[
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "empty",
|
|
"os": {
|
|
"windows": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "sysmon",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [],
|
|
"events": [
|
|
"sysmon_already_installed",
|
|
"sysmon_already_started",
|
|
"sysmon_config_updated_error",
|
|
"sysmon_config_updated_success",
|
|
"sysmon_installed_error",
|
|
"sysmon_installed_success",
|
|
"sysmon_started_error",
|
|
"sysmon_started_success",
|
|
"sysmon_unexpected_stopped",
|
|
"sysmon_unexpected_uninstalled",
|
|
"sysmon_uninstalled_error",
|
|
"sysmon_uninstalled_success",
|
|
"sysmon_updated_error",
|
|
"sysmon_updated_success"
|
|
],
|
|
"fields": [
|
|
"reason",
|
|
"version"
|
|
],
|
|
"last_module_update": "2022-12-20 00:00:00",
|
|
"last_update": "2022-12-20 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "empty",
|
|
"os": {
|
|
"windows": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "wineventlog",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [],
|
|
"events": [
|
|
"wel_module_internal_error",
|
|
"wel_module_started",
|
|
"wel_module_stopped"
|
|
],
|
|
"fields": [
|
|
"reason"
|
|
],
|
|
"last_module_update": "2022-12-22 00:00:00",
|
|
"last_update": "2022-12-22 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "custom",
|
|
"os": {
|
|
"darwin": [
|
|
"amd64"
|
|
],
|
|
"linux": [
|
|
"386",
|
|
"amd64"
|
|
],
|
|
"windows": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "lua_interpreter",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [],
|
|
"events": [],
|
|
"fields": [],
|
|
"last_module_update": "2022-12-08 00:00:00",
|
|
"last_update": "2022-12-08 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "responder",
|
|
"os": {
|
|
"darwin": [
|
|
"amd64"
|
|
],
|
|
"linux": [
|
|
"386",
|
|
"amd64"
|
|
],
|
|
"windows": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "syslog",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [
|
|
"send_to_syslog"
|
|
],
|
|
"events": [
|
|
"syslog_module_started",
|
|
"syslog_module_stopped"
|
|
],
|
|
"fields": [],
|
|
"last_module_update": "2022-12-08 00:00:00",
|
|
"last_update": "2022-12-08 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "responder",
|
|
"os": {
|
|
"darwin": [
|
|
"amd64"
|
|
],
|
|
"linux": [
|
|
"386",
|
|
"amd64"
|
|
],
|
|
"windows": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "file_remover",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [
|
|
"fr_remove_object_file",
|
|
"fr_remove_object_proc_image",
|
|
"fr_remove_subject_proc_image"
|
|
],
|
|
"events": [
|
|
"fr_module_started",
|
|
"fr_module_stopped",
|
|
"fr_object_file_removed_failed",
|
|
"fr_object_file_removed_successful",
|
|
"fr_object_proc_image_removed_failed",
|
|
"fr_object_proc_image_removed_successful",
|
|
"fr_remove_internal_error",
|
|
"fr_subject_proc_image_removed_failed",
|
|
"fr_subject_proc_image_removed_successful"
|
|
],
|
|
"fields": [
|
|
"object.fullpath",
|
|
"object.process.fullpath",
|
|
"reason",
|
|
"subject.fullpath",
|
|
"subject.process.fullpath"
|
|
],
|
|
"last_module_update": "2022-12-23 00:00:00",
|
|
"last_update": "2022-12-23 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "responder",
|
|
"os": {
|
|
"darwin": [
|
|
"amd64"
|
|
],
|
|
"linux": [
|
|
"386",
|
|
"amd64"
|
|
],
|
|
