diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
index 84390c481..acce751be 100644
--- a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
+++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
@@ -7,13 +7,12 @@ author: Bhabesh Raj
status: experimental
level: critical
references:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- - https://nvd.nist.gov/vuln/detail/cve-2021-26858
date: 2021/03/03
tags:
- attack.t1203
- attack.execution
+ - cve.2021.26858
logsource:
category: file_event
product: windows
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
index 10aaacd2b..0b591d74a 100644
--- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
@@ -4,8 +4,6 @@ status: experimental
description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
references:
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
- - https://nvd.nist.gov/vuln/detail/CVE-2020-10189
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
author: Florian Roth
date: 2020/03/25
@@ -18,6 +16,7 @@ tags:
- attack.t1059.003
- attack.t1059 # an old one
- attack.s0190
+ - cve.2020.10189
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
index 4056fcdb7..25032789c 100644 
--- a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
+++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
@@ -6,13 +6,13 @@ author: Florian Roth
date: 2021/07/14
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
- - https://nvd.nist.gov/vuln/detail/cve-2021-35211
logsource:
category: process_creation
product: windows
tags:
- attack.persistence
- attack.t1136.001
+ - cve.2021.35211
# - threat_group.DEV-0322
detection:
selection1:
diff --git a/rules/windows/process_creation/win_susp_servu_process_pattern.yml b/rules/windows/process_creation/win_susp_servu_process_pattern.yml
index 90b50893a..c1a92be58 100644
--- a/rules/windows/process_creation/win_susp_servu_process_pattern.yml
+++ b/rules/windows/process_creation/win_susp_servu_process_pattern.yml
@@ -6,12 +6,12 @@ author: Florian Roth
date: 2021/07/14
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
- - https://nvd.nist.gov/vuln/detail/cve-2021-35211
logsource:
category: process_creation
product: windows
tags:
- attack.credential_access
+ - cve.2021.35211
detection:
selection:
ParentImage|endswith: '\Serv-U.exe'
diff --git a/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
index 1126237c2..5a9aa6a18 100644
--- a/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml 
@@ -8,12 +8,12 @@ modified: 2021/09/09
references:
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
- - https://nvd.nist.gov/vuln/detail/cve-2021-33771
- - https://nvd.nist.gov/vuln/detail/cve-2021-31979
tags:
- attack.credential_access
- attack.t1566
- attack.t1203
+ - cve.2021.33771
+ - cve.2021.31979
# - threat_group.Sourgum
logsource:
product: windows
diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml
index ad3f790db..c73733567 100644
--- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml
+++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml
@@ -4,11 +4,11 @@ status: experimental
description: Detects a suspicious printer driver installation with an empty Manufacturer value
references:
- https://twitter.com/SBousseaden/status/1410545674773467140
- - https://nvd.nist.gov/vuln/detail/cve-2021-1675
author: Florian Roth
date: 2020/07/01
tags:
- attack.privilege_escalation
+ - cve.2021.1675
logsource:
category: registry_event
product: windows
diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml
index db8f4a1fd..22fa2806b 100644
--- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml
+++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml 
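Review bot: The added `cve.2021.1675` tag in sysmon_registry_susp_printer_driver.yml sits two lines below the unchanged `date: 2020/07/01`, and a CVE-2021 identifier cannot have been the subject of a rule written in July 2020; the cited tweet also appears to date from July 2021, so the date looks like a typo for `2021/07/01`. Correcting the date in the same change would keep the new CVE tag consistent with the rule's own metadata for anyone filtering rules by CVE and date. The rule's detection block lies outside the hunk.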
@@ -6,11 +6,11 @@ references:
- https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
- https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
- - https://nvd.nist.gov/vuln/detail/cve-2021-1675
- - https://nvd.nist.gov/vuln/detail/cve-2021-34527
author: Markus Neis, @markus_neis, Florian Roth
tags:
- attack.execution
+ - cve.2021.1675
+ - cve.2021.34527
date: 2021/07/04
modified: 2021/07/28
logsource:
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 6d10f80ec..b31c8eab0 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -75,20 +75,13 @@ class TestRules(unittest.TestCase):
def test_optional_tags(self):
files_with_incorrect_tags = []
-
+ tags_pattern = re.compile(r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}")
for file in self.yield_next_rule_file_path(self.path_to_rules):
tags = self.get_rule_part(file_path=file, part_name="tags")
if tags:
for tag in tags:
- if tag.startswith("attack."):
- continue
- elif tag.startswith("car."):
- continue
- elif tag.startswith("cve."):
- print(Fore.RED + "Rule {} has the cve tag <{}> but is it a references (https://nvd.nist.gov/)".format(file, tag))
- files_with_incorrect_tags.append(file)
- else:
- print(Fore.RED + "Rule {} has the unknown tag <{}>".format(file, tag))
+ if tags_pattern.match(tag) == None:
+ print(Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag))
files_with_incorrect_tags.append(file)
self.assertEqual(files_with_incorrect_tags, [], Fore.RED + 
@@ -450,7 +443,7 @@ class TestRules(unittest.TestCase):
"There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)")
# Upgrade Detection Rule License 1.1
- def test_author(self):
+ def test_optional_author(self):
faulty_rules = []
for file in self.yield_next_rule_file_path(self.path_to_rules):
author_str = self.get_rule_part(file_path=file, part_name="author")
@@ -459,9 +452,6 @@ class TestRules(unittest.TestCase):
if not isinstance(author_str, str):
print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file))
faulty_rules.append(file)
- else:
- print(Fore.YELLOW + "Rule {} has no 'author' field".format(file))
- faulty_rules.append(file)
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with malformed 'author' fields. (has to be a string even if it contains many author)")