As I began my learning on Yara Rules, the topic of Sigma Rules was often brought up. So I thought it would be helpful to also share my findings on Sigma Rules. More details about using Yara Rules in QRadar can be found.

Wait... Are Sigma Rules Yara Rules?

Sigma is the eighteenth upper case letter of the ancient Greek alphabet. It is represented as Σ (sum), also known as sigma notation.

I remember when I started using Splunk and how lost I was, especially with Sigma Rules. Once I learned the basic search, it became really easy.

Let's take this Sigma rule for example:

title: Reconnaissance Activity with Net Command
description: Detects a set of commands often used in recon stages by different attack groups
detection:
  selection:
    CommandLine:
      - tasklist
      - net time
      - systeminfo
      - whoami
      - nbtstat
      - net start
      - '*\net1 start'
      - qprocess
      - nslookup
      - hostname.exe
      - '*\net1 user /domain'
      - '*\net1 group /domain'
      - '*\net1 group "domain admins" /domain'
      - '*\net1 group "Exchange Trusted Subsystem" /domain'
      - '*\net1 accounts /domain'
      - '*\net1 user net localgroup administrators'
      - netstat -an
  condition: selection | count() by host > 4
falsepositives:
  - False positives depend on scripts and administrative tools used in the monitored environment

For Splunk you will need your index and sourcetype, and then from this Sigma rule you need logsource and CommandLine to create a Splunk search:

index= sourcetype= (CommandLine="tasklist" OR CommandLine="net time" OR CommandLine="systeminfo" OR CommandLine="whoami" OR CommandLine="nbtstat" OR CommandLine="net start" OR CommandLine="*\net1 start" OR CommandLine="qprocess" OR CommandLine="nslookup" OR CommandLine="hostname.exe" OR CommandLine="*\net1 user /domain" OR CommandLine="*\net1 group /domain" OR CommandLine="*\net1 group \"domain admins\" /domain" OR CommandLine="*\net1 group \"Exchange Trusted Subsystem\" /domain" OR CommandLine="*\net1 accounts /domain" OR CommandLine="*\net1 user net localgroup administrators" OR CommandLine="netstat -an")
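The conversion described above, as an added example that is not part of the original post: a small Python script that turns the rule's detection block (embedded here as a dict mirroring the YAML, since the rule file itself is not on the page) into the Splunk search shown, and also translates the `count() by host > 4` aggregation, which the post's hand-written query leaves out. The index and sourcetype values are placeholders.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed copy of the rule's detection block from the post (only the fields needed here).
SIGMA_RULE: Dict[str, object] = {
    "title": "Reconnaissance Activity with Net Command",
    "detection": {
        "selection": {
            "CommandLine": [
                "tasklist", "net time", "systeminfo", "whoami", "nbtstat", "net start",
                r"*\net1 start", "qprocess", "nslookup", "hostname.exe",
                r"*\net1 user /domain", r"*\net1 group /domain",
                r'*\net1 group "domain admins" /domain',
                r'*\net1 group "Exchange Trusted Subsystem" /domain',
                r"*\net1 accounts /domain",
                r"*\net1 user net localgroup administrators",
                "netstat -an",
            ]
        },
        "condition": "selection | count() by host > 4",
    },
}


def splunk_literal(value: str) -> str:
    """Quote one Sigma value for SPL: embedded double quotes become \\" (as in the post's
    query); backslashes pass through and Sigma's '*' is also Splunk's wildcard."""
    return '"' + value.replace('"', '\\"') + '"'


def selection_to_spl(selection: Dict[str, Union[str, List[str]]]) -> str:
    """Inside a Sigma selection, fields are ANDed and a list under one field is ORed."""
    clauses = []
    for field, value in selection.items():
        values = value if isinstance(value, list) else [value]
        clauses.append("(" + " OR ".join(f"{field}={splunk_literal(v)}" for v in values) + ")")
    return " ".join(clauses)  # adjacent terms are an implicit AND in SPL


def aggregation_to_spl(condition: str) -> Tuple[str, str]:
    """Translate 'NAME | count() by FIELD OP N' into the selection name and a stats pipe."""
    m = re.fullmatch(r"\s*(\w+)\s*\|\s*count\(\)\s*by\s+(\w+)\s*([<>]=?)\s*(\d+)\s*", condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    name, by_field, op, n = m.groups()
    return name, f"| stats count by {by_field} | where count {op} {n}"


def sigma_to_splunk(rule: Dict[str, object], index: str = "<your_index>",
                    sourcetype: str = "<your_sourcetype>") -> str:
    """Build the full SPL search: scope, selection terms, then the aggregation."""
    detection = rule["detection"]
    name, agg = aggregation_to_spl(detection["condition"])
    return f"index={index} sourcetype={sourcetype} {selection_to_spl(detection[name])} {agg}"
```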