Merge pull request #4200 from nasbench/fxi-tests

feat: update test_rules.py

rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml

@@ -6,6 +6,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
 author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
 date: 2023/04/20
+modified: 2023/04/25
 tags:
     - attack.execution
 logsource:
@@ -76,8 +77,7 @@ detection:
             - 'localgroup Administrators'
             - '/add'
     selection_child_net:
-        CommandLine|contains:
-            - 'net' # Covers net1
+        CommandLine|contains: 'net' # Covers net1
         CommandLine|contains|all:
             - 'user'
             - '/add'

rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml

@@ -6,6 +6,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
 author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
 date: 2023/04/20
+modified: 2023/04/25
 tags:
     - attack.execution
 logsource:
@@ -78,8 +79,7 @@ detection:
             - 'localgroup Administrators'
             - '/add'
     selection_child_net:
-        CommandLine|contains:
-            - 'net' # Covers net1
+        CommandLine|contains: 'net' # Covers net1
         CommandLine|contains|all:
             - 'user'
             - '/add'
@@ -116,7 +116,7 @@ detection:
             - 'download.microsoft.com'
             - 'manageengine.com'
             - 'msiexec'
-    condition: all of selection_parent_path and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main
+    condition: all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main
 falsepositives:
     - Unlikely
 level: critical

rules-emerging-threats/2023/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml

@@ -1,5 +1,5 @@
 title: PaperCut MF/NG Potential Exploitation
-id: de1bd0b6-6d59-417c-86d9-a44114aede3b
+id: 0934ac71-a331-4e98-a034-d49c491fbbcb
 status: test
 description: Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut
 references:
@@ -7,6 +7,7 @@ references:
     - https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml
 author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)
 date: 2023/04/20
+modified: 2023/04/25
 tags:
     - attack.execution
 logsource:
@@ -16,9 +17,23 @@ detection:
     selection:
         ParentImage|endswith: '\pc-app.exe'
         Image|endswith:
+            - '\bash.exe'
+            - '\calc.exe'
+            - '\certutil.exe'
             - '\cmd.exe'
+            - '\csc.exe'
+            - '\cscript.exe'
+            - '\dllhost.exe'
+            - '\mshta.exe'
+            - '\msiexec.exe'
             - '\powershell.exe'
             - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\scriptrunner.exe'
+            - '\wmic.exe'
+            - '\wscript.exe'
+            - '\wsl.exe'
     condition: selection
 falsepositives:
     - Legitimate administration activity

rules-placeholder/windows/builtin/security/win_pass_the_hash.yml

@@ -1,32 +0,0 @@
-title: Pass the Hash Activity
-id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
-status: test
-description: Detects the attack technique pass the hash which is used to move laterally inside the network
-author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
-references:
-  - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
-date: 2017/03/08
-modified: 2021/11/27
-logsource:
-  product: windows
-  service: security
-  definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
-detection:
-  selection:
-    EventID:
-      - 4624
-      - 4625
-    LogonType: '3'
-    LogonProcessName: 'NtLmSsp'
-    WorkstationName: '%Workstations%'
-    ComputerName: '%Workstations%'
-  filter:
-    TargetUserName: 'ANONYMOUS LOGON'
-  condition: selection and not filter
-falsepositives:
-  - Administrator activity
-level: medium
-tags:
-  - attack.lateral_movement
-  - car.2016-04-004
-  - attack.t1550.002

rules-placeholder/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml

@@ -1,30 +0,0 @@
-title: Remote Registry Management Using Reg Utility
-id: 68fcba0d-73a5-475e-a915-e8b4c576827e
-status: test
-description: Remote registry management using REG utility from non-admin workstation
-author: Teymur Kheirkhabarov, oscd.community
-references:
-  - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-date: 2019/10/22
-modified: 2021/11/27
-logsource:
-  product: windows
-  service: security
-detection:
-  selection_1:
-    EventID: 5145
-    RelativeTargetName|contains: '\winreg'
-  filter:
-    IpAddress: '%Admins_Workstations%'
-  condition: selection_1 and not filter
-falsepositives:
-  - Legitimate usage of remote registry management by administrator
-level: medium
-tags:
-  - attack.defense_evasion
-  - attack.t1112
-  - attack.discovery
-  - attack.t1012
-  - attack.credential_access
-  - attack.t1552.002
-  - attack.s0075

rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml

@@ -1,16 +1,16 @@
-title: 'Possible Zerologon (CVE-2020-1472) Exploitation'
+title: Potential Zerologon (CVE-2020-1472) Exploitation
 id: dd7876d8-0f09-11eb-adc1-0242ac120002
 status: experimental
-description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
+description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
 references:
     - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
     - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
-author: 'Aleksandr Akhremchik, @aleqs4ndr, ocsd.community'
+author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
 date: 2020/10/15
-modified: 2021/07/07
+modified: 2023/04/25
 tags:
-    - attack.t1068
     - attack.privilege_escalation
+    - attack.t1068
 logsource:
     product: windows
     service: security
@@ -19,9 +19,9 @@ detection:
         EventID: 4742
         SubjectUserName: 'ANONYMOUS LOGON'
         TargetUserName: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$'
-    filter:
+    filter_main:
         PasswordLastSet: '-'
-    condition: selection and not filter
+    condition: selection and not filter_main
 falsepositives:
     - Automatic DC computer account password change
     - Legitimate DC computer account password change

rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml

@@ -0,0 +1,32 @@
+title: Potential Pass the Hash Activity
+id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
+status: test
+description: Detects the attack technique pass the hash which is used to move laterally inside the network
+references:
+    - https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
+author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+date: 2017/03/08
+modified: 2023/04/25
+tags:
+    - attack.lateral_movement
+    - attack.t1550.002
+    - car.2016-04-004
+logsource:
+    product: windows
+    service: security
+    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
+detection:
+    selection:
+        EventID:
+            - 4624
+            - 4625
+        LogonType: 3
+        LogonProcessName: 'NtLmSsp'
+        WorkstationName: '%Workstations%'
+        ComputerName: '%Workstations%'
+    filter:
+        TargetUserName: 'ANONYMOUS LOGON'
+    condition: selection and not filter
+falsepositives:
+    - Administrator activity
+level: medium

rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml

@@ -0,0 +1,30 @@
+title: Remote Registry Management Using Reg Utility
+id: 68fcba0d-73a5-475e-a915-e8b4c576827e
+status: test
+description: Remote registry management using REG utility from non-admin workstation
+references:
+    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+modified: 2023/04/25
+tags:
+    - attack.credential_access
+    - attack.defense_evasion
+    - attack.discovery
+    - attack.s0075
+    - attack.t1012
+    - attack.t1112
+    - attack.t1552.002
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 5145
+        RelativeTargetName|contains: '\winreg'
+    filter_main:
+        IpAddress: '%Admins_Workstations%'
+    condition: selection and not filter_main
+falsepositives:
+    - Legitimate usage of remote registry management by administrator
+level: medium

rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml

@@ -0,0 +1,31 @@
+title: Interactive Logon to Server Systems
+id: 3ff152b2-1388-4984-9cd9-a323323fdadf
+status: test
+description: Detects interactive console logons to Server Systems
+author: Florian Roth (Nextron Systems)
+date: 2017/03/17
+modified: 2023/04/25
+tags:
+    - attack.lateral_movement
+    - attack.t1078
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID:
+            - 528
+            - 529
+            - 4624
+            - 4625
+        LogonType: 2
+        ComputerName:
+            - '%ServerSystems%'
+            - '%DomainControllers%'
+    filter_main:
+        LogonProcessName: 'Advapi'
+        ComputerName: '%Workstations%'
+    condition: selection and not filter_main
+falsepositives:
+    - Administrative activity via KVM or ILO board
+level: medium

rules-placeholder/windows/builtin/security/win_susp_interactive_logons.yml

@@ -1,31 +0,0 @@
-title: Interactive Logon to Server Systems
-id: 3ff152b2-1388-4984-9cd9-a323323fdadf
-status: test
-description: Detects interactive console logons to Server Systems
-author: Florian Roth (Nextron Systems)
-date: 2017/03/17
-modified: 2021/11/27
-logsource:
-  product: windows
-  service: security
-detection:
-  selection:
-    EventID:
-      - 528
-      - 529
-      - 4624
-      - 4625
-    LogonType: 2
-    ComputerName:
-      - '%ServerSystems%'
-      - '%DomainControllers%'
-  filter:
-    LogonProcessName: Advapi
-    ComputerName: '%Workstations%'
-  condition: selection and not filter
-falsepositives:
-  - Administrative activity via KVM or ILO board
-level: medium
-tags:
-  - attack.lateral_movement
-  - attack.t1078

tests/test_rules.py

@@ -33,7 +33,7 @@ class TestRules(unittest.TestCase):
     # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules
     TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"}
 
-    path_to_rules_ = ["rules", "rules-emerging-threats", "rules-placeholder", "rules-threat-hunting", "rules-compliance"]
+    path_to_rules_ = ["../rules", "../rules-emerging-threats", "../rules-placeholder", "../rules-threat-hunting", "../rules-compliance"]
     path_to_rules = []
     for path_ in path_to_rules_:
         path_to_rules.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), path_))
@@ -759,7 +759,7 @@ class TestRules(unittest.TestCase):
     def test_file_names(self):
         faulty_rules = []
         name_lst = []
-        filename_pattern = re.compile(r'[a-z0-9_]{10,70}\.yml')
+        filename_pattern = re.compile(r'[a-z0-9_]{10,80}\.yml')
         for file in self.yield_next_rule_file_path(self.path_to_rules):
             filename = os.path.basename(file)
             if filename in name_lst: