wazuh-decoders-rules.md 53KB
Wazuh Decoders & Rules — SOC MVP Reference
Overview
All SOC simulation events carry the marker soc_mvp_test=true in the log body, which anchors the entire detection chain. Rules are split into two profiles per use case:
- Simulation profile (
100xxx): matchusecase_id=<ID>— fired by the simulator script - Production profile (
110xxx): match decoded field values from real log sources
Severity levels: High → 12, Medium → 8, Low → 5
MITRE ATT&CK Framework
What is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally recognised knowledge base that catalogues real-world adversary behaviour. It organises attacks into:
- Tactics — the why (the adversary's goal at each stage, e.g. Initial Access, Persistence, Exfiltration)
- Techniques — the how (the specific method used to achieve that goal, e.g. T1110 Brute Force)
- Sub-techniques — a more precise variant of a technique (e.g. T1110.003 Password Spraying)
Every Wazuh rule in this project tags the alert with one or more technique IDs so that alerts can be mapped onto the ATT&CK kill chain, fed into threat-intelligence platforms (e.g. TheHive, Splunk ES), and used to measure detection coverage.
Tactics Covered by This Ruleset
| Tactic | ATT&CK ID | What it means | Detected by |
|---|---|---|---|
| Reconnaissance | TA0043 | Adversary gathers info before attacking — port scans, AD enumeration | A2-07/09, A4-03/05, C3-04 |
| Initial Access | TA0001 | First foothold into the network — exploiting web apps | B3-02 |
| Execution | TA0002 | Running malicious code on a system | B3-02, B3-06 |
| Persistence | TA0003 | Maintaining access after reboots or credential changes | A4-13, B3-03 |
| Privilege Escalation | TA0004 | Gaining higher-level permissions | A4-07/11/12, C2-04 |
| Defense Evasion | TA0005 | Avoiding detection — disabling security tools or logging | A2-04, B2-01, B3-04 |
| Credential Access | TA0006 | Stealing credentials from systems or services | A3-03/04, A4-01/02/04, B3-01/05 |
| Discovery | TA0007 | Learning about internal environment after access | A4-03/05, C3-04 |
| Lateral Movement | TA0008 | Moving through the network after initial compromise | A4-08, C3-01/02/03 |
| Collection | TA0009 | Gathering data of interest — config files, sensitive docs | A2-05 |
| Command and Control | TA0011 | Adversary communicating with compromised systems | A1-01/02, A2-08/10, B3-06 |
| Impact | TA0040 | Disrupting availability or integrity — log suppression | B2-01 |
Technique Reference
All technique IDs used in this ruleset, with name, tactic, and which use cases apply:
| Technique ID | Name | Tactic | Used In |
|---|---|---|---|
| T1005 | Data from Local System | Collection | A2-05 |
| T1021 | Remote Services | Lateral Movement | C3-01 |
| T1021.001 | Remote Desktop Protocol | Lateral Movement | A2-01, C3-03 |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement | C3-02 |
| T1021.004 | SSH | Lateral Movement | B1-02/03 |
| T1046 | Network Service Discovery | Discovery / Reconnaissance | A2-07/09, C3-04 |
| T1071 | Application Layer Protocol | Command and Control | A2-08/10 |
| T1071.004 | DNS | Command and Control | A1-01 |
| T1078 | Valid Accounts | Defense Evasion / Initial Access / Persistence / Privilege Escalation | A3-01/02/05, A4-06/09/20/22/24, C1-01, C2-02 |
| T1078.002 | Domain Accounts | Privilege Escalation | C2-01 |
| T1078.003 | Local Accounts | Privilege Escalation | A4-10, C2-03 |
| T1087.002 | Domain Account (Discovery) | Discovery | A4-03 |
| T1098 | Account Manipulation | Persistence / Privilege Escalation | A2-02/03, A4-11/12/13, C2-04 |
| T1103 | — | — | — |
| T1105 | Ingress Tool Transfer | Command and Control | B3-06 |
| T1110 | Brute Force | Credential Access | A3-03/04, A4-01/02/04/14/16/17/18, B1-01/03 |
| T1110.003 | Password Spraying | Credential Access | A4-15/19 |
| T1134 | Access Token Manipulation | Defense Evasion / Privilege Escalation | A4-07 |
| T1135 | Network Share Discovery | Discovery | A4-05 |
| T1136 | Create Account | Persistence | A2-03, A4-21/23 |
| T1136.001 | Local Account | Persistence | A4-23 |
| T1136.002 | Domain Account | Persistence | A4-21 |
| T1190 | Exploit Public-Facing Application | Initial Access | B3-02 |
