Sysmon

The IBM® QRadar® Sysmon Content Extension detects advanced threats on Windows endpoints by using Sysmon logs.

The Sysinternals Sysmon service adds several Event IDs to Windows systems. These new Event IDs are used by system administrators to monitor system processes, network activity, and files. Sysmon provides a more detailed view than the Windows security logs. For more information about Sysmon, see Secure Your Endpoints With QRadar Content for Sysmon (https://securityintelligence.com/news/secure-your-endpoints-with-qradar-content-for-sysmon/).

This content extension provides multiple use cases to detect advanced threats, such as PowerShell abuse, hidden Windows processes, fileless memory attacks, code obfuscation, and many more. This content extension includes new offenses rules, building blocks, reference sets, and custom functions that can help you detect these threats.

Note: Update the Microsoft Windows DSM to the latest version before you install IBM QRadar Sysmon Content Extension.

For more information about the use cases that are covered by this content extension, see the following videos:

This package on Fix Central includes only <MONTH> <YEAR> virtual device security updates and optional packages, installing this release will not update the App Host and the App Host version will not change. Please use App Host <VERSION> for App Host installation or updates.

Video Title Video Link
Sysmon PowerShell Use Case 1 https://youtu.be/PWiw-RpLIbw
Sysmon PowerShell Use Case 2 https://youtu.be/_eaMMo8sPtA
Sysmon PowerShell Use Case 3 https://youtu.be/sZUAuYpSe7Q
Sysmon Use Case 4 Bogus Windows Processes https://youtu.be/gAS-B9gb3RY
Sysmon Use Case 5 Detecting other Libraries https://youtu.be/omWnyACNEcM
Sysmon Use Case 6 Nasty Injection & Encoded Attacks https://youtu.be/kC2hIJxqF8Q
QRadar Privilege Escalation Detection Use Case 7 https://www.youtube.com/watch?v=yitGRL-WJCM
QRadar Privilege Escalation Continued Use Case 8 https://www.youtube.com/watch?v=8u6G6SEw3kE
Sysmon Use Case 9 - More Privilege Escalation Detection https://www.youtube.com/watch?v=0Wy59Otr_Ag
Sysmon Use Case 10 - Creating an Admin Account https://www.youtube.com/watch?v=bJgaFSjuMSs
Sysmon Detecting Name Pipe Impersonation https://www.youtube.com/watch?v=pSBQ7NabDUY
Sysmon Detecting Mimikatz https://www.youtube.com/watch?v=gKa_CZAz3Jc
QRadar Lateral Movement Detection, Example One https://www.youtube.com/watch?v=IBEIN9sl4lk
QRadar Lateral Movement Detection Example Two https://www.youtube.com/watch?v=whjpScDYaY4
QRadar Lateral Movement Detection Example Three (Plain Windows Features) https://www.youtube.com/watch?v=7PXzi3pbmFo
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Sysmon

IBM Security QRadar Sysmon Content Extension 1.3.1

The following table shows the updated custom properties in IBM Security QRadar Sysmon Content Extension 1.3.1.

Table 1. Updated Custom Properties in IBM Security QRadar Sysmon Content Extension 1.3.1
Name Description
Image The "\bImage:\s.?\\([\\]?)(?:FileVersion|CommandLine):\s" expression is now "\bImage:\s.?\\([\\]?)\s(?:FileVersion|CommandLine):\s"

(Back to top)

IBM Security QRadar Sysmon Content Extension 1.3.0

The Detected a Scheduled Task over Multiple Hosts custom rule received an update to its rule filter. This update is a functional change to ensure if multiple commands are run, each get its own offense.

IBM Security QRadar Sysmon Content Extension 1.2.1

The following table shows the updated custom properties in IBM Security QRadar Sysmon Content Extension 1.2.1.

Table 2. Updated Custom Properties in IBM Security QRadar Sysmon Content Extension 1.2.1
Name Description
Image The New Process Name:\s(.*?)Token Elevation Type\: expression is now New Process Name[:\s\\=]*(.*?)\s+(?:Token Elevation Type)
ShareName The Share\sName\:\s*(?:\\\\\*\\)(.*)\s\sShare\sPath expression is now Share\sName\:\s*(?:\\\\\*\\)(.*?)\s+Share\sPath

(Back to top)

IBM Security QRadar Sysmon Content Extension 1.2.0

The following table shows the custom properties in IBM Security QRadar Sysmon Content Extension 1.2.0.

