diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index bafb98285..7bebef0de 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -46,3 +46,6 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe 1a31b18a-f00c-4061-9900-f735b96c99fc;Remote Access Tool Services Have Been Installed - System;ServiceName: TeamViewer c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Installed - Security;ServiceName: TeamViewer +b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\.exe +b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\.exe +b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe diff --git a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml index 5cdff8f14..db4b02263 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/0xrawsec/status/1002478725605273600?s=21 author: Florian Roth, @0xrawsec date: 2018/06/03 -modified: 2022/08/24 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.s0139 @@ -17,9 +17,9 @@ logsource: definition: 'Requirements: Sysmon config with Imphash logging activated' detection: selection: - Hashes|contains: 'IMPHASH=' + Hash|contains: 'IMPHASH=' filter: - Hashes|contains: 'IMPHASH=00000000000000000000000000000000' + Hash|contains: 'IMPHASH=00000000000000000000000000000000' condition: selection and not filter fields: - TargetFilename diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml index b0da98354..e756ff433 100644 
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml @@ -6,7 +6,7 @@ references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 author: Florian Roth date: 2022/08/24 -modified: 2022/11/12 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.s0139 @@ -108,7 +108,7 @@ detection: - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller - - Hashes|contains: # Sysmon field hashes contains all types + - Hash|contains: # Sysmon field hashes contains all types - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam diff --git a/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml b/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml index 1be44592b..60ffcf498 100644 --- a/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml +++ b/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml @@ -6,6 +6,7 @@ references: - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware author: Nasreddine Bencherchali date: 2022/12/16 +modified: 2022/12/30 tags: - attack.privilege_escalation - attack.t1543 
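Review bot: The trailing comment on the renamed selector in the `@@ -108,7 +108,7 @@` hunk still names the old field (`# Sysmon field hashes contains all types`), so it no longer describes the key it annotates. Suggest `- Hash|contains: # Sysmon FileCreateStreamHash 'Hash' field carries all configured hash types`. The same rename in create_stream_hash_ads_executable.yml has no comment attached, so only this line is affected. The enclosing detection block starts and ends outside the hunk.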
@@ -42,21 +43,21 @@ detection: - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0' - 'MD5=909f3fc221acbe999483c87d9ead024a' selection_hash: - - SHA256: + - sha256: - '0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc' - '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c' - '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104' - 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c' - '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4' - 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497' - - SHA1: + - sha1: - '31cc8718894d6e6ce8c132f68b8caaba39b5ba7a' - 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d' - '6debce728bcff73d9d1d334df0c6b1c3735e295c' - 'cc65bf60600b64feece5575f21ab89e03a728332' - '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e' - 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98' - - MD5: + - md5: - '10f3679384a03cb487bda9621ceb5f90' - '04a88f5974caa621cee18f34300fc08a' - '6fcf56f6ca3210ec397e55f727353c4a' diff --git a/rules/windows/driver_load/driver_load_win_process_hacker.yml b/rules/windows/driver_load/driver_load_win_process_hacker.yml index 5275b99d0..b6f1bd10a 100644 --- a/rules/windows/driver_load/driver_load_win_process_hacker.yml +++ b/rules/windows/driver_load/driver_load_win_process_hacker.yml @@ -8,6 +8,7 @@ references: - https://github.com/winsiderss/systeminformer author: Florian Roth date: 2022/11/16 +modified: 2022/12/30 tags: - attack.privilege_escalation - cve.2021.21551 @@ -48,7 +49,7 @@ detection: - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4' - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138' selection_systeminformer_hashes: - SHA256: + sha256: - '8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24' - 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454' - '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d' 
diff --git a/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml index 3d34cd8c1..0bc040cb0 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml @@ -6,7 +6,7 @@ references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ author: Nasreddine Bencherchali date: 2022/07/28 -modified: 2022/08/24 +modified: 2022/12/30 tags: - attack.privilege_escalation - attack.t1543.003 @@ -20,9 +20,9 @@ detection: - 'SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' - 'SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1' selection_other: - - MD5: 'a179c4093d05a3e1ee73f6ff07f994aa' - - SHA1: '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' - - SHA256: '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1' + - md5: 'a179c4093d05a3e1ee73f6ff07f994aa' + - sha1: '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' + - sha256: '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1' driver_img: ImageLoaded|endswith: '\aswArPot.sys' driver_status: diff --git a/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml index bc5b26d8d..f776c8f90 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml @@ -6,7 +6,7 @@ references: - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ author: Florian Roth date: 2021/05/05 -modified: 2022/11/10 +modified: 2022/12/30 tags: - attack.privilege_escalation - cve.2021.21551 
@@ -27,13 +27,13 @@ detection: - 'MD5=C996D7971C49252C582171D9380360F2' - 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244' selection_hash: - - SHA256: + - sha256: - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5' - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' - - SHA1: + - sha1: - 'c948ae14761095e4d76b55d9de86412258be7afd' - '10b30bdee43b3a2ec4aa63375577ade650269d25' - - MD5: + - md5: - 'c996d7971c49252c582171d9380360f2' - 'd2fd132ab7bbc6bbb87a84f026fa0244' condition: 1 of selection* diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml index 8e2449b70..af9c07288 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml @@ -21,7 +21,7 @@ references: - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part author: Nasreddine Bencherchali date: 2022/08/18 -modified: 2022/11/29 +modified: 2022/12/30 tags: - attack.privilege_escalation - attack.t1543.003 @@ -556,7 +556,7 @@ detection: - 'SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184' - 'SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d' selection_other: - - SHA1: + - sha1: # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT - '2261198385d62d2117f50f631652eded0ecc71db' - '8db869c0674221a2d3280143cbb0807fac08e0cc' @@ -820,7 +820,7 @@ detection: - '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f' - '755349d56cdd668ca22eebc4fc89f0cccef47327' - '56af49e030eb85528e82849d7d1b6147f3c4973e' - - SHA256: + - sha256: # The list below is from https://github.com/namazso/physmem_drivers - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162' - '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748' 
diff --git a/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml index 42d3e4bff..23430aa01 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml @@ -10,7 +10,7 @@ references: - https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details author: Florian Roth date: 2022/07/25 -modified: 2022/07/26 +modified: 2022/12/30 tags: - attack.privilege_escalation - attack.t1543.003 @@ -27,13 +27,13 @@ detection: - 'SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427' - 'SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B' selection_other: - - MD5: + - md5: - '9ab9f3b75a2eb87fafb1b7361be9dfb3' - 'c832a4313ff082258240b61b88efa025' - - SHA1: + - sha1: - 'fe10018af723986db50701c8532df5ed98b17c39' - '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46' - - SHA256: + - sha256: - '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427' - 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b' condition: 1 of selection* diff --git a/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml index 13997bf2a..a3cd49955 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml @@ -7,6 +7,7 @@ references: - https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details author: Florian Roth date: 2022/07/26 +modified: 2022/12/30 tags: - attack.privilege_escalation - attack.t1543.003 
@@ -28,15 +29,15 @@ detection: - 'MD5=376B1E8957227A3639EC1482900D9B97' - 'MD5=45C2D133D41D2732F3653ED615A745C8' selection_other: - - SHA256: + - sha256: - '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8' - '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa' - '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5' - - SHA1: + - sha1: - '74e4e3006b644392f5fcea4a9bae1d9d84714b57' - '18f34a0005e82a9a1556ba40b997b0eae554d5fd' - '4e56e0b1d12664c05615c69697a2f5c5d893058a' - - MD5: + - md5: - '3247014ba35d406475311a2eab0c4657' - '376b1e8957227a3639ec1482900d9b97' - '45c2d133d41d2732f3653ed615a745c8' diff --git a/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml index 6226c2b2b..92d286c44 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml @@ -7,6 +7,7 @@ references: - https://github.com/alfarom256/CVE-2022-3699/ author: Florian Roth date: 2022/11/10 +modified: 2022/12/30 tags: - attack.privilege_escalation - cve.2021.21551 @@ -21,9 +22,9 @@ detection: - 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F' - 'MD5=B941C8364308990EE4CC6EADF7214E0F' selection_hash: - - SHA256: 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' - - SHA1: 'b89a8eef5aeae806af5ba212a8068845cafdab6f' - - MD5: 'b941c8364308990ee4cc6eadf7214e0f' + - sha256: 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' + - sha1: 'b89a8eef5aeae806af5ba212a8068845cafdab6f' + - md5: 'b941c8364308990ee4cc6eadf7214e0f' condition: 1 of selection* falsepositives: - Legitimate driver loads (old driver that didn't receive an update) diff --git a/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml b/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml index 1f9d079e1..9342cfd8d 100644 
--- a/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml +++ b/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml @@ -6,6 +6,7 @@ references: - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ author: Nasreddine Bencherchali date: 2022/10/26 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.t1070 @@ -14,8 +15,8 @@ logsource: product: windows detection: selection: - FileName|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\' - FileName|contains: '_Cmdlet_' + TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\' + TargetFilename|contains: '_Cmdlet_' condition: selection falsepositives: - Possible FP during log rotation diff --git a/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml b/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml index 13c3fa8ae..690d0d406 100644 --- a/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml +++ b/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml @@ -6,6 +6,7 @@ references: - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html author: Tim Rauch date: 2022/09/16 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.t1070 @@ -14,8 +15,8 @@ logsource: product: windows detection: selection: - FileName|startswith: 'C:\inetpub\logs\LogFiles\' - FileName|endswith: '.log' + TargetFilename|startswith: 'C:\inetpub\logs\LogFiles\' + TargetFilename|endswith: '.log' condition: selection falsepositives: - During uninstallation of the IIS service diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml index bfeb4b580..ff1d3c1fd 100755 --- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml 
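Review bot: `TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'` anchors a relative path fragment to the start of the field; if TargetFilename holds the full path, as it does in Sysmon file-delete events, the value begins with a drive letter and the Exchange install directory and this selector never matches. `TargetFilename|contains: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'` keeps the intent, survives non-default install paths, and makes the selector consistent with the second line, which already uses `contains`. The field rename itself appears correct for the file_delete category.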
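Review bot: `TargetFilename|startswith: 'C:\inetpub\logs\LogFiles\'` in file_delete_win_webserver_access_logs_deleted.yml pins the IIS log root to the C: drive and the default inetpub location, so deletions on servers with a relocated log directory are missed. `TargetFilename|contains: '\inetpub\logs\LogFiles\'` removes the drive dependency at little false-positive cost, since the `.log` suffix selector remains in force. The enclosing detection block is fully visible in the hunk.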
+++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml @@ -6,7 +6,7 @@ references: - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100 author: Florian Roth date: 2017/11/04 -modified: 2022/10/04 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.t1218.011 @@ -46,7 +46,7 @@ detection: - CommandLine|contains: 'PcaSvc.dll,PcaPatchSdbTask' filter_update_processes: ParentImage: 'C:\Windows\System32\svchost.exe' - RemoteAddress|endswith: ':443' + DestinationPort: 443 condition: selection and not 1 of filter* falsepositives: - Communication to other corporate systems that use IP addresses from public address spaces diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index 3bbce1ac4..0a7e959c1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -8,7 +8,7 @@ references: - https://adsecurity.org/?p=2604 author: frack113 date: 2021/10/20 -modified: 2022/12/02 +modified: 2022/12/30 tags: - attack.execution - attack.t1059.001 @@ -25,8 +25,8 @@ detection: - 'bypass' - 'RemoteSigned' filter: - - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' - - ScriptBlockText|contains: + # - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' Powershell event id 4104 do not have ParentImage + ScriptBlockText|contains: - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')" - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')" - '\AppData\Roaming\Code\' 
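Review bot: With `DestinationPort: 443` the `filter_update_processes` exclusion now suppresses every rundll32 connection whose parent is svchost.exe and whose destination port is 443, regardless of where it goes; the previous `RemoteAddress|endswith: ':443'` form presumably never matched, so this filter becomes effective for the first time and opens a blind spot on the most common C2 port. Consider narrowing it with a `DestinationHostname` or `DestinationIp` constraint on the expected update endpoints, or at least record the trade-off under `falsepositives`. The enclosing detection block starts outside the hunk.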
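Review bot: In posh_ps_set_policies_to_unsecure_level.yml the filter keeps the dropped alternative as a commented-out selector with the rationale appended after it (`# - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' Powershell event id 4104 do not have ParentImage`), which reads as dead configuration rather than documentation and has a grammar slip. Prefer a comment that states only the reason, e.g. `# No ParentImage filter: PowerShell script-block events (4104) do not carry process fields`, and delete the commented-out selector. The remainder of the `ScriptBlockText|contains` list continues outside the hunk.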
diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml index 9dcd17630..a2f99f466 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml @@ -13,7 +13,7 @@ references: - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html author: Austin Songer @austinsonger date: 2021/10/12 -modified: 2022/10/11 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.t1562.004 @@ -23,12 +23,12 @@ logsource: definition: Script block logging must be enabled detection: selection_args: - CommandLine|contains|all: + ScriptBlockText|contains|all: - 'Set-NetFirewallProfile ' - ' -Enabled ' - ' False' selection_opt: - CommandLine|contains: + ScriptBlockText|contains: - ' -All ' - 'Public' - 'Domain' diff --git a/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml b/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml index 0aa1a2032..ebba51d54 100644 --- a/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml +++ b/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml @@ -9,6 +9,7 @@ references: - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html author: Tim Rauch date: 2022/09/14 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.t1562 @@ -21,7 +22,7 @@ detection: - '\powershell.exe' - '\pwsh.exe' - '\powershell_ise.exe' - - OriginalFilename: 'PowerShell.EXE' + - OriginalFileName: 'PowerShell.EXE' selection_args: CommandLine|contains|all: - 'Set-NetFirewallProfile ' 
diff --git a/rules/windows/process_creation/proc_creation_win_gmer_execution.yml b/rules/windows/process_creation/proc_creation_win_gmer_execution.yml index 74374c55a..81cbf312a 100644 --- a/rules/windows/process_creation/proc_creation_win_gmer_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_gmer_execution.yml @@ -6,6 +6,7 @@ references: - http://www.gmer.net/ author: Nasreddine Bencherchali date: 2022/10/05 +modified: 2022/10/30 tags: - attack.defense_evasion logsource: @@ -20,9 +21,9 @@ detection: - 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57' - 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173' selection_other: - - MD5: 'e9dc058440d321aa17d0600b3ca0ab04' - - SHA1: '539c228b6b332f5aa523e5ce358c16647d8bbe57' - - SHA256: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173' + - md5: 'e9dc058440d321aa17d0600b3ca0ab04' + - sha1: '539c228b6b332f5aa523e5ce358c16647d8bbe57' + - sha256: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173' condition: 1 of selection_* falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml index 7434c0452..593b33c53 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml @@ -6,6 +6,7 @@ references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html author: Tim Rauch date: 2022/09/28 +modified: 2022/12/30 tags: - attack.credential_access - attack.t1003 @@ -15,7 +16,7 @@ logsource: detection: selection_name: - Image|endswith: '\aspnet_regiis.exe' - - OriginalFilename: 'aspnet_regiis.exe' + - OriginalFileName: 'aspnet_regiis.exe' selection_args: CommandLine|contains|all: - 'connectionStrings' 
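Review bot: `modified: 2022/10/30` in proc_creation_win_gmer_execution.yml is out of step with every other file in this commit, which sets `modified: 2022/12/30`, and falls only 25 days after the rule's `date: 2022/10/05`, so it looks like a typo in the month. Change it to `modified: 2022/12/30`. The hash-field rename in the second hunk of the same file matches the other driver and hash rules in this commit.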
diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml index 78a67801a..60146d1d1 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml @@ -8,7 +8,7 @@ references: - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/ author: Tim Rauch, Janantha Marasinghe date: 2022/11/08 -modified: 2022/12/17 +modified: 2022/12/30 tags: - attack.credential_access - attack.t1003 @@ -18,7 +18,7 @@ logsource: detection: selection_base_name: - Image|endswith: '\appcmd.exe' - - OriginalFilename: 'appcmd.exe' + - OriginalFileName: 'appcmd.exe' selection_base_list: CommandLine|contains: 'list ' selection_standalone: diff --git a/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml b/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml index 417f3166e..0ec0a933c 100644 --- a/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml @@ -7,6 +7,7 @@ references: - https://github.com/sensepost/impersonate author: Sai Prashanth Pulisetti @pulisettis date: 2022/12/21 +modified: 2022/12/30 tags: - attack.privilege_escalation - attack.defense_evasion 
@@ -29,9 +30,9 @@ detection: - 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' - 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62' selection_hash_ext: - - MD5: '9520714AB576B0ED01D1513691377D01' - - SHA256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' - - IMPHASH: '0A358FFC1697B7A07D0E817AC740DF62' + - md5: '9520714AB576B0ED01D1513691377D01' + - sha256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' + - Imphash: '0A358FFC1697B7A07D0E817AC740DF62' condition: all of selection_commandline_* or 1 of selection_hash_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_nimgrab.yml b/rules/windows/process_creation/proc_creation_win_nimgrab.yml index 104d41304..5e1915ed7 100644 --- a/rules/windows/process_creation/proc_creation_win_nimgrab.yml +++ b/rules/windows/process_creation/proc_creation_win_nimgrab.yml @@ -6,6 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md author: frack113 date: 2022/08/28 +modified: 2022/12/30 tags: - attack.command_and_control - attack.t1105 @@ -23,7 +24,7 @@ detection: selection_hash: - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559 - - imphash: C07FDDD21D123EA9B3A08EEF44AAAC45 + - Imphash: C07FDDD21D123EA9B3A08EEF44AAAC45 condition: 1 of selection_* falsepositives: - Legitimate use of Nim on developer systems diff --git a/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml b/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml index 70ea738d4..89e6565be 100644 --- a/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml +++ b/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml 
@@ -9,6 +9,7 @@ references: - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html author: Tim Rauch date: 2022/09/27 +modified: 2022/12/30 tags: - attack.lateral_movement - attack.t1021 @@ -20,7 +21,7 @@ detection: - Image|endswith: - '\cmd.exe' - '\powershell.exe' - - OriginalFilename: + - OriginalFileName: - 'Cmd.Exe' - 'PowerShell.EXE' selection_args: diff --git a/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml b/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml index f1200cf28..aa1739035 100644 --- a/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml +++ b/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml @@ -7,6 +7,7 @@ references: - https://twitter.com/mrd0x/status/1511489821247684615 author: Florian Roth date: 2022/04/06 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.t1036 @@ -17,7 +18,7 @@ logsource: detection: selection: - Image|endswith: '\DumpMinitool.exe' - - OriginalName: 'DumpMinitool.exe' + - OriginalFileName: 'DumpMinitool.exe' filter_folder: Image|contains: - '\Microsoft Visual Studio\' diff --git a/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml b/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml index 4b7373ffb..da3e26906 100644 --- a/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml +++ b/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml @@ -12,6 +12,7 @@ references: - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html author: Tim Rauch date: 2022/09/20 +modified: 2022/12/30 tags: - attack.impact - attack.t1490 
@@ -20,15 +21,15 @@ logsource: product: windows detection: selection_get: - ScriptBlockText|contains: + CommandLine|contains: - 'Get-WmiObject' - 'gwmi' - 'Get-CimInstance' - 'gcim' selection_shadowcopy: - ScriptBlockText|contains: 'Win32_Shadowcopy' + CommandLine|contains: 'Win32_Shadowcopy' selection_delete: - ScriptBlockText|contains: + CommandLine|contains: - '.Delete()' - 'Remove-WmiObject' - 'rwmi' diff --git a/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml b/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml index 944fabc36..ce8d65149 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml @@ -6,6 +6,7 @@ references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18 author: Tim Rauch (rule), Elastic (idea) date: 2022/10/21 +modified: 2022/12/30 tags: - attack.t1566 - attack.t1566.001 @@ -17,7 +18,7 @@ detection: selection_parent: ParentImage|endswith: '\onenote.exe' selection_opt_name: - - OriginalFilename: + - OriginalFileName: - 'RUNDLL32.exe' - 'REGSVR32.exe' - 'bitsadmin.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml b/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml index 2d8f279ff..7f31b5dd2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml 
@@ -9,7 +9,7 @@ references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community date: 2019/10/25 -modified: 2022/10/21 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.t1218.008 @@ -19,7 +19,7 @@ logsource: detection: selection_1_name: - Image|endswith: '\odbcconf.exe' - - OriginalFilename: 'odbcconf.exe' + - OriginalFileName: 'odbcconf.exe' selection_1_cli: CommandLine|contains: - '-a' diff --git a/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml index bcccd5b72..a84539737 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml @@ -8,6 +8,7 @@ references: - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ author: Florian Roth, Nasreddine Bencherchali date: 2022/10/10 +modified: 2022/12/30 logsource: category: process_creation product: windows @@ -39,7 +40,7 @@ detection: - sha256: - '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32' - '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c' - - imphash: + - Imphash: - '444d210cea1ff8112f256a4997eed7ff' - '0479f44df47cfa2ef1ccc4416a538663' condition: 1 of selection* diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml index 494e98675..504b362cb 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml 
@@ -8,7 +8,7 @@ references: - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ author: Florian Roth date: 2022/10/10 -modified: 2022/11/16 +modified: 2022/12/30 logsource: category: process_creation product: windows @@ -47,7 +47,7 @@ detection: - sha256: - 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f' - 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4' - - imphash: + - Imphash: - '04de0ad9c37eb7bd52043d2ecac958df' - '3695333c60dedecdcaff1590409aa462' condition: 1 of selection* diff --git a/rules/windows/process_creation/proc_creation_win_susp_secedit.yml b/rules/windows/process_creation/proc_creation_win_susp_secedit.yml index 337be8505..3eeb2237b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_secedit.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_secedit.yml @@ -7,6 +7,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit author: Janantha Marasinghe date: 2022/11/18 +modified: 2022/12/30 tags: - attack.discovery - attack.persistence @@ -42,9 +43,9 @@ detection: CommandLine|contains|all: - '/configure' - '/db' - filter: - SubjectUserName|endswith: '$' - condition: selection_img and (1 of selection_flags_*) and not filter + #filter: + # SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log + condition: selection_img and (1 of selection_flags_*) falsepositives: - Legitimate administrative use level: medium diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml index 93c142377..89b23fde0 100644 --- a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml +++ b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml 
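Review bot: The machine-account exclusion in proc_creation_win_susp_secedit.yml is dropped outright rather than ported: the new `condition: selection_img and (1 of selection_flags_*)` no longer excludes runs under computer accounts (for example policy-driven `secedit /configure` under the local system), which the old `SubjectUserName|endswith: '$'` filter was evidently meant to cover. The comment's justification is also incomplete, since Security 4688 process-creation events carry SubjectUserName as well; the process_creation taxonomy field is `User`, so a ported `filter: User|endswith: '$'` with `and not filter` restored to the condition keeps the exclusion, bearing in mind that Sysmon reports the system account as `NT AUTHORITY\SYSTEM` rather than a `$`-suffixed name and may need a second value. If removing the exclusion is intentional, delete the commented-out lines and mention the expected noise under `falsepositives`.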
@@ -6,9 +6,9 @@ references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120 - https://twitter.com/filip_dragovic/status/1590052248260055041 - https://twitter.com/filip_dragovic/status/1590104354727436290 -author: Florian Roth +author: Florian Roth, Tim Shelton (fp werfault) date: 2022/11/10 -modified: 2022/12/15 +modified: 2022/12/30 tag: - attack.privilege_escalation - attack.t1068 @@ -23,10 +23,12 @@ detection: - '\Sysmon64.exe' filter: - Image: + - 'C:\Windows\Sysmon.exe' - 'C:\Windows\Sysmon64.exe' - 'C:\Windows\System32\conhost.exe' - 'wevtutil.exe' - 'C:\WINDOWS\system32\wevtutil.exe' + - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version. condition: selection and not filter falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml index 67414d7d6..3f8b35c96 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml +++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml @@ -7,6 +7,7 @@ references: - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf author: frack113 date: 2022/07/17 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.t1112 @@ -17,7 +18,7 @@ detection: selection: TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName filter: - details|contains: NetworkService + Details|contains: NetworkService condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml index 8a908a175..f9d88f28a 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml 
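Review bot: The context line `tag:` in the first hunk of proc_creation_win_sysmon_exploitation.yml should read `tags:`; as written the `attack.privilege_escalation` / `attack.t1068` entries under it are not parsed as tags, and the commit edits the header directly above it without fixing this (assuming the singular is not a rendering artifact). In the second hunk, the added `C:\Windows\System32\WerFault.exe` exclusion silently drops a crashing Sysmon, yet a Sysmon crash is also a plausible artifact of a failed attempt against the referenced CVE-2022-41120; consider a separate low-level rule on `ParentImage|endswith: '\Sysmon.exe'` with `Image|endswith: '\WerFault.exe'` so the event stays visible rather than being excluded here. The bare `'wevtutil.exe'` entry in the same `Image:` exact-match list cannot match a full image path and appears to belong under an `Image|endswith` selection.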
+++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml @@ -7,6 +7,7 @@ references: - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf author: frack113 date: 2022/07/17 +modified: 2022/12/30 tags: - attack.defense_evasion - attack.t1112 @@ -19,7 +20,7 @@ detection: - '\Software\Microsoft\Fax\Device Providers\' - '\ImageName' filter: - details: '%systemroot%\system32\fxst30.dll' #Windows 10 + Details: '%systemroot%\system32\fxst30.dll' #Windows 10 condition: selection and not filter falsepositives: - Unknown diff --git a/tests/test_logsource.py b/tests/test_logsource.py new file mode 100644 index 000000000..560ce3efa --- /dev/null +++ b/tests/test_logsource.py 
@@ -0,0 +1,170 @@ +#!/usr/bin/env python3 +""" +Checks for logsource or fieldname errors on all rules + +WIP version + +Run using the command +# python test_rules.py +""" + +import os +import unittest +import yaml +import re +from attackcti import attack_client +from colorama import init +from colorama import Fore +import collections + + +class TestRules(unittest.TestCase): + + path_to_rules = "rules" + + windows_category={ + "process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion","Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"], + "file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"], + "network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort","DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname","SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"], + "sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"], + "process_termination":["Image","ProcessGuid","ProcessId","User"], + "driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"], + "image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid","ProcessId","Product","Signature","SignatureStatus","Signed","User"], + "create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress","StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"], + "raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"], + 
"process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId","SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"], + "raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"], + "file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], + "registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"], + "registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject",], + "registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"], + "registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"], + "registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"], + "create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"], + "pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"], + "wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"], + "dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"], + "file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"], + "clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"], + "process_tampering":["Image","ProcessGuid","ProcessId","Type","User"], + "file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"], #SYSMONEVENT_FILE_BLOCK_SHREDDING add IsExecutable + "ps_module":["ContextInfo","UserData","Payload"], + "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"], + } + + # Calculate once use many times + windows_category_keys = windows_category.keys() + + # Aurora FP + 
windows_category["process_creation"] += ["GrandparentCommandLine"] + windows_category["network_connection"] += ["CommandLine","ParentImage"] + windows_category["create_remote_thread"] += ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage","SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine","IsInitialThread","RemoteCreation"] + windows_category["file_delete"] += ["CommandLine","ParentImage","ParentCommandLine"] + windows_category["file_event"] += ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"] + windows_category["image_load"] += ["CommandLine"] + windows_category["process_access"] += ["SourceCommandLine","CallTraceExtended"] + + + windows_commun = ["EventID","Provider_Name"] + + # Helper functions + def yield_next_rule_file_path(self, path_to_rules: str) -> str: + for root, _, files in os.walk(path_to_rules): + for file in files: + yield os.path.join(root, file) + + def get_rule_yaml(self, file_path: str) -> dict: + data = [] + + with open(file_path, encoding='utf-8') as f: + yaml_parts = yaml.safe_load_all(f) + for part in yaml_parts: + data.append(part) + + return data + + def get_rule_part(self, file_path: str, part_name: str): + yaml_dicts = self.get_rule_yaml(file_path) + for yaml_part in yaml_dicts: + if part_name in yaml_part.keys(): + return yaml_part[part_name] + + return None + + def get_detection_field(self,detection: dict): + data = [] + + def get_field_name(selection: dict): + name = [] + for field in selection: + if "|" in field: + name.append(field.split('|')[0]) + else: + name.append(field) + return name + + for search_identifier in detection: + if isinstance(detection[search_identifier], dict): + data += get_field_name(detection[search_identifier]) + if isinstance(detection[search_identifier], list): + for list_value in detection[search_identifier]: + if isinstance(list_value, dict): + data += get_field_name(list_value) + + return data + + def 
fill_logsource(self,logsource: dict) -> dict: + data = {"product":"","category":"","service":""} + + data["product"] = logsource["product"] if "product" in logsource.keys() else "" + data["category"] = logsource["category"] if "category" in logsource.keys() else "" + data["service"] = logsource["service"] if "service" in logsource.keys() else "" + + return data + + def add_hash(self): + for key in self.windows_category_keys: + if "Hashes" in self.windows_category[key]: + self.windows_category[key].append("md5") + self.windows_category[key].append("sha1") + self.windows_category[key].append("sha256") + self.windows_category[key].append("Imphash") + if "Hash" in self.windows_category[key]: # Sysmon 15 create_stream_hash + self.windows_category[key].append("md5") + self.windows_category[key].append("sha1") + self.windows_category[key].append("sha256") + self.windows_category[key].append("Imphash") + + # + # test functions + # + def test_fieldname_case(self): + files_with_fieldname_issues = [] + + self.add_hash() + + for file in self.yield_next_rule_file_path(self.path_to_rules): + logsource = self.get_rule_part(file_path=file, part_name="logsource") + detection = self.get_rule_part(file_path=file, part_name="detection") + + if logsource and detection : + full_logsource = self.fill_logsource(logsource) + + if full_logsource['product'] == "windows": + if full_logsource['category'] in self.windows_category_keys: + for field in self.get_detection_field(detection): + list_field = self.windows_category[full_logsource['category']] + self.windows_commun + + if not field in list_field: + print( + Fore.RED + "Rule {} has the invalid field <{}>".format(file, field)) + files_with_fieldname_issues.append(file) + + self.assertEqual(files_with_fieldname_issues, [], Fore.RED + + "There are rule files which contains unkown field or with case error") + + +if __name__ == "__main__": + init(autoreset=True) + # Run the tests + unittest.main() 
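Review bot: `from attackcti import attack_client` in the import block of tests/test_logsource.py is never used, and neither are `re` and `collections`; since `attackcti` is a third-party package the test cannot even be collected where it is not installed, for no benefit, so the three imports should go. The module docstring says to run `python test_rules.py` while the file is `tests/test_logsource.py`. `add_hash` appends `md5`/`sha1`/`sha256`/`Imphash` to the class-level lists unconditionally, so each call grows the shared lists with duplicates; guard it with `if "md5" not in self.windows_category[key]:` or run it once from `setUpClass`. `get_rule_part` calls `yaml_part.keys()` on every document from `safe_load_all`, and an empty document yields `None`, which raises `AttributeError`; `if yaml_part and part_name in yaml_part:` is safer.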
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 27ebcc03c..451a256b7 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -805,11 +805,9 @@ fieldmappings:
 CommandLine: command
 ProcessCommandLine: command
 ParentCommandLine: parent_command
- IMPHASH: file_hash_imphash
 Imphash: file_hash_imphash
- SHA256: file_hash_sha256
- MD5: file_hash_md5
- SHA1: file_hash_sha1
+ sha256: file_hash_sha256
+ md5: file_hash_md5
 sha1: file_hash_sha1
 SubjectUserSid: correlation_session_id
 SubjectSid: correlation_session_id
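Review bot: Removing the `IMPHASH`, `SHA256`, `MD5` and `SHA1` entries from `fieldmappings` means any rule that still spells those fields in upper case now passes through unmapped instead of being translated to `file_hash_*`; keeping the old keys as aliases next to the new `sha256`/`md5` entries is backward compatible and costs nothing. The new check in `tests/test_logsource.py` only validates Windows rules whose category is in its table, so it will not catch a stale upper-case spelling outside those categories.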