Closed yugoslavskiy closed 1 year ago
87, 50.
13, 16, 20
34, 37, 38
43, 48, 50
I have some questions on both 48 and 50:
For 34, I don't think it will be possible to replicate the script
section of the kibana query at this time using sigma and I don't think the query
covers the situation completely so I'm going to skip it for now, but I'm open to feedback and suggestions if anyone has them.
@tas-kmanager:
43, 48, 50
I have some questions on both 48 and 50:
- Page 48 is relying on chain of 2 events (event 1 then event 2), do you think it's better if we split this into 2 rules?
- For page 50, the second event is using the ParentOfParent field, which I don't think is a default Sysmon field. Should I transform this to a rule as is or skip it?
Page 48: makes sense to create a rule for rules-unsupported, improving the current situation with the lack of examples for the new sigmac converter (which is under development). You are very welcome to do that (:

For page 50: you can add the `enrichment` field to the rule with the following parameters:

```yaml
enrichment:
  - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
  - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
```

as it was done for this rule. And then it's gonna fly (:
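To show what the two enrichment steps above buy you, here is an added example (not code from the thread, from Sigma or from the ATC project): a cache of Sysmon Event ID 1 records keyed by ProcessGuid, an enrichment that derives ParentOfParent* fields from it, and a hypothetical two-hop rule evaluated over the enriched events. The sample events, GUIDs, paths and the rule itself are constructed for illustration.

```python
from typing import Dict, List, Optional

Event = Dict[str, Optional[str]]

# Constructed sample Sysmon Event ID 1 records (field names follow Sysmon; GUIDs and
# paths are made up for this example).
EVENTS: List[Event] = [
    {"ProcessGuid": "G1", "ParentProcessGuid": "G0", "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "G2", "ParentProcessGuid": "G1", "Image": r"C:\Office\WINWORD.EXE"},
    {"ProcessGuid": "G3", "ParentProcessGuid": "G2", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "G4", "ParentProcessGuid": "G3", "Image": r"C:\Windows\System32\powershell.exe"},
]


def cache_event_id_1(events: List[Event]) -> Dict[str, Event]:
    """EN_0001-style step: keep every process-creation event keyed by its ProcessGuid."""
    return {e["ProcessGuid"]: e for e in events}


def enrich_with_parent_info(event: Event, cache: Dict[str, Event]) -> Event:
    """EN_0002-style step: resolve the parent's cached record and copy *its* parent onto
    the event as ParentOfParent* fields. A cache miss (parent started before the collector,
    or its event was dropped) yields None instead of an exception."""
    enriched: Event = dict(event)
    enriched["ParentOfParentProcessGuid"] = None
    enriched["ParentOfParentImage"] = None
    parent = cache.get(event["ParentProcessGuid"])
    if parent is not None:
        gp_guid = parent["ParentProcessGuid"]
        enriched["ParentOfParentProcessGuid"] = gp_guid
        grandparent = cache.get(gp_guid)
        if grandparent is not None:
            enriched["ParentOfParentImage"] = grandparent["Image"]
    return enriched


def enrich_all(events: List[Event]) -> List[Event]:
    """Batch form: build the cache first, then enrich every event against it."""
    cache = cache_event_id_1(events)
    return [enrich_with_parent_info(e, cache) for e in events]


def matches_office_to_shell(enriched: Event) -> bool:
    """Hypothetical two-hop rule over the enriched fields (stands in for the page 50
    chain): a Word process two levels up and a PowerShell host at the leaf."""
    gp = (enriched.get("ParentOfParentImage") or "").lower()
    leaf = (enriched.get("Image") or "").lower()
    return gp.endswith("winword.exe") and leaf.endswith("powershell.exe")
```

In a streaming pipeline the cache is filled as events arrive, so a parent's Event ID 1 must have been seen before the child's for the lookup to succeed; the None handling above is what keeps early or dropped events from breaking the rule.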
Thanks for the guidance. I will do both of your suggestions; I have never created an unsupported or enrichment Sigma rule before, but I will try my best! The existing examples are helpful.
Follow-up question for 48. I do have a rule that looks for the Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege. Do you think I should submit this rule?
Hello @tas-kmanager! Yes, absolutely! Just make sure there is no such rule in the ruleset.
38 seems to intend that you use it with the results of 37 - I don't believe that is something supported by sigma, but I'm open to suggestions on how to implement that rule.
@ryanplasma Is it possible to implement it with the enrichments, just like we did here?
Need to be checked before close

| Page | Sigma Rule ID / Link | Topic |
|---|---|---|
| 61 | Not possible | Token swapping, using Mimikatz driver |
| 67 | Not possible | Abusing debug privilege. Code injection |
| 69 | Not possible | Abusing debug privilege. Code injection |
| 74 | X | Abusing debug privilege. Create process with arbitrary parent |
| 95 | Not possible | Abusing impersonation + debug privileges. Tokenvator |
| 96 | Not possible | Generic detector of token swapping |
Some are "Not possible" because they use logstash and memcached to create custom fields.
Why isn't the link for SIGMA 29 available?
It got renamed :) If you simply search with the ID you'll find it: https://github.com/SigmaHQ/sigma/blob/30979206a4741b6fc818fe6f2207715511cd050a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
You can pick up some of the listed Kibana queries from the slides and develop Sigma rules out of them: