Initial commit

skills/incident-response/detection-sigma/assets/rule-templates/lateral-movement.yml

@@ -0,0 +1,69 @@
+title: Lateral Movement via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects lateral movement activity using [specific technique/tool]
+references:
+    - https://attack.mitre.org/tactics/TA0008/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.lateral_movement
+    - attack.t1021  # Replace with specific technique
+logsource:
+    category: process_creation  # or network_connection, authentication
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+        # Examples:
+        # ParentImage|endswith: '\services.exe'
+        # CommandLine|contains: 'psexec'
+        # LogonType: 3  # Network logon
+    filter_legitimate:
+        # Add filters for known false positives
+        # User|contains: 'SVC_'
+    condition: selection and not filter_legitimate
+falsepositives:
+    - Legitimate administrative activity
+    - Scheduled tasks
+    - IT operations
+level: high
+fields:
+    - ComputerName
+    - User
+    - SourceIp
+    - DestinationIp
+    - CommandLine
+
+# Common Lateral Movement Techniques:
+#
+# T1021.001 - Remote Desktop Protocol (RDP)
+# detection:
+#     selection:
+#         EventID: 4624
+#         LogonType: 10  # RemoteInteractive
+#
+# T1021.002 - SMB/Windows Admin Shares
+# detection:
+#     selection:
+#         EventID: 5140
+#         ShareName|endswith:
+#             - 'ADMIN$'
+#             - 'C$'
+#
+# T1021.006 - Windows Remote Management (WinRM)
+# detection:
+#     selection:
+#         EventID: 4624
+#         LogonType: 3
+#         AuthenticationPackageName: 'Negotiate'
+#         ProcessName|endswith: '\wsmprovhost.exe'
+#
+# T1550.002 - Pass the Hash
+# detection:
+#     selection:
+#         EventID: 4624
+#         LogonType: 3
+#         LogonProcessName: 'NtLmSsp'
+#         AuthenticationPackageName: 'NTLM'