{"Name":"AddUser","Tags":[""],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$net: Image ~= '(?i:C:\\\\Windows\\\\Sys(tem32|wow64)\\\\net1?\\.exe)'","$command: CommandLine ~= 'user.*/ADD'"],"Condition":"$net and $command","Actions":null}
{"Name":"AlternateExplicitCredentialUse","Tags":["Lateral","Security"],"Meta":{"Events":{"Security":[4648]},"Computers":[],"Criticality":4,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$iplh1: IpAddress = '-'","$iplh2: IpAddress = '127.0.0.1'","$iplh3: IpAddress = '::1'","$wlpn: ProcessName ~= 'C:\\\\Windows\\\\System32\\\\winlogon\\.exe'","$wltsn: TargetServerName = 'localhost'"],"Condition":"!$iplh1 and !$iplh2 and !$iplh3 and !$wlpn and !$wltsn","Actions":null}
{"Name":"AnonymousNetworkLogon","Tags":["Lateral","Security"],"Meta":{"Events":{"Security":[4624]},"Computers":[],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$logt: LogonType = '3'","$kerb: AuthenticationPackageName = 'Kerberos'","$user: TargetUserName = 'ANONYMOUS LOGON'","$iplh1: IpAddress = '-'","$iplh2: IpAddress = '127.0.0.1'"],"Condition":"$logt and !$kerb and $user and !$iplh1 and !$iplh2","Actions":null}
{"Name":"AutomatedRecursiveDir","Tags":["Cmd"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$parent: ParentImage ~= '(?i:C:\\\\windows\\\\explorer.exe)'","$exe: Image ~= '(?i:\\\\cmd.exe$)'","$cmd: CommandLine ~= '(?i:dir.*?/s)'"],"Condition":"!$parent and $exe and $cmd","Actions":null}
{"Name":"BlacklistedDomain","Tags":["DNS"],"Meta":{"Events":{"Microsoft-Windows-DNS-Client/Operational":[]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$domainBL: extract('(?P\u003cdom\u003e\\w+\\.\\w+$)',QueryName) in blacklist'","$subdomainBL: extract('(?P\u003csub\u003e\\w+\\.\\w+\\.\\w+$)',QueryName) in blacklist'","$subsubdomainBL: extract('(?P\u003csubsub\u003e\\w+\\.\\w+\\.\\w+\\.\\w+$)',QueryName) in blacklist'"],"Condition":"$domainBL or $subdomainBL or $subsubdomainBL","Actions":null}
{"Name":"BlacklistedHash","Tags":["Blacklist"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1,6,7]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$md5: extract('MD5=(?P\u003cmd5\u003e[A-F0-9]{32})', Hashes) in blacklist","$sha1: extract('SHA1=(?P\u003csha1\u003e[A-F0-9]{40})', Hashes) in blacklist","$sha256: extract('SHA256=(?P\u003csha256\u003e[A-F0-9]{64})', Hashes) in blacklist"],"Condition":"$md5 or $sha1 or $sha256","Actions":null}
{"Name":"BlacklistedImphash","Tags":["Blacklist"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1,6,7]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$imphash: extract('IMPHASH=(?P\u003cimphash\u003e[A-F0-9]{32})', Hashes) in blacklist"],"Condition":"$imphash","Actions":null}
{"Name":"BrowserChild","Tags":["Browser"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":0,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$browser: ParentImage ~= '(?i:\\\\(iexplore|firefox|chrome|MicrosoftEdge|opera|vivaldi)\\.exe)$'"],"Condition":"$browser","Actions":null}
{"Name":"BrowserSuspiciousChild","Tags":["Browser"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$browser: ParentImage ~= '(?i:\\\\(iexplore|firefox|chrome|MicrosoftEdge|opera|vivaldi)\\.exe)$'","$susp: Image ~= '(?i:\\\\(certutil|rundll32|powershell|wscript|cscript|cmd|mshta|regsvr32|msbuild|installutil|regasm)\\.exe)$'","$allowed: CommandLine ~= '(?i:rundll32\\.exe.*?(shell32\\.dll\"{0,1},(OpenAs_RunDLL|SHCreateLocalServerRunDll)|inetcpl\\.cpl\"{0,1},ClearMyTracksByProcess|ieframe.dll\"{0,1},OpenURL))'"],"Condition":"$browser and $susp and !$allowed","Actions":null}
{"Name":"CanaryFileRead","Tags":["Canary"],"Meta":{"Events":{"Security":[4663]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$access: AccessMask \u0026= '0x1'","$canary: ObjectName ~= '(?i:C:\\\\PutYourCanaryHere\\\\)'"],"Condition":"$access and $canary","Actions":null}
{"Name":"CertutilDownloader","Tags":["Tools"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1140","Tactic":"defense-evasion","Reference":"https://attack.mitre.org/techniques/T1140"}],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$certutil: Image ~= '(?i:^c:\\\\windows\\\\sys(tem32|wow64)\\\\certutil\\.exe$)'","$urlcache: CommandLine ~= '(?i: -urlcache )'","$force: CommandLine ~= '(?i: -f )'","$split: CommandLine ~= '(?i: -split )'"],"Condition":"$certutil and $urlcache and $force and $split","Actions":null}
{"Name":"CertutilSuspDecode","Tags":["Tools"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1140","Tactic":"defense-evasion","Reference":"https://attack.mitre.org/techniques/T1140"}],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$certutil: Image ~= '(?i:^c:\\\\windows\\\\sys(tem32|wow64)\\\\certutil\\.exe$)'","$suspdecode: CommandLine ~= '(?i: -decode.*((?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node))|(?i:(\\.ps1|\\.bat|\\.cmd|\\.vb|\\.vbs|\\.vbscript|\\.vbe|\\.js|\\.jse|\\.ws|\\.wsf))))'"],"Condition":"$certutil and $suspdecode","Actions":null}
{"Name":"DefenderActionCriticallyFailed","Tags":["Defender"],"Meta":{"Events":{"Microsoft-Windows-Windows Defender/Operational":[1119,5008]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":[],"Condition":"","Actions":null}
{"Name":"DefenderBehaviourDetected","Tags":["Defender"],"Meta":{"Events":{"Microsoft-Windows-Windows Defender/Operational":[1015]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":[],"Condition":"","Actions":null}
{"Name":"DefenderConfigChanged","Tags":["Defender"],"Meta":{"Events":{"Microsoft-Windows-Windows Defender/Operational":[5007]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":[],"Condition":"","Actions":null}
{"Name":"DefenderFeatureDisabled","Tags":["Defender"],"Meta":{"Events":{"Microsoft-Windows-Windows Defender/Operational":[5010,5012]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":[],"Condition":"","Actions":null}
{"Name":"DefenderMalwareDetected","Tags":["Defender"],"Meta":{"Events":{"Microsoft-Windows-Windows Defender/Operational":[1006,1116]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":[],"Condition":"","Actions":null}
{"Name":"DomainInMisp","Tags":["DNS"],"Meta":{"Events":{"Microsoft-Windows-DNS-Client/Operational":[]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$domainBL: extract('(?P\u003cdom\u003e\\w+\\.\\w+$)',QueryName) in misp'","$subdomainBL: extract('(?P\u003csub\u003e\\w+\\.\\w+\\.\\w+$)',QueryName) in misp'","$subsubdomainBL: extract('(?P\u003csubsub\u003e\\w+\\.\\w+\\.\\w+\\.\\w+$)',QueryName) in misp'"],"Condition":"$domainBL or $subdomainBL or $subsubdomainBL","Actions":null}
{"Name":"DownloadPath","Tags":["Heuristics","Exec","Download"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":1,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$path1: CommandLine ~= '(?i:\\\\Downloads\\\\)'","$path2: CommandLine ~= '(?i:appdata\\\\local\\\\microsoft\\\\windows\\\\temporary internet files\\\\)'"],"Condition":"$path1 or $path2","Actions":null}
{"Name":"DriverLoadedNotValidSig","Tags":["DriverLoaded","Signature"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[6]},"Computers":[],"Criticality":3,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$valid: SignatureStatus = 'Valid'"],"Condition":"!$valid","Actions":null}
{"Name":"DriverLoadedSuspiciousSigStatus","Tags":["DriverLoaded","Signature"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[6]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$valid: SignatureStatus = 'Valid'","$unavailable: SignatureStatus = 'Unavailable'"],"Condition":"!$valid and !$unavailable","Actions":null}
