From 38061960715931b0cc5f1323003d29b76549fa25 Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 14:57:22 +0300
Subject: [PATCH 01/14] Create win_mshta_invoke_html.yml
---
.../win_mshta_invoke_html.yml | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 rules/windows/process_creation/win_mshta_invoke_html.yml
diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml
new file mode 100644
index 000000000..098b35b0e
--- /dev/null
+++ b/rules/windows/process_creation/win_mshta_invoke_html.yml
@@ -0,0 +1,31 @@
+status: experimental
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Mshtml.yml
+ - https://twitter.com/pabraeken/status/998567549670477824
+ - https://windows10dll.nirsoft.net/mshtml_dll.html
+tags:
+ - attack.execution
+ - attack.t1085
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ProcessCommandline|contains|all:
+ - 'Mshtml.dll'
+ - 'PrintHTML'
+ Image|endswith::
+ - '\rundll32.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
\ No newline at end of file
From 91692e49cd65ed481f4b17c909d9e6bbeff243ca Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 15:02:03 +0300
Subject: [PATCH 02/14] Update win_mshta_invoke_html.yml
---
rules/windows/process_creation/win_mshta_invoke_html.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
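Review bot: The detection matches `Image|endswith: '\rundll32.exe'` together with `Mshtml.dll` and `PrintHTML` on the command line, yet the description and the filename say the HTA is invoked "via mshta.exe"; the LOLBAS Mshtml.yml reference is a rundll32 technique, so the description should read `Detects rundll32.exe loading Mshtml.dll,PrintHTML to execute an HTA` and the file should be named after rundll32, otherwise triage looks at the wrong process. `ProcessCommandline` is not the Sigma process_creation field — the rule's own `fields:` list uses `CommandLine` — and a backend whose field map is keyed on `CommandLine` will leave it unmapped and the rule will never fire; write `CommandLine|contains|all:`. `attack.t1085` is the retired Rundll32 technique id (deprecated in favour of T1218.011) and T1218 is a Defense Evasion technique, so the tags should be `attack.defense_evasion` and `attack.t1218.011`.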
diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml
index 098b35b0e..ee9570572 100644
--- a/rules/windows/process_creation/win_mshta_invoke_html.yml
+++ b/rules/windows/process_creation/win_mshta_invoke_html.yml
@@ -14,10 +14,10 @@ logsource:
product: windows
detection:
selection:
- ProcessCommandline|contains|all:
+ ProcessCommandline|contains|all:
- 'Mshtml.dll'
- 'PrintHTML'
- Image|endswith::
+ Image|endswith:
- '\rundll32.exe'
condition: selection
fields:
From 5b35991cdde23214035659d7fbbfcfe375ae81d0 Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 15:05:01 +0300
Subject: [PATCH 03/14] Update win_mshta_invoke_html.yml
---
rules/windows/process_creation/win_mshta_invoke_html.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml
index ee9570572..6daa3e92f 100644
--- a/rules/windows/process_creation/win_mshta_invoke_html.yml
+++ b/rules/windows/process_creation/win_mshta_invoke_html.yml
@@ -4,8 +4,8 @@ date: 2020/10/18
description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Mshtml.yml
- - https://twitter.com/pabraeken/status/998567549670477824
- - https://windows10dll.nirsoft.net/mshtml_dll.html
+ - https://twitter.com/pabraeken/status/998567549670477824
+ - https://windows10dll.nirsoft.net/mshtml_dll.html
tags:
- attack.execution
- attack.t1085
From ad11fc7b0e4eaaea2723d49bb8bdda28cca0addb Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 15:14:13 +0300
Subject: [PATCH 04/14] Update win_mshta_invoke_html.yml
---
rules/windows/process_creation/win_mshta_invoke_html.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml
index 6daa3e92f..b7a74e7d1 100644
--- a/rules/windows/process_creation/win_mshta_invoke_html.yml
+++ b/rules/windows/process_creation/win_mshta_invoke_html.yml
@@ -1,4 +1,5 @@
status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
author: Beyu Denis, oscd.community
date: 2020/10/18
description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
From 6b39f7bb6e4a272bbadd473002769bc5f760fc85 Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 15:19:58 +0300
Subject: [PATCH 05/14] Update win_mshta_invoke_html.yml
---
rules/windows/process_creation/win_mshta_invoke_html.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml
index b7a74e7d1..669c89af1 100644
--- a/rules/windows/process_creation/win_mshta_invoke_html.yml
+++ b/rules/windows/process_creation/win_mshta_invoke_html.yml
@@ -1,3 +1,4 @@
+title: invoke html via mshta
status: experimental
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
author: Beyu Denis, oscd.community
@@ -18,6 +19,7 @@ detection:
ProcessCommandline|contains|all:
- 'Mshtml.dll'
- 'PrintHTML'
+ - '.hta'
Image|endswith:
- '\rundll32.exe'
condition: selection
From 468fd40dda0b60fa79483a8c6a16a0af54531acf Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 15:23:44 +0300
Subject: [PATCH 06/14] Update win_mshta_invoke_html.yml
---
rules/windows/process_creation/win_mshta_invoke_html.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml
index 669c89af1..2e5fdcebd 100644
--- a/rules/windows/process_creation/win_mshta_invoke_html.yml
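Review bot: Adding `'.hta'` to the `contains|all` list makes the rule require that extension on the command line, but `Mshtml.dll,PrintHTML` takes an arbitrary document path — the `.hta` in the LOLBAS example is presumably just the author's sample — so an operator who names the payload `.html` or `.txt`, or drops the extension, now slips past a rule that fired before this change. `Mshtml.dll` plus `PrintHTML` under rundll32 is already the rare, discriminating combination; keep `contains|all` at those two tokens, and if the extension is worth tracking put it in a separate selection the condition ORs in, or just mention it in the description. The `Image|endswith` filter and `condition` of this selection are unchanged context in this hunk.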
+++ b/rules/windows/process_creation/win_mshta_invoke_html.yml
@@ -1,4 +1,4 @@
-title: invoke html via mshta
+title: 'invoke html via mshta'
status: experimental
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
author: Beyu Denis, oscd.community
From fabf2a03fe8587e6fe7d6e886976eab4b7af488d Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 15:29:43 +0300
Subject: [PATCH 07/14] Delete win_mshta_invoke_html.yml
---
.../win_mshta_invoke_html.yml | 34 -------------------
1 file changed, 34 deletions(-)
delete mode 100644 rules/windows/process_creation/win_mshta_invoke_html.yml
diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml
deleted file mode 100644
index 2e5fdcebd..000000000
--- a/rules/windows/process_creation/win_mshta_invoke_html.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: 'invoke html via mshta'
-status: experimental
-id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
-author: Beyu Denis, oscd.community
-date: 2020/10/18
-description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Mshtml.yml
- - https://twitter.com/pabraeken/status/998567549670477824
- - https://windows10dll.nirsoft.net/mshtml_dll.html
-tags:
- - attack.execution
- - attack.t1085
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- ProcessCommandline|contains|all:
- - 'Mshtml.dll'
- - 'PrintHTML'
- - '.hta'
- Image|endswith:
- - '\rundll32.exe'
- condition: selection
-fields:
- - ComputerName
- - User
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - System administrator Usage
- - Penetration test
-level: medium
\ No newline at end of file
From e7c9ead4693fe1a8875ed2f007490ddb166262c5 Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 17:06:09 +0300
Subject: [PATCH 08/14] [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code
---
.../process_creation_dotnet.yml | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 rules/windows/process_creation/process_creation_dotnet.yml
diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
new file mode 100644
index 000000000..552f357f8
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
@@ -0,0 +1,33 @@
+title: dotnet.exe exec dll and execute unsigned code LOLBIN
+status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: dotnet.exe will execute any DLL and execute unsigned code
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
+ - https://twitter.com/_felamos/status/1204705548668555264
+ - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ProcessCommandline|contains:
+ - '*.dll'
+ - '*.csproj'
+ Image|endswith:
+ - '\dotnet.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
\ No newline at end of file
From 744d27d8928b67a19182027ca4becd27e36dd31c Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 17:08:52 +0300
Subject: [PATCH 09/14] [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code
---
rules/windows/process_creation/process_creation_dotnet.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
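Review bot: This selection alerts on any `dotnet.exe` whose command line contains `.dll` or `.csproj`, which is the normal launch form of every .NET Core application (`dotnet app.dll`) and of `dotnet build`/`dotnet run`, so on developer hosts and on any server running .NET Core services it will fire continuously at `level: medium`; the bohops reference is about AWL bypass, so the rule needs a discriminator (a DLL path outside the usual application directories, an unusual parent such as an Office or script host, or a non-developer user) or should drop to `level: low` with `falsepositives` stating that legitimate .NET Core apps are launched exactly this way. The values `'*.dll'` and `'*.csproj'` double the wildcard — `contains` already wraps the value and a literal `*` is itself a wildcard in Sigma — so write `'.dll'` and `'.csproj'`. `tags` lists only `attack.execution` for T1218, which ATT&CK files under Defense Evasion; add `attack.defense_evasion`. `ProcessCommandline` is not the `CommandLine` field that `fields:` below names, so the selection may never map on real backends.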
diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
index 552f357f8..86f10b43d 100644
--- a/rules/windows/process_creation/process_creation_dotnet.yml
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
@@ -18,7 +18,7 @@ detection:
selection:
ProcessCommandline|contains:
- '*.dll'
- - '*.csproj'
+ - '*.csproj'
Image|endswith:
- '\dotnet.exe'
condition: selection
From 2b731300fb098b345899ecc1ac6d06dbbeaabbb7 Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 17:13:41 +0300
Subject: [PATCH 10/14] [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code =/
---
rules/windows/process_creation/process_creation_dotnet.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
index 86f10b43d..90659e7be 100644
--- a/rules/windows/process_creation/process_creation_dotnet.yml
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
@@ -1,4 +1,4 @@
-title: dotnet.exe exec dll and execute unsigned code LOLBIN
+title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
status: experimental
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
author: Beyu Denis, oscd.community
From 54b75b73b269fcd8908e565ac9501973b3837d5a Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 17:37:14 +0300
Subject: [PATCH 11/14] [OSCD] process_creation_msdeploy
---
.../process_creation_msdeploy.yml | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 rules/windows/process_creation/process_creation_msdeploy.yml
diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml
new file mode 100644
index 000000000..263ff5bb2
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_msdeploy.yml
@@ -0,0 +1,34 @@
+title: Msdeploy.exe LOLBIN
+status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: launch binary via msdeploy.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
+ - https://twitter.com/pabraeken/status/995837734379032576
+ - https://twitter.com/pabraeken/status/999090532839313408
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ProcessCommandline|contains|all:
+ - 'verb:sync'
+ - '-source:RunCommand'
+ - '-dest:runCommand'
+ Image|endswith:
+ - '\msdeploy.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
\ No newline at end of file
From e93dd7fe61fa88db9076faed2155aa4dc3bec5fd Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 1 Nov 2020 15:25:12 +0300
Subject: [PATCH 12/14] fix
---
rules/windows/process_creation/process_creation_dotnet.yml | 6 +++---
.../windows/process_creation/process_creation_msdeploy.yml | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
index 90659e7be..9182bb218 100644
--- a/rules/windows/process_creation/process_creation_dotnet.yml
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
@@ -16,9 +16,9 @@ logsource:
product: windows
detection:
selection:
- ProcessCommandline|contains:
- - '*.dll'
- - '*.csproj'
+ Commandline|endswith:
+ - '.dll'
+ - '.csproj'
Image|endswith:
- '\dotnet.exe'
condition: selection
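Review bot: `id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3` is the UUID already assigned to process_creation_dotnet.yml in patch 08 of this series (and before that to the now-deleted mshta rule); Sigma ids must be unique per rule so SIEM content management and the repository's rule tests (restored in patch 13, which as far as I recall check for duplicate ids) can key on them — generate a fresh value with `uuidgen`. The `tags` for T1218 should include `attack.defense_evasion`, the tactic ATT&CK assigns it, alongside `attack.execution`. `ProcessCommandline|contains|all:` should be `CommandLine|contains|all:` so it maps to the standard process_creation field that the `fields:` section already uses.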
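Review bot: The renamed field `Commandline` is still not `CommandLine`; Sigma field maps in backend configs are keyed by exact name, so a config that maps `CommandLine` to e.g. `process.command_line` leaves `Commandline` untranslated and the rule silently never matches — change the line to `CommandLine|endswith:`. `endswith` on `.dll` also misses the common quoted form (`dotnet "C:\app\x.dll"` ends with `"`) and any launch that passes arguments after the DLL path, so `contains` plus a discriminating path element would have been the better direction than tightening to `endswith`. The underlying false-positive profile — every `dotnet app.dll` start on the host — is unchanged by this hunk.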
diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml
index 263ff5bb2..236e747d3 100644
--- a/rules/windows/process_creation/process_creation_msdeploy.yml
+++ b/rules/windows/process_creation/process_creation_msdeploy.yml
@@ -1,9 +1,9 @@
-title: Msdeploy.exe LOLBIN
+title: Execute Files with Msdeploy.exe
status: experimental
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
author: Beyu Denis, oscd.community
date: 2020/10/18
-description: launch binary via msdeploy.exe
+description: Detects file execution using the msdeploy.exe lolbin
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
- https://twitter.com/pabraeken/status/995837734379032576
@@ -16,7 +16,7 @@ logsource:
product: windows
detection:
selection:
- ProcessCommandline|contains|all:
+ Commandline|contains|all:
- 'verb:sync'
- '-source:RunCommand'
- '-dest:runCommand'
From 9649cccfbc03a18fb765d037e01ccf15313be0da Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 2 Nov 2020 22:57:01 +0100
Subject: [PATCH 13/14] restore tests
---
.github/workflows/sigma-test.yml | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 .github/workflows/sigma-test.yml
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
new file mode 100644
index 000000000..d451debbd
--- /dev/null
+++ b/.github/workflows/sigma-test.yml
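Review bot: `Commandline|contains|all:` has the same capitalisation problem as the dotnet change: the standard Sigma process_creation field is `CommandLine`, which this rule's own `fields:` section (outside the hunk) uses, and backend field maps keyed on `CommandLine` will not apply to `Commandline`, so the selection can silently stop matching. Change the line to `CommandLine|contains|all:`. The `Image|endswith` part of this selection and the `condition` lie outside the hunk.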
@@ -0,0 +1,31 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Sigma Tools and Rule Tests
+
+on:
+ push:
+ branches:
+ - "*"
+ pull_request:
+ branches: [ master, oscd ]
+
+jobs:
+ test-sigma:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Python 3.8
+ uses: actions/setup-python@v1
+ with:
+ python-version: 3.8
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r tools/requirements.txt -r tools/requirements-devel.txt
+ - name: Test Sigma Tools and Rules
+ run: |
+ make test
+ - name: Test SQL(ite) Backend
+ run: |
+ make test-backend-sql
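Review bot: `uses: actions/checkout@v2` and `uses: actions/setup-python@v1` reference mutable tags, so whoever can move those tags controls code that runs with this repository's `GITHUB_TOKEN`; pin each to the full 40-character commit SHA of the intended release and keep the tag as a trailing comment (`- uses: actions/checkout@<sha>  # v2`), then let Dependabot bump the SHAs. The workflow declares no `permissions:` block, so the job inherits whatever default token scope the repository has although it only needs to read the checkout — add `permissions:` with `  contents: read` at the top level. Two smaller points: the `push` filter `"*"` does not match `/`, so `feature/x`-style branches never run the tests (use `"**"` if every branch is intended), and `python-version: 3.8` should be quoted as `"3.8"` so a later `3.10` is not parsed as the float `3.1`.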