Table 3. Custom Properties in IBM Security QRadar Sysmon Content Extension 1.2.0
Name Description
Image The SourceImage\:\s(.*)\sTargetProcessGuid expression is now SourceImage\:\s(.*?)\sTargetProcessGuid

The Image:\s(.*)\sUser\: expression is now Image:\s(.*?)\sUser\:

The Image:\s(.*?)\s(FileVersion|CommandLine): expression is now \bImage:\s(.*?)\s(?:FileVersion|CommandLine):

The New\sProcess\sName:\s*(.*)\s{2}Token\sElevation\sType\: expression is now New Process Name:\s(.*?)Token Elevation Type\:

The SourceImage\:\s(.*)\sTargetProcessG expression is now SourceImage\:\s.*?\\([^\\]*?)\sTargetProcessG

The following expressions are disabled:
  • Image:\s(.*)\sImageLoaded
  • Image:\s(.*)\sTargetFilename\:
  • Image\:\s(.*)
  • Image\:\s(.*)\sDevice:
  • Image\:\s(.*)\sTargetObject
  • Process\sName\:\s*(.*?)\s*Access\sRequest
ImageName The Image:\s(?:.*\\)?(.*?)\s(?:FileVersion|CommandLine):\s expression is now \bImage:\s.*?\\([^\\]*?)(?:FileVersion|CommandLine):\s

The Image:\s(?:.*\\)?(.*)\sImageLoaded expression is now Image:.*?\\([^\\]*?)\sImageLoaded

The Image:\s(?:.*\\)?(.*)\sTargetFilename\: expression is now Image:.*?\\([^\\]*?)\sTargetFilename

The Image:\s(?:.*\\)?(.*)\sUser\: expression is now Image:\s.*?\\([^\\]*?)\sUser\:

The Image\:\s(?:.*\\)?(.*)\sTargetObject expression is now Image\:\s.*?\\([^\\]*?)\sTargetObject

The SourceImage\:\s(?:.*\\)?(.*)\sTargetProcessGuid expression is now SourceImage\:\s.*?\\([^\\]*?)\sTargetProcessGuid

The New\sProcess\sName:\s*(?:.*\\)?(.*)\s{2}Token\sElevation\sType\: expression is now New Process Name:\s.*?\\([^\\]*?)Token Elevation Type\:

The following expressions are disabled:
  • Image:\s(?:.*\\)?(.*)
  • Image\:\s(?:.*\\)?(.*)
  • Image\:\s(?:.*\\)?(.*)\sTargetObject
  • Image\:\s(?:.*\\)(.*)\sDevice:
  • Process\sName\:\s*(?:.*\\)?(.*?)\s*Access\sRequest
  • SourceImage\:\s(?:.*\\)?(.*)\sTargetProcessG
Process CommandLine The Process Command Line:\s(.*)\sToken Elevation Type expression is now Process Command Line[:\s\\=]+(.*?)\s*(?:Token Elevation Type)
ServiceName The Service Name\:\s*(.*)\sService\sFile expression is now (?i)Service Name[\:\s\=\\]*(.*?)\s+(?:Service File Name:|&&)
SourceImage This custom property is removed from the content extension.

The following table shows the rules updated in IBM Security QRadar Sysmon Content Extension 1.2.0.

Table 4. Rules updated in IBM Security QRadar Sysmon Content Extension 1.2.0
Name Description
Thread Creation by a Process Launched from a Shared Folder Now uses the Image custom property instead of the SourceImage custom property.

The following rules and building blocks are removed in IBM Security QRadar Sysmon Content Extension 1.2.0 because they are duplicates of rules in the IBM Security QRadar Endpoint content extension.

  • BB:BehaviorDefinition: Administrative Share Accessed
  • Credential Dumping using SAM Registry Key
  • Encoded Command Malicious Usage in a Programming Environment
  • Fileless UAC Bypass using Fodhelper
  • Fileless UAC Bypass using sdclt
  • Fileless UAC Bypass using Windows Event Viewer
  • Process Launched by an Unusual Process
  • Programming Environment Started with a Privileged Account
  • Service Configured to Use Powershell
  • Suspicious PSExec Module Usage Detected

The Suspicious PSExec Module Usage Detected rule used to be called Metasploit PSExec Module Usage.

The Powershell Malicious Usage Detected rule has been removed and replaced by the File Decode or Download followed by Suspicious Activity in the Endpoint content pack.

(Back to top)

IBM Security QRadar Sysmon Content Extension 1.1.3

The following table shows the custom properties in IBM Security QRadar Sysmon Content Extension 1.1.3.

Table 5. Custom Properties in IBM Security QRadar Sysmon Content Extension 1.1.3
Name Optimized Capture Group Regex
Service Name Yes 1 Service Name\:\s*(.*)\sService\sFile
ServiceFileName Yes 1 Service\sFile\sName\:\s*(.*)\sService\sType

The following table shows the rules and building blocks in IBM Security QRadar Sysmon Content Extension 1.1.3.