| T1505.003 | Web Shell | Persistence | B3-03 |
| T1550.002 | Pass the Hash | Defense Evasion / Lateral Movement | A4-08 |
| T1562 | Impair Defenses | Defense Evasion | A2-04 |
| T1562.001 | Disable or Modify Tools | Defense Evasion | B3-04 |
| T1562.006 | Indicator Blocking | Defense Evasion | B2-01 |
| T1568 | Dynamic Resolution | Command and Control | A1-02 |
| T1595 | Active Scanning | Reconnaissance | A2-06 |
ATT&CK Coverage Heatmap (by Tactic)
Reconnaissance ██░░░░ A2-07/09, A4-03/05, C3-04
Initial Access ██░░░░ B3-02 (web exploit)
Execution █░░░░░ B3-02/06
Persistence ████░░ A2-03, A4-13/21/23, B3-03
Privilege Escalation████░░ A4-07/11/12, C2-01/04
Defense Evasion ████░░ A2-04, A4-07/08, B2-01, B3-04
Credential Access ██████ A3, A4-01/02/04/14-19, B3-01/05
Discovery ███░░░ A4-03/05, C3-04
Lateral Movement ████░░ A4-08, C3-01/02/03
Collection █░░░░░ A2-05
Command & Control ████░░ A1, A2-08/10, B3-06
Decoder Chain
File: config/wazuh_cluster/local_decoder.xml
How it works
Raw log
└─ soc-mvp-base prematch: soc_mvp_test=true
├─ soc-mvp-dns source=dns
├─ soc-mvp-fgt-traffic source=fortigate + type="traffic"
├─ soc-mvp-fgt-event source=fortigate + type="event"
├─ soc-mvp-fgt-utm source=fortigate + type="utm"
├─ soc-mvp-fgt-vpn source=fortigate + subtype="vpn"
├─ soc-mvp-windows source=windows
├─ soc-mvp-windows-lateral source=windows + dstip= (overrides above)
├─ soc-mvp-vpn source=vpn
├─ soc-mvp-vmware source=vmware (with src_ip)
├─ soc-mvp-vmware-nosrcip source=vmware (no src_ip)
├─ soc-mvp-logmon source=log_monitor
├─ soc-mvp-sysmon source=windows_sysmon
└─ soc-mvp-sysmon-exec source=windows_sysmon + cmdline=
Note: Simulator A2/A3 events include
date=/logid=headers that trigger the built-infortigate-firewall-v6decoder instead ofsoc-mvp-base. Bridge rule 100205 re-anchors those events into the SOC chain.
Decoder Details
| Decoder | Parent | Prematch | Fields Extracted |
|---|---|---|---|
soc-mvp-base |
— | soc_mvp_test=true |
— |
soc-mvp-dns |
base | source=dns |
status (event_type), srcip |
soc-mvp-fgt-traffic |
base | source=fortigate + type="traffic" |
srcip, action |
soc-mvp-fgt-event |
base | source=fortigate + type="event" |
action, srcuser |
soc-mvp-fgt-utm |
base | source=fortigate + type="utm" |
status (subtype), srcip |
soc-mvp-fgt-vpn |
base | source=fortigate + subtype="vpn" |
action, srcuser, srcip |
soc-mvp-windows |
base | source=windows |
id (event_id), srcuser, srcip |
soc-mvp-windows-lateral |
base | source=windows + dstip= |
id, srcuser, srcip, dstip |
soc-mvp-vpn |
base | source=vpn |
status (event_type), srcuser, srcip, extra_data (country) |
soc-mvp-vmware |
base | source=vmware |
status (event_type), srcuser, srcip |
soc-mvp-vmware-nosrcip |
base | source=vmware |
status (event_type), srcuser |
soc-mvp-logmon |
base | source=log_monitor |
status (event_type) |
soc-mvp-sysmon |
base | source=windows_sysmon |
status (event_type), id (event_id), url (process) |
soc-mvp-sysmon-exec |
base | source=windows_sysmon + cmdline= |
status, id, url |
Base Rules
File: config/wazuh_cluster/local_rules.xml
| Rule ID | Level | Description | Trigger |
|---|---|---|---|
| 100200 | 3 | SOC MVP: synthetic test event detected | soc_mvp_test=true in any event |
| 100205 | 3 | SOC MVP: synthetic FortiGate test event (bridge) | Built-in fortigate group rule + soc_mvp_test=true |
| 100210 | 3 | SOC MVP: Appendix A simulation event | if_sid=100200 + section=A |
| 100220 | 3 | SOC MVP: Appendix B simulation event | if_sid=100200 + section=B |
| 100230 | 3 | SOC MVP: Appendix C simulation event | if_sid=100200 + section=C |
Rule 100205 exists to handle A2/A3 simulator events that are processed by the built-in FortiGate decoder. A2/A3 rules use if_sid=100200, 100205 so they fire in both the direct (soc-mvp-base) and FortiGate-decoded paths.
A1 — DNS / Firewall IOC
File: rules/soc-a1-ioc-rules.xml | Decoder: soc-mvp-dns | Source: source=dns
ATT&CK context: DNS-based IOC detection targets the Command and Control tactic. Adversaries use DNS to communicate with malware (C2 beaconing) or to redirect victims to malicious infrastructure via dynamic domain generation. Detecting these queries at the DNS layer is a high-fidelity signal because legitimate applications rarely query known-bad domains.
