|
| 1 | + |
| 2 | +INSERT INTO public.utm_alert_response_rule VALUES (43, 'Windows Defender Exclusions Added via PowerShell', 'Automatically removes any Windows Defender exclusions added via PowerShell to prevent defense evasion.', '[{"operator":"IS","field":"name","value":"Windows Defender Exclusions Added via PowerShell"}]', '''powershell.exe -Command "Remove-MpPreference -ExclusionPath \"$(log.message | regex_extract -pattern ''''-ExclusionPath\s+''''(.+?)'''')\""'' ; ''powershell.exe -Command "Remove-MpPreference -ExclusionProcess \"$(log.message | regex_extract -pattern ''''-ExclusionProcess\s+''''(.+?)'''')\""''', false, 'windows', NULL, 'admin', '2025-08-21 01:06:59.177318', 'admin', '2025-11-10 17:26:44.510513', NULL, true); |
| 3 | +INSERT INTO public.utm_alert_response_rule VALUES (37, 'Windows: Possible Brute Force Attack', 'Detects patterns of repeated and rapid login attempts from the same IP address or source, indicating a potential brute force attack. This playbook responds by blacklisting the adversary''s IP in the firewall to block further connections.', '[{"operator":"IS","field":"name","value":"Windows: Possible Brute Force Attack"}]', 'netsh advfirewall firewall add rule name="Block-Brute-Force-$(adversary.ip)" dir=in action=block remoteip="$(adversary.ip)" enable=yes', false, 'windows', NULL, 'admin', '2025-07-30 13:16:08.342486', 'admin', '2025-11-10 17:26:58.839489', NULL, true); |
| 4 | +INSERT INTO public.utm_alert_response_rule VALUES (44, 'Windows: PowerShell Keylogging Script', 'Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Terminate the process using the detected process name.', '[{"operator":"IS","field":"name","value":"Windows: PowerShell Keylogging Script"}]', 'taskkill /F /PID $(log.winlogEventDataProcessId) ; taskkill /F /IM $(log.winlogEventDataProcessName)', false, 'windows', NULL, 'admin', '2025-08-25 23:49:30.14447', 'maykel', '2025-09-17 16:17:39.748827', NULL, true); |
| 5 | +INSERT INTO public.utm_alert_response_rule VALUES (38, 'Windows: Multiple Logon Failure Followed by Logon Success', 'Detects a sequence of multiple failed login attempts immediately followed by a successful login from the same IP address or source. This playbook responds by blocking the adversary''s IP and disabling the user account.', '[{"operator":"IS","field":"name","value":"Windows: Multiple Logon Failure Followed by Logon Success"}]', 'netsh advfirewall firewall add rule name="Block-Brute-Force-Success-$(adversary.ip)" dir=in action=block remoteip="$(adversary.ip)" enable=yes ; net user "$(target.user)" /active:no', false, 'windows', NULL, 'admin', '2025-07-30 13:28:18.178386', 'admin', '2025-09-11 14:17:41.67997', NULL, true); |
| 6 | +INSERT INTO public.utm_alert_response_rule VALUES (27, 'Windows Server - Failed RDP Brute Force Response', 'Automates a simple, direct response to RDP brute-force attempts by blocking the attacker''s IP.', '[{"operator":"IS","field":"name","value":"RDP Brute Force Attack"}]', 'netsh advfirewall firewall add rule name="Block-RDP-Brute-Force-$(adversary.ip)" dir=in action=block remoteip="$(adversary.ip)" enable=yes', false, 'windows', NULL, 'admin', '2025-07-21 15:36:37.752404', 'admin', '2025-09-11 14:17:46.972405', '', true); |
| 7 | +INSERT INTO public.utm_alert_response_rule VALUES (30, 'Windows Server - PowerShell Empire Detection', 'Detects potential PowerShell Empire framework usage based on characteristic command patterns, obfuscation techniques, and encoded payloads. This playbook automates actions to kill suspicious processes, delete malicious files, and disable compromised user accounts.', '[{"operator":"IS","field":"name","value":"PowerShell Empire Detection"}]', 'taskkill /F /IM "$(target.process)" ; Remove-Item -LiteralPath "$(target.file)" -Force -Recurse ; net user "$(target.user)" /active:no', false, 'windows', NULL, 'admin', '2025-07-21 16:24:30.144016', 'admin', '2025-09-11 14:17:49.276392', NULL, true); |
| 8 | +INSERT INTO public.utm_alert_response_rule VALUES (40, 'Windows: A user account was added to administration groups', 'Disable the user account that was added to an administrative group to prevent privilege escalation. |
| 9 | +', '[{"operator":"IS","field":"name","value":"Windows: A user account was added to administration groups"}]', 'net user "$(target.user)" /active:no |
| 10 | +', false, 'windows', NULL, 'admin', '2025-08-20 16:53:47.031384', 'admin', '2025-09-11 14:17:54.071588', NULL, true); |
| 11 | +INSERT INTO public.utm_alert_response_rule VALUES (36, 'System Linux: Attempt to Disable Syslog Service', 'Detects attempts to disable the syslog service to disrupt event logging and evade security controls. This playbook responds by logging out and disabling the user account involved.', '[{"operator":"IS","field":"name","value":"System Linux: Attempt to Disable Syslog Service"}]', 'sudo pkill -KILL -u $(target.user) ; sudo usermod --expiredate 1 $(target.user)', false, 'ubuntu', NULL, 'admin', '2025-07-30 13:10:01.375524', 'admin', '2025-09-11 14:18:07.87563', NULL, true); |
| 12 | +INSERT INTO public.utm_alert_response_rule VALUES (42, 'Windows: Disable Windows Firewall Rules via Netsh', 'Re-enables Windows Firewall rules that were disabled by the detected netsh command. |
| 13 | +', '[{"operator":"IS","field":"name","value":"Windows: Disable Windows Firewall Rules via Netsh"}]', 'netsh advfirewall set allprofiles state on |
| 14 | +', false, 'windows', NULL, 'admin', '2025-08-21 00:04:56.548359', 'admin', '2025-09-11 14:17:11.064259', NULL, true); |
| 15 | +INSERT INTO public.utm_alert_response_rule VALUES (29, 'Windows Server - Volume Shadow Copy Deletion', 'Detects and responds to unauthorized deletion of Volume Shadow Copies by terminating suspicious processes, logging out the user, and disabling the user account.', '[{"operator":"IS","field":"name","value":"Volume Shadow Copy Deletion"}]', 'taskkill /F /IM "$(target.process)" ; logoff $(target.user) ; net user "$(target.user)" /active:no', false, 'windows', NULL, 'admin', '2025-07-21 16:06:25.490435', 'admin', '2025-09-11 14:17:14.95432', NULL, true); |
| 16 | +INSERT INTO public.utm_alert_response_rule VALUES (31, 'Linux - Ubuntu - Brute Force User via SSH', 'Detects multiple failed SSH authentication attempts from the same source IP, indicating a potential brute force attack. This playbook blocks the attacking IP, disables the targeted user account, and initiates a host shutdown.', '[{"operator":"IS","field":"name","value":"SSH Brute Force Attempts"}]', 'sudo ufw insert 1 deny from $(adversary.ip) to any port 22 proto tcp ; sudo usermod --expiredate 1 $(target.user) ; sudo shutdown -h now', false, 'ubuntu', NULL, 'admin', '2025-07-21 18:55:28.968204', 'admin', '2025-09-11 14:17:02.54344', NULL, true); |
| 17 | +INSERT INTO public.utm_alert_response_rule VALUES (32, 'Linux - CentOS/RHEL - CVE Vulnerability Detection in RHEL System', 'Detects critical CVE vulnerabilities on RHEL-based systems. Upon detection, this playbook initiates an immediate server shutdown to prevent exploitation.', '[{"operator":"IS","field":"name","value":"CVE Vulnerability Detection in RHEL System"}]', 'sudo shutdown -h now', false, 'centos', NULL, 'admin', '2025-07-21 19:25:03.883518', 'maykel', '2025-09-17 16:17:42.806521', NULL, true); |
| 18 | +INSERT INTO public.utm_alert_response_rule VALUES (34, 'Linux - Process Injection Techniques Detection', 'Detects and responds to suspicious process injection techniques on Ubuntu 20.04/22.04 LTS. This playbook automates disabling the user account associated with the anomalous process execution.', '[{"operator":"IS","field":"name","value":"Process Execution Anomalies"}]', 'sudo usermod --expiredate 1 $(target.user)', false, 'ubuntu', NULL, 'admin', '2025-07-24 18:15:26.605242', 'maykel', '2025-10-15 21:07:02.163459', NULL, true); |
| 19 | +INSERT INTO public.utm_alert_response_rule VALUES (35, 'System Linux: Possible Brute Force Attack', 'Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.', '[{"operator":"IS","field":"name","value":"System Linux: Possible Brute Force Attack"}]', 'sudo ufw deny from $(adversary.ip) to any', false, 'ubuntu', NULL, 'admin', '2025-07-30 01:23:44.667895', 'maykel', '2025-09-17 19:33:08.862106', NULL, true); |
| 20 | +INSERT INTO public.utm_alert_response_rule VALUES (41, 'Windows Defender: Protection Disabled', 'Re-enable Windows Defender protection to restore security defenses.', '[{"operator":"IS","field":"name","value":"Windows Defender: Protection Disabled"}]', '"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Enable', false, 'windows', NULL, 'admin', '2025-08-20 17:28:58.710767', 'maykel', '2025-09-17 16:17:19.899829', NULL, true); |
| 21 | +INSERT INTO public.utm_alert_response_rule VALUES (28, 'Windows Server - AdminSDHolder Abuse Detection', 'Detects modifications to the AdminSDHolder object, which can be used for persistence by granting elevated privileges. This playbook automates disabling the user account that performed the modification.', '[{"operator":"IS","field":"name","value":"AdminSDHolder Abuse Detection"}]', 'net user "$(adversary.user)" /active:no', false, 'windows', NULL, 'admin', '2025-07-21 15:52:59.512221', 'admin', '2025-09-11 14:17:59.212754', NULL, true); |
| 22 | +INSERT INTO public.utm_alert_response_rule VALUES (1, 'Windows: A user account was added to administration groups', 'Disable the user account that was added to an administrative group to prevent privilege escalation.', '[{"operator":"IS","field":"name","value":"Windows: A user account was added to administration groups"}]', 'net user "$(target.user)" /active:no', false, 'windows', NULL, 'maykel', '2025-09-13 20:24:00.667045', 'maykel', '2025-09-18 12:56:47.534763', NULL, true); |
| 23 | +INSERT INTO public.utm_alert_response_rule VALUES (48, 'Windows: Volume Shadow Copy Deletion', 'Kill Suspicious Process, Disable Compromised User Account and Logout Compromised User.', '[{"operator":"IS","field":"name","value":"Volume Shadow Copy Deletion"}]', 'powershell taskkill /F /IM "$(target.process)" & net user "$(target.user)" /active:no & logoff $(target.user)', false, 'windows', NULL, 'maykel', '2025-09-03 03:41:35.824516', 'maykel', '2025-09-03 03:45:56.409799', NULL, true); |
| 24 | +INSERT INTO public.utm_alert_response_rule VALUES (33, 'Linux - CentOS/RHEL - RHEL-Specific Kernel Exploitation Attempt', 'Detects attempts to exploit kernel vulnerabilities specific to RHEL-based systems. This playbook automates logging out and disabling the user account associated with the exploitation attempt.', '[{"operator":"IS","field":"name","value":"RHEL-Specific Kernel Exploitation Attempt"}]', 'sudo pkill -KILL -u $(target.user) ; sudo usermod --expiredate 1 $(target.user)', false, 'centos', NULL, 'admin', '2025-07-21 19:35:09.53047', 'admin', '2025-09-11 14:17:11.860741', NULL, true); |
| 25 | +INSERT INTO public.utm_alert_response_rule VALUES (45, 'Windows: Disabling Windows Defender Security Settings via PowerShell', 'enable Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.', '[{"operator":"IS","field":"name","value":"Windows: Disabling Windows Defender Security Settings via PowerShell"}]', 'powershell Set-MpPreference -DisableRealtimeMonitoring $(if ("$(log.message)" -match ''-DisableRealtimeMonitoring'') { $false } else { $true }) ; powershell Set-MpPreference -DisableBehaviorMonitoring $(if ("$(log.message)" -match ''-DisableBehaviorMonitoring'') { $false } else { $true }) ; powershell Set-MpPreference -PUAProtection $(if ("$(log.message)" -match ''-PUAProtection'') { ''"Enabled"'' } else { ''"Disabled"'' }) ; powershell Set-MpPreference -MAPSReporting $(if ("$(log.message)" -match ''-MAPSReporting'') { 1 } else { 0 }) ; powershell Set-MpPreference -CloudProtection $(if ("$(log.message)" -match ''CloudProtection'') { 1 } else { 0 }) ; powershell Remove-MpPreference -ExclusionProcess $(if ("$(log.message)" -match ''-ExclusionProcess'') { ''"evil.exe"'' } else { ''"Not A Process"'' })', false, 'windows', NULL, 'maykel', '2025-08-30 15:50:58.22476', 'admin', '2025-09-11 14:17:17.742859', NULL, true); |
| 26 | +INSERT INTO public.utm_alert_response_rule VALUES (46, 'Windows: Multiple remote access login failures', 'Block the IP that is establishing the connection.', '[{"operator":"IS","field":"name","value":"Windows: Multiple remote access login failures"}]', 'powershell New-NetFirewallRule -DisplayName "Blocked_BruteForce_IP" -Direction Inbound -RemoteAddress "$(origin.ip)" -Action Block -Protocol Any -Profile Any -Enabled True', false, 'windows', NULL, 'maykel', '2025-08-30 19:42:23.870136', 'admin', '2025-09-11 14:17:22.106034', NULL, true); |
| 27 | +INSERT INTO public.utm_alert_response_rule VALUES (47, 'Windows: Remote Desktop Enabled in Windows Firewall by Netsh', 'Disable inbound Remote Desktop Protocol and remove Firewall rule.', '[{"operator":"IS","field":"name","value":"Windows: Remote Desktop Enabled in Windows Firewall by Netsh"}]', 'powershell Set-ItemProperty -Path ''HKLM:\System\CurrentControlSet\Control\Terminal Server'' -Name ''fDenyTSConnections'' -Value 1 -Force;if ("$(log.message)" -match ''name=([^''''"\s]+)'') { Remove-NetFirewallRule -DisplayName $matches[1] -ErrorAction SilentlyContinue }', false, 'windows', NULL, 'maykel', '2025-09-01 21:03:20.282646', 'admin', '2025-09-11 14:18:13.915659', NULL, true); |
| 28 | + |
| 29 | + |
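Review bot: The command templates of rules 43, 44, 45 and 47 splice alert-derived fields such as `$(log.winlogEventDataProcessName)`, `$(target.user)` and `$(log.message)` straight into shell and PowerShell command lines, and those values originate in the very event data the alert was raised on, so unless the playbook executor validates or escapes them before substitution the response itself becomes a command-injection surface on the responding host. Rule 44 passes the process name unquoted to `taskkill`, and rules 45 and 47 embed `$(log.message)` inside a double-quoted PowerShell string where unescaped quote characters in the value change the command's structure; a defensive fix is to have the executor restrict each substitution to an allow-listed shape per field type (an IPv4/IPv6 literal for `adversary.ip`/`origin.ip`, a conservative character class such as `[A-Za-z0-9._$-]` for user and process names, constructed example) and refuse to run the action when a value does not conform, rather than relying on quoting inside every template. Separately, rule 31 answers an SSH brute-force alert with `sudo usermod --expiredate 1 $(target.user) ; sudo shutdown -h now`, so an unauthenticated remote source can disable arbitrary accounts or halt the host simply by generating failed logins; consider dropping the shutdown and gating the account lock so privileged and service accounts are excluded. Rules 1 and 40 share the same name and match condition, as do rules 29 and 48 on 'Volume Shadow Copy Deletion', so each of those alerts will trigger two responses; one of each pair should be removed or its condition differentiated.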