Updated after successful CICD run 05/16/2022 18:09:46 UTC

olafhartong · May 16, 2022 · 5e5f6d9 · 5e5f6d9
1 parent e5b0484
commit 5e5f6d9
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/0_custom_configuration/all_modules.txt b/0_custom_configuration/all_modules.txt
diff --git a/sysmonconfig.xml b/sysmonconfig.xml
@@ -782,6 +782,18 @@
         <DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">5986</DestinationPort>
         <Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">psexec.exe</Image>
         <Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">psexesvc.exe</Image>
+        <Rule groupRelation="and">
+          <SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort>
+          <Image condition="is not">C:\Windows\System32\lsass.exe</Image>
+        </Rule>
+        <Rule groupRelation="and">
+          <SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort>
+          <Image condition="is not">c:\Windows\System32\dsamain.exe</Image>
+        </Rule>
+        <Rule groupRelation="and">
+          <SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort>
+          <ProcessId condition="is not">4</ProcessId>
+        </Rule>
         <Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users</Image>
         <Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\ProgramData</Image>
         <Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Temp</Image>