New SIEM Rules – May 2023


Welcome to our monthly rules update!
We are pleased to present the rules we created last month to extend your SIEM’s detection coverage. Depending on the monitoring products you use, these rules have already been deployed in your system. They join a collection of over 1500 rules that can be integrated into your ArcSight in a matter of minutes.

Rule Customization
We’ve simplified the process of adapting SIEM rules to suit your organization’s unique needs by allowing you to customize the rules directly from our App.

For MSSPs and companies that manage a SIEM across several entities, we created rules that identify the same attack vector occurring on multiple entities.

Cross Platform

  1. Cross Platform: Windows – APT
  2. Cross Platform: Windows – Process Access
  3. Cross Platform: Windows – Process Creation
  4. Cross Platform: PowerShell Script
  5. Cross Platform: Sysmon – Create Remote Thread
  6. Cross Platform: Sysmon – Create Stream Hash
  7. Cross Platform: Sysmon – Files
  8. Cross Platform: Sysmon – Image Load
  9. Cross Platform: Sysmon – Registry

Web Cache

  1. Download from Suspicious Dyndns Hosts
  2. Goofy Guineapig Backdoor Potential C2 Communication
  3. Java Class Proxy Download
  4. Potential Base64 Encoded User-Agent
  5. Suspicious Base64 Encoded User-Agent

Web Server

  1. Path Traversal Exploitation Attempts
  2. Potential CVE-2023-23752 Exploitation Attempt
  3. Source Code Enumeration Detection by Keyword
  4. Successful IIS Shortname Fuzzing Scan
  5. Suspicious User-Agents Related To Recon Tools
  6. Web Server: Java Payload Strings

New Anti Virus@Check Point

  1. Protection – CheckPoint New Anti Virus

CMS@FireEye

  1. Documents With Network Activity-FireEye
  2. HTML Redirector As Email Attachment-FireEye
  3. IPS Event-FireEye
  4. Riskware Docx-Fireeye
  5. Riskware Encrypted PDF-FireEye
  6. Shortened Link In Email-FireEye

Fortigate@Fortinet

  1. Fortigate Audit – Super admin entered VDOM
  2. Multiple VPN Failed Login – Fortigate
  3. Multiple VPN Failed Login by the same User – Fortigate

Database Security@McAfee

  1. Database Security – Expose database tables

ePolicy Orchestrator@McAfee

  1. ePolicy Orchestrator – Generate SCP Bypass Key

Network Security Manager@McAfee

  1. TCP Sweep – Network Security Manager

DNS Trace Log@Microsoft

  1. Cobalt Strike DNS Beaconing
  2. DNS Query to External Service Interaction Domains
  3. Monero Crypto Coin Mining Pool Lookup
  4. Wannacry Killswitch Domain

Windows WindowsUpdateClient@Microsoft

  1. Windows Update Error

Microsoft Windows@Microsoft

  1. DiagTrackEoP Default Login Username
  2. Goofy Guineapig Backdoor Service Creation
  3. Important Windows Service Terminated Unexpectedly
  4. Important Windows Service Terminated With Error
  5. Malicious Service Installations
  6. Windows Service Terminated With Error