"windows": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "proc_terminator",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [
|
|
"pt_kill_object_process_by_file_path",
|
|
"pt_kill_object_process_by_image",
|
|
"pt_kill_object_process_by_name",
|
|
"pt_kill_object_process_by_name_and_id",
|
|
"pt_kill_object_process_by_image_and_id",
|
|
"pt_kill_object_process_tree_by_file_path",
|
|
"pt_kill_object_process_tree_by_image",
|
|
"pt_kill_object_process_tree_by_name",
|
|
"pt_kill_object_process_tree_by_name_and_id",
|
|
"pt_kill_object_process_tree_by_image_and_id",
|
|
"pt_kill_subject_process_by_image",
|
|
"pt_kill_subject_process_by_name",
|
|
"pt_kill_subject_process_by_name_and_id",
|
|
"pt_kill_subject_process_by_image_and_id",
|
|
"pt_kill_subject_process_tree_by_image",
|
|
"pt_kill_subject_process_tree_by_name",
|
|
"pt_kill_subject_process_tree_by_name_and_id",
|
|
"pt_kill_subject_process_tree_by_image_and_id"
|
|
],
|
|
"events": [
|
|
"pt_module_started",
|
|
"pt_module_stopped",
|
|
"pt_object_process_killed_failed",
|
|
"pt_object_process_killed_successful",
|
|
"pt_object_process_skipped",
|
|
"pt_process_not_found",
|
|
"pt_subject_process_killed_failed",
|
|
"pt_subject_process_killed_successful",
|
|
"pt_subject_process_skipped"
|
|
],
|
|
"fields": [
|
|
"object.fullpath",
|
|
"object.process.fullpath",
|
|
"object.process.id",
|
|
"object.process.name",
|
|
"reason",
|
|
"subject.process.fullpath",
|
|
"subject.process.id",
|
|
"subject.process.name"
|
|
],
|
|
"last_module_update": "2022-12-20 00:00:00",
|
|
"last_update": "2022-12-20 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "responder",
|
|
"os": {
|
|
"linux": [
|
|
"386",
|
|
"amd64"
|
|
],
|
|
"windows": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "yara_scanner",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [
|
|
"yr_object_scan_proc",
|
|
"yr_object_task_scan_proc",
|
|
"yr_scan_fs",
|
|
"yr_subject_scan_proc",
|
|
"yr_subject_task_scan_proc",
|
|
"yr_task_fastscan_fs",
|
|
"yr_task_fastscan_proc",
|
|
"yr_task_fullscan_fs",
|
|
"yr_task_fullscan_proc",
|
|
"yr_task_scan_fs"
|
|
],
|
|
"events": [
|
|
"yr_file_matched_custom",
|
|
"yr_file_matched_high",
|
|
"yr_file_matched_low",
|
|
"yr_file_matched_medium",
|
|
"yr_module_started",
|
|
"yr_module_stopped",
|
|
"yr_object_process_matched_high",
|
|
"yr_object_process_matched_low",
|
|
"yr_object_process_matched_medium",
|
|
"yr_process_matched_custom",
|
|
"yr_subject_process_matched_high",
|
|
"yr_subject_process_matched_low",
|
|
"yr_subject_process_matched_medium"
|
|
],
|
|
"fields": [
|
|
"malware_class",
|
|
"object.fullpath",
|
|
"object.process.fullpath",
|
|
"object.process.id",
|
|
"object.sha256_hash",
|
|
"reason",
|
|
"rule_name",
|
|
"rule_precision",
|
|
"rule_type",
|
|
"rules",
|
|
"subject.process.fullpath",
|
|
"subject.process.id"
|
|
],
|
|
"last_module_update": "2023-01-26 00:00:00",
|
|
"last_update": "2023-01-26 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "responder",
|
|
"os": {
|
|
"darwin": [
|
|
"amd64"
|
|
],
|
|
"linux": [
|
|
"386",
|
|
"amd64"
|
|
],
|
|
"windows": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "file_uploader",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [
|
|
"fu_upload_object_file",
|
|
"fu_upload_object_proc_image",
|
|
"fu_upload_subject_proc_image"
|
|
