[
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"windows": [
"386",
"amd64"
]
},
"name": "sysmon",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"sysmon_already_installed",
"sysmon_already_started",
"sysmon_config_updated_error",
"sysmon_config_updated_success",
"sysmon_installed_error",
"sysmon_installed_success",
"sysmon_started_error",
"sysmon_started_success",
"sysmon_unexpected_stopped",
"sysmon_unexpected_uninstalled",
"sysmon_uninstalled_error",
"sysmon_uninstalled_success",
"sysmon_updated_error",
"sysmon_updated_success"
],
"fields": [
"reason",
"version"
],
"last_module_update": "2022-10-26 00:00:00",
"last_update": "2022-10-26 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"windows": [
"386",
"amd64"
]
},
"name": "wineventlog",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"wel_module_internal_error",
"wel_module_started",
"wel_module_stopped"
],
"fields": [
"reason"
],
"last_module_update": "2022-10-26 00:00:00",
"last_update": "2022-10-26 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "custom",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "lua_interpreter",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [],
"fields": [],
"last_module_update": "2022-04-29 00:00:00",
"last_update": "2022-04-29 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "syslog",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"send_to_syslog"
],
"events": [
"syslog_module_started",
"syslog_module_stopped"
],
"fields": [],
"last_module_update": "2022-04-29 00:00:00",
"last_update": "2022-04-29 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "file_remover",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"fr_remove_object_file",
"fr_remove_object_proc_image",
"fr_remove_subject_proc_image"
],
"events": [
"fr_module_started",
"fr_module_stopped",
"fr_object_file_removed_failed",
"fr_object_file_removed_successful",
"fr_object_proc_image_removed_failed",
"fr_object_proc_image_removed_successful",
"fr_remove_internal_error",
"fr_subject_proc_image_removed_failed",
"fr_subject_proc_image_removed_successful"
],
"fields": [
"object.fullpath",
"object.process.fullpath",
"reason",
"subject.fullpath",
"subject.process.fullpath"
],
"last_module_update": "2022-04-29 00:00:00",
"last_update": "2022-04-29 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "proc_terminator",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"pt_kill_object_process_by_file_path",
"pt_kill_object_process_by_image",
"pt_kill_object_process_by_name",
"pt_kill_object_process_by_name_and_id",
"pt_kill_object_process_by_image_and_id",
"pt_kill_object_process_tree_by_file_path",
"pt_kill_object_process_tree_by_image",
"pt_kill_object_process_tree_by_name",
"pt_kill_object_process_tree_by_name_and_id",
"pt_kill_object_process_tree_by_image_and_id",
"pt_kill_subject_process_by_image",
"pt_kill_subject_process_by_name",
"pt_kill_subject_process_by_name_and_id",
"pt_kill_subject_process_by_image_and_id",
"pt_kill_subject_process_tree_by_image",
"pt_kill_subject_process_tree_by_name",
"pt_kill_subject_process_tree_by_name_and_id",
"pt_kill_subject_process_tree_by_image_and_id"
],
"events": [
"pt_module_started",
"pt_module_stopped",
"pt_object_process_killed_failed",
"pt_object_process_killed_successful",
"pt_object_process_skipped",
"pt_process_not_found",
"pt_subject_process_killed_failed",
"pt_subject_process_killed_successful",
"pt_subject_process_skipped"
],
"fields": [
