feat(ruleset): add sysmon security pack and simplify built-in docs

EBWi11 · EBWi11 · commit 2858877c02ce · 2026-03-24T22:06:45.000+08:00
Add production-ready Sysmon baseline/intrusion/exclude rulesets focused on high-confidence, low-noise intrusion detection, and update README built-in ruleset paths and summaries to match folder-based organization.

Made-with: Cursor
diff --git a/README.md b/README.md
@@ -128,57 +128,16 @@ AgentSmith-HUB ships with production-ready detection rulesets that you can deplo
 
 ### Kubernetes Audit Log Security
 
-Two rulesets covering **25 detection rules** for Kubernetes audit logs, designed with multi-condition correlation and system-controller exclusion to minimize false positives.
-
-<details>
-<summary><b>k8s_audit_baseline</b> — Workload & RBAC Security Baseline (11 rules)</summary>
-
-Detects Kubernetes configurations that violate security best practices at the point of creation or modification.
-
-| Rule | Detection | Severity | MITRE ATT&CK |
-|------|-----------|----------|---------------|
-| B001–B003 | **Privileged containers** — Pod, Deployment, DaemonSet with `privileged: true` | HIGH | T1611 Privilege Escalation |
-| B004–B005 | **Host namespace sharing** — `hostNetwork` / `hostPID` / `hostIPC` breaks container isolation | HIGH | T1611 Privilege Escalation |
-| B006, B011 | **Container runtime socket mount** — `docker.sock` / `containerd.sock` enables container escape | HIGH | T1611 Privilege Escalation |
-| B007 | **Sensitive hostPath mount** — mounting `/`, `/etc`, `/proc`, `/sys`, `/root` | HIGH | T1611 Privilege Escalation |
-| B008 | **CAP_SYS_ADMIN capability** — near-equivalent to full privileged mode | HIGH | T1611 Privilege Escalation |
-| B009 | **Wildcard ClusterRole** — `resources: ["*"]` or `verbs: ["*"]` grants unrestricted access | HIGH | T1098.001 Persistence |
-| B010 | **cluster-admin binding** — any subject bound to cluster-admin = full cluster compromise | HIGH | T1098.001 Persistence |
-
-</details>
-
-<details>
-<summary><b>k8s_audit_intrusion</b> — Active Intrusion Detection (14 rules)</summary>
-
-Detects highly suspicious operations that indicate active intrusion, lateral movement, or post-exploitation activity.
-
-| Rule | Detection | Severity | MITRE ATT&CK |
-|------|-----------|----------|---------------|
-| I001 | **Exec into kube-system pod** — non-system user shell access to critical pods | HIGH | T1609 Execution |
-| I002 | **Cluster-wide secrets enumeration** — listing secrets across all namespaces | HIGH | T1552.007 Credential Access |
-| I003 | **Anonymous RBAC binding** — granting roles to `system:anonymous` | HIGH | T1098 Persistence |
-| I004 | **Admission webhook tampering** — mutating webhook can intercept all resource creation | HIGH | T1546 Persistence |
-| I005 | **External workload in kube-system** — non-system user deploying to kube-system | HIGH | T1610 Persistence |
-| I006 | **Validating webhook deletion** — disabling OPA/Gatekeeper/Kyverno policy enforcement | HIGH | T1562.001 Defense Evasion |
-| I007 | **Node proxy access** — direct kubelet API access bypassing RBAC | HIGH | T1599 Lateral Movement |
-| I008 | **User impersonation** — assuming another identity via impersonation headers | HIGH | T1134.001 Privilege Escalation |
-| I009 | **kube-system secret/configmap deletion** — disrupting cluster operations | MEDIUM | T1485 Impact |
-| I010 | **Excessive secret access** — 20+ distinct secrets read in 5 min *(threshold)* | MEDIUM | T1552.007 Credential Access |
-| I011 | **Exec shell spray** — exec into 10+ different pods in 3 min *(threshold)* | HIGH | T1609 Lateral Movement |
-| I012 | **Privileged SA token theft** — creating tokens for kube-system service accounts | HIGH | T1528 Credential Access |
-| I013 | **CronJob with reverse shell** — bash reverse shells, nc, base64 obfuscation, attack tools | HIGH | T1053.007 Execution |
-| I014 | **Attack tool / crypto-miner images** — kali, metasploit, xmrig, cobaltstrike, etc. | HIGH | T1610 Execution |
-
-</details>
-
-> **Quick start:** Import the built-in rulesets from `config/ruleset/` (`k8s_audit_baseline.xml` and `k8s_audit_intrusion.xml`), connect your K8s audit log source, and you have production-grade Kubernetes threat detection running in minutes — no tuning needed.
+Two Kubernetes audit rulesets are provided for baseline hardening and active intrusion detection.
+
+> **Quick start:** Import the built-in rulesets from `config/ruleset/k8s_security/` (`k8s_audit_baseline.xml` and `k8s_audit_intrusion.xml`), connect your K8s audit log source, and you have production-grade Kubernetes threat detection running in minutes — no tuning needed.
 
