Transcription
QLean for IBM Securitywww.scnsoft.comQRadar SIEM: Admin GuideMITRE Windows Integration Appfor IBM Security QRadar SIEMADMIN GUIDE 2021 ScienceSoft Page 1 from 43
MITRE Windows Integration App:Admin GuideTable of ContentsOverview.3Supported Versions .3Extension Installation .3Downloading Extension . 3Installing Extension . 4App Description .4Rules overview . 4Rules structure . 5Application side . 6Prerequisites .7Configuring WinCollect Agent . 8Configuring Sysmon. 9Usage.10Add legitimate Windows Users and Machine (host) . 10Map rules to MITRE Techniques via Use Case Manager (Optional) . 10Manually . 10Automatically . 11Troubleshooting .12Appendix A: Release notes.13Appendix B: Custom Properties .14Appendix C: Custom Rules.15 2021 ScienceSoft Page 2 from 43
MITRE Windows Integration App:Admin GuideOverviewMITRE Windows Integration App tactics by ScienceSoft are based on the logs provided by a Microsoft Sysmontool that is configured in a certain way.System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system,remains resident across system reboots to monitor and log system activity to the Windows event log. Itprovides detailed information about process creations, network connections, and changes to file creation time.By collecting the events it generates using Windows Event Collection or SIEM agents and subsequentlyanalyzing them, you can identify malicious or anomalous activity and understand how intruders and malwareoperate on your network.While massively tested and tuned, some rules are disabled by default to prevent potential false-positives onthe production SIEM environment, so make sure to enable them after the Sysmon configuration is done.IMPORTANT: This complimentary application is a part of the full set of the MITRE Windows Integration Appcreated by ScienceSoft. You can request this package as a commercial product along with the professionalservices support for Sysmon configuration and troubleshooting at qlean@scnsoft.com.Supported VersionsSupported QRadar versions are: 7.3.2 GA and higherNOTE: this solution is developed by ScienceSoft and is not supported by IBM. You can request your owncustom QRadar application to be developed via the following email address: qlean@scnsoft.com.Extension InstallationThe current application is distributed as a QRadar extension. In order to install it, please follow the steps below:Downloading Extension Go to https://exchange.xforce.ibmcloud.com/hubLog in using your IBMidFilter by Type: Custom Rule 2021 ScienceSoft Page 3 from 43
MITRE Windows Integration App:Admin Guide Select MITRE Windows Integration App extensionClick Download button at the top right cornerSave the extension zip fileInstalling Extension Log in to the QRadar UIGo to Admin tabOpen Extensions ManagementClick Add buttonSelect Install immediately checkbox, click Browse button, locate the extension file downloadedfrom IBM App Exchange, and click Add buttonConfirm all the steps and wait for installation to finish. This may take a while.Close Extensions Management window, press Ctrl F5 to fully reload QRadar UI.Deploy changes if requested by QRadarApp DescriptionRules overviewTo get the list of MITRE ATT&CK rules please follow the steps below. Go to Offense tabClick Rules link Click Group drop-down and select a MITRE group. 2021 ScienceSoft Page 4 from 43
MITRE Windows Integration App:Admin GuideRules structureClick any MITRE ATT&CK group rule for more details.IMPORTANT: In order to make MITRE ATT&CK rules to trigger, you must configure Sysmon for every ruleyou are interested in. The Notes section of every rule contains a detailed configuration to be performed.Please scroll down the Notes section to review the whole configuration guide for the rule.Press Next (3) button to check Rule Response part. 2021 ScienceSoft Page 5 from 43
MITRE Windows Integration App:Admin GuideThe following wizard page shows the CRE event that will be generated when the rule triggers. Event Namefield contains the unique id and name of MITRE ATT&CK tactics. Event Description field contains a shortdescription.Application sideThe application has the following tabs: Authentication token – with this tab you automatically map the MITRE ATT&CK rules with Use CaseManager. Check Usage paragraph of this guide.Hints – contains description and short instruction how to configure a Sysmon service. 2021 ScienceSoft Page 6 from 43
