diff --git a/contrib/sigmacover.py b/contrib/sigmacover.py
new file mode 100644
index 000000000..3c33e4f2b
--- /dev/null
+++ b/contrib/sigmacover.py
@@ -0,0 +1,160 @@ +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . +""" +Project: sigmacover.py +Date: 26/09/2021 +Author: frack113 +Version: 1.1 +Description: + get cover of the rules vs backend +Requirements: + python 3.7 min + $ pip install ruyaml +Todo: + - clean code and bug + - better use of subprocess.run + - have idea +""" + + +import re +import subprocess +import pathlib +import ruyaml +import json +import copy +import platform +import argparse + +def get_sigmac(name,conf): + infos = [] + if conf == None: + options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"] + else: + options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"] + if platform.system() == "Windows": + si = subprocess.STARTUPINFO() + si.dwFlags |= subprocess.STARTF_USESHOWWINDOW + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + startupinfo=si + ) + my_regex = "Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)" + else: + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + ) + my_regex = "Convertion Sigma input \S+/(\w+\.yml) (\w+)" + if not ret.returncode == 0: + print (f"error {ret.returncode} in sigmac") + log = pathlib.Path("sigmac.log") + with log.open() as f: + lines = f.readlines() + for line in lines: + if "Convertion Sigma input" in line: + info = re.findall(my_regex,line)[0] + infos.append(info) + log.unlink() + dump = pathlib.Path("dump.txt") + if dump.exists(): + dump.unlink() + return infos + +def update_dict(my_dict,my_data,backend): + for file,state in my_data: + my_dict[file][backend] = state + +#the backend dict command line options +backend_dict = { + "ala": None, + "ala-rule": None, + "arcsight": "../tools/config/elk-winlogbeat.yml", + "arcsight-esm": "../tools/config/elk-winlogbeat.yml", + 
"carbonblack": "../tools/config/elk-winlogbeat.yml", + "chronicle": "../tools/config/elk-winlogbeat.yml", + "crowdstrike": "../tools/config/elk-winlogbeat.yml", + "csharp" : None, + "devo": "../tools/config/elk-winlogbeat.yml", + "ee-outliers": "../tools/config/winlogbeat-modules-enabled.yml", + "elastalert": "../tools/config/winlogbeat-modules-enabled.yml", + "elastalert-dsl": "../tools/config/winlogbeat-modules-enabled.yml", + "es-dsl": "../tools/config/winlogbeat-modules-enabled.yml", + "es-eql": "../tools/config/winlogbeat-modules-enabled.yml", + "es-qs": "../tools/config/winlogbeat-modules-enabled.yml", + "es-qs-lr": "../tools/config/logrhythm_winevent.yml", + "es-rule": "../tools/config/winlogbeat-modules-enabled.yml", + "es-rule-eql": "../tools/config/winlogbeat-modules-enabled.yml", + "fireeye-helix": "../tools/config/elk-winlogbeat.yml", + "graylog" : None, + "grep" : None, + "humio": "../tools/config/elk-winlogbeat.yml", + "kibana": "../tools/config/winlogbeat-modules-enabled.yml", + "kibana-ndjson": "../tools/config/winlogbeat-modules-enabled.yml", + "lacework" : None, + "limacharlie" : None, + "logiq" : None, + "logpoint" : None, + "mdatp" : None, + "netwitness" : None, + "netwitness-epl" : None, + "opensearch-monitor": "../tools/config/winlogbeat.yml", + "powershell" : None, + "qradar" : None, + "qualys" : None, + "sentinel-rule" : None, + "splunk": "../tools/config/splunk-windows.yml", + "splunkdm": "../tools/config/splunk-windows.yml", + "splunkxml": "../tools/config/splunk-windows.yml", + "sql": "../tools/config/elk-winlogbeat.yml", + "sqlite": "../tools/config/elk-winlogbeat.yml", + "stix": "../tools/config/stix2.0.yml", + "sumologic" : None, + "sumologic-cse" : None, + "sumologic-cse-rule" : None, + "sysmon": "../tools/config/elk-windows.yml", + "uberagent" : None, + "xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml", + } + +print(""" +███ ███ ████ █▄┼▄█ ███ ┼┼ ███ ███ █▄█ ███ ███ +█▄▄ ┼█┼ █┼▄▄ █┼█┼█ █▄█ ┼┼ █┼┼ █┼█ ███ █▄┼ █▄┼ +▄▄█ 
▄█▄ █▄▄█ █┼┼┼█ █┼█ ┼┼ ███ █▄█ ┼█┼ █▄▄ █┼█ + v1.1 bugfix +please wait during the tests +""") +argparser = argparse.ArgumentParser(description="Check Sigma rules with all backend.") +argparser.add_argument("--target", "-t", choices=["yaml","json"], help="Output target format") +cmdargs = argparser.parse_args() + +if cmdargs.target == None: + print("No outpout use -h to see help") + exit() + +#init dict of all rules +default_key_test = {key : "NO TEST" for key in backend_dict.keys()} +the_dico ={} +rules = pathlib.Path("../rules").glob("**/*.yml") +for rule in rules: + the_dico[rule.name] = copy.deepcopy(default_key_test) + +#Check all the backend +for name,opt in backend_dict.items(): + print (f"check backend : {name}") + result = get_sigmac(name,opt) + update_dict(the_dico,result,name) + +#Save +if cmdargs.target.lower() == "yaml": + cover = pathlib.Path("sigmacover.yml") + with cover.open("w") as file: + ruyaml.dump(the_dico, file, Dumper=ruyaml.RoundTripDumper) +else: + cover = pathlib.Path("sigmacover.json") + with cover.open("w") as file: + json_dumps_str = json.dumps(the_dico, indent=4) + file.write(json_dumps_str) diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules-unsupported/win_apt_apt29_tor.yml old mode 100755 new mode 100644 similarity index 100% rename from rules/windows/builtin/win_apt_apt29_tor.yml rename to rules-unsupported/win_apt_apt29_tor.yml diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml new file mode 100644 index 000000000..7c97e8d2c --- /dev/null +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml 
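Review bot: The two `my_regex` patterns in get_sigmac are ordinary strings containing `\S`, `\w` and `\.`, which Python treats as invalid escape sequences (a DeprecationWarning today, an error in a later release); write them as raw strings, e.g. `my_regex = r"Convertion Sigma input \S+/(\w+\.yml) (\w+)"`. A non-zero `ret.returncode` is only printed and then `sigmac.log` is opened unconditionally, so a sigmac run that never wrote the log ends in an uncaught FileNotFoundError at `log.open()`; test `log.exists()` first or fail with a clear message. `if conf == None` should be `if conf is None`. The regex parses the debug log for the literal text `Convertion Sigma input`, so that misspelling is now an interface shared with `tools/sigma/sigmac.py` and correcting it on one side silently empties the cover report. Keying `the_dico` on `rule.name` also means two rules with the same file name in different directories share one entry.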
@@ -0,0 +1,21 @@
+title: AWS Attached Malicious Lambda Layer
+id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
+description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
+author: Austin Songer
+status: experimental
+date: 2021/09/23
+references:
+ - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
+logsource:
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: lambda.amazonaws.com
+ eventName: UpdateFunctionConfiguration
+ condition: selection
+level: medium
+tags:
+ - attack.privilege_escalation
+falsepositives:
+ - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml
new file mode 100644
index 000000000..ce6c956bf
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml
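Review bot: The selection fires on every `UpdateFunctionConfiguration` call, while the title and description describe only the case of a layer being attached; the same API call also changes environment variables, memory, timeout and the execution role, so at `level: medium` this alerts on routine deployments. Either widen the description to match what is detected, or narrow the selection on the request's `Layers` parameter as recorded in CloudTrail (the linked API reference documents the parameter; the exact CloudTrail field name should be confirmed against a sample event before use). `attack.privilege_escalation` is a tactic-only tag; the other new rules in this commit also carry a technique id, so one should be added here if a fitting technique exists.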
@@ -0,0 +1,25 @@
+title: User Added to an Administrator's Azure AD Role
+id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
+description: User Added to an Administrator's Azure AD Role
+author: Raphaël CALVET, @MetallicHack
+date: 2021/10/04
+references:
+ - https://attack.mitre.org/techniques/T1098/003/
+ - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ Operation: 'Add member to role.'
+ Workload: 'AzureActiveDirectory'
+ ModifiedProperties{}.NewValue|endswith:
+ - 'Admins'
+ - 'Administrator'
+ condition: selection
+falsepositives:
+ - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
+level: medium
+status: experimental
+tags:
+ - attack.persistence
+ - attack.t1098.003
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
new file mode 100644
index 000000000..643168b45
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
@@ -0,0 +1,31 @@
+title: Clipboard Collection with Xclip Tool
+id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
+description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/24
+references:
+ - https://attack.mitre.org/techniques/T1115/
+ - https://linux.die.net/man/1/xclip
+ - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
+logsource:
+ product: linux
+ service: auditd
+detection:
+ xclip:
+ type: EXECVE
+ a0: xclip
+ a1:
+ - '-selection'
+ - '-sel'
+ a2:
+ - clipboard
+ - clip
+ a3: '-o'
+ condition: xclip
+tags:
+ - attack.collection
+ - attack.t1115
+falsepositives:
+ - Legitimate usage of xclip tools
+level: low
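Review bot: The `description` repeats the title verbatim and so documents nothing; it should say which audit operation is matched and why the `endswith` suffixes `Admins` / `Administrator` are taken to identify privileged roles, e.g. `description: Detects the Azure AD audit operation 'Add member to role.' where the target role name ends in Admins or Administrator, i.e. a user being added to a privileged directory role`. `falsepositives` already says PIM activations raise this event each time an eligible role is enabled; in PIM tenants that makes a `level: medium` rule noisy, so the note should state whether such activations can be told apart in this log or whether tuning on the actor is expected.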
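Review bot: The xclip selection matches arguments positionally (`a0` to `a3`), so only the literal order `xclip -selection clipboard -o` is covered; xclip accepts the same options in other orders, and `a0: xclip` does not cover an invocation by absolute path, so legitimate and suspicious uses alike fall outside the rule depending on how they were typed. Matching the presence of `-o` together with `-selection`/`-sel` and `clipboard`/`clip` across the argument fields, and `a0|endswith: xclip`, would make coverage less brittle; the same applies to the image-data variant in `lnx_auditd_clipboard_image_collection.yml` in the next hunk. How auditd records `a0` when a path is used should be confirmed before switching to `endswith`.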
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
new file mode 100644
index 000000000..181bf6528
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
@@ -0,0 +1,32 @@
+title: Clipboard Collection of Image Data with Xclip Tool
+id: f200dc3f-b219-425d-a17e-c38467364816
+description: Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/10/01
+references:
+ - https://attack.mitre.org/techniques/T1115/
+ - https://linux.die.net/man/1/xclip
+logsource:
+ product: linux
+ service: auditd
+detection:
+ xclip:
+ type: EXECVE
+ a0: xclip
+ a1:
+ - '-selection'
+ - '-sel'
+ a2:
+ - clipboard
+ - clip
+ a3: '-t'
+ a4|startswith: 'image/'
+ a5: '-o'
+ condition: xclip
+tags:
+ - attack.collection
+ - attack.t1115
+falsepositives:
+ - Legitimate usage of xclip tools
+level: low
diff --git a/rules/linux/macos_suspicious_macos_firmware_activity.yml b/rules/linux/macos_suspicious_macos_firmware_activity.yml
new file mode 100644
index 000000000..cc89eebfe
--- /dev/null
+++ b/rules/linux/macos_suspicious_macos_firmware_activity.yml
@@ -0,0 +1,27 @@
+title: Suspicious MacOS Firmware Activity
+id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099
+status: experimental
+description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
+author: Austin Songer @austinsonger
+date: 2021/09/30
+references:
+ - https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml
+ - https://www.manpagez.com/man/8/firmwarepasswd/
+ - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection1:
+ Image: '/usr/sbin/firmwarepasswd'
+ CommandLine|contains:
+ - 'setpasswd'
+ - 'full'
+ - 'delete'
+ - 'check'
+ condition: selection1
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.impact
diff --git a/rules/windows/builtin/win_lolbas_execution_of_nltest.yml b/rules/windows/builtin/win_lolbas_execution_of_nltest.yml
new file mode 100644
index 000000000..041d524ba
--- /dev/null
+++ b/rules/windows/builtin/win_lolbas_execution_of_nltest.yml
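Review bot: `'check'` in `CommandLine|contains` matches `firmwarepasswd -check`, which only reports whether a firmware password is set, yet it shares `level: medium` with `setpasswd` and `delete`, which actually change it; move the read-only query into its own selection at a lower level or drop it so the alert keeps its meaning. The `description` has a typo and awkward wording (`manipulates with Firmward Password`); suggest `description: Detects use of firmwarepasswd to set, change, delete or check the firmware password on macOS. NOTE - this command has been disabled on Apple silicon Macs.` `attack.impact` is a tactic-only tag while the other new rules in this commit carry technique ids.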
@@ -0,0 +1,30 @@
+title: Correct Execution of Nltest.exe
+id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
+status: experimental
+author: Arun Chauhan
+date: 2021/10/04
+description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.
+references:
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
+ - https://attack.mitre.org/software/S0359/
+tags:
+ - attack.discovery
+ - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts
+ - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc
+ - attack.t1016 # enumerate the parent domain of a local machine using /parentdomain
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4689
+ ProcessName|endswith: nltest.exe
+ Status: "0x0"
+ condition: selection
+fields:
+ - "SubjectUserName"
+ - "SubjectDomainName"
+falsepositives:
+ - Red team activity
+ - rare legitimate use by an administrator
+level: high
diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml
index e947b6ae9..595a57420 100644
--- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml
+++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml
@@ -13,7 +13,6 @@ tags:
 logsource:
 product: windows
 service: security
- definition:
 detection:
 selection:
 EventID: 4648
diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml
index afe1ef752..2856705cd 100644
--- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml
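Review bot: Event 4689 (process termination) carries no command line, so `ProcessName|endswith: nltest.exe` with `Status: "0x0"` fires on every successful nltest run, including `nltest /?`; the `description` nevertheless asserts discovery of domain controllers and trusts, which this data source cannot show, and `level: high` for any execution is hard to justify. The repository already has `win_nltest_recon.yml` on `process_creation` matching the discovery switches, so this rule is better framed as a low-visibility fallback at `level: medium` (or low) whose description says it only confirms that nltest.exe ran and exited with status 0. `falsepositives: Red team activity` is a true positive by definition and should be removed from that list.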
@@ -62,7 +62,7 @@ detection:
 filter2:
 ProcessName|startswith:
 - 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions
- condition: selection_1 or selection_2 and not filter1 and not filter2
+ condition: ( selection_1 or selection_2 ) and not filter1 and not filter2
 fields:
 - ComputerName
 - SubjectDomainName
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml
similarity index 100%
rename from rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
rename to rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml
diff --git a/rules/windows/file_delete/sysmon_delete_prefetch.yml b/rules/windows/file_delete/sysmon_delete_prefetch.yml
new file mode 100755
index 000000000..451971948
--- /dev/null
+++ b/rules/windows/file_delete/sysmon_delete_prefetch.yml
@@ -0,0 +1,23 @@
+title: Prefetch File Deletion
+id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
+status: experimental
+description: Detects the deletion of a prefetch file (AntiForensic)
+level: high
+author: Cedric MAURUGEON
+date: 2021/09/29
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
+logsource:
+ product: windows
+ category: file_delete
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\Windows\Prefetch\'
+ TargetFilename|endswith: '.pf'
+ exception:
+ Image: 'C:\windows\system32\svchost.exe'
+ User: 'NT AUTHORITY\SYSTEM'
+ condition: selection and not exception
+falsepositives:
+ - Unknown
diff --git a/rules/windows/process_creation/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml
similarity index 100%
rename from rules/windows/process_creation/file_event_executable_and_script_creation_by_office_using_file_ext.yml
rename to rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml
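Review bot: `falsepositives: Unknown` contradicts the rule's own `exception` block, which presumably exists because Windows itself trims `C:\Windows\Prefetch` through a SYSTEM `svchost.exe`; that expected benign source, plus disk-cleanup and imaging tools that remove `.pf` files, should be listed there, and `level: high` reconsidered or justified in the description once those are acknowledged. The file is added with `new file mode 100755`, an executable bit on a YAML rule, while every other new rule in this commit is `100644`; clear it before merging. `level: high` also sits between `description` and `author`, whereas the other rules in the commit place `level` after `falsepositives`; keep the ordering consistent.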
diff --git a/rules/windows/other/win_lateral_movement_condrv.yml b/rules/windows/other/win_lateral_movement_condrv.yml
index 796b506fa..6bade50ac 100644
--- a/rules/windows/other/win_lateral_movement_condrv.yml
+++ b/rules/windows/other/win_lateral_movement_condrv.yml
@@ -15,7 +15,6 @@ tags:
 logsource:
 product: windows
 service: security
- definition:
 detection:
 selection:
 EventID: 4674
diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml
index f7ed287ec..4599517b9 100644
--- a/rules/windows/powershell/powershell_accessing_win_api.yml
+++ b/rules/windows/powershell/powershell_accessing_win_api.yml
@@ -68,5 +68,5 @@ detection:
 - 'secur32'
 condition: selection
 falsepositives:
- - Unknown
+ - Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
 level: high
diff --git a/rules/windows/powershell/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_susp_zip_compress.yml
index be6c466fb..98f882e49 100644
--- a/rules/windows/powershell/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_susp_zip_compress.yml
@@ -3,7 +3,7 @@ id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
 status: experimental
 author: frack113
 date: 2021/07/20
-modified: 2021/09/07
+modified: 2021/09/30
 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
@@ -13,16 +13,23 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: 4103 Module Logging must be enabled , 4104 Script Block Logging must be enable
 detection:
- selection:
+ selection_4103:
 EventID: 4103
 ContextInfo|contains|all:
 - 'Compress-Archive '
 - ' -Path '
 - ' -DestinationPath '
 - '$env:TEMP\'
- condition: selection
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'Compress-Archive '
+ - ' -Path '
+ - ' -DestinationPath '
+ - '$env:TEMP\'
+ condition: selection_4103 or selection_4104
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
new file mode 100644
index 000000000..ea11ff858
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
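Review bot: The new `definition` line has a spelling and spacing defect, `enabled , 4104 Script Block Logging must be enable`; suggest `definition: 4103 Module Logging must be enabled, 4104 Script Block Logging must be enabled`. This field is what users read to learn which PowerShell logging policy the rule needs, so it is worth getting right. The two selections carry the same four `contains|all` values by necessity; a one-line comment above `selection_4104` noting that both lists must be kept in step would help the next editor.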
@@ -0,0 +1,36 @@
+title: LOLBAS Data Exfiltration by DataSvcUtil.exe
+id: e290b10b-1023-4452-a4a9-eb31a9013b3a
+status: experimental
+author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
+date: 2021/09/30
+description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
+references:
+ - https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
+ - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
+ - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
+ - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
+tags:
+ - attack.exfiltration
+ - attack.t1567
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '/in:'
+ - '/out:'
+ Image|endswith:
+ - '\DataSvcUtil.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - DataSvcUtil.exe being used may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Penetration Testing
+level: medium
diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml
index d0d621109..afcf74717 100644
--- a/rules/windows/process_creation/process_mailboxexport_share.yml
+++ b/rules/windows/process_creation/process_mailboxexport_share.yml
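Review bot: `/in:` together with `/out:` is also the documented normal invocation of DataSvcUtil.exe (the linked Microsoft pages show `/in:` taking a local metadata file and `/out:` the generated client-code file), so the selection covers legitimate client-library generation as much as the exfiltration the title names. Either add a selector that requires the remote `/out:` destination the first reference describes, or make the `description` say it flags any `/in:`/`/out:` use and move the code-generation case into `falsepositives`, which currently lists generic advice rather than that concrete benign use. `Image|endswith` is a one-item list; `Image|endswith: '\DataSvcUtil.exe'` is the form used elsewhere in the commit.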
@@ -25,5 +25,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 tags:
- - attack.collection
- - attack.t1114
\ No newline at end of file
+ - attack.persistence
+ - attack.t1505.003
+ - attack.resource_development
+ - attack.t1584.006
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_nltest_recon.yml b/rules/windows/process_creation/win_nltest_recon.yml
index 46985f8e8..a08640d0d 100644
--- a/rules/windows/process_creation/win_nltest_recon.yml
+++ b/rules/windows/process_creation/win_nltest_recon.yml
@@ -30,6 +30,7 @@ detection:
 - '/dclist:'
 - '/parentdomain'
 - '/domain_trusts'
+ - '/trusted_domains'
 - '/user'
 condition: selection_nltest and (selection_recon1 or selection_recon2)
 falsepositives:
diff --git a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
index 4dd0c5d20..5265dd136 100644
--- a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
+++ b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
@@ -9,7 +9,7 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
 tags:
 - attack.defense_evasion
- - attack.t1218.010
+ - attack.t1218
 - attack.command_and_control
 - attack.t1105
 logsource:
diff --git a/rules/windows/process_creation/win_susp_mshta_pattern.yml b/rules/windows/process_creation/win_susp_mshta_pattern.yml
index d9e7e0102..8291ef095 100644
--- a/rules/windows/process_creation/win_susp_mshta_pattern.yml
+++ b/rules/windows/process_creation/win_susp_mshta_pattern.yml
@@ -16,7 +16,7 @@ logsource:
 detection:
 # Binary Selector
 selection_base:
- Image|endswith: '\mhsta.exe'
+ Image|endswith: '\mshta.exe'
 # Suspicious parents
 selection1:
 ParentImage|endswith:
diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml
index a0b9258b4..505f7d952 100644
--- a/rules/windows/process_creation/win_sysmon_driver_unload.yml
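Review bot: The change replaces `attack.collection` / `attack.t1114` instead of adding to them; exporting a mailbox to a share is still email collection, so the old pair should stay alongside the new tags unless the rule's intent changed, in which case the `description` (outside this hunk) should say so. `attack.t1584.006` is Compromise Infrastructure: Web Services, which does not describe a local mailbox export; worth re-checking against the rule's references before it lands. The file still ends without a trailing newline (`\ No newline at end of file`); add one while the last lines are being touched.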
+++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml @@ -4,7 +4,7 @@ status: experimental author: Kirill Kiryanov, oscd.community description: Detect possible Sysmon driver unload date: 2019/10/23 -modified: 2020/08/29 +modified: 2021/09/27 references: - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon logsource: @@ -13,6 +13,8 @@ logsource: tags: - attack.defense_evasion - attack.t1070 + - attack.t1562 + - attack.t1562.002 detection: selection: Image|endswith: '\fltmc.exe' diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml index 9ff5c5573..7d3009e74 100644 --- a/rules/windows/process_creation/win_trust_discovery.yml +++ b/rules/windows/process_creation/win_trust_discovery.yml @@ -13,6 +13,7 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ + - https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ tags: - attack.discovery - attack.t1482 @@ -25,6 +26,7 @@ detection: CommandLine|contains: - 'domain_trusts' - 'all_trusts' + - '/trusted_domains' - '/dclist' selection_dsquery_v1: Image|endswith: '\dsquery.exe' diff --git a/tests/test_rules.py b/tests/test_rules.py index b715e20ec..370e944b4 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -613,6 +613,9 @@ class TestRules(unittest.TestCase): if key.lower() not in valid_logsource: print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) valid = False + elif not isinstance(logsource[key],str): + print(Fore.RED + "Rule {} has a logsource with an invalid field type ({})".format(file, key)) + valid = False if not valid: faulty_rules.append(file) 
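Review bot: The new `elif` branch in test_rules.py reports only the offending key, so a rule author sees `invalid field type (definition)` without learning what type was found; include it, e.g. `print(Fore.RED + "Rule {} has a logsource with an invalid field type ({}: {})".format(file, key, type(logsource[key]).__name__))`. Minor style: `isinstance(logsource[key],str)` wants a space after the comma. The enclosing test method starts outside the hunk.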
diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml
new file mode 100644
index 000000000..9bf978674
--- /dev/null
+++ b/tools/config/ecs-ms365_defender.yml
@@ -0,0 +1,18 @@
+title: Microsoft 365 Defender Elasticsearch ecs mapping
+order: 20
+backends:
+ - es-qs
+ - es-rule
+fieldmappings:
+ classification: microsoft.m365_defender.alerts.classification
+ determination: microsoft.m365_defender.alerts.determination
+ severity: microsoft.m365_defender.alerts.severity
+ status: microsoft.m365_defender.alerts.status
+ detectionSource: microsoft.m365_defender.alerts.detectionSource
+ threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName
+ entityType: microsoft.m365_defender.alerts.entities.entityType
+ registryHive: microsoft.m365_defender.alerts.entities.registryHive
+ registryKey: microsoft.m365_defender.alerts.entities.registryKey
+ registryValueType: microsoft.m365_defender.alerts.entities.registryValueType
+ ipAddress: microsoft.m365_defender.alerts.entities.ipAddress
+
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index a5aaac023..da857d686 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -143,7 +143,9 @@ logsources:
 category: file_delete
 product: windows
 conditions:
- EventID: 23
+ EventID:
+ - 23
+ - 26
 rewrite:
 product: windows
 service: sysmon
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index d46dd2051..f3c487904 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -468,12 +468,8 @@ fieldmappings:
 TargetOutboundUserName: winlog.event_data.TargetOutboundUserName
 TargetServerName: winlog.event_data.TargetServerName
 TargetSid: winlog.event_data.TargetSid
- TargetUserName:
- service=security: user.name
- default: winlog.event_data.TargetUserName
- TargetUserSid:
- service=security: user.id
- default: winlog.event_data.TargetUserSid
+ TargetUserName: winlog.event_data.TargetUserName
+ TargetUserSid: winlog.event_data.TargetUserSid
 TaskContent: winlog.event_data.TaskContent
 TaskName: winlog.event_data.TaskName
 TicketEncryptionType: winlog.event_data.TicketEncryptionType
diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py
index 414335344..29cc3ea7e 100644
--- a/tools/sigma/backends/lacework.py
+++ b/tools/sigma/backends/lacework.py
@@ -554,7 +554,7 @@ class LaceworkPolicy:
 self.description = safe_get(rule, 'description', str)
 # 14. Get Remediation
- self.remediation = ""
+ self.remediation = 'Remediation steps are not represented in Sigma rule specification'
 def __iter__(self):
 for key, attr in {
diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py
index ce1524e61..3b592525b 100644
--- a/tools/sigma/backends/sysmon.py
+++ b/tools/sigma/backends/sysmon.py
@@ -217,7 +217,7 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
 raise NotSupportedError(
 "Not supported logsource. Should be product `windows`.")
 for item in self.logsource.values():
- if item.lower() in self.allowedSource.keys():
+ if str(item).lower() in self.allowedSource.keys():
 self.table = self.allowedSource.get(item.lower())
 break
 else:
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 350ffb863..27f07a0cf 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
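Review bot: Dropping the `service=security: user.name` / `user.id` branches changes what every security-channel rule queries for `TargetUserName` and `TargetUserSid`, from the ECS user fields back to `winlog.event_data.*`. If the Winlogbeat security module moves rather than copies those values into `user.name`/`user.id` for some event ids, the converted queries will silently match nothing; the commit should state why the conditional mapping was wrong and that `winlog.event_data.TargetUserName` was confirmed present in indexed security events. I could not verify the module's ingest pipeline from here, so treat this as a question to answer in the description rather than a confirmed defect.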
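Review bot: The guard now tolerates a non-string `item` via `str(item).lower()`, but the next line still calls `item.lower()` unguarded in `self.table = self.allowedSource.get(item.lower())`; today it is only reached when the stringified value is a known source, so it happens to work, yet the two lines should agree: `self.table = self.allowedSource.get(str(item).lower())`. `in self.allowedSource.keys()` can also simply be `in self.allowedSource`. The enclosing method starts and ends outside the hunk.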
@@ -98,12 +98,16 @@ def set_argparser(): argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)") argparser.add_argument("--filter", "-f", help=""" Define comma-separated filters that must match (AND-linked) to rule to be processed. - Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t. + Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t, target=o. x is one of: low, medium, high, critical. y is one of: experimental, testing, stable. z is a word appearing in an arbitrary log source attribute. t is a tag that must appear in the rules tag list, case-insensitive matching. + o is a target that must appear in the rules target list, case-insensitive matching. Multiple log source specifications are AND linked. + Special filter: + inlastday=X rule create or modified in the last X days period + tlp=valid_tlp if rule have no tlp set to WHITE """) argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format") argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations") @@ -151,6 +155,7 @@ def main(): logger = logging.getLogger(__name__) if cmdargs.debug: # pragma: no cover + logging.basicConfig(filename='sigmac.log', filemode='w', level=logging.DEBUG) logger.setLevel(logging.DEBUG) if cmdargs.lists: @@ -175,6 +180,8 @@ def main(): argparser.print_usage() sys.exit(ERR_NO_TARGET) + logger.debug("* Target selected %s" % (cmdargs.target)) + rulefilter = None if cmdargs.filter: try: @@ -265,6 +272,7 @@ def main(): output_array = [] for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse): logger.debug("* Processing Sigma input %s" % (sigmafile)) + success = True try: if cmdargs.inputs == ['-']: f = sigmafile 
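Review bot: The added `--filter` help lines are hard to read as written: `inlastday=X rule create or modified in the last X days period` and `tlp=valid_tlp if rule have no tlp set to WHITE` need rewording, e.g. `inlastday=X  keep rules created or modified in the last X days` and `tlp=T  keep rules whose tlp is T; rules without a tlp field are treated as WHITE`. The second rewording is my reading of the intent; the filter implementation is outside this hunk, so confirm it before changing the text. `set_argparser` starts outside the hunk.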
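Review bot: `logging.basicConfig(filename='sigmac.log', filemode='w', level=logging.DEBUG)` makes `--debug` create and truncate a file in the current working directory, which is new behaviour not mentioned in the `--debug` help text; a user enabling debug inside a rules checkout gets an unexpected file next to the rules, and any existing `sigmac.log` there is overwritten without warning. Suggest documenting it in the `--debug` help, or taking the path from an option so that `contrib/sigmacover.py`, which reads this file name, can pass it explicitly instead of relying on the hard-coded relative path. `main()` starts outside the hunk.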
@@ -325,43 +333,59 @@ def main(): except OSError as e: print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False error = ERR_OPEN_SIGMA_RULE except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e: print("Error: Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False error = ERR_INVALID_YAML if not cmdargs.defer_abort: sys.exit(error) except (SigmaParseError, SigmaCollectionParseError) as e: print("Error: Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False error = ERR_SIGMA_PARSING if not cmdargs.defer_abort: sys.exit(error) except NotSupportedError as e: print("Error: The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_NOT_SUPPORTED if not cmdargs.defer_abort: sys.exit(error) except BackendError as e: print("Error: Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_BACKEND if not cmdargs.defer_abort: sys.exit(error) except (NotImplementedError, TypeError) as e: print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_NOT_IMPLEMENTED if not cmdargs.defer_abort: sys.exit(error) except PartialMatchError as e: print("Error: Partial field match error: %s" % str(e), file=sys.stderr) + logger.debug("* Convertion Sigma input %s 
FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_PARTIAL_FIELD_MATCH if not cmdargs.defer_abort: sys.exit(error) except FullMatchError as e: print("Error: Full field match error", file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_FULL_FIELD_MATCH if not cmdargs.defer_abort: @@ -371,11 +395,14 @@ def main(): f.close() except: pass - + + if success : + logger.debug("* Convertion Sigma input %s SUCCESS" % (sigmafile)) + result = backend.finalize() if result: print(result, file=out) - + if cmdargs.output_fields: if cmdargs.output_format == 'json': print(json.dumps(output_array, indent=4, ensure_ascii=False), file=out)
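Review bot: The pair `logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))` / `success = False` is copy-pasted into all eight except blocks of main(); a small nested helper keeps them in step and leaves one place to fix the spelling of `Convertion`, which `contrib/sigmacover.py` in this commit greps for, so both sides must be renamed together. The helper below is defined once in main() before the input loop and reads the current `sigmafile` through the closure. main() and the try statement begin outside the hunk.
```python
    def mark_failure():
        nonlocal success
        success = False
        logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile))

    # … unchanged: input loop and try body; each except below replaces the two copied lines with one call …
    except OSError as e:
        print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
        mark_failure()
        error = ERR_OPEN_SIGMA_RULE
```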
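Review bot: `if success :` has a stray space before the colon; `if success:`. The SUCCESS/FAILURE debug lines are now an interface consumed by `contrib/sigmacover.py`, so a short comment above this `if`, e.g. `# "Convertion Sigma input ... SUCCESS|FAILURE" lines are parsed by contrib/sigmacover.py; keep the wording in step`, would stop the next cleanup from silently breaking that script. main() starts outside the hunk.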