uberAgent ESA’s default ruleset has rules for many common attack vectors. This section gives an overview.
uberAgent ESA ships with rules from two sources: vendor rules curated by vast limits, and third-party rules converted from sources such as the Sigma project.
vast limits vendor rules are stored in the configuration file
The rules in this section detect suspicious behavior involving Microsoft Office applications.
- Detect child processes of Microsoft Office applications (dedicated rules for scripts and other types of child processes)
- Detect Microsoft Office download operations
- Detect Microsoft Office applications executing macros that access WMI to create child processes
- Detect suspicious DLL loads by Office applications
- Detect loading of MAPI DLLs from processes other than Outlook
The rules in this section detect suspicious behavior with Adobe Acrobat Reader.
- Detect child processes of Adobe Reader
The rules in this section detect suspicious behavior related to file system permissions (ACLs).
- Detect processes started from directories that are user-writable
- Detect process starts from directories with a low mandatory integrity label
The rules in this section detect suspicious behavior related to operating system binaries.
- Unusual child processes and DLL loads
- Detect starts from non-default locations
- Detect proxy execution
- Detect UAC bypass
- Detect csc/jsc compile
- Detect execute from alternate data streams
- Detect application whitelisting (AWL) bypass
- Detect encode and decode operations
- Detect copy operations
- Detect download operations
The rules in this section detect suspicious behavior related to network operations.
- Suspicious network target names
- PowerShell outbound network connections
- Suspicious outbound Kerberos connections
- PowerShell remoting
- Detect network connects from suspicious sources
- Detect network connects from Windows processes
- Detect network connects from third-party tools
- RDP connects from non-RDP software, a possible indicator of lateral movement
- Detect network connects to suspicious ports
- Detect network connects to 80 and 443 from non-browser applications
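To make concrete how rules of this kind evaluate endpoint telemetry, here is an added illustration that is not uberAgent ESA code and does not use its configuration syntax: a small Python rule engine that implements three of the categories listed above (an Office application spawning a script host, a process start from a user-writable directory, and 80/443 connections from non-browser applications) over constructed events. The Event and Rule structures, rule names, risk scores, process-name lists and sample events are all assumptions made for this example.

```python
"""Toy rule engine in the spirit of the rule categories listed above.

Added illustration, not uberAgent ESA code: the Event/Rule structures,
rule names, risk scores, name lists and sample events are all constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Process names are compared case-insensitively; Windows paths are lower-cased
# and normalised to backslashes before prefix checks.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
                "certutil.exe", "bitsadmin.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
# Directory prefixes a standard user can normally write to. Assumption for the
# example: a production rule would inspect the directory's ACL, not a path list.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\",
                          "c:\\windows\\temp\\", "c:\\windows\\tasks\\")


@dataclass(frozen=True)
class Event:
    event_type: str            # "Process.Start" or "Network.Connect"
    process_name: str          # image name of the acting process
    process_path: str = ""     # full image path (Process.Start only)
    parent_name: str = ""      # image name of the parent (Process.Start only)
    dest_host: str = ""        # target host (Network.Connect only)
    dest_port: int = 0         # target port (Network.Connect only)


@dataclass(frozen=True)
class Rule:
    name: str
    event_type: str
    risk_score: int
    predicate: Callable[[Event], bool]


def _norm_name(name: str) -> str:
    return name.lower()


def _norm_path(path: str) -> str:
    return path.replace("/", "\\").lower()


def office_spawns_script_host(e: Event) -> bool:
    """Office rule: a script host or LOLBin whose parent is an Office app."""
    return (_norm_name(e.parent_name) in OFFICE_APPS
            and _norm_name(e.process_name) in SCRIPT_HOSTS)


def start_from_user_writable_dir(e: Event) -> bool:
    """ACL rule: the image lives in a directory a standard user can write to."""
    return _norm_path(e.process_path).startswith(USER_WRITABLE_PREFIXES)


def web_port_from_non_browser(e: Event) -> bool:
    """Network rule: port 80/443 traffic from something that is not a browser."""
    return e.dest_port in (80, 443) and _norm_name(e.process_name) not in BROWSERS


RULES = [
    Rule("Office app spawns script host", "Process.Start", 75, office_spawns_script_host),
    Rule("Process started from user-writable directory", "Process.Start", 50, start_from_user_writable_dir),
    Rule("Non-browser connects to 80/443", "Network.Connect", 25, web_port_from_non_browser),
]


def evaluate(events: Iterable[Event], rules=RULES) -> list[tuple[str, int, Event]]:
    """Return (rule name, risk score, event) for every rule that matches an event."""
    hits = []
    for e in events:
        for r in rules:
            if r.event_type == e.event_type and r.predicate(e):
                hits.append((r.name, r.risk_score, e))
    return hits


def risk_by_process(hits) -> dict[str, int]:
    """Sum risk scores per process name, as a per-process risk view would."""
    totals: dict[str, int] = {}
    for _name, score, e in hits:
        key = _norm_name(e.process_name)
        totals[key] = totals.get(key, 0) + score
    return totals


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event("Process.Start", "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", parent_name="WINWORD.EXE"),
    Event("Process.Start", "splwow64.exe", r"C:\Windows\splwow64.exe", parent_name="WINWORD.EXE"),
    Event("Process.Start", "update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe", parent_name="explorer.exe"),
    Event("Process.Start", "cmd.exe", r"C:\Windows\System32\cmd.exe", parent_name="explorer.exe"),
    Event("Network.Connect", "chrome.exe", dest_host="example.com", dest_port=443),
    Event("Network.Connect", "update.exe", dest_host="203.0.113.10", dest_port=443),
    Event("Network.Connect", "powershell.exe", dest_host="203.0.113.10", dest_port=80),
]

if __name__ == "__main__":
    for name, score, e in evaluate(SAMPLE_EVENTS):
        print(f"[{score:>3}] {name}: {e.process_name} ({e.event_type})")
```

Note what does not fire: Word launching splwow64.exe (a normal print-spooler helper) is not flagged because the child is not a script host, and Chrome on 443 is exempt because it is a browser. The same attacker-controlled update.exe accumulates risk across two rule categories (started from a user-writable directory, then talking to 443), which is the kind of cross-rule correlation that makes a per-process risk score more useful than any single rule.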
Sigma rules are stored in the configuration files
Not all Sigma rules are enabled by default. Check the includes in uberAgent.conf and adjust if necessary.