MITRE Windows Integration App:Admin Guide Sysmon Rules – a text form where you can copy or download all Sysmon queries related to this rulesset.PrerequisitesThe following software versions are required for proper configuration of audit settings and forwarding to IBMQRadar: WinCollect Agent 7.2.8 or higherSysmon 12.03 or higherTo verify if Sysmon is present and running on your Windows host, verify these steps:With powershell (as admin):get-service sysmon*With GUI: Open run menu, type Win RType in opened window: services.mscFind Sysmon or Sysmon64, verify if it installed and running 2021 ScienceSoft Page 7 from 43
MITRE Windows Integration App:Admin GuideIn the same way for WinCollect:With powershell (as admin):get-service wincollectWith GUI: Open run menu, type Win RType in opened window: services.mscFind WinCollect, verify if it installed and runningConfiguring WinCollect AgentWinCollect is a Syslog event forwarder that administrators can use to forward events from Windows logs toQRadar. WinCollect can collect events from systems locally or be configured to remotely poll other Windowssystems for events.For WinCollect installation, please refer to the IBM documentation. 2021 ScienceSoft Page 8 from 43
MITRE Windows Integration App:Admin GuideWe recommend use following XPath queries for WinCollect configuration: QueryList Query Id "0" Path "Events Of Interest" Select Path "Security" * /Select SuppressPath "Security" (*[System[(EventID 5154orEventID 5156orEventID 5157orEventID 5158)]])or(*[(EventData[Data[@Name 'SubjectUserName'] 'ANONYMOUSLOGON']orEventData[Data[@Name 'TargetUserName'] 'ANONYMOUS LOGON'])]) /Suppress Select Path "System" (*[System[(EventID 104 or EventID 1056 or EventID 7000 or EventID 7011 orEventID 7013 or EventID 7030 or EventID 7031 or EventID 7035 or EventID 7036 or EventID 7040 orEventID 7045)]]) /Select SelectPath "Application" (*[((System[Provider[@Name 'MsiInstaller']and(EventID 1022orEventID 1033 or EventID 1034)]) or System[(Level 2) and (EventID 1000)])]) /Select Select Path "Microsoft-Windows-PowerShell/Admin" * /Select Select Path "Microsoft-Windows-PowerShell/Operational" (*[System[(EventID 4103 or EventID 4104)]]) /Select SelectPath "Microsoft-Windows-AppLocker/EXEandDLL" (*[(System[(EventID 8002)andUserData/RuleAndFileData/PolicyName! "DLL"]) or System[(EventID 8003 or EventID 8004)]]) /Select Select Path "Microsoft-Windows-AppLocker/MSI and Script" (*[System[(EventID 8005 or EventID 8006or EventID 8007)]]) /Select SelectPath "Microsoft-Windows-Sysmon/Operational" (*[System[(EventID 1orEventID 3orEventID 7 or EventID 8 or EventID 9 or EventID 10 orEventID 11 or EventID 12 or EventID 13 orEventID 14 or EventID 17 or EventID 18 or EventID 19 or EventID 20 or EventID 21)]]) /Select SelectPath "Microsoft-Windows-SecurityMitigations/KernelMode" (*[System[Provider[@Name 'Microsoft-Windows-Security-Mitigations'or@Name 'Microsoft-Windows-WER-Diag'or@Name 'Microsoft-Windows-Win32k'or@Name 'Win32k']and((EventID 1 and EventID 24) or EventID 5 or EventID 260)]]) /Select SelectPath "Microsoft-Windows-SecurityMitigations/UserMode" (*[System[Provider[@Name 'Microsoft-Windows-Security-Mitigations'or@Name 'Microsoft-Windows-WER-Diag'or@Name 'Microsoft-Windows-Win32k'or@Name 'Win32k']and((EventID 1 and EventID 24) or EventID 5 or EventID 260)]]) /Select /Query /QueryList Configuring SysmonSysmon is a free solution initially developed by Mark Russinovich and Thomas Garnier from former WinternalsSoftware company and currently maintained by Microsoft. The tool is designed to extend the current loggingcapabilities in Windows to aid in understanding and detecting attackers by behavior. It was developed originallyfor internal use at Microsoft.All of the events generated by Sysmon are saved in Microsoft-Windows-Sysmon/Operational EventLog inorder to accommodate security products that already leverage the EventLog, and to make the events easierto view and collect.Download an installation file from Microsoft. The tool supports 64-bit and 32-bit systems and uses a singlecommand line tool for installation and configuration management. Extract it to any folder and run a command:sysmon64.exe –I sysmon.xmlWhere sysmon.xml is pre-created configuration file:Sample of configuration: Sysmon schemaversion "4.22" EventFiltering RuleGroup name "" groupRelation "or" FileCreate onmatch "include" Rule groupRelation "or" TargetFilename name "T1170" condition "end with" .hta /TargetFilename /Rule /RuleGroup /EventFiltering /Sysmon 2021 ScienceSoft Page 9 from 43
MITRE Windows Integration App:Admin GuideNOTE: Find full configuration file in Application UI FormTo update the current configuration, run the following command:C:\Windows\Sysmon64.exe –c sysmon.xmlNOTE: You can easily install and configure both WinCollect Agent and Sysmon in an automated mode onmultiple windows hosts using required XPath and Sysmon configuration with IBM-validated professionalsolution called QWAD QWAD WinCollect Assisted Deployment available on IBM App Exchange.UsageAdd legitimate Windows Users and Machine (host)Most of the rules do have the following test defined in rule WindowsUsersWhitelist- AlphaNumeric (Ignore Case)and NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist- AlphaNumeric (Ignore Case)Add legitimate user names to the MITRE: Windows Users Whitelist and MITRE: Windows MachinesWhitelist reference sets in order to avoid false-positive offenses.NOTE: Please refer to Appendix C for complete list of rules available in this package.Map rules to MITRE Techniques via Use Case Manager (Optional)Windows MITRE rules can be mapped to MITRE Techniques with UCM Use Case Manager that you can getfrom IBM App Exchange.There are two ways to do that: manually in Use Case Manager, or automatically via MITRE WindowsIntegration App application.-ManuallyTo map techniques click ATT&CK Action button on the main page of Use Case Manager and select Import.Click an upload icon and select a map file with .json extension, then click Import. 2021 ScienceSoft Page 10 from 43
MITRE Windows Integration App:Admin GuideYou can download a mapping json file from Application. Open MITRE Windows App interface. Move to Hintstab, then click Download Mapping File button. AutomaticallyLogin to QRadar UIGo to Admin tabCreate new Authorized ServiceOpen the MITRE Windows Integration App interfaceOn the initial run you’ll be presented with a configuration field to enter Authorization TokenEnter Authorization Token generated on previous step (1)Press Save button to save configuration 2021 ScienceSoft Page 11 from 43
MITRE Windows Integration App:Admin GuideAfter that the app will once map all rules from it. Check the status bar to be sure that has happened.NOTE: Be sure that you have Use Case Manager installed.TroubleshootingThis application is provided “as-is”. You can provide any suggestions how to make it better and requestprofessional services support for Sysmon configuration and troubleshooting at qlean@scnsoft.com. 2021 ScienceSoft Page 12 from 43
MITRE Windows Integration App:Admin GuideAppendix A: Release notes1.0.0Initial version 2021 ScienceSoft Page 13 from 43
MITRE Windows Integration App:Admin GuideAppendix B: Custom PropertiesSeveral custom properties are provided to enhance Sysmon events normalization. The custom propertieslisted below will be installed automatically along with the application.NameTarget User NameMachine IDSysmon Rule NameDescriptionDefault custom extraction of Target UserNameDSMextractionpayload. of Machine ID.Defaultfromcustomfrom DSMpayload.Nameof rulethat triggered the event. 2021 ScienceSoft Page 14 from 43RegexTarget.*?AccountComputer ([ \s] )Name[\:\\\ \s] (.*?)\s (?:AccountDomain Target Domain: && \s)RuleName:\s (. )\s Utc
MITRE Windows Integration App:Admin GuideAppendix C: Custom RulesComplete list of rules provided with application:Rule NameLogicMITRE.WIN.T1003.005.RULEOS Credential Dumping:Cached Domain Credentialswhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [1]AND when the event matchesSysmon Rule Name (custom) isany of T1003AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [1]AND when the event matchesSysmon Rule Name (custom) isany of T1007AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [1]AND when the event matchesSysmon Rule Name (custom) isany of T1012MITRE.WIN.T1007.RULESystem Service DiscoveryMITRE.WIN.T1012.RULEQuery Registry 2021 ScienceSoftNotesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section ProcessCreateonmatch "include" add following lines: CommandLine name "T1003.005"condition "contains" HKLM\SECURITY\CACHE /CommandLine Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section ProcessCreateonmatch "include" add following lines: OriginalFileName name "T1007"condition "contains" LoadOrd /OriginalFileName OriginalFileName name "T1007"condition "is" PsService.exe /OriginalFileName Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section ProcessCreateonmatch "include" add following lines: OriginalFileName name "T1012"condition "contains" Regsize /OriginalFileName Page 15 from 43
