tum
/
soc


			
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798
							<!--
  SOC Proposal Rules — Appendix B3: Windows Sysmon
  Simulation profile rule IDs : 100421-100426
  Production profile rule IDs : 110421-110426

  Production rules use specific built-in Wazuh Sysmon SIDs as parents
  to avoid the N×M rule-tree explosion from if_group=sysmon:
    61603 → Sysmon event 1  (process create)
    61612 → Sysmon event 10 (process access)
    61613 → Sysmon event 11 (file create)
-->
<group name="soc_mvp,appendix_b,b3,sysmon,">

  <!-- ── Simulation profile ── -->


  <!-- ── Production profile ──
       Parents are specific built-in Wazuh Sysmon SIDs (not if_group=sysmon)
       to avoid N×M rule-tree explosion.
  -->

  <!-- B3-01: LSASS process access via procdump (Sysmon event 10)
       Parent: 61612 (Sysmon event 10 - process access) -->
  <rule id="110421" level="12">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)lsass\.exe</field>
    <description>B3-01 [PROD] Sysmon: LSASS process access detected (event 10)</description>
    <group>soc_prod,b3,credential_access,lsass,</group>
    <mitre><id>T1003.001</id></mitre>
  </rule>

  <!-- B3-02: SQL injection keywords in process command line (Sysmon event 1)
       Parent: 61603 (Sysmon event 1 - process create) -->
  <rule id="110422" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)select|union|insert|drop|exec</field>
    <description>B3-02 [PROD] Sysmon: SQL keyword in process command line (event 1)</description>
    <group>soc_prod,b3,webapp,sqli,</group>
    <mitre><id>T1190</id></mitre>
  </rule>

  <!-- B3-03: Web script file creation (Sysmon event 11)
       Parent: 61613 (Sysmon event 11 - file create) -->
  <rule id="110423" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">\.(?:php|aspx|asp|jsp)$</field>
    <description>B3-03 [PROD] Sysmon: web script file created (possible webshell, event 11)</description>
    <group>soc_prod,b3,webapp,webshell,</group>
    <mitre><id>T1505.003</id></mitre>
  </rule>

  <!-- B3-04: msiexec uninstall (Sysmon event 1)
       Parent: 61603 (Sysmon event 1 - process create) -->
  <rule id="110424" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)msiexec</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)/x|/uninstall</field>
    <description>B3-04 [PROD] Sysmon: msiexec uninstall detected (event 1)</description>
    <group>soc_prod,b3,defense_evasion,</group>
    <mitre><id>T1562.001</id></mitre>
  </rule>

  <!-- B3-05: LSASS dump via Task Manager (Sysmon event 10)
       Parent: 61612 (Sysmon event 10 - process access) -->
  <rule id="110425" level="12">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.sourceImage" type="pcre2">(?i)Taskmgr\.exe</field>
    <field name="win.eventdata.targetImage" type="pcre2">(?i)lsass\.exe</field>
    <description>B3-05 [PROD] Sysmon: LSASS dump via Task Manager (event 10)</description>
    <group>soc_prod,b3,credential_access,lsass,</group>
    <mitre><id>T1003.001</id></mitre>
  </rule>

  <!-- B3-06: certutil download (Sysmon event 1)
       Parent: 61603 (Sysmon event 1 - process create) -->
  <rule id="110426" level="8">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)certutil\.exe</field>
    <description>B3-06 [PROD] Sysmon: certutil.exe execution detected (event 1)</description>
    <group>soc_prod,b3,download,</group>
    <mitre><id>T1105</id></mitre>
  </rule>

  <!-- ── Production normalized key=value path (soc-mvp production profile) ── -->


</group>