Simulation Rules
| Rule ID | Level | Use Case | MITRE ID | Technique | Tactic |
|---|---|---|---|---|---|
| 100301 | 8 | A1-01: DNS traffic to malicious domain detected | T1071.004 | Application Layer Protocol: DNS | Command and Control |
| 100302 | 8 | A1-02: DNS IOC domain match from threat feed | T1568 | Dynamic Resolution | Command and Control |
Production Rules
| Rule ID | Level | Match Condition | Description | MITRE ID | Technique |
|---|---|---|---|---|---|
| 110301 | 8 | event_type=ioc_dns_traffic |
DNS query to malicious domain (IOC traffic indicator) | T1071.004 | Application Layer Protocol: DNS |
| 110302 | 8 | event_type=ioc_domain_match |
DNS IOC domain match from threat intelligence feed | T1568 | Dynamic Resolution |
T1071.004 — Application Layer Protocol: DNS Adversaries use DNS queries to communicate with C2 infrastructure, hiding malicious traffic within normal DNS traffic that is often not inspected. Detects beaconing malware or data exfiltration tunnelled over DNS.
T1568 — Dynamic Resolution Adversaries use dynamic DNS or algorithmically generated domain names (DGA) to make their C2 infrastructure harder to block. A domain appearing in a threat feed but not seen before in the environment is a strong indicator.
A2 — FortiGate IPS/IDS & Firewall
File: rules/soc-a2-fortigate-fw-rules.xml | Decoders: soc-mvp-fgt-traffic, soc-mvp-fgt-event, soc-mvp-fgt-utm | Source: source=fortigate
Parent: if_sid=100200, 100205 (both direct and FortiGate-decoded paths)
ATT&CK context: Firewall logs capture both network-level threats (scanning, C2 traffic) and administrative abuse (config changes, account creation). This section spans Reconnaissance, Persistence, Defense Evasion, Collection, and Command and Control — covering the adversary's first steps to establish a foothold and maintain it.
Simulation Rules
| Rule ID | Level | Use Case | MITRE ID | Technique | Tactic |
|---|---|---|---|---|---|
| 100311 | 12 | A2-01: Allowed RDP from public IP | T1021.001 | Remote Desktop Protocol | Lateral Movement |
| 100312 | 12 | A2-02: Firewall admin password changed | T1098 | Account Manipulation | Persistence |
| 100313 | 12 | A2-03: Firewall admin account created | T1136 | Create Account | Persistence |
| 100314 | 12 | A2-04: Firewall email notification disabled | T1562 | Impair Defenses | Defense Evasion |
| 100315 | 5 | A2-05: Firewall configuration downloaded | T1005 | Data from Local System | Collection |
| 100316 | 8 | A2-06: Multiple critical/high IDS alerts detected | T1595 | Active Scanning | Reconnaissance |
| 100317 | 5 | A2-07: Port scanning from public IP detected | T1046 | Network Service Discovery | Discovery |
| 100318 | 8 | A2-08: IOC-matched network traffic blocked by IPS | T1071 | Application Layer Protocol | Command and Control |
| 100319 | 8 | A2-09: Port scanning from internal private IP | T1046 | Network Service Discovery | Discovery |
| 100320 | 8 | A2-10: Communication to known malicious IP (C2 indicator) | T1071 | Application Layer Protocol | Command and Control |
Production Rules
| Rule ID | Level | Match Condition | Description | MITRE ID | Technique |
|---|---|---|---|---|---|
| 110311 | 12 | dstport=3389 + action="accept" |
RDP traffic allowed | T1021.001 | Remote Desktop Protocol |
| 110312 | 12 | action="password-change" |
Admin account password changed | T1098 | Account Manipulation |
| 110313 | 12 | action="create-admin" |
New admin account created | T1136 | Create Account |
| 110314 | 12 | action="config-change" + config_value=disable |
Alerting/notification disabled | T1562 | Impair Defenses |
| 110315 | 5 | action="download-config" |
Firewall configuration file downloaded | T1005 | Data from Local System |
| 110316 | 8 | subtype="ips" + attack="Multiple.Critical |
Multiple critical IPS signatures triggered | T1595 | Active Scanning |
| 110317 | 5 | subtype="anomaly" + attack="TCP.Port.Scan" |
TCP port scan from external IP | T1046 | Network Service Discovery |
| 110318 | 8 | subtype="ips" + ioc_type=ip |
IOC-based IP indicator detected | T1071 | Application Layer Protocol |
| 110319 | 8 | subtype="anomaly" + attack="Internal.Port.Scan" |
Internal port scan from private source | T1046 | Network Service Discovery |
| 110320 | 8 | threat_label="known-c2" |
Traffic to known C2/malicious IP | T1071 | Application Layer Protocol |
T1021.001 — Remote Desktop Protocol
RDP exposed to public IPs is a prime attack vector for ransomware groups and APTs. An inbound accept to port 3389 from a non-private source is anomalous in most corporate environments.
T1098 — Account Manipulation Changing admin credentials or creating backdoor admin accounts on a firewall gives an attacker persistent, privileged access to network infrastructure that is extremely hard to detect and revoke.