],
|
|
"events": [
|
|
"fu_module_started",
|
|
"fu_module_stopped",
|
|
"fu_object_file_upload_failed",
|
|
"fu_object_file_upload_successful",
|
|
"fu_object_proc_image_upload_failed",
|
|
"fu_object_proc_image_upload_successful",
|
|
"fu_subject_proc_image_upload_failed",
|
|
"fu_subject_proc_image_upload_successful",
|
|
"fu_upload_internal_error"
|
|
],
|
|
"fields": [
|
|
"object.fullpath",
|
|
"object.process.fullpath",
|
|
"reason",
|
|
"subject.fullpath",
|
|
"subject.process.fullpath"
|
|
],
|
|
"last_module_update": "2022-12-20 00:00:00",
|
|
"last_update": "2022-12-20 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "responder",
|
|
"os": {
|
|
"linux": [
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "correlator_linux",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [],
|
|
"events": [
|
|
"Malware_Exploit_Elf_CVE_2021_4034_a",
|
|
"Suspicious_Create_File_Boot_Modification",
|
|
"Suspicious_Create_File_Boot_RCScripts",
|
|
"Suspicious_Create_File_Scheduler_Cron",
|
|
"Suspicious_Create_File_Ssh_AuthorizedKeys",
|
|
"Suspicious_Create_Process_Iptables_ModifyFirewall",
|
|
"Suspicious_Read_File_Passwd_CredentialsEnumeration",
|
|
"Suspicious_Read_File_Shadow_CredentialsDumping",
|
|
"Suspicious_Write_File_PAM_Persistence",
|
|
"Suspicious_Write_Process_Inject_Ptrace"
|
|
],
|
|
"fields": [
|
|
"category.generic",
|
|
"category.high",
|
|
"correlation_name",
|
|
"numfield1",
|
|
"object.fullpath",
|
|
"object.name",
|
|
"object.path",
|
|
"object.process.cmdline",
|
|
"object.process.fullpath",
|
|
"object.process.id",
|
|
"object.process.name",
|
|
"object.process.parent.id",
|
|
"object.process.path",
|
|
"object.state",
|
|
"object.value",
|
|
"subject.process.fullpath",
|
|
"subject.process.id",
|
|
"subject.process.meta",
|
|
"subject.process.name",
|
|
"subject.process.parent.id",
|
|
"subject.process.path"
|
|
],
|
|
"last_module_update": "2022-12-20 00:00:00",
|
|
"last_update": "2022-12-20 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "responder",
|
|
"os": {
|
|
"windows": [
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "correlator",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [],
|
|
"events": [
|
|
"Suspicious_Create_Process_BitsAdmin_RestrictionBypass",
|
|
"Suspicious_Create_Process_NetSh_NetShell",
|
|
"Suspicious_Create_Process_Ping_SelfDelete",
|
|
"Suspicious_Create_Process_Schtasks_Persistence",
|
|
"Suspicious_Write_File_USB_AirSpread",
|
|
"Suspicious_Write_Process_Inject_CreateRemoteThread",
|
|
"Suspicious_Write_Process_Inject_ProcessTampering",
|
|
"Suspicious_Write_Registry_Key_LsaComponents",
|
|
"Suspicious_Write_Registry_Key_SafeBoot",
|
|
"Suspicious_Write_Registry_Key_ScreenSaver"
|
|
],
|
|
"fields": [
|
|
"category.generic",
|
|
"category.high",
|
|
"correlation_name",
|
|
"numfield1",
|
|
"object.fullpath",
|
|
"object.name",
|
|
"object.new_value",
|
|
"object.path",
|
|
"object.process.cmdline",
|
|
"object.process.fullpath",
|
|
"object.process.guid",
|
|
"object.process.id",
|
|
"object.process.name",
|
|
"object.process.parent.fullpath",
|
|
"object.process.parent.id",
|
|
"object.process.parent.name",
|
|
"object.process.path",
|
|
"object.property",
|
|
"object.type",
|
|
"object.value",
|
|
"reason",
|
|
"subject.process.cmdline",
|
|
"subject.process.fullpath",
|
|
"subject.process.guid",
