Products: VMware - Carbon Black Cloud

Rules

| Rule ID | Rule Name |
|---|---|
| MATCH-S00139 | Abnormal Parent-Child Process Combination |
| FIRST-S00040 | First Seen cURL execution from User |
| MATCH-S00429 | LSASS Memory Dumping |
| MATCH-S00161 | Malicious PowerShell Get Commands |
| MATCH-S00419 | Multiple File Extensions |
| MATCH-S00402 | Normalized Security Signal |
| MATCH-S00136 | PowerShell Encoded Command |
| MATCH-S00149 | PowerShell File Download |
| MATCH-S00449 | Powershell Execution Policy Bypass |
| MATCH-S00167 | Recon Using Common Windows Commands |
| MATCH-S00328 | Rubeus Hack Tool |
| MATCH-S00529 | Schtasks Scheduling Job On Remote System |
| MATCH-S00547 | Script Execution Via WMI |
| MATCH-S00447 | Script Interpreter Launched by Cmd |
| MATCH-S00296 | Shadow Copies Deletion Using OS Utilities |
| MATCH-S00406 | Shadow Copy Creation |
| OUTLIER-S00009 | Spike in PowerShell Command Line Length From Host |
| MATCH-S00191 | Suspicious PowerShell Keywords |
| MATCH-S00164 | Suspicious Shells Spawned by Web Servers |
| LEGACY-S00108 | Threat Intel - Matched File Hash |
| MATCH-S00150 | WMI Launching Shell |
| MATCH-S00570 | WMIPRVSE Spawning Process |
| MATCH-S00400 | Web Download via Office Binaries |
| MATCH-S00159 | Windows - Permissions Group Discovery |
| MATCH-S00281 | Windows - PowerShell Process Discovery |
| MATCH-S00185 | Windows - Remote System Discovery |
| MATCH-S00170 | Windows - Scheduled Task Creation |
| MATCH-S00552 | Windows Connhost Started Forcefully |
| MATCH-S00178 | Windows Query Registry |
| LEGACY-S00171 | Windows Service Executed from Nonstandard Execution Path |
| MATCH-S00919 | chage command use on host |

Log Mappers

| Log Mapper ID | Log Mapper Name |
|---|---|
| c79ca29b-5742-4668-982f-7ef30300299d | Carbon Black Cloud - CONTAINER_RUNTIME |
| 81112448-48b5-4799-bc6e-a712a87ca34c | Carbon Black Cloud - FACET |
| 1780bb82-3701-457c-a922-33e7a397199e | Carbon Black Cloud - Observation event |
| 50ee5df8-20ae-4183-a282-b96369005935 | Carbon Black Cloud API Call |
| 4acf430c-7582-4e40-a3ce-050f7f78bd29 | Carbon Black Cloud Alert - CB_ANALYTICS |
| 020bc223-86b6-4b9b-9c39-4864eed1510b | Carbon Black Cloud Alert - Tuned Activity |
| dd54ac26-28af-431e-b488-8c51ad764016 | Carbon Black Cloud Alert - WATCHLIST |
| 821e00a8-8bd7-42ce-8414-4e04db6a5e37 | Carbon Black Cloud Cross Process Event |
| ea82e9f2-d2a1-4150-b47b-1af1f38d14e4 | Carbon Black Cloud File Modification |
| ce848916-0ff5-4c9c-9817-8e6d1af3b9b1 | Carbon Black Cloud Module Load |
| 3fe47187-8a81-4e1a-b80b-c0f2c4237ff6 | Carbon Black Cloud Network Connection |
| 9564da72-7e2e-4a97-bc3b-0367314f15c8 | Carbon Black Cloud Process Auditing |
| 82792c8e-dbec-4e10-ae42-b6a0944dec23 | Carbon Black Cloud Registry Modification |
| c56b1897-8e99-42f8-a5bc-9b56a4b7ab43 | Carbon Black Cloud Script Load |
| d6296fb1-a1b1-4431-a93d-566cfef15a45 | Carbon Black Cloud Watchlist Hit |