{"Name":"DriverLoadedUnusualPath","Tags":["DriverLoaded"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[6]},"Computers":[],"Criticality":4,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$uspath1: ImageLoaded ~= '(?i:C:\\\\Windows\\\\Sys(wow64|tem32))'","$uspath2: ImageLoaded ~= '(?i:C:\\\\Windows\\\\Sys(tem32|wow64)\\\\drivers)'"],"Condition":"!$uspath1 and !$uspath2","Actions":null}
{"Name":"EmbeddedHTTPLinkInCL","Tags":["Heuristics","HTTP"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":1,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$http: CommandLine ~= '(?i:https?://)'"],"Condition":"$http","Actions":null}
{"Name":"EventClearing","Tags":["PostExploit"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1070","Tactic":"defense-evasion","Reference":"https://attack.mitre.org/techniques/T1070"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$im: Image ~= '(?i:\\\\wevtutil\\.exe$)'","$cmd: CommandLine ~= '(?i: cl | clear-log )'"],"Condition":"$im and $cmd","Actions":null}
{"Name":"ExecDownloadedDocument","Tags":["Heuristics","Exec","Download"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":4,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$path1: Image ~= '(?i:appdata\\\\local\\\\microsoft\\\\windows\\\\temporary internet files\\\\)'","$path2: Image ~= '(?i:\\\\Downloads\\\\)'"],"Condition":"$path1 or $path2","Actions":null}
{"Name":"ExecTimestomping","Tags":["Timestomp"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[2]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exec: TargetFilename ~= '(?i:((?i:(\\.ps1|\\.bat|\\.cmd|\\.vb|\\.vbs|\\.vbscript|\\.vbe|\\.js|\\.jse|\\.ws|\\.wsf))|(?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node))))'","$wl1: TargetFilename ~= '(?i:^C:\\\\Users\\\\.*?\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\CustomDestinations)\\\\[A-Z0-9]{20}.temp$'","$wl2: TargetFilename ~= '(?i:.*~tmp$)'","$wl3: TargetFilename ~= '(?i:C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\)'"],"Condition":"$exec and !($wl1 or $wl2 or $wl3)","Actions":null}
{"Name":"ExecutableADS","Tags":["ADS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[15]},"Computers":[],"ATTACK":[{"ID":"T1096","Tactic":"defense-evasion","Reference":"https://attack.mitre.org/techniques/T1096"}],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$unk:  Hash = 'Unknown'","$impash:  Hash ~= '(?i:(IMPHASH=00000000000000000000000000000000))'"],"Condition":"!($impash or $unk)","Actions":null}
{"Name":"ExecutableFileCreated","Tags":["Heuristics","CreateFile"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[11]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$system: Image ~= '(?i:C:\\\\Windows)'","$defender: Image ~= '(?i:((?i:C:\\\\(PROGRA~(1|2)|Program Files.*?)\\\\)Windows Defender\\\\MsMpEng\\.exe|(?i:C:\\\\(PROGRA~3|ProgramData)\\\\)Microsoft\\\\Windows Defender\\\\platform\\\\.*?\\\\MpCmdRun\\.exe))'","$browsers: Image ~= '(?i:\\\\(iexplore|firefox|chrome|MicrosoftEdge|opera|vivaldi)\\.exe)'","$target: TargetFilename ~= '(?i:c:\\\\.*((?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node))|(?i:(\\.ps1|\\.bat|\\.cmd|\\.vb|\\.vbs|\\.vbscript|\\.vbe|\\.js|\\.jse|\\.ws|\\.wsf)))$)'"],"Condition":"!($system or $browsers or $defender) and $target","Actions":null}
{"Name":"ExecutableUnkExt","Tags":["Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[7]},"Computers":[],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$knownext: ImageLoaded ~= '(?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node))$'"],"Condition":"!$knownext","Actions":null}
{"Name":"ExplicitNetworkLogon","Tags":["Lateral","Security"],"Meta":{"Events":{"Security":[4624]},"Computers":[],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$logt: LogonType = '3'","$user: TargetUserName = 'ANONYMOUS LOGON'","$iplh1: IpAddress = '-'","$iplh2: IpAddress = '127.0.0.1'","$enddol: TargetUserName ~= '\\$$'"],"Condition":"$logt and !($user or $iplh1 or $iplh2 or $enddol)","Actions":null}
{"Name":"ExplorerInjection","Tags":["WHIDS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"ATTACK":[{"ID":"T1055","Tactic":"privilege-escalation","Reference":"https://attack.mitre.org/techniques/T1055"}],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ga: GrantedAccess \u0026= '0x20'","$srcwl: SourceImage ~= '(?i:C:\\\\Windows\\\\System32\\\\(csrss)\\.exe)'","$hosted: SourceImage ~= '(?i:\\\\(lsass|svchost)\\.exe$)'","$win10shared: SourceServices ~= '(?i:(^|,)(AJRouter|AppIDSvc|AppMgmt|AssignedAccessManagerSvc|AxInstSV|BDESVC|BFE|BrokerInfrastructure|BTAGService|bthserv|CertPropSvc|CoreMessagingRegistrar|CscService|DcomLaunch|DeviceAssociationService|DevQueryBroker|diagsvc|DisplayEnhancementService|dmwappushservice|dot3svc|DsSvc|Eaphost|EFS|embeddedmode|EntAppSvc|fdPHost|FDResPub|fhsvc|FrameServer|GraphicsPerfSvc|hidserv|HvHost|icssvc|IKEEXT|IpxlatCfgSvc|KeyIso|KtmRm|lltdsvc|LxpSvc|mpssvc|MSiSCSI|NaturalAuthentication|NcaSvc|NcdAutoSetup|Netlogon|Netman|NetSetupSvc|NetTcpPortSharing|p2pimsvc|p2psvc|PeerDistSvc|pla|PNRPAutoReg|PNRPsvc|PolicyAgent|Power|PrintNotify|QWAVE|RasAuto|RasMan|RemoteAccess|RemoteRegistry|RetailDemo|RmSvc|RpcEptMapper|RpcSs|SamSs|SCardSvr|ScDeviceEnum|SCPolicySvc|seclogon|SensorService|SensrSvc|SessionEnv|SharedAccess|SharedRealitySvc|shpamsvc|SmsRouter|svsvc|SystemEventsBroker|TapiSrv|TermService|TroubleshootingSvc|tzautoupdate|UmRdpService|upnphost|VaultSvc|vmicguestinterface|vmicheartbeat|vmickvpexchange|vmicrdv|vmicshutdown|vmictimesync|vmicvmsession|vmicvss|W32Time|WalletService|WbioSrvc|wcncsvc|WebClient|Wecsvc|WEPHOSTSVC|wercplsupport|WFDSConMgrSvc|WiaRpc|WinRM|wlpasvc|WManSvc|workfolderssvc|WwanSvc|XblAuthManager|XblGameSave|XboxGipSvc|XboxNetApiSvc|AarSvc_\\w+|BcastDVRUserService_\\w+|BluetoothUserService_\\w+|CaptureService_\\w+|ConsentUxUserSvc_\\w+|DeviceAssociationBrokerSvc_\\w+|DevicePickerUserSvc_\\w+|DevicesFlowUserSvc_\\w+|MessagingService_\\w+|OneSyncSvc_\\w+|PimIndexMaintenanceSvc_\\w+|PrintWorkflowUserSvc_\\w+|UnistoreSvc_\\w+|UserDataSvc_\\w+)(,|$))'","$win10svcs: SourceServices ~= '(?i:^(ALG|Appinfo|AppReadiness|AppVClient|AppXSvc|AudioEndpointBuilder|Audiosrv|autotimesvc|BITS|BthAvctpSvc|camsvc|CDPSvc|ClipSVC|COMSysApp|CryptSvc|defragsvc|DeviceInstall|Dhcp|diagnosticshub.standardcollector.service|DiagTrack|DispBrokerDesktopSvc|DmEnrollmentSvc|Dnscache|DoSvc|DPS|DsmSvc|DusmSvc|EventLog|EventSystem|Fax|FontCache|gpsvc|InstallService|iphlpsvc|LanmanServer|LanmanWorkstation|lfsvc|LicenseManager|lmhosts|LSM|MapsBroker|MSDTC|msiserver|NcbService|netprofm|NgcCtnrSvc|NgcSvc|NlaSvc|nsi|PcaSvc|perceptionsimulation|PerfHost|PhoneSvc|PlugPlay|ProfSvc|PushToInstall|RpcLocator|Schedule|SDRSVC|SecurityHealthService|SEMgrSvc|SENS|Sense|SensorDataService|SgrmBroker|ShellHWDetection|smphost|SNMPTRAP|spectrum|Spooler|sppsvc|SSDPSRV|ssh-agent|SstpSvc|StateRepository|stisvc|StorSvc|swprv|SysMain|TabletInputService|Themes|TieringEngineService|TimeBrokerSvc|TokenBroker|TrkWks|TrustedInstaller|UevAgentService|UserManager|UsoSvc|VacSvc|vds|VSS|WaaSMedicSvc|WarpJITSvc|wbengine|Wcmsvc|WdiServiceHost|WdiSystemHost|WdNisSvc|WerSvc|WinDefend|WinHttpAutoProxySvc|Winmgmt|wisvc|WlanSvc|wlidsvc|wmiApSrv|WMPNetworkSvc|WpcMonSvc|WPDBusEnum|WpnService|wscsvc|WSearch|wuauserv|cbdhsvc_\\w+|CDPUserSvc_\\w+|WpnUserService_\\w+)$)'","$sysmon: SourceServices ~= 'Sysmon64'","$expl: TargetImage ~= '(?i:C:\\\\Windows\\\\Explorer\\.exe)'","$srcisparent: SourceProcessGUID = @TargetParentProcessGuid"],"Condition":"$ga and $expl and !($srcisparent or ($hosted and $win10shared) or $win10svcs or $sysmon or $srcwl)","Actions":null}
