This documentation applies to a beta version of uberAgent.

Default Ruleset

uberAgent ESA’s default ruleset has rules for many common attack vectors. This section gives an overview.

Rule Sources

uberAgent ESA ships with rules from two different sources: vast limits rules and third-party rules. The former are curated by vast limits, while the latter are converted from sources such as the Sigma project.

vast limits Rules

vast limits vendor rules are stored in the configuration file uberAgent-ESA-process-tagging.conf.

Microsoft Office Rules

The rules in this section detect suspicious behavior involving Microsoft Office applications.

  • Detect child processes of Microsoft Office applications (dedicated rules for scripts and other types of child processes)
  • Detect Microsoft Office download operations
  • Detect Microsoft Office applications executing macros that access WMI to create child processes
  • Suspicious DLL load by Office
  • Detect loading of MAPI DLLs from processes other than Outlook

Adobe Acrobat Reader Rules

The rules in this section detect suspicious behavior involving Adobe Acrobat Reader.

  • Detect child processes of Adobe Reader

File System ACL Rules

The rules in this section detect suspicious behavior related to file system permissions (ACLs).

  • Detect processes started from directories that are user-writable
  • Detect process starts from directories with a low mandatory integrity label

LOLBAS Rules

The rules in this section detect suspicious behavior related to operating system binaries.

  • Unusual child processes and DLL loads
  • Detect starts from non-default locations
  • Detect proxy execution
  • Detect UAC bypass
  • Detect csc/jsc compile
  • Detect execute from alternate data streams
  • Detect AWL bypass
  • Detect encode and decode operations
  • Detect copy operations
  • Detect download operations

Network Rules

The rules in this section detect suspicious behavior related to network operations.

  • Suspicious network target names
  • PowerShell outbound network connections
  • Suspicious outbound Kerberos connections
  • PowerShell remoting
  • Detect network connects from suspicious sources
  • Detect network connects from Windows processes
  • Detect network connects from third-party tools
  • RDP connects from non-RDP software indicating lateral movement
  • Detect network connects to suspicious ports
  • Detect network connects to 80 and 443 from non-browser applications

Third-Party Rules

Sigma rules are stored in the configuration files sigma-*.conf.

Not all Sigma rules are enabled by default. Check the includes in uberAgent.conf and adjust if necessary.