Table 6. Rules and Building Blocks in IBM Security QRadar Sysmon Content Extension 1.1.3
Type Name Description
Rule Download via Encoded Command Initiated This rule triggers when a download of a PowerShell script is initiated from a programming environment type cmd or Powershell.
Rule Malicious Service Installed This rule triggers when a service categorized as malicious has been installed.
Rule Metasploit PSExec Module Usage This rule triggers when a usage of the PSExec module is detected.
Rule PSExec Process Observed on a Compromised Host This rule triggers when a PsExec process has been detected on a compromised host.
Rule Remote Management Service Connected to lsass Pipe This rule triggers when a remote management service is connected to lsass pipe.
Rule Service Binary Located in a Shared Folder This rule triggers when a service binary is located in a shared folder.
Rule Service Configured to Use a Pipe This rule triggers when a service is configured to use a pipe.
Rule Service Configured to Use Powershell This rule triggers when a service is configured to use Powershell.
Rule Service Installed on a Compromised Host This rule triggers when a service has been created on a compromised host.

The following table shows the custom properties, rules, and building blocks that are renamed in IBM Security QRadar Sysmon Content Extension 1.1.3.

Table 7. Custom properties, rules, building blocks , saved searches, and reference data that are renamed in IBM Security QRadar Sysmon Content Extension 1.1.3
Old Name New Name
A Hidden Network Share Has Been Added Hidden Network Share Added
A Malicious Service Has Been Installed in a System Malicious Service Installed
A Network Share Has Been Accessed From a Compromised Host Network Share Accessed from a Compromised Host
A Network Share Has Been Added In a Compromised Host Network Share Added to a Compromised Host
A Pipe Has Been Created Followed by Updating Service Binary Path to Connect to The Created Pipe Pipe Created Followed by Service Binary Path Update
a Remoting Service Created a Powershell Script File Powershell Script Created by a Remote Management Service
A Scheduled Task Has Been Created in a Compromised Host Scheduled Task Created on a Compromised Host
A Service Has Been Installed in a Compromised Host Service Installed on a Compromised Host
Abnormal Parent for a System Process Unusual Parent for a System Process
An Administrative share Has Been Accessed Administrative Share Accessed
An Administrative share Has Been Accessed From a Compromised Machine Administrative Share Accessed from a Compromised Host
BB: A Scheduled Task Has Been Created BB:CategoryDefinition: Scheduled Task Creation
BB: An Administrative share Has Been Accessed BB:BehaviorDefinition: Administrative Share Accessed
BB: CreateRemoteThread Detected BB:CategoryDefinition: Remote Thread Creation
BB: CreateRemoteThread excluded cases BB:BehaviorDefinition: Remote Thread Creation False-Positives
BB: Detected a Powershell Process BB:CategoryDefinition: Programming Environment
BB: Detected a Scheduled Task based on Process Creation Event Part 2 BB:CategoryDefinition: Scheduled Task Creation by a Process
BB: Normal Windows Processes Accessed lsass.exe BB:CategoryDefinition: Processes Allowed to Access lsass
BB: Pipe Has Been Created BB:CategoryDefinition: Pipe Creation
BB: Process created a Network Connection BB:CategoryDefinition: Network Connection
BB: PsExec Has Been Detected BB:BehaviorDefinition: PsExec Process Observed
BB: Service Binary Path Has Been Set or Updated BB:BehaviorDefinition: Service Binary Path Set or Update
Childless Process Launched/Spawned a Process Process Launched by an Unusual Process
Command Shell Started With a System Privileges Programming Environment Started With a Privileged Account
Detected a Fileless UAC Bypass using Fodhelper Fileless UAC Bypass using Fodhelper
Detected a Fileless UAC Bypass using sdclt Fileless UAC Bypass using sdclt
Detected a Fileless UAC Bypass using Windows Event Viewer Fileless UAC Bypass using Windows Event Viewer
Detected A Known Process Started With A New Unseen Hash Known Process Started with A Different Hash
Detected a Long Value in Windows Registry Unusual Value Size in Windows Registry
Detected a Malicious Access to lsass Process Suspicious Access to lsass Process
Detected a Malicious Access to lsass Process from Unknown Call Trace Suspicious Access to lsass Process from Unknown Call Trace
Detected a New Unseen Process Started with a System User Privileges New Process Started with a Privileged Account
Detected a Possible Credential Dumping Tool Potential Credential Dumping Tool Detected
Detected a Possible Keylogger Potential Keylogger Detected