"object.fullpath",
"object.process.fullpath",
"object.process.id",
"object.process.name",
"reason",
"subject.process.fullpath",
"subject.process.id",
"subject.process.name"
],
"last_module_update": "2022-08-26 00:00:00",
"last_update": "2022-06-26 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "yara_scanner",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"yr_object_scan_proc",
"yr_object_task_scan_proc",
"yr_scan_fs",
"yr_subject_scan_proc",
"yr_subject_task_scan_proc",
"yr_task_fastscan_fs",
"yr_task_fastscan_proc",
"yr_task_fullscan_fs",
"yr_task_fullscan_proc",
"yr_task_scan_fs"
],
"events": [
"yr_file_matched_custom",
"yr_file_matched_high",
"yr_file_matched_low",
"yr_file_matched_medium",
"yr_module_started",
"yr_module_stopped",
"yr_object_process_matched_high",
"yr_object_process_matched_low",
"yr_object_process_matched_medium",
"yr_process_matched_custom",
"yr_subject_process_matched_high",
"yr_subject_process_matched_low",
"yr_subject_process_matched_medium"
],
"fields": [
"malware_class",
"object.fullpath",
"object.process.fullpath",
"object.process.id",
"object.sha256_hash",
"reason",
"rule_name",
"rule_precision",
"rule_type",
"rules",
"subject.process.fullpath",
"subject.process.id"
],
"last_module_update": "2022-11-07 09:11:39",
"last_update": "2022-11-07 09:11:39"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "file_uploader",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"fu_upload_object_file",
"fu_upload_object_proc_image",
"fu_upload_subject_proc_image"
],
"events": [
"fu_module_started",
"fu_module_stopped",
"fu_object_file_upload_failed",
"fu_object_file_upload_successful",
"fu_object_proc_image_upload_failed",
"fu_object_proc_image_upload_successful",
"fu_subject_proc_image_upload_failed",
"fu_subject_proc_image_upload_successful",
"fu_upload_internal_error"
],
"fields": [
"object.fullpath",
"object.process.fullpath",
"reason",
"subject.fullpath",
"subject.process.fullpath"
],
"last_module_update": "2022-09-30 00:00:00",
"last_update": "2022-09-30 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"linux": [
"amd64"
]
},
"name": "correlator_linux",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"Auxiliary_SuspiciousWeightsTrojan_Linux_subject_a",
"Local_Recon_by_Web_User",
"Malware_Exploit_Elf_CVE_2019_14287_a",
"Malware_Exploit_Elf_CVE_2021_4034_a",
"Malware_Trojan_Linux_Generic_a",
"Malware_Trojan_Spy_Linux_Generic_a",
"Raw_Socket",
"Reverse_Tunneling_via_SSH",
"Suspicious_Create_File_Attribute_Hidden",
"Suspicious_Create_File_Boot_Modification",
"Suspicious_Create_File_Boot_RCScripts",
"Suspicious_Create_File_Ldd_PreloadDynamicLibrary",
"Suspicious_Create_File_Scheduler_At",
"Suspicious_Create_File_Scheduler_Cron",
"Suspicious_Create_File_Scheduler_SystemdTimer",
"Suspicious_Create_File_Shell_Config",
"Suspicious_Create_File_Ssh_AuthorizedKeys",
"Suspicious_Create_File_Systemd_Service",
"Suspicious_Create_File_Xdg_Autostart",
"Suspicious_Create_Process_Chkconfig_DisableRCScripts",
"Suspicious_Create_Process_Iptables_ModifyFirewall",
"Suspicious_Create_Process_Service_Disable",
"Suspicious_Create_Process_Setenforce_ModifySELinux",
"Suspicious_Create_Process_Sudo_Bruteforce",
"Suspicious_Create_Process_WipeData_Destruction",
"Suspicious_Read_File_Email_Local",
"Suspicious_Read_File_Fstab_Configuration",
"Suspicious_Read_File_Passwd_CredentialsEnumeration",
"Suspicious_Read_File_Polkit_Policy",
"Suspicious_Read_File_Shadow_CredentialsDumping",