MITRE Windows Integration App:Admin GuideMITRE.WIN.T1021.001.RULERemote Services: RemoteDesktop ProtocolMITRE.WIN.T1021.003.RULERemote Services:Distributed ComponentObject ModelMITRE.WIN.T1021.006.RULERemote Services: WindowsRemote ManagementAND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [12 or 13 or14]AND when the event matchesSysmon Rule Name (custom) isany of T1021AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [12 or 13 or14]AND when the event matchesSysmon Rule Name (custom) isany of T1021AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent Log 2021 ScienceSoft OriginalFileName name "T1012"condition "is" ru.exe /OriginalFileName Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section RegistryEventonmatch "include" add following lines: TargetObject name "T1021.001"condition "is" HKLM\SOFTWARE\Policies\Microsoft\Windows NT\TerminalServices /TargetObject Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section RegistryEventonmatch "include" add following lines: TargetObject name "T1021.003"condition "is" HKLM\SOFTWARE\Microsoft\Ole /TargetObject Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable: Page 16 from 43
MITRE Windows Integration App:Admin GuideAND when the event matchesEvent ID is any of [1 or 3]AND when the event matchesSysmon Rule Name (custom) isany of T1021AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericMITRE.WIN.T1027.RULEObfuscated Files orInformationMITRE.WIN.T1037.001.RULEBoot or Logon InitializationScripts: Logon Script(Windows)when the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [1]AND when the event matchesSysmon Rule Name (custom) isany of T1027AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [12 or 13 or14]AND when the event matchesSysmon Rule Name (custom) isany of T1037AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in any 2021 ScienceSoftIn section ProcessCreateonmatch "include" add following lines: Image name "T1021.006"condition "image" winrm.cmd /Image OriginalFileName name "T1021.006"condition "is" wsmprovhost.exe /OriginalFileName In section NetworkConnectonmatch "include" add following lines: DestinationPort name "T1021.006"condition "is" 5986 /DestinationPort Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section ProcessCreateonmatch "include" add following lines: CommandLine name "T1027"condition "contains" ˆ /CommandLine CommandLine name "T1027"condition "contains" ././ /CommandLine Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section RegistryEventonmatch "include" add following lines: TargetObject name "T1037.001"condition "contains" HKCU\Environment\UserInitMprLogonScript /TargetObject TargetObject name "T1037.001"condition "contains" HKEY CURRENT USER\Environment"UserInitMprLogonScript" /TargetObject Get more Windows MITRE rules: Page 17 from 43
MITRE Windows Integration App:Admin GuideMITRE.WIN.T1037.005.RULEBoot or Logon InitializationScripts: Startup ItemsMITRE.WIN.T1040.RULENetwork SniffingMITRE.WIN.T1049.RULESystem NetworkConnections Discoveryof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [11]AND when the event matchesSysmon Rule Name (custom) isany of T1037AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [1]AND when the event matchesSysmon Rule Name (custom) isany of T1040AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [1 or 3 or 17or 18]AND when the event matchesSysmon Rule Name (custom) isany of T1049AND NOT when any of MachineID (custom) are contained inany of MITRE: Windows 2021 ty/siem/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section FileCreateonmatch "include" add following lines: TargetFilename name "T1037.005"condition "contains" \Startup\ /TargetFilename Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section ProcessCreateonmatch "include" add following lines: OriginalFileName name "T1040"condition "is" PktMon.exe /OriginalFileName Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section ProcessCreateonmatch "include" add following lines: OriginalFileName name "T1049"condition "is" netstat.exe /OriginalFileName In section NetworkConnectonmatch "include" add following lines: Image name "T1049" Page 18 from 43