Detected a Remotely Executed Process over Multiple Hosts Remote Process Execution on Multiple Hosts
Detected a Remoting Service Connected to Lsass Pipe Remote Management Service Connected to lsass Pipe
Detected a Scheduled Task over Multiple Hosts Scheduled Task Created on Multiple Hosts
Detected a Service Binary Path Changed followed by a User or Group Added Service Binary Path Update Followed by User or Group Modification
Detected a Service Configured to Use a Pipe Service Configured to Use a Pipe
Detected a Service Configured to Use Powershell Service Configured to Use Powershell
Detected a Service with an Executable Binary Located in a Shared Folder Service Binary Located in a Shared Folder
Detected a Suspicious Svchost Process Suspicious Svchost Process
Detected Abnormal Parent for a Process Unusual Parent for a Process
Detected An Unknown / Unseen Process (Based On The Process Hash) Unknown Process Hash Observed
Detected An Unknown / Unseen Process (Based On The Process Name) Unknown Process Name Observed
Detected Excessive Execution of SC Command Excessive Use of SC Command
Detected Excessive Usage of System Tools From a Single Machine Excessive System Tools Usage from a Single Host
Detected Mimikatz Based on IMP Hash Mimikatz IMP Hash Observed
Detected PsExec with a Different Process Name PsExec Process Masquerading
Excessive Failed Attempts to Access a Network Shared Resource From a Compromised Host Excessive Network Share Access Failures from a Compromised Host
Excessive Failed Attempts to Access an Administrative Share From a Single source Excessive Administrative Share Access Failures from the Same Host
Lsass Process Connected to a Pipe Lsass Process Connected to a Pipe
Metasploit PSExec Module Has Been Detected Metasploit PSExec Module Usage
Possible Locky Ransomware detected based on rundll32 with qwerty argument Rundll32 with qwerty Argument Usage
Possible UAC Bypass - A Scheduled Task Has Been Configured to Run With Highest Privileges UAC Bypass - Scheduled Task Configured to Run With Highest Privileges
Powershell Has Been Launched Powershell Process Observed
Powershell Has Been Launched in a Compromised Host Powershell Process Observed on a Compromised Host
Powershell Malicious Usage Detected with Encoded Command Encoded Command Malicious Usage in a Programming Environment
Powershell Script download with EncodedCommand Download via Encoded Command Initiated
Process Baselining: Process Hash Process Baselining: Process Hash
Process Baselining: Process Name Process Baselining: Process Name
Process Baselining: Process Name to Hash Process Baselining: Process Name to Hash
Process Baselining: Process Name to Parent Process Process Baselining: Process Name to Parent Process
Process Baselining: Process Started with a System User Privileges Process Baselining: Process Started with System User Privileges
Process Created a Thread From a Process That was Launched From a Temp Directory Thread Creation by a Process Launched From a Temp Directory
Process Created a Thread Into Another Process Thread Creation into a Process different from the Initial one
Process Created a Thread into lsass Process Thread Creation into lsass Process
Process Created a Thread into System Process Thread Creation into a System Process
Process Launched From a Shared Folder Process Launched from a Shared Folder
Process Launched From a Shared Folder and Created Thread into Another Process Thread Creation by a Process Launched from a Shared Folder
Process Launched From Temp Directory Process Launched from a Temp Directory
Process Loaded Executable from Temp Directory Executable Loaded from Temp Directory
Process Started from Unusual Directories (Recycle.bin, ..) Process Launched from Unusual Directory
PsExec Has Been Detected PsExec Process Observed
PsExec Has Been Launched From a Compromised Host PsExec Process Observed on a Compromised Host
SAM Registry key - Enumerate sub-keys (users) Credential Dumping using SAM Registry Key
Service Binary Path Has Been Updated Followed by a CreateRemoteThread Detected From the Same Process Service Binary Path Update Followed by Remote Thread Creation
Service Binary Path Has Been Updated Followed by a Network Connection From the Same Process Service Binary Path Update Followed by Network Connection
Shadow Copies Delete Detected Shadow Copies Deletion
System Process Started From Unusual Directory System Process Launched From Unusual Directory
Unsigned Driver Has Been Loaded Into Windows Kernel Unsigned Driver Loaded In Windows Kernel
Unsigned Executable Loaded Into lsass.exe Unsigned Executable Loaded In lsass
Unsigned Executable Loaded Into Sensitive System Process Unsigned Executable Loaded In Sensitive System Process
Whoami /groups Has Been Executed Group or Account Discovery

