From 03cc78e91633ea8260bec5e365d015ffbf5ee6fc Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 09:25:16 +0100 Subject: [PATCH] feat: filename test enhancements (#3812) --- ...tstrike_getsystem_service_installation.yml | 6 +- .../net_firewall_cleartext_protocols.yml} | 0 ...win_codeintegrity_blocked_driver_load.yml} | 0 ...n_security_group_modification_logging.yml} | 0 .../win_security_workstation_was_locked.yml} | 0 .../system/win_system_pcap_drivers.yml | 4 +- ...n_taskscheduler_rare_schtask_creation.yml} | 0 ...win_taskscheduler_susp_task_locations.yml} | 0 ...api_in_powershell_credentials_dumping.yml} | 0 ...ry_win_remote_access_software_domains.yml} | 0 ...yml => driver_load_win_mal_creddumper.yml} | 0 ...=> driver_load_win_mal_poortry_driver.yml} | 0 ...owershell_script_installed_as_service.yml} | 0 ...yml => driver_load_win_process_hacker.yml} | 0 ....yml => driver_load_win_susp_temp_use.yml} | 0 ...ad_win_vuln_avast_anti_rootkit_driver.yml} | 0 ...l => driver_load_win_vuln_dell_driver.yml} | 0 ...s.yml => driver_load_win_vuln_drivers.yml} | 0 ...=> driver_load_win_vuln_drivers_names.yml} | 0 ... driver_load_win_vuln_gigabyte_driver.yml} | 0 ...l => driver_load_win_vuln_hevd_driver.yml} | 0 ...yml => driver_load_win_vuln_hw_driver.yml} | 0 ...=> driver_load_win_vuln_lenovo_driver.yml} | 0 ... 
driver_load_win_vuln_winring0_driver.yml} | 0 ...vert.yml => driver_load_win_windivert.yml} | 0 ...ccess_win_shellcode_inject_msf_empire.yml} | 0 ....yml => proc_access_win_susp_seclogon.yml} | 0 ...api_in_powershell_credentials_dumping.yml} | 0 ...roc_creation_win_wmic_tamper_defender.yml} | 0 ...cleanup_handler_new_entry_persistence.yml} | 0 ...stry_set_natural_language_persistence.yml} | 0 tests/test_rules.py | 137 +++++++++++++++++- 32 files changed, 141 insertions(+), 6 deletions(-) rename {rules/windows/driver_load => rules-unsupported}/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml (96%) rename rules/{compliance/firewall_cleartext_protocols.yml => network/firewall/net_firewall_cleartext_protocols.yml} (100%) rename rules/windows/builtin/code_integrity/{win_codeintergiry_blocked_driver_load.yml => win_codeintegrity_blocked_driver_load.yml} (100%) rename rules/{compliance/group_modification_logging.yml => windows/builtin/security/win_security_group_modification_logging.yml} (100%) rename rules/{compliance/workstation_was_locked.yml => windows/builtin/security/win_security_workstation_was_locked.yml} (100%) rename rules/windows/builtin/taskscheduler/{win_rare_schtask_creation.yml => win_taskscheduler_rare_schtask_creation.yml} (100%) rename rules/windows/builtin/taskscheduler/{win_task_scheduler_susp_task_locations.yml => win_taskscheduler_susp_task_locations.yml} (100%) rename rules/windows/create_remote_thread/{create_remote_thread_winapi_in_powershell_credentials_dumping.yml => create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml} (100%) rename rules/windows/dns_query/{dns_query_remote_access_software_domains.yml => dns_query_win_remote_access_software_domains.yml} (100%) rename rules/windows/driver_load/{driver_load_mal_creddumper.yml => driver_load_win_mal_creddumper.yml} (100%) rename rules/windows/driver_load/{driver_load_mal_poortry_driver.yml => driver_load_win_mal_poortry_driver.yml} (100%) rename 
rules/windows/driver_load/{driver_load_powershell_script_installed_as_service.yml => driver_load_win_powershell_script_installed_as_service.yml} (100%) rename rules/windows/driver_load/{driver_load_process_hacker.yml => driver_load_win_process_hacker.yml} (100%) rename rules/windows/driver_load/{driver_load_susp_temp_use.yml => driver_load_win_susp_temp_use.yml} (100%) mode change 100755 => 100644 rename rules/windows/driver_load/{driver_load_vuln_avast_anti_rootkit_driver.yml => driver_load_win_vuln_avast_anti_rootkit_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_dell_driver.yml => driver_load_win_vuln_dell_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_drivers.yml => driver_load_win_vuln_drivers.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_drivers_names.yml => driver_load_win_vuln_drivers_names.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_gigabyte_driver.yml => driver_load_win_vuln_gigabyte_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_hevd_driver.yml => driver_load_win_vuln_hevd_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_hw_driver.yml => driver_load_win_vuln_hw_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_lenovo_driver.yml => driver_load_win_vuln_lenovo_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_winring0_driver.yml => driver_load_win_vuln_winring0_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_windivert.yml => driver_load_win_windivert.yml} (100%) rename rules/windows/process_access/{process_access_win_shellcode_inject_msf_empire.yml => proc_access_win_shellcode_inject_msf_empire.yml} (100%) rename rules/windows/process_access/{process_access_win_susp_seclogon.yml => proc_access_win_susp_seclogon.yml} (100%) rename rules/windows/process_access/{process_access_winapi_in_powershell_credentials_dumping.yml => 
proc_access_win_winapi_in_powershell_credentials_dumping.yml} (100%) rename rules/windows/process_creation/{proc_creation_wmic_tamper_defender.yml => proc_creation_win_wmic_tamper_defender.yml} (100%) rename rules/windows/registry/registry_add/{registry_set_disk_cleanup_handler_new_entry_persistence.yml => registry_add_disk_cleanup_handler_new_entry_persistence.yml} (100%) rename rules/windows/registry/registry_set/{regsitry_set_natural_language_persistence.yml => registry_set_natural_language_persistence.yml} (100%) diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml similarity index 96% rename from rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml rename to rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index b3afed27b..4f23f2659 100644 --- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -3,14 +3,14 @@ id: d585ab5a-6a69-49a8-96e8-4a726a54de46 related: - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 type: derived -status: test +status: unsupported description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2022/10/09 +modified: 2022/12/22 tags: - attack.privilege_escalation - attack.t1134.001 @@ -51,4 +51,4 @@ fields: - ImagePath falsepositives: - Highly unlikely -level: critical +level: critical \ No newline at end of file 
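Review bot: The `+level: critical` line now carries `\ No newline at end of file`, so moving the rule to rules-unsupported also strips the file's trailing newline; keep the final newline so YAML linters and later diffs on this file stay clean. Nothing in the rule records why it is now `status: unsupported` — a short sentence appended to `description:` or a `# unsupported: <reason>` comment next to the status line would spare the next reader a git-blame. The detection block of the rule lies outside this hunk.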
diff --git a/rules/compliance/firewall_cleartext_protocols.yml b/rules/network/firewall/net_firewall_cleartext_protocols.yml similarity index 100% rename from rules/compliance/firewall_cleartext_protocols.yml rename to rules/network/firewall/net_firewall_cleartext_protocols.yml diff --git a/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml similarity index 100% rename from rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml rename to rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml diff --git a/rules/compliance/group_modification_logging.yml b/rules/windows/builtin/security/win_security_group_modification_logging.yml similarity index 100% rename from rules/compliance/group_modification_logging.yml rename to rules/windows/builtin/security/win_security_group_modification_logging.yml diff --git a/rules/compliance/workstation_was_locked.yml b/rules/windows/builtin/security/win_security_workstation_was_locked.yml similarity index 100% rename from rules/compliance/workstation_was_locked.yml rename to rules/windows/builtin/security/win_security_workstation_was_locked.yml diff --git a/rules/windows/builtin/system/win_system_pcap_drivers.yml b/rules/windows/builtin/system/win_system_pcap_drivers.yml index 5a2361e62..d0ae0f782 100644 --- a/rules/windows/builtin/system/win_system_pcap_drivers.yml +++ b/rules/windows/builtin/system/win_system_pcap_drivers.yml @@ -6,14 +6,14 @@ references: - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more author: Cian Heasley date: 2020/06/10 -modified: 2021/11/27 +modified: 2022/12/22 tags: - attack.discovery - attack.credential_access - attack.t1040 logsource: product: windows - service: security + service: system definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: 
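Review bot: In win_system_pcap_drivers.yml the logsource is switched to `service: system` while the `definition:` line directly below still says the 'System Security Extension' audit subcategory must be enabled to log EID 4697, which is a Security-log event, so the two now contradict each other. If `detection.selection` (outside this hunk) matches the System-log service-installation event (EID 7045, which is what the referenced blog post is about), the definition should describe that source instead, e.g. `definition: Relies on the Windows System log service installation event (EID 7045)`; if it still matches EID 4697, the service change is wrong and should be reverted. A `modified` bump alone does not tell a consumer which log source the rule expects.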
diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml similarity index 100% rename from rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml rename to rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml similarity index 100% rename from rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml rename to rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml diff --git a/rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml b/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml similarity index 100% rename from rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml similarity index 100% rename from rules/windows/dns_query/dns_query_remote_access_software_domains.yml rename to rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml similarity index 100% rename from rules/windows/driver_load/driver_load_mal_creddumper.yml rename to rules/windows/driver_load/driver_load_win_mal_creddumper.yml 
diff --git a/rules/windows/driver_load/driver_load_mal_poortry_driver.yml b/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_mal_poortry_driver.yml rename to rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml diff --git a/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml similarity index 100% rename from rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml rename to rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml diff --git a/rules/windows/driver_load/driver_load_process_hacker.yml b/rules/windows/driver_load/driver_load_win_process_hacker.yml similarity index 100% rename from rules/windows/driver_load/driver_load_process_hacker.yml rename to rules/windows/driver_load/driver_load_win_process_hacker.yml diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml old mode 100755 new mode 100644 similarity index 100% rename from rules/windows/driver_load/driver_load_susp_temp_use.yml rename to rules/windows/driver_load/driver_load_win_susp_temp_use.yml diff --git a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_dell_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml 
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_drivers.yml rename to rules/windows/driver_load/driver_load_win_vuln_drivers.yml diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_drivers_names.yml rename to rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml diff --git a/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_hevd_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_hw_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_hw_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml 
diff --git a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_winring0_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml similarity index 100% rename from rules/windows/driver_load/driver_load_windivert.yml rename to rules/windows/driver_load/driver_load_win_windivert.yml diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml similarity index 100% rename from rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml rename to rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml diff --git a/rules/windows/process_access/process_access_win_susp_seclogon.yml b/rules/windows/process_access/proc_access_win_susp_seclogon.yml similarity index 100% rename from rules/windows/process_access/process_access_win_susp_seclogon.yml rename to rules/windows/process_access/proc_access_win_susp_seclogon.yml diff --git a/rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml b/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml similarity index 100% rename from rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml rename to rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml 
diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml rename to rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml diff --git a/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml similarity index 100% rename from rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml rename to rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml diff --git a/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml b/rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml similarity index 100% rename from rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml rename to rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml diff --git a/tests/test_rules.py b/tests/test_rules.py index b7d9e8f0e..0e7d70d6c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -729,10 +729,145 @@ class TestRules(unittest.TestCase): print( Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) faulty_rules.append(file) + else: + # This test make sure that every rules has a filename that corresponds to + # It's specific logsource. + # Fix Issue #1381 (https://github.com/SigmaHQ/sigma/issues/1381) + logsource = self.get_rule_part(file_path=file, part_name="logsource") + if logsource: + pattern_prefix = "" + os_infix = "" + os_bool = False + for key,value in logsource.items(): + if key == "definition": + pass + else: + if key == "product": + # This is to get the OS for certain categories + if value == "windows": + os_infix = "win_" + elif value == "macos": + os_infix = "macos_" + elif value == "linux": + os_infix = "lnx_" + # For other stuff + elif value == "aws": + pattern_prefix = "aws_" + elif value == "azure": + pattern_prefix = "azure_" + elif value == "gcp": + pattern_prefix = "gcp_" + elif value == "gworkspace": + pattern_prefix = "gworkspace_" + elif value == "m365": + pattern_prefix = "microsoft365_" + elif value == "okta": + pattern_prefix = "okta_" + elif value == "onelogin": + pattern_prefix = "onelogin_" + elif key == "category": + if value == "process_creation": + pattern_prefix = "proc_creation_" + os_bool = True + elif value == "image_load": + pattern_prefix = "image_load_" + elif value == "file_event": + pattern_prefix = "file_event_" + os_bool = True + elif value == "registry_set": + pattern_prefix = "registry_set_" + elif value == "registry_add": + pattern_prefix = "registry_add_" + elif value == "registry_event": + pattern_prefix = "registry_event_" + elif value == "registry_delete": + pattern_prefix = "registry_delete_" + elif value == "registry_rename": + pattern_prefix = "registry_rename_" + elif value == "process_access": + pattern_prefix = "proc_access_" + os_bool = True + elif value == "driver_load": + pattern_prefix = "driver_load_" + os_bool = True + elif value == "dns_query": + 
pattern_prefix = "dns_query_" + os_bool = True + elif value == "ps_script": + pattern_prefix = "posh_ps_" + elif value == "ps_module": + pattern_prefix = "posh_pm_" + elif value == "ps_classic_start": + pattern_prefix = "posh_pc_" + elif value == "pipe_created": + pattern_prefix = "pipe_created_" + elif value == "network_connection": + pattern_prefix = "net_connection_" + os_bool = True + elif value == "file_rename": + pattern_prefix = "file_rename_" + os_bool = True + elif value == "file_delete": + pattern_prefix = "file_delete_" + os_bool = True + elif value == "file_change": + pattern_prefix = "file_change_" + os_bool = True + elif value == "file_access": + pattern_prefix = "file_access_" + os_bool = True + elif value == "create_stream_hash": + pattern_prefix = "create_stream_hash_" + elif value == "create_remote_thread": + pattern_prefix = "create_remote_thread_win_" + elif value == "dns": + pattern_prefix = "net_dns_" + elif value == "firewall": + pattern_prefix = "net_firewall_" + elif value == "webserver": + pattern_prefix = "web_" + elif key == "service": + if value == "auditd": + pattern_prefix = "lnx_auditd_" + elif value == "modsecurity": + pattern_prefix = "modsec_" + elif value == "diagnosis-scripted": + pattern_prefix = "win_diagnosis_scripted_" + elif value == "firewall-as": + pattern_prefix = "win_firewall_as_" + elif value == "msexchange-management": + pattern_prefix = "win_exchange_" + elif value == "security": + pattern_prefix = "win_security_" + elif value == "system": + pattern_prefix = "win_system_" + elif value == "taskscheduler": + pattern_prefix = "win_taskscheduler_" + elif value == "terminalservices-localsessionmanager": + pattern_prefix = "win_terminalservices_" + elif value == "windefend": + pattern_prefix = "win_defender_" + elif value == "wmi": + pattern_prefix = "win_wmi_" + elif value == "codeintegrity-operational": + pattern_prefix = "win_codeintegrity_" + elif value == "bits-client": + pattern_prefix = "win_bits_client_" + elif 
value == "applocker": + pattern_prefix = "win_applocker_" + + # This value is used to test if we should add the OS infix for certain categories + if os_bool: + pattern_prefix += os_infix + if pattern_prefix != "": + if not filename.startswith(pattern_prefix): + print( + Fore.YELLOW + "Rule {} has a file name that doesn't match our standard naming convention.".format(file)) + faulty_rules.append(file) name_lst.append(filename) self.assertEqual(faulty_rules, [], Fore.RED + - r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character.') + r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character. It also has to follow the following naming convention https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/Sigmahq_filename_rule.md') def test_title(self): faulty_rules = []
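Review bot: The three nested if/elif chains on `product`, `category` and `service` are lookup tables written out by hand, and because `pattern_prefix` is overwritten on every iteration the verdict depends on the key order in the rule's YAML — if a rule ever sets both `category` and `service`, whichever comes last wins — while the `if key == "definition": pass / else:` wrapper only adds a level of nesting. Keeping the mappings in module-level dicts and reading the three keys with `logsource.get(...)` in a fixed order makes the precedence explicit and the tables trivial to extend when a new logsource is introduced, as sketched below (the dict entries repeat the mappings from this hunk unchanged). The enclosing test method starts before this hunk; `file`, `filename` and `faulty_rules` are defined there.
```python
# Filename prefixes per logsource (see SigmaHQ filename convention); same
# mappings as the if/elif chains, now data instead of control flow.
OS_INFIX = {"windows": "win_", "macos": "macos_", "linux": "lnx_"}
PRODUCT_PREFIX = {
    "aws": "aws_", "azure": "azure_", "gcp": "gcp_", "gworkspace": "gworkspace_",
    "m365": "microsoft365_", "okta": "okta_", "onelogin": "onelogin_",
}
# category -> (prefix, whether the OS infix follows the prefix)
CATEGORY_PREFIX = {
    "process_creation": ("proc_creation_", True), "image_load": ("image_load_", False),
    "file_event": ("file_event_", True), "registry_set": ("registry_set_", False),
    "registry_add": ("registry_add_", False), "registry_event": ("registry_event_", False),
    "registry_delete": ("registry_delete_", False), "registry_rename": ("registry_rename_", False),
    "process_access": ("proc_access_", True), "driver_load": ("driver_load_", True),
    "dns_query": ("dns_query_", True), "ps_script": ("posh_ps_", False),
    "ps_module": ("posh_pm_", False), "ps_classic_start": ("posh_pc_", False),
    "pipe_created": ("pipe_created_", False), "network_connection": ("net_connection_", True),
    "file_rename": ("file_rename_", True), "file_delete": ("file_delete_", True),
    "file_change": ("file_change_", True), "file_access": ("file_access_", True),
    "create_stream_hash": ("create_stream_hash_", False),
    "create_remote_thread": ("create_remote_thread_win_", False),
    "dns": ("net_dns_", False), "firewall": ("net_firewall_", False), "webserver": ("web_", False),
}
SERVICE_PREFIX = {
    "auditd": "lnx_auditd_", "modsecurity": "modsec_",
    "diagnosis-scripted": "win_diagnosis_scripted_", "firewall-as": "win_firewall_as_",
    "msexchange-management": "win_exchange_", "security": "win_security_",
    "system": "win_system_", "taskscheduler": "win_taskscheduler_",
    "terminalservices-localsessionmanager": "win_terminalservices_",
    "windefend": "win_defender_", "wmi": "win_wmi_",
    "codeintegrity-operational": "win_codeintegrity_", "bits-client": "win_bits_client_",
    "applocker": "win_applocker_",
}

# … unchanged: regex check on the file name and its warning …
            else:
                # Fix Issue #1381: the file name must reflect the rule's logsource.
                logsource = self.get_rule_part(file_path=file, part_name="logsource")
                if isinstance(logsource, dict):
                    product = logsource.get("product")
                    category = logsource.get("category")
                    service = logsource.get("service")
                    # Fixed precedence: service > category > product, independent of YAML key order.
                    pattern_prefix = PRODUCT_PREFIX.get(product, "")
                    os_bool = False
                    if category in CATEGORY_PREFIX:
                        pattern_prefix, os_bool = CATEGORY_PREFIX[category]
                    if service in SERVICE_PREFIX:
                        pattern_prefix = SERVICE_PREFIX[service]
                    if os_bool:
                        pattern_prefix += OS_INFIX.get(product, "")
                    if pattern_prefix and not filename.startswith(pattern_prefix):
                        # … unchanged: naming-convention warning and faulty_rules.append(file) …
```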