T1562 — Impair Defenses Disabling email notifications on a firewall silences a critical alerting channel, allowing subsequent malicious activity to go unnoticed. This is a hallmark pre-attack step.
T1595 — Active Scanning Multiple IPS signature hits in a short window is a strong indicator of automated scanning or exploit frameworks (e.g. Metasploit, Nmap NSE scripts) probing for vulnerabilities.
A3 — FortiGate VPN
File: rules/soc-a3-fortigate-vpn-rules.xml | Decoder: soc-mvp-fgt-vpn | Source: source=fortigate subtype="vpn"
Parent: if_sid=100200, 100205 (both direct and FortiGate-decoded paths)
ATT&CK context: VPN is the primary remote access gateway for most organisations. Attackers target it with brute-force, credential stuffing, and stolen credentials. All A3 rules map to Valid Accounts (T1078) or Brute Force (T1110) — the two most common techniques for initial access via VPN.
Simulation Rules
| Rule ID | Level | Use Case | MITRE ID | Technique | Tactic |
|---|---|---|---|---|---|
| 100331 | 12 | A3-01: VPN login success from guest account | T1078 | Valid Accounts | Initial Access / Defense Evasion |
| 100332 | 12 | A3-02: VPN login success from multiple countries | T1078 | Valid Accounts | Initial Access |
| 100333 | 12 | A3-03: VPN brute-force success (many failures then success) | T1110 | Brute Force | Credential Access |
| 100334 | 5 | A3-04: VPN multiple auth failures (many accounts, one source) | T1110 | Brute Force | Credential Access |
| 100335 | 12 | A3-05: VPN login success from outside Thailand | T1078 | Valid Accounts | Initial Access |
Production Rules
| Rule ID | Level | Match Condition | Description | MITRE ID | Technique |
|---|---|---|---|---|---|
| 110331 | 12 | action="ssl-login-success" + user="guest" |
VPN auth success by guest account | T1078 | Valid Accounts |
| 110332 | 12 | action="ssl-login-success" + previous_country= |
VPN success from different country than last login | T1078 | Valid Accounts |
| 110333 | 12 | action="ssl-login-success" + failed_attempts_before_success= |
VPN success after multiple prior failures | T1110 | Brute Force |
| 110334 | 5 | action="ssl-login-fail" + failed_accounts= |
Multiple account failures from single source IP | T1110 | Brute Force |
| 110335 | 12 | action="ssl-login-success" + expected_country=TH |
VPN auth success from outside Thailand | T1078 | Valid Accounts |
T1078 — Valid Accounts Using legitimately provisioned credentials (stolen, purchased, or guessed) to log in. A guest account or a login from an unexpected country strongly suggests compromised credentials rather than a legitimate user.
T1110 — Brute Force Systematically trying many passwords against an account. A pattern of many failures followed by a success is a reliable brute-force indicator. Multiple accounts failing from one source indicates credential stuffing (using breached password lists).
A4 — Windows / Active Directory
File: rules/soc-a4-windows-ad-rules.xml | Decoder: soc-mvp-windows | Source: source=windows
ATT&CK context: Windows event logs are the richest source of attacker activity on-premise. A4 covers the full attack lifecycle within AD — from external credential attacks (initial access) through privilege escalation and persistence via account manipulation. Windows Security Event IDs are the primary production match signal.
Simulation Rules
| Rule ID | Level | Use Case | MITRE ID | Technique | Tactic |
|---|---|---|---|---|---|
| 100341 | 8 | A4-01: Multiple auth failures from privileged account | T1110 | Brute Force | Credential Access |
| 100342 | 8 | A4-02: Multiple auth failures from service account | T1110 | Brute Force | Credential Access |
| 100343 | 8 | A4-03: AD enumeration via malicious tools (e.g. adfind) | T1087.002 | Account Discovery: Domain Account | Discovery |
| 100344 | 8 | A4-04: Auth failure from public IP | T1110 | Brute Force | Credential Access |
| 100345 | 8 | A4-05: File share enumeration to single destination | T1135 | Network Share Discovery | Discovery |
| 100346 | 12 | A4-06: Authentication success from public IP | T1078 | Valid Accounts | Initial Access |
| 100347 | 12 | A4-07: Privileged account impersonation | T1134 | Access Token Manipulation | Privilege Escalation |
| 100348 | 12 | A4-08: Pass-the-hash RDP authentication success | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Defense Evasion / Lateral Movement |
| 100349 | 12 | A4-09: Authentication success from guest account | T1078 | Valid Accounts | Initial Access |
| 100350 | 12 | A4-10: Service account interactive logon (logon_type=2) | T1078.003 | Valid Accounts: Local Accounts | Privilege Escalation |
