $_.LogName -eq "Security" -and ($event.id -eq 4728 -or $event.id -eq 4732 -or $event.id -eq 4756) } if ($target) { foreach ($record in $target) {
diff --git a/Rules/WELA-Rules/Sysmon/1-ProcessCreation.ps1 b/Rules/WELA-Rules/Sysmon/1-ProcessCreation.ps1
index 576404f0..1424dadb 100644
--- a/Rules/WELA-Rules/Sysmon/1-ProcessCreation.ps1
+++ b/Rules/WELA-Rules/Sysmon/1-ProcessCreation.ps1
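Review bot: The filter in `4688-ProcessCreate.ps1` selects `$_.ID -eq 4668`, which does not match the 4688 that the file name and the newly added `$ruleName = "4688-ProcessCreate"` declare; as written the rule never sees a process-creation record and everything in the loop below is dead. The line should read `$target = $event | where { $_.ID -eq 4688 -and $_.LogName -eq "Security" }`. This is pre-existing context the commit leaves untouched while adding the rule name directly above it, which is what makes the mismatch visible.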
@@ -9,6 +9,9 @@ function Add-Rule { param ( $event ) + + $ruleName = "1-ProcessCreation"; + $detectedMessage = "detected Sysmon process creation on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 1 -and $_.LogName -eq "Microsoft-Windows-Sysmon/Operational" } foreach ($record in $target) {
diff --git a/Rules/WELA-Rules/Sysmon/7-UnsignedDLLImage.ps1 b/Rules/WELA-Rules/Sysmon/7-UnsignedDLLImage.ps1
index cb75dc6b..2635956e 100644
--- a/Rules/WELA-Rules/Sysmon/7-UnsignedDLLImage.ps1
+++ b/Rules/WELA-Rules/Sysmon/7-UnsignedDLLImage.ps1
@@ -10,6 +10,9 @@ function Add-Rule { param ( $event ) + + $ruleName = "7-UnsignedDLLImage"; + $detectedMessage = "detected Sysmon Unsigned Image(DLL) on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 7 -and $_.LogName -eq "Microsoft-Windows-Sysmon/Operational" } foreach ($record in $target) {
diff --git a/Rules/WELA-Rules/System/104-SystemLogClear.ps1 b/Rules/WELA-Rules/System/104-SystemLogClear.ps1
index f2c46b2f..f92ec0fe 100644
--- a/Rules/WELA-Rules/System/104-SystemLogClear.ps1
+++ b/Rules/WELA-Rules/System/104-SystemLogClear.ps1
@@ -9,6 +9,9 @@ function Add-Rule { param ( $event ) + + $ruleName = "104-SystemLogClear"; + $detectedMessage = "detected system log cleared on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 104 -and $_.LogName -eq "System" } if ($target) {
diff --git a/Rules/WELA-Rules/System/7030-InteractiveServiceWarning.ps1 b/Rules/WELA-Rules/System/7030-InteractiveServiceWarning.ps1
index e00a4358..f03d0e9d 100644
--- a/Rules/WELA-Rules/System/7030-InteractiveServiceWarning.ps1
+++ b/Rules/WELA-Rules/System/7030-InteractiveServiceWarning.ps1
@@ -9,6 +9,9 @@ function Add-Rule { param ( $event ) + + $ruleName = "7030-InteractiveServiceWarning"; + $detectedMessage = "detected Interactive service warning on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 7030 -and $_.LogName -eq "System" } if ($target) {
diff --git a/Rules/WELA-Rules/System/7036-SuspiciousServiceName.ps1 b/Rules/WELA-Rules/System/7036-SuspiciousServiceName.ps1
index 4343a5fe..a7018172 100644
--- a/Rules/WELA-Rules/System/7036-SuspiciousServiceName.ps1
+++ b/Rules/WELA-Rules/System/7036-SuspiciousServiceName.ps1
@@ -9,6 +9,9 @@ function Add-Rule { param ( $event ) + + $ruleName = "7036-SuspiciousServiceName"; + $detectedMessage = "detected Suspicious Service on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 7036 -and $_.LogName -eq "System" } foreach ($record in $target) {
diff --git a/Rules/WELA-Rules/System/7040-EventLogServiceStopped_Started.ps1 b/Rules/WELA-Rules/System/7040-EventLogServiceStopped_Started.ps1
index a5dfbe73..e8a0d7db 100644
--- a/Rules/WELA-Rules/System/7040-EventLogServiceStopped_Started.ps1
+++ b/Rules/WELA-Rules/System/7040-EventLogServiceStopped_Started.ps1
@@ -8,6 +8,9 @@ function Add-Rule { param ( $event ) + + $ruleName = "7040-EventLogServiceStopped/Started"; + $detectedMessage = "detected event log serice stopped/started on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 7040 -and $_.LogName -match "System" } foreach ($record in $target) { $eventXML = [xml]$record.ToXml();
diff --git a/Rules/WELA-Rules/System/7045-ServiceCreated.ps1 b/Rules/WELA-Rules/System/7045-ServiceCreated.ps1
index baa97c9b..de92aa64 100644
--- a/Rules/WELA-Rules/System/7045-ServiceCreated.ps1
+++ b/Rules/WELA-Rules/System/7045-ServiceCreated.ps1
@@ -9,6 +9,9 @@ function Add-Rule { param ( $event ) + + $ruleName = "7045-ServiceCreated"; + $detectedMessage = "detected Service Create on DeepBlueCLI Rule"; $target = $event | where { $_.ID -eq 7045 -and $_.LogName -eq "System" } foreach ($record in $target) {
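Review bot: The added `$ruleName = "7040-EventLogServiceStopped/Started"` in `7040-EventLogServiceStopped_Started.ps1` does not mirror the file name the way every other rule name in this commit does, and the `/` will be awkward if rule names are ever used as file or key names; `$ruleName = "7040-EventLogServiceStopped_Started"` keeps the convention. The message also has a typo, `serice` for `service`. On the following context line `$_.LogName -match "System"` is a substring match that accepts any channel containing the word, whereas the sibling 7036 and 7045 rules use `$_.LogName -eq "System"`; `-eq` is the safer comparison here.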
@@ -29,6 +32,8 @@ function Add-Rule { # Check for suspicious cmd if ($commandline) { $servicecmd = 1 # CLIs via service creation get extra checks + $ruleName = "7045-ServiceCreated"; + $detectedMessage = "detected Service Create on DeepBlueCLI Rule"; $result = Check-Command -EventID 7045 -servicecmd $servicecmd if ($result) { Write-Host
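Review bot: The two assignments added inside `if ($commandline) {` duplicate, with identical literals, the `$ruleName` and `$detectedMessage` this commit already sets at the top of the same inner function in the file's first hunk, and since PowerShell blocks do not open a new scope those values are already visible here; the second copy only creates another place for the text to drift and should be dropped. If they are intentionally re-set because `Check-Command` or something between the two hunks overwrites them, a one-line comment saying so would spare the next reader the same question. The enclosing `foreach` starts outside this hunk.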