|
|
"subject.process.id",
|
|
"subject.process.name",
|
|
"subject.process.path"
|
|
],
|
|
"last_module_update": "2023-05-24 00:00:00",
|
|
"last_update": "2023-05-24 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "empty",
|
|
"os": {
|
|
"linux": [
|
|
"amd64"
|
|
],
|
|
"windows": [
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "file_reader",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [],
|
|
"events": [
|
|
"frd_module_internal_error",
|
|
"frd_module_started",
|
|
"frd_module_stopped"
|
|
],
|
|
"fields": [
|
|
"reason"
|
|
],
|
|
"last_module_update": "2022-12-22 00:00:00",
|
|
"last_update": "2022-12-22 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "generic",
|
|
"os": {
|
|
"darwin": [
|
|
"amd64"
|
|
],
|
|
"linux": [
|
|
"386",
|
|
"amd64"
|
|
],
|
|
"windows": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "shell",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [
|
|
"shell_start",
|
|
"shell_stop"
|
|
],
|
|
"events": [
|
|
"shell_action_exec_failed",
|
|
"shell_action_exec_success"
|
|
],
|
|
"fields": [
|
|
],
|
|
"last_module_update": "2022-02-12 00:00:00",
|
|
"last_update": "2022-02-12 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "empty",
|
|
"os": {
|
|
"linux": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "auditd",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [],
|
|
"events": [
|
|
"auditd_error"
|
|
],
|
|
"fields": [
|
|
"message"
|
|
],
|
|
"tags": [],
|
|
"last_module_update": "2023-05-24 00:00:00",
|
|
"last_update": "2023-05-24 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "empty",
|
|
"os": {
|
|
"windows": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "osquery",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [],
|
|
"events": [
|
|
"osquery_already_installed",
|
|
"osquery_already_started",
|
|
"osquery_config_updated_error",
|
|
"osquery_config_updated_success",
|
|
"osquery_flagfile_updated_error",
|
|
"osquery_flagfile_updated_success",
|
|
"osquery_installed_error",
|
|
"osquery_installed_success",
|
|
"osquery_started_error",
|
|
"osquery_started_success",
|
|
"osquery_unexpected_stopped",
|
|
"osquery_unexpected_uninstalled",
|
|
"osquery_uninstalled_error",
|
|
"osquery_uninstalled_success"
|
|
],
|
|
"fields": [
|
|
"reason",
|
|
"version"
|
|
],
|
|
"last_module_update": "2022-12-27 00:00:00",
|
|
"last_update": "2022-12-27 00:00:00"
|
|
},
|
|
{
|
|
"group_id": "",
|
|
"policy_id": "",
|
|
"state": "release",
|
|
"template": "empty",
|
|
"os": {
|
|
"linux": [
|
|
"386",
|
|
"amd64"
|
|
]
|
|
},
|
|
"name": "osquery_linux",
|
|
"version": {
|
|
"major": 1,
|
|
"minor": 0,
|
|
"patch": 0
|
|
},
|
|
"actions": [],
|
|
"events": [
|
|
"osquery_linux_already_installed",
|
|
"osquery_linux_already_started",
|
|
"osquery_linux_config_updated_error",
|
|
"osquery_linux_config_updated_success",
|
|
"osquery_linux_installed_error",
|
|
"osquery_linux_installed_success",
|
|
"osquery_linux_started_error",
|
|
"osquery_linux_started_success",
|
|
"osquery_linux_unexpected_stopped",
|
|
"osquery_linux_unexpected_uninstalled",
|
|
"osquery_linux_uninstalled_error",
|
|
"osquery_linux_uninstalled_success"
|
|
],
|
|
"fields": [
|
|
"reason",
|
|
"version"
|
|
],
|
|
"last_module_update": "2022-12-27 00:00:00",
|
|
"last_update": "2022-12-27 00:00:00"
|
|
}
|
|
] |