Detection Engineering

Create and manage detection rules

Detection Rules

Rule                                Status    MITRE       Updated
PowerShell Encoded Command          Active    T1059.001   2024-12-13
Credential Dumping - LSASS          Active    T1003.001   2024-12-12
Lateral Movement - WMI              Testing   T1021.003   2024-12-13
Suspicious Registry Persistence     Active    T1547.001   2024-12-11
Data Exfiltration - DNS             Testing   T1048.003   2024-12-10
Privilege Escalation - UAC Bypass   Disabled  T1548.002   2024-12-09
PowerShell Encoded Command (T1059.001, Active)
Severity: High
Author: Sarah Chen
False Positives: 3 this week
Sigma Rule
Rule Testing
Test against sample logs
MATCHED      2024-12-13 10:45:22  powershell.exe -enc SGVsbG8gV29ybGQK  Host: WKS-CLIENT-042 | User: john.doe
MATCHED      2024-12-13 10:42:15  powershell.exe -encodedcommand UABvAHcAZQByAFMAaABlAGwAbAA=  Host: WKS-CLIENT-038 | User: admin_svc
NOT MATCHED  2024-12-13 10:40:03  powershell.exe -File C:\Scripts\backup.ps1  Host: SRV-BACKUP-01 | User: SYSTEM
MATCHED      2024-12-13 10:38:47  powershell.exe -ec aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA  Host: WKS-CLIENT-015 | User: alice.smith
Test Results: 3 matched, 1 not matched out of 4 test logs
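The page does not show the Sigma rule body itself, so the following is an added Python illustration (not the page's rule) of the behaviour the test results imply: any form of the -EncodedCommand switch (-e, -ec, -enc, -encodedcommand) matches, a plain -File invocation does not. The base64 decoding step is an assumption about the enrichment an analyst would want when triaging a hit; the four sample lines are constructed from the test logs above.

```python
import base64
import re

# Constructed sample lines mirroring the four test logs shown on the page.
SAMPLE_LOGS = [
    "powershell.exe -enc SGVsbG8gV29ybGQK Host: WKS-CLIENT-042 | User: john.doe",
    "powershell.exe -encodedcommand UABvAHcAZQByAFMAaABlAGwAbAA= Host: WKS-CLIENT-038 | User: admin_svc",
    "powershell.exe -File C:\\Scripts\\backup.ps1 Host: SRV-BACKUP-01 | User: SYSTEM",
    "powershell.exe -ec aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA Host: WKS-CLIENT-015 | User: alice.smith",
]

# powershell.exe accepts -EncodedCommand and its short forms (-e, -ec, -enc),
# case-insensitively and with either - or / as the switch prefix. The capture
# group is the base64 argument that follows the switch.
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def decode_payload(b64: str) -> str:
    """Decode the base64 argument for analyst context. PowerShell expects
    UTF-16LE; if the bytes do not look like UTF-16LE ASCII (every second byte
    zero), fall back to UTF-8, which is what the first sample line carries."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def detect(line: str):
    """Return the decoded command if the line carries an encoded-command
    switch, else None (the NOT MATCHED case, e.g. a plain -File invocation)."""
    m = ENC_FLAG.search(line)
    return decode_payload(m.group(1)) if m else None


def run_rule(lines):
    """Evaluate every line; return (matched, not_matched, per-line results)."""
    results = [(line, detect(line)) for line in lines]
    matched = sum(1 for _, hit in results if hit is not None)
    return matched, len(results) - matched, results


if __name__ == "__main__":
    matched, missed, results = run_rule(SAMPLE_LOGS)
    for line, hit in results:
        status = "MATCHED    " if hit else "NOT MATCHED"
        print(status, line.split(" Host:")[0], "->", repr(hit) if hit else "")
    print(f"Test Results: {matched} matched, {missed} not matched out of {len(results)}")
```

Decoding the matched arguments is what lets a triager separate a benign "PowerShell" test string from an "iex (New-Object" download cradle, which is where the false-positive rate of a rule like this is actually decided.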
Statistics
Detections (7 days): 142
True Positives: 89% (126)
False Positives: 11% (16)
Detection Rate
False Positives (3)
Legitimate Admin Script User: it_admin 2024-12-13 09:15
SCCM Deployment System: SRV-SCCM-01 2024-12-12 14:30
Monitoring Script User: monitoring_svc 2024-12-12 08:45
Deployment
Deployed To:
Wazuh SIEM
Elasticsearch
Splunk
Last Deployed: 2024-12-13 08:30:15