{"Name":"FilePrivEsc","Tags":["WHIDS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[11]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$wl: TargetFilename ~= '(?i:C:\\\\(Users|ProgramData)\\\\.*)'","$il: IntegrityLevel ~= '(Low|Medium)'"],"Condition":"$il and !$wl","Actions":null}
{"Name":"FromDownloadedDocument","Tags":["Office","Download"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":0,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$pimsoffice: ParentImage ~= '(?i:\\\\(excel|winword|powerpnt|outlook)\\.exe)$'","$pcl: ParentCommandLine ~= '(?i:appdata\\\\local\\\\microsoft\\\\windows\\\\temporary internet files\\\\)'"],"Condition":"$pimsoffice and $pcl","Actions":null}
{"Name":"Heur7zExec","Tags":["Archive","Exec","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1193","Tactic":"initial-access","Reference":"https://attack.mitre.org/techniques/T1193"}],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$pi: ParentImage ~= '(?i:\\\\7zFM\\.exe$)'","$i: Image ~= '(?i:^C:\\\\Users\\\\.*\\\\AppData\\\\Local\\\\Temp\\\\)'","$cl: CommandLine ~= '(\\\\Temp\\\\.*?((?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node))|(?i:(\\.ps1|\\.bat|\\.cmd|\\.vb|\\.vbs|\\.vbscript|\\.vbe|\\.js|\\.jse|\\.ws|\\.wsf))))'"],"Condition":"$pi and ($i or $cl)","Actions":null}
{"Name":"HeurADSInCL","Tags":["Heuristics","ADS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1096","Tactic":"defense-evasion","Reference":"https://attack.mitre.org/techniques/T1096"}],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ads:  CommandLine ~= '(?i:\\.[a-z0-9]{2,5}:\\w*?\\.[a-z0-9]{2,5})'"],"Condition":"$ads","Actions":null}
{"Name":"HeurBrowserInjection","Tags":["Browser"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ct: CallTrace ~= 'UNKNOWN'","$src: SourceImage ~= '(?i:\\\\(iexplore|firefox|chrome|MicrosoftEdge|opera|vivaldi)\\.exe)$'","$dst: TargetImage ~= '(?i:\\\\(iexplore|firefox|chrome|MicrosoftEdge|opera|vivaldi)\\.exe)$'","$write: GrantedAccess \u0026= '0x20'"],"Condition":"$dst and !$src and $ct and $write","Actions":null}
{"Name":"HeurCLWithCreds","Tags":["Heuristics","Lateral"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ruser: CommandLine ~= '(?i: /U )'","$rhost: CommandLine ~= '(?i: /S )'","$rpwd: CommandLine ~= '(?i: /P )'"],"Condition":"$ruser and $rhost and $rpwd","Actions":null}
{"Name":"HeurCallShellcode","Tags":["Heuristics","RemoteThread","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[8]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$stfunc: StartFunction = ''","$stmod: StartModule = ''"],"Condition":"$stfunc and $stmod","Actions":null}
{"Name":"HeurDnsFromSuspicious","Tags":["DNS","Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[22]},"Computers":[],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$susp: Image ~= '(?i:\\\\(certutil|rundll32|powershell|wscript|cscript|cmd|mshta|regsvr32|msbuild|installutil|regasm)\\.exe)$'"],"Condition":"$susp","Actions":null}
{"Name":"HeurDropper","Tags":["Heuristics","CreateFile"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[11]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$susp: Image ~= '(?i:\\\\(certutil|rundll32|powershell|wscript|cscript|cmd|mshta|regsvr32|msbuild|installutil|regasm)\\.exe)$'","$target: TargetFilename ~= '((?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node))|(?i:(\\.ps1|\\.bat|\\.cmd|\\.vb|\\.vbs|\\.vbscript|\\.vbe|\\.js|\\.jse|\\.ws|\\.wsf)))$'","$poltest: TargetFilename ~= '(?i:C:\\\\Users\\\\.*?\\\\AppData\\\\Local\\\\Temp\\\\__PSScriptPolicyTest_.*?\\.ps1)'"],"Condition":"$susp and $target and !$poltest","Actions":null}
{"Name":"HeurLongDomain","Tags":["DNS","Heuristics"],"Meta":{"Events":{"Microsoft-Windows-DNS-Client/Operational":[]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ldomain: QueryName ~= '.{50,}'"],"Condition":"$ldomain","Actions":null}
{"Name":"HeurMaliciousAccess","Tags":["Heuristics","WHIDS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ct: CallTrace ~= 'UNKNOWN'","$whitelist: SourceImage ~= '(?i:(?i:C:\\\\Windows\\\\Sys(wow64|tem32)\\\\)(sdiagnhost|svchost)\\.exe)'","$windows: TargetImage ~= '(?i:C:\\\\Windows\\\\)'","$write: GrantedAccess \u0026= '0x20'","$read: GrantedAccess \u0026= '0x10'","$srcisparent: SourceProcessGUID = @TargetParentProcessGuid"],"Condition":"!$srcisparent and $windows and $ct and ($write or $read) and !$whitelist","Actions":null}
{"Name":"HeurOfficeThreat","Tags":["Heuristics","WHIDS","MSOffice"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$anc: Ancestors ~= '(?i:\\\\(excel|winword|powerpnt|outlook)\\.exe)'","$tools: Image ~= '((?i:\\\\(rundll32|powershell|wscript|cscript|cmd|mshta|regsvr32|msbuild|installutil|regasm|dnx|rcsi|WinDbg|cdb|tracker|cmstp|msiexec|mavinject|SyncAppvPublishingServer|Odbcconf|msxsl|wmic)\\.exe)|(?i:\\\\(certutil)\\.exe))'"],"Condition":"$tools and $anc","Actions":null}
{"Name":"HeurPersistentRAT","Tags":["Heuristics","WHIDS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exist: Ancestors ~= '(?i:^System\\|)'","$anc: Ancestors ~= '(?i:C:\\\\Windows\\\\explorer\\.exe)'","$schedsvc: ParentServices ~= '^(Schedule|BrokerInfrastructure,DcomLaunch,Power,SystemEventsBroker)$'","$tools: Image ~= '(?i:\\\\(ping|systeminfo|net1?|xcopy|nbtstat|bitsadmin|netstat|powershell|cmd|cscript|wscript|arp|at|certutil|dsquery|ipconfig|netsh|reg|route|schtasks|wusa|wmic|sc|rundll32|qprocess|tasklist|query)\\.exe$)'"],"Condition":"$exist and $tools and !$anc and !$schedsvc","Actions":null}
{"Name":"HeurRAT","Tags":["Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$tools: Image ~= '(?i:\\\\(ping|systeminfo|net1?|xcopy|nbtstat)\\.exe$)'","$parent: ParentImage ~= '(?i:C:\\\\Windows\\\\.*\\\\(powershell|cmd|wscript|cscript|msiexec|net)\\.exe$)'"],"Condition":"$tools and !$parent","Actions":null}
{"Name":"HeurRemotePayload","Tags":["Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$susp: Image ~= '((?i:\\\\(certutil|rundll32|powershell|wscript|cscript|cmd|mshta|regsvr32|msbuild|installutil|regasm)\\.exe)|(?i:\\\\wmic\\.exe))'","$rempld: CommandLine ~= '(?i:(\\\\\\\\.*?\\\\|https?://).*\\.\\w{2,5})'"],"Condition":"$susp and $rempld","Actions":null}
{"Name":"HeurSpawnShell","Tags":["Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$shell: Image ~= '(?i:\\\\(powershell|cmd)\\.exe$)'","$validparent: ParentImage ~= '(?i:(c:\\\\Windows\\\\Explorer\\.exe|c:\\\\Windows\\\\.*\\\\(powershell|cmd)\\.exe)$)'"],"Condition":"$shell and !$validparent","Actions":null}
{"Name":"HeurSuspFileWrite","Tags":["Heuristics"],"Meta":{"Events":{"Security":[4663]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$access: AccessMask \u0026= '0x2'","$user_proc: ProcessName ~= '(?i:C:\\\\Users\\\\)'","$target: ObjectName ~= '(?i:C:\\\\Windows\\\\).*((?i:(\\.ps1|\\.bat|\\.cmd|\\.vb|\\.vbs|\\.vbscript|\\.vbe|\\.js|\\.jse|\\.ws|\\.wsf))|(?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node)))$'"],"Condition":"$access and $target","Actions":null}
{"Name":"HeurSysmonLongDomain","Tags":["DNS","Heuristics","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[22]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ldomain: QueryName ~= '.{50,}'","$ip6: QueryName ~= 'ip6\\.arpa\\.$'"],"Condition":"$ldomain and !$ip6","Actions":null}
{"Name":"HeurWebShell","Tags":["Heuristics","WHIDS","WebShell"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$anc: Ancestors ~= '(?:\\\\(tomcat.*?|w3wp|php-cgi|nginx|httpd|apache.*?)\\.exe)'","$tools: Image ~= '(?i:\\\\(ping|systeminfo|net1?|xcopy|nbtstat|bitsadmin|netstat|powershell|cmd|cscript|wscript|arp|at|certutil|dsquery|ipconfig|netsh|reg|route|schtasks|wusa|wmic|sc|rundll32|qprocess|tasklist|query)\\.exe$)'"],"Condition":"$tools and $anc","Actions":null}
