Update sentinel_attack_rules.json

heyibrahimkhan · web-flow · commit 3658370ab1fe · 2020-11-06T06:42:43.000+05:00
"and" instead of "or".
Added required spaces as well.
diff --git a/detections/sentinel_attack_rules.json b/detections/sentinel_attack_rules.json
@@ -863,7 +863,7 @@
         "description": "Checks for execution of MITRE ATT&CK T1093",
         "severity": "High",
         "enabled": "true",
-        "query": "Sysmon | where EventID == 1 and ((process_path contains \"smss.exe\" andprocess_parent_command_line !contains \"smss.exe\") or (process_path contains \"csrss.exe\" and (process_parent_command_line !contains \"smss.exe\" andprocess_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"wininit.exe\"andprocess_parent_command_line !contains \"smss.exe\") or (process_path contains \"winlogon.exe\" andprocess_parent_command_line !contains \"smss.exe\") or (process_path contains \"lsass.exe\" andprocess_parent_command_line !contains \"wininit.exe\") or (process_path contains \"LogonUI.exe\" and (process_parent_command_line !contains \"winlogon.exe\" andprocess_parent_command_line !contains \"wininit.exe\")) or (process_path contains \"services.exe\" andprocess_parent_command_line !contains \"wininit.exe\") or (process_path contains \"spoolsv.exe\" andprocess_parent_command_line !contains \"services.exe\") or (process_path contains \"taskhost.exe\" and (process_parent_command_line !contains \"services.exe\" andprocess_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"taskhostw.exe\" and (process_parent_command_line !contains \"services.exe\" andprocess_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"userinit.exe\" and (process_parent_command_line !contains \"dwm.exe\" orprocess_parent_command_line !contains \"winlogon.exe\"))) | extend AccountCustomEntity = UserName | extend HostCustomEntity = Computer | extend FileHashCustomEntity = hash_sha256",
+        "query": "Sysmon | where EventID == 1 and ((process_path contains \"smss.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"csrss.exe\" and (process_parent_command_line !contains \"smss.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"wininit.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"winlogon.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"lsass.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"LogonUI.exe\" and (process_parent_command_line !contains \"winlogon.exe\" and process_parent_command_line !contains \"wininit.exe\")) or (process_path contains \"services.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"spoolsv.exe\" and process_parent_command_line !contains \"services.exe\") or (process_path contains \"taskhost.exe\" and (process_parent_command_line !contains \"services.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"taskhostw.exe\" and (process_parent_command_line !contains \"services.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"userinit.exe\" and (process_parent_command_line !contains \"dwm.exe\" and process_parent_command_line !contains \"winlogon.exe\"))) | extend AccountCustomEntity = UserName | extend HostCustomEntity = Computer | extend FileHashCustomEntity = hash_sha256",
         "queryFrequency": "1H",
         "queryPeriod": "1H",
         "triggerOperator": "GreaterThan",
@@ -1522,4 +1522,4 @@
         "suppressionEnabled": "false"
       }
     ]
-  }
+  }

Original file line number	Diff line number	Diff line change
`@@ -863,7 +863,7 @@`
`863`	`863`	`"description": "Checks for execution of MITRE ATT&CK T1093",`
`864`	`864`	`"severity": "High",`
`865`	`865`	`"enabled": "true",`
`866`		- "query": "Sysmon \| where EventID == 1 and ((process_path contains \"smss.exe\" andprocess_parent_command_line !contains \"smss.exe\") or (process_path contains \"csrss.exe\" and (process_parent_command_line !contains \"smss.exe\" andprocess_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"wininit.exe\"andprocess_parent_command_line !contains \"smss.exe\") or (process_path contains \"winlogon.exe\" andprocess_parent_command_line !contains \"smss.exe\") or (process_path contains \"lsass.exe\" andprocess_parent_command_line !contains \"wininit.exe\") or (process_path contains \"LogonUI.exe\" and (process_parent_command_line !contains \"winlogon.exe\" andprocess_parent_command_line !contains \"wininit.exe\")) or (process_path contains \"services.exe\" andprocess_parent_command_line !contains \"wininit.exe\") or (process_path contains \"spoolsv.exe\" andprocess_parent_command_line !contains \"services.exe\") or (process_path contains \"taskhost.exe\" and (process_parent_command_line !contains \"services.exe\" andprocess_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"taskhostw.exe\" and (process_parent_command_line !contains \"services.exe\" andprocess_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"userinit.exe\" and (process_parent_command_line !contains \"dwm.exe\" orprocess_parent_command_line !contains \"winlogon.exe\"))) \| extend AccountCustomEntity = UserName \| extend HostCustomEntity = Computer \| extend FileHashCustomEntity = hash_sha256",
	`866`	+ "query": "Sysmon \| where EventID == 1 and ((process_path contains \"smss.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"csrss.exe\" and (process_parent_command_line !contains \"smss.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"wininit.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"winlogon.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"lsass.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"LogonUI.exe\" and (process_parent_command_line !contains \"winlogon.exe\" and process_parent_command_line !contains \"wininit.exe\")) or (process_path contains \"services.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"spoolsv.exe\" and process_parent_command_line !contains \"services.exe\") or (process_path contains \"taskhost.exe\" and (process_parent_command_line !contains \"services.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"taskhostw.exe\" and (process_parent_command_line !contains \"services.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"userinit.exe\" and (process_parent_command_line !contains \"dwm.exe\" and process_parent_command_line !contains \"winlogon.exe\"))) \| extend AccountCustomEntity = UserName \| extend HostCustomEntity = Computer \| extend FileHashCustomEntity = hash_sha256",
`867`	`867`	`"queryFrequency": "1H",`
`868`	`868`	`"queryPeriod": "1H",`
`869`	`869`	`"triggerOperator": "GreaterThan",`
`@@ -1522,4 +1522,4 @@`
`1522`	`1522`	`"suppressionEnabled": "false"`
`1523`	`1523`	`}`
`1524`	`1524`	`]`
`1525`		`- }`
	`1525`	`+ }`