(Back to top)

IBM Security QRadar Sysmon Content Extension 1.1.2

The following table shows the custom properties in IBM Security QRadar Sysmon Content Extension 1.1.2.

Table 8. Custom Properties in IBM Security QRadar Sysmon Content Extension 1.1.2
Name Regex
Image Image:\s(.*?)\s(FileVersion|CommandLine):
ImageName Image:\s(?:.*\\)?(.*?)\s(?:FileVersion|CommandLine):\s
LoadedImage ImageLoaded:\s(.*?)\s(FileVersion|Hashes)\:
LoadedImageName ImageLoaded\:\s(?:.*\\)(.*?)\s*(FileVersion|Hashes)\:

The following table shows the rules and building blocks in IBM Security QRadar Sysmon Content Extension 1.1.2.

Table 9. Rules in IBM Security QRadar Sysmon Content Extension 1.1.2
Name Description
Process Baselining: Process Name to Hash Added a rule response to populate the ProcessNametoHashRefMapOfSetKeys reference set.
Process Baselining: Process Name to Parent Process Added a rule response to populate the ProcesstoParentProcessPathRefMapKeys reference set.
Detected A Known Process Started With A New Unseen Hash Detects when a known process starts with a new unseen hash.
Detected Abnormal Parent for a Process Detects an abnormal parent for a process.
Process Baselining: Process Hash Provides a baseline for process hashes.
Process Baselining: Process Name Provides a baseline for process names, with standard Windows logs or Sysmon logs.
Detected An Unknown / Unseen Process (Based On The Process Hash) Detects any unusual or unknown process hashes.
Detected An Unknown / Unseen Process (Based On The Process Name) Detects any unusual or unknown process names.
Process Launched From a Shared Folder and Created Thread into Another Process Updated one of the rule tests.

The following table shows the reference data in IBM Security QRadar Sysmon Content Extension 1.1.2.

Table 10. Reference Data in IBM Security QRadar Sysmon Content Extension 1.1.2
Type Name Description
Reference Set Profiled Process Names Stores the baseline list of process names.
Reference Set Profiled Process Hashes Stores the baseline list of process hashes.
Reference Set ProcessNametoHashRefMapOfSetKeys Stores the keys used in the map of sets that maps a process name to its hash.
Reference Set ProcesstoParentProcessPathRefMapKeys Stores the keys used in the map of sets that maps a process name to its parent process.
Reference Map of Sets ProcessMaptoProcessParentPath Changed the element type to alpha-numeric ignore case.
Reference Map of Sets ProcessNametoHash Changed the element type to alpha-numeric ignore case.

The following table shows the saved searches in IBM Security QRadar Sysmon Content Extension 1.1.2.

Table 11. Saved Searches in IBM Security QRadar Sysmon Content Extension 1.1.2
Name Description
Unknown Process Hash Has Been Started Updated the search criteria.
Abnormal Parent for a Process Updated the search criteria.
Unknown Process Name Has Been Started This search shows unknown processes based on the proces name.

(Back to top)

IBM Security QRadar Content Extension 1.1.1

In 1.1.1, two rules and two AQL functions were removed due to possible performance issues:
  • Rule: Detected a Known Process Started With Unseen Hash
  • Rule: Detected Abnormal Parent for a Process
  • Custom function: checkWithMapOfSets
  • Custom function: IsItWhiteListedProcess

(Back to top)

IBM Security QRadar Sysmon Content Extension 1.1.0

IBM Security QRadar Sysmon Content Extension 1.1.0 includes new rules to establish baseline processes, and to detect the following activities:
  • Privilege escalation
  • Fileless user account control (UAC) bypasses
  • Credential dumping
  • Lateral movement techniques
  • The Metasploit PSExec implementation
  • Malicious PowerShell usage

This version also includes new custom properties, saved searches, and AQL custom function. A new icon is added to the QRadar admin settings to configure an authorization token for Sysmon custom functions.

The following table describes the changes that are included in IBM Security QRadar Sysmon Content Extension 1.1.0

