main/Windows_Sysmon/116101-MITRE_TECHNIQUES_FROM_SYSMON_EVENT17.xml


<!--
  Wazuh rules: MITRE ATT&CK technique mapping for Sysmon Event ID 17 (PipeEvent / Pipe Created).

  Every rule below is a child of rule 61646 (the base Sysmon Event 17 rule) and fires only when
  win.eventdata.RuleName carries a "technique_id=..." tag. That tag is not produced by Sysmon
  itself; it is whatever RuleName the deployed Sysmon configuration attaches to its NamedPipe
  rules, so these patterns only match if the Sysmon config uses exactly these tag strings
  (presumably a technique-tagged config such as sysmon-modular; verify against the config in use).

  NOTE(review): field-name matches in Wazuh are case-sensitive, and the eventchannel decoder
  emits eventdata keys in lowerCamelCase (the description below already uses $(win.eventdata.image)).
  If the decoded key is "ruleName" rather than "RuleName", none of these rules will match;
  confirm against a decoded Event 17 before relying on them.

  NOTE(review): several RuleName tags carry sub-technique IDs (T1021.002, T1021.004, T1059.001)
  but the <mitre> block records only the parent technique. If the deployed Wazuh version's
  MITRE database accepts sub-technique IDs, using them would give a more precise mapping.

  <field> elements without a type attribute use Wazuh's OS_Regex syntax: "^" and "$" anchor
  the whole RuleName value and "." is a single-character wildcard. Each rule is level 3 with
  no_full_log, i.e. a low-severity enrichment alert without the raw event attached; the
  description is identical for all six rules, so alerts are distinguishable only by rule id
  and mitre id.

  Trailing commas in the group names are the Wazuh list-separator convention.
-->
<group name="windows,sysmon,">
<!-- 116101: Sysmon Event 17 pipe created, tagged T1021.002 (SMB/Windows Admin Shares); mapped to parent T1021 -->
<rule id="116101" level="3">
<if_sid>61646</if_sid>
<field name="win.eventdata.RuleName">^technique_id=T1021.002,technique_name=SMB/Windows Admin Shares$</field>
<description>Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)</description>
<mitre>
<id>T1021</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event_17,</group>
</rule>
<!-- 116102: Sysmon Event 17 pipe created, tagged T1055 (Process Injection).
     The tag text here differs in shape from the others ("; " free-text instead of ",technique_name=");
     the trailing "." in the pattern is an OS_Regex wildcard, so it matches a literal "." or any other character. -->
<rule id="116102" level="3">
<if_sid>61646</if_sid>
<field name="win.eventdata.RuleName">^technique_id=T1055; Possible Cobalt Strike post-exploitation jobs.$</field>
<description>Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)</description>
<mitre>
<id>T1055</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event_17,</group>
</rule>
<!-- 116103: Sysmon Event 17 pipe created, tagged T1021.004 (Remote Services: SSH); mapped to parent T1021 -->
<rule id="116103" level="3">
<if_sid>61646</if_sid>
<field name="win.eventdata.RuleName">^technique_id=T1021.004,technique_name=Remote Services: SSH$</field>
<description>Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)</description>
<mitre>
<id>T1021</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event_17,</group>
</rule>
<!-- 116104: Sysmon Event 17 pipe created, tagged T1059.001 (PowerShell); mapped to parent T1059 -->
<rule id="116104" level="3">
<if_sid>61646</if_sid>
<field name="win.eventdata.RuleName">^technique_id=T1059.001,technique_name=PowerShell$</field>
<description>Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)</description>
<mitre>
<id>T1059</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event_17,</group>
</rule>
<!-- 116105: Sysmon Event 17 pipe created, tagged T1049 (System Network Connections Discovery) -->
<rule id="116105" level="3">
<if_sid>61646</if_sid>
<field name="win.eventdata.RuleName">^technique_id=T1049,technique_name=System Network Connections Discovery$</field>
<description>Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)</description>
<mitre>
<id>T1049</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event_17,</group>
</rule>
<!-- 116106: Sysmon Event 17 pipe created, tagged T1033 (System Owner/User Discovery) -->
<rule id="116106" level="3">
<if_sid>61646</if_sid>
<field name="win.eventdata.RuleName">^technique_id=T1033,technique_name=System Owner/User Discovery$</field>
<description>Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)</description>
<mitre>
<id>T1033</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event_17,</group>
</rule>
</group>