From 0e8d1f9b0dff4dc3180f79cf85cb3117f2770278 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 2 Jan 2023 10:59:51 +0100
Subject: [PATCH] Check field name
---
 .../win_apt_gallium.yml | 5 +++--
 .../file_rename_win_not_dll_to_dll.yml | 10 +++++-----
 .../file_rename/file_rename_win_ransomware.yml | 10 +++++-----
 tests/logsource.json | 17 ++++++++++++++---
 tests/test_logsource.py | 5 ++++-
 5 files changed, 31 insertions(+), 16 deletions(-)
 rename rules/windows/builtin/{dns_server => dns_server_analytical}/win_apt_gallium.yml (87%)
diff --git a/rules/windows/builtin/dns_server/win_apt_gallium.yml b/rules/windows/builtin/dns_server_analytical/win_apt_gallium.yml
similarity index 87%
rename from rules/windows/builtin/dns_server/win_apt_gallium.yml
rename to rules/windows/builtin/dns_server_analytical/win_apt_gallium.yml
index de0066356..424579ede 100644
--- a/rules/windows/builtin/dns_server/win_apt_gallium.yml
+++ b/rules/windows/builtin/dns_server_analytical/win_apt_gallium.yml
@@ -10,14 +10,15 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
 author: Tim Burrell
 date: 2020/02/07
-modified: 2022/10/09
+modified: 2023/01/02
 tags:
 - attack.credential_access
 - attack.command_and_control
 - attack.t1071
 logsource:
 product: windows
- service: dns-server
+ service: dns-server-analytical
+ definition: You must enable DNS server analytic events, GUID {EB79061A-A566-4698-9119-3ED2807060E7}
 detection:
 selection:
 EventID: 257
diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
index 3ca0d7b34..bbf0df66b 100644
--- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
+++ b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
 author: frack113
 date: 2022/02/19
-modified: 2022/10/15
+modified: 2023/01/02
 logsource:
 product: windows
 category: file_rename
@@ -16,16 +16,16 @@ detection:
 to_dll:
 TargetFilename|endswith: '.dll'
 filter_from_dll:
- - OriginalFilename|endswith:
+ - SourceFilename|endswith:
 - '.dll'
 - '.tmp' # VSCode FP
- - OriginalFilename|contains:
+ - SourceFilename|contains:
 - '.dll.'
 - '\SquirrelTemp\temp'
 filter_empty_source:
- OriginalFilename: ''
+ SourceFilename: ''
 filter_non_existing_source:
- OriginalFilename: null
+ SourceFilename: null
 filter_tiworker:
 Image|startswith: 'C:\Windows\WinSxS\'
 Image|endswith: '\TiWorker.exe'
diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml
index 92d986cdd..ca8e3f534 100644
--- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml
+++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml
@@ -7,7 +7,7 @@ references:
 - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
 author: frack113
 date: 2022/07/16
-modified: 2022/09/20
+modified: 2023/01/02
 tags:
 - attack.impact
 - attack.t1486
@@ -17,7 +17,7 @@ logsource:
 definition: Use the WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH ETW source
 detection:
 selection:
- OriginalFilename|endswith:
+ SourceFilename|endswith:
 - '.lnk'
 - '.rtf'
 - '.pst'
@@ -38,7 +38,7 @@ detection:
 - '.png.'
 - '.pdf.'
 filter_generic:
- TargetFilename|endswith:
+ SourceFilename|endswith:
 - '.tmp'
 - '.bak'
 - '.old'
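Review bot: In the @@ -38 hunk, filter_generic is switched from `TargetFilename|endswith:` to `SourceFilename|endswith:`, but the selection already constrains SourceFilename to its own suffix list, so under the rule's `condition: selection and not 1 of filter_*` (visible in the @@ -46 hunk) a record can only be excluded when its source name ends in a selection suffix and also in `.tmp`/`.bak`/`.old`, which never happens for the suffixes visible here; the exclusion of benign document-to-backup renames is effectively lost. The same change is made to filter_anaconda in the @@ -46 hunk, where both the startswith and endswith tests now look at the source path. The selection's full suffix list is outside this hunk, so this is inferred from the visible entries. If the commit only meant to replace OriginalFilename with SourceFilename, keep `TargetFilename|endswith:` in filter_generic and `TargetFilename|startswith: 'C:\ProgramData\Anaconda3\'` / `TargetFilename|endswith: '.c~'` in filter_anaconda.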
@@ -46,8 +46,8 @@ detection:
 - '.backup'
 - '.temp'
 filter_anaconda:
- TargetFilename|startswith: 'C:\ProgramData\Anaconda3\'
- TargetFilename|endswith: '.c~'
+ SourceFilename|startswith: 'C:\ProgramData\Anaconda3\'
+ SourceFilename|endswith: '.c~'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Backup software
diff --git a/tests/logsource.json b/tests/logsource.json
index c8326215d..b6084181a 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -39,9 +39,18 @@
 "process_tampering":["Image","ProcessGuid","ProcessId","Type","User"],
 "file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"],
 "ps_module":["ContextInfo","UserData","Payload"],
- "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"]
+ "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"],
+ "file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"],
+ "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"]
 },
- "service":{}
+ "service":{
+ "bits-client":["RemoteName","LocalName","processPath","processId"],
+ "codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer", "RequestedPolicy","ValidatedPolicy","Status"],
+ "diagnosis-scripted": ["PackagePath","PackageId"],
+ "firewall-as":["Action","ApplicationPath","ModifyingApplication"],
+ "ldap_debug":["ScopeOfSearch","SearchFilter","DistinguishedName","AttributeList","ProcessId"]
+ }
 },
 "linux":{
 "category":{
@@ -90,7 +99,9 @@
 "file_delete": ["CommandLine","ParentImage","ParentCommandLine"],
 "file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"],
 "image_load": ["CommandLine"],
- "process_access": ["SourceCommandLine","CallTraceExtended"]
+ "process_access": ["SourceCommandLine","CallTraceExtended"],
+ "file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"],
+ "file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"]
 }
 }
 }
diff --git a/tests/test_logsource.py b/tests/test_logsource.py
index e90796d91..c96e1cb0c 100644
--- a/tests/test_logsource.py
+++ b/tests/test_logsource.py
@@ -159,7 +159,7 @@ class TestRules(unittest.TestCase):
 self.assertEqual(files_with_fieldname_issues,
 [],
 Fore.RED +
-"There are rule files which contains unkown field or with cast error")
+"There are rule files which contains unkown field or with cast error, to fix FP update ")
 def load_fields_json(name:str):
 data = {}
@@ -185,6 +185,9 @@ def load_fields_json(name:str):
 data[product]["category"][category] += ["md5","sha1","sha256","Imphash"]
 if "commun" in data[product].keys():
 data[product]["category"][category] += data[product]["commun"]
+ for service in data[product]["service"]:
+ if "commun" in data[product].keys():
+ data[product]["service"][service] += data[product]["commun"]
 return data
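Review bot: The new file_rename entry admits `OriginalFileName` (capital N) next to `SourceFilename`, while the rules migrated in this same patch stop using the field spelled `OriginalFilename`; if the field-name comparison in test_logsource.py is case-sensitive, this entry matches neither the old spelling nor any field the patched rules use. If it is intended as the renaming image's PE `OriginalFileName` rather than the pre-rename path, that is legitimate but easy to confuse with the field just removed, so confirming the intent and dropping the entry if nothing uses it would keep the allow-list tight. The enclosing object's key is above the hunk, so which product this list belongs to cannot be read here.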
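Review bot: The rewritten assertion message in the @@ -159 hunk ends mid-sentence with `to fix FP update ` and carries over the typo `unkown`; since the line is being changed anyway, a complete message naming the file to edit would help whoever hits the failure, e.g. `"There are rule files which contain an unknown field or a cast error; to fix a false positive, update tests/logsource.json")`. The assertEqual call is inside the hunk but the enclosing test method starts above it.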
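Review bot: The loop added in the @@ -185 hunk re-evaluates `"commun" in data[product].keys()` on every iteration and indexes `data[product]["service"]` unconditionally, which raises KeyError for any product entry in logsource.json that lacks a `service` key (the keys of the linux entry are not visible in this patch, so whether that can happen is inferred). Hoisting the membership test and using the plain `in` idiom keeps the intended behaviour and drops the per-service lookup: `if "commun" in data[product]:` / `    for service in data[product].get("service", {}):` / `        data[product]["service"][service] += data[product]["commun"]`. The loop that binds product and the start of load_fields_json are outside the hunk.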