MITRE Windows Integration App:Admin GuideMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericMITRE.WIN.T1052.001.RULEExfiltration Over PhysicalMedium: Exfiltration overUSBMITRE.WIN.T1053.RULEScheduled Task/Jobwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [2003 or 2004or 2006 or 2010 or 2100 or2101 or 2105 or 2106]AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [1 or 3 or 7 or11]AND when the event matchesSysmon Rule Name (custom) isany of T1053AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumeric 2021 ScienceSoftcondition "image" netstat.exe /Image In section PipeEventonmatch "include" add following lines: PipeName name "T1049"condition "beginwith" \srvsvc /PipeName Get more Windows MITRE em/windows-mitre-attack-rulesNo action required.Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section ProcessCreateonmatch "include" add following lines: OriginalFileName name "T1053"condition "containsany" schtasks.exe;sctasks.exe /OriginalFileName OriginalFileName name "T1053"condition "is" taskeng.exe /OriginalFileName In section NetworkConnectonmatch "include" add following lines: Image name "T1053"condition "image" schtasks.exe /Image Image name "T1053"condition "image" at.exe /Image Image name "T1053"condition "image" taskeng.exe /Image Page 19 from 43
MITRE Windows Integration App:Admin GuideIn section ImageLoadonmatch "include" add following lines: ImageLoaded name "T1053"condition "endwith" taskschd.dll /ImageLoaded In section FileCreateonmatch "include" add following lines: TargetFilename name "T1053"condition "beginwith" C:\Windows\SysWOW64\Tasks /TargetFilename TargetFilename name "T1053"condition "beginwith" C:\Windows\system32\Tasks /TargetFilename TargetFilename name "T1053"condition "beginwith" C:\Windows\Tasks\ /TargetFilename MITRE.WIN.T1053.002.RULEScheduled Task/Job: At(Windows)MITRE.WIN.T1053.005.RULEScheduled Task/Job:Scheduled Taskwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [106 or 140 or141 or 4698 or 4700 or 4701]AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [106 or 140 or141 or 4698 or 4700 or 4701]AND NOT when any of MachineID (custom) are contained inany of MITRE: Windows 2021 ScienceSoftGet more Windows MITRE em/windows-mitre-attack-rulesNo action required.Get more Windows MITRE em/windows-mitre-attack-rulesNo action required.Get more Windows MITRE em/windows-mitre-attack-rules Page 20 from 43
MITRE Windows Integration App:Admin GuideMITRE.WIN.T1056.001.RULEInput Capture: KeyloggingMITRE.WIN.T1059.006.RULECommand and ScriptingInterpreter: PythonMITRE.WIN.T1059.007.RULECommand and ScriptingInterpreter:JavaScript/JScriptMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [12 or 13 or14]AND when the event matchesSysmon Rule Name (custom) isany of T1056AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [1]AND when the event matchesSysmon Rule Name (custom) isany of T1059AND NOT when any of MachineID (custom) are contained inany of MITRE: WindowsMachines Whitelist AlphaNumericAND NOT when any ofUsername are contained in anyof MITRE: Windows UsersWhitelist - AlphaNumericwhen the event(s) weredetected by one or more ofMicrosoft Windows SecurityEvent LogAND when the event matchesEvent ID is any of [1]AND when the event matchesSysmon Rule Name (custom) is 2021 ScienceSoftThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section RegistryEventonmatch "include" add following lines: TargetObject name "T1056.001"condition "contains" e /TargetObject Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on Sysmonconfiguration. Following options shouldbe enable:In section ProcessCreateonmatch "include" add following lines: Image name "T1059.006"condition "image" python.exe /Image Get more Windows MITRE em/windows-mitre-attack-rulesThis is rule based on S
from IBM App Exchange, and click Add button Confirm all the steps and wait for installation to finish. This may take a while. Close Extensions Management window, press Ctrl F5 to fully reload QRadar UI. Deploy changes if requested by QRadar App Description Rules overview To get the list of MITRE ATT&CK rules please follow the steps below.