Type Name Change description
Rule Unusual Process (ex: word, iexplore, AcroRd..) launched a Command Shell Detects if an unusual process, such as MS Word, Internet Explorer, Acrobat Reader, starts a command shell or PowerShell.
Rule Detected a Remotely Executed Process over Multiple Hosts Detects any remotely run process that uses PowerShell, wmi, or PSExec as well-known lateral movement techniques.
Rule Detected a Scheduled Task over Multiple Hosts Detects a scheduled task over multiple hosts.
Rule Metasploit PSExec Module Has Been Detected Detects the Metasploit implementation of the PSExec tool.
Rule PSExec Has Been Launched From a Compromised Host Detects if PSExec is going to be launched from a host that is marked as a compromised host.
Rule PSExec Has Been Detected Detects if any host launches PSExec.
Rule Detected PSExec with a Different Process Name Detects if PSExec is uploaded with a different name.
Rule Command Shell Started With a System Privileges Detects if a command shell is started with escalated privileges. For example, if a regular user starts the command shell as a Windows System user.
Rule Process Baselining: Process Started with a System User Privileges Provides a baseline for which processes usually start with a system privilege. This baseline is used by other rules to detect if a new process starts with a system privilege. This baseline can indicate whether someone tries to do a privilege escalation.
Rule Detected a New Unseen Process Started with a System User Privileges Detects if a new or unusual process starts with a system privilege. By default this rule is disabled. As part of your maintenance routine, run the process baseline rules for one week before you enable this rule.
Rule Process Baselining: Process Name to Parent Process Provides a baseline to identify the parent processes for each process. This baseline can help to detect unusual processes.
Rule Process Baselining: Process Name to Hash Provides a baseline for process names and their corresponding hashes. This baseline can help to detect if an unknown process starts, or if a process starts with a new hash. This information can also be used to integrate Sysmon logs with other logs.
Rule Detected Excessive Usage of System Tools From a Single Machine Detects excess usage from a single machine of several system tools such as:
  • lcacl.exe
  • procdump.exe
  • vssadmin.exe
  • accesschk.exe
  • netsh.exe
  • arp.exe
  • systeminfo.exe
  • whoami.exe
Rule Detected a Service Configured to Use PowerShell Detects if any service is configured to use PowerShell.
Rule Detected a Long Value in Windows Registry Detects if an attacker tried to add or set a registry key by using a long value, such as a PowerShell encoded command.
Rule Detected a Service with an Executable Binary Located in a Shared Folder Detects if any service is configured to start an executable binary from a shared folder.
Rule Detected a Service Configured to Use a Pipe Detects if any service is configured to connect to a pipe.
Rule A Pipe Has Been Created Followed by Updating Service Binary Path to Connect to The Created Pipe Detects a named pipe impersonation, which is a technique for privilege escalation.
Rule Detected a Service Binary Path Changed followed by a User or Group Added Detects if a user or group is added after a service binary path changed.
Rule Service Binary Path Has Been Updated Followed by a Network Connection From the Same Process Detects if a process attempts to configure or add a service and detects if the same process creates an outbound connection.
Rule Detected Excessive Execution of SC Command Detects if the service controller command is used excessively.
Rule Detected an Unquoted Service Binary Path with Spaces Detects if an unquoted service binary path contains spaces. A file path that is not enclosed within quotation marks and contains spaces in the path can be leveraged. For example, C:\Program Files (x86)\.
Rule Possible UAC Bypass - A Scheduled Task Has Been Configured to Run With Highest Privileges Detects if a scheduled task is created to run by using the highest privileges.
Rule Service Binary Path Has Been Updated Followed by a CreateRemoteThread Detected From the Same Process Detects if a process attempts to configure or add a service, and detects if the same process creates a thread into other processes.
Rule Process Launched From a Shared Folder Detects if any process starts from a shared folder.
Rule Process Launched From a Shared Folder and Created Thread into Another Process Detect if a process starts from a shared folder and creates a thread in another process.
Rule A Remoting Service Created a PowerShell Script File Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, creates a PowerShell script file.
Rule LSASS Process Connected to a Pipe Detects if any pipe connects to an activity that is initiated from the Local Security Authority Subsystem Service (LSASS) process, which can lead to dumping credentials.
Rule Detected a Remoting Service Connected to LSASS Pipe Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, attempts to connect to a pipe called LSASS.
Rule Detected a Fileless UAC Bypass using sdclt Detects a user account control (UAC) bypass attempt that uses sdclt.exe, the Windows process that allows users to run backup and restore operations. By default, sdclt.exe runs with a high integrity level. After the process starts, it looks for specific keys in the registry. If the keys exist, it runs them.
Rule Detected a Fileless UAC Bypass using Fodhelper Detects if the Fodhelper process is used to bypass UAC in Windows 10 by hijacking a special key in the registry.
Rule Detected a Fileless UAC Bypass using Windows Event Viewer Detects if the Windows event viewer is used to bypass UAC.
Rule Unsigned Driver Has Been Loaded Into Windows Kernel Detects any attempt to load an unsigned driver into the Windows kernel.
Rule A Service Has Been Installed in a Compromised Host Detects any service installation on a host that is marked as a compromised host.
Rule A Scheduled Task Has Been Created in a Compromised Host Detects any attempt to create a scheduled task on a host that is marked as a compromised host.
Rule Excessive Denied SMB Traffic From a Compromised Host Detects excessive SMB traffic that is denied from a compromised host.
Rule Excessive Failed Attempts to Access an Administrative Share From a Single source Detects excessive failed attempts to access administrative shares from a single source host.
Rule Excessive Failed Attempts to Access a Network Shared Resource From a Compromised Host Detects excessive failed attempts to access shared folders over multiple hosts in the network from a compromised host.