 ### Built-in K8s Ruleset Files
 
 AgentSmith-HUB includes Kubernetes security rulesets out of the box. You can use them directly without writing custom XML first:
 
-- `config/ruleset/k8s_audit_baseline.xml`
-- `config/ruleset/k8s_audit_intrusion.xml`
+- `config/ruleset/k8s_security/k8s_audit_baseline.xml`
+- `config/ruleset/k8s_security/k8s_audit_intrusion.xml`
 
 Recommended onboarding flow:
 
@@ -187,6 +146,21 @@ Recommended onboarding flow:
 3. Verify detections in test mode with real sample events.
 4. Tune thresholds (if needed) for your cluster's normal behavior.
 
+### Sysmon Endpoint Security (Windows)
+
+Two Sysmon rulesets are provided for medium/high-confidence endpoint detection use cases:
+
+- `config/ruleset/sysmon_security/sysmon_baseline.xml`
+- `config/ruleset/sysmon_security/sysmon_intrusion.xml`
+- `config/ruleset/sysmon_security/sysmon_exclude.xml` (strict allowlist template)
+
+Recommended onboarding flow for Sysmon:
+
+1. Ensure your input normalizes core Sysmon fields used by rulesets.
+2. Import `sysmon_baseline.xml` first and validate behavior in test mode.
+3. Import `sysmon_intrusion.xml` and tune based on your endpoint baseline.
+4. Add environment-specific allowlists with a separate EXCLUDE ruleset if needed.
+
 More built-in rulesets for additional data sources are on the roadmap. Contributions are welcome!
 