{"Name":"HeurZipExec","Tags":["Archive","Exec","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1193","Tactic":"initial-access","Reference":"https://attack.mitre.org/techniques/T1193"}],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$pi: ParentImage ~= '(?i:C:\\\\Windows\\\\Explorer\\.exe$)'","$cl: CommandLine ~= '(?i:\\\\Temp.*?\\\\[^\\\\]*\\.zip\\\\[^\\\\]*((?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node))|(?i:(\\.ps1|\\.bat|\\.cmd|\\.vb|\\.vbs|\\.vbscript|\\.vbe|\\.js|\\.jse|\\.ws|\\.wsf))))'"],"Condition":"$pi and $cl","Actions":null}
{"Name":"HeuristicPrivEsc","Tags":["PrivEsc","Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$src_image_wl: SourceImage ~= '(?i:(?i:C:\\\\Windows\\\\Sys(wow64|tem32)\\\\)(taskmgr)\\.exe)'","$sync_access: GrantedAccess = '0x100000'","$src_user: SourceUser ~= '(?i:NT AUTHORITY\\\\)'","$tgt_user: TargetUser ~= '(?i:NT AUTHORITY\\\\)'"],"Condition":"!$sync_access and (!$src_user and $tgt_user) and !$src_image_wl","Actions":null}
{"Name":"HeuristicSamlibDll","Tags":["Mimikatz","Credentials","DLL"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[7]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$il1: ImageLoaded ~= '(?i:\\\\samlib.dll$)'","$system32: Image ~= '(?i:C:\\\\Windows\\\\System32\\\\[^\\\\]*?\\.exe)'","$programfile: Image ~= '(?i:C:\\\\Program Files.*?\\\\.*)'","$exp: Image ~= '(?i:^C:\\\\Windows\\\\explorer.exe$)'"],"Condition":"$il1 and !$system32 and !$programfile and !$exp","Actions":null}
{"Name":"HeuristicSuspiciousAccess","Tags":["Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$unk_calltrace: CallTrace ~= 'UNKNOWN'","$sync_access: GrantedAccess = '0x100000'","$src_user: SourceUser ~= '(?i:NT AUTHORITY\\\\)'","$tgt_user: TargetUser ~= '(?i:NT AUTHORITY\\\\)'"],"Condition":"!$sync_access and (!$src_user and $tgt_user) and $unk_calltrace","Actions":null}
{"Name":"HeuristicVaultcliDll","Tags":["Mimikatz","Credentials","DLL"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[7]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$il1: ImageLoaded ~= '(?i:\\\\vaultcli.dll$)'","$system32: Image ~= '(?i:C:\\\\Windows\\\\System32\\\\[^\\\\]*?\\.exe)'","$searchui: Image ~= '(?i:(?i:C:\\\\Windows\\\\SystemApps\\\\).*?\\\\searchui\\.exe)'"],"Condition":"$il1 and !($system32 or $searchui)","Actions":null}
{"Name":"HiddenPsExec","Tags":["Powershell","Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":9,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$psexec: Product = 'Sysinternals PsExec'","$im: Image ~= '(?i:\\\\psexe(c|svc).exe$)'"],"Condition":"$psexec and !$im","Actions":null}
{"Name":"HighlyPolymorphicCode","Tags":["WHIDS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[25]},"Computers":[],"ATTACK":[{"ID":"T1093","Tactic":"defense-evasion","Reference":"https://attack.mitre.org/techniques/T1093"}],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$lowboundproc: ProcessIntegrity \u003e= '50'"],"Condition":"$lowboundproc","Actions":null}
{"Name":"InfoRemotePath","Tags":["Info","Lateral"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":0,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$rpath: CommandLine ~= '(?i:\\\\\\\\[\\w\\.]+)'"],"Condition":"$rpath","Actions":null}
{"Name":"InfoSuspiciousParent","Tags":["Info"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":0,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$susp: ParentImage ~= '(?i:\\\\(certutil|rundll32|powershell|wscript|cscript|cmd|mshta|regsvr32|msbuild|installutil|regasm)\\.exe)$'"],"Condition":"$susp","Actions":null}
{"Name":"LargeBase64","Tags":["Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":3,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$lb64: CommandLine ~= '[0-9A-Za-z]{512,}'"],"Condition":"$lb64","Actions":null}
{"Name":"LargeCL512","Tags":["Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":2,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$lcl: CommandLine ~= '.{512,}'","$llcl: CommandLine ~= '.{999,}'","$wlp1: Image ~= '^C:\\\\Program Files.*?\\\\Mozilla Firefox\\\\firefox\\.exe$'","$wlp2: Image ~= '^C:\\\\Program Files.*?\\\\Google\\\\Chrome\\\\Application\\\\chrome\\.exe$'","$wlp3: Image ~= '(?i:Java.*\\\\jp2launcher.exe$)'","$wlp4: Image ~= '(?i:\\\\(java\\.exe))'"],"Condition":"$lcl and !($llcl or $wlp1 or $wlp2 $wlp3 or $wlp4)","Actions":null}
{"Name":"LargeCL999","Tags":["Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":3,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$lcl: CommandLine ~= '.{999,}'","$wlp1: Image ~= '^C:\\\\Program Files.*?\\\\Mozilla Firefox\\\\firefox\\.exe$'","$wlp2: Image ~= '^C:\\\\Program Files.*?\\\\Google\\\\Chrome\\\\Application\\\\chrome\\.exe$'","$wlp3: Image ~= '(?i:Java.*\\\\jp2launcher.exe$)'","$wlp4: Image ~= '(?i:\\\\(java\\.exe))'"],"Condition":"$lcl and !$wlp1 and !$wlp2 and !$wlp3 and !$wlp4","Actions":null}
{"Name":"LateralWMI","Tags":["WMI","Lateral"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$wmi: Image ~= '(?i:\\\\wmic\\.exe$)'","$node: CommandLine ~= '(?i:/node:)'"],"Condition":"$wmi and $node","Actions":null}
{"Name":"LogonFromExternal","Tags":["Lateral","Security"],"Meta":{"Events":{"Security":[4624]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$iplh1: IpAddress = '-'","$iplh2: IpAddress = '127.0.0.1'","$iplh3: IpAddress = '::1'","$privip: IpAddress ~= '(?i:(^127\\.)|(^10\\.)|(^172\\.1[6-9]\\.)|(^172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(^192\\.168\\.))'"],"Condition":"!($privip or $iplh1 or $iplh2 or $iplh3)","Actions":null}
{"Name":"MSOfficeThreat","Tags":["Office","Threat"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1193","Tactic":"initial-access","Reference":"https://attack.mitre.org/techniques/T1193"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$pimsoffice: ParentImage ~= '(?i:\\\\(excel|winword|powerpnt|outlook)\\.exe)$'","$susp: Image ~= '(?i:\\\\(certutil|rundll32|powershell|wscript|cscript|cmd|mshta|regsvr32|msbuild|installutil|regasm)\\.exe)$'","$fp1: CommandLine ~= '(?i:shell32\\.dll,(OpenAs_RunDLL|SHCreateLocalServerRunDll|Control_RunDLL))'"],"Condition":"$pimsoffice and !$fp1 and $susp","Actions":null}
{"Name":"MaliciousLsassAccess","Tags":["Mimikatz","Credentials","Lsass"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"ATTACK":[{"ID":"T1003","Tactic":"Credential Access","Reference":"https://attack.mitre.org/techniques/T1003/"}],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ct: CallTrace ~= 'UNKNOWN'","$lsass: TargetImage ~= '(?i:\\\\lsass\\.exe$)'"],"Condition":"$lsass and $ct","Actions":null}
{"Name":"MaliciousSvchostAccess","Tags":["Invoke-Phant0m","SvcHost"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ct: CallTrace ~= 'UNKNOWN'","$svchost: TargetImage ~= '(?i:windows\\\\sys(tem32|wow64)\\\\svchost\\.exe$)'"],"Condition":"$svchost and $ct","Actions":null}
{"Name":"MediumPolymorphicCode","Tags":["WHIDS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[25]},"Computers":[],"ATTACK":[{"ID":"T1093","Tactic":"defense-evasion","Reference":"https://attack.mitre.org/techniques/T1093"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$lowboundproc: ProcessIntegrity \u003e= '15'","$upboundproc: ProcessIntegrity \u003c '50'"],"Condition":"$lowboundproc and $upboundproc","Actions":null}
