add relaying from unexpected processes

olafhartong · May 16, 2022 · e5b0484 · e5b0484
1 parent 87aa4ac
commit e5b0484
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/3_network_connection_initiated/include_relaying.xml b/3_network_connection_initiated/include_relaying.xml
@@ -0,0 +1,20 @@
+<Sysmon schemaversion="4.30">
+	<EventFiltering>
+		<RuleGroup name="" groupRelation="or">
+			<NetworkConnect onmatch="include">
+				<Rule groupRelation="and">
+					<SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort>
+					<Image condition="is not">C:\Windows\System32\lsass.exe</Image>
+        		</Rule>
+				<Rule groupRelation="and">
+					<SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort>
+					<Image condition="is not">c:\Windows\System32\dsamain.exe</Image>
+        		</Rule>
+				<Rule groupRelation="and">
+					<SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort>
+					<ProcessId condition="is not">4</ProcessId>
+        		</Rule>
+			</NetworkConnect>
+		</RuleGroup>
+	</EventFiltering>
+</Sysmon>