Rule A Network Share Has Been Accessed From a Compromised Host Detects if a compromised host successfully accessed a shared folder.
Rule A Network Share Has Been Added In a Compromised Host Detects if a compromised host adds a shared folder or file.
Rule Detected SMB Traffic From a Compromised Host Into Other Hosts Detects outbound SMB traffic from a compromised host to other hosts.
Rule Detected a Successful Login From a Compromised Host Into Other Hosts Detects successful logins from a compromised host to other hosts.
Rule An Administrative share Has Been Accessed Detects if an administrative share is accessed.
Rule A Hidden Network Share Has Been Added Detects the creation of a hidden shared file.
Rule PowerShell Has Been Launched Detects if a host starts PowerShell.
Rule PowerShell Has Been Launched in a Compromised Host Detects if a compromised host starts PowerShell.
Rule A Malicious Service Has Been Installed in a System Detects if a known malicious service is installed in the system.
Rule Childless Process Launched/Spawned a Process Detects if a process that is intended to be childless launches a child process.
Rule Shadow Copies Delete Detected Detects if shadow copies are deleted.
Rule Detected a Suspicious Svchost Process Detects a malicious svchost process.
Rule Detected Mimikatz Based on IMP Hash Detects the Mimikatz post-exploitation tool based on whether the Invoke Mimikatz PowerShell (IMP) Hash is used.
Rule A Command Shell or Powershell Has been Launched From a Remote System Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, starts a command shell or PowerShell on a remote system.
Rule Whoami /groups Has Been Executed Detects if the whoami or group command is used by before any privilege escalation technique.
Rule SAM Registry key - Enumerate sub-keys (users) Detects any attempt to enumerate the SAM registry key.
Rule Detected a Registry Dump For SAM or System Key Detects any attempt to dump the SAM registry.
Rule SAM Registry key Has Been Accessed - using regedit Detects any attempt to access the SAM registry key
Rule Process Created a Thread into LSASS Process Detects any attempt to create a thread into the LSASS process.
Rule Unsigned Executable Loaded Into LSASS.exe Detects any attempt to load an unsigned executable file into the LSASS process.
Rule Detected a Malicious Access to LSASS Process Detects any malicious access to the LSASS process.
Rule Detected a Malicious Access to LSASS Process from Unknown Call Trace Detects any fileless attempts to access the LSASS process.
Rule Process Started from Unusual Directories (Recycle.bin, ..) Detects if a process starts from an unusual directory, such as the recycle bin.
Rule Detected a Possible Credential Dumping Tool
Used as an extra mark if any of the following rules match:
  • Detected a Malicious Access to LSASS Process
  • Detected a Malicious Access to LSASS Process from Unknown Call Trace
  • Detected a Registry Dump For SAM or System Key
  • Process Created a Thread into LSASS Process
  • SAM Registry key - Enumerate sub-keys (users)
  • SAM Registry key Has Been Accessed - using regedit
  • Detected Mimikatz Based on IMP Hash
  • Detected a Remoting Service Connected to LSASS Pipe
  • LSASS Process Connected to a Pipe
Rule Detected a Possible Keylogger Detects if a machine is infected with a keylogger.
Rule Possible Locky Ransomware detected based on rundll32 with qwerty argument Detect a known signature for Locky ransomware.
Rule PowerShell Malicious Usage Detected with Encoded Command Updated to detect more malicious uses of PowerShell.
Rule PowerShell Malicious Usage Detected Updated to detect more malicious uses of PowerShell.
Building Block BB: PSExec Has Been Detected Used in the PSExec rules.
Building Block BB: Process created a Network Connection Used in rules that correlate network connections with other activities.
Building Block BB: An Administrative share Has Been Accessed Used in rules that detect any malicious activities with shared folders.
Building Block BB: CreateRemoteThread Detected Used in rules that detect the creation of remote threads.
Building Block BB: Normal Windows Processes Accessed LSASS.exe Used in rules that detect the LSASS process.
Building Block BB: Detected a PowerShell Process Used in rules that detect PowerShell processes.
Building Block BB: A Scheduled Task Has Been Created Used in rules that detect scheduled tasks.
Building Block BB: Detected a Scheduled Task based on Process Creation Event Part 1 Used in rules that detect scheduled tasks based on process event creation.
Building Block BB: Pipe Has Been Created Used in rules that detect pipe creation.
Building Block BB: Detected a Scheduled Task based on Process Creation Event Part 2 Used in rules that detect scheduled tasks based on process event creation.
Building Block BB: Service Binary Path Has Been Set or Updated Used in rules that detect if a service path binary is set or updated.
Building Block BB: CreateRemoteThread excluded cases Used in rules that detect the creation of remote threads.
Saved Search Abnormal Parent for a Process This search shows any process with an unusual parent, based on the baselined data
Saved Search Network Connection Detected by Windows Sensitive Processes This search shows any connection that is initiated from a Windows sensitive process.
Saved Search Process Access to LSASS This search shows any process that accessed LSASS.
Saved Search Remotely Launched Executables via WMI or PowerShell This search shows processes that were run remotely.
Saved Search Service Binary Path Has Been Set or Updated This search shows any new service or if the location of the service binary changes.
Saved Search Unknown Process Hash Has Been Started This search shows any unseen process hashes.
Saved Search Unsigned Executable Loaded Into Sensitive System Process This search shows any attempt to load an unsigned executable file into sensitive system processes.
Saved Search Very Long Command Line Detected This search shows long command line text.
Reference Set Whitelisted Hashes Contains a list of whitelisted hashes.
Reference Set Systools Contains a list of tools that are used by system administrators.
Reference Set Processes Hashes Started as System User Contains a list of process hashes that can start with a system level privileges.
Reference Set Compromised Hosts Contains a list that is populated with any compromised hosts.
Reference Set Process Name to Hash Contains a list of process names that are mapped to their hashes.
Reference Set IOCs - Malicious Service Names Contains a list of well-known malicious service names.