{"Name":"NTLMDowngradeAttack","Tags":["Credentials","Lsass"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[13]},"Computers":[],"ATTACK":[{"ID":"T1003","Tactic":"Credential Access","Reference":"https://attack.mitre.org/techniques/T1003/"}],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ntlmminclientsec: TargetObject ~= '^(?i:HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\NtlmMinClientSec)'","$lmcompatlevel: TargetObject ~= '^(?i:HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\LMCompatibilityLevel)'","$restsendntlmtraffic: TargetObject ~= '^(?i:HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\RestrictSendingNTLMTraffic)'","$setval: EventType = 'SetValue'","$v0x0: Details = 'DWORD (0x00000000)'","$v0x1: Details = 'DWORD (0x00000001)'","$v0x2: Details = 'DWORD (0x00000002)'"],"Condition":"($lmcompatlevel and $setval and ($v0x0 or $v0x1 or $v0x2)) or ($restsendntlmtraffic and $setval and $v0x0) or $ntlmminclientsec","Actions":null}
{"Name":"NTLMDowngradeAttackSecurity","Tags":["Credentials"],"Meta":{"Events":{"Security":[4657]},"Computers":[],"ATTACK":[{"ID":"T1003","Tactic":"Credential Access","Reference":"https://attack.mitre.org/techniques/T1003/"}],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$msv1key: ObjectName ~= '(?i:\\\\SYSTEM\\\\ControlSet.*?\\\\Control\\\\Lsa\\\\MSV1_0)'","$lsakey: ObjectName ~= '(?i:\\\\SYSTEM\\\\ControlSet.*?\\\\Control\\\\Lsa)'","$restsendntlmtraffic:  ObjectValueName = 'RestrictSendingNTLMTraffic'","$lmcompatlevel:  ObjectValueName = 'LMCompatibilityLevel'","$ntlmminclientsec:  ObjectValueName = 'NtlmMinClientSec'"],"Condition":"($lsakey and $lmcompatlevel) or ($msv1key and ($restsendntlmtraffic or $ntlmminclientsec)) ","Actions":null}
{"Name":"Nbtstat.exe","Tags":["Tool"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":2,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exe: Image ~= '(?i:\\\\nbtstat\\.exe$)'"],"Condition":"$exe","Actions":null}
{"Name":"Net.exe","Tags":["Tool"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":2,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exe: Image ~= '(?i:\\\\net1?\\.exe$)'"],"Condition":"$exe","Actions":null}
{"Name":"NewADS","Tags":["ADS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[15]},"Computers":[],"ATTACK":[{"ID":"T1096","Tactic":"defense-evasion","Reference":"https://attack.mitre.org/techniques/T1096"}],"Criticality":0,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$broker: Image ~= '(?i:C:\\\\Windows\\\\system32\\\\browser_broker.exe)'","$target: TargetFilename ~= '(?i::Zone\\.Identifier$)'"],"Condition":"!($broker and $target)","Actions":null}
{"Name":"NewAutorun","Tags":["Registry","Autorun"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[13]},"Computers":[],"ATTACK":[{"ID":"T1060","Tactic":"persistence","Reference":"https://attack.mitre.org/techniques/T1060"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$eventtype: EventType = 'SetValue'","$run: TargetObject ~= '(?i:(?i:\\\\SOFTWARE(\\\\WOW6432Node)??)\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run)'","$runonce: TargetObject ~= '(?i:(?i:\\\\SOFTWARE(\\\\WOW6432Node)??)\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce)'","$uimls: TargetObject ~= '(?i:\\\\Environment\\\\UserInitMprLogonScript$)'","$com: TargetObject ~= '(?i:(?i:HKCR(\\\\WOW6432Node)??)\\\\CLSID)'"],"Condition":"$eventtype and ($run or $runonce or $uimls or $com)","Actions":null}
{"Name":"NewExeCreatedInRoot","Tags":["Heuristics","CreateFile"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[11]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$smss: Image ~= '(?i:C:\\\\Windows\\\\System32\\\\smss\\.exe)'","$pageswap: TargetFilename ~= '(?i:C:\\\\(page|swap)file\\.sys)'","$target: TargetFilename ~= '(?i:c:\\\\[^\\\\]*?((?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node))|(?i:(\\.ps1|\\.bat|\\.cmd|\\.vb|\\.vbs|\\.vbscript|\\.vbe|\\.js|\\.jse|\\.ws|\\.wsf)))$)'"],"Condition":"$target and !($smss and $pageswap)","Actions":null}
{"Name":"NewLocalAdmin","Tags":[""],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$net: Image ~= '(?i:C:\\\\Windows\\\\Sys(tem32|wow64)\\\\net1?\\.exe)'","$command: CommandLine ~= '(?i:localgroup\\s+Administrators.*?/ADD)'"],"Condition":"$net and $command","Actions":null}
{"Name":"NewRemoteScheduledTask","Tags":["ScheduledTasks","Lateral"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1053","Tactic":"privilege-escalation","Reference":"https://attack.mitre.org/techniques/T1053"}],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$schtasks: Image ~= '(?i:^c:\\\\windows\\\\system32\\\\schtasks\\.exe$)'","$create: CommandLine ~= '(?i:/(create|xml))'","$remote: CommandLine ~= '(?i:/S )'"],"Condition":"$schtasks and $remote and $create ","Actions":null}
{"Name":"NewSchedTaskInReg","Tags":["Registry","Autorun","ScheduledTasks"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[13]},"Computers":[],"ATTACK":[{"ID":"T1053","Tactic":"privilege-escalation","Reference":"https://attack.mitre.org/techniques/T1053"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$eventtype: EventType = 'SetValue'","$newid: TargetObject ~= '(?i:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\.*?\\\\Id$)'"],"Condition":"$eventtype and $newid","Actions":null}
{"Name":"NewSchedTaskOnDisk","Tags":["ScheduledTasks"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[11]},"Computers":[],"ATTACK":[{"ID":"T1053","Tactic":"privilege-escalation","Reference":"https://attack.mitre.org/techniques/T1053"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$target: TargetFilename ~= '(?i:^C:\\\\Windows\\\\Sys(tem32|wow64)\\\\Tasks\\\\)'"],"Condition":"$target","Actions":null}
{"Name":"NewScheduledTask","Tags":["ScheduledTasks"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1053","Tactic":"privilege-escalation","Reference":"https://attack.mitre.org/techniques/T1053"}],"Criticality":4,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$schtasks: Image ~= '(?i:^c:\\\\windows\\\\sys(tem32|wow64)\\\\schtasks\\.exe$)'","$create: CommandLine ~= '(?i:/(xml|create))'","$remote: CommandLine ~= '(?i:/S )'"],"Condition":"$schtasks and !$remote and $create","Actions":null}
{"Name":"NotWhitelisted","Tags":["Whitelist"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1,6,7]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$md5: extract('MD5=(?P\u003cmd5\u003e[A-F0-9]{32})', Hashes) in whitelist","$sha1: extract('SHA1=(?P\u003csha1\u003e[A-F0-9]{40})', Hashes) in whitelist","$sha256: extract('SHA256=(?P\u003csha256\u003e[A-F0-9]{64})', Hashes) in whitelist"],"Condition":"!($md5 and $sha1 and $sha256)","Actions":null}
{"Name":"OfficeDropper","Tags":["Office","Dropper"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[11]},"Computers":[],"ATTACK":[{"ID":"T1193","Tactic":"initial-access","Reference":"https://attack.mitre.org/techniques/T1193"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$office: Image ~= '(?i:\\\\(excel|winword|powerpnt|outlook)\\.exe)$'","$target: TargetFilename ~= '((?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node))|(?i:(\\.ps1|\\.bat|\\.cmd|\\.vb|\\.vbs|\\.vbscript|\\.vbe|\\.js|\\.jse|\\.ws|\\.wsf)))$'"],"Condition":"$office and $target","Actions":null}
{"Name":"OfficeDropperExec","Tags":["Office","Dropper"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1193","Tactic":"initial-access","Reference":"https://attack.mitre.org/techniques/T1193"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$pimsoffice: ParentImage ~= '(?i:\\\\(excel|winword|powerpnt|outlook)\\.exe)$'","$whitelisted: Image ~= '^((?i:C:\\\\Windows\\\\)|(?i:C:\\\\(PROGRA~(1|2)|Program Files.*?)\\\\)|(?i:C:\\\\ProgramData\\\\AppV\\\\))'"],"Condition":"$pimsoffice and !$whitelisted","Actions":null}