"Suspicious_Read_System_BIOS_Reconnaissance",
"Suspicious_Read_System_DMI_CheckVM",
"Suspicious_Read_System_Kernel_ASLR",
"Suspicious_Read_System_Kernel_PtraceScope",
"Suspicious_Read_System_KeyState_Keylogger",
"Suspicious_Read_System_PCI_GPU",
"Suspicious_Read_System_PCI_USB",
"Suspicious_Read_System_Proc_ARPSessions",
"Suspicious_Read_System_Proc_BootCmdline",
"Suspicious_Read_System_Proc_Modules",
"Suspicious_Read_System_Proc_Route",
"Suspicious_Read_System_Proc_SCSI",
"Suspicious_Read_System_Proc_TCPSessions",
"Suspicious_Write_Disk_Data_DirectAccess",
"Suspicious_Write_File_PAM_Persistence",
"Suspicious_Write_Process_Inject_Ptrace",
"Tunneling_via_SSH",
"Tunneling_via_SSHuttle_Client",
"Tunneling_via_SSHuttle_Server"
],
"fields": [
"action",
"alert.key",
"category.generic",
"category.high",
"category.low",
"correlation_name",
"correlation_type",
"event_src.asset",
"event_src.host",
"event_src.hostname",
"event_src.id",
"event_src.ip",
"event_src.subsys",
"event_src.title",
"event_src.vendor",
"importance",
"incident.aggregation.key",
"incident.aggregation.timeout",
"incident.category",
"incident.severity",
"labels",
"numfield1",
"numfield2",
"object",
"object.account.group",
"object.account.id",
"object.account.name",
"object.fullpath",
"object.name",
"object.path",
"object.process.cmdline",
"object.process.cwd",
"object.process.fullpath",
"object.process.id",
"object.process.meta",
"object.process.name",
"object.process.parent.id",
"object.process.path",
"object.state",
"object.value",
"status",
"subject",
"subject.account.id",
"subject.account.name",
"subject.account.privileges",
"subject.account.session_id",
"subject.process.fullpath",
"subject.process.id",
"subject.process.meta",
"subject.process.name",
"subject.process.parent.id",
"subject.process.path",
"subject.type"
],
"last_module_update": "2022-11-07 12:52:12",
"last_update": "2022-11-07 12:52:12"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"windows": [
"amd64"
]
},
"name": "correlator",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"Abnormal_Directory_for_Process",
"Abusing_CredSSP",
"Access_System_Credential_files_via_cmdline",
"Access_into_Sensitive_Files_via_Network_Share",
"Accessibility_Feature_Tool_Abuse",
"Account_Created_on_Local_System",
"Account_Discovery",
"Account_or_Group_discovery_via_SAM_R",
"Add_new_user_in_commandline",
"Alternate_Data_Stream",
"Audit_XP_params_change",
"Auxiliary_SuspiciousWeightsTrojan_Windows_subject_a",
"Auxiliary_SuspiciousWeightsTrojan_Windows_subject_b",
"BitsJob_Download_and_Run",
"COM_object_persistence",
"CVE_2021_41379_Subrule_Elevation_service_chain",
"CVE_2021_41379_Subrule_Start_elevation",
"CVE_2021_41379_exploitation",
"CVE_2022_26500_26501_exploitation",
"CVE_2022_26503_Subrule_1",
"CVE_2022_26503_Subrule_2",
"CVE_2022_26503_exploitation",
"Client_Side_Execution_via_DCOM",
"Clipboard_Access",
"Clipboard_Access_Powershell",
"Cmstp_AWL_Bypass",
"Cobalt_Strike_Assembly",
"Cobalt_Strike_Payload_Delivery_Check",
"Cobalt_Strike_Pipe_from_AdminShare",
"Cobalt_Strike_Process_Injection",
"Cobalt_Strike_Psexec_Jump",
"Cobalt_Strike_SMB_Beacon",
"Cobalt_Strike_Service_Move",
"Code_Execution_Via_JDK_Tools",
"Command_Processor_Autorun_Modify",
"Computer_object_ldap_request",
"ControlPanel_AWL_Bypass",
"Copy_Mimikatz_To_Share",
"Credential_Access_to_Passwords_Storage",
"Credential_Dump_in_Local_Registry",
"Csc_AWL_Bypass",
"DRSUAPI_User_Enumeration",