| 100351 | 12 | A4-11: Account added to custom privileged group | T1098 | Account Manipulation | Persistence |
| 100352 | 12 | A4-12: Account added to Domain Admins or privileged group | T1098 | Account Manipulation | Persistence |
| 100353 | 12 | A4-13: DSRM password reset on domain controller | T1098 | Account Manipulation | Persistence |
| 100354 | 5 | A4-14: One account failing from many sources | T1110 | Brute Force | Credential Access |
| 100355 | 5 | A4-15: Many accounts failing from one source (spray indicator) | T1110.003 | Password Spraying | Credential Access |
| 100356 | 5 | A4-16: Guest account multiple auth failures | T1110 | Brute Force | Credential Access |
| 100357 | 5 | A4-17: One account failing from one source | T1110 | Brute Force | Credential Access |
| 100358 | 5 | A4-18: Multiple interactive logon denials | T1110 | Brute Force | Credential Access |
| 100359 | 5 | A4-19: Password spray pattern detected | T1110.003 | Password Spraying | Credential Access |
| 100360 | 5 | A4-20: Auth attempt from disabled account | T1078 | Valid Accounts | Defense Evasion |
| 100361 | 5 | A4-21: Domain account created | T1136.002 | Create Account: Domain Account | Persistence |
| 100362 | 5 | A4-22: Local account re-enabled | T1078 | Valid Accounts | Persistence |
| 100363 | 5 | A4-23: Local account created | T1136.001 | Create Account: Local Account | Persistence |
| 100364 | 5 | A4-24: Domain account re-enabled | T1078 | Valid Accounts | Persistence |
Production Rules
| Rule ID | Level | Event ID | Match Condition | Description | MITRE ID | Technique |
|---|---|---|---|---|---|---|
| 110341 | 8 | 4625 | is_admin=true |
Privileged account auth failures | T1110 | Brute Force |
| 110342 | 8 | 4625 | is_service=true |
Service account auth failures | T1110 | Brute Force |
| 110343 | 8 | 4688 | process=adfind.exe |
AD enumeration tool executed | T1087.002 | Account Discovery: Domain Account |
| 110346 | 12 | 4624 | logon_type=10 |
Remote interactive auth success | T1078 | Valid Accounts |
| 110348 | 12 | 4624 | auth_package="NTLM" + pth_indicator=true |
Pass-the-hash via NTLM | T1550.002 | Pass the Hash |
| 110349 | 12 | 4624 | account="guest" |
Guest account auth success | T1078 | Valid Accounts |
| 110350 | 12 | 4624 | logon_type=2 + is_service=true |
Service account interactive logon | T1078.003 | Valid Accounts: Local Accounts |
| 110352 | 12 | 4728 | target_group= |
Account added to privileged domain group | T1098 | Account Manipulation |
| 110353 | 12 | 4732 | target_group= |
Account added to privileged local group | T1098 | Account Manipulation |
| 110354 | 12 | 4794 | — | DSRM account password set on DC | T1098 | Account Manipulation |
| 110359 | 5 | 4625 | spray=true |
Password spray pattern indicator | T1110.003 | Password Spraying |
| 110361 | 5 | 4720 | — | New user account created | T1136 | Create Account |
| 110362 | 5 | 4722 | — | User account re-enabled | T1078 | Valid Accounts |
T1087.002 — Account Discovery: Domain Account Tools like AdFind, BloodHound, and ldapdomaindump query Active Directory to map users, groups, and trust relationships — essential for planning privilege escalation paths. Event ID 4688 (process creation) is used to catch the tool execution.
T1134 — Access Token Manipulation An attacker with sufficient privilege duplicates or steals the access token of a more privileged process, effectively impersonating that account without needing its password.
T1550.002 — Pass the Hash The NTLM hash of a password can be used directly for authentication without knowing the plaintext password. Detected by NTLM authentication with logon type 10 (Remote Interactive) from an anomalous source.
T1098 — Account Manipulation (DSRM — A4-13) The Directory Services Restore Mode (DSRM) account is a local administrator on every Domain Controller. Resetting its password (event 4794) and enabling remote login to it gives an attacker a persistent, offline backdoor to the DC that survives domain-level password resets.
T1110.003 — Password Spraying Rather than many attempts on one account (which triggers lockout), the attacker tries one or two common passwords across many accounts. Harder to detect per-account but visible as a low-and-slow horizontal pattern across Event ID 4625 failures.
B1 — VMware vCenter / ESXi
File: rules/soc-b1-vmware-rules.xml | Decoders: soc-mvp-vmware, soc-mvp-vmware-nosrcip | Source: source=vmware
ATT&CK context: Hypervisor compromise is catastrophic — full control of all guest VMs, storage, and networking. B1 targets Brute Force against vCenter (the management plane) and SSH enablement on ESXi hosts, which is the most common first step attackers take after gaining vCenter admin access.
Simulation Rules
| Rule ID | Level | Use Case | MITRE ID | Technique | Tactic |
|---|---|---|---|---|---|
| 100401 | 12 | B1-01: vCenter login failures followed by success (brute-force) | T1110 | Brute Force | Credential Access |
| 100402 | 8 | B1-02: ESXi SSH service enabled on host | T1021.004 | Remote Services: SSH | Lateral Movement |
| 100403 | 12 | B1-03: ESXi SSH brute-force failures followed by success | T1110 | Brute Force | Credential Access |
Production Rules
| Rule ID | Level | Match Condition | Description | MITRE ID | Technique |
|---|---|---|---|---|---|
| 110401 | 12 | event_type=vmware_vcenter_login_fail_success |
vCenter login burst pattern (failures then success) | T1110 | Brute Force |
| 110402 | 8 | event_type=vmware_esxi_enable_ssh |
ESXi SSH service enabled | T1021.004 | Remote Services: SSH |
| 110403 | 12 | event_type=vmware_esxi_ssh_fail_success |
ESXi SSH brute-force then success | T1110 | Brute Force |
T1021.004 — Remote Services: SSH ESXi does not run SSH by default. Enabling it provides direct shell access to the hypervisor, bypassing vCenter authentication entirely. Any unauthorised SSH enablement on an ESXi host should be treated as a critical incident.
B2 — Log Monitoring
File: rules/soc-b2-logmon-rules.xml | Decoder: soc-mvp-logmon | Source: source=log_monitor
ATT&CK context: Log gaps are a Defense Evasion indicator. An attacker who has gained access to a log source (firewall, DC, EDR) may stop or tamper with its logging to remove evidence of their activity. Detecting that a previously active log stream has gone silent is an important meta-detection capability.
Simulation Rules
| Rule ID | Level | Use Case | MITRE ID | Technique | Tactic |
|---|---|---|---|---|---|
| 100411 | 5 | B2-01: Log loss detected on expected stream | T1562.006 | Impair Defenses: Indicator Blocking | Defense Evasion |
Production Rules
| Rule ID | Level | Match Condition | Description | MITRE ID | Technique |
|---|---|---|---|---|---|
| 110411 | 5 | event_type=log_loss_detection |
Log ingestion loss detected on monitored stream | T1562.006 | Impair Defenses: Indicator Blocking |
T1562.006 — Impair Defenses: Indicator Blocking Adversaries may stop logging services, block log forwarding, or delete log files to prevent defenders from detecting their actions. A log loss alert does not confirm malicious intent (hardware/network failure can cause it too) but must always be investigated promptly.
B3 — Windows Sysmon
File: rules/soc-b3-sysmon-rules.xml | Decoders: soc-mvp-sysmon, soc-mvp-sysmon-exec | Source: source=windows_sysmon
ATT&CK context: Sysmon provides deep process and file-level telemetry that Windows Security logs lack. B3 detects post-exploitation activity: credential dumping, web application compromise, and security tool removal — all high-confidence, late-stage attack indicators.
Simulation Rules
| Rule ID | Level | Use Case | MITRE ID | Technique | Tactic |
|---|---|---|---|---|---|
| 100421 | 12 | B3-01: LSASS memory dump via procdump (Sysmon event 10) | T1003.001 | OS Credential Dumping: LSASS Memory | Credential Access |
| 100422 | 12 | B3-02: SQL injection attempt via web process (event 1) | T1190 | Exploit Public-Facing Application | Initial Access |
| 100423 | 12 | B3-03: Webshell file creation in web root (event 11) | T1505.003 | Server Software Component: Web Shell | Persistence |
| 100424 | 12 | B3-04: Security agent uninstalled via msiexec | T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
| 100425 | 12 | B3-05: LSASS dump via Task Manager (event 10) | T1003.001 | OS Credential Dumping: LSASS Memory | Credential Access |
| 100426 | 8 | B3-06: Certutil used to download remote payload | T1105 | Ingress Tool Transfer | Command and Control |
Production Rules
| Rule ID | Level | Sysmon Event | Match Condition | Description | MITRE ID | Technique |
|---|---|---|---|---|---|---|
| 110421 | 12 | Event 10 (ProcessAccess) | target_process=lsass.exe |
LSASS process access | T1003.001 | OS Credential Dumping: LSASS Memory |
| 110422 | 12 | Event 1 (ProcessCreate) | event_type=sysmon_sql_injection |
SQL injection pattern in web process | T1190 | Exploit Public-Facing Application |
| 110423 | 12 | Event 11 (FileCreate) | event_type=sysmon_webshell |
File creation in web root by web process | T1505.003 | Server Software Component: Web Shell |
| 110424 | 12 | Event 1 (ProcessCreate) | event_type=sysmon_security_agent_uninstall |
Security agent removal via msiexec | T1562.001 | Impair Defenses: Disable or Modify Tools |
| 110425 | 12 | Event 10 (ProcessAccess) | event_type=sysmon_lsass_dump_taskmgr |
LSASS dump via Task Manager | T1003.001 | OS Credential Dumping: LSASS Memory |
| 110426 | 8 | Event 1 (ProcessCreate) | process=certutil.exe + cmdline= |
certutil.exe download pattern | T1105 | Ingress Tool Transfer |
T1003.001 — OS Credential Dumping: LSASS Memory The Windows LSASS (Local Security Authority Subsystem Service) process stores password hashes and Kerberos tickets in memory. Tools like Mimikatz, procdump, and Task Manager's "Create dump file" feature can extract these credentials for offline cracking or direct pass-the-hash use. Sysmon Event ID 10 (ProcessAccess with lsass.exe as the target) is the most reliable detection point.