{"Name":"PSC#Win32API","Tags":["Powershell","C#","ScriptBlock"],"Meta":{"Events":{"Microsoft-Windows-PowerShell/Operational":[]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$api: ScriptBlockText ~= '(?i:(OpenProcess|OpenThread|SetThreadContext|OpenThreadToken|GetProcAddress|OpenThreadToken|OpenProcessToken|CreateProcess|WriteProcessMemory|ReadProcessMemory|VirtualAlloc))'"],"Condition":"$api","Actions":null}
{"Name":"PSInvokeExpression","Tags":["Powershell"],"Meta":{"Events":{"Microsoft-Windows-PowerShell/Operational":[4103]},"Computers":[],"ATTACK":[{"ID":"T1202","Tactic":"Defense Evasion","Reference":"https://attack.mitre.org/techniques/T1202/"}],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ci: Payload ~= 'CommandInvocation\\(Invoke-Expression\\)'"],"Condition":"$ci","Actions":null}
{"Name":"Ping.exe","Tags":["Tool"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":2,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exe: Image ~= '(?i:\\\\ping\\.exe$)'"],"Condition":"$exe","Actions":null}
{"Name":"PowershellEmbeddedC#","Tags":["Powershell","EmbeddedCode"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":3,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ps: ParentImage ~= '(?i:\\\\powershell.exe$)'","$csc: Image ~= '(?i:\\\\csc.exe$)'"],"Condition":"$csc and $ps","Actions":null}
{"Name":"PowershellExecEnc","Tags":["Powershell","Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1202","Tactic":"Defense Evasion","Reference":"https://attack.mitre.org/techniques/T1202/"}],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$i: Image ~= '(?i:\\\\powershell.exe$)'","$enc: CommandLine ~= '(?i: (-|/)e[ncodedcommands]* )'"],"Condition":"$i and $enc","Actions":null}
{"Name":"PowershellLargeCL","Tags":["Heuristics","CL"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":4,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$lcl: CommandLine ~= '.{512,}'","$ps: Image ~= '(?i:\\\\powershell.exe$)'"],"Condition":"$lcl and $ps","Actions":null}
{"Name":"PowershellSamlibDll","Tags":["Mimikatz","Credentials","Powershell","DLL"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[7]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$il: ImageLoaded ~= '(?i:\\\\samlib.dll$)'","$ps: Image ~= '(?i:\\\\powershell\\.exe$)'"],"Condition":"$ps and $il","Actions":null}
{"Name":"PowershellStdin","Tags":["Powershell"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1202","Tactic":"Defense Evasion","Reference":"https://attack.mitre.org/techniques/T1202/"}],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ps: Image ~= '(?i:\\\\powershell.exe$)'","$arg: CommandLine ~= '(?i: (-|/)c[ommand]*\\s+-)'"],"Condition":"$ps and $arg","Actions":null}
{"Name":"ProcPrivEsc","Tags":["WHIDS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ga: GrantedAccess \u0026= '0x20'","$srclow: SourceIntegrityLevel = 'Low'","$srcmed: SourceIntegrityLevel = 'Medium'","$srchigh: SourceIntegrityLevel = 'High'","$tgtmed: TargetIntegrityLevel = 'Medium'","$tgthigh: TargetIntegrityLevel = 'High'","$tgtsys: TargetIntegrityLevel = 'System'"],"Condition":"$ga and (($srclow and ($tgtmed or $tgthigh or $tgtsys)) or ($srcmed and ($tgthigh or $tgtsys)) or ($srchigh and $tgtsys))","Actions":null}
{"Name":"ProcessCreate","Tags":null,"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":null,"Criticality":0,"Disable":false,"Filter":true,"Schema":"2.0.0"},"Matches":[],"Condition":"","Actions":null}
{"Name":"PsExec","Tags":["Powershell","Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$psexec: Product = 'Sysinternals PsExec'","$im: Image ~= '(?i:\\\\psexe(c|svc).exe$)'"],"Condition":"$psexec and $im","Actions":null}
{"Name":"PsExec4624","Tags":["Lateral","Security"],"Meta":{"Events":{"Security":[4624]},"Computers":[],"Criticality":5,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$psexec: ProcessName ~= '(?i:\\\\PSEXESVC\\.exe$)'"],"Condition":"$psexec","Actions":null}
{"Name":"PsExecCommand","Tags":["Powershell","Heuristics"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$psexesvc: ParentImage ~= '(?i:\\\\psexesvc.exe$)'"],"Condition":"$psexesvc","Actions":null}
{"Name":"Reg.exe","Tags":["Tool"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":2,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exe: Image ~= '(?i:\\\\reg\\.exe$)'"],"Condition":"$exe","Actions":null}
{"Name":"Regsvr32ApplockerBypass","Tags":["Regsvr32","AppLockerBypass","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1117","Tactic":"execution","Reference":"https://attack.mitre.org/techniques/T1117"}],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$im: Image ~= '(?i:^c:\\\\windows\\\\sys(wow64|tem32)\\\\regsvr32.exe$)'","$sw1: CommandLine ~= '(?i: /n )'","$sw2: CommandLine ~= '(?i: /s )'","$sw3: CommandLine ~= '(?i: /u )'","$sw4: CommandLine ~= '(?i: /i:)'"],"Condition":"$im and $sw4 and $sw3 and $sw2 and $sw1","Actions":null}
{"Name":"RunningScheduledTask","Tags":["ScheduledTasks"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1053","Tactic":"privilege-escalation","Reference":"https://attack.mitre.org/techniques/T1053"}],"Criticality":3,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$schtasks: ParentImage ~= '(?i:^c:\\\\windows\\\\system32\\\\schtasks\\.exe$)'"],"Condition":"$schtasks","Actions":null}
{"Name":"SecurityLogClearing","Tags":["PostExploit"],"Meta":{"Events":{"Security":[1102]},"Computers":[],"ATTACK":[{"ID":"T1070","Tactic":"defense-evasion","Reference":"https://attack.mitre.org/techniques/T1070"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":[],"Condition":"","Actions":null}
{"Name":"ServiceDeletion","Tags":["Services"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":3,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$sc: Image ~= '(?i:sc.exe$)'","$op: CommandLine ~= '(?i: (delete) )'"],"Condition":"$sc and $op","Actions":null}
{"Name":"StopSvchostAccess","Tags":["Invoke-Phant0m","SvcHost"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$svchost: TargetImage ~= '(?i:C:\\\\windows\\\\sys(tem32|wow64)\\\\svchost\\.exe)'","$wl: SourceImage ~= '((?i:C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\.*?\\\\MsMpEng\\.exe|C:\\\\Program Files.*?\\\\Windows Defender\\\\.*?\\.exe)|(?i:C:\\\\Windows\\\\sysmon(64)?\\.exe)|(?i:C:\\\\Windows\\\\Sys(wow64|tem32)\\\\[^\\\\]*\\.exe)|(?i:C:\\\\Windows\\\\sys(tem32|wow64)\\\\wbem\\\\wmiprvse\\.exe))'","$stopresume: GrantedAccess \u0026= '0x0800'","$terminate: GrantedAccess \u0026= '0x0001'"],"Condition":"$svchost and ($stopresume or $terminate) and !$wl","Actions":null}
{"Name":"SuspWMIC","Tags":["WMI"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$wmic: Image ~= '(?i:\\\\wmic\\.exe$)'","$proc: CommandLine ~= '(?i:process\\s+call\\s+create)'"],"Condition":"$wmic and $proc","Actions":null}
{"Name":"SuspWriteAccess","Tags":["WHIDS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"ATTACK":[{"ID":"T1055","Tactic":"privilege-escalation","Reference":"https://attack.mitre.org/techniques/T1055"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ga: GrantedAccess \u0026= '0x20'","$wlsvcs: SourceServices ~= '(?i:(Sysmon64|Appinfo|PcaSvc|Themes))'","$srcwl: SourceImage ~= '(?i:(?i:C:\\\\Windows\\\\Sys(wow64|tem32)\\\\)(conhost|csrss|lsass)\\.exe)'","$trgwl: TargetImage ~= '(?i:(?i:C:\\\\(PROGRA~(1|2)|Program Files.*?)\\\\WindowsApps\\\\)(Microsoft\\.MicrosoftOfficeHub_.*?\\\\LocalBridge\\.exe))'","$srcisparent: SourceProcessGUID = @TargetParentProcessGuid","$srcistarget: SourceImage = @TargetImage","$srcissystem: SourceIntegrityLevel = 'System'"],"Condition":"$ga and !($wlsvcs or $srcwl or $trgwl or $srcissystem or $srcisparent or $srcistarget)","Actions":null}