"DSInternals_Usage",
"Disable_Credential_Guard",
"Disable_LSA_Protection",
"Disable_Restricted_Admin_Mode",
"Dnscmd_AWL_Bypass",
"Domain_Controllers_Discovery",
"Domain_Trust_Discovery",
"Download_File_Through_Curl",
"Download_File_Through_Windows_Defender",
"Downloading_Remote_File_Via_Lolbas",
"Empire_Stager",
"Esentutil_Copy_File",
"Execute_Encoded_Powershell",
"Execute_Malicious_Command",
"Execute_Malicious_Powershell_Cmdlet",
"Execute_PSEXEC",
"Execute_Suspicious_Command_via_cmd",
"Failed_LSASS_Injection",
"Fast_Create_and_Delete_Account",
"Finger_AWL_Bypass",
"Groups_And_Users_Enumeration",
"Hidden_Scheduled_Task",
"Hidden_Service_Create",
"Hide_Account_from_Logon_Screen",
"IEExec_AWL_Bypass",
"Impacket_SMBEXEC",
"Impacket_Secretsdump",
"InstallUtil_AWL_Bypass",
"Intercept_Creds_from_MSTSC",
"Internal_Monologue_Attack",
"KeePass_Keys_Extraction",
"KeePass_Persistence",
"Koadic_MSHTA_Stager",
"Koadic_REGSVR32_Stager",
"Koadic_Rundll32_Stager",
"Koadic_WMIC_Stager",
"LAPS_Enumeration",
"LOLBin_Copying",
"LSA_SSP_Change",
"Lazagne_Usage",
"Local_Pass_the_Hash",
"Lsass_Dump_via_SilentProcessExit",
"Lsass_SilentProcessExit_Keys",
"MSBuild_AWL_Bypass",
"MSHTA_AWL_Bypass",
"MSXSL_AWL_Bypass",
"Malicious_CHM_File",
"Malicious_Office_Document",
"Malware_Backdoor_Win32_Evilnum_a",
"Malware_Backdoor_Win32_Havex_a",
"Malware_Backdoor_Win32_NetWire_b",
"Malware_Backdoor_Win32_Pteredo_a",
"Malware_Backdoor_Win64_Throwback_b",
"Malware_Exploit_Win32_CVE_2022_30190_a",
"Malware_Exploit_Win32_PrintSpooler_a",
"Malware_Hacktool_Win32_CrackMapExec_a",
"Malware_Trojan_Dropper_MSOffice_Launcher_a",
"Malware_Trojan_Dropper_Script_Generic_a",
"Malware_Trojan_Dropper_Win32_Generic_k",
"Malware_Trojan_Ransom_Win32_Generic_a",
"Malware_Trojan_Ransom_Win32_Generic_b",
"Malware_Trojan_Win32_Generic_a",
"Malware_Trojan_Win32_Generic_o",
"Malware_Trojan_Win32_Generic_s",
"Malware_Trojan_Win32_Generic_t",
"Mavinject_AWL_Bypass",
"Metasploit_Payload",
"Microsoft_Teams_AWL_Bypass",
"Mimikatz_Command",
"Msiexec_AWL_Bypass",
"NetCat_Usage",
"Network_Share_Discovery",
"Odbcconf_AWL_Bypass",
"Office_File_with_Macros",
"Office_Normal_dotm_modification",
"Office_XLL_modification",
"Password_Policy_Discovery",
"Pcalua_AWL_Bypass",
"Permission_Groups_Discovery",
"Persistence_Netsh_DLL",
"Port_Forwarding_or_Tunneling",
"Potential_Users_Or_Groups_Enumeration_Process",
"Potential_domain_groups_and_users_enumeration_handle",
"Potential_localgroups_and_administrators_enumeration_handle",
"Powershell_Remoting",
"Process_Discovery",
"Proxy_Tools_Usage",
"RDP_Session_Hijacking",
"Reading_Registry_Objects",
"RegAsm_or_RegSvcs_AWL_Bypass",
"Registry_Winlogon_Helper",
"Regsvr32_AWL_Bypass",
"Remote_Admin_Share_Access",
"Remote_Code_Execution_Via_AtSvc",
"Remote_Connection_through_SMBEXEC_WinXP",
"Remote_Copy_Credential_Dump_Artifact",
"Remote_Copying_Malicious_File",
"Remote_File_Download_Via_Certutil",
"Remote_Password_Dump",
"Remoting_Impacket_PsExec",
"Remoting_SysInternals_PsExec",
"Remoting_WMI",
"Remoting_WinExec",
"Remoting_Windows_Shell",
"Remove_Access_To_Sensitive_Account",
"Remove_Account_From_Sensitive_Group",
"Rubeus_Usage",
"RunAs_Subrule_Login",
"RunAs_System_or_External_tools",
"Run_Malicious_Msbuild_Project",
"Run_whoami_as_System",
"Rundll32_AWL_Bypass",
"SPN_LDAP_requests",
"Scheduled_Task_Was_Created_Or_Updated_Via_Schtasks",
"Search_Stored_Credentials",
"Service_Created_or_Modified",