T1505.003 — Server Software Component: Web Shell After exploiting a web application, attackers drop a small script (PHP, ASPX, JSP) into the web root that accepts commands via HTTP requests. Sysmon Event ID 11 (FileCreate) in web-accessible directories by the web server process is a high-fidelity indicator.
T1562.001 — Impair Defenses: Disable or Modify Tools
Attackers remove or disable endpoint security agents (AV, EDR) to eliminate the primary detection mechanism before executing their final objective. msiexec /x targeting known security agent GUIDs is a common pattern.
T1105 — Ingress Tool Transfer
certutil.exe is a legitimate Windows binary for certificate management but is widely abused (LOLBin) to download files from the internet using its -urlcache -split -f options. This is a classic living-off-the-land technique because many environments allow it past security controls.
C1 — Impossible Travel Detection
File: rules/soc-c1-c3-rules.xml | Decoder: soc-mvp-vpn (prod) / soc-mvp-windows (sim) | Source: source=vpn / source=windows
ATT&CK context: Impossible travel targets Valid Accounts (T1078) — specifically the scenario where stolen credentials are used by an attacker in one geography while the legitimate user is in another. A login from Thailand followed by a login from Russia 10 minutes later is physically impossible; one of them is a threat actor.
Full impossible-travel correlation requires the
soc-integratordetection service. Wazuh rules flag per-event geo-anomaly candidates; upstream correlation confirms the travel impossibility.
Simulation Rules
| Rule ID | Level | Use Case | MITRE ID | Technique | Tactic |
|---|---|---|---|---|---|
| 100501 | 12 | C1-01: Impossible travel — VPN login from geographically distant location | T1078 | Valid Accounts | Initial Access / Defense Evasion |
Production Rules
| Rule ID | Level | Match Condition | Description | MITRE ID | Technique |
|---|---|---|---|---|---|
| 110501 | 12 | event_type=vpn_login_success |
VPN login with geo context — impossible travel candidate | T1078 | Valid Accounts |
| 110502 | 15 | event_type=c1_impossible_travel |
Impossible travel confirmed by soc-integrator correlation | T1078 | Valid Accounts |
T1078 — Valid Accounts (Impossible Travel) This is the highest-confidence valid-account detection because it does not rely on password patterns or known bad IPs — it relies on physical impossibility. Rule 110502 (level 15, the highest in this ruleset) fires only after the soc-integrator has correlated two logins and confirmed they cannot represent the same person travelling normally.
C2 — Advanced Credential Abuse & Privilege Misuse
File: rules/soc-c1-c3-rules.xml | Decoder: soc-mvp-windows | Source: source=windows
ATT&CK context: C2 detects insider threat and post-compromise privilege abuse patterns that are individually legitimate but anomalous in context — an admin logging in at 3am, a service account used interactively, a dormant account suddenly active. These require behavioural baselining to distinguish real attacks from noise.
Simulation Rules
| Rule ID | Level | Use Case | MITRE ID | Technique | Tactic |
|---|---|---|---|---|---|
| 100511 | 12 | C2-01: Privileged account used outside business hours | T1078.002 | Valid Accounts: Domain Accounts | Privilege Escalation |
| 100512 | 8 | C2-02: Dormant account activation detected | T1078 | Valid Accounts | Defense Evasion |
| 100513 | 12 | C2-03: Service account interactive logon | T1078.003 | Valid Accounts: Local Accounts | Privilege Escalation |
| 100514 | 12 | C2-04: Rapid privilege escalation followed by sensitive resource access | T1098 | Account Manipulation | Persistence |
Production Rules
| Rule ID | Level | Event ID | Match Condition | Description | MITRE ID | Technique |
|---|---|---|---|---|---|---|
| 110511 | 12 | 4624 | is_admin=true + event_type=windows_auth_success |
Privileged account auth success — off-hours | T1078.002 | Valid Accounts: Domain Accounts |
| 110512 | 8 | 4624 | event_type=windows_auth_success + legacy. |
Dormant/legacy account auth success | T1078 | Valid Accounts |
| 110513 | 12 | 4624 | is_service=true + logon_type=10 |
Service account interactive logon (type 10) | T1078.003 | Valid Accounts: Local Accounts |
| 110514 | 12 | 4732 | is_admin=true |
Rapid privilege escalation: group change by admin | T1098 | Account Manipulation |
T1078.002 — Valid Accounts: Domain Accounts (Off-Hours) Domain admin activity outside normal business hours (e.g. 2–5am local time) is a known attacker signature — legitimate admins rarely work at those hours but attackers work when defenders are asleep. Requires time-of-day context from the soc-integrator for production correlation.
T1078.003 — Valid Accounts: Local Accounts (Service Account Interactive Logon) Service accounts are designed for automated processes, not interactive sessions. A service account logging in interactively (logon type 10 = Remote Interactive, or type 2 = Local Interactive) indicates either credential theft or an insider using a service account to evade personal activity tracking.
