paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-11-04 13:53:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update 111101-MITRE_TECHNIQUES_FROM_SYSMON_EVENT12.xml

Browse Source
This commit is contained in:
taylor_socfortress
2025-08-06 11:01:00 -05:00
committed by GitHub
parent 483a31b80f
commit 98d10c9e91
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Windows_Sysmon/111101-MITRE_TECHNIQUES_FROM_SYSMON_EVENT12.xml
View File

@@ -488,14 +488,14 @@
<options>no_full_log</options> <options>no_full_log</options>
<group>sysmon_event_12,</group> <group>sysmon_event_12,</group>
</rule> </rule>
<rule id="111145" level="12"> <rule id="111145" level="10">
<field name="win.eventdata.targetObject" type="pcre2">(?i)\\\\Explorer\\\\FileExts</field> <field name="win.eventdata.targetObject" type="pcre2">(?i)\\\\Explorer\\\\FileExts</field>
<description>Change Default File Association via \Explorer\FileExts (T1546.001)</description> <description>Change Default File Association via \Explorer\FileExts (T1546.001)</description>
<mitre> <mitre>
<id>T1546.001</id> <id>T1546.001</id>
</mitre> </mitre>
</rule> </rule>
<rule id="111146" level="12"> <rule id="111146" level="10">
<if_group>sysmon_event_12</if_group> <if_group>sysmon_event_12</if_group>
<field name="win.eventdata.targetObject" type="pcre2">(?i)HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Google\\\\Chrome\\\\Extensions\\\\[a-z0-9]+</field> <field name="win.eventdata.targetObject" type="pcre2">(?i)HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Google\\\\Chrome\\\\Extensions\\\\[a-z0-9]+</field>
<field name="win.eventdata.eventType" type="pcre2">(?i)^CreateKey$</field> <field name="win.eventdata.eventType" type="pcre2">(?i)^CreateKey$</field>
@@ -507,7 +507,7 @@
<group>sysmon_event_12,</group> <group>sysmon_event_12,</group>
</rule> </rule>
<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) --> <!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
<rule id="111147" level="12"> <rule id="111147" level="10">
<if_sid>61614</if_sid> <if_sid>61614</if_sid>
<field name="win.eventdata.RuleName">^technique_id=T1546,technique_name=Registry Key Creation \(Persistence\)$</field> <field name="win.eventdata.RuleName">^technique_id=T1546,technique_name=Registry Key Creation \(Persistence\)$</field>
<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description> <description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
@@ -518,7 +518,7 @@
<group>sysmon_event_12,</group> <group>sysmon_event_12,</group>
</rule> </rule>
<rule id="111148" level="12"> <rule id="111148" level="10">
<if_sid>61614</if_sid> <if_sid>61614</if_sid>
<field name="win.eventdata.RuleName">^technique_id=T1036.004,technique_name=Service Registry Key Creation$</field> <field name="win.eventdata.RuleName">^technique_id=T1036.004,technique_name=Service Registry Key Creation$</field>
<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description> <description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>