"Shadow_Copies_Deletion_with_Builtin_Tools",
"Shadow_Key_Creation",
"Shadow_Screen_save",
"Shadow_Screen_saves_PowerShell",
"SharpSploit_Usage",
"SharpWMI_Usage",
"Sharphound_Client_Side",
"Sharphound_Server_Side",
"SilentTrinity_Stager",
"Sliver_Shell_Usage",
"Software_Discovery",
"Spoolsv_Priv_Escalation",
"Stop_Important_Service",
"Stop_Important_Service_registry",
"Subrule_Sharphound_Client_Side",
"Subrule_Sharphound_Server_Side",
"Suspicious_Access_To_Users_Folder",
"Suspicious_Child_from_Messenger_Process",
"Suspicious_Create_File_FromBrowser_SuspiciousExtension",
"Suspicious_Create_File_FromMessenger_SuspiciousExtension",
"Suspicious_Create_File_PartitionMaster_DirectAccess",
"Suspicious_Create_File_RawDisk_DirectAccess",
"Suspicious_Create_Object_Account_Persistence",
"Suspicious_Create_Process_At_Persistence",
"Suspicious_Create_Process_BitsAdmin_RestrictionBypass",
"Suspicious_Create_Process_Debugger_Inject",
"Suspicious_Create_Process_DirectoryMock_UACBypass",
"Suspicious_Create_Process_NetSh_NetShell",
"Suspicious_Create_Process_Ping_SelfDelete",
"Suspicious_Create_Process_RunScript_WScript",
"Suspicious_Create_Process_Schtasks_Persistence",
"Suspicious_Create_Process_TaskKill_TerminateProcess",
"Suspicious_Create_Process_VSTOInstaller_OfficeAddIns",
"Suspicious_Create_Process_VirtualInstance_Evasion",
"Suspicious_Create_Process_WinDef_AddExclusion",
"Suspicious_Create_Process_WinDef_ChangeSettings",
"Suspicious_Create_Process_WithDebugger_Execution_Predetect_2_1",
"Suspicious_Create_Process_WusaExtract_UACBypass",
"Suspicious_Create_Registry_Key_SafeBoot",
"Suspicious_Delete_Registry_Key_ETWProvider",
"Suspicious_Delete_Registry_Key_RunAsPPL",
"Suspicious_Delete_Registry_Key_SafeBoot",
"Suspicious_Delete_Registry_Key_Service",
"Suspicious_Delete_Registry_Key_TaskSD",
"Suspicious_File_Created_by_Legal_Process",
"Suspicious_Windows_Kernel_creating",
"Suspicious_Wmic_Command",
"Suspicious_Write_File_EfiSystemPartition_Persistence",
"Suspicious_Write_File_USB_AirSpread",
"Suspicious_Write_Process_Inject_CreateRemoteThread",
"Suspicious_Write_Registry_Key_CPL",
"Suspicious_Write_Registry_Key_ChangeDefaultFileAssociation",
"Suspicious_Write_Registry_Key_ChangeFirewallPolicy",
"Suspicious_Write_Registry_Key_ChangeRdpPort",
"Suspicious_Write_Registry_Key_CredentialsDelegation",
"Suspicious_Write_Registry_Key_DisableAppLaunch",
"Suspicious_Write_Registry_Key_DisableTaskManager",
"Suspicious_Write_Registry_Key_DisableUAC",
"Suspicious_Write_Registry_Key_FlashConfigEnrollee",
"Suspicious_Write_Registry_Key_ImagePath",
"Suspicious_Write_Registry_Key_InjectAppCertDlls",
"Suspicious_Write_Registry_Key_InjectAppInitDLLs",
"Suspicious_Write_Registry_Key_InjectImageFileExecutionOptions",
"Suspicious_Write_Registry_Key_InjectLoadAppInitDLLs",
"Suspicious_Write_Registry_Key_InjectSilentProcessExit",
"Suspicious_Write_Registry_Key_KillAntivirus",
"Suspicious_Write_Registry_Key_LsaComponents",
"Suspicious_Write_Registry_Key_ModifyRdpSettings",
"Suspicious_Write_Registry_Key_OfficeTemplate",
"Suspicious_Write_Registry_Key_ProxyHijack",
"Suspicious_Write_Registry_Key_SafeBoot",
"Suspicious_Write_Registry_Key_ScreenSaver",
"Suspicious_Write_Registry_Key_SvchostContextService",
"Suspicious_Write_Registry_Key_TerminalContextService",
"Suspicious_Write_Registry_Key_TimeProviders",
"Suspicious_process_execution_sequence",
"Sysmon_Driver_Unload",
"System_Information_Discovery",
"System_Network_Configuration_Discovery",