{"Name":"SuspiciousADS","Tags":["ADS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[15]},"Computers":[],"ATTACK":[{"ID":"T1096","Tactic":"defense-evasion","Reference":"https://attack.mitre.org/techniques/T1096"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$target: TargetFilename ~= '(?i:((?i:(\\.ps1|\\.bat|\\.cmd|\\.vb|\\.vbs|\\.vbscript|\\.vbe|\\.js|\\.jse|\\.ws|\\.wsf))|(?i:(\\.acm|\\.ax|\\.com|\\.cpl|\\.dic|\\.dll|\\.drv|\\.ds|\\.efi|\\.exe|\\.grm|\\.iec|\\.ime|\\.lex|\\.msstyles|\\.mui|\\.ocx|\\.olb|\\.rll|\\.rs|\\.scr|\\.sys|\\.tlb|\\.tsp|\\.winmd|\\.node))))$'"],"Condition":"$target","Actions":null}
{"Name":"SuspiciousLsassAccess","Tags":["Mimikatz","Credentials","Lsass"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[10]},"Computers":[],"ATTACK":[{"ID":"T1003","Tactic":"Credential Access","Reference":"https://attack.mitre.org/techniques/T1003/"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$ctwdef: CallTrace ~= '(?i:windows defender)'","$ga: GrantedAccess \u0026= '0x10'","$lsass: TargetImage ~= '(?i:\\\\lsass\\.exe$)'","$wmiprvse: SourceImage ~= '(?i:(?i:C:\\\\Windows\\\\Sys(wow64|tem32)\\\\)wbem\\\\wmiprvse\\.exe)'","$taskmgr: SourceImage ~= '(?i:(?i:C:\\\\Windows\\\\Sys(wow64|tem32)\\\\)taskmgr\\.exe)'","$boot: SourceImage ~= '(?i:C:\\\\Windows\\\\system32\\\\(wininit|csrss)\\.exe)'"],"Condition":"$lsass and $ga and !($ctwdef or $wmiprvse or $taskmgr or $boot)","Actions":null}
{"Name":"SuspiciousRundll32","Tags":["Rundll32"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[7]},"Computers":[],"ATTACK":[{"ID":"T1085","Tactic":"execution","Reference":"https://attack.mitre.org/techniques/T1085"}],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$im: Image ~= '(?i:^c:\\\\windows\\\\sys(wow64|tem32)\\\\rundll32.exe$)'","$pgfiles: ImageLoaded ~= '(?i:^C:\\\\(PROGRA~2|Program Files.*?)\\\\)'","$windows: ImageLoaded ~= '(?i:^C:\\\\Windows\\\\)'"],"Condition":"$im and !($pgfiles or $windows)","Actions":null}
{"Name":"SuspiciousService","Tags":["SvcHost","ImageLoaded","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":4,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$parent: ParentImage ~= '(?i:C:\\\\Windows\\\\(System32|SysWOW64)\\\\services\\.exe)'","$windows: Image ~= '(?i:C:\\\\Windows\\\\)'","$programfile: Image ~= '(?i:C:\\\\(PROGRA~2|Program Files.*?)\\\\.*)'"],"Condition":"$parent and !$windows and !$programfile","Actions":null}
{"Name":"SuspiciousServiceCreated","Tags":["Services"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$sc: Image ~= '(?i:sc.exe$)'","$op: CommandLine ~= '(?i: (create) )'","$binpath: CommandLine ~= '?i:(binPath=.*?C:\\\\Windows)'"],"Condition":"$sc and $op and !$binpath","Actions":null}
{"Name":"SuspiciousServiceInstallation","Tags":["Services","Registry","Autorun"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[13]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$eventtype: EventType = 'SetValue'","$key1: TargetObject ~= '(?i:^HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\.*?\\\\ImagePath$)'","$key2: TargetObject ~= '(?i:^HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\.*?\\\\Parameters\\\\ServiceDll$)'","$systemroot: Details ~= '(?i:%%SystemRoot%%)'","$service: Image ~= '(?i:C:\\\\Windows\\\\system32\\\\services.exe)'"],"Condition":"$eventtype and ($key1 or $key2) and !($systemroot or $service)","Actions":null}
{"Name":"SvcHostBadParent","Tags":["SvcHost","Heuristics","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$svchost: Image ~= '(?i:^c:\\\\windows\\\\sys(tem32|wow64)\\\\svchost\\.exe$)'","$pservices: ParentImage ~= '(?i:^C:\\\\Windows\\\\sys(tem32|wow64)\\\\(services|svchost)\\.exe$)'"],"Condition":"$svchost and !$pservices","Actions":null}
{"Name":"SvcHostMimic","Tags":["SvcHost","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$im: Image ~= '(?i:\\\\svchost)'","$svchost: Image ~= '(?i:c:\\\\windows\\\\sys(tem32|wow64)\\\\svchost.exe$)'"],"Condition":"$im and !$svchost","Actions":null}
{"Name":"SvcHostUnsignedDll","Tags":["SvcHost","ImageLoaded","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[7]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$im: Image ~= '(?i:C:\\\\Windows\\\\System32\\\\svchost\\.exe)'","$unsigned: Signed = 'false'"],"Condition":"$im and $unsigned","Actions":null}
{"Name":"SvcHostUntrustedDLL","Tags":["SvcHost","ImageLoaded","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[7]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$im: Image ~= '(?i:C:\\\\Windows\\\\System32\\\\svchost\\.exe)'","$trusted: Signature ~= '^(Microsoft Windows|Microsoft Corporation|Microsoft Windows Component Publisher|Microsoft Windows Publisher|Microsoft Windows 3rd party Component)$'"],"Condition":"$im and !$trusted","Actions":null}
{"Name":"SysmonConfigChanged","Tags":["Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[16]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":[],"Condition":"","Actions":null}
{"Name":"SysmonConfigTampering","Tags":["Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[12,13]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$set: EventType = 'SetValue'","$del: EventType = 'DeleteValue'","$sysmon: Image ~= '(?i:C:\\\\Windows\\\\Sysmon.exe)'","$target: TargetObject ~= '(?i:HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\SysmonDrv\\\\Parameters\\\\(Options|HashingAlgorithm|Rules))'"],"Condition":"$target and ($set or $del) and !$sysmon","Actions":null}
{"Name":"SysmonDomainInMisp","Tags":["DNS","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[22]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$domainBL: extract('(?P\u003cdom\u003e\\w+\\.\\w+$)',QueryName) in misp'","$subdomainBL: extract('(?P\u003csub\u003e\\w+\\.\\w+\\.\\w+$)',QueryName) in misp'","$subsubdomainBL: extract('(?P\u003csubsub\u003e\\w+\\.\\w+\\.\\w+\\.\\w+$)',QueryName) in misp'"],"Condition":"$domainBL or $subdomainBL or $subsubdomainBL","Actions":null}
{"Name":"SysmonFingerprinting","Tags":["Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$sysmon: Product = 'Sysinternals Sysmon'","$sysmonim: Image ~= '(?i:C:\\\\Windows\\\\.*sysmon.*)'","$arg: CommandLine ~= '(?i:\\s-c\\s*$)'"],"Condition":"($sysmon or $sysmonim) and $arg","Actions":null}
{"Name":"SysmonRegFingerprinting","Tags":["Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[12]},"Computers":[],"Criticality":7,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$create: EventType = 'CreateKey'","$sysmon: Image ~= '(?i:C:\\\\Windows\\\\Sysmon.exe)'","$target: TargetObject ~= '(?i:^HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\SysmonDrv\\\\Parameters)'"],"Condition":"$target and $create and !$sysmon","Actions":null}
{"Name":"SysmonStateChanged","Tags":["Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[4]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$start: State = 'Started'"],"Condition":"!$start","Actions":null}
{"Name":"SystemInfo.exe","Tags":["Tool"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":2,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exe: Image ~= '(?i:\\\\systeminfo\\.exe$)'"],"Condition":"$exe","Actions":null}
{"Name":"Taskkill.exe","Tags":["Tool"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":2,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exe: Image ~= '(?i:\\\\taskkill\\.exe$)'"],"Condition":"$exe","Actions":null}
{"Name":"Tasklist.exe","Tags":["Tool"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":2,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exe: Image ~= '(?i:\\\\tasklist\\.exe$)'"],"Condition":"$exe","Actions":null}