Microsoft Windows@Microsoft/Process Creation

  1. Arbitrary MSI Download Via Devinit.EXE
  2. Cloudflared Tunnel Connections Cleanup
  3. Cloudflared Tunnel Execution
  4. COLDSTEEL RAT Anonymous User Process Execution
  5. COLDSTEEL RAT Cleanup Command Execution
  6. COLDSTEEL RAT Service Persistence Execution
  7. Computer Password Change Via Ksetup.EXE
  8. DumpMinitool Execution
  9. HackTool – Certify Execution
  10. HackTool – Covenant PowerShell Launcher
  11. HackTool – Rubeus Execution
  12. HackTool – Stracciatella Execution
  13. HackTool – winPEAS Execution
  14. Logged-On User Password Change Via Ksetup.EXE
  15. Odbcconf.EXE Suspicious DLL Location
  16. PaperCut MFNG Exploitation Related Indicators
  17. PaperCut MFNG Potential Exploitation
  18. Persistence Via Sticky Key Backdoor
  19. Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
  20. Potential Arbitrary File Download Via MSEdge.EXE
  21. Potential Exploitation Attempt Of Undocumented WindowsServer RCE
  22. Potential Goofy Guineapig Backdoor Activity
  23. Potential Goofy Guineapig GoogleUpdate Process Anomaly
  24. Potential Obfuscated Ordinal Call Via Rundll32
  25. Potential Password Reconnaissance Via Findstr.EXE
  26. Potentially Suspicious DLL Registered Via Odbcconf.EXE
  27. Potentially Suspicious GoogleUpdate Child Process
  28. PowerShell Download and Execution Cradles
  29. PUA – Crassus Execution
  30. Read Contents From Stdin Via Cmd.EXE
  31. Regsvr32 Anomaly
  32. Regsvr32 Command Line Without DLL
  33. Regsvr32 Flags Anomaly
  34. Regsvr32 Spawning Explorer
  35. Remote CHM File Download/Execution Via HH.EXE
  36. Rorschach Ransomware Execution Activity
  37. Suspicious Advpack Call Via Rundll32.EXE
  38. Suspicious Child Process Of Veeam Database
  39. Suspicious Chromium Browser Instance Executed With Custom Extensions
  40. Suspicious Driver/DLL Installation Via Odbcconf.EXE
  41. Suspicious DumpMinitool Execution
  42. Suspicious File Download From File Sharing Domain Via Curl.EXE
  43. Suspicious HH.EXE Execution
  44. Suspicious Registration via cscript.exe
  45. Suspicious Regsvr32 Execution From Remote Share
  46. Suspicious Regsvr32 Execution With Image Extension
  47. Uncommon Child Process Spawned By Odbcconf.EXE
  48. Veeam Backup Database Suspicious Query
  49. Veeam Backup Database Credentials Dump Via Sqlcmd.EXE
  50. Visual Studio NodejsTools PressAnyKey Renamed Execution
  51. Windows Kernel Debugger Execution
  52. Windows Shell/Scripting Processes Spawning Suspicious Programs

PowerShell@Microsoft/PowerShell Script

  1. Active Directory Group Enumeration With Get-AdGroup
  2. Add Windows Capability Via PowerShell Script
  3. AMSI Bypass Pattern Assembly GetType
  4. Disable Powershell Command History
  5. Dnscat Execution
  6. HackTool – Rubeus Execution – ScriptBlock
  7. Invoke-Obfuscation Via Stdin – Powershell
  8. Live Memory Dump Using Powershell
  9. Potential Active Directory Enumeration Using AD Module – PsScript
  10. Potential AMSI Bypass Using NULL Bits – ScriptBlockLogging
  11. Potential In-Memory Execution Using Reflection.Assembly
  12. Potential POWERTRASH Script Execution
  13. Potential RemoteFXvGPUDisablement.EXE Abuse – PowerShell ScriptBlock
  14. PowerShell ADRecon Execution
  15. PowerShell Create Local User
  16. PowerShell Credential Prompt
  17. PowerShell PSAttack
  18. PowerShell Script With File Hostname Resolving Capabilities
  19. Powershell Suspicious Win32_PnPEntity
  20. PSAsyncShell – Asynchronous TCP Reverse Shell
  21. Suspicious GPO Discovery With Get-GPO
  22. Suspicious PowerShell Mailbox SMTP Forward Rule
  23. Unsigned AppX Installation Attempt Using Add-AppxPackage – PsScript
  24. Veeam Backup Servers Credential Dumping Script Execution

SecurityComplianceCenter@Microsoft

  1. Office365: Activity from Anonymous IP Addresses
  2. Office365: Activity from Infrequent Country
  3. Office365: Activity from Suspicious IP Addresses
  4. Office365: Activity Performed by Terminated User
  5. Office365: Creation of Forwarding-Redirect Rule
  6. Office365: Data Exfiltration to Unsanctioned Apps
  7. Office365: eDiscovery search or exported
  8. Office365: Impossible Travel Activity
  9. Office365: Logon from a Risky IP Address
  10. Office365: Potential Ransomware Activity
  11. Office365: PST Export Alert Using New-ComplianceSearchAction
  12. Office365: Suspicious inbox forwarding
  13. Office365: Suspicious OAuth App File Download Activities
  14. Office365: Unusual Volume of File Deletion
  15. Office365: User Restricted from Sending Email

SQL Server@Microsoft

  1. MSSQL: Multiple Failed Logins to SQL Server

Sysmon@Microsoft/Create Remote Thread

  1. HackTool – CACTUSTORCH Remote Thread Creation
  2. HackTool – Potential CobaltStrike Process Injection
  3. Remote Thread Created In KeePass.EXE
  4. Remote Thread Creation In Uncommon Target Image

