olafhartong / sysmon-modular

A repository of sysmon configuration modules
MIT License

contains all with only one value #144

Closed frack113 closed 2 years ago

frack113 commented 2 years ago

Hi, I have run `grep -ri "contains all" | grep -v ';'`

```
12_13_14_registry_event/include_autoruns_and_startup_keys.xml:                          <TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject><!--MDE-->
12_13_14_registry_event/include_office.xml:        <TargetObject condition="contains all">software\microsoft\office\16.0\common\internet\server cache\</TargetObject> <!--MDE-->
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">vssadmin.exe delete</CommandLine> <!-- Possible Ransomeware detection or any kind of backup prevention  https://attack.mitre.org/techniques/T1490/-->
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">wbadmin.exe delete</CommandLine> <!-- Deletion of Backup Catalog  https://attack.mitre.org/techniques/T1490/-->
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">bcedit.exe /set</CommandLine> <!-- Modify Windows Recovery features by modifying boot config data  https://attack.mitre.org/techniques/T1490/-->
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="contains all">diskshadow.exe /s</CommandLine> <!--This only applies to versions of Windows Server-->
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1218,technique_name=Proxy Execution of unsigned C# Code" condition="contains all">dnx.exe consoleapp</CommandLine>
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">update --download</CommandLine>
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">update.exe --update</CommandLine>
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">update.exe --ProcessStart</CommandLine>
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">squirrel --download</CommandLine>
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">squirrel.exe --update</CommandLine>
1_process_creation/include_living_off_the_land.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">dxcap.exe -c</CommandLine>
1_process_creation/include_wsl.xml:        <ParentCommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -e</ParentCommandLine>
1_process_creation/include_wsl.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -e</CommandLine> <!--This will execute local PEs on the windows host-->
1_process_creation/include_wsl.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -u root</CommandLine> <!--Run a bash command as root-->
1_process_creation/include_wsl.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe --exec bash</CommandLine> <!--This will execute a command within the distro -->
1_process_creation/include_wsl.xml:          <CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">wsl.exe --exec bash</CommandLine>
1_process_creation/include_wsl.xml:          <CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">/dev/tcp</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">vssadmin.exe delete</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">wbadmin.exe delete</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">bcedit.exe /set</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="contains all">diskshadow.exe /s</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1218,technique_name=Proxy Execution of unsigned C# Code" condition="contains all">dnx.exe consoleapp</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">update --download</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">update.exe --update</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">update.exe --ProcessStart</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">squirrel --download</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">squirrel.exe --update</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">dxcap.exe -c</CommandLine>
sysmonconfig.xml:        <ParentCommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -e</ParentCommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -e</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -u root</CommandLine>
sysmonconfig.xml:        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe --exec bash</CommandLine>
sysmonconfig.xml:          <CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">wsl.exe --exec bash</CommandLine>
sysmonconfig.xml:          <CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">/dev/tcp</CommandLine>
sysmonconfig.xml:        <TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
sysmonconfig.xml:        <TargetObject condition="contains all">software\microsoft\office\16.0\common\internet\server cache\</TargetObject>
```

Example: `wsl.exe -e`, is it `wsl.exe;-e` or a simple `contains`?

olafhartong commented 2 years ago

Great point, thanks! I'll improve these.
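Added example, not code from sysmon-modular or from either participant in this issue: a small Python lint that does properly what the `grep -v ';'` above approximates, plus an evaluator that shows why the question matters. Sysmon treats the value of a `contains all` / `contains any` (and `excludes all` / `excludes any`) condition as a `;`-delimited list of substrings and compares case-insensitively; a value without `;` is therefore a single substring and the rule behaves exactly like plain `contains`, so `vssadmin.exe delete` only fires when those two words are contiguous with exactly one space between them. The XML fragment is constructed here and modelled on the lines quoted in the issue, and `vssadmin.exe;delete` is my assumption of what the split form of such a rule looks like, not a change the maintainer made.

```python
# Lint Sysmon config fragments for multi-value conditions that carry one value.
# Added example for this issue; not code from sysmon-modular. Sysmon splits the
# value of these conditions on ';', so a value without ';' is one substring and
# the rule behaves like plain `contains`.
import xml.etree.ElementTree as ET

# Sysmon conditions whose value is a ';'-delimited list of substrings.
MULTI_VALUE_CONDITIONS = {"contains any", "contains all", "excludes any", "excludes all"}

# Constructed fragment modelled on the lines quoted in the issue (not the repo's real file).
SAMPLE_CONFIG = """<Sysmon schemaversion="4.60">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">vssadmin.exe delete</CommandLine>
        <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -e</CommandLine>
        <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">vssadmin.exe;delete</CommandLine>
        <CommandLine condition="contains">wbadmin.exe delete</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def split_values(value):
    """Split a rule value the way Sysmon does for multi-value conditions (';' delimiter)."""
    return [part for part in value.split(";") if part != ""]


def find_single_value_rules(xml_text):
    """Return (tag, condition, value) for every multi-value condition holding one value.

    Such rules are not invalid, but `contains all` with one value is just `contains`,
    which usually means the author intended `a;b` rather than `a b`.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        cond = elem.get("condition", "").strip().lower()
        if cond in MULTI_VALUE_CONDITIONS:
            value = (elem.text or "").strip()
            if len(split_values(value)) < 2:
                findings.append((elem.tag, cond, value))
    return findings


def matches(condition, value, field):
    """Evaluate one Sysmon string condition against a field value.

    Sysmon compares case-insensitively; only the conditions used here are implemented.
    """
    field_l = field.lower()
    parts = [p.lower() for p in split_values(value)]
    if condition == "contains":
        return value.lower() in field_l
    if condition == "contains all":
        return all(p in field_l for p in parts)
    if condition == "contains any":
        return any(p in field_l for p in parts)
    raise ValueError(f"unsupported condition: {condition}")


def compare_rules(command_line):
    """How the single-value rule and its ';'-separated form treat one command line."""
    return {
        "single": matches("contains all", "vssadmin.exe delete", command_line),
        "split": matches("contains all", "vssadmin.exe;delete", command_line),
    }


if __name__ == "__main__":
    for tag, cond, value in find_single_value_rules(SAMPLE_CONFIG):
        print(f'{tag}: condition="{cond}" has a single value: {value!r}')
    for cl in (
        "vssadmin.exe Delete Shadows /All /Quiet",
        "vssadmin.exe  delete shadows /all",            # two spaces between the words
        'cmd.exe /c "vssadmin.exe" delete shadows /all',  # quoted image path
    ):
        print(repr(cl), compare_rules(cl))
```

The lint flags the two single-value rules and leaves `vssadmin.exe;delete` and the plain `contains` rule alone. The evaluator then shows the practical difference: the first command line matches both forms, while the double-space and quoted variants slip past the single-value rule and are caught only by the `;`-separated one.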