(Back to top)

IBM Security QRadar Sysmon Content Extension 1.0.0

The following table describes the changes that are included in IBM Security QRadar Sysmon Content Extension 1.0.0

Type Name Change description
Rule Unsigned Executable or DLL Loaded from Temp Directory Detects when unassigned executable or DLL is loaded from a temporary directory.
Rule Process Launched From Temp Directory Detects when a process is launched from a temporary directory.
Rule Unsigned Executable or DLL Loaded Into Sensitive System Process Detects when an unassigned executable or DLL is loaded into another sensitive system processes.
Rule Process Created a Thread into System Process Detects when a process creates a thread in a system process.
Rule Process Created a Thread From a Process That was Launched From a Temp Director Detects when a process creates a thread from a process that was launched from a temporary directory.
Rule Process Created a Thread Into Another Process Detects when a process creates a thread in another process.
Rule PowerShell Malicious Usage Detected Detects malicious PowerShell usage.
Rule PowerShell Malicious Usage Detected with Encoded Command Detects malicious PowerShell usage with an encoded command.
Rule PowerShell script has been downloaded Detects when a PowerShell script is downloaded.
Rule System Process Started from Unusual Directory Detects when a system process starts from an unusual directory.
Rule Abnormal Parent for a System Process Detects when an abnormal parent for a system process is present.
Rule Suspicious svchost Process Detected Detects suspicious svchost processes.
Rule Shadow Copies Delete Detected Detects when a shadow copy file is deleted.
Building Block BB: Unsigned Executable or DLL Loaded Into Sensitive System Process Part 1 Used by the Unsigned Executable or DLL Loaded Into Sensitive System Process rule.
Building Block BB: Detected a downloaded PowerShell Script Used by the PowerShell script has been downloaded rule.
Building Block BB: Detected a downloaded PowerShell Script with EncodedCommand Used by the PowerShell Malicious Usage Detected with Encoded Command rule.
Custom Property Image Image:\s(.*)\sImageLoaded
Custom Property ImageName Image:\s(?:.*\\)(.*)\sImageLoaded
Custom Property Signed Signed:\s(true|false)
Custom Property Signature Signature:\s(.*)\sSignatureStatus
Custom Property SignatureStatus SignatureStatus:\s(Valid)
Custom Property LoadedImage ImageLoaded:\s(.*)\sHashes
Custom Property Image Image:\s(.*)\sCommandLine
Custom Property ImageName Image:\s(?:.*\\)(.*)\sCommandLine
Custom Property ParentImage ParentImage:\s(.*)\sParentCommandLine
Custom Property ParentImageName ParentImage:\s(?:.*\\)(.*)\sParentCommandLine
Custom Property Target Image Name TargetImage:\s(?:.*\\)(.*)\sNewThreadId
Custom Property SourceImage SourceImage:\s(.*)\sTargetProcessGuid
Custom Property TargetImage TargetImage:\s(.*)\sNewThreadId
Custom Property PS Encoded Command [\-^]{1,2}[Ee^]{1,2}[NnCcOoDdEeMmAa^]*[\s^]+(\S+)
Custom Property Process CommandLine CommandLine:\s(.*)\sCurrentDirectory
Custom Property SourceImageTempPath SourceImage:\s+.*((?:Windows\\Temp)|(?:AppData\\Local\\Temp))\\.*
Custom Property ImageTempPath Image:\s+.*((?:Windows\\Temp)|(?:AppData\\Local\\Temp))\\.*
Custom Property ImageLoadedTempPath ImageLoaded:\s+.*((?:Windows\\Temp)|(?:AppData\\Local\\Temp))\\.*
Custom Property Process CommandLine Process Command Line:\s*(.*)\s*Token Elevation Type
Custom Property PS Encoded Command Process Command Line:\s*powershell.*[\-^]{1,2}[Ee^]{1,2}[NnCcOoDdEeMmAa^]*[\s^]+(\S+)\s*Token Elevation Type
Custom Property ImageName New Process Name:\s*(?:.*\\)(\S*)\s*Token\sElevation\sType\:
Custom Property SHA1 Hash SHA1=(\w+)
Custom Property MD5 Hash MD5=(\w*)
Custom Property SHA256 Hash SHA256=(\w*)
Custom Property IMP Hash IMPHASH=(\w*)
Custom Property Image New Process Name:\s*(\S*)\s*Token\sElevation\sType\:
Custom Function base64Decode Decodes the base64 text from the PowerShell encoded command into a normal readable string.
Custom Function PScmdFilter Filters the process command line from the Sysmon events.
Saved Search Very Long Command Line Detected This is an event search to match on long process command lines from Sysmon events.
Reference Set TempFilePath Contains a list of file paths of the temporary directory.
Reference Set Windows Sensitive Processes Contains a list of all Windows-sensitive processes.
Reference Set ProcessMaptoProcessPath Contains a list of process names and the paths to those processes.
Reference Set ProcessMaptoProcessParentPath Contains a list of process names and the paths to the parent processes.

(Back to top)