C3 — Lateral Movement & Internal Reconnaissance
File: rules/soc-c1-c3-rules.xml | Decoders: soc-mvp-windows, soc-mvp-windows-lateral | Source: source=windows
ATT&CK context: After establishing initial access, attackers move laterally to reach high-value targets (domain controllers, file servers, backup systems). C3 detects the burst patterns that characterise automated lateral movement tools (Cobalt Strike, Impacket, BloodHound) — many hosts contacted in a short time window.
Simulation Rules
| Rule ID | Level | Use Case | MITRE ID | Technique | Tactic |
|---|---|---|---|---|---|
| 100521 | 12 | C3-01: Multiple auth successes across different hosts | T1021 | Remote Services | Lateral Movement |
| 100522 | 12 | C3-02: SMB/RDP lateral movement burst pattern | T1021.002 | Remote Services: SMB/Windows Admin Shares | Lateral Movement |
| 100523 | 15 | C3-03: Admin account accessing many servers rapidly | T1021.001 | Remote Services: RDP | Lateral Movement |
| 100524 | 8 | C3-04: Internal scanning / enumeration burst pattern | T1046 | Network Service Discovery | Discovery / Reconnaissance |
Production Rules
| Rule ID | Level | Event ID | Match Condition | Description | MITRE ID | Technique |
|---|---|---|---|---|---|---|
| 110521 | 12 | 4624 | dstport=3389 + event_type=windows_auth_success |
RDP auth success to remote host | T1021.001 | Remote Services: RDP |
| 110522 | 12 | 4624 | dstport=445 + event_type=windows_lateral_movement |
SMB lateral movement burst | T1021.002 | SMB/Windows Admin Shares |
| 110523 | 15 | 4624 | is_admin=true + event_type=windows_auth_success |
Admin RDP success to multiple servers rapidly | T1021.001 | Remote Services: RDP |
| 110524 | 8 | — | event_type=internal_scan |
Internal scanning/enumeration burst | T1046 | Network Service Discovery |
T1021 — Remote Services (Lateral Movement) An account successfully authenticating to many distinct internal hosts in a short time window (minutes, not hours) is a reliable lateral movement signal. Legitimate admin activity is targeted and intentional; lateral movement tools spray credentials across IP ranges.
T1046 — Network Service Discovery (Internal Scanning) After initial compromise, attackers scan internal subnets to map the network — identifying domain controllers, databases, backup servers, and other high-value targets. Internal port scanning is anomalous in most environments and should be treated as a high-priority finding.
Rule ID Summary
| Range | Section | Count |
|---|---|---|
| 100200, 100205, 100210, 100220, 100230 | Base / grouping | 5 |
| 100301–100302 / 110301–110302 | A1 DNS IOC | 4 |
| 100311–100320 / 110311–110320 | A2 FortiGate FW | 20 |
| 100331–100335 / 110331–110335 | A3 FortiGate VPN | 10 |
| 100341–100364 / 110341–110362 | A4 Windows/AD | 37 |
| 100401–100403 / 110401–110403 | B1 VMware | 6 |
| 100411 / 110411 | B2 Log Monitor | 2 |
| 100421–100426 / 110421–110426 | B3 Sysmon | 12 |
| 100501 / 110501–110502 | C1 Impossible Travel | 3 |
| 100511–100514 / 110511–110514 | C2 Credential Abuse | 8 |
| 100521–100524 / 110521–110524 | C3 Lateral Movement | 8 |
| Total | 115 |
Running the Simulator
cd scripts
# Single batch (all use cases)
WAZUH_API_USER=wazuh-wui WAZUH_API_PASS='MyS3cr37P450r.*-' \
python3 send-wazuh-api-sim.py --selector all --batch
# Continuous (all use cases, 65s between rounds to stay under rate limit)
WAZUH_API_USER=wazuh-wui WAZUH_API_PASS='MyS3cr37P450r.*-' \
python3 send-wazuh-api-sim.py --selector all --batch --forever --delay 65
# Single section
WAZUH_API_USER=wazuh-wui WAZUH_API_PASS='MyS3cr37P450r.*-' \
python3 send-wazuh-api-sim.py --selector a2 --batch
# Single use case
WAZUH_API_USER=wazuh-wui WAZUH_API_PASS='MyS3cr37P450r.*-' \
python3 send-wazuh-api-sim.py --selector A2-01 --count 1
Wazuh Operations
# Reload rules (no container restart needed)
docker exec wazuh-single-wazuh.manager-1 /var/ossec/bin/wazuh-control reload
# Test a single event
echo 'soc_mvp_test=true source=dns event_type=ioc_dns_traffic src_ip=1.2.3.4' | \
docker exec -i wazuh-single-wazuh.manager-1 /var/ossec/bin/wazuh-logtest
# Watch live alerts for SOC rules
docker exec wazuh-single-wazuh.manager-1 \
tail -f /var/ossec/logs/alerts/alerts.json | grep --line-buffered "soc_mvp"