"System_Network_Connections_Discovery",
"System_Service_Discovery",
"TikiTorch_Process_Injection",
"Universal_Windows_Platform_Apps_Modify",
"User_object_ldap_request",
"Userinitmprlogonscript_Modify",
"WDAC_Bypass_via_Dbgsrv",
"WDigest_Enable",
"WMI_Subscriptions",
"WinAPI_Access_from_Powershell",
"Windows_Accessibility_StickyKey_modification",
"Windows_Autorun_Modification",
"Windows_Defender_Disable",
"Windows_Eventlog_cleaning",
"Windows_Hacktool_Usage",
"Windows_Malicious_service_registration",
"Windows_Registry_sensitive_keys_modification",
"Windows_Service_Installed",
"Windows_Shadow_copy_removal",
"Windows_WMI_event_consumer_registration",
"Windows_WMI_event_subscription_removal",
"Windows_firewall_enable_local_RDP",
"XSL_Script_WMIC_Execution"
],
"fields": [
"action",
"alert.context",
"alert.key",
"category.generic",
"category.high",
"category.low",
"chain_id",
"correlation_name",
"correlation_type",
"dst.asset",
"dst.fqdn",
"dst.host",
"dst.hostname",
"dst.ip",
"dst.mac",
"dst.port",
"event_src.asset",
"event_src.category",
"event_src.fqdn",
"event_src.host",
"event_src.hostname",
"event_src.ip",
"event_src.rule",
"event_src.subsys",
"event_src.title",
"event_src.vendor",
"importance",
"incident.aggregation.key",
"incident.aggregation.time_window",
"incident.aggregation.timeout",
"incident.attacking_addresses",
"incident.category",
"incident.severity",
"labels",
"numfield1",
"object",
"object.account.domain",
"object.account.fullname",
"object.account.id",
"object.account.name",
"object.account.privileges",
"object.account.session_id",
"object.domain",
"object.fullpath",
"object.hash",
"object.id",
"object.name",
"object.new_value",
"object.path",
"object.process.cmdline",
"object.process.cwd",
"object.process.fullpath",
"object.process.guid",
"object.process.hash",
"object.process.id",
"object.process.meta",
"object.process.name",
"object.process.original_name",
"object.process.parent.cmdline",
"object.process.parent.fullpath",
"object.process.parent.guid",
"object.process.parent.id",
"object.process.parent.name",
"object.process.parent.path",
"object.process.path",
"object.process.version",
"object.property",
"object.query",
"object.state",
"object.storage.fullpath",
"object.storage.id",
"object.storage.name",
"object.storage.path",
"object.type",
"object.value",
"object.vendor",
"object.version",
"reason",
"src.asset",
"src.fqdn",
"src.host",
"src.hostname",
"src.ip",
"src.mac",
"src.port",
"status",
"subject",
"subject.account.domain",
"subject.account.fullname",
"subject.account.id",
"subject.account.name",
"subject.account.privileges",
"subject.account.session_id",
"subject.name",
"subject.process.cmdline",
"subject.process.cwd",
"subject.process.fullpath",
"subject.process.guid",
"subject.process.hash",
"subject.process.id",
"subject.process.meta",
"subject.process.name",
"subject.process.original_name",
"subject.process.parent.id",
"subject.process.path",
"subject.process.version",
"subject.type",
"subject.version"
],
"last_module_update": "2022-10-26 00:00:00",
"last_update": "2022-10-26 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"linux": [
"amd64"
],
"windows": [
"amd64"
]
},
"name": "file_reader",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"frd_module_internal_error",
"frd_module_started",
"frd_module_stopped"
],
"fields": [
"reason"
],
"last_module_update": "2022-11-02 00:00:00",
"last_update": "2022-11-02 00:00:00"
}
]