 ## Features at a Glance
diff --git a/config/ruleset/sysmon_security/sysmon_baseline.xml b/config/ruleset/sysmon_security/sysmon_baseline.xml
@@ -0,0 +1,119 @@
+<!-- ============================================================================
+     Sysmon — Baseline Security Policy (Low-Noise Medium/High Severity)
+     ============================================================================
+     Type:     DETECTION
+     Purpose:  Detect high-confidence endpoint behaviors from Windows Sysmon logs
+               with strict signal controls to keep false positives low.
+     Scope:    Windows Sysmon events (primarily Event ID 1/10/11/13/22)
+     Notes:
+       - Focused on medium/high severity only.
+       - Most rules require multiple conditions (behavior + context).
+       - Rule IDs are stable for triage workflow and suppression management.
+     ============================================================================ -->
+
+<root type="DETECTION" name="sysmon_baseline" author="AgentSmith">
+
+    <!-- ================================================================
+         S-B001 — Suspicious Encoded PowerShell
+         Severity: HIGH
+         ================================================================ -->
+    <rule id="S-B001" name="Suspicious encoded PowerShell execution">
+        <check type="EQU" field="event.code">1</check>
+        <check type="INCL" field="process.executable">powershell</check>
+        <checklist condition="enc and hidden and bypass">
+            <check id="enc" type="REGEX" field="process.command_line">(?i)(-enc|-encodedcommand)\s+[A-Za-z0-9+/=]{20,}</check>
+            <check id="hidden" type="REGEX" field="process.command_line">(?i)(-w|/w|--windowstyle)\s*hidden</check>
+            <check id="bypass" type="REGEX" field="process.command_line">(?i)(-ep|--executionpolicy)\s*bypass</check>
+        </checklist>
+        <append field="alert_id">S-B001</append>
+        <append field="severity">high</append>
+        <append field="category">baseline</append>
+        <append field="description">Encoded PowerShell with hidden window and policy bypass</append>
+        <append field="mitre_tactic">Execution</append>
+        <append field="mitre_technique_id">T1059.001</append>
+    </rule>
+
+    <!-- ================================================================
+         S-B002 — Office/Browser spawning script engines
+         Severity: HIGH
+         ================================================================ -->
+    <rule id="S-B002" name="Office or browser spawned script engine">
+        <check type="EQU" field="event.code">1</check>
+        <check type="REGEX" field="process.parent.executable">(?i)(winword|excel|powerpnt|outlook|chrome|msedge|firefox)\.exe$</check>
+        <check type="REGEX" field="process.executable">(?i)(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$</check>
+        <append field="alert_id">S-B002</append>
+        <append field="severity">high</append>
+        <append field="category">baseline</append>
+        <append field="description">User-facing app spawned a high-risk script/LOLBin child process</append>
+        <append field="mitre_tactic">Execution</append>
+        <append field="mitre_technique_id">T1204</append>
+    </rule>
+
+    <!-- ================================================================
+         S-B003 — Run/RunOnce persistence write
+         Severity: HIGH
+         ================================================================ -->
+    <rule id="S-B003" name="Run key persistence created or modified">
+        <check type="EQU" field="event.code">13</check>
+        <check type="REGEX" field="registry.path">(?i)\\(CurrentVersion\\Run|CurrentVersion\\RunOnce)(\\|$)</check>
+        <check type="REGEX" field="process.executable">(?i)(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$</check>
+        <append field="alert_id">S-B003</append>
+        <append field="severity">high</append>
+        <append field="category">baseline</append>
+        <append field="description">High-risk process modified Run/RunOnce persistence key</append>
+        <append field="mitre_tactic">Persistence</append>
+        <append field="mitre_technique_id">T1547.001</append>
+    </rule>
+
+    <!-- ================================================================
+         S-B004 — Suspicious startup-folder artifact
+         Severity: MEDIUM
+         ================================================================ -->
+    <rule id="S-B004" name="Script or executable dropped to startup folder">
+        <check type="EQU" field="event.code">11</check>
+        <check type="REGEX" field="file.path">(?i)\\(ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup|Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup)\\</check>
+        <check type="REGEX" field="file.path">(?i)\.(ps1|vbs|js|hta|cmd|bat|exe|dll)$</check>
+        <append field="alert_id">S-B004</append>
+        <append field="severity">medium</append>
+        <append field="category">baseline</append>
+        <append field="description">Potential startup persistence payload dropped to Startup folder</append>
+        <append field="mitre_tactic">Persistence</append>
+        <append field="mitre_technique_id">T1547.001</append>
+    </rule>
+
+    <!-- ================================================================