{"Name":"UnkDstPort","Tags":["Network"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[3]},"Computers":[],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$dstlocalhost: DestinationIp = '127.0.0.1'","$dstprivip: DestinationIp ~= '(?i:(^127\\.)|(^10\\.)|(^172\\.1[6-9]\\.)|(^172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(^192\\.168\\.))'","$unk: DestinationPortName ~= '^$'","$system: Image ~= '^(?i:C:\\\\Windows\\\\Sys(wow64|tem32)\\\\)'","$init: Initiated = 'true'"],"Condition":"!$system and !$dstprivip and !$dstlocalhost and $unk and $init","Actions":null}
{"Name":"UnkPrivDstPort","Tags":["Network"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[3]},"Computers":[],"Criticality":6,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$dstlocalhostv6: DestinationIp = '0:0:0:0:0:0:0:1'","$dstlocalhost: DestinationIp = '127.0.0.1'","$dstprivip: DestinationIp ~= '(?i:(^127\\.)|(^10\\.)|(^172\\.1[6-9]\\.)|(^172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(^192\\.168\\.))'","$unk: DestinationPortName ~= '^$'","$system: Image ~= '^(?i:C:\\\\Windows\\\\Sys(wow64|tem32)\\\\)'","$init: Initiated = 'true'"],"Condition":"!$system and $dstprivip and !($dstlocalhost or $dstlocalhostv6) and $unk and $init","Actions":null}
{"Name":"UnknownServices","Tags":["WHIDS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exist: Services ~= '.'","$na: Services = 'N/A'","$hosted: Image ~= '(?i:\\\\(lsass|svchost)\\.exe$)'","$sysmon: Services = 'Sysmon64'","$win10shared: Services ~= '(?i:(^|,)(AJRouter|AppIDSvc|AppMgmt|AssignedAccessManagerSvc|AxInstSV|BDESVC|BFE|BrokerInfrastructure|BTAGService|bthserv|CertPropSvc|CoreMessagingRegistrar|CscService|DcomLaunch|DeviceAssociationService|DevQueryBroker|diagsvc|DisplayEnhancementService|dmwappushservice|dot3svc|DsSvc|Eaphost|EFS|embeddedmode|EntAppSvc|fdPHost|FDResPub|fhsvc|FrameServer|GraphicsPerfSvc|hidserv|HvHost|icssvc|IKEEXT|IpxlatCfgSvc|KeyIso|KtmRm|lltdsvc|LxpSvc|mpssvc|MSiSCSI|NaturalAuthentication|NcaSvc|NcdAutoSetup|Netlogon|Netman|NetSetupSvc|NetTcpPortSharing|p2pimsvc|p2psvc|PeerDistSvc|pla|PNRPAutoReg|PNRPsvc|PolicyAgent|Power|PrintNotify|QWAVE|RasAuto|RasMan|RemoteAccess|RemoteRegistry|RetailDemo|RmSvc|RpcEptMapper|RpcSs|SamSs|SCardSvr|ScDeviceEnum|SCPolicySvc|seclogon|SensorService|SensrSvc|SessionEnv|SharedAccess|SharedRealitySvc|shpamsvc|SmsRouter|svsvc|SystemEventsBroker|TapiSrv|TermService|TroubleshootingSvc|tzautoupdate|UmRdpService|upnphost|VaultSvc|vmicguestinterface|vmicheartbeat|vmickvpexchange|vmicrdv|vmicshutdown|vmictimesync|vmicvmsession|vmicvss|W32Time|WalletService|WbioSrvc|wcncsvc|WebClient|Wecsvc|WEPHOSTSVC|wercplsupport|WFDSConMgrSvc|WiaRpc|WinRM|wlpasvc|WManSvc|workfolderssvc|WwanSvc|XblAuthManager|XblGameSave|XboxGipSvc|XboxNetApiSvc|AarSvc_\\w+|BcastDVRUserService_\\w+|BluetoothUserService_\\w+|CaptureService_\\w+|ConsentUxUserSvc_\\w+|DeviceAssociationBrokerSvc_\\w+|DevicePickerUserSvc_\\w+|DevicesFlowUserSvc_\\w+|MessagingService_\\w+|OneSyncSvc_\\w+|PimIndexMaintenanceSvc_\\w+|PrintWorkflowUserSvc_\\w+|UnistoreSvc_\\w+|UserDataSvc_\\w+)(,|$))'","$win10svcs: Services ~= '(?i:^(ALG|Appinfo|AppReadiness|AppVClient|AppXSvc|AudioEndpointBuilder|Audiosrv|autotimesvc|BITS|BthAvctpSvc|camsvc|CDPSvc|ClipSVC|COMSysApp|CryptSvc|defragsvc|DeviceInstall|Dhcp|diagnosticshub.standardcollector.service|DiagTrack|DispBrokerDesktopSvc|DmEnrollmentSvc|Dnscache|DoSvc|DPS|DsmSvc|DusmSvc|EventLog|EventSystem|Fax|FontCache|gpsvc|InstallService|iphlpsvc|LanmanServer|LanmanWorkstation|lfsvc|LicenseManager|lmhosts|LSM|MapsBroker|MSDTC|msiserver|NcbService|netprofm|NgcCtnrSvc|NgcSvc|NlaSvc|nsi|PcaSvc|perceptionsimulation|PerfHost|PhoneSvc|PlugPlay|ProfSvc|PushToInstall|RpcLocator|Schedule|SDRSVC|SecurityHealthService|SEMgrSvc|SENS|Sense|SensorDataService|SgrmBroker|ShellHWDetection|smphost|SNMPTRAP|spectrum|Spooler|sppsvc|SSDPSRV|ssh-agent|SstpSvc|StateRepository|stisvc|StorSvc|swprv|SysMain|TabletInputService|Themes|TieringEngineService|TimeBrokerSvc|TokenBroker|TrkWks|TrustedInstaller|UevAgentService|UserManager|UsoSvc|VacSvc|vds|VSS|WaaSMedicSvc|WarpJITSvc|wbengine|Wcmsvc|WdiServiceHost|WdiSystemHost|WdNisSvc|WerSvc|WinDefend|WinHttpAutoProxySvc|Winmgmt|wisvc|WlanSvc|wlidsvc|wmiApSrv|WMPNetworkSvc|WpcMonSvc|WPDBusEnum|WpnService|wscsvc|WSearch|wuauserv|cbdhsvc_\\w+|CDPUserSvc_\\w+|WpnUserService_\\w+)$)'"],"Condition":"$exist and !($na or $sysmon or ($hosted and $win10shared) or $win10svcs)","Actions":null}
{"Name":"UntrustedDriverLoaded","Tags":["DriverLoaded","Sysmon"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[6]},"Computers":[],"ATTACK":[{"ID":"T1014","Tactic":"Defense Evasion","Reference":"https://attack.mitre.org/techniques/T1014/"}],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$trusted: Signature ~= '^(Microsoft Windows|Microsoft Corporation)$'"],"Condition":"!$trusted","Actions":null}
{"Name":"UntrustedService","Tags":["WHIDS"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[7]},"Computers":[],"ATTACK":[{"ID":"T1035","Tactic":"Execution","Reference":"https://attack.mitre.org/techniques/T1035/"}],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$loaded: ImageLoaded ~= '(?i:\\.exe$)'","$pservice: ParentImage ~= '(?i:(?i:C:\\\\Windows\\\\Sys(wow64|tem32)\\\\)services\\.exe)'","$trusted: Signature ~= '^(Microsoft Windows|Microsoft Corporation|Microsoft Windows Component Publisher|Microsoft Windows Publisher|Microsoft Windows 3rd party Component)$'"],"Condition":"$loaded and $pservice and !$trusted","Actions":null}
{"Name":"UserTempExec","Tags":["Heuristics","Exec"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":4,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$pi: ParentImage ~= '^C:\\\\Users\\\\.*\\\\AppData\\\\Local\\\\Temp\\\\'","$i: Image ~= '^C:\\\\Users\\\\.*\\\\AppData\\\\Local\\\\Temp\\\\'"],"Condition":"$pi or $i","Actions":null}
{"Name":"WMIApplockerBypassAttempt","Tags":["WMI"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1220","Tactic":"execution","Reference":"https://attack.mitre.org/techniques/T1220"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$wmi: Image ~= '(?i:\\\\wmic\\.exe$)'","$format: CommandLine ~= '(?i:/format:.*\\.xsl)'"],"Condition":"$wmi and $format","Actions":null}
{"Name":"WMIEvents","Tags":["WMI"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[19,20,21]},"Computers":[],"ATTACK":[{"ID":"T1084","Tactic":"persistence","Reference":"https://attack.mitre.org/techniques/T1084"}],"Criticality":10,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":[],"Condition":"","Actions":null}
{"Name":"WMIPrvseCommand","Tags":["WMI"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"ATTACK":[{"ID":"T1047","Tactic":"execution","Reference":"https://attack.mitre.org/techniques/T1047"}],"Criticality":8,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$wmi: ParentImage ~= '(?i:\\\\wmiprvse\\.exe$)'"],"Condition":"$wmi","Actions":null}
{"Name":"WindowsTempExec","Tags":["Heuristics","Exec"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":3,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$wtpi: ParentImage ~= '^C:\\\\Windows\\\\Temp'","$wti: Image ~= '^C:\\\\Windows\\\\Temp'"],"Condition":"$wtpi or $wti","Actions":null}
{"Name":"Xcopy.exe","Tags":["Tool"],"Meta":{"Events":{"Microsoft-Windows-Sysmon/Operational":[1]},"Computers":[],"Criticality":2,"Disable":false,"Filter":false,"Schema":"2.0.0"},"Matches":["$exe: Image ~= '(?i:\\\\xcopy\\.exe$)'"],"Condition":"$exe","Actions":null}