From fdc45505e009654b00d4a3d7c801dac3fc5ed14c Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 23 Sep 2021 08:38:02 -0500 Subject: [PATCH 01/53] Create aws_attached_malicious_lambda_layer.yml --- .../aws_attached_malicious_lambda_layer.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/aws/aws_attached_malicious_lambda_layer.yml diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml new file mode 100644 index 000000000..a57e61df1 --- /dev/null +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml @@ -0,0 +1,21 @@ +title: AWS Attached Malicious Lambda Layer +id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d +description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function. +author: Austin Songer +status: experimental +date: 2021/09/23 +references: + - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html +logsource: + service: cloudtrail +detection: + selection: + eventSource: lambda.amazonaws.com + eventName: UpdateFunctionConfiguration + condition: selection +level: low +tags: + - attack.privilege_escalation +falsepositives: + - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. From 8203a2d5f2f1736d3471bee9f48e4ed51cad35e3 Mon Sep 17 00:00:00 2001 
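Review bot: The selection fires on every UpdateFunctionConfiguration call, not only on a layer being attached as the title and description promise; the same API is used to change environment variables, timeout, memory, handler and runtime, so the rule will alert on routine deployments. If the ingested CloudTrail events keep requestParameters, add a condition that the layers field is present and non-empty (the exact field name depends on the backend field mapping, so verify it against a real event) and say in the description what the rule actually matches. Smaller points in the same hunk: "an user" in the description should be "a user"; tags carries only the tactic and no technique id; and both falsepositives bullets say the same thing, so one can go.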
From: Austin Songer Date: Thu, 23 Sep 2021 08:40:26 -0500 Subject: [PATCH 02/53] Update aws_attached_malicious_lambda_layer.yml --- rules/cloud/aws/aws_attached_malicious_lambda_layer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml index a57e61df1..39c92d704 100644 --- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml @@ -1,5 +1,5 @@ title: AWS Attached Malicious Lambda Layer -id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d +id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function. author: Austin Songer status: experimental From 4bbe4962b01b5b2bffd02edf3659cd670dc9ddef Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Fri, 24 Sep 2021 18:40:10 +0200 Subject: [PATCH 03/53] New Rule - Linux - Auditd - Clipboard Collection --- .../lnx_auditd_clipboard_collection.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_clipboard_collection.yml diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml new file mode 100644 index 000000000..4f5f3a004 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml 
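Review bot: The single hunk in PATCH 02 replaces the id: line with a line that is byte-identical in the diff, so whatever changed (most likely trailing whitespace or a CRLF line ending) is invisible here and the commit message "Update aws_attached_malicious_lambda_layer.yml" does not say what it fixes. State the reason in the commit message or squash this into PATCH 01.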
@@ -0,0 +1,27 @@ +title: Clipboard Collection with Xclip Tool +id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf +description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +author: 'Pawel Mazur' +status: experimental +date: 2021/09/24 +references: + - https://attack.mitre.org/techniques/T1115/ + - https://linux.die.net/man/1/xclip + - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +logsource: + product: linux + service: auditd +detection: + xclip: + type: EXECVE + a0: xclip + a1: '-selection' + a2: clipboard + a3: '-o' + condition: xclip +tags: + - attack.collection + - attack.t1115 +falsepositives: + - Legitimate usage of xclip tools +level: low \ No newline at end of file From dd2f3e50db5d9887887ceb0ebfdf635d06704b35 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 24 Sep 2021 19:53:21 -0500 Subject: [PATCH 04/53] Create ecs-ms365_defender.yml --- tools/config/ecs-ms365_defender.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 tools/config/ecs-ms365_defender.yml diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml new file mode 100644 index 000000000..c9447407b --- /dev/null +++ b/tools/config/ecs-ms365_defender.yml 
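Review bot: The detection pins each argument to a fixed position (a0: xclip, a1: '-selection', a2: clipboard, a3: '-o'), so any other ordering or spelling of the same command is missed: xclip -o -selection clipboard, the common abbreviated form xclip -sel clip -o, the long form -out, and -selection primary or secondary, which read the user's current selection just as well. Consider matching a0: xclip together with a contains-style match on -o / -out across the argument fields, or state the limitation in the description. Minor: author is the only quoted scalar in the file, and the file has no trailing newline.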
@@ -0,0 +1,16 @@ +title: Microsoft 365 Defender Logs Elasticsearch ecs mapping +order: 20 +backends: + - es-qs + - es-rule +fieldmappings: + classification: microsoft.m365_defender.alerts.classification + determination: microsoft.m365_defender.alerts.determination + severity: microsoft.m365_defender.alerts.severity + status: microsoft.m365_defender.alerts.status + detectionSource: microsoft.m365_defender.alerts.detectionSource + threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName + registryHive: microsoft.m365_defender.alerts.entities.registryHive + registryKey: microsoft.m365_defender.alerts.entities.registryKey + registryValueType: microsoft.m365_defender.alerts.entities.registryValueType + ipAddress: microsoft.m365_defender.alerts.entities.ipAddress From 176b9662fca9f73773e3f9cf57068ee2b2632415 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 24 Sep 2021 20:01:00 -0500 Subject: [PATCH 05/53] Update ecs-ms365_defender.yml --- tools/config/ecs-ms365_defender.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml index c9447407b..2e6fee3a0 100644 --- a/tools/config/ecs-ms365_defender.yml +++ b/tools/config/ecs-ms365_defender.yml @@ -10,6 +10,7 @@ fieldmappings: status: microsoft.m365_defender.alerts.status detectionSource: microsoft.m365_defender.alerts.detectionSource threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName + entityType: microsoft.m365_defender.alerts.entities.entityType registryHive: microsoft.m365_defender.alerts.entities.registryHive registryKey: microsoft.m365_defender.alerts.entities.registryKey registryValueType: microsoft.m365_defender.alerts.entities.registryValueType From 696f343ac3d3a93e64a9643d56d502de97ce6a83 Mon Sep 17 00:00:00 2001 
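Review bot: The fieldmappings block in PATCH 04 has no logsources section, so sigmac applies these renames to every rule converted with this config for es-qs and es-rule, and generic names such as severity, status and ipAddress get rewritten to microsoft.m365_defender.alerts.* even for rules that have nothing to do with Defender. Scope the mappings to the intended log source (a logsources definition for the Defender product/service, with the mappings made conditional on it) so the file can be combined with other configs safely. The entityType line added in PATCH 05 inherits the same problem.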
From: Austin Songer Date: Fri, 24 Sep 2021 20:02:04 -0500 Subject: [PATCH 06/53] Delete ecs-ms365_defender.yml --- tools/config/ecs-ms365_defender.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 tools/config/ecs-ms365_defender.yml diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml deleted file mode 100644 index 2e6fee3a0..000000000 --- a/tools/config/ecs-ms365_defender.yml +++ /dev/null @@ -1,17 +0,0 @@ -title: Microsoft 365 Defender Logs Elasticsearch ecs mapping -order: 20 -backends: - - es-qs - - es-rule -fieldmappings: - classification: microsoft.m365_defender.alerts.classification - determination: microsoft.m365_defender.alerts.determination - severity: microsoft.m365_defender.alerts.severity - status: microsoft.m365_defender.alerts.status - detectionSource: microsoft.m365_defender.alerts.detectionSource - threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName - entityType: microsoft.m365_defender.alerts.entities.entityType - registryHive: microsoft.m365_defender.alerts.entities.registryHive - registryKey: microsoft.m365_defender.alerts.entities.registryKey - registryValueType: microsoft.m365_defender.alerts.entities.registryValueType - ipAddress: microsoft.m365_defender.alerts.entities.ipAddress From 00f4773eeb79d1fc9611e0f6256263da4507f904 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 24 Sep 2021 20:02:39 -0500 Subject: [PATCH 07/53] Create ecs-ms365_defender.yml --- tools/config/ecs-ms365_defender.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 tools/config/ecs-ms365_defender.yml diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml new file mode 100644 index 000000000..9bf978674 --- /dev/null +++ b/tools/config/ecs-ms365_defender.yml 
@@ -0,0 +1,18 @@ +title: Microsoft 365 Defender Elasticsearch ecs mapping +order: 20 +backends: + - es-qs + - es-rule +fieldmappings: + classification: microsoft.m365_defender.alerts.classification + determination: microsoft.m365_defender.alerts.determination + severity: microsoft.m365_defender.alerts.severity + status: microsoft.m365_defender.alerts.status + detectionSource: microsoft.m365_defender.alerts.detectionSource + threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName + entityType: microsoft.m365_defender.alerts.entities.entityType + registryHive: microsoft.m365_defender.alerts.entities.registryHive + registryKey: microsoft.m365_defender.alerts.entities.registryKey + registryValueType: microsoft.m365_defender.alerts.entities.registryValueType + ipAddress: microsoft.m365_defender.alerts.entities.ipAddress + From d08d3712bef9aeea86cc8dc4b4be3c91926a0cee Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 25 Sep 2021 19:33:30 +0200 Subject: [PATCH 08/53] Add more debug info --- tools/sigma/sigmac.py | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 350ffb863..52b04a247 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -151,6 +151,7 @@ def main(): logger = logging.getLogger(__name__) if cmdargs.debug: # pragma: no cover + logging.basicConfig(filename='sigmac.log', filemode='w', level=logging.DEBUG) logger.setLevel(logging.DEBUG) if cmdargs.lists: @@ -175,6 +176,8 @@ def main(): argparser.print_usage() sys.exit(ERR_NO_TARGET) + logger.debug("* Target selected %s" % (cmdargs.target)) + rulefilter = None if cmdargs.filter: try: @@ -265,6 +268,7 @@ def main(): output_array = [] for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse): logger.debug("* Processing Sigma input %s" % (sigmafile)) + success = True try: if cmdargs.inputs == ['-']: f = sigmafile 
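Review bot: PATCH 05, 06 and 07 add one line, delete the file and re-create it; the net change against PATCH 04 is the entityType mapping, the word "Logs" dropped from the title and a trailing blank line. Squash the four commits into one so the history records a single intended file rather than the delete/re-create churn.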
@@ -325,43 +329,59 @@ def main(): except OSError as e: print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False error = ERR_OPEN_SIGMA_RULE except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e: print("Error: Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False error = ERR_INVALID_YAML if not cmdargs.defer_abort: sys.exit(error) except (SigmaParseError, SigmaCollectionParseError) as e: print("Error: Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False error = ERR_SIGMA_PARSING if not cmdargs.defer_abort: sys.exit(error) except NotSupportedError as e: print("Error: The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_NOT_SUPPORTED if not cmdargs.defer_abort: sys.exit(error) except BackendError as e: print("Error: Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_BACKEND if not cmdargs.defer_abort: sys.exit(error) except (NotImplementedError, TypeError) as e: print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_NOT_IMPLEMENTED if not cmdargs.defer_abort: sys.exit(error) except PartialMatchError as e: print("Error: Partial field match error: %s" % str(e), file=sys.stderr) + logger.debug("* Convertion Sigma input %s 
FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_PARTIAL_FIELD_MATCH if not cmdargs.defer_abort: sys.exit(error) except FullMatchError as e: print("Error: Full field match error", file=sys.stderr) + logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) + success = False if not cmdargs.ignore_backend_errors: error = ERR_FULL_FIELD_MATCH if not cmdargs.defer_abort: @@ -371,11 +391,14 @@ def main(): f.close() except: pass - + + if success : + logger.debug("* Convertion Sigma input %s SUCCESS" % (sigmafile)) + result = backend.finalize() if result: print(result, file=out) - + if cmdargs.output_fields: if cmdargs.output_format == 'json': print(json.dumps(output_array, indent=4, ensure_ascii=False), file=out) From d888ce67bc179a86bedd3501cb28b80af3c8eb9d Mon Sep 17 00:00:00 2001 From: MetallicHack <35694352+MetallicHack@users.noreply.github.com> Date: Sat, 25 Sep 2021 21:57:10 +0200 Subject: [PATCH 09/53] Create azure_ad_user_added_to_sensitive_role.yml --- rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml diff --git a/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml b/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml new file mode 100644 index 000000000..9daeafb98 --- /dev/null +++ b/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml @@ -0,0 +1 @@ +test From f196e3174d6edc30f78d0fa53e2d05dd01ff53fc Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 26 Sep 2021 10:54:11 +0200 Subject: [PATCH 10/53] refactor: moved last global rule to unsupported --- .../windows/builtin => rules-unsupported}/win_apt_apt29_tor.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules/windows/builtin => rules-unsupported}/win_apt_apt29_tor.yml (100%) mode change 100755 => 100644 
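Review bot: In the first hunk of PATCH 08, logging.basicConfig(filename='sigmac.log', filemode='w', level=logging.DEBUG) hard-codes a log file in the current working directory and truncates it on every --debug run, with no option to choose the path and no mention of the file in the help text; add a --debug-log FILE option (or at least append and document the file name). In the following hunks the same line logger.debug("* Convertion Sigma input %s FAILURE" % (sigmafile)) is repeated in all nine except branches with the same misspelling ("Conversion"); fold it into one helper called once after the try block, keyed on the success flag, and use lazy formatting logger.debug("... %s", sigmafile) so the string is only built when debug is on. Fix the spelling before it is merged, because anything that greps the log for this string will end up depending on the typo.

Review bot: PATCH 09 creates rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml with the single line "test", which is not a Sigma rule (no title, id, logsource or detection) and must not land in the rules tree; replace it with the actual rule or drop the commit from the series before merge.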
diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules-unsupported/win_apt_apt29_tor.yml old mode 100755 new mode 100644 similarity index 100% rename from rules/windows/builtin/win_apt_apt29_tor.yml rename to rules-unsupported/win_apt_apt29_tor.yml From 5e5af2918bb0e1d4ef4ee7bf9929e8b221cf5133 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 26 Sep 2021 11:24:25 +0200 Subject: [PATCH 11/53] Add sigmacover.py --- contrib/sigmacover.py | 123 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) create mode 100644 contrib/sigmacover.py diff --git a/contrib/sigmacover.py b/contrib/sigmacover.py new file mode 100644 index 000000000..0976b809a --- /dev/null +++ b/contrib/sigmacover.py 
@@ -0,0 +1,123 @@ +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . +""" +Project: sigmacover.py +Date: 26/09/2021 +Author: frack113 +Version: 1.0 +Description: + get cover of the rules vs backend + It is more a POC than a script for the moment +Requirements: + $ pip install ruyaml +Todo: + - add output options + - clean code and bug + - better use of subprocess.run + - have idea +""" + + +import re +import subprocess +import pathlib +import ruyaml + + +def get_sigmac(options): + infos = [] + ret = subprocess.run(options,) + log = pathlib.Path("sigmac.log") + with log.open() as f: + lines = f.readlines() + for line in lines: + if "Convertion Sigma input" in line: + info = re.findall("Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)",line)[0] + infos.append(info) + log.unlink() + return infos + +def update_dict(my_dict,my_data,backend): + for file,state in my_data: + my_dict[file][backend] = state + +#the backend dict command line options +backend_dict = { + "ala" : ["python","../tools/sigmac","-t","ala","--debug","-rI","../rules"], + "ala-rule" : ["python","../tools/sigmac","-t","ala-rule","--debug","-rI","../rules"], + "arcsight": ["python","../tools/sigmac","-t","arcsight","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "arcsight-esm": ["python","../tools/sigmac","-t","arcsight-esm","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "carbonblack": ["python","../tools/sigmac","-t","carbonblack","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "chronicle": ["python","../tools/sigmac","-t","chronicle","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "crowdstrike": ["python","../tools/sigmac","-t","crowdstrike","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "csharp" : 
["python","../tools/sigmac","-t","csharp","--debug","-rI","../rules"], + "devo": ["python","../tools/sigmac","-t","devo","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "ee-outliers": ["python","../tools/sigmac","-t","ee-outliers","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "elastalert": ["python","../tools/sigmac","-t","elastalert","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "elastalert-dsl": ["python","../tools/sigmac","-t","elastalert-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-dsl": ["python","../tools/sigmac","-t","es-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-eql": ["python","../tools/sigmac","-t","es-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-qs": ["python","../tools/sigmac","-t","es-qs","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-qs-lr": ["python","../tools/sigmac","-t","es-qs-lr","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-rule": ["python","../tools/sigmac","-t","es-rule","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "es-rule-eql": ["python","../tools/sigmac","-t","es-rule-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "fireeye-helix": ["python","../tools/sigmac","-t","fireeye-helix","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "graylog" : ["python","../tools/sigmac","-t","graylog","--debug","-rI","../rules"], + "grep" : ["python","../tools/sigmac","-t","grep","--debug","-rI","../rules"], + "humio": ["python","../tools/sigmac","-t","humio","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "kibana": ["python","../tools/sigmac","-t","kibana","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "kibana-ndjson": 
["python","../tools/sigmac","-t","kibana-ndjson","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "lacework" : ["python","../tools/sigmac","-t","lacework","--debug","-rI","../rules"], + "limacharlie" : ["python","../tools/sigmac","-t","limacharlie","--debug","-rI","../rules"], + "logiq" : ["python","../tools/sigmac","-t","logiq","--debug","-rI","../rules"], + "logpoint" : ["python","../tools/sigmac","-t","logpoint","--debug","-rI","../rules"], + "mdatp" : ["python","../tools/sigmac","-t","mdatp","--debug","-rI","../rules"], + "netwitness" : ["python","../tools/sigmac","-t","netwitness","--debug","-rI","../rules"], + "netwitness-epl" : ["python","../tools/sigmac","-t","netwitness-epl","--debug","-rI","../rules"], + "opensearch-monitor": ["python","../tools/sigmac","-t","opensearch-monitor","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "powershell" : ["python","../tools/sigmac","-t","powershell","--debug","-rI","../rules"], + "qradar" : ["python","../tools/sigmac","-t","qradar","--debug","-rI","../rules"], + "qualys" : ["python","../tools/sigmac","-t","qualys","--debug","-rI","../rules"], + "sentinel-rule" : ["python","../tools/sigmac","-t","sentinel-rule","--debug","-rI","../rules"], + "splunk": ["python","../tools/sigmac","-t","splunk","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], + "splunkdm": ["python","../tools/sigmac","-t","splunkdm","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], + "splunkxml": ["python","../tools/sigmac","-t","splunkxml","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], + "sql": ["python","../tools/sigmac","-t","sql","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "sqlite": ["python","../tools/sigmac","-t","sqlite","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], + "stix": ["python","../tools/sigmac","-t","stix","-c","../tools/config/stix2.0.yml","--debug","-rI","../rules"], + 
"sumologic" : ["python","../tools/sigmac","-t","sumologic","--debug","-rI","../rules"], + "sumologic-cse" : ["python","../tools/sigmac","-t","sumologic-cse","--debug","-rI","../rules"], + "sumologic-cse-rule" : ["python","../tools/sigmac","-t","sumologic-cse-rule","--debug","-rI","../rules"], + "sysmon": ["python","../tools/sigmac","-t","stix","-c","../tools/config/sysmon.yml","--debug","-rI","../rules"], + "uberagent" : ["python","../tools/sigmac","-t","uberagent","--debug","-rI","../rules"], + "xpack-watcher": ["python","../tools/sigmac","-t","xpack-watcher","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + } + +print(""" +███ ███ ████ █▄┼▄█ ███ ┼┼ ███ ███ █▄█ ███ ███ +█▄▄ ┼█┼ █┼▄▄ █┼█┼█ █▄█ ┼┼ █┼┼ █┼█ ███ █▄┼ █▄┼ +▄▄█ ▄█▄ █▄▄█ █┼┼┼█ █┼█ ┼┼ ███ █▄█ ┼█┼ █▄▄ █┼█ + v1.0 +please wait during the tests +""") + +#init dict of all rules +default_key_test = {key : "NO TEST" for key in backend_dict.keys()} +the_dico ={} +rules = pathlib.Path("../rules").glob("**/*.yml") +for rule in rules: + the_dico[rule.name] = default_key_test + +#Check all the backend +for name,opt in backend_dict.items(): + print (f"check backend : {name}") + result = get_sigmac(opt) + update_dict(the_dico,result,name) + +#Save +cover = pathlib.Path("sigmacover.yml") +with cover.open("w") as f: + ruyaml.dump(the_dico, f, Dumper=ruyaml.RoundTripDumper) + From 776cccce30475122431250b141ee917555c44e92 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 26 Sep 2021 17:07:58 +0200 Subject: [PATCH 12/53] Fix windows10 --- contrib/sigmacover.py | 124 ++++++++++++++++++++++++------------------ 1 file changed, 70 insertions(+), 54 deletions(-) diff --git a/contrib/sigmacover.py b/contrib/sigmacover.py index 0976b809a..d498cae2b 100644 --- a/contrib/sigmacover.py +++ b/contrib/sigmacover.py 
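Review bot: the_dico[rule.name] = default_key_test assigns the same dict object to every rule, so update_dict writes every result into one shared dict and the final sigmacover.yml reports the last-processed rule's states for all of them; use a copy per rule (dict(default_key_test)). Also in this hunk: the "sysmon" entry passes -t stix, so the sysmon backend is never tested; subprocess.run(options,) discards the return code, so a crashed sigmac produces an empty or stale log that is parsed as if it succeeded; the regex \S+\\\\(\w+\.yml) only matches Windows path separators and re.findall(...)[0] raises IndexError on the first line that does not match; results are keyed by bare file name, so two rules with the same name in different subdirectories overwrite each other; and the license header starts mid-sentence at "# GNU Lesser General Public License for more details.", missing the copyright line and the opening clause.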
@@ -6,11 +6,12 @@ Project: sigmacover.py Date: 26/09/2021 Author: frack113 -Version: 1.0 +Version: 1.1 Description: get cover of the rules vs backend It is more a POC than a script for the moment Requirements: + python 3.7 min $ pip install ruyaml Todo: - add output options @@ -24,11 +25,23 @@ import re import subprocess import pathlib import ruyaml +import copy - -def get_sigmac(options): +def get_sigmac(name,conf): infos = [] - ret = subprocess.run(options,) + if conf == None: + options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"] + else: + options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"] + si = subprocess.STARTUPINFO() + si.dwFlags |= subprocess.STARTF_USESHOWWINDOW + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + startupinfo=si + ) + if not ret.returncode == 0: + print (f"error {ret.returncode} in sigmac") log = pathlib.Path("sigmac.log") with log.open() as f: lines = f.readlines() @@ -37,6 +50,9 @@ def get_sigmac(options): info = re.findall("Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)",line)[0] infos.append(info) log.unlink() + dump = pathlib.Path("dump.txt") + if dump.exists(): + dump.unlink() return infos def update_dict(my_dict,my_data,backend): 
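Review bot: subprocess.STARTUPINFO and STARTF_USESHOWWINDOW exist only on Windows, so this version of get_sigmac raises AttributeError on Linux and macOS, where sigmac is most often run; guard them with a platform check or leave startupinfo out. The non-zero return code is now printed but the log is still parsed as if the run succeeded, so a broken backend shows up as "NO TEST" rather than an error. dump.txt and sigmac.log are written to the current directory under fixed names and can clobber a user's files; run sigmac inside a tempfile.TemporaryDirectory instead. Use sys.executable rather than the bare "python" so the child runs under the interpreter that is running the script.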
@@ -45,54 +61,54 @@ def update_dict(my_dict,my_data,backend): #the backend dict command line options backend_dict = { - "ala" : ["python","../tools/sigmac","-t","ala","--debug","-rI","../rules"], - "ala-rule" : ["python","../tools/sigmac","-t","ala-rule","--debug","-rI","../rules"], - "arcsight": ["python","../tools/sigmac","-t","arcsight","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "arcsight-esm": ["python","../tools/sigmac","-t","arcsight-esm","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "carbonblack": ["python","../tools/sigmac","-t","carbonblack","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "chronicle": ["python","../tools/sigmac","-t","chronicle","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "crowdstrike": ["python","../tools/sigmac","-t","crowdstrike","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "csharp" : ["python","../tools/sigmac","-t","csharp","--debug","-rI","../rules"], - "devo": ["python","../tools/sigmac","-t","devo","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "ee-outliers": ["python","../tools/sigmac","-t","ee-outliers","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "elastalert": ["python","../tools/sigmac","-t","elastalert","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "elastalert-dsl": ["python","../tools/sigmac","-t","elastalert-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-dsl": ["python","../tools/sigmac","-t","es-dsl","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-eql": ["python","../tools/sigmac","-t","es-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-qs": ["python","../tools/sigmac","-t","es-qs","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-qs-lr": 
["python","../tools/sigmac","-t","es-qs-lr","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-rule": ["python","../tools/sigmac","-t","es-rule","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "es-rule-eql": ["python","../tools/sigmac","-t","es-rule-eql","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "fireeye-helix": ["python","../tools/sigmac","-t","fireeye-helix","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "graylog" : ["python","../tools/sigmac","-t","graylog","--debug","-rI","../rules"], - "grep" : ["python","../tools/sigmac","-t","grep","--debug","-rI","../rules"], - "humio": ["python","../tools/sigmac","-t","humio","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "kibana": ["python","../tools/sigmac","-t","kibana","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "kibana-ndjson": ["python","../tools/sigmac","-t","kibana-ndjson","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "lacework" : ["python","../tools/sigmac","-t","lacework","--debug","-rI","../rules"], - "limacharlie" : ["python","../tools/sigmac","-t","limacharlie","--debug","-rI","../rules"], - "logiq" : ["python","../tools/sigmac","-t","logiq","--debug","-rI","../rules"], - "logpoint" : ["python","../tools/sigmac","-t","logpoint","--debug","-rI","../rules"], - "mdatp" : ["python","../tools/sigmac","-t","mdatp","--debug","-rI","../rules"], - "netwitness" : ["python","../tools/sigmac","-t","netwitness","--debug","-rI","../rules"], - "netwitness-epl" : ["python","../tools/sigmac","-t","netwitness-epl","--debug","-rI","../rules"], - "opensearch-monitor": ["python","../tools/sigmac","-t","opensearch-monitor","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], - "powershell" : ["python","../tools/sigmac","-t","powershell","--debug","-rI","../rules"], - "qradar" : ["python","../tools/sigmac","-t","qradar","--debug","-rI","../rules"], - 
"qualys" : ["python","../tools/sigmac","-t","qualys","--debug","-rI","../rules"], - "sentinel-rule" : ["python","../tools/sigmac","-t","sentinel-rule","--debug","-rI","../rules"], - "splunk": ["python","../tools/sigmac","-t","splunk","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], - "splunkdm": ["python","../tools/sigmac","-t","splunkdm","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], - "splunkxml": ["python","../tools/sigmac","-t","splunkxml","-c","../tools/config/splunk-windows.yml","--debug","-rI","../rules"], - "sql": ["python","../tools/sigmac","-t","sql","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "sqlite": ["python","../tools/sigmac","-t","sqlite","-c","../tools/config/elk-winlogbeat.yml","--debug","-rI","../rules"], - "stix": ["python","../tools/sigmac","-t","stix","-c","../tools/config/stix2.0.yml","--debug","-rI","../rules"], - "sumologic" : ["python","../tools/sigmac","-t","sumologic","--debug","-rI","../rules"], - "sumologic-cse" : ["python","../tools/sigmac","-t","sumologic-cse","--debug","-rI","../rules"], - "sumologic-cse-rule" : ["python","../tools/sigmac","-t","sumologic-cse-rule","--debug","-rI","../rules"], - "sysmon": ["python","../tools/sigmac","-t","stix","-c","../tools/config/sysmon.yml","--debug","-rI","../rules"], - "uberagent" : ["python","../tools/sigmac","-t","uberagent","--debug","-rI","../rules"], - "xpack-watcher": ["python","../tools/sigmac","-t","xpack-watcher","-c","../tools/config/winlogbeat.yml","--debug","-rI","../rules"], + "ala": None, + "ala-rule": None, + "arcsight": "../tools/config/elk-winlogbeat.yml", + "arcsight-esm": "../tools/config/elk-winlogbeat.yml", + "carbonblack": "../tools/config/elk-winlogbeat.yml", + "chronicle": "../tools/config/elk-winlogbeat.yml", + "crowdstrike": "../tools/config/elk-winlogbeat.yml", + "csharp" : None, + "devo": "../tools/config/elk-winlogbeat.yml", + "ee-outliers": "../tools/config/winlogbeat-modules-enabled.yml", 
+ "elastalert": "../tools/config/winlogbeat-modules-enabled.yml", + "elastalert-dsl": "../tools/config/winlogbeat-modules-enabled.yml", + "es-dsl": "../tools/config/winlogbeat-modules-enabled.yml", + "es-eql": "../tools/config/winlogbeat-modules-enabled.yml", + "es-qs": "../tools/config/winlogbeat-modules-enabled.yml", + "es-qs-lr": "../tools/config/logrhythm_winevent.yml", + "es-rule": "../tools/config/winlogbeat-modules-enabled.yml", + "es-rule-eql": "../tools/config/winlogbeat-modules-enabled.yml", + "fireeye-helix": "../tools/config/elk-winlogbeat.yml", + "graylog" : None, + "grep" : None, + "humio": "../tools/config/elk-winlogbeat.yml", + "kibana": "../tools/config/winlogbeat-modules-enabled.yml", + "kibana-ndjson": "../tools/config/winlogbeat-modules-enabled.yml", + "lacework" : None, + "limacharlie" : None, + "logiq" : None, + "logpoint" : None, + "mdatp" : None, + "netwitness" : None, + "netwitness-epl" : None, + "opensearch-monitor": "../tools/config/winlogbeat.yml", + "powershell" : None, + "qradar" : None, + "qualys" : None, + "sentinel-rule" : None, + "splunk": "../tools/config/splunk-windows.yml", + "splunkdm": "../tools/config/splunk-windows.yml", + "splunkxml": "../tools/config/splunk-windows.yml", + "sql": "../tools/config/elk-winlogbeat.yml", + "sqlite": "../tools/config/elk-winlogbeat.yml", + "stix": "../tools/config/stix2.0.yml", + "sumologic" : None, + "sumologic-cse" : None, + "sumologic-cse-rule" : None, + "sysmon": "../tools/config/sysmon.yml", + "uberagent" : None, + "xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml", } print(""" 
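Review bot: Besides reshaping backend_dict into a name -> config map, this hunk quietly changes which configuration several targets are tested with (ee-outliers, elastalert, elastalert-dsl, es-dsl, es-eql, es-qs, es-rule, es-rule-eql, kibana, kibana-ndjson and xpack-watcher move from winlogbeat.yml to winlogbeat-modules-enabled.yml, es-qs-lr to logrhythm_winevent.yml) and silently fixes the sysmon entry that previously ran -t stix; none of this is covered by "Fix windows10" and the coverage numbers will shift accordingly. Record those changes in the commit message or split them into their own commit. opensearch-monitor is now the only Elasticsearch-family target left on winlogbeat.yml; confirm that is intended.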
@@ -108,12 +124,12 @@ default_key_test = {key : "NO TEST" for key in backend_dict.keys()} the_dico ={} rules = pathlib.Path("../rules").glob("**/*.yml") for rule in rules: - the_dico[rule.name] = default_key_test + the_dico[rule.name] = copy.deepcopy(default_key_test) #Check all the backend for name,opt in backend_dict.items(): print (f"check backend : {name}") - result = get_sigmac(opt) + result = get_sigmac(name,opt) update_dict(the_dico,result,name) #Save From 8f99625a25b3a1137a47375fcaa4f293dfd3916a Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 26 Sep 2021 18:28:07 +0200 Subject: [PATCH 13/53] Fix ubuntu 20 --- contrib/sigmacover.py | 53 ++++++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 16 deletions(-) diff --git a/contrib/sigmacover.py b/contrib/sigmacover.py index d498cae2b..3c33e4f2b 100644 --- a/contrib/sigmacover.py +++ b/contrib/sigmacover.py @@ -9,12 +9,10 @@ Author: frack113 Version: 1.1 Description: get cover of the rules vs backend - It is more a POC than a script for the moment Requirements: python 3.7 min $ pip install ruyaml Todo: - - add output options - clean code and bug - better use of subprocess.run - have idea @@ -25,7 +23,10 @@ import re import subprocess import pathlib import ruyaml +import json import copy +import platform +import argparse def get_sigmac(name,conf): infos = [] 
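Review bot: copy.deepcopy(default_key_test) fixes the shared-dict aliasing from PATCH 11, though a shallow dict(default_key_test) is enough since the values are strings. The map is still keyed by rule.name, so rules with the same file name under different subdirectories of ../rules collide; key on the path relative to ../rules and widen the regex capture in get_sigmac to match.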
@@ -33,13 +34,21 @@ def get_sigmac(name,conf): options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"] else: options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"] - si = subprocess.STARTUPINFO() - si.dwFlags |= subprocess.STARTF_USESHOWWINDOW - ret = subprocess.run(options, - stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, - startupinfo=si - ) + if platform.system() == "Windows": + si = subprocess.STARTUPINFO() + si.dwFlags |= subprocess.STARTF_USESHOWWINDOW + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + startupinfo=si + ) + my_regex = "Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)" + else: + ret = subprocess.run(options, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + ) + my_regex = "Convertion Sigma input \S+/(\w+\.yml) (\w+)" if not ret.returncode == 0: print (f"error {ret.returncode} in sigmac") log = pathlib.Path("sigmac.log") @@ -47,7 +56,7 @@ def get_sigmac(name,conf): lines = f.readlines() for line in lines: if "Convertion Sigma input" in line: - info = re.findall("Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)",line)[0] + info = re.findall(my_regex,line)[0] infos.append(info) log.unlink() dump = pathlib.Path("dump.txt") @@ -106,7 +115,7 @@ backend_dict = { "sumologic" : None, "sumologic-cse" : None, "sumologic-cse-rule" : None, - "sysmon": "../tools/config/sysmon.yml", + "sysmon": "../tools/config/elk-windows.yml", "uberagent" : None, "xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml", } 
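Review bot: the two branches of the `platform.system() == "Windows"` hunk duplicate the whole `subprocess.run(...)` call and differ only in `startupinfo`; build a `kwargs` dict (`stdout`, `stderr`, plus `startupinfo` on Windows) and call `subprocess.run(options, **kwargs)` once. The two `my_regex` literals are ordinary strings containing `\S`, `\w` and `\.`, which Python 3.7 (the stated minimum) flags as invalid escape sequences; make them raw strings (the Windows one then becomes `r"Convertion Sigma input \S+\\(\w+\.yml) (\w+)"`), or use a single pattern with `[\\/]` as the separator and drop the branch-specific regex entirely. Also `\w+\.yml` does not match filenames containing a hyphen, and in the `@@ -47,7 +56,7` hunk `re.findall(my_regex,line)[0]` raises `IndexError` on any non-match; use `m = re.search(my_regex, line)` and append only `if m`. The `@@ -106,7 +115,7` hunk repoints `"sysmon"` from `sysmon.yml` to `elk-windows.yml`, which the commit title "Fix ubuntu 20" does not explain; say in the message why the previous config was wrong.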
@@ -115,10 +124,17 @@ print(""" ███ ███ ████ █▄┼▄█ ███ ┼┼ ███ ███ █▄█ ███ ███ █▄▄ ┼█┼ █┼▄▄ █┼█┼█ █▄█ ┼┼ █┼┼ █┼█ ███ █▄┼ █▄┼ ▄▄█ ▄█▄ █▄▄█ █┼┼┼█ █┼█ ┼┼ ███ █▄█ ┼█┼ █▄▄ █┼█ - v1.0 + v1.1 bugfix please wait during the tests """) +argparser = argparse.ArgumentParser(description="Check Sigma rules with all backend.") +argparser.add_argument("--target", "-t", choices=["yaml","json"], help="Output target format") +cmdargs = argparser.parse_args() +if cmdargs.target == None: + print("No outpout use -h to see help") + exit() + #init dict of all rules default_key_test = {key : "NO TEST" for key in backend_dict.keys()} the_dico ={} @@ -133,7 +149,12 @@ for name,opt in backend_dict.items(): update_dict(the_dico,result,name) #Save -cover = pathlib.Path("sigmacover.yml") -with cover.open("w") as f: - ruyaml.dump(the_dico, f, Dumper=ruyaml.RoundTripDumper) - +if cmdargs.target.lower() == "yaml": + cover = pathlib.Path("sigmacover.yml") + with cover.open("w") as file: + ruyaml.dump(the_dico, file, Dumper=ruyaml.RoundTripDumper) +else: + cover = pathlib.Path("sigmacover.json") + with cover.open("w") as file: + json_dumps_str = json.dumps(the_dico, indent=4) + file.write(json_dumps_str) From 6a2785492da90e03c0612790dfcdb557c2b5014f Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Mon, 27 Sep 2021 07:59:43 +0200 Subject: [PATCH 14/53] Update lnx_auditd_clipboard_collection.yml Changes after suggestion. --- .../lnx_auditd_clipboard_collection.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml index 4f5f3a004..643168b45 100644 --- a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml +++ b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml 
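Review bot: in the argparse hunk, `if cmdargs.target == None:` followed by `print("No outpout use -h to see help")` and `exit()` should be replaced by `required=True` on `add_argument("--target", ...)`, which makes argparse print the usage error itself and exit non-zero (the bare `exit()` returns status 0, so a caller cannot tell that nothing was written); if the manual check stays, compare with `is None` and fix the "outpout" typo. In the save hunk, `cmdargs.target.lower()` is unnecessary because `choices=["yaml","json"]` already rejects anything else, and the JSON branch can be `json.dump(the_dico, file, indent=4)` instead of building the string first.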
@@ -12,16 +12,20 @@ logsource: product: linux service: auditd detection: - xclip: - type: EXECVE - a0: xclip - a1: '-selection' - a2: clipboard - a3: '-o' - condition: xclip + xclip: + type: EXECVE + a0: xclip + a1: + - '-selection' + - '-sel' + a2: + - clipboard + - clip + a3: '-o' + condition: xclip tags: - attack.collection - attack.t1115 falsepositives: - Legitimate usage of xclip tools -level: low \ No newline at end of file +level: low From 6782a7af4d119c999bce62328700441cc13a3e65 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 27 Sep 2021 09:27:01 +0200 Subject: [PATCH 15/53] fix TargetUserName and TargetUserSid for detection --- tools/config/winlogbeat-modules-enabled.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index d46dd2051..f3c487904 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -468,12 +468,8 @@ fieldmappings: TargetOutboundUserName: winlog.event_data.TargetOutboundUserName TargetServerName: winlog.event_data.TargetServerName TargetSid: winlog.event_data.TargetSid - TargetUserName: - service=security: user.name - default: winlog.event_data.TargetUserName - TargetUserSid: - service=security: user.id - default: winlog.event_data.TargetUserSid + TargetUserName: winlog.event_data.TargetUserName + TargetUserSid: winlog.event_data.TargetUserSid TaskContent: winlog.event_data.TaskContent TaskName: winlog.event_data.TaskName TicketEncryptionType: winlog.event_data.TicketEncryptionType From 5ef1c913cf30ab9da66395a281c56af5068fbe8f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 27 Sep 2021 18:33:57 +0200 Subject: [PATCH 16/53] fix: wrong condition https://github.com/SigmaHQ/sigma/issues/2089 --- rules/windows/builtin/win_susp_lsass_dump_generic.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
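Review bot: the clipboard hunk matches positionally (`a0: xclip`, `a1: -selection/-sel`, `a2: clipboard/clip`, `a3: '-o'`), so it only fires for the exact order `xclip -selection clipboard -o`; the equivalent `xclip -o -selection clipboard` or `xclip -o -sel clip` puts `-o` in `a1` and is missed. Add a second selection with the swapped order and OR it in the condition, or say in the description that only the one argument order is covered. The indentation fix and the trailing newline are fine.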
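Review bot: the winlogbeat-modules-enabled hunk removes the `service=security: user.name` / `user.id` conditionals, so every Security-log rule will now query `winlog.event_data.TargetUserName` and `winlog.event_data.TargetUserSid` only and never the ECS fields; the subject says "fix" but not what broke. Record in the commit message (or a comment above the mapping) which winlogbeat version or which event IDs failed to populate `user.name`, otherwise the next reader will reintroduce the conditional.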
diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml index afe1ef752..2856705cd 100644 --- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml @@ -62,7 +62,7 @@ detection: filter2: ProcessName|startswith: - 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions - condition: selection_1 or selection_2 and not filter1 and not filter2 + condition: ( selection_1 or selection_2 ) and not filter1 and not filter2 fields: - ComputerName - SubjectDomainName From a0b48b96d4afe4b2f244d00c18f5b5eacb44dd48 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 27 Sep 2021 18:49:58 +0200 Subject: [PATCH 17/53] Fix 'NoneType' object has no attribute 'lower' --- tools/sigma/backends/sysmon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index ce1524e61..852bd1739 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py @@ -217,7 +217,7 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): raise NotSupportedError( "Not supported logsource. Should be product `windows`.") for item in self.logsource.values(): - if item.lower() in self.allowedSource.keys(): + if str(item).lower() in self.allowedSource.keys(): self.table = self.allowedSource.get(item.lower()) break else: From bcf40fa4e4201cd7677054eda47c6b07515f0d31 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 27 Sep 2021 18:59:05 +0200 Subject: [PATCH 18/53] Fix logsource not a string --- rules/windows/builtin/win_susp_logon_explicit_credentials.yml | 1 - rules/windows/other/win_lateral_movement_condrv.yml | 1 - tests/test_rules.py | 3 +++ 3 files changed, 3 insertions(+), 2 deletions(-) 
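Review bot: the parenthesised condition `( selection_1 or selection_2 ) and not filter1 and not filter2` is the right fix: `and` binds tighter than `or` in Sigma conditions, so the old form applied both filters only to `selection_2`, and every `selection_1` hit bypassed the AV/EDR exclusion. Since the hunk changes rule logic, the rule's `modified` date should be bumped in the same commit.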
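Review bot: the `sysmon.py` fix is only half applied: the `if` now tests `str(item).lower()`, but the unchanged next line still does `self.allowedSource.get(item.lower())`, which raises the same `AttributeError` for any non-string value whose stringified form happens to be an allowed source. Compute `key = str(item).lower()` once and use it in both places, and `if key in self.allowedSource:` is enough (no `.keys()`).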
diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index e947b6ae9..595a57420 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -13,7 +13,6 @@ tags: logsource: product: windows service: security - definition: detection: selection: EventID: 4648 diff --git a/rules/windows/other/win_lateral_movement_condrv.yml b/rules/windows/other/win_lateral_movement_condrv.yml index 796b506fa..6bade50ac 100644 --- a/rules/windows/other/win_lateral_movement_condrv.yml +++ b/rules/windows/other/win_lateral_movement_condrv.yml @@ -15,7 +15,6 @@ tags: logsource: product: windows service: security - definition: detection: selection: EventID: 4674 diff --git a/tests/test_rules.py b/tests/test_rules.py index b715e20ec..370e944b4 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -613,6 +613,9 @@ class TestRules(unittest.TestCase): if key.lower() not in valid_logsource: print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) valid = False + elif not isinstance(logsource[key],str): + print(Fore.RED + "Rule {} has a logsource with an invalid field type ({})".format(file, key)) + valid = False if not valid: faulty_rules.append(file) From bcdf164b4ca32c2c8448e46e9d81efb3fb069eaf Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 27 Sep 2021 19:17:14 +0200 Subject: [PATCH 19/53] fix space --- tools/sigma/backends/sysmon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index 852bd1739..3b592525b 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py 
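Review bot: the new `elif not isinstance(logsource[key],str):` branch in `test_rules.py` reports only the key, so an empty `definition:` (YAML null, which the two rule hunks above remove) surfaces as "invalid field type (definition)" with no hint that the value is `None`; include `type(logsource[key]).__name__` in the message. Style: space after the comma in `isinstance(logsource[key], str)`.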
@@ -217,7 +217,7 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): raise NotSupportedError( "Not supported logsource. Should be product `windows`.") for item in self.logsource.values(): - if str(item).lower() in self.allowedSource.keys(): + if str(item).lower() in self.allowedSource.keys(): self.table = self.allowedSource.get(item.lower()) break else: From 3e7b3073cf3a6b9ffea51603df4271405f77700a Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 27 Sep 2021 23:30:30 -0500 Subject: [PATCH 20/53] Update win_sysmon_driver_unload.yml --- rules/windows/process_creation/win_sysmon_driver_unload.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml index a0b9258b4..505f7d952 100644 --- a/rules/windows/process_creation/win_sysmon_driver_unload.yml +++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml @@ -4,7 +4,7 @@ status: experimental author: Kirill Kiryanov, oscd.community description: Detect possible Sysmon driver unload date: 2019/10/23 -modified: 2020/08/29 +modified: 2021/09/27 references: - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon logsource: @@ -13,6 +13,8 @@ logsource: tags: - attack.defense_evasion - attack.t1070 + - attack.t1562 + - attack.t1562.002 detection: selection: Image|endswith: '\fltmc.exe' From 0d07a78a2da137412d14baf921a4653f0121cf5b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 27 Sep 2021 23:41:19 -0500 Subject: [PATCH 21/53] Update aws_attached_malicious_lambda_layer.yml --- rules/cloud/aws/aws_attached_malicious_lambda_layer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml index 39c92d704..7c97e8d2c 100644 --- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml 
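Review bot: the `sysmon.py` hunk is whitespace-only (trailing space removed from the line PATCH 17 introduced); squash it into PATCH 17 rather than keeping a separate "fix space" commit. In the `win_sysmon_driver_unload.yml` hunk, listing both `attack.t1562` and `attack.t1562.002` is redundant: tag the tactic plus the most specific technique (`attack.t1562.002`) and drop the parent; while there, check whether the retained `attack.t1070` (Indicator Removal) still applies to a driver unload or whether it was only standing in for the sub-technique now added.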
+++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml @@ -13,7 +13,7 @@ detection: eventSource: lambda.amazonaws.com eventName: UpdateFunctionConfiguration condition: selection -level: low +level: medium tags: - attack.privilege_escalation falsepositives: From 11dc2761855c162110733882bb4ef1da6906c96b Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 28 Sep 2021 10:33:10 +0200 Subject: [PATCH 22/53] Update filter help --- tools/sigma/sigmac.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index 52b04a247..27f07a0cf 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py @@ -98,12 +98,16 @@ def set_argparser(): argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)") argparser.add_argument("--filter", "-f", help=""" Define comma-separated filters that must match (AND-linked) to rule to be processed. - Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t. + Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t, target=o. x is one of: low, medium, high, critical. y is one of: experimental, testing, stable. z is a word appearing in an arbitrary log source attribute. t is a tag that must appear in the rules tag list, case-insensitive matching. + o is a target that must appear in the rules target list, case-insensitive matching. Multiple log source specifications are AND linked. + Special filter: + inlastday=X rule create or modified in the last X days period + tlp=valid_tlp if rule have no tlp set to WHITE """) argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format") argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations") From a2418e4d2cadeefa3b6a7bb639a92ff0872b89ca Mon Sep 17 00:00:00 2001 
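Review bot: grammar in the new `--filter` help text: "inlastday=X rule create or modified in the last X days period" should read "inlastday=X  rules created or modified in the last X days", and "tlp=valid_tlp if rule have no tlp set to WHITE" is ambiguous; if it means rules without a `tlp` field are treated as WHITE, say that ("rules with no tlp field are treated as WHITE"). The "Special filter:" heading is also indented differently from the filter list above it.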
From: zaicurity <59199225+zaicurity@users.noreply.github.com> Date: Tue, 28 Sep 2021 17:39:21 +0200 Subject: [PATCH 23/53] Added alternative command parameter Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection. Tested on Windows 10.0.19042 Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ --- rules/windows/process_creation/win_nltest_recon.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_nltest_recon.yml b/rules/windows/process_creation/win_nltest_recon.yml index 46985f8e8..a08640d0d 100644 --- a/rules/windows/process_creation/win_nltest_recon.yml +++ b/rules/windows/process_creation/win_nltest_recon.yml @@ -30,6 +30,7 @@ detection: - '/dclist:' - '/parentdomain' - '/domain_trusts' + - '/trusted_domains' - '/user' condition: selection_nltest and (selection_recon1 or selection_recon2) falsepositives: From 4a66ea04bd7d3ddcbb453d12770beadf9c0f8e0e Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 29 Sep 2021 08:26:05 +0200 Subject: [PATCH 24/53] fix tags --- rules/windows/process_creation/win_susp_mpcmdrun_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml index 4dd0c5d20..5265dd136 100644 --- a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml +++ b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml @@ -9,7 +9,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ tags: - attack.defense_evasion - - attack.t1218.010 + - attack.t1218 - attack.command_and_control - attack.t1105 logsource: From 424b0263dfb426c853d258c8c2fd3d4c95a100b3 Mon Sep 17 00:00:00 2001 
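Review bot: `win_nltest_recon.yml` now lists `/trusted_domains` next to `/domain_trusts`, but `win_trust_discovery.yml` carries the same `domain_trusts` list and needs the same addition (PATCH 34 later in this series does it); both rules should be changed in one commit so they do not drift. In the `win_susp_mpcmdrun_download.yml` hunk, moving from `attack.t1218.010` (Regsvr32) to the parent `attack.t1218` is correct since MpCmdRun has no sub-technique of its own; bump `modified` for the tag change.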
From: frack113 Date: Wed, 29 Sep 2021 08:53:22 +0200 Subject: [PATCH 25/53] add EventID 26 --- tools/config/generic/sysmon.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml index a5aaac023..da857d686 100644 --- a/tools/config/generic/sysmon.yml +++ b/tools/config/generic/sysmon.yml @@ -143,7 +143,9 @@ logsources: category: file_delete product: windows conditions: - EventID: 23 + EventID: + - 23 + - 26 rewrite: product: windows service: sysmon From d3fc6b118de3173f41e5a2a3974ec89ee13eabed Mon Sep 17 00:00:00 2001 From: kidrek Date: Wed, 29 Sep 2021 09:42:17 +0200 Subject: [PATCH 26/53] Add new rule - sysmon_delete_prefetch - AntiForensic --- .../file_delete/sysmon_delete_prefetch.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100755 rules/windows/file_delete/sysmon_delete_prefetch.yml diff --git a/rules/windows/file_delete/sysmon_delete_prefetch.yml b/rules/windows/file_delete/sysmon_delete_prefetch.yml new file mode 100755 index 000000000..013db199d --- /dev/null +++ b/rules/windows/file_delete/sysmon_delete_prefetch.yml @@ -0,0 +1,23 @@ +title: Prefetch file deletion (AntiForensic) +id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 +status: experimental +description: Detects the deletion of a prefetch file (AntiForensic) +level: high +author: Cedric MAURUGEON +date: 2021/09/29 +tags: + - attack.defense_evasion + - attack.t1070.004 +logsource: + product: windows + category: file_delete +detection: + selection: + TargetFilename|startswith: 'C:\Windows\Prefetch\' + TargetFilename|endswith: '.pf' + exception: + Image: 'C:\windows\system32\svchost.exe' + User: 'NT AUTHORITY\SYSTEM' + condition: selection and not exception +falsepositives: + - Unknown From da4a8a0ffdbe1ae7288141bd1cd4de4b0504f6d4 Mon Sep 17 00:00:00 2001 
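Review bot: the new `sysmon_delete_prefetch.yml` is created with mode 100755 while every other rule is 100644; drop the executable bit. Path casing is inconsistent between `TargetFilename|startswith: 'C:\Windows\Prefetch\'` and `Image: 'C:\windows\system32\svchost.exe'`, and on a case-sensitive backend the exception will not match, so SYSTEM's `svchost.exe` (the normal prefetch housekeeping) will alert; use the same casing in both. That housekeeping is also the obvious false positive and belongs under `falsepositives` instead of `Unknown`. The `sysmon.yml` hunk adding EventID 26 (FileDeleteDetected, logged when a deletion is seen but the file is not archived) is fine and is what makes this rule fire on hosts without archiving.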
From: kidrek Date: Wed, 29 Sep 2021 09:49:58 +0200 Subject: [PATCH 27/53] Fix title field error --- rules/windows/file_delete/sysmon_delete_prefetch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_delete/sysmon_delete_prefetch.yml b/rules/windows/file_delete/sysmon_delete_prefetch.yml index 013db199d..be238a8f8 100755 --- a/rules/windows/file_delete/sysmon_delete_prefetch.yml +++ b/rules/windows/file_delete/sysmon_delete_prefetch.yml @@ -1,4 +1,4 @@ -title: Prefetch file deletion (AntiForensic) +title: Prefetch file deletion id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 status: experimental description: Detects the deletion of a prefetch file (AntiForensic) From 17ad95cd12a43605165d0819b2b2addef64ef818 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 29 Sep 2021 10:58:00 +0200 Subject: [PATCH 28/53] Update sysmon_delete_prefetch.yml --- rules/windows/file_delete/sysmon_delete_prefetch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_delete/sysmon_delete_prefetch.yml b/rules/windows/file_delete/sysmon_delete_prefetch.yml index be238a8f8..451971948 100755 --- a/rules/windows/file_delete/sysmon_delete_prefetch.yml +++ b/rules/windows/file_delete/sysmon_delete_prefetch.yml @@ -1,4 +1,4 @@ -title: Prefetch file deletion +title: Prefetch File Deletion id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 status: experimental description: Detects the deletion of a prefetch file (AntiForensic) From 2ae2c35a7fd72718339c01028037d134aadd79d9 Mon Sep 17 00:00:00 2001 From: "neonprimetime security (Justin C Miller)" Date: Wed, 29 Sep 2021 07:47:12 -0500 Subject: [PATCH 29/53] mispelled 'mshta.exe' in selection_base it said 'mhsta.exe' and it should say 'mshta.exe' --- rules/windows/process_creation/win_susp_mshta_pattern.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_susp_mshta_pattern.yml b/rules/windows/process_creation/win_susp_mshta_pattern.yml index d9e7e0102..8291ef095 100644 --- a/rules/windows/process_creation/win_susp_mshta_pattern.yml +++ b/rules/windows/process_creation/win_susp_mshta_pattern.yml @@ -16,7 +16,7 @@ logsource: detection: # Binary Selector selection_base: - Image|endswith: '\mhsta.exe' + Image|endswith: '\mshta.exe' # Suspicious parents selection1: ParentImage|endswith: From 056067086c1428e3ab6962ef1611270dbc72fb73 Mon Sep 17 00:00:00 2001 From: webboy2015 Date: Wed, 29 Sep 2021 14:33:36 -0700 Subject: [PATCH 30/53] Create win_lolbas_execution_of_nltest.exe.yaml The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0". --- .../win_lolbas_execution_of_nltest.exe | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_creation/win_lolbas_execution_of_nltest.exe diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe new file mode 100644 index 000000000..115637467 --- /dev/null +++ b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe 
@@ -0,0 +1,28 @@ +title: windows lolbas execution of nltest.exe +id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 # https://www.uuidgenerator.net/version4 +status: experimental +author: Arun Chauhan +date: 2021/08/24 +description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. +references: + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm + - https://attack.mitre.org/software/S0359/ +tags: + - attack.discovery + - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts + - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc + - attack.1016 # enumerate the parent domain of a local machine using /parentdomain +logsource: + product: windows + service: security +detection: + selection: + EventID: 4689 + Image|contains: "nltest.exe" + ExitStatus: "0x0" + condition: selection +fields: + - "SubjectUserName" +falsepositives: + - "Red team activity" +level: high From 29d66a965cd91e60142f720bb83e51a48610f457 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 30 Sep 2021 10:03:11 +0200 Subject: [PATCH 31/53] add 4104 --- .../powershell/powershell_susp_zip_compress.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_susp_zip_compress.yml index be6c466fb..98f882e49 100644 --- a/rules/windows/powershell/powershell_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_susp_zip_compress.yml 
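Review bot: the new file `win_lolbas_execution_of_nltest.exe` has no `.yml` extension, so the `**/*.yml` globs in the test suite and in `sigmacover.py` skip it entirely; rename it `..._nltest.yml`. Tag `attack.1016` is missing the `t` (`attack.t1016`). Security event 4689 carries `ProcessName` and `Status`, not `Image` and `ExitStatus` (PATCH 42 later in the series corrects this), and 4689 has no command line, so the rule cannot see the recon switches the inline comments mention; `Status: "0x0"` then matches every successful `nltest` run, which does not justify `level: high`. Also drop the `# https://www.uuidgenerator.net/version4` comment after `id`, and since `logsource` is `service: security` the file belongs under `builtin/`, not `process_creation/`.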
@@ -3,7 +3,7 @@ id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 status: experimental author: frack113 date: 2021/07/20 -modified: 2021/09/07 +modified: 2021/09/30 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md @@ -13,16 +13,23 @@ tags: logsource: product: windows service: powershell - definition: Module Logging must be enabled + definition: 4103 Module Logging must be enabled , 4104 Script Block Logging must be enable detection: - selection: + selection_4103: EventID: 4103 ContextInfo|contains|all: - 'Compress-Archive ' - ' -Path ' - ' -DestinationPath ' - '$env:TEMP\' - condition: selection + selection_4104: + EventID: 4104 + ScriptBlockText|contains|all: + - 'Compress-Archive ' + - ' -Path ' + - ' -DestinationPath ' + - '$env:TEMP\' + condition: selection_4103 or selection_4104 falsepositives: - Unknown level: medium From 67818f125aad1ca9fdbb4c748d537e7c0c58a43f Mon Sep 17 00:00:00 2001 From: hazedav Date: Thu, 30 Sep 2021 09:27:18 -0500 Subject: [PATCH 32/53] fix(backend): add remediation for lacework policy --- tools/sigma/backends/lacework.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py index 414335344..29cc3ea7e 100644 --- a/tools/sigma/backends/lacework.py +++ b/tools/sigma/backends/lacework.py @@ -554,7 +554,7 @@ class LaceworkPolicy: self.description = safe_get(rule, 'description', str) # 14. Get Remediation - self.remediation = "" + self.remediation = 'Remediation steps are not represented in Sigma rule specification' def __iter__(self): for key, attr in { From 82ba266a53e4df0498d8a6cef5346be2ef729419 Mon Sep 17 00:00:00 2001 
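Review bot: the new `definition:` text "4103 Module Logging must be enabled , 4104 Script Block Logging must be enable" has a stray space before the comma and "enable" should be "enabled". The split into `selection_4103` (`ContextInfo`) and `selection_4104` (`ScriptBlockText`) is the right shape since the two event IDs expose the command in different fields; `modified` is bumped, good.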
From: Andreas Hunkeler Date: Thu, 30 Sep 2021 16:38:39 +0200 Subject: [PATCH 33/53] Add fp note to powershell winapi rule --- rules/windows/powershell/powershell_accessing_win_api.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml index f7ed287ec..4599517b9 100644 --- a/rules/windows/powershell/powershell_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_accessing_win_api.yml @@ -68,5 +68,5 @@ detection: - 'secur32' condition: selection falsepositives: - - Unknown + - Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon) level: high From 76224b0fb2d23a24212bb162318cf04833bb76cd Mon Sep 17 00:00:00 2001 From: zaicurity <59199225+zaicurity@users.noreply.github.com> Date: Thu, 30 Sep 2021 18:12:19 +0200 Subject: [PATCH 34/53] Added alternative nltest command parameter Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2cadeefa3b6a7bb639a92ff0872b89ca) Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection. Tested on Windows 10.0.19042 Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ --- rules/windows/process_creation/win_trust_discovery.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml index 9ff5c5573..e68aa17f1 100644 --- a/rules/windows/process_creation/win_trust_discovery.yml +++ b/rules/windows/process_creation/win_trust_discovery.yml @@ -25,6 +25,7 @@ detection: CommandLine|contains: - 'domain_trusts' - 'all_trusts' + - '/trusted_domains' - '/dclist' selection_dsquery_v1: Image|endswith: '\dsquery.exe' From e90094576149b8c04447ecaebed43f3e991a63d9 Mon Sep 17 00:00:00 2001 
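Review bot: in the `win_trust_discovery.yml` hunk, the new `'/trusted_domains'` entry is inconsistent with its neighbours: `'domain_trusts'` and `'all_trusts'` have no leading slash while `'/trusted_domains'` and `'/dclist'` do. Use one form; without the slash the `contains` match still covers `/trusted_domains` and is tolerant of other switch prefixes.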
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 30 Sep 2021 19:26:14 +0200 Subject: [PATCH 35/53] Update win_trust_discovery.yml --- rules/windows/process_creation/win_trust_discovery.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml index e68aa17f1..7d3009e74 100644 --- a/rules/windows/process_creation/win_trust_discovery.yml +++ b/rules/windows/process_creation/win_trust_discovery.yml @@ -13,6 +13,7 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ + - https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ tags: - attack.discovery - attack.t1482 From b0b95ce32b0808e3a356b6e5fc5666ed841c046b Mon Sep 17 00:00:00 2001 From: Tareq Alkhatib Date: Thu, 30 Sep 2021 16:34:14 -0400 Subject: [PATCH 36/53] Corrected Technique --- .../windows/process_creation/process_mailboxexport_share.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml index d0d621109..4d08c42c1 100644 --- a/rules/windows/process_creation/process_mailboxexport_share.yml +++ b/rules/windows/process_creation/process_mailboxexport_share.yml @@ -25,5 +25,5 @@ fields: - CommandLine - ParentCommandLine tags: - - attack.collection - - attack.t1114 \ No newline at end of file + - attack.persistence + - attack.t1505.003 \ No newline at end of file From 00513ff2c515ae0bed40a7ac4306c6a169e841df Mon Sep 17 00:00:00 2001 
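Review bot: replacing `attack.collection` / `attack.t1114` with `attack.persistence` / `attack.t1505.003` in `process_mailboxexport_share.yml` drops the email-collection mapping that the rule name still describes; exporting a mailbox to a share to write a web shell justifies T1505.003, but the same command is also mailbox collection, so keep both tactic/technique pairs. The hunk also preserves `\ No newline at end of file`; add the trailing newline.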
From: Austin Songer Date: Thu, 30 Sep 2021 18:47:15 -0500 Subject: [PATCH 37/53] Create macos_suspicious_macos_firmware_activity.yml --- ...cos_suspicious_macos_firmware_activity.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/linux/macos_suspicious_macos_firmware_activity.yml diff --git a/rules/linux/macos_suspicious_macos_firmware_activity.yml b/rules/linux/macos_suspicious_macos_firmware_activity.yml new file mode 100644 index 000000000..cc89eebfe --- /dev/null +++ b/rules/linux/macos_suspicious_macos_firmware_activity.yml @@ -0,0 +1,27 @@ +title: Suspicious MacOS Firmware Activity +id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099 +status: experimental +description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers. +author: Austin Songer @austinsonger +date: 2021/09/30 +references: + - https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml + - https://www.manpagez.com/man/8/firmwarepasswd/ + - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web +logsource: + category: process_creation + product: macos +detection: + selection1: + Image: '/usr/sbin/firmwarepasswd' + CommandLine|contains: + - 'setpasswd' + - 'full' + - 'delete' + - 'check' + condition: selection1 +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.impact From 04acba9c77761b61b60093ee032f1bc9431671a8 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 30 Sep 2021 19:58:21 -0500 Subject: [PATCH 38/53] Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml --- ...data_exfiltration_by_using_datasvcutil.yml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml 
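Review bot: `macos_suspicious_macos_firmware_activity.yml` declares `product: macos` but is created under `rules/linux/`; move it to `rules/macos/`. In the description, "manipulates with Firmward Password" should be "manipulates the firmware password". The `CommandLine|contains` list includes `'check'`, but `firmwarepasswd -check` only reports whether a password is set and is a read-only query, so it will fire on routine compliance checks; keep the modifying verbs (`setpasswd`, `delete`, mode changes) or document the noise under `falsepositives`. Name the selection `selection` rather than `selection1` when there is only one.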
diff --git a/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml new file mode 100644 index 000000000..71febbac5 --- /dev/null +++ b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml @@ -0,0 +1,36 @@ +title: LOLBAS Data Exfiltration by DataSvcUtil.exe +id: e290b10b-1023-4452-a4a9-eb31a9013b3a +status: experimental +author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger +date: 2021/09/30 +description: Detects when a user performs data exfiltration by using DataSvcUtil.exe +references: + - https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 + - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe + - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services + - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +tags: + - attack.exfiltration + - attack.t1567 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - '/in:*' + - '/out:*' + Image|endswith: + - '\DataSvcUtil.exe' + condition: selection +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - DataSvcUtil.exe being used may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Penetration Testing +level: medium From 0d22601112a0680330c5ad61928440d683128a62 Mon Sep 17 00:00:00 2001 
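Review bot: in the DataSvcUtil rule, `CommandLine|contains|all:` with `'/in:*'` and `'/out:*'` is wrong-by-redundancy: `*` is a Sigma wildcard and `contains` already wraps the value in wildcards, so the trailing `*` adds nothing and some backends will emit an odd escaped form; use `'/in:'` and `'/out:'`. `Image|endswith:` with a single list item can be a scalar `'\DataSvcUtil.exe'`. The `falsepositives` list is otherwise reasonable.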
From: Tareq Alkhatib Date: Fri, 1 Oct 2021 08:40:59 -0400 Subject: [PATCH 39/53] Added Compromise Infrastructure: Web Services technique --- .../windows/process_creation/process_mailboxexport_share.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml index 4d08c42c1..afcf74717 100644 --- a/rules/windows/process_creation/process_mailboxexport_share.yml +++ b/rules/windows/process_creation/process_mailboxexport_share.yml @@ -26,4 +26,6 @@ fields: - ParentCommandLine tags: - attack.persistence - - attack.t1505.003 \ No newline at end of file + - attack.t1505.003 + - attack.resource_development + - attack.t1584.006 \ No newline at end of file From e67770d7ea961514c6eef13c1f887049b9e1de5b Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Fri, 1 Oct 2021 18:43:03 +0200 Subject: [PATCH 40/53] New Rule - Linux - Auditd - Clipboard Collection of Image Data with Xclip Tool --- .../lnx_auditd_clipboard_image_collection.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml new file mode 100644 index 000000000..d9ec837b7 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml 
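Review bot: `attack.t1584.006` (Compromise Infrastructure: Web Services) describes taking over third-party web services to use as adversary infrastructure; a mailbox export written to a share on the organisation's own Exchange server does not fit that definition, so either explain the mapping in the commit message or drop the `attack.resource_development` / `attack.t1584.006` pair. The file still ends without a newline after this hunk.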
@@ -0,0 +1,32 @@ +title: Clipboard Collection of Image Data with Xclip Tool +id: f200dc3f-b219-425d-a17e-c38467364816 +description: Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +author: 'Pawel Mazur' +status: experimental +date: 2021/10/01 +references: + - https://attack.mitre.org/techniques/T1115/ + - https://linux.die.net/man/1/xclip +logsources: + product: linux + service: auditd +detection: + xclip: + type: EXECVE + a0: xclip + a1: + - '-selection' + - '-sel' + a2: + - clipboard + - clip + a3: '-t' + a4: 'image/png' + a5: '-o' + condition: xclip +tags: + - attack.collection + - attack.t1115 +falsepositives: + - Legitimate usage of xclip tools +level: low \ No newline at end of file From d40b42fc2ce09799fc0dd739b8a0ad2728a25dcf Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Fri, 1 Oct 2021 18:54:12 +0200 Subject: [PATCH 41/53] Update lnx_auditd_clipboard_image_collection.yml fixing a typo --- rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml index d9ec837b7..679063519 100644 --- a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml +++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml @@ -7,7 +7,7 @@ date: 2021/10/01 references: - https://attack.mitre.org/techniques/T1115/ - https://linux.die.net/man/1/xclip -logsources: +logsource: product: linux service: auditd detection: @@ -29,4 +29,4 @@ tags: - attack.t1115 falsepositives: - Legitimate usage of xclip tools -level: low \ No newline at end of file +level: low From 87df79302d58f605104841c477254f534a4de28b Mon Sep 17 00:00:00 2001 
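Review bot: in the new lnx_auditd_clipboard_image_collection.yml hunk the top-level key is "logsources:" while the Sigma schema key is "logsource:", so validation and backend mapping will not pick the rule up until it is renamed. In the same hunk, "a4: 'image/png'" limits the match to PNG although the title promises image data in general; "a4|startswith: 'image/'" covers the other MIME types xclip can output. The file is also missing its trailing newline, and "Highly recommended using rule on servers" in the description should read "Using this rule on servers is highly recommended".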
From: webboy2015 Date: Fri, 1 Oct 2021 12:55:37 -0700 Subject: [PATCH 42/53] Update win_lolbas_execution_of_nltest.exe Changed condition as follows: detection: selection: EventID: 4689 ProcessName|endswith: nltest.exe Status: "0x0" condition: selection Included field - SubjectDomainName --- .../process_creation/win_lolbas_execution_of_nltest.exe | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe index 115637467..e36bff3ea 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe +++ b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe @@ -18,11 +18,12 @@ logsource: detection: selection: EventID: 4689 - Image|contains: "nltest.exe" - ExitStatus: "0x0" + ProcessName|endswith: nltest.exe + Status: "0x0" condition: selection fields: - "SubjectUserName" + - "SubjectDomainName" falsepositives: - "Red team activity" level: high From e6b32b90af35f79be188920a175981b083aaee08 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 2 Oct 2021 07:25:11 +0200 Subject: [PATCH 43/53] Update win_lolbas_execution_of_nltest.exe --- .../process_creation/win_lolbas_execution_of_nltest.exe | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe index e36bff3ea..24a70d34c 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe +++ b/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe @@ -1,5 +1,5 @@ -title: windows lolbas execution of nltest.exe -id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 # https://www.uuidgenerator.net/version4 +title: Correct Execution of Nltest.exe +id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 status: experimental author: Arun Chauhan date: 2021/08/24 
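Review bot: "ProcessName|endswith: nltest.exe" in the win_lolbas_execution_of_nltest.exe hunk has no path separator, so it also matches any executable whose name merely ends in that string; use "'\nltest.exe'" (quoted so YAML keeps the backslash). The rename from "Image"/"ExitStatus" to "ProcessName"/"Status" is the right one for Security event 4689, but 4689 is process termination and carries no command line, so the rule fires on every completed nltest run regardless of arguments; that should be stated in the description.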
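Review bot: the new title "Correct Execution of Nltest.exe" is ambiguous; the selection keys on "Status: \"0x0\"", that is a zero exit status, so "Successful Execution of Nltest.exe" describes what the rule actually matches. Dropping the "# https://www.uuidgenerator.net/version4" comment after the id is fine.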
@@ -25,5 +25,6 @@ fields: - "SubjectUserName" - "SubjectDomainName" falsepositives: - - "Red team activity" + - Red team activity + - rare legitimate use by an administrator level: high From f652745924a6fb75b64779885f13f2ec940a3c13 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 2 Oct 2021 07:53:19 +0200 Subject: [PATCH 44/53] Update and rename win_lolbas_execution_of_nltest.exe to win_lolbas_execution_of_nltest.yml --- ...ecution_of_nltest.exe => win_lolbas_execution_of_nltest.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/process_creation/{win_lolbas_execution_of_nltest.exe => win_lolbas_execution_of_nltest.yml} (93%) diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe b/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml similarity index 93% rename from rules/windows/process_creation/win_lolbas_execution_of_nltest.exe rename to rules/windows/process_creation/win_lolbas_execution_of_nltest.yml index 24a70d34c..f95ad5b80 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_nltest.exe +++ b/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml @@ -11,7 +11,7 @@ tags: - attack.discovery - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc - - attack.1016 # enumerate the parent domain of a local machine using /parentdomain + - attack.t1016 # enumerate the parent domain of a local machine using /parentdomain logsource: product: windows service: security From c2a26923c66cda9c3995e2e87ace259e11a31da7 Mon Sep 17 00:00:00 2001 
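Review bot: the falsepositives hunk now lists "rare legitimate use by an administrator", yet "level: high" is unchanged; because event 4689 carries no command line, the selection cannot filter on arguments, so every successful nltest.exe exit on a domain-joined host (a routine administrative tool) would alert at high severity. Lower the level to medium or narrow the selection before keeping high.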
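Review bot: beyond the "attack.1016" typo corrected in the rename hunk ("attack.t1016" is right), the tag comments still cite arguments ("/domain_trusts", "/dclist", "/dsgetdc", "/parentdomain") that this rule cannot see, since the "service: security" logsource shown in the context (event 4689) carries no command line; either reword the comments to say these are possible uses of nltest rather than what is matched, or move the rule to a process_creation logsource where the arguments are available. The ".exe" to ".yml" rename itself is needed for the file to be treated as a rule at all.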
From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Sat, 2 Oct 2021 09:59:37 +0200 Subject: [PATCH 45/53] Update lnx_auditd_clipboard_image_collection.yml --- rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml index 679063519..181bf6528 100644 --- a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml +++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml @@ -21,7 +21,7 @@ detection: - clipboard - clip a3: '-t' - a4: 'image/png' + a4|startswith: 'image/' a5: '-o' condition: xclip tags: From 81d1bb0e2b73465717e74a5685da594043f1a0e0 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 2 Oct 2021 13:32:20 -0500 Subject: [PATCH 46/53] Update process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml --- ...creation_lolbas_data_exfiltration_by_using_datasvcutil.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml index 71febbac5..ea11ff858 100644 --- a/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml +++ b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml @@ -18,8 +18,8 @@ logsource: detection: selection: CommandLine|contains|all: - - '/in:*' - - '/out:*' + - '/in:' + - '/out:' Image|endswith: - '\DataSvcUtil.exe' condition: selection From 96f05f7f191c646460ae2abacf28d13eca619d8f Mon Sep 17 00:00:00 2001 
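Review bot: "a4|startswith: 'image/'" is the right generalization, but the selection still pins every option to a fixed argv slot (a1 "-selection"/"-sel", a2 "clipboard"/"clip", a3 "-t", a4 the type, a5 "-o"), and xclip accepts its options in any order, so an invocation with "-o" first or with "-t" given before "-selection" will not match. Either state the ordering assumption in the description or add a second selection for the common "-o"-first form.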
From: MetallicHack <35694352+MetallicHack@users.noreply.github.com> Date: Mon, 4 Oct 2021 15:25:55 +0200 Subject: [PATCH 47/53] Update azure_ad_user_added_to_sensitive_role.yml --- .../azure_ad_user_added_to_sensitive_role.yml | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml b/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml index 9daeafb98..47743d9eb 100644 --- a/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml +++ b/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml @@ -1 +1,23 @@ -test +title: User added to an administrator's Azure AD role +id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7 +description: Detect when an user is added to an administrator's Azure AD role +author: Raphaël CALVET, @MetallicHack +date: 2021/10/04 +references: + - https://attack.mitre.org/techniques/T1098/003/ + - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/ +logsource: + service: azure.activitylogs +detection: + selection: + Operation: 'Add member to role.' + Workload: 'AzureActiveDirectory' + ModifiedProperties{}.NewValue|endswith: + - 'Admins' + - 'Administrator' + condition: selection +falsepositives: + - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. +level: medium +status: experimental +tags: persistence From fe439e1998dd1b42ef6ee748801b110992b9b5c9 Mon Sep 17 00:00:00 2001 From: MetallicHack <35694352+MetallicHack@users.noreply.github.com> Date: Mon, 4 Oct 2021 15:26:58 +0200 Subject: [PATCH 48/53] Rename azure_ad_user_added_to_sensitive_role.yml to azure_ad_user_added_to_admin_role.yml --- ...o_sensitive_role.yml => azure_ad_user_added_to_admin_role.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/azure/{azure_ad_user_added_to_sensitive_role.yml => azure_ad_user_added_to_admin_role.yml} (100%) 
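Review bot: "tags: persistence" at the end of the new Azure AD rule is a bare scalar where the schema expects a list of "attack.*" tags ("attack.persistence" and "attack.t1098.003", matching the T1098/003 reference given). In the same hunk, "logsource" says "azure.activitylogs", but "Operation", "Workload: 'AzureActiveDirectory'" and "ModifiedProperties{}.NewValue" are field names from the Office 365 unified audit log (Management Activity API) schema rather than the Azure Activity Log, so either the logsource or the field names should change for the rule to map to a real source. Also, "NewValue|endswith" on "Admins"/"Administrator" is a naming heuristic that misses privileged roles whose display names end differently; say so in the description, and "Detect when an user" should read "Detects when a user".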
diff --git a/rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml similarity index 100% rename from rules/cloud/azure/azure_ad_user_added_to_sensitive_role.yml rename to rules/cloud/azure/azure_ad_user_added_to_admin_role.yml From 654b5b4bff0717d82ab2fc7a09e764a8ab7496f6 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 4 Oct 2021 22:08:47 +0200 Subject: [PATCH 49/53] Update win_lolbas_execution_of_nltest.yml --- .../windows/process_creation/win_lolbas_execution_of_nltest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml b/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml index f95ad5b80..041d524ba 100644 --- a/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml +++ b/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml @@ -2,7 +2,7 @@ title: Correct Execution of Nltest.exe id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 status: experimental author: Arun Chauhan -date: 2021/08/24 +date: 2021/10/04 description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm From 4f86a245f82dcee4256d1545a905fe1d53e0bc17 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 5 Oct 2021 07:30:43 +0200 Subject: [PATCH 50/53] Order file i correct directory --- .../win_lolbas_execution_of_nltest.yml | 0 ...nt_executable_and_script_creation_by_office_using_file_ext.yml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{process_creation => builtin}/win_lolbas_execution_of_nltest.yml (100%) rename rules/windows/{process_creation => file_event}/file_event_executable_and_script_creation_by_office_using_file_ext.yml (100%) 
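Review bot: overwriting "date: 2021/08/24" with "2021/10/04" in the win_lolbas_execution_of_nltest.yml hunk discards the rule's creation date; Sigma keeps "date" as the creation date and records later edits in a separate "modified:" field, so this hunk should add "modified: 2021/10/04" and leave "date" unchanged.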
diff --git a/rules/windows/process_creation/win_lolbas_execution_of_nltest.yml b/rules/windows/builtin/win_lolbas_execution_of_nltest.yml similarity index 100% rename from rules/windows/process_creation/win_lolbas_execution_of_nltest.yml rename to rules/windows/builtin/win_lolbas_execution_of_nltest.yml diff --git a/rules/windows/process_creation/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml similarity index 100% rename from rules/windows/process_creation/file_event_executable_and_script_creation_by_office_using_file_ext.yml rename to rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml From 80d09483d96a374091e6f8a4d4312b55696a0ab6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 5 Oct 2021 07:33:50 +0200 Subject: [PATCH 51/53] move to builtin --- .../win_susp_multiple_files_renamed_or_deleted.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{file_event => builtin}/win_susp_multiple_files_renamed_or_deleted.yml (100%) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml similarity index 100% rename from rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml rename to rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml From a4100e76b9f1cec722758925169ac9754a720963 Mon Sep 17 00:00:00 2001 From: MetallicHack <35694352+MetallicHack@users.noreply.github.com> Date: Tue, 5 Oct 2021 09:39:03 +0200 Subject: [PATCH 52/53] change title and tags in order to match sigmarules --- rules/cloud/azure/azure_ad_user_added_to_admin_role.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml index 47743d9eb..6d2a27b0b 100644 
--- a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml +++ b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml @@ -1,4 +1,4 @@ -title: User added to an administrator's Azure AD role +title: User Added to an Administrator's Azure AD Role id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7 description: Detect when an user is added to an administrator's Azure AD role author: Raphaël CALVET, @MetallicHack @@ -20,4 +20,6 @@ falsepositives: - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. level: medium status: experimental -tags: persistence +tags: + - attack.persistence + - attack.t1098.003 From 030fc2a03ef94923f2cce869669cb67b4f4df93d Mon Sep 17 00:00:00 2001 From: MetallicHack <35694352+MetallicHack@users.noreply.github.com> Date: Tue, 5 Oct 2021 09:40:25 +0200 Subject: [PATCH 53/53] change title and tags in order to match sigmarules --- rules/cloud/azure/azure_ad_user_added_to_admin_role.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml index 6d2a27b0b..ce6c956bf 100644 --- a/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml +++ b/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml @@ -1,6 +1,6 @@ title: User Added to an Administrator's Azure AD Role id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7 -description: Detect when an user is added to an administrator's Azure AD role +description: User Added to an Administrator's Azure AD Role author: Raphaël CALVET, @MetallicHack date: 2021/10/04 references:
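Review bot: replacing the description with the title text ("description: User Added to an Administrator's Azure AD Role") leaves the rule with no statement of what it detects or why; keep a sentence such as "Detects when a user is added to an administrator's Azure AD role", which also fixes the "an user" grammar of the removed line.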