+         S-B005 — Remote-script style LOLBin command
+         Severity: HIGH
+         ================================================================ -->
+    <rule id="S-B005" name="LOLBin with remote script or URL pattern">
+        <check type="EQU" field="event.code">1</check>
+        <check type="REGEX" field="process.executable">(?i)(mshta|regsvr32|rundll32)\.exe$</check>
+        <check type="REGEX" field="process.command_line">(?i)(https?://|scrobj\.dll|javascript:|vbscript:)</check>
+        <append field="alert_id">S-B005</append>
+        <append field="severity">high</append>
+        <append field="category">baseline</append>
+        <append field="description">LOLBin commandline indicates remote script execution pattern</append>
+        <append field="mitre_tactic">Defense Evasion</append>
+        <append field="mitre_technique_id">T1218</append>
+    </rule>
+
+    <!-- ================================================================
+         S-B006 — Unusual scheduler abuse chain
+         Severity: MEDIUM
+         ================================================================ -->
+    <rule id="S-B006" name="Suspicious schtasks command writing script payload">
+        <check type="EQU" field="event.code">1</check>
+        <check type="INCL" field="process.executable">schtasks.exe</check>
+        <checklist condition="create and payload">
+            <check id="create" type="REGEX" field="process.command_line">(?i)\s/create(\s|$)</check>
+            <check id="payload" type="REGEX" field="process.command_line">(?i)(powershell|wscript|cscript|mshta|rundll32|regsvr32|cmd\.exe\s+/c)</check>
+        </checklist>
+        <append field="alert_id">S-B006</append>
+        <append field="severity">medium</append>
+        <append field="category">baseline</append>
+        <append field="description">Scheduled task created with script/LOLBin execution payload</append>
+        <append field="mitre_tactic">Persistence</append>
+        <append field="mitre_technique_id">T1053.005</append>
+    </rule>
+
+</root>
diff --git a/config/ruleset/sysmon_security/sysmon_exclude.xml b/config/ruleset/sysmon_security/sysmon_exclude.xml
@@ -0,0 +1,53 @@
+<!-- ============================================================================
+     Sysmon — Exclude Template (High-Precision Allowlist)
+     ============================================================================
+     Type:     EXCLUDE
+     Purpose:  Provide a safe allowlist template for known benign behaviors.
+               This file is intentionally strict and uses placeholder values.
+               By default, rules do NOT match until placeholders are replaced.
+     Scope:    Windows Sysmon events (1/10)
+
+     How to use:
+       1) Copy this file and keep it environment-specific.
+       2) Replace placeholder values with exact host/user/path combinations.
+       3) Never use broad wildcards for critical behaviors (especially LSASS).
+       4) Validate with test data before enabling in production.
+     ============================================================================ -->
+
+<root type="EXCLUDE" name="sysmon_exclude" author="AgentSmith">
+
+    <!-- ================================================================
+         X001 — Allow approved LSASS dump troubleshooting via procdump
+         Targeted to suppress S-I006 only for explicitly approved runbooks.
+         IMPORTANT:
+           - Keep host and user exact.
+           - Keep process path exact.
+           - Keep commandline marker exact.
+         ================================================================ -->
+    <rule id="X001" name="Approved procdump LSASS troubleshooting">
+        <check type="EQU" field="event.code">1</check>
+        <check type="EQU" field="host.name">__REPLACE_WITH_APPROVED_HOST__</check>
+        <check type="EQU" field="user.name">__REPLACE_WITH_APPROVED_USER__</check>
+        <check type="EQU" field="process.executable">__REPLACE_WITH_APPROVED_PROCDUMP_PATH__</check>
+        <check type="INCL" field="process.command_line">__REPLACE_WITH_APPROVED_RUNBOOK_MARKER__</check>
+    </rule>
+
+    <!-- ================================================================
+         X002 — Allow approved comsvcs minidump workflow
+         Targeted to suppress S-I004 only when fully approved and documented.
+         IMPORTANT:
+           - Must include exact host + user + commandline marker.
+           - Do not allow this globally.
+         ================================================================ -->
+    <rule id="X002" name="Approved rundll32 comsvcs minidump workflow">
+        <check type="EQU" field="event.code">1</check>
+        <check type="EQU" field="host.name">__REPLACE_WITH_APPROVED_HOST__</check>
+        <check type="EQU" field="user.name">__REPLACE_WITH_APPROVED_USER__</check>
+        <check type="EQU" field="process.executable">C:\Windows\System32\rundll32.exe</check>
+        <checklist condition="comsvcs and marker">
+            <check id="comsvcs" type="INCL" field="process.command_line">comsvcs.dll</check>
+            <check id="marker" type="INCL" field="process.command_line">__REPLACE_WITH_APPROVED_RUNBOOK_MARKER__</check>
+        </checklist>
+    </rule>
+
+</root>
diff --git a/config/ruleset/sysmon_security/sysmon_intrusion.xml b/config/ruleset/sysmon_security/sysmon_intrusion.xml