Sysmon@Microsoft/Create Stream Hash

  1. Potential Suspicious Winget Package Installation
  2. Potentially Suspicious File Download From ZIP TLD

Sysmon@Microsoft/Files

  1. Goofy Guineapig Backdoor IOC
  2. HackTool – Dumpert Process Dumper Default File
  3. LiveKD Driver Creation
  4. LiveKD Driver Creation By Uncommon Process
  5. LiveKD Kernel Memory Dump File Created
  6. NTDS.DIT Created
  7. Potential APT FIN7 Related PowerShell Script Created
  8. Potential COLDSTEEL Persistence Service DLL Creation
  9. Potential COLDSTEEL RAT File Indicators
  10. PowerShell Module File Created By Non-PowerShell Process
  11. Process Explorer Driver Creation By Non-Sysinternals Binary
  12. Process Monitor Driver Creation By Non-Sysinternals Binary
  13. RDP File Creation From Suspicious Application
  14. SNAKE Malware Kernel Driver File Indicator
  15. SNAKE Malware WerFault Persistence File Creation
  16. Suspicious File Created In PerfLogs
  17. WinSxS Executable File Creation By Non-System Process

Sysmon@Microsoft/Image Load

  1. Active Directory Parsing DLL Loaded Via Office Application
  2. Potential DLL Sideloading Of DBGCORE.DLL
  3. Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
  4. Potential Goopdate.DLL Sideloading
  5. Potential Libvlc.DLL Sideloading
  6. Potential SolidPDFCreator.DLL Sideloading
  7. UAC Bypass With Fake DLL

Sysmon@Microsoft/Network Connection

  1. Microsoft Binary Suspicious Communication Endpoint

Sysmon@Microsoft/Pipe Created

  1. ADFS Database Named Pipe Connection

Sysmon@Microsoft/Registry

  1. Folder Removed From Exploit Guard ProtectedFolders List – Registry
  2. Removal Of AMSI Provider Registry Keys
  3. Removal Of Index Value to Hide Schedule Task – Registry
  4. Removal Of SD Value to Hide Schedule Task – Registry
  5. Terminal Server Client Connection History Cleared – Registry
  6. CMSTP Execution Registry Event
  7. Creation of a Local Hidden User Account by Registry
  8. Disable Security Events Logging Adding Reg Key MiniNt
  9. Esentutl Volume Shadow Copy Service Keys
  10. FlowCloud Malware
  11. HybridConnectionManager Service Installation – Registry
  12. Leviathan Registry Key Activity
  13. NetNTLM Downgrade Attack – Registry
  14. OceanLotus Registry Activity
  15. OilRig APT Registry Persistence
  16. Pandemic Registry Key
  17. Registry Entries For Azorult Malware
  18. UAC Bypass Via Wsreset
  19. Wdigest CredGuard Registry Modification
  20. Windows Credential Editor Registry
  21. Enable Local Manifest Installation With Winget
  22. New ODBC Driver Registered
  23. Outlook TaskNote Reminder Received
  24. Potential Encrypted Registry Blob Related To SNAKE Malware
  25. Potentially Suspicious ODBC Driver Registered
  26. Winget Admin Settings Modification

System or Application Event@Microsoft

  1. Certificate Private Key Acquired

Windows Defender Antivirus@Microsoft

  1. PSExec and WMI Process Creations Block

IAM@OKTA

  1. OKTA: FastPass Phishing Detection

PenTera@Pcysys

  1. Pentera Tag (Add Pentera Tag to scanned hosts)

Portnox

  1. Device Received Voucher – Portnox
  2. Limited Authentication – Portnox
  3. New Endpoint – Portnox
  4. Duplicate IP – Portnox
  5. Duplicate MAC – Portnox
  6. Multiple MACs on Same Port – Portnox
  7. Service in Monitor Mode – Portnox
  8. Set Port Location – Portnox
  9. Portnox – User Login to Console
  10. Raspberry Pi Foundation – Portnox
  11. Rogue Device – Portnox
  12. Unauthorized Hub – Portnox

TSOC@TrapX

  1. TrapX – Connection Event
  2. TrapX – Scan Event

Deep Discovery Analyzer@Trend Micro

  1. TrendMicro DDA: High Risk by Sandbox
