diff --git a/.travis.yml b/.travis.yml index 2012f343d..840f2d20b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,10 @@ language: python +dist: xenial python: - 3.5 - 3.6 + - 3.7 +sudo: true services: - elasticsearch cache: pip @@ -12,3 +15,10 @@ install: script: - make test - make test-backend-es-qs +notifications: + email: + recipients: + - venom14@gmail.com + - thomas@patzke.org + on_success: change + on_failure: always diff --git a/.yamllint b/.yamllint index 2de34c440..d1641eedc 100644 --- a/.yamllint +++ b/.yamllint @@ -1,4 +1,12 @@ --- # https://yamllint.readthedocs.io/en/latest/configuration.html +extends: default rules: + comments: disable + comments-indentation: disable document-start: disable + empty-lines: {max: 2, max-start: 2, max-end: 2} + indentation: disable + line-length: disable + new-line-at-end-of-file: disable + trailing-spaces: disable diff --git a/Makefile b/Makefile index 6eefdab32..f1f04174d 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ -.PHONY: test test-yaml test-sigmac +.PHONY: test test-rules test-sigmac TMPOUT = $(shell tempfile||mktemp) COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma -test: clearcov test-yaml test-sigmac test-merge build finish +test: clearcov test-rules test-sigmac test-merge build finish clearcov: rm -f .coverage @@ -10,8 +10,9 @@ finish: coverage report --fail-under=90 rm -f $(TMPOUT) -test-yaml: +test-rules: yamllint rules + tests/test_rules.py test-sigmac: coverage run -a --include=$(COVSCOPE) tools/sigmac -l 
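Review bot: Disabling `indentation`, `trailing-spaces` and `new-line-at-end-of-file` in .yamllint leaves the `test-rules` target checking little beyond YAML parseability, and this same commit adds or leaves rule files that end without a newline (apt_equationgroup_dll_u_load.yml, apt_tropictrooper.yml, apt_unidentified_nov_18.yml, win_hack_rubeus.yml, win_multiple_suspicious_cli.yml). Keeping at least `new-line-at-end-of-file: enable` would let the linter catch those before they land. For the rules that stay disabled, a one-line comment per entry stating why (the intent is not recoverable from the diff) would stop a later contributor from simply re-enabling them.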
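Review bot: `tests/test_rules.py` is invoked as a bare path in the new `test-rules` target, so the target depends on the script's executable bit and shebang, neither of which this diff shows; `python3 tests/test_rules.py` removes that dependency and matches how the other targets run Python via `coverage run`. The script itself is not in this chunk, so I cannot tell whether it exits non-zero on a failing rule, which is what makes the target meaningful under `make test`.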
@@ -20,6 +21,7 @@ test-sigmac:
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
+ coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
@@ -30,6 +32,7 @@ test-sigmac:
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
+ coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -c tools/config/sumologic.yml rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
diff --git a/rules/apt/apt_apt29_thinktanks.yml b/rules/apt/apt_apt29_thinktanks.yml
new file mode 100644
index 000000000..4cc456be1
--- /dev/null
+++ b/rules/apt/apt_apt29_thinktanks.yml
@@ -0,0 +1,32 @@
+---
+action: global
+title: APT29
+description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'
+references:
+ - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
+logsource:
+ product: windows
+author: Florian Roth
+date: 2018/12/04
+detection:
+ condition: selection
+falsepositives:
+ - unknown
+level: critical
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ CommandLine: '*-noni -ep bypass $*'
+---
+logsource:
+ product: windows
+ service: security
+ description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+ selection:
+ EventID: 4688
+ ProcessCommandLine: '*-noni -ep bypass $*'
diff --git a/rules/apt/apt_chafer_mar18.yml b/rules/apt/apt_chafer_mar18.yml
index 635d0678c..1ca41150a 100755
--- a/rules/apt/apt_chafer_mar18.yml
+++ b/rules/apt/apt_chafer_mar18.yml
@@ -48,8 +48,8 @@ detection:
 - 'C:\wsc.exe*'
 selection_process2:
 EventID: 1
- Image: '*\Windows\Temp\DB\*.exe'
+ Image: '*\Windows\Temp\DB\\*.exe'
 selection_process3:
 EventID: 1
 CommandLine: '*\nslookup.exe -q=TXT*'
- ParentImage: '*\Autoit*'
\ No newline at end of file
+ ParentImage: '*\Autoit*'
diff --git a/rules/apt/apt_dragonfly.yml b/rules/apt/apt_dragonfly.yml
index 94ace27b0..fc05d96e0 100755
--- a/rules/apt/apt_dragonfly.yml
+++ b/rules/apt/apt_dragonfly.yml
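Review bot: The security-log section of apt_apt29_thinktanks.yml uses `description:` under `logsource`, while the rest of this commit renames that key to `definition:` in every existing rule it touches (apt_dragonfly.yml, apt_equationgroup_dll_u_load.yml, win_admin_rdp_login.yml and others); the same `description:` key appears in the new apt_sofacy_zebrocy.yml, apt_tropictrooper.yml and apt_unidentified_nov_18.yml. Changing it to `definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'` keeps the new rules on the convention the commit introduces. The title `APT29` is also far less specific than the other titles in this diff; a title naming the campaign and the pattern, for example `title: APT29 Think Tank Campaign PowerShell Pattern`, tells an analyst what fired.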
@@ -18,7 +18,7 @@ level: critical logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection1: # Does not require group policy 'Audit Process Creation' > Include command line in process creation events diff --git a/rules/apt/apt_equationgroup_dll_u_load.yml b/rules/apt/apt_equationgroup_dll_u_load.yml index fe0c12039..d38d963ca 100755 --- a/rules/apt/apt_equationgroup_dll_u_load.yml +++ b/rules/apt/apt_equationgroup_dll_u_load.yml @@ -12,12 +12,8 @@ tags: - attack.t1059 author: Florian Roth date: 2018/03/10 +modified: 2018/12/11 detection: - selection1: - Image: '*\rundll32.exe' - CommandLine: '*,dll_u' - selection2: - CommandLine: '* -export dll_u *' condition: 1 of them falsepositives: - Unknown @@ -29,15 +25,21 @@ logsource: detection: selection1: EventID: 1 + Image: '*\rundll32.exe' + CommandLine: '*,dll_u' selection2: EventID: 1 + CommandLine: '* -export dll_u *' --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection1: EventID: 4688 + Image: '*\rundll32.exe' + ProcessCommandLine: '*,dll_u' selection2: - EventID: 4688 \ No newline at end of file + EventID: 4688 + ProcessCommandLine: '* -export dll_u *' \ No newline at end of file diff --git a/rules/apt/apt_hurricane_panda.yml b/rules/apt/apt_hurricane_panda.yml index 45fbd4026..369f6f7c7 100755 --- a/rules/apt/apt_hurricane_panda.yml 
+++ b/rules/apt/apt_hurricane_panda.yml @@ -11,11 +11,8 @@ tags: - attack.t1068 author: Florian Roth date: 2018/02/25 +modified: 2018/12/11 detection: - selection: - CommandLine: - - '* localgroup administrators admin /add' - - '*\Win64.exe*' condition: selection falsepositives: - Unknown @@ -27,13 +24,19 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - '* localgroup administrators admin /add' + - '*\Win64.exe*' --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 + ProcessCommandLine: + - '* localgroup administrators admin /add' + - '*\Win64.exe*' diff --git a/rules/apt/apt_slingshot.yml b/rules/apt/apt_slingshot.yml index becd04823..6e462f79b 100755 --- a/rules/apt/apt_slingshot.yml +++ b/rules/apt/apt_slingshot.yml @@ -11,7 +11,7 @@ date: 2018/03/10 logsource: product: windows service: security - description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' + definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' detection: condition: selection falsepositives: @@ -30,7 +30,7 @@ detection: logsource: product: windows service: security - description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' + definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' detection: selection: EventID: 4701 diff --git a/rules/apt/apt_sofacy.yml b/rules/apt/apt_sofacy.yml index 5ddfa902d..10758cb4c 100755 --- a/rules/apt/apt_sofacy.yml +++ b/rules/apt/apt_sofacy.yml @@ -1,4 +1,3 @@ - --- action: global title: Sofacy Trojan Loader Activity 
@@ -12,11 +11,8 @@ tags: - attack.g0007 author: Florian Roth date: 2018/03/01 +modified: 2018/12/11 detection: - selection: - CommandLine: - - 'rundll32.exe %APPDATA%\*.dat",*' - - 'rundll32.exe %APPDATA%\*.dll",#1' condition: selection falsepositives: - Unknown @@ -28,11 +24,17 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - 'rundll32.exe %APPDATA%\\*.dat",*' + - 'rundll32.exe %APPDATA%\\*.dll",#1' --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: - EventID: 4688 \ No newline at end of file + EventID: 4688 + ProcessCommandLine: + - 'rundll32.exe %APPDATA%\\*.dat",*' + - 'rundll32.exe %APPDATA%\\*.dll",#1' diff --git a/rules/apt/apt_sofacy_zebrocy.yml b/rules/apt/apt_sofacy_zebrocy.yml new file mode 100644 index 000000000..195ef6f06 --- /dev/null +++ b/rules/apt/apt_sofacy_zebrocy.yml @@ -0,0 +1,34 @@ +--- +action: global +title: Sofacy Zebrocy +description: Detects Sofacy's Zebrocy malware execution +references: + - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d +tags: + - attack.execution + - attack.g0020 + - attack.t1059 +author: Florian Roth +date: 2018/03/10 +detection: + condition: selection +falsepositives: + - Unknown +level: critical +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST' +--- +logsource: + product: windows + service: security + description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST' 
diff --git a/rules/apt/apt_tropictrooper.yml b/rules/apt/apt_tropictrooper.yml new file mode 100644 index 000000000..0fc2d0e8d --- /dev/null +++ b/rules/apt/apt_tropictrooper.yml @@ -0,0 +1,34 @@ +action: global +title: TropicTrooper Campaign November 2018 +status: stable +description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia +references: + - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ +author: "@41thexplorer, Windows Defender ATP" +date: 2018/11/30 +modified: 2018/12/11 +tags: + - attack.execution + - attack.t1085 +detection: + condition: selection +level: high +--- +# Windows Security Eventlog: Process Creation with Full Command Line +logsource: + product: windows + service: security + description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*' +--- +# Sysmon: Process Creation (ID 1) +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*' \ No newline at end of file diff --git a/rules/apt/apt_turla_commands.yml b/rules/apt/apt_turla_commands.yml index 7384ab160..3c4b68280 100755 --- a/rules/apt/apt_turla_commands.yml +++ b/rules/apt/apt_turla_commands.yml @@ -21,8 +21,8 @@ detection: EventID: 1 CommandLine: - 'net use \\%DomainController%\C$ "P@ssw0rd" *' - - 'dir c:\*.doc* /s' - - 'dir %TEMP%\*.exe' + - 'dir c:\\*.doc* /s' + - 'dir %TEMP%\\*.exe' condition: selection level: critical --- diff --git a/rules/apt/apt_turla_namedpipes.yml b/rules/apt/apt_turla_namedpipes.yml index d66fc99f1..e0636bf0a 100755 
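Review bot: apt_tropictrooper.yml carries no `falsepositives` entry, unlike the other rules in this commit (apt_apt29_thinktanks.yml, apt_sofacy_zebrocy.yml, apt_turla_service_png.yml, win_hack_rubeus.yml all have one); apt_unidentified_nov_18.yml has the same gap. For a rule declared `status: stable` at `level: high`, adding `falsepositives:` followed by `  - Unknown` to the global section at least records that the question was considered and gives the `-f` filter something to work with.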
--- a/rules/apt/apt_turla_namedpipes.yml +++ b/rules/apt/apt_turla_namedpipes.yml @@ -10,7 +10,7 @@ author: Markus Neis logsource: product: windows service: sysmon - description: 'Note that you have to configure logging for PipeEvents in Symson config' + definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: selection: EventID: diff --git a/rules/apt/apt_turla_service_png.yml b/rules/apt/apt_turla_service_png.yml new file mode 100644 index 000000000..0a6735f21 --- /dev/null +++ b/rules/apt/apt_turla_service_png.yml @@ -0,0 +1,21 @@ +title: Turla PNG Dropper Service +description: 'This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018' +references: + - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ +author: Florian Roth +date: 2018/11/23 +tags: + - attack.command_and_control + - attack.g0016 + - attack.t1172 +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 + ServiceName: 'WerFaultSvc' + condition: selection +falsepositives: + - unlikely +level: critical diff --git a/rules/apt/apt_unidentified_nov_18.yml b/rules/apt/apt_unidentified_nov_18.yml new file mode 100644 index 000000000..b870d498f --- /dev/null +++ b/rules/apt/apt_unidentified_nov_18.yml 
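Review bot: The renamed `definition` line keeps the typo `Symson` from the old `description` line; since the line is being rewritten anyway, `definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'` fixes it in the same commit.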
@@ -0,0 +1,44 @@ +action: global +title: Unidentified Attacker November 2018 +status: stable +description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016. +references: + - https://twitter.com/DrunkBinary/status/1063075530180886529 +author: "@41thexplorer, Windows Defender ATP" +date: 2018/11/20 +modified: 2018/12/11 +tags: + - attack.execution + - attack.t1085 +detection: + condition: selection +level: high +--- +# Windows Security Eventlog: Process Creation with Full Command Line +logsource: + product: windows + service: security + description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: '*cyzfc.dat, PointFunctionCall' +--- +# Sysmon: Process Creation (ID 1) +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: '*cyzfc.dat, PointFunctionCall' +--- +# Sysmon: File Creation (ID 11) +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 11 + TargetFilename: + - '*ds7002.lnk*' \ No newline at end of file diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml index 1a2d40702..8f691c218 100644 --- a/rules/linux/lnx_shell_susp_commands.yml +++ b/rules/linux/lnx_shell_susp_commands.yml @@ -6,6 +6,8 @@ references: - http://pastebin.com/FtygZ1cg - https://artkond.com/2017/03/23/pivoting-guide/ author: Florian Roth +date: 2017/08/21 +modified: 2019/02/05 logsource: product: linux detection: 
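Review bot: The description in apt_unidentified_nov_18.yml misspells `unidetefied` and has a few grammar slips (`on November 2018`, `orgs`); since this text is what an analyst reads when the rule fires, `description: Detects an unidentified attacker who used phishing emails to target high-profile organisations in November 2018. The actor shares some TTPs with the YYTRIUM/APT29 campaign of 2016.` reads better. In the sysmon file-creation section `TargetFilename` is a one-item list; the plain scalar `TargetFilename: '*ds7002.lnk*'` matches how the other sections in the file are written.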
@@ -15,30 +17,37 @@ detection: - 'wget * - http* | sh' - 'wget * - http* | bash' - 'python -m SimpleHTTPServer' - - 'import pty; pty.spawn' + - '-m http.server' # Python 3 + - 'import pty; pty.spawn*' + - 'socat exec:*' + - 'socat -O /tmp/*' + - 'socat tcp-connect*' + - '*echo binary >>*' # Malware - '*wget *; chmod +x*' - '*wget *; chmod 777 *' - '*cd /tmp || cd /var/run || cd /mnt*' # Apache Struts in-the-wild exploit codes - - 'stop;service iptables stop;' - - 'stop;SuSEfirewall2 stop;' - - 'chmod 777 2020' - - '">>/etc/rc.local;' - - 'wget -c *;chmod 777' + - '*stop;service iptables stop;*' + - '*stop;SuSEfirewall2 stop;*' + - 'chmod 777 2020*' + - '*>>/etc/rc.local' # Metasploit framework exploit codes - - 'base64 -d /tmp/' - - ' | base64 -d' - - '/bin/chmod u+s' - - 'chmod +s /tmp/' - - 'chmod u+s /tmp/' - - '/tmp/haxhax' - - '/tmp/ns_sploit' - - 'nc -l -p ' - - 'cp /bin/ksh ' - - 'cp /bin/sh ' - - ' /tmp/*.b64 ' - - '/tmp/ysocereal.jar' + - '*base64 -d /tmp/*' + - '* | base64 -d *' + - '*/chmod u+s *' + - '*chmod +s /tmp/*' + - '*chmod u+s /tmp/*' + - '* /tmp/haxhax*' + - '* /tmp/ns_sploit*' + - 'nc -l -p *' + - 'cp /bin/ksh *' + - 'cp /bin/sh *' + - '* /tmp/*.b64 *' + - '*/tmp/ysocereal.jar*' + - '*/tmp/x *' + - '*; chmod +x /tmp/*' + - '*;chmod +x /tmp/*' condition: keywords falsepositives: - Unknown diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml new file mode 100644 index 000000000..fe665381e --- /dev/null +++ b/rules/proxy/proxy_chafer_malware.yml @@ -0,0 +1,20 @@ +title: Chafer Malware URL Pattern +status: experimental +description: Detects HTTP requests used by Chafer malware +references: + - https://securelist.com/chafer-used-remexi-malware/89538/ +author: Florian Roth +date: 2019/01/31 +logsource: + category: proxy +detection: + selection: + c-uri-query: '*/asp.asp?ui=*' + condition: selection +fields: + - ClientIP + - URL + - UserAgent +falsepositives: + - Unknown +level: critical 
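Review bot: The reworked keyword list mixes entries anchored at the start (`'-m http.server'`, `'nc -l -p *'`, `'cp /bin/sh *'`, `'chmod 777 2020*'`) with entries that were given a leading `*` (`'*base64 -d /tmp/*'`, `'* | base64 -d *'`); on a backend that treats an un-wildcarded keyword as a full-value match the anchored entries only fire when the logged command begins with the string, whereas on a substring-matching backend the added wildcards change nothing, so the rule behaves differently per target. Either apply the leading `*` consistently or record the assumption in a comment above the list, e.g. `# keywords are substring matches; leading/trailing '*' only matter on backends that anchor values`.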
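Review bot: `c-uri-query: '*/asp.asp?ui=*'` in proxy_chafer_malware.yml puts a path component (`/asp.asp`) into the query-string field, so on a log source where `c-uri-query` holds only the part after `?` the value never matches; if the path is part of the indicator, the full-URI field of the proxy mapping (`c-uri` or whatever the config maps it to) is the one to use. Note also that `?` is a single-character wildcard in Sigma, so as written it matches any one character at that position rather than a literal `?`; a comment such as `# '?' is a Sigma wildcard here, not the literal query separator` makes that deliberate, or the rule could match on `'*/asp.asp*'` and `'*ui=*'` separately.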
diff --git a/rules/proxy/proxy_empty_ua.yml b/rules/proxy/proxy_empty_ua.yml index faac0f93b..da28473a1 100644 --- a/rules/proxy/proxy_empty_ua.yml +++ b/rules/proxy/proxy_empty_ua.yml @@ -8,9 +8,8 @@ logsource: category: proxy detection: selection: - UserAgent: - # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString - - '' + # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString + UserAgent: '' condition: selection fields: - ClientIP diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index fcf36f0b9..961475e2d 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml @@ -39,6 +39,7 @@ detection: - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details + - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o condition: selection fields: - ClientIP diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml index 7a6d4fd6a..e9ff51c46 100644 --- a/rules/proxy/proxy_ua_frameworks.yml +++ b/rules/proxy/proxy_ua_frameworks.yml @@ -33,6 +33,7 @@ detection: - 'X-FORWARDED-FOR' - 'DotDotPwn v2.1' - 'SIPDROID' + - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ # Exploits - '*wordpress hash grabber*' diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml index 82b8fa1a2..93a5d8268 100644 --- a/rules/proxy/proxy_ua_malware.yml +++ b/rules/proxy/proxy_ua_malware.yml 
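Review bot: The KerrDown entry's comment in proxy_ua_apt.yml cites a `goo.gl` short link, whereas the sibling additions in proxy_ua_frameworks.yml and proxy_ua_suspicious.yml cite the Unit 42 article directly; short links are opaque to reviewers and stop resolving once the shortener retires them. If the link points at the same write-up, `# KerrDown UA https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/` keeps the provenance readable without a redirect.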
@@ -49,6 +49,7 @@ detection: - '*(Charon; Inferno)' # Loki Bot - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://goo.gl/g43qjs + - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again # Others - '* pxyscand*' diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml index ac400a36b..6f98e681f 100644 --- a/rules/proxy/proxy_ua_suspicious.yml +++ b/rules/proxy/proxy_ua_suspicious.yml @@ -21,6 +21,7 @@ detection: - 'Mozila/*' # single 'l' - '_' - 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912 + - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ falsepositives: UserAgent: - 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content diff --git a/rules/web/web_apache_threading_error.yml b/rules/web/web_apache_threading_error.yml new file mode 100644 index 000000000..492e7ce72 --- /dev/null +++ b/rules/web/web_apache_threading_error.yml @@ -0,0 +1,16 @@ +title: Apache Threading Error +status: experimental +description: Detects an issue in apache logs that reports threading related errors +author: Florian Roth +date: 2019/01/22 +references: + - https://github.com/hannob/apache-uaf/blob/master/README.md +logsource: + product: apache +detection: + keywords: + - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)' + condition: keywords +falsepositives: + - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185 +level: medium diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/win_admin_rdp_login.yml index 5ddc65b12..768a5b4bc 100644 --- a/rules/windows/builtin/win_admin_rdp_login.yml 
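Review bot: The new entry `'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'` in proxy_ua_suspicious.yml is the prefix of a stock Firefox 60 user agent, which normally continues with ` Gecko/20100101 Firefox/60.0`; whether the entry matches only the truncated beacon UA or every Firefox 60 client depends on whether the backend treats an un-wildcarded value as an exact or a substring match, and the `falsepositives` block directly below does not cover that case. A comment such as `# exact match: a real Firefox UA continues with ' Gecko/20100101 Firefox/60.0'` records that the truncation is the indicator; the same applies to the `Win32; x32` variant added in proxy_ua_frameworks.yml.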
+++ b/rules/windows/builtin/win_admin_rdp_login.yml @@ -10,7 +10,7 @@ author: juju4 logsource: product: windows service: security - description: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account' + definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account' detection: selection: EventID: 4624 diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml index 64caf0ccd..277c77a46 100644 --- a/rules/windows/builtin/win_admin_share_access.yml +++ b/rules/windows/builtin/win_admin_share_access.yml @@ -8,7 +8,7 @@ author: Florian Roth logsource: product: windows service: security - description: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure' + definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure' detection: selection: EventID: 5140 diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml index 0f473ea30..cb39ccfb1 100644 --- a/rules/windows/builtin/win_alert_active_directory_user_control.yml +++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml 
@@ -9,7 +9,7 @@ author: '@neu5ron' logsource: product: windows service: security - description: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change' + definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change' detection: selection: EventID: 4704 diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml index 6d3edb08d..29ef903d7 100644 --- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml +++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml 
@@ -11,8 +11,8 @@ tags: logsource: product: windows service: security - description1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management' - description2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes' + definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management' + definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes' detection: selection1: EventID: 4738 diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml index a8e2be3bd..ef822fcdd 100644 --- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml +++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml 
@@ -7,7 +7,7 @@ author: '@neu5ron' logsource: product: windows service: security - description: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management' + definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management' detection: selection: EventID: 4738 diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml index e92ac0577..33c3c948f 100644 --- a/rules/windows/builtin/win_alert_lsass_access.yml +++ b/rules/windows/builtin/win_alert_lsass_access.yml @@ -11,7 +11,7 @@ tags: # Defender Attack Surface Reduction logsource: product: windows_defender - description: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' + definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' detection: selection: EventID: 1121 diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml index 16645f28d..fbda6b0c1 100644 --- a/rules/windows/builtin/win_disable_event_logging.yml +++ b/rules/windows/builtin/win_disable_event_logging.yml 
@@ -1,11 +1,10 @@ title: Disabling Windows Event Auditing -description: > - Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario +description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off - specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways. + specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.' references: - https://bit.ly/WinLogsZero2Hero tags: @@ -15,7 +14,7 @@ author: '@neu5ron' logsource: product: windows service: security - description: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change' + definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change' detection: selection: EventID: 4719 diff --git a/rules/windows/builtin/win_eventlog_cleared.yml b/rules/windows/builtin/win_eventlog_cleared.yml index d33582144..ea6dcc592 100644 --- a/rules/windows/builtin/win_eventlog_cleared.yml +++ b/rules/windows/builtin/win_eventlog_cleared.yml 
@@ -1,4 +1,4 @@ -title: Eventlog Cleared +title: Eventlog Cleared Experimental status: experimental description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution author: Florian Roth diff --git a/rules/windows/builtin/win_hack_rubeus.yml b/rules/windows/builtin/win_hack_rubeus.yml new file mode 100644 index 000000000..1d03d7836 --- /dev/null +++ b/rules/windows/builtin/win_hack_rubeus.yml @@ -0,0 +1,52 @@ +--- +action: global +title: Rubeus Hack Tool +description: Detects command line parameters used by Rubeus hack tool +author: Florian Roth +references: + - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ +date: 2018/12/19 +tags: + - attack.credential_access + - attack.t1003 + - attack.s0005 +detection: + condition: selection +falsepositives: + - unlikely +level: critical +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: + - '* asreproast *' + - '* dump /service:krbtgt *' + - '* kerberoast *' + - '* createnetonly /program:*' + - '* ptt /ticket:*' + - '* /impersonateuser:*' + - '* renew /ticket:*' + - '* asktgt /user:*' + - '* harvest /interval:*' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: + - '* asreproast *' + - '* dump /service:krbtgt *' + - '* kerberoast *' + - '* createnetonly /program:*' + - '* ptt /ticket:*' + - '* /impersonateuser:*' + - '* renew /ticket:*' + - '* asktgt /user:*' + - '* harvest /interval:*' \ No newline at end of file diff --git a/rules/windows/builtin/win_mavinject_proc_inj.yml b/rules/windows/builtin/win_mavinject_proc_inj.yml new file mode 100644 index 000000000..4b2757140 --- /dev/null +++ b/rules/windows/builtin/win_mavinject_proc_inj.yml 
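Review bot: The title becomes `Eventlog Cleared Experimental` while the `status: experimental` line directly below already carries that information, and no other rule in this commit puts the status into its title. If the suffix is meant to distinguish this rule from another `Eventlog Cleared` rule, a comment saying so would help the next reader; otherwise `title: Eventlog Cleared` with `status: experimental` is enough.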
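Review bot: The tag `attack.s0005` in win_hack_rubeus.yml looks wrong for Rubeus — as far as I recall S0005 is the ATT&CK software entry for Windows Credential Editor, and Rubeus had no software ID at the time of this commit; dropping the tag or checking the ID against the ATT&CK software list avoids mislabelled alerts. The patterns `'* kerberoast *'` and `'* asreproast *'` are plain words that other tooling or scripts could carry on their command line, so `falsepositives: - unlikely` may be optimistic for a `level: critical` rule; a short comment noting that the combination of flags, not any single word, is the indicator would set expectations.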
@@ -0,0 +1,38 @@ +--- +action: global +title: MavInject Process Injection +status: experimental +description: Detects process injection using the signed Windows tool Mavinject32.exe +references: + - https://twitter.com/gN3mes1s/status/941315826107510784 + - https://reaqta.com/2017/12/mavinject-microsoft-injector/ + - https://twitter.com/Hexacorn/status/776122138063409152 +author: Florian Roth +date: 2018/12/12 +tags: + - attack.process_injection + - attack.t1055 + - attack.signed_binary_proxy_execution + - attack.t1218 +detection: + condition: selection +falsepositives: + - unknown +level: critical +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: '* /INJECTRUNNING *' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: '* /INJECTRUNNING *' diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml index edecf0bfd..3065dad27 100644 --- a/rules/windows/builtin/win_multiple_suspicious_cli.yml +++ b/rules/windows/builtin/win_multiple_suspicious_cli.yml 
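Review bot: The tags `attack.process_injection` and `attack.signed_binary_proxy_execution` are ATT&CK technique names, whereas every other rule in this commit tags tactics by name (`attack.execution`, `attack.credential_access`, `attack.command_and_control`) and techniques by ID — `attack.t1055` and `attack.t1218` are already present in this file. Replacing the two name tags with the tactic tags those techniques fall under, `attack.defense_evasion` and `attack.privilege_escalation`, keeps the tag vocabulary consistent for anyone filtering with `-f tag=`.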
@@ -5,8 +5,69 @@ status: experimental references: - https://car.mitre.org/wiki/CAR-2013-04-002 author: juju4 +modified: 2012/12/11 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: low +--- +# Windows Audit Log +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: + EventID: 4688 + ProcessCommandLine: + - arp.exe + - at.exe + - attrib.exe + - cscript.exe + - dsquery.exe + - hostname.exe + - ipconfig.exe + - mimikatz.exe + - nbstat.exe + - net.exe + - netsh.exe + - nslookup.exe + - ping.exe + - quser.exe + - qwinsta.exe + - reg.exe + - runas.exe + - sc.exe + - schtasks.exe + - ssh.exe + - systeminfo.exe + - taskkill.exe + - telnet.exe + - tracert.exe + - wscript.exe + - xcopy.exe +# others + - pscp.exe + - copy.exe + - robocopy.exe + - certutil.exe + - vssadmin.exe + - powershell.exe + - wevtutil.exe + - psexec.exe + - bcedit.exe + - wbadmin.exe + - icacls.exe + - diskpart.exe + timeframe: 5m + condition: selection | count() by MachineName > 5 +--- +# Sysmon +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 CommandLine: - arp.exe - at.exe 
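Review bot: `modified: 2012/12/11` on the new side of win_multiple_suspicious_cli.yml is inconsistent with the `modified: 2018/12/11` the other rules in this commit use (win_susp_cli_escape.yml, win_susp_commands_recon_activity.yml), and the same typo appears in the win_psexesvc_start.yml, win_susp_iss_module_install.yml and win_susp_msiexec_web_install.yml hunks. The new `ProcessCommandLine` list also carries `- bcedit.exe`; the Windows binary is `bcdedit.exe`, so that entry can never match. More generally, a value without wildcards is compared against the whole field and `ProcessCommandLine` holds the full command line, so an entry like `arp.exe` presumably fires only when a process is started with exactly that string; if the intent is "one of these binaries", a suffix pattern on `NewProcessName` / `Image` (`'*\arp.exe'`) would be the safer field — confirm the backends' matching semantics before changing it.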
@@ -47,25 +108,5 @@ detection: - wbadmin.exe - icacls.exe - diskpart.exe - timeframe: 5min - condition: selection | count() by MachineName > 5 -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: low ---- -# Windows Audit Log -logsource: - product: windows - service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 + timeframe: 5m + condition: selection | count() by MachineName > 5 \ No newline at end of file diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index e045818d9..2eea5b614 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -2,7 +2,7 @@ action: global title: NetNTLM Downgrade Attack description: Detects post exploitation using NetNTLM downgrade attacks -reference: +references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks author: Florian Roth date: 2018/03/20 
@@ -22,19 +22,19 @@ detection: selection1: EventID: 13 TargetObject: - - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel' - - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec' - - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic' + - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel' + - '*SYSTEM\\*ControlSet*\Control\Lsa\NtlmMinClientSec' + - '*SYSTEM\\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic' --- # Windows Security Eventlog: Process Creation with Full Command Line logsource: product: windows service: security - description: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)' + definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)' detection: selection2: EventID: 4657 - ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa' + ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa' ObjectValueName: - 'LmCompatibilityLevel' - 'NtlmMinClientSec' diff --git a/rules/windows/builtin/win_netsh_port_fwd.yml b/rules/windows/builtin/win_netsh_port_fwd.yml new file mode 100644 index 000000000..ac05d5dec --- /dev/null +++ b/rules/windows/builtin/win_netsh_port_fwd.yml 
@@ -0,0 +1,35 @@ +--- +action: global +title: Netsh Port Forwarding +description: Detects netsh commands that configure a port forwarding +references: + - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html +date: 2019/01/29 +tags: + - attack.lateral_movement +status: experimental +author: Florian Roth +detection: + condition: selection +falsepositives: + - Legitimate administration +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: + - 'netsh interface portproxy add v4tov4 *' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: + - 'netsh interface portproxy add v4tov4 *' diff --git a/rules/windows/builtin/win_netsh_port_fwd_3389.yml b/rules/windows/builtin/win_netsh_port_fwd_3389.yml new file mode 100644 index 000000000..67aff58f6 --- /dev/null +++ b/rules/windows/builtin/win_netsh_port_fwd_3389.yml 
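Review bot: The selection in the new win_netsh_port_fwd.yml, `'netsh interface portproxy add v4tov4 *'`, is anchored at the start of the field, so a command line that begins with the full image path or a quoted executable does not match in either the sysmon or the 4688 document; a leading wildcard, `- '*netsh interface portproxy add v4tov4 *'`, keeps the intent. The same anchoring applies to `'netsh i* p*=3389 c*'` in the win_netsh_port_fwd_3389.yml hunk. Both rules tag only `attack.lateral_movement`, while the other rules in this commit pair the tactic with a technique id; adding one keeps the tagging consistent.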
@@ -0,0 +1,35 @@ +--- +action: global +title: Netsh RDP Port Forwarding +description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP +references: + - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html +date: 2019/01/29 +tags: + - attack.lateral_movement +status: experimental +author: Florian Roth +detection: + condition: selection +falsepositives: + - Legitimate administration +level: high +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: + - 'netsh i* p*=3389 c*' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: + - 'netsh i* p*=3389 c*' diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml index f40997e00..8ead5dab9 100644 --- a/rules/windows/builtin/win_pass_the_hash.yml +++ b/rules/windows/builtin/win_pass_the_hash.yml @@ -10,7 +10,7 @@ tags: logsource: product: windows service: security - description: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625 + definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625 detection: selection: - EventID: 4624 diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml index 6295abc41..847eb7663 100644 --- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml +++ b/rules/windows/builtin/win_plugx_susp_exe_locations.yml 
@@ -19,7 +19,7 @@ detection: CommandLine: '*\CamMute.exe' filter_cammute: EventID: 4688 - CommandLine: '*\Lenovo\Communication Utility\*' + CommandLine: '*\Lenovo\Communication Utility\\*' # Chrome Frame Helper selection_chrome_frame: @@ -27,7 +27,7 @@ detection: CommandLine: '*\chrome_frame_helper.exe' filter_chrome_frame: EventID: 4688 - CommandLine: '*\Google\Chrome\application\*' + CommandLine: '*\Google\Chrome\application\\*' # Microsoft Device Emulator selection_devemu: @@ -35,7 +35,7 @@ detection: CommandLine: '*\dvcemumanager.exe' filter_devemu: EventID: 4688 - CommandLine: '*\Microsoft Device Emulator\*' + CommandLine: '*\Microsoft Device Emulator\\*' # Windows Media Player Gadget selection_gadget: @@ -43,7 +43,7 @@ detection: CommandLine: '*\Gadget.exe' filter_gadget: EventID: 4688 - CommandLine: '*\Windows Media Player\*' + CommandLine: '*\Windows Media Player\\*' # HTML Help Workshop selection_hcc: @@ -51,7 +51,7 @@ detection: CommandLine: '*\hcc.exe' filter_hcc: EventID: 4688 - CommandLine: '*\HTML Help Workshop\*' + CommandLine: '*\HTML Help Workshop\\*' # Hotkey Command Module for Intel Graphics Contollers selection_hkcmd: @@ -60,9 +60,9 @@ detection: filter_hkcmd: EventID: 4688 CommandLine: - - '*\System32\*' - - '*\SysNative\*' - - '*\SysWowo64\*' + - '*\System32\\*' + - '*\SysNative\\*' + - '*\SysWowo64\\*' # McAfee component selection_mc: @@ -82,9 +82,9 @@ detection: filter_msmpeng: EventID: 4688 CommandLine: - - '*\Microsoft Security Client\*' - - '*\Windows Defender\*' - - '*\AntiMalware\*' + - '*\Microsoft Security Client\\*' + - '*\Windows Defender\\*' + - '*\AntiMalware\\*' # Microsoft Security Center selection_msseces: @@ -92,7 +92,7 @@ detection: CommandLine: '*\msseces.exe' filter_msseces: EventID: 4688 - CommandLine: '*\Microsoft Security Center\*' + CommandLine: '*\Microsoft Security Center\\*' # Microsoft Office 2003 OInfo selection_oinfo: 
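Review bot: `'*\SysWowo64\\*'` in the rewritten filter_hkcmd list (hunk @@ -60,9 +60,9 @@) keeps a pre-existing typo; the directory is `SysWOW64`, so hkcmd.exe started from there is never filtered and the rule raises a false positive on that legitimate location. Since the line is being rewritten for escaping anyway, `- '*\SysWOW64\\*'` is the fix. The enclosing `detection` block starts and ends outside the hunk.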
@@ -100,7 +100,7 @@ detection: CommandLine: '*\OInfoP11.exe' filter_oinfo: EventID: 4688 - CommandLine: '*\Common Files\Microsoft Shared\*' + CommandLine: '*\Common Files\Microsoft Shared\\*' # OLE View selection_oleview: @@ -112,20 +112,20 @@ detection: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' + - '*\Windows Resource Kit\\*' # RC selection_rc: EventID: 4688 - CommandLine: '*\OleView.exe' + CommandLine: '*\rc.exe' filter_rc: EventID: 4688 CommandLine: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - '*\Microsoft.NET\*' + - '*\Windows Resource Kit\\*' + - '*\Microsoft.NET\\*' condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or diff --git a/rules/windows/builtin/win_possible_applocker_bypass.yml b/rules/windows/builtin/win_possible_applocker_bypass.yml index 2bc84cfe4..894a5e1f7 100644 --- a/rules/windows/builtin/win_possible_applocker_bypass.yml +++ b/rules/windows/builtin/win_possible_applocker_bypass.yml @@ -30,7 +30,7 @@ level: low logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 diff --git a/rules/windows/builtin/win_powershell_b64_shellcode.yml b/rules/windows/builtin/win_powershell_b64_shellcode.yml index 898c73b59..7ccb1bffe 100644 --- a/rules/windows/builtin/win_powershell_b64_shellcode.yml +++ b/rules/windows/builtin/win_powershell_b64_shellcode.yml 
@@ -23,9 +23,9 @@ logsource: detection: selection1: EventID: 4688 - ProcesssCommandLine: '*AAAAYInlM*' + ProcessCommandLine: '*AAAAYInlM*' selection2: - ProcesssCommandLine: + ProcessCommandLine: - '*OiCAAAAYInlM*' - '*OiJAAAAYInlM*' --- diff --git a/rules/windows/builtin/win_psexesvc_start.yml b/rules/windows/builtin/win_psexesvc_start.yml index 40a49418f..08e517099 100644 --- a/rules/windows/builtin/win_psexesvc_start.yml +++ b/rules/windows/builtin/win_psexesvc_start.yml @@ -2,6 +2,7 @@ title: PsExec Service Start description: Detects a PsExec service start author: Florian Roth date: 2018/03/13 +modified: 2012/12/11 tags: - attack.execution - attack.t1035 @@ -9,11 +10,11 @@ tags: logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 - CommandLine: 'C:\Windows\PSEXESVC.exe' + ProcessCommandLine: 'C:\Windows\PSEXESVC.exe' condition: 1 of them falsepositives: - Administrative activity diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/win_rare_schtasks_creations.yml index 537527f50..89173c797 100644 --- a/rules/windows/builtin/win_rare_schtasks_creations.yml +++ b/rules/windows/builtin/win_rare_schtasks_creations.yml 
@@ -10,12 +10,12 @@ tags: logsource: product: windows service: security - description: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.' + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.' detection: selection: EventID: 4698 timeframe: 7d - condition: selection | count(TaskName) < 5 + condition: selection | count() by TaskName < 5 falsepositives: - Software installation - Software updates diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/win_rare_service_installs.yml index 429306430..99b8b29e8 100644 --- a/rules/windows/builtin/win_rare_service_installs.yml +++ b/rules/windows/builtin/win_rare_service_installs.yml @@ -13,8 +13,8 @@ detection: selection: EventID: 7045 timeframe: 7d - condition: selection | count(ServiceFileName) < 5 + condition: selection | count() by ServiceFileName < 5 falsepositives: - Software installation - Software updates -level: low +level: low \ No newline at end of file diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/win_rdp_localhost_login.yml new file mode 100644 index 000000000..24b128e11 --- /dev/null +++ b/rules/windows/builtin/win_rdp_localhost_login.yml 
@@ -0,0 +1,24 @@ +title: RDP Login from localhost +description: RDP login with localhost source address may be a tunnelled login +references: + - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html +date: 2019/01/28 +modified: 2019/01/29 +tags: + - attack.lateral_movement +status: experimental +author: Thomas Patzke +logsource: + product: windows + service: security +detection: + selection: + EventID: 4624 + LogonType: 10 + SourceNetworkAddress: + - "::1" + - "127.0.0.1" + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml index 6060f76a8..47b6ad7c0 100644 --- a/rules/windows/builtin/win_susp_cli_escape.yml +++ b/rules/windows/builtin/win_susp_cli_escape.yml @@ -9,21 +9,11 @@ references: - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ author: juju4 +modified: 2018/12/11 tags: - attack.defense_evasion - attack.t1140 detection: - selection: - CommandLine: - #- '^' - #- '@' -# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form? - # - '-' - # - '―' - #- 'c:/' - - '' - - '^h^t^t^p' - - 'h"t"t"p' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment 
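Review bot: The new win_rdp_localhost_login.yml keys the source address on `SourceNetworkAddress`, which is the rendered label of event 4624 rather than its EventData field name (`IpAddress`); unless the backend field mapping translates it, the selection never matches and the rule is silently blind. Check which name the repository's other 4624 rules use and align with it, e.g. `IpAddress:` with the same two values. A `definition:` line stating that `LogonType: 10` is RemoteInteractive (RDP) would also help a reader see why the combination with a loopback source is suspicious.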
@@ -33,10 +23,20 @@ level: low logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 + ProcessCommandLine: + #- '^' + #- '@' +# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form? + # - '-' + # - '―' + #- 'c:/' + - '' + - '^h^t^t^p' + - 'h"t"t"p' --- # Sysmon logsource: @@ -45,3 +45,13 @@ logsource: detection: selection: EventID: 1 + CommandLine: + #- '^' + #- '@' +# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form? + # - '-' + # - '―' + #- 'c:/' + - '' + - '^h^t^t^p' + - 'h"t"t"p' \ No newline at end of file diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml index 76c044e24..3710465fd 100644 --- a/rules/windows/builtin/win_susp_commands_recon_activity.yml +++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml @@ -7,14 +7,26 @@ references: - https://twitter.com/haroonmeer/status/939099379834658817 - https://twitter.com/c_APT_ure/status/939475433711722497 - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html -author: Florian Roth, Markus Neis +author: Florian Roth, Markus Neis date: 2018/08/22 +modified: 2018/12/11 tags: - attack.discovery - attack.t1073 - attack.t1012 +detection: + timeframe: 15s + condition: selection | count() by CommandLine > 4 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium +--- +logsource: + product: windows + service: sysmon detection: selection: + EventID: 1 CommandLine: - 'tasklist' - 'net time' 
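Review bot: The `ProcessCommandLine` and `CommandLine` lists added in both win_susp_cli_escape.yml hunks carry over an empty-string entry (`- ''`) and two unanchored values (`'^h^t^t^p'`, `'h"t"t"p'`); a plain value is compared against the whole field, so the two obfuscation patterns only fire on a command line consisting of nothing but that token, and the empty string either matches nothing or everything depending on the backend. Wrapping the patterns, `- '*^h^t^t^p*'` and `- '*h"t"t"p*'`, and dropping the empty entry would make the rule do what its description says. The commented-out alternatives and the FIXME are now duplicated in two documents; keeping them once, above the first document, avoids the two copies drifting apart.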
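Review bot: `condition: selection | count() by CommandLine > 4` in the win_susp_commands_recon_activity.yml hunk changes what the rule counts: grouping by CommandLine means it fires when the same command line appears five times within 15 s, whereas the description and the previous ungrouped `count() > 4` aim at a burst of different recon commands. If the intent is distinct commands per host, `count(CommandLine) by MachineName > 4` expresses that in the aggregation syntax this commit already uses elsewhere (`count() by MachineName` in win_multiple_suspicious_cli.yml) — confirm against the aggregation semantics the backends implement before changing it.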
@@ -33,23 +45,29 @@ detection: - '*\net1 accounts /domain' - '*\net1 user net localgroup administrators' - 'netstat -an' - timeframe: 15s - condition: selection | count() > 4 -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 + ProcessCommandLine: + - 'tasklist' + - 'net time' + - 'systeminfo' + - 'whoami' + - 'nbtstat' + - 'net start' + - '*\net1 start' + - 'qprocess' + - 'nslookup' + - 'hostname.exe' + - '*\net1 user /domain' + - '*\net1 group /domain' + - '*\net1 group "domain admins" /domain' + - '*\net1 group "Exchange Trusted Subsystem" /domain' + - '*\net1 accounts /domain' + - '*\net1 user net localgroup administrators' + - 'netstat -an' diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/win_susp_dhcp_config_failed.yml index 85b00bacd..f29b153f9 100644 --- a/rules/windows/builtin/win_susp_dhcp_config_failed.yml +++ b/rules/windows/builtin/win_susp_dhcp_config_failed.yml @@ -9,10 +9,10 @@ date: 2017/05/15 author: Dimitrios Slamaris logsource: product: windows - service: system + service: dhcp detection: selection: - EventID: + EventID: - 1031 - 1032 - 1034 diff --git a/rules/windows/builtin/win_susp_gup.yml b/rules/windows/builtin/win_susp_gup.yml new file mode 100644 index 000000000..e934b3711 --- /dev/null +++ b/rules/windows/builtin/win_susp_gup.yml 
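Review bot: Changing `service: system` to `service: dhcp` in win_susp_dhcp_config_failed.yml silently moves the rule to whichever channel the backend config maps `dhcp` to; if events 1031–1034 are in fact written to the System log by the DHCP server, the rule stops matching without any error. A `definition:` line naming the expected channel would let readers verify the mapping, and the hunk adds no `modified:` field although the other rules in this commit record their changes that way.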
@@ -0,0 +1,35 @@ +--- +action: global +title: Suspicious GUP Usage +description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks +status: experimental +references: + - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html +author: Florian Roth +date: 2019/02/06 +detection: + condition: selection and not filter +falsepositives: + - 'Execution of tools named GUP.exe and located in folders different than Notepad++\updater' +level: high +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + Image: '*\GUP.exe' + filter: + Image: '*\updater\*' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + NewProcessName: '*\GUP.exe' + filter: + NewProcessName: '*\updater\*' diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/builtin/win_susp_iss_module_install.yml index 21854e469..061265531 100644 --- a/rules/windows/builtin/win_susp_iss_module_install.yml +++ b/rules/windows/builtin/win_susp_iss_module_install.yml @@ -6,13 +6,11 @@ status: experimental references: - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ author: Florian Roth +modified: 2012/12/11 tags: - attack.persistence - attack.t1100 detection: - selection: - CommandLine: - - '*\APPCMD.EXE install module /name:*' condition: selection falsepositives: - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules 
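Review bot: The two `filter` values in the new win_susp_gup.yml, `Image: '*\updater\*'` and `NewProcessName: '*\updater\*'`, use the `\*` form that the rest of this commit replaces with `\\*` (see the win_plugx_susp_exe_locations.yml and win_susp_process_creations.yml hunks); under that escaping `\*` is a literal asterisk, so the filter never matches, `selection and not filter` degrades to `selection`, and the legitimate Notepad++ updater path raises the `high` alert. Writing `'*\updater\\*'` in both documents aligns the new rule with the convention the commit establishes.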
@@ -24,11 +22,15 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - '*\APPCMD.EXE install module /name:*' --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 + ProcessCommandLine: + - '*\APPCMD.EXE install module /name:*' diff --git a/rules/windows/builtin/win_susp_msiexec_web_install.yml b/rules/windows/builtin/win_susp_msiexec_web_install.yml index 880591fc6..3fd59bd01 100644 --- a/rules/windows/builtin/win_susp_msiexec_web_install.yml +++ b/rules/windows/builtin/win_susp_msiexec_web_install.yml @@ -7,10 +7,8 @@ references: - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ author: Florian Roth date: 2018/02/09 +modified: 2012/12/11 detection: - selection: - CommandLine: - - '* msiexec*:\/\/*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment @@ -22,11 +20,15 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - '* msiexec*:\/\/*' --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 + ProcessCommandLine: + - '* msiexec*:\/\/*' diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml index ac3c34f34..5e403a053 100644 
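Review bot: The `'* msiexec*:\/\/*'` value now copied into both documents of win_susp_msiexec_web_install.yml escapes the slashes with backslashes; in Sigma a backslash before a character other than `*`, `?` or `\` is a literal backslash, so spec-following backends look for `:\/\/` and the rule never matches a URL. `- '* msiexec*://*'` is the intended pattern; confirm the backends in use agree before changing it, since the value predates this commit and may have been tuned against a regex-based target.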
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml +++ b/rules/windows/builtin/win_susp_net_recon_activity.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: security - description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems + definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems detection: selection: - EventID: 4661 diff --git a/rules/windows/builtin/win_susp_ntdsutil.yml b/rules/windows/builtin/win_susp_ntdsutil.yml index 5163fd12e..434f20911 100644 --- a/rules/windows/builtin/win_susp_ntdsutil.yml +++ b/rules/windows/builtin/win_susp_ntdsutil.yml @@ -10,8 +10,6 @@ tags: - attack.credential_access - attack.t1003 detection: - selection: - CommandLine: '*\ntdsutil.exe *' condition: selection falsepositives: - NTDS maintenance @@ -23,12 +21,13 @@ logsource: detection: selection: EventID: 1 + CommandLine: '*\ntdsutil*' --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 - + ProcessCommandLine: '*\ntdsutil*' diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml index f33dfc7bf..f5d465980 100644 --- a/rules/windows/builtin/win_susp_ntlm_auth.yml +++ b/rules/windows/builtin/win_susp_ntlm_auth.yml 
@@ -12,7 +12,7 @@ tags: logsource: product: windows service: ntlm - description: Reqiures events from Microsoft-Windows-NTLM/Operational + definition: Reqiures events from Microsoft-Windows-NTLM/Operational detection: selection: EventID: 8002 diff --git a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml index 0e1fdcbbd..38e7c9657 100644 --- a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml @@ -16,7 +16,7 @@ detection: - '* -encodedcommand JAB*' # Google Rapid Response falsepositive1: - ImagePath: '*\GRR\*' + Image: '*\GRR\\*' # PowerSponse deployments falsepositive2: CommandLine: '* -ExecutionPolicy remotesigned *' @@ -36,7 +36,7 @@ detection: logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 diff --git a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml index aa7fa26fe..39d664d44 100644 --- a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml +++ b/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml @@ -10,7 +10,7 @@ author: John Lambert (rule) logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: encoded: EventID: 4688 
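Review bot: Renaming `ImagePath` to `Image` in falsepositive1 of win_susp_powershell_enc_cmd.yml fixes the sysmon side, but this detection block appears to be shared with the `service: security` document in the second hunk, where 4688 events carry `NewProcessName` rather than `Image`; unless the backend config maps the two, the GRR filter does not apply to 4688 events and those executions still alert. This commit splits fields per logsource in other rules (win_susp_gup.yml uses `Image` and `NewProcessName` separately), so the same treatment here — `NewProcessName: '*\GRR\\*'` in the security document — would be consistent. Both enclosing detection blocks start outside their hunks.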
diff --git a/rules/windows/builtin/win_susp_procdump.yml b/rules/windows/builtin/win_susp_procdump.yml index ab90cccb8..6909f423d 100644 --- a/rules/windows/builtin/win_susp_procdump.yml +++ b/rules/windows/builtin/win_susp_procdump.yml @@ -22,7 +22,7 @@ level: medium logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml index b6274a288..91da05841 100644 --- a/rules/windows/builtin/win_susp_process_creations.yml +++ b/rules/windows/builtin/win_susp_process_creations.yml @@ -15,15 +15,26 @@ references: - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat - https://twitter.com/vector_sec/status/896049052642533376 author: Florian Roth +modified: 2018/12/11 +detection: + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium +--- +logsource: + product: windows + service: sysmon detection: selection: + EventID: 1 CommandLine: # Hacking activity - 'vssadmin.exe delete shadows*' - 'vssadmin delete shadows*' - 'vssadmin create shadow /for=C:*' - - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*' - - 'copy \\?\GLOBALROOT\Device\*\config\SAM*' + - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*' + - 'copy \\?\GLOBALROOT\Device\\*\config\SAM*' - 'reg SAVE HKLM\SYSTEM *' - '* sekurlsa:*' - 'net localgroup adminstrators * /add' 
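Review bot: `'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'` and its `\config\SAM*` sibling on the new side of the win_susp_process_creations.yml hunk, and the copies in the @@ -66,22 +77,60 @@ hunk, still read `\\?\` as an escaped backslash, a single-character wildcard and another backslash; that is three characters against the four-character `\\?\` extended-path prefix, so under the escaping this commit relies on the two patterns cannot match. With the same convention a literal prefix would be `copy \\\\\?\GLOBALROOT\Device\\*...`, which is hard to read — a comment above the entry explaining that `\\?\` is the extended-path prefix and how it is escaped would keep the next editor from "fixing" it back.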
@@ -31,12 +42,12 @@ detection: - 'certutil.exe *-urlcache* http*' - 'certutil.exe *-urlcache* ftp*' # Malware - - 'netsh advfirewall firewall *\AppData\*' - - 'attrib +S +H +R *\AppData\*' - - 'schtasks* /create *\AppData\*' + - 'netsh advfirewall firewall *\AppData\\*' + - 'attrib +S +H +R *\AppData\\*' + - 'schtasks* /create *\AppData\\*' - 'schtasks* /sc minute*' - - '*\Regasm.exe *\AppData\*' - - '*\Regasm *\AppData\*' + - '*\Regasm.exe *\AppData\\*' + - '*\Regasm *\AppData\\*' - '*\bitsadmin* /transfer*' - '*\certutil.exe * -decode *' - '*\certutil.exe * -decodehex *' 
@@ -66,22 +77,60 @@ detection: - '*AddInProcess*' # NotPowershell (nps) attack # - '*msbuild*' # too many false positives - condition: selection -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 + ProcessCommandLine: + # Hacking activity + - 'vssadmin.exe delete shadows*' + - 'vssadmin delete shadows*' + - 'vssadmin create shadow /for=C:*' + - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*' + - 'copy \\?\GLOBALROOT\Device\\*\config\SAM*' + - 'reg SAVE HKLM\SYSTEM *' + - '* sekurlsa:*' + - 'net localgroup adminstrators * /add' + - 'net group "Domain Admins" * /ADD /DOMAIN' + - 'certutil.exe *-urlcache* http*' + - 'certutil.exe *-urlcache* ftp*' + # Malware + - 'netsh advfirewall firewall *\AppData\\*' + - 'attrib +S +H +R *\AppData\\*' + - 'schtasks* /create *\AppData\\*' + - 'schtasks* /sc minute*' + - '*\Regasm.exe *\AppData\\*' + - '*\Regasm *\AppData\\*' + - '*\bitsadmin* /transfer*' + - '*\certutil.exe * -decode *' + - '*\certutil.exe * -decodehex *' + - '*\certutil.exe -ping *' + - 'icacls * /grant Everyone:F /T /C /Q' + - '* wmic shadowcopy delete *' + - '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html + # Scripts + - '*\wscript.exe *.jse' + - '*\wscript.exe *.js' + - '*\wscript.exe *.vba' + - '*\wscript.exe *.vbe' + - '*\cscript.exe *.jse' + - '*\cscript.exe *.js' + - '*\cscript.exe *.vba' + - '*\cscript.exe *.vbe' + # UAC bypass 
+ - '*\fodhelper.exe' + # persistence + - '*waitfor*/s*' + - '*waitfor*/si persist*' + # remote + - '*remote*/s*' + - '*remote*/c*' + - '*remote*/q*' + # AddInProcess + - '*AddInProcess*' + # NotPowershell (nps) attack + # - '*msbuild*' # too many false positives diff --git a/rules/windows/builtin/win_susp_ps_appdata.yml b/rules/windows/builtin/win_susp_ps_appdata.yml new file mode 100644 index 000000000..ef8200a82 --- /dev/null +++ b/rules/windows/builtin/win_susp_ps_appdata.yml @@ -0,0 +1,39 @@ +--- +action: global +title: PowerShell Script Run in AppData +status: experimental +description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder +references: + - https://twitter.com/JohnLaTwC/status/1082851155481288706 + - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 +author: Florian Roth +date: 2019/01/09 +logsource: + product: windows + service: sysmon +detection: + condition: selection +falsepositives: + - Administrative scripts +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: + - '* /c powershell*\AppData\Local\\*' + - '* /c powershell*\AppData\Roaming\\*' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: + - '* /c powershell*\AppData\Local\\*' + - '* /c powershell*\AppData\Roaming\\*' diff --git a/rules/windows/builtin/win_susp_rasdial_activity.yml b/rules/windows/builtin/win_susp_rasdial_activity.yml index bad621d16..76676cfbf 100644 --- a/rules/windows/builtin/win_susp_rasdial_activity.yml +++ b/rules/windows/builtin/win_susp_rasdial_activity.yml 
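Review bot: The first (global) document of the new win_susp_ps_appdata.yml contains a `logsource:` block with `service: sysmon` alongside the per-document logsources that follow; global keys are merged into every document, so this either duplicates the sysmon document's logsource or collides with the `service: security` one, depending on how the loader merges them — the other global rules in this commit (win_netsh_port_fwd.yml, win_susp_gup.yml) keep `logsource` out of the global part. Removing that block from the global document makes the rule match the others. The rule also has no `tags:` list, while the sibling rules carry ATT&CK tactic tags.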
@@ -18,7 +18,7 @@ level: medium
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml
index b75d2f336..8426baa32 100644
--- a/rules/windows/builtin/win_susp_run_locations.yml
+++ b/rules/windows/builtin/win_susp_run_locations.yml
@@ -11,10 +11,10 @@ tags:
 detection:
 selection:
 CommandLine:
- - "*:\\RECYCLER\\*"
- - "*:\\SystemVolumeInformation\\*"
- - "%windir%\\Tasks\\*"
- - "%systemroot%\\debug\\*"
+ - '*:\RECYCLER\\*'
+ - '*:\SystemVolumeInformation\\*'
+ - '%windir%\Tasks\\*'
+ - '%systemroot%\debug\\*'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
@@ -24,7 +24,7 @@ level: medium
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/builtin/win_susp_rundll32_activity.yml
index 485c72100..872f40557 100644
--- a/rules/windows/builtin/win_susp_rundll32_activity.yml
+++ b/rules/windows/builtin/win_susp_rundll32_activity.yml
@@ -36,7 +36,7 @@ falsepositives:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index 8f94ae691..0f71f622b 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -8,7 +8,7 @@ author: Florian Roth
 logsource:
 product: windows
 service: system
- description: The source of this type of event is Kernel-General
+ definition: The source of this type of event is Kernel-General
 detection:
 selection:
 EventID: 16
diff --git a/rules/windows/builtin/win_susp_svchost.yml b/rules/windows/builtin/win_susp_svchost.yml
index 306c43a60..9405f77d7 100644
--- a/rules/windows/builtin/win_susp_svchost.yml
+++ b/rules/windows/builtin/win_susp_svchost.yml
@@ -32,7 +32,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_sysprep_appdata.yml b/rules/windows/builtin/win_susp_sysprep_appdata.yml
index b688a77c1..76b238856 100644
--- a/rules/windows/builtin/win_susp_sysprep_appdata.yml
+++ b/rules/windows/builtin/win_susp_sysprep_appdata.yml
@@ -8,11 +8,8 @@ references: - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b author: Florian Roth date: 2018/06/22 +modified: 2018/12/11 detection: - selection: - CommandLine: - - '*\sysprep.exe *\AppData\*' - - 'sysprep.exe *\AppData\*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment @@ -24,11 +21,17 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - '*\sysprep.exe *\AppData\\*' + - 'sysprep.exe *\AppData\\*' --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 + ProcessCommandLine: + - '*\sysprep.exe *\AppData\\*' + - 'sysprep.exe *\AppData\\*' diff --git a/rules/windows/builtin/win_susp_sysvol_access.yml b/rules/windows/builtin/win_susp_sysvol_access.yml index 32032b9e7..f3b128ddf 100644 --- a/rules/windows/builtin/win_susp_sysvol_access.yml +++ b/rules/windows/builtin/win_susp_sysvol_access.yml @@ -8,12 +8,11 @@ references: - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 author: Markus Neis date: 2018/04/09 +modified: 2018/12/11 tags: - attack.credential_access - attack.t1003 detection: - selection: - CommandLine: '*\SYSVOL\*\policies\*' condition: selection falsepositives: - administrative activity 
@@ -25,11 +24,13 @@ logsource: detection: selection: EventID: 1 + CommandLine: '*\SYSVOL\\*\policies\\*' --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 + ProcessCommandLine: '*\SYSVOL\\*\policies\\*' diff --git a/rules/windows/builtin/win_susp_whoami.yml b/rules/windows/builtin/win_susp_whoami.yml index b0a3f29cc..3d8ab3d4d 100644 --- a/rules/windows/builtin/win_susp_whoami.yml +++ b/rules/windows/builtin/win_susp_whoami.yml @@ -29,7 +29,7 @@ detection: logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 diff --git a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml b/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml index 927476c12..ecedd03fd 100644 --- a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml +++ b/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml @@ -30,7 +30,7 @@ detection: logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 
diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml index 1748364c6..045b2af98 100644 --- a/rules/windows/malware/av_exploiting.yml +++ b/rules/windows/malware/av_exploiting.yml @@ -1,6 +1,7 @@ title: Antivirus Exploitation Framework Detection description: Detects a highly relevant Antivirus alert that reports an exploitation framework date: 2018/09/09 +modified: 2019/01/16 author: Florian Roth references: - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ @@ -19,6 +20,7 @@ detection: - "*Metasploit*" - "*PowerSploit*" - "*CobaltSrike*" + - "*Swrort*" condition: selection fields: - FileName diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index 1dfa5d40e..a0249867a 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml @@ -1,4 +1,4 @@ -title: Antivirus Exploitation Framework Detection +title: Antivirus Relevant File Paths Alerts description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name date: 2018/09/09 author: Florian Roth @@ -9,12 +9,12 @@ logsource: detection: selection: FileName: - - 'C:\Windows\Temp\*' - - 'C:\Temp\*' - - '*\\Client\*' - - 'C:\PerfLogs\*' - - 'C:\Users\Public\*' - - 'C:\Users\Default\*' + - 'C:\Windows\Temp\\*' + - 'C:\Temp\\*' + - '*\\Client\\*' + - 'C:\PerfLogs\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\Default\\*' - '*.ps1' - '*.vbs' - '*.bat' diff --git a/rules/windows/malware/sysmon_malware_dridex.yml b/rules/windows/malware/sysmon_malware_dridex.yml new file mode 100644 index 000000000..f7388e994 --- /dev/null +++ b/rules/windows/malware/sysmon_malware_dridex.yml 
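Review bot: The context line right above the added `"*Swrort*"` in `av_exploiting.yml`, `"*CobaltSrike*"`, looks misspelled; unless an AV vendor's signature family really uses that spelling, the pattern never fires and `- "*CobaltStrike*"` is the intended value. Since this commit already edits the list and bumps `modified:`, it is the right moment to correct it.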
@@ -0,0 +1,40 @@ +--- +action: global +title: Dridex Process Pattern +status: experimental +description: Detects typical Dridex process patterns +references: + - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3 +author: Florian Roth +date: 2019/01/10 +logsource: + product: windows + service: sysmon +detection: + condition: 1 of them +falsepositives: + - Unlikely +level: critical +--- +logsource: + product: windows + service: sysmon +detection: + selection1: + EventID: 1 + CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' + selection2: + EventID: 1 + ParentImage: '*\svchost.exe*' + CommandLine: + - '*whoami.exe /all' + - '*net.exe view' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml index b6d8e50d0..aa7a816e9 100644 --- a/rules/windows/malware/sysmon_malware_notpetya.yml +++ b/rules/windows/malware/sysmon_malware_notpetya.yml @@ -22,7 +22,7 @@ detection: CommandLine: '* deletejournal *' pipe_com: EventID: 1 - CommandLine: '*\AppData\Local\Temp\* \\.\pipe\*' + CommandLine: '*\AppData\Local\Temp\* \\.\pipe\\*' event_clean: EventID: 1 Image: '*\wevtutil.exe' diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/malware/win_mal_adwind.yml index 5c0e8c77e..20a5ea749 100644 --- a/rules/windows/malware/win_mal_adwind.yml +++ b/rules/windows/malware/win_mal_adwind.yml @@ -8,6 +8,7 @@ references: - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth, Tom Ueltschi date: 2017/11/10 +modified: 2018/12/11 detection: condition: selection level: high 
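Review bot: The `security` section of the new `sysmon_malware_dridex.yml` only mirrors `selection1` (the `svchost.exe C:\Users\...\Desktop` command line); `selection2`, which keys on `ParentImage: '*\svchost.exe*'`, has no 4688 counterpart, so with the global `condition: 1 of them` the Security-log variant covers strictly less than the Sysmon one. Either add a matching selection on the parent-process field 4688 exposes on newer Windows builds (`ParentProcessName`; availability depends on OS version, confirm for the target environment) or state the reduced coverage in the description. `ParentImage: '*\svchost.exe*'` also carries a trailing wildcard that the other image patterns in this commit do not use; `ParentImage: '*\svchost.exe'` is the consistent form.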
@@ -16,11 +17,11 @@ level: high logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 - CommandLine: + ProcessCommandLine: - '*\AppData\Roaming\Oracle*\java*.exe *' - '*cscript.exe *Retrive*.vbs *' --- @@ -52,4 +53,4 @@ detection: selection: EventID: 13 TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*' - Details: '%AppData%\Roaming\Oracle\bin\*' + Details: '%AppData%\Roaming\Oracle\bin\\*' diff --git a/rules/windows/malware/win_mal_wannacry.yml b/rules/windows/malware/win_mal_wannacry.yml index 3624f5076..89a95be39 100644 --- a/rules/windows/malware/win_mal_wannacry.yml +++ b/rules/windows/malware/win_mal_wannacry.yml @@ -21,7 +21,7 @@ level: critical logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection1: # Requires group policy 'Audit Process Creation' > Include command line in process creation events diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 6372e2524..58bf3033d 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml 
@@ -19,7 +19,7 @@ detection: - 'ActiveScriptEventConsumer' - 'CommandLineEventConsumer' - 'CommandLineTemplate' - - 'Binding EventFilter' + # - 'Binding EventFilter' # too many false positive with HP Health Driver selection2: EventID: 5859 condition: selection and 1 of keywords or selection2 diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index 23cbfa154..7b741ebfb 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -1,6 +1,7 @@ title: Malicious PowerShell Commandlets status: experimental description: Detects Commandlet names from well-known PowerShell exploitation frameworks +modified: 2019/01/22 references: - https://adsecurity.org/?p=2921 tags: @@ -10,7 +11,7 @@ author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows service: powershell - description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keywords: - Invoke-DllInjection @@ -40,7 +41,6 @@ detection: - Get-VulnAutoRun - Get-VulnSchTask - Get-UnattendedInstallFile - - Get-WebConfig - Get-ApplicationHost - Get-RegAlwaysInstallElevated - Get-Unconstrained diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index 4a5a6ba98..0323a1dcd 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml @@ -1,6 +1,7 @@ title: Malicious PowerShell Keywords status: experimental description: Detects keywords from well-known PowerShell exploitation frameworks +modified: 2019/01/22 references: - https://adsecurity.org/?p=2921 tags: 
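Review bot: With `'Binding EventFilter'` commented out in `win_wmi_persistence.yml`, the only keyword left is the three-entry list, and the unchanged `condition: selection and 1 of keywords or selection2` relies on implicit precedence (`and` before `or`) to mean what it presumably should; `condition: (selection and 1 of keywords) or selection2` states that explicitly and avoids a misread. The removed keyword is also the only one documenting the HP Health Driver false positive, so consider carrying that note into `falsepositives`, which lies outside the hunk.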
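Review bot: The renamed `definition:` line in `powershell_malicious_commandlets.yml` keeps the typo `recommanded`; since the line is rewritten anyway, make it `definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'`. The same line is rewritten with the same typo in `powershell_malicious_keywords.yml` and `powershell_psattack.yml` further down, while `powershell_ntfs_ads_access.yml` already spells it correctly.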
@@ -10,23 +11,17 @@ author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows service: powershell - description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keywords: - AdjustTokenPrivileges - IMAGE_NT_OPTIONAL_HDR64_MAGIC - - Management.Automation.RuntimeException - Microsoft.Win32.UnsafeNativeMethods - ReadProcessMemory.Invoke - - Runtime.InteropServices - SE_PRIVILEGE_ENABLED - - System.Security.Cryptography - - System.Runtime.InteropServices - LSA_UNICODE_STRING - MiniDumpWriteDump - PAGE_EXECUTE_READ - - Net.Sockets.SocketFlags - - Reflection.Assembly - SECURITY_DELEGATION - TOKEN_ADJUST_PRIVILEGES - TOKEN_ALL_ACCESS diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yaml b/rules/windows/powershell/powershell_ntfs_ads_access.yml similarity index 80% rename from rules/windows/powershell/powershell_ntfs_ads_access.yaml rename to rules/windows/powershell/powershell_ntfs_ads_access.yml index 3deedb29d..965df78f7 100644 --- a/rules/windows/powershell/powershell_ntfs_ads_access.yaml +++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml @@ -10,7 +10,7 @@ author: Sami Ruohonen logsource: product: windows service: powershell - description: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keyword1: - "set-content" diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index c86db1cf5..6203a5d23 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml 
@@ -12,7 +12,7 @@ author: John Lambert (idea), Florian Roth (rule)
 logsource:
 product: windows
 service: powershell
- description: 'Script block logging must be enabled'
+ definition: 'Script block logging must be enabled'
 detection:
 selection:
 EventID: 4104
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml
index d2eb7ece7..5872f70a3 100644
--- a/rules/windows/powershell/powershell_psattack.yml
+++ b/rules/windows/powershell/powershell_psattack.yml
@@ -10,7 +10,7 @@ author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
 product: windows
 service: powershell
- description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+ definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 selection:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_xor_commandline.yml
index 7b5d38980..57e4c60ec 100644
--- a/rules/windows/powershell/powershell_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_xor_commandline.yml
@@ -1,5 +1,5 @@
 action: global
-title: Suspicious Encoded PowerShell Command Line
+title: Suspicious XOR Encoded PowerShell Command Line
 description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
 status: experimental
 author: Sami Ruohonen
@@ -23,7 +23,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
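Review bot: The description left as context under the new title in `powershell_xor_commandline.yml` still reads `alternatvide obfuscation method`; `alternative` is meant, and the sentence reads better as `description: Detects a suspicious powershell process whose command line includes the bxor operator, an alternative obfuscation method to base64-encoded commands.` A `modified:` date would also fit next to the title change, as the other retitled rules in this commit add one.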
diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
index 53d369dc2..94b86c382 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
@@ -12,7 +12,7 @@ date: 2018/06/03
 logsource:
 product: windows
 service: sysmon
- description: 'Requirements: Sysmon config with Imphash logging activated'
+ definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
 selection:
 EventID: 15
diff --git a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml b/rules/windows/sysmon/sysmon_attrib_hiding_files.yml
index 8bba17482..1a9c8274e 100644
--- a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml
+++ b/rules/windows/sysmon/sysmon_attrib_hiding_files.yml
@@ -14,7 +14,7 @@ detection:
 CommandLine: '*\desktop.ini *'
 intel:
 ParentImage: '*\cmd.exe'
- CommandLine: '+R +H +S +A \*.cui'
+ CommandLine: '+R +H +S +A \\*.cui'
 ParentCommandLine: 'C:\WINDOWS\system32\\*.bat'
 condition: selection and not (ini or intel)
 fields:
diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml
new file mode 100644
index 000000000..b972de848
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_cactustorch.yml
@@ -0,0 +1,29 @@ +title: CACTUSTORCH Remote Thread Creation +description: Detects remote thread creation from CACTUSTORCH as described in references. +references: + - https://twitter.com/SBousseaden/status/1090588499517079552 + - https://github.com/mdsecactivebreach/CACTUSTORCH +status: experimental +author: "@SBousseaden (detection), Thomas Patzke (rule)" +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 8 + SourceImage: + - '*\System32\cscript.exe' + - '*\System32\wscript.exe' + - '*\System32\mshta.exe' + - '*\winword.exe' + - '*\excel.exe' + TargetImage: '*\SysWOW64\\*' + StartModule: null + condition: selection +tags: + - attack.execution + - attack.t1055 + - attack.t1064 +falsepositives: + - unknown +level: high diff --git a/rules/windows/sysmon/sysmon_cmdkey_recon.yml b/rules/windows/sysmon/sysmon_cmdkey_recon.yml index 050884aaa..6f1e4c664 100644 --- a/rules/windows/sysmon/sysmon_cmdkey_recon.yml +++ b/rules/windows/sysmon/sysmon_cmdkey_recon.yml @@ -1,7 +1,7 @@ title: Cmdkey Cached Credentials Recon status: experimental description: Detects usage of cmdkey to look for cached credentials -reference: +references: - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx author: jmallette diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml new file mode 100644 index 000000000..7224ffceb --- /dev/null +++ b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml 
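Review bot: The new `sysmon_cactustorch.yml` has no `date:` field, while the other new rules in this commit (`win_susp_ps_appdata.yml`, `sysmon_malware_dridex.yml`) carry one; add `date: <YYYY/MM/DD placeholder>` under `author`. The `SourceImage` list also mixes casings, `'*\System32\cscript.exe'` next to `'*\winword.exe'` and `'*\excel.exe'`, whereas the deleted `sysmon_office_macro_cmd.yml` further down used `'*\WINWORD.EXE'`; on a backend that matches case-sensitively only one spelling fires, so pick the form the rest of the repository uses and confirm the target backend's case handling.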
@@ -0,0 +1,21 @@ +title: CobaltStrike Process Injection +description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons +references: + - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f +status: experimental +author: Olaf Hartong, Florian Roth +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 8 + TargetProcessAddress: '*0B80' + condition: selection +tags: + - attack.process_injection + - attack.t1055 +falsepositives: + - unknown +level: high + diff --git a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml index 5bec5a7db..09ee432b1 100644 --- a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml +++ b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml @@ -5,7 +5,7 @@ references: - https://github.com/GhostPack/SafetyKatz tags: - attack.credential_access - - attack.T1003 + - attack.t1003 author: Markus Neis date: 2018/24/07 logsource: diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml new file mode 100644 index 000000000..c965486d2 --- /dev/null +++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml 
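Review bot: `description: Detects a possible remote threat creation ...` in the new `sysmon_cobaltstrike_process_injection.yml` should read `remote thread creation`; EventID 8 is Sysmon's CreateRemoteThread event. The rule also lacks a `date:` field and ends with an added empty line after `level: high`, which the other new rules in this commit do not have.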
@@ -0,0 +1,34 @@ +title: Logon Scripts (UserInitMprLogonScript) +status: experimental +description: Detects creation or execution of UserInitMprLogonScript persistence method +references: + - https://attack.mitre.org/techniques/T1037/ +tags: + - attack.t1037 + - attack.persistence + - attack.lateral_movement +author: Tom Ueltschi (@c_APT_ure) +logsource: + product: windows + service: sysmon +detection: + exec_selection: + EventID: 1 + ParentImage: userinit.exe + exec_exclusion: + Image: explorer.exe + CommandLine: netlogon.bat + create_selection: + EventID: + - 1 + - 11 + - 12 + - 13 + - 14 + create_keywords: + - UserInitMprLogonScript + condition: (exec_selection and not exec_exclusion) or (create_selection and create_keywords) +falsepositives: + - exclude legitimate logon scripts + - penetration tests, red teaming +level: high diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/sysmon/sysmon_mal_namedpipes.yml index ef1800a80..b3026ab6e 100644 --- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml +++ b/rules/windows/sysmon/sysmon_mal_namedpipes.yml @@ -8,7 +8,7 @@ author: Florian Roth logsource: product: windows service: sysmon - description: 'Note that you have to configure logging for PipeEvents in Symson config' + definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: selection: EventID: @@ -31,7 +31,7 @@ detection: condition: selection tags: - attack.defense_evasion - - attack.privelege_escalation + - attack.privilege_escalation - attack.t1055 falsepositives: - Unkown diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml index d3b6f33a0..505a601c3 100644 --- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml +++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml 
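Review bot: `ParentImage: userinit.exe`, `Image: explorer.exe` and `CommandLine: netlogon.bat` in the new `sysmon_logon_scripts_userinitmprlogonscript.yml` have no wildcard, but Sysmon reports `Image` and `ParentImage` as full paths, so on a backend that matches the whole value `exec_selection` never fires and `exec_exclusion` never excludes; the rest of this commit uses the `'*\cmd.exe'` form. Use `ParentImage: '*\userinit.exe'`, `Image: '*\explorer.exe'` and `CommandLine: '*netlogon.bat*'`, unless the backend is known to do substring matching. The same unprefixed `Image:` values appear in `sysmon_powershell_renamed_ps.yml` further down, and `date:` is missing here as well.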
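Review bot: The rewritten `definition:` line in `sysmon_mal_namedpipes.yml` keeps the typo `Symson`; it should read `definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'`. The `- Unkown` entry under `falsepositives` in the second hunk of the same file is a context line with a similar typo (`Unknown`).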
@@ -8,7 +8,7 @@ date: 2017/03/19 logsource: product: windows service: sysmon - description: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' + definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' detection: selection: EventID: 3 diff --git a/rules/windows/sysmon/sysmon_malware_script_dropper.yml b/rules/windows/sysmon/sysmon_malware_script_dropper.yml index 95b29fd80..b08eabd72 100644 --- a/rules/windows/sysmon/sysmon_malware_script_dropper.yml +++ b/rules/windows/sysmon/sysmon_malware_script_dropper.yml @@ -12,16 +12,16 @@ detection: - '*\wscript.exe' - '*\cscript.exe' CommandLine: - - '* C:\Users\*.jse *' - - '* C:\Users\*.vbe *' - - '* C:\Users\*.js *' - - '* C:\Users\*.vba *' - - '* C:\Users\*.vbs *' - - '* C:\ProgramData\*.jse *' - - '* C:\ProgramData\*.vbe *' - - '* C:\ProgramData\*.js *' - - '* C:\ProgramData\*.vba *' - - '* C:\ProgramData\*.vbs *' + - '* C:\Users\\*.jse *' + - '* C:\Users\\*.vbe *' + - '* C:\Users\\*.js *' + - '* C:\Users\\*.vba *' + - '* C:\Users\\*.vbs *' + - '* C:\ProgramData\\*.jse *' + - '* C:\ProgramData\\*.vbe *' + - '* C:\ProgramData\\*.js *' + - '* C:\ProgramData\\*.vba *' + - '* C:\ProgramData\\*.vbs *' falsepositive: ParentImage: '*\winzip*' condition: selection diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml index fff40b72f..0bf65b856 100644 --- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml +++ b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml @@ -8,7 +8,7 @@ date: 2017/03/04 logsource: product: windows service: sysmon - description: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' + definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' detection: selection: EventID: 10 
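Review bot: The rewritten `definition:` in `sysmon_malware_backconnect_ports.yml` talks about generating `Event ID 10 Process Access` events with a `VBE7.DLLUNKNOWN` config, but this rule selects `EventID: 3` (network connection); the text matches the one in `sysmon_malware_verclsid_shellcode.yml` below, where it fits, and looks copied. Replace it with a definition that describes this rule's prerequisite, e.g. `definition: 'Requires Sysmon network connection logging (Event ID 3)'`, or drop the field.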
@@ -17,7 +17,7 @@ detection: combination1: CallTrace: '*|UNKNOWN(*VBE7.DLL*' combination2: - SourceImage: '*\Microsoft Office\*' + SourceImage: '*\Microsoft Office\\*' CallTrace: '*|UNKNOWN*' condition: selection and 1 of combination* falsepositives: diff --git a/rules/windows/sysmon/sysmon_office_macro_cmd.yml b/rules/windows/sysmon/sysmon_office_macro_cmd.yml deleted file mode 100644 index ad9f87e4a..000000000 --- a/rules/windows/sysmon/sysmon_office_macro_cmd.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Office Macro Starts Cmd -status: experimental -description: Detects a Windows command line executable started from Microsoft Word or Excel -references: - - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 -author: Florian Roth -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: - - '*\WINWORD.EXE' - - '*\EXCEL.EXE' - Image: '*\cmd.exe' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - unknown -level: high - diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml index f3d23d7c3..dce5d9e8c 100644 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ b/rules/windows/sysmon/sysmon_office_shell.yml @@ -4,11 +4,12 @@ description: Detects a Windows command line executable started from Microsoft Wo references: - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html + - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle tags: - attack.execution - attack.defense_evasion - attack.t1059 - - attack.T1202 + - attack.t1202 author: Michael Haag, Florian Roth, Markus Neis date: 2018/04/06 logsource: 
diff --git a/rules/windows/sysmon/sysmon_outlook_shell.yml b/rules/windows/sysmon/sysmon_outlook_shell.yml deleted file mode 100644 index 507a6d07c..000000000 --- a/rules/windows/sysmon/sysmon_outlook_shell.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: Microsoft Outlook Spawning Windows Shell -status: experimental -description: Detects a Windows command line executable started from Microsoft Outlook -references: - - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle -author: Florian Roth -date: 2018/03/06 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: - - '*\OUTLOOK.EXE' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\schtasks.exe' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - False positives are possible, depends on organisation and processes -level: high - diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml index 9271116db..6a2416dc8 100644 --- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml @@ -1,4 +1,4 @@ -title: Executable used by PlugX in Uncommon Location +title: Executable used by PlugX in Uncommon Location - Sysmon Version status: experimental description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location references: @@ -17,7 +17,7 @@ detection: Image: '*\CamMute.exe' filter_cammute: EventID: 1 - Image: '*\Lenovo\Communication Utility\*' + Image: '*\Lenovo\Communication Utility\\*' # Chrome Frame Helper selection_chrome_frame: 
@@ -25,7 +25,7 @@ detection: Image: '*\chrome_frame_helper.exe' filter_chrome_frame: EventID: 1 - Image: '*\Google\Chrome\application\*' + Image: '*\Google\Chrome\application\\*' # Microsoft Device Emulator selection_devemu: @@ -33,7 +33,7 @@ detection: Image: '*\dvcemumanager.exe' filter_devemu: EventID: 1 - Image: '*\Microsoft Device Emulator\*' + Image: '*\Microsoft Device Emulator\\*' # Windows Media Player Gadget selection_gadget: @@ -41,7 +41,7 @@ detection: Image: '*\Gadget.exe' filter_gadget: EventID: 1 - Image: '*\Windows Media Player\*' + Image: '*\Windows Media Player\\*' # HTML Help Workshop selection_hcc: @@ -49,7 +49,7 @@ detection: Image: '*\hcc.exe' filter_hcc: EventID: 1 - Image: '*\HTML Help Workshop\*' + Image: '*\HTML Help Workshop\\*' # Hotkey Command Module for Intel Graphics Contollers selection_hkcmd: @@ -58,9 +58,9 @@ detection: filter_hkcmd: EventID: 1 Image: - - '*\System32\*' - - '*\SysNative\*' - - '*\SysWowo64\*' + - '*\System32\\*' + - '*\SysNative\\*' + - '*\SysWowo64\\*' # McAfee component selection_mc: @@ -80,9 +80,9 @@ detection: filter_msmpeng: EventID: 1 Image: - - '*\Microsoft Security Client\*' - - '*\Windows Defender\*' - - '*\AntiMalware\*' + - '*\Microsoft Security Client\\*' + - '*\Windows Defender\\*' + - '*\AntiMalware\\*' # Microsoft Security Center selection_msseces: @@ -90,7 +90,7 @@ detection: Image: '*\msseces.exe' filter_msseces: EventID: 1 - Image: '*\Microsoft Security Center\*' + Image: '*\Microsoft Security Center\\*' # Microsoft Office 2003 OInfo selection_oinfo: @@ -98,7 +98,7 @@ detection: Image: '*\OInfoP11.exe' filter_oinfo: EventID: 1 - Image: '*\Common Files\Microsoft Shared\*' + Image: '*\Common Files\Microsoft Shared\\*' # OLE View selection_oleview: 
@@ -110,20 +110,20 @@ detection: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' + - '*\Windows Resource Kit\\*' # RC selection_rc: EventID: 1 - Image: '*\OleView.exe' + Image: '*\rc.exe' filter_rc: EventID: 1 Image: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - '*\Microsoft.NET\*' + - '*\Windows Resource Kit\\*' + - '*\Microsoft.NET\\*' condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml index 56e22b647..019c15839 100644 --- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml +++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml @@ -18,7 +18,22 @@ detection: DestinationIp: - '10.*' - '192.168.*' - - '172.*' + - '172.16.*' + - '172.17.*' + - '172.18.*' + - '172.19.*' + - '172.20.*' + - '172.21.*' + - '172.22.*' + - '172.23.*' + - '172.24.*' + - '172.25.*' + - '172.26.*' + - '172.27.*' + - '172.28.*' + - '172.29.*' + - '172.30.*' + - '172.31.*' - '127.0.0.1' DestinationIsIpv6: 'false' User: 'NT AUTHORITY\SYSTEM' diff --git a/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml b/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml new file mode 100644 index 000000000..dce9e3751 --- /dev/null +++ b/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml 
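Review bot: The selection_rc image is corrected from `'*\OleView.exe'` to `'*\rc.exe'`, which changes what the rule detects (rc.exe starts were previously invisible because the selection duplicated selection_oleview), yet the rule header receives no `modified:` date, unlike sysmon_shell_spawn_susp_program.yml and sysmon_susp_certutil_command.yml in the same change set which add one for their logic changes. Add `modified:` with the date of this fix next to the existing `date:` in the header, which sits outside this hunk, so downstream consumers can see the detection logic moved.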
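Review bot: The `DestinationIsIpv6: 'false'` line in what appears to be the exclusion filter (the `filter:` key itself is above the hunk) is redundant with the now purely IPv4 DestinationIp list, and its practical effect is that no IPv6 destination is ever excluded, so on a dual-stack network every IPv6 connection by SYSTEM-level PowerShell—including link-local fe80::/10 and ULA fc00::/7 internal traffic—will alert. If the intent is "exclude internal destinations", either drop the `DestinationIsIpv6` constraint and add the IPv6 internal prefixes to the list, e.g. `- 'fe80:*'`, `- 'fc*'`, `- 'fd*'`, or state in `falsepositives` that IPv6 traffic is deliberately not filtered. The 172.16–172.31 expansion itself is correct for RFC 1918.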
@@ -0,0 +1,27 @@
+title: Renamed Powershell.exe
+status: experimental
+description: Detects copying and renaming of powershell.exe before execution (RETEFE malware DOC/macro starting Sept 2018)
+references:
+ - https://attack.mitre.org/techniques/T1086/
+ - https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/
+tags:
+ - attack.t1086
+ - attack.execution
+author: Tom Ueltschi (@c_APT_ure)
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ Description: Windows PowerShell
+ exclusion_1:
+ Image:
+ - powershell.exe
+ - powershell_ise.exe
+ exclusion_2:
+ Description: Windows PowerShell ISE
+ condition: all of selection and not (1 of exclusion_*)
+falsepositives:
+ - penetration tests, red teaming
+level: high
diff --git a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
index 38fcdcd9f..ed6d68eeb 100644
--- a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
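Review bot: exclusion_1 lists `powershell.exe` and `powershell_ise.exe` as bare file names, but Sysmon's Image field holds the full path (every sibling rule in this set matches it as `'*\powershell.exe'`), so on backends that match field values exactly the exclusion never applies and the rule fires on every legitimate PowerShell start, inverting its purpose. Use `- '*\powershell.exe'` and `- '*\powershell_ise.exe'`. The rule also has no `date:` field, while the other new rules in this change set (e.g. sysmon_susp_prog_location_process_starts.yml) carry one.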
@@ -6,55 +6,57 @@ references: tags: - attack.execution - attack.t1086 -author: Florian Roth (rule), Daniel Bohannon (idea) +author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) logsource: product: windows service: sysmon detection: - keywords: - Image: '*\powershell.exe' - substrings: - - ' -windowstyle h ' - - ' -windowstyl h' - - ' -windowsty h' - - ' -windowst h' - - ' -windows h' - - ' -windo h' - - ' -wind h' - - ' -win h' - - ' -wi h' - - ' -win h ' - - ' -win hi ' - - ' -win hid ' - - ' -win hidd ' - - ' -win hidde ' - - ' -NoPr ' - - ' -NoPro ' - - ' -NoProf ' - - ' -NoProfi ' - - ' -NoProfil ' - - ' -nonin ' - - ' -nonint ' - - ' -noninte ' - - ' -noninter ' - - ' -nonintera ' - - ' -noninterac ' - - ' -noninteract ' - - ' -noninteracti ' - - ' -noninteractiv ' - - ' -ec ' - - ' -encodedComman ' - - ' -encodedComma ' - - ' -encodedComm ' - - ' -encodedCom ' - - ' -encodedCo ' - - ' -encodedC ' - - ' -encoded ' - - ' -encode ' - - ' -encod ' - - ' -enco ' - - ' -en ' - condition: all of them + selection: + Image: + - '*\Powershell.exe' + EventID: 1 + CommandLine: + - ' -windowstyle h ' + - ' -windowstyl h' + - ' -windowsty h' + - ' -windowst h' + - ' -windows h' + - ' -windo h' + - ' -wind h' + - ' -win h' + - ' -wi h' + - ' -win h ' + - ' -win hi ' + - ' -win hid ' + - ' -win hidd ' + - ' -win hidde ' + - ' -NoPr ' + - ' -NoPro ' + - ' -NoProf ' + - ' -NoProfi ' + - ' -NoProfil ' + - ' -nonin ' + - ' -nonint ' + - ' -noninte ' + - ' -noninter ' + - ' -nonintera ' + - ' -noninterac ' + - ' -noninteract ' + - ' -noninteracti ' + - ' -noninteractiv ' + - ' -ec ' + - ' -encodedComman ' + - ' -encodedComma ' + - ' -encodedComm ' + - ' -encodedCom ' + - ' -encodedCo ' + - ' -encodedC ' + - ' -encoded ' + - ' -encode ' + - ' -encod ' + - ' -enco ' + - ' -en ' + condition: selection falsepositives: - Penetration tests level: high 
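Review bot: The new selection matches `Image` against `'*\Powershell.exe'` with a capital P, whereas every other rule in this change set uses `'*\powershell.exe'`; on backends whose field matching is case-sensitive (Elasticsearch keyword fields, for instance) the rewritten rule would silently match nothing, so use `- '*\powershell.exe'` for consistency. The CommandLine list also contains the same entry twice (` -win h` without and ` -win h ` with a trailing space), which is harmless but suggests the list was never deduplicated. The `references:` block the hunk header points at is outside the hunk.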
diff --git a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml b/rules/windows/sysmon/sysmon_powersploit_schtasks.yml index 86a14c219..b0574753c 100644 --- a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml +++ b/rules/windows/sysmon/sysmon_powersploit_schtasks.yml @@ -21,7 +21,7 @@ detection: tags: - attack.execution - attack.persistence - - attack.privelege_escalation + - attack.privilege_escalation - attack.t1053 - attack.t1086 - attack.s0111 diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml index 3c55b45c7..1a6129d49 100644 --- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml +++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml @@ -20,7 +20,23 @@ detection: DestinationIp: - '10.*' - '192.168.*' - - '172.*' + - '172.16.*' + - '172.17.*' + - '172.18.*' + - '172.19.*' + - '172.20.*' + - '172.21.*' + - '172.22.*' + - '172.23.*' + - '172.24.*' + - '172.25.*' + - '172.26.*' + - '172.27.*' + - '172.28.*' + - '172.29.*' + - '172.30.*' + - '172.31.*' + - '127.0.0.1' condition: selection and not filter falsepositives: - Communication to other corporate systems that use IP addresses from public address spaces diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml index cea5c5ba8..c822885f0 100644 --- a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml +++ b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml @@ -17,7 +17,7 @@ detection: Image: - '*\sdbinst.exe' CommandLine: - - '*\AppPatch\*}.sdb*' + - '*\AppPatch\\*}.sdb*' condition: selection falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml index d1af4a536..cf8698f94 100644 --- a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml +++ b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml 
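Review bot: The newly added `- '127.0.0.1'` in the rundll32 filter excludes a single address, but Windows treats the whole 127.0.0.0/8 block as loopback, so a rundll32 connection to e.g. 127.0.0.2 would still alert while being just as local; `- '127.*'` would match the RFC 1918 style already used for the other entries. The 18-entry list is now a verbatim copy of the one in sysmon_powershell_network_connection.yml, so both will need to be kept in sync by hand; a comment pointing at the sibling rule, such as `# keep in sync with sysmon_powershell_network_connection.yml`, would help the next editor. The `filter:` key the list belongs to sits above the hunk.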
@@ -5,6 +5,7 @@ references: - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html author: Florian Roth date: 2018/04/06 +modified: 2019/02/05 logsource: product: windows service: sysmon @@ -25,11 +26,14 @@ detection: - '*\certutil.exe' - '*\bitsadmin.exe' - '*\mshta.exe' - condition: selection + falsepositives: + CurrentDirectory: '*\ccmcache\*' + condition: selection and not falsepositives fields: - CommandLine - ParentCommandLine falsepositives: - Administrative scripts + - Microsoft SCCM level: high diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml index d6919fb13..749d6f852 100644 --- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml +++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml 
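Review bot: The new exclusion `CurrentDirectory: '*\ccmcache\*'` is the only pattern in this change set that is not written with the `\\*` form; under the escaping rule the rest of the commit applies, a trailing `\*` is an escaped literal asterisk, so this filter would never match and the SCCM false positives it is meant to suppress remain. Write it as `CurrentDirectory: '*\ccmcache\\*'`. Naming the detection identifier `falsepositives` also collides visually with the rule's top-level `falsepositives:` list a few lines below; `filter_sccm` (matching the `filter`/`filter_*` identifiers used in the other rules here) reads clearer, with `condition: selection and not filter_sccm`. Note that a path-only exclusion like this can presumably be satisfied by an attacker who creates any directory named ccmcache, so the `level: high` still rests on the parent/child combination rather than the filter.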
@@ -1,32 +1,19 @@ +--- +action: global title: Suspicious Certutil Command status: experimental description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility -author: Florian Roth, juju4 +author: Florian Roth, juju4, keepwatch +modified: 2019/01/22 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - https://twitter.com/subTee/status/888102593838362624 - https://twitter.com/subTee/status/888071631528235010 - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ -logsource: - product: windows - service: sysmon + - https://twitter.com/egre55/status/1087685529016193025 + - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ detection: - selection: - EventID: 1 - CommandLine: - - '*certutil * -decode *' - - '*certutil * -decodehex *' - - '*certutil *-urlcache* http*' - - '*certutil *-urlcache* ftp*' - - '*certutil *-URL*' - - '*certutil *-ping*' - - '*certutil.exe * -decode *' - - '*certutil.exe * -decodehex *' - - '*certutil.exe *-urlcache* http*' - - '*certutil.exe *-urlcache* ftp*' - - '*certutil.exe *-URL*' - - '*certutil.exe *-ping*' condition: selection fields: - CommandLine 
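Review bot: The description still reads "sub commands like 'decode' sub command, which is sometimes used to decode malicious code", but the selections the rule now carries in its per-logsource documents also cover `-encode`, `-urlcache` and `-verifyctl`, and the tag list gains attack.t1105 (remote file copy), so the header under-describes what the rule alerts on. Suggested wording: `description: Detects suspicious certutil execution with sub commands such as decode, encode, urlcache or verifyctl, which are used to decode payloads or download files with the built-in certutil utility`. The `fields:` list the hunk ends on continues outside the hunk.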
@@ -34,10 +21,54 @@ fields: tags: - attack.defense_evasion - attack.t1140 + - attack.t1105 - attack.s0189 - attack.g0007 falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: high - - +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: + - '* -decode *' + - '* /decode *' + - '* -decodehex *' + - '* /decodehex *' + - '* -urlcache *' + - '* /urlcache *' + - '* -verifyctl *' + - '* /verifyctl *' + - '* -encode *' + - '* /encode *' + - '*certutil* -URL*' + - '*certutil* /URL*' + - '*certutil* -ping*' + - '*certutil* /ping*' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: + - '* -decode *' + - '* /decode *' + - '* -decodehex *' + - '* /decodehex *' + - '* -urlcache *' + - '* /urlcache *' + - '* -verifyctl *' + - '* /verifyctl *' + - '* -encode *' + - '* /encode *' + - '*certutil* -URL*' + - '*certutil* /URL*' + - '*certutil* -ping*' + - '*certutil* /ping*' diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 1bd365f63..1caa95270 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -7,7 +7,7 @@ logsource: detection: selection: EventID: 6 - ImageLoaded: '*\Temp\*' + ImageLoaded: '*\Temp\\*' condition: selection falsepositives: - there is a relevant set of false positives depending on applications in the environment diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml index 02a9eb35e..bd57cb816 100644 --- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_exec_folder.yml 
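Review bot: Most of the new command-line patterns (`'* -decode *'`, `'* /decode *'`, `'* -encode *'`, `'* -urlcache *'`, `'* -verifyctl *'` and their `/` twins) no longer contain the string `certutil` that every removed pattern had, and neither selection constrains the executable, so any process with `-decode` or `-encode` on its command line will now match this `level: high` rule; only the `-URL` and `-ping` entries keep the `*certutil*` anchor. Anchor the selections on the image instead of the command line: add `Image: '*\certutil.exe'` to the sysmon selection and `NewProcessName: '*\certutil.exe'` to the EventID 4688 selection, after which the `*certutil*` prefixes on the URL/ping entries become redundant. The shared `condition: selection` lives in the global document above this hunk.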
@@ -13,21 +13,21 @@ detection: selection: EventID: 1 Image: - - 'C:\PerfLogs\*' - - 'C:\$Recycle.bin\*' - - 'C:\Intel\Logs\*' - - 'C:\Users\Default\*' - - 'C:\Users\Public\*' - - 'C:\Users\NetworkService\*' - - 'C:\Windows\Fonts\*' - - 'C:\Windows\Debug\*' - - 'C:\Windows\Media\*' - - 'C:\Windows\Help\*' - - 'C:\Windows\addins\*' - - 'C:\Windows\repair\*' - - 'C:\Windows\security\*' - - '*\RSA\MachineKeys\*' - - 'C:\Windows\system32\config\systemprofile\*' + - 'C:\PerfLogs\\*' + - 'C:\$Recycle.bin\\*' + - 'C:\Intel\Logs\\*' + - 'C:\Users\Default\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\NetworkService\\*' + - 'C:\Windows\Fonts\\*' + - 'C:\Windows\Debug\\*' + - 'C:\Windows\Media\\*' + - 'C:\Windows\Help\\*' + - 'C:\Windows\addins\\*' + - 'C:\Windows\repair\\*' + - 'C:\Windows\security\\*' + - '*\RSA\MachineKeys\\*' + - 'C:\Windows\system32\config\systemprofile\\*' condition: selection falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_susp_execution_path.yml b/rules/windows/sysmon/sysmon_susp_execution_path.yml index d1f06b220..82d22d4d6 100644 --- a/rules/windows/sysmon/sysmon_susp_execution_path.yml +++ b/rules/windows/sysmon/sysmon_susp_execution_path.yml @@ -10,14 +10,14 @@ detection: EventID: 1 Image: - '*\$Recycle.bin' - - '*\Users\All Users\*' - - '*\Users\Default\*' - - '*\Users\Public\*' - - 'C:\Perflogs\*' - - '*\config\systemprofile\*' - - '*\Windows\Fonts\*' - - '*\Windows\IME\*' - - '*\Windows\addins\*' + - '*\Users\All Users\\*' + - '*\Users\Default\\*' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\config\systemprofile\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' condition: selection fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml b/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml index 017d726cf..b50d8960d 100644 --- a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml 
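Review bot: In sysmon_susp_execution_path.yml the untouched entry `- '*\$Recycle.bin'` has no trailing path separator or wildcard, so it only matches an Image that is literally named `$Recycle.bin` and never an executable inside the recycle bin folder, while the sibling rule in the hunk above expresses the same location as `'C:\$Recycle.bin\\*'`. Since the commit is already rewriting every other entry of this list, change it to `- '*\$Recycle.bin\\*'`. The same truncated entry appears in sysmon_susp_prog_location_network_connection.yml and the new sysmon_susp_prog_location_process_starts.yml later in this change set.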
+++ b/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml @@ -9,14 +9,14 @@ detection: selection: EventID: 1 Image: - - '*\wwwroot\*' - - '*\wmpub\*' - - '*\htdocs\*' + - '*\wwwroot\\*' + - '*\wmpub\\*' + - '*\htdocs\\*' filter: Image: - - '*bin\*' - - '*\Tools\*' - - '*\SMSComponent\*' + - '*bin\\*' + - '*\Tools\\*' + - '*\SMSComponent\\*' ParentImage: - '*\services.exe' condition: selection and not filter diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml index 6c6c893d9..c33ee2f04 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml @@ -19,7 +19,7 @@ detection: Image: - '*\powershell.exe' falsepositive: - CurrentDirectory: '*\Health Service State\*' + CurrentDirectory: '*\Health Service State\\*' condition: selection and not falsepositive fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml index d7febde9c..5008aca29 100644 --- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml 
@@ -8,22 +8,22 @@ date: 2017/03/19 logsource: product: windows service: sysmon - description: 'Use the following config to generate the necessary Event ID 3 Network Connection events' + definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' detection: selection: EventID: 3 Image: - - '*\ProgramData\*' + # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows - '*\$Recycle.bin' - - '*\Users\All Users\*' - - '*\Users\Default\*' - - '*\Users\Public\*' - - 'C:\Perflogs\*' - - '*\config\systemprofile\*' - - '*\Windows\Fonts\*' - - '*\Windows\IME\*' - - '*\Windows\addins\*' + - '*\Users\All Users\\*' + - '*\Users\Default\\*' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\config\systemprofile\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' condition: selection falsepositives: - unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml b/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml new file mode 100644 index 000000000..b8d3f7ad7 --- /dev/null +++ b/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml @@ -0,0 +1,26 @@ +title: Suspicious Program Location Process Starts +status: experimental +description: Detects programs running in suspicious files system locations +references: + - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo +author: Florian Roth +date: 2019/01/15 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + Image: + # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows + - '*\$Recycle.bin' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' + - '*\Windows\debug\\*' + condition: selection +falsepositives: + - unknown +level: high 
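Review bot: The new rule's Image list contains `- '*\$Recycle.bin'` without a trailing `\\*`, so it matches only an executable literally named `$Recycle.bin`, not programs started from inside the recycle bin, which is presumably the intent given the neighbouring `'*\Users\Public\\*'` style entries; write it as `- '*\$Recycle.bin\\*'` (the same defect is carried over unchanged in the network-connection rule above it). The rule also ships without a `tags:` block, unlike the other new rules in this set, so it will not be counted by the MITRE tag test added in this commit; if a technique applies, add it, otherwise a short comment saying none is intended would stop reviewers from asking again.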
diff --git a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml index cb6406258..7de64276f 100644 --- a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml @@ -3,7 +3,7 @@ status: experimental description: Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder author: Florian Roth date: 2018/07/18 -reference: +references: - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ logsource: product: windows @@ -13,13 +13,13 @@ detection: EventID: 13 TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' Details: - - 'C:\Windows\Temp\*' - - 'C:\ProgramData\*' - - '*\AppData\*' - - 'C:\$Recycle.bin\*' - - 'C:\Temp\*' - - 'C:\Users\Public\*' - - 'C:\Users\Default\*' + - 'C:\Windows\Temp\\*' + - 'C:\ProgramData\\*' + - '*\AppData\\*' + - 'C:\$Recycle.bin\\*' + - 'C:\Temp\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\Default\\*' condition: selection tags: - attack.persistence diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml index 2ed6e2de2..778d147e5 100644 --- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml +++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml @@ -16,7 +16,7 @@ detection: selection1: EventID: 1 Image: '*\regsvr32.exe' - CommandLine: '*\Temp\*' + CommandLine: '*\Temp\\*' # Loaded by powershell selection2: EventID: 1 diff --git a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml index 449e98ecc..de69f0985 100644 --- a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml 
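Review bot: The drive-anchored Details patterns in sysmon_susp_reg_persist_explorer_run.yml (`'C:\Windows\Temp\\*'`, `'C:\ProgramData\\*'`, `'C:\$Recycle.bin\\*'`, `'C:\Temp\\*'`, `'C:\Users\Public\\*'`, `'C:\Users\Default\\*'`) require the registry value to start with the path, so a value stored with surrounding quotes or a leading space—`"C:\ProgramData\x.exe"` is a common form for Run entries—would not match, whereas the `'*\AppData\\*'` entry in the same list tolerates that. If the quoted form is expected in the environment, give those entries a leading wildcard as well, e.g. `- '*C:\ProgramData\\*'`, or document in `falsepositives`/`description` that only unquoted values are covered. The `selection:` key itself is outside the hunk.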
@@ -15,16 +15,16 @@ detection: selection: EventID: 13 TargetObject: - - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*' - - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*' + - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' + - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*' Details: - - 'C:\Windows\Temp\*' - - '*\AppData\*' - - 'C:\$Recycle.bin\*' - - 'C:\Temp\*' - - 'C:\Users\Public\*' - - 'C:\Users\Default\*' - - 'C:\Users\Desktop\*' + - 'C:\Windows\Temp\\*' + - '*\AppData\\*' + - 'C:\$Recycle.bin\\*' + - 'C:\Temp\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\Default\\*' + - 'C:\Users\Desktop\\*' condition: selection fields: - Image diff --git a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml index 0183aeca7..3855cb81c 100644 --- a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml +++ b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml @@ -19,7 +19,7 @@ fields: tags: - attack.execution - attack.persistence - - attack.privelege_escalation + - attack.privilege_escalation - attack.t1053 - attack.s0111 falsepositives: diff --git a/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml b/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml index 0336ebb38..d700b9324 100644 --- a/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml +++ b/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml @@ -1,7 +1,7 @@ title: Suspicious TSCON Start status: experimental description: Detects a tscon.exe start as LOCAL SYSTEM -reference: +references: - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml b/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml index b173a5c85..ec7b0788d 100644 
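Review bot: The Details entry `'C:\Users\Desktop\\*'` names a folder that does not exist in a standard profile layout (a user's Desktop is `C:\Users\<name>\Desktop`), so as written it can only match a value under a literally named `C:\Users\Desktop` directory; if the intent is any user's Desktop, `- '*\Desktop\\*'` expresses it, and if the literal path is intended a short comment explaining why would save the next reviewer the same question. As in the explorer Run rule in this change set, the drive-anchored entries also presume the value is stored without surrounding quotes.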
--- a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml +++ b/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml @@ -3,14 +3,13 @@ action: global title: Suspicious RDP Redirect Using TSCON status: experimental description: Detects a suspicious RDP session redirect using tscon.exe -reference: +references: - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth date: 2018/03/17 +modified: 2018/12/11 detection: - selection: - CommandLine: '* /dest:rdp-tcp:*' condition: selection falsepositives: - Unknown @@ -22,11 +21,13 @@ logsource: detection: selection: EventID: 1 + CommandLine: '* /dest:rdp-tcp:*' --- logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: - EventID: 4688 \ No newline at end of file + EventID: 4688 + ProcessCommandLine: '* /dest:rdp-tcp:*' \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml index ad4a0db3c..396378da1 100644 --- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml +++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml 
@@ -18,8 +18,8 @@ detection: - 'vssadmin.exe Delete Shadows' # Hacking - 'vssadmin create shadow /for=C:' - - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit' - - 'copy \\?\GLOBALROOT\Device\*\config\SAM' + - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit' + - 'copy \\?\GLOBALROOT\Device\\*\config\SAM' - 'vssadmin delete shadows /for=C:' - 'reg SAVE HKLM\SYSTEM ' condition: selection diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml index 4a568ec4f..92f738444 100644 --- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml +++ b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml @@ -24,8 +24,8 @@ detection: - '*\conhost.exe' filter: Image: - - '*\System32\*' - - '*\SysWow64\*' + - '*\System32\\*' + - '*\SysWow64\\*' condition: selection and not filter tags: - attack.defense_evasion diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index 5d861b40a..0a812ad5d 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -11,7 +11,7 @@ logsource: detection: methregistry: EventID: 13 - TargetObject: 'HKEY_USERS\*\mscfile\shell\open\command' + TargetObject: 'HKEY_USERS\\*\mscfile\shell\open\command' methprocess: EventID: 1 ParentImage: '*\eventvwr.exe' @@ -28,5 +28,3 @@ tags: falsepositives: - unknown level: critical - - diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml index 152fc12ea..dbb12c818 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml @@ -10,7 +10,7 @@ logsource: detection: selection: EventID: 13 - TargetObject: 'HKEY_USERS\*\Classes\exefile\shell\runas\command\isolatedCommand' + TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand' condition: selection tags: - attack.defense_evasion 
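Review bot: The sysmon_system_exe_anomaly.yml filter accepts any Image containing `\System32\` or `\SysWow64\` because both patterns start with a wildcard, so a process named svchost.exe or conhost.exe started from an attacker-created `C:\Users\Public\System32\` passes the filter and this anomaly rule misses exactly the masquerading it exists to catch. Anchor the filter on the Windows directory, e.g. `- '*:\Windows\System32\\*'` and `- '*:\Windows\SysWOW64\\*'`, or `C:\Windows\...` if non-C system drives are not a concern in the environment. The `selection:` list of system binaries starts above the hunk.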
diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml index 50cc23973..39fead4b2 100644 --- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml +++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml @@ -14,7 +14,7 @@ detection: DestinationHostname: - '*.github.com' - '*.githubusercontent.com' - Image: 'C:\Windows\*' + Image: 'C:\Windows\\*' condition: selection falsepositives: - 'Unknown' diff --git a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml index d2013361a..f0eea3c8c 100644 --- a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml +++ b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml @@ -15,7 +15,7 @@ detection: DestinationHostname: - '*dl.dropboxusercontent.com' - '*.pastebin.com' - Image: 'C:\Windows\*' + Image: 'C:\Windows\\*' condition: selection falsepositives: - 'Unknown' diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yaml b/rules/windows/sysmon/sysmon_win_reg_persistence.yml similarity index 87% rename from rules/windows/sysmon/sysmon_win_reg_persistence.yaml rename to rules/windows/sysmon/sysmon_win_reg_persistence.yml index db0502f9b..27dd71e66 100644 --- a/rules/windows/sysmon/sysmon_win_reg_persistence.yaml +++ b/rules/windows/sysmon/sysmon_win_reg_persistence.yml 
@@ -11,9 +11,9 @@ detection: selection_reg1: EventID: 13 TargetObject: - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\ReportingMode' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess' + - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag' + - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode' + - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess' EventType: 'SetValue' condition: 1 of them tags: diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml new file mode 100644 index 000000000..95177ba63 --- /dev/null +++ b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml @@ -0,0 +1,22 @@ +title: WMI Event Subscription +status: experimental +description: Detects creation of WMI event subscription persistence method +references: + - https://attack.mitre.org/techniques/T1084/ +tags: + - attack.t1084 + - attack.persistence +author: Tom Ueltschi (@c_APT_ure) +logsource: + product: windows + service: sysmon +detection: + selector: + EventID: + - 19 + - 20 + - 21 + condition: selector +falsepositives: + - exclude legitimate (vetted) use of WMI event subscription in your network +level: high diff --git a/sigma-schema.rx.yaml b/sigma-schema.rx.yml similarity index 100% rename from sigma-schema.rx.yaml rename to sigma-schema.rx.yml diff --git a/tests/test_rules.py b/tests/test_rules.py new file mode 100755 index 000000000..5ee0aad6e --- /dev/null +++ b/tests/test_rules.py 
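Review bot: The new WMI Event Subscription rule has no `date:` field, unlike the other new rules in this change set, and its logsource does not tell operators what is needed to produce EventIDs 19–21, which Sysmon presumably only emits when the configuration contains WmiEvent filtering rules; a `definition:` line under `logsource:` along the lines of `definition: 'Requires a Sysmon configuration that enables WmiEvent (EventID 19, 20, 21) logging'` would match how sysmon_susp_certutil_command.yml documents its 4688 prerequisites. The `falsepositives` entry is advice ("exclude legitimate (vetted) use") rather than a source of false positives; naming typical legitimate subscribers, such as management agents, would make the field usable for tuning.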
@@ -0,0 +1,83 @@ +#!/usr/bin/env python3 +""" +Checks for noncompliance or common errors on all rules + +Run using the command +# python -m unittest test_rules.py +""" + +import os +import unittest +import yaml + +class TestRules(unittest.TestCase): + MITRE_TECHNIQUES = ["t1075", "t1189", "t1190", "t1200", "t1091", "t1193", "t1192", "t1194", "t1195", "t1199", "t1078", "t1155", "t1191", "t1059", "t1223", "t1196", "t1173", "t1106", "t1129", "t1203", "t1061", "t1118", "t1152", "t1168", "t1177", "t1170", "t1086", "t1121", "t1117", "t1085", "t1053", "t1064", "t1035", "t1218", "t1216", "t1153", "t1151", "t1072", "t1154", "t1127", "t1204", "t1047", "t1028", "t1220", "t1156", "t1015", "t1098", "t1182", "t1103", "t1138", "t1131", "t1197", "t1067", "t1176", "t1042", "t1109", "t1122", "t1136", "t1038", "t1157", "t1133", "t1044", "t1158", "t1179", "t1062", "t1183", "t1215", "t1159", "t1160", "t1152", "t1161", "t1168", "t1162", "t1037", "t1031", "t1128", "t1050", "t1137", "t1034", "t1150", "t1205", "t1013", "t1163", "t1164", "t1108", "t1060", "t1053", "t1180", "t1101", "t1058", "t1166", "t1023", "t1198", "t1165", "t1019", "t1209", "t1154", "t1078", "t1100", "t1084", "t1004", "t1134", "t1015", "t1182", "t1103", "t1138", "t1088", "t1038", "t1157", "t1068", "t1181", "t1044", "t1179", "t1183", "t1160", "t1050", "t1034", "t1150", "t1013", "t1055", "t1053", "t1058", "t1166", "t1178", "t1165", "t1169", "t1206", "t1078", "t1100", "t1134", "t1009", "t1197", "t1088", "t1146", "t1191", "t1116", "t1223", "t1109", "t1122", "t1196", "t1207", "t1140", "t1089", "t1038", "t1073", "t1211", "t1181", "t1107", "t1222", "t1006", "t1144", "t1158", "t1147", "t1143", "t1148", "t1183", "t1054", "t1066", "t1070", "t1202", "t1130", "t1118", "t1152", "t1149", "t1036", "t1112", "t1170", "t1126", "t1096", "t1027", "t1150", "t1205", "t1186", "t1093", "t1055", "t1108", "t1121", "t1117", "t1014", "t1085", "t1064", "t1218", "t1216", "t1198", "t1045", "t1151", "t1221", "t1099", "t1127", "t1078", "t1102", "t1220", 
"t1098", "t1139", "t1110", "t1003", "t1081", "t1214", "t1212", "t1187", "t1179", "t1056", "t1141", "t1208", "t1142", "t1171", "t1040", "t1174", "t1145", "t1167", "t1111", "t1087", "t1010", "t1217", "t1083", "t1046", "t1135", "t1040", "t1201", "t1120", "t1069", "t1057", "t1012", "t1018", "t1063", "t1082", "t1016", "t1049", "t1033", "t1124", "t1155", "t1017", "t1175", "t1210", "t1037", "t1097", "t1076", "t1105", "t1021", "t1091", "t1051", "t1184", "t1080", "t1072", "t1077", "t1028", "t1123", "t1119", "t1115", "t1213", "t1005", "t1039", "t1025", "t1074", "t1114", "t1056", "t1185", "t1113", "t1125", "t1020", "t1002", "t1022", "t1030", "t1048", "t1041", "t1011", "t1052", "t1029", "t1043", "t1092", "t1090", "t1094", "t1024", "t1132", "t1001", "t1172", "t1008", "t1188", "t1104", "t1026", "t1079", "t1205", "t1219", "t1105", "t1071", "t1032", "t1095", "t1065", "t1102"] + MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list + MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control"] + MITRE_GROUPS = ["g0018", "g0006", "g0005", "g0023", "g0025", "g0026", "g0073", "g0007", "g0016", "g0022", "g0013", "g0050", "g0064", "g0067", "g0001", "g0063", "g0060", "g0008", "g0058", "g0003", "g0080", "g0052", "g0070", "g0012", "g0079", "g0009", "g0035", "g0074", "g0017", "g0031", "g0066", "g0020", "g0051", "g0053", "g0037", "g0046", "g0061", "g0047", "g0036", "g0078", "g0043", "g0072", "g0004", "g0032", "g0077", "g0065", "g0030", "g0059", "g0045", "g0002", "g0021", "g0069", "g0019", "g0055", "g0014", "g0049", "g0071", "g0040", "g0011", "g0068", "g0033", "g0056", "g0024", "g0075", "g0048", "g0034", "g0029", "g0054", "g0038", "g0041", "g0039", "g0062", "g0015", "g0028", "g0027", "g0076", "g0010", "g0044"] + MITRE_SOFTWARE = ["s0066", "s0065", "s0202", "s0309", "s0045", 
"s0092", "s0319", "s0296", "s0304", "s0310", "s0292", "s0099", "s0073", "s0110", "s0129", "s0093", "s0031", "s0245", "s0128", "s0234", "s0239", "s0127", "s0017", "s0268", "s0190", "s0069", "s0089", "s0114", "s0293", "s0252", "s0204", "s0014", "s0043", "s0119", "s0025", "s0274", "s0077", "s0030", "s0261", "s0222", "s0160", "s0220", "s0323", "s0144", "s0107", "s0020", "s0023", "s0054", "s0106", "s0154", "s0244", "s0126", "s0212", "s0137", "s0050", "s0046", "s0115", "s0235", "s0187", "s0255", "s0243", "s0301", "s0021", "s0200", "s0213", "s0281", "s0134", "s0186", "s0300", "s0320", "s0105", "s0315", "s0038", "s0062", "s0024", "s0081", "s0064", "s0082", "s0091", "s0152", "s0076", "s0181", "s0171", "s0267", "s0120", "s0182", "s0143", "s0036", "s0173", "s0193", "s0277", "s0095", "s0168", "s0049", "s0032", "s0026", "s0249", "s0290", "s0237", "s0008", "s0132", "s0047", "s0151", "s0037", "s0214", "s0246", "s0224", "s0071", "s0061", "s0170", "s0087", "s0135", "s0009", "s0232", "s0040", "s0070", "s0068", "s0322", "s0321", "s0203", "s0101", "s0278", "s0259", "s0260", "s0231", "s0100", "s0189", "s0015", "s0163", "s0044", "s0201", "s0283", "s0325", "s0215", "s0088", "s0265", "s0276", "s0271", "s0288", "s0250", "s0162", "s0156", "s0236", "s0211", "s0042", "s0121", "s0010", "s0282", "s0317", "s0167", "s0303", "s0175", "s0002", "s0179", "s0133", "s0051", "s0280", "s0084", "s0083", "s0080", "s0079", "s0149", "s0284", "s0256", "s0233", "s0205", "s0228", "s0247", "s0102", "s0272", "s0210", "s0039", "s0056", "s0034", "s0108", "s0104", "s0033", "s0198", "s0118", "s0299", "s0286", "s0138", "s0285", "s0052", "s0264", "s0229", "s0165", "s0072", "s0016", "s0208", "s0122", "s0316", "s0289", "s0158", "s0048", "s0097", "s0124", "s0291", "s0254", "s0013", "s0067", "s0012", "s0216", "s0150", "s0177", "s0139", "s0145", "s0194", "s0223", "s0184", "s0113", "s0279", "s0238", "s0029", "s0078", "s0147", "s0196", "s0197", "s0192", "s0006", "s0269", "s0262", "s0055", "s0241", "s0169", "s0295", "s0172", 
"s0326", "s0153", "s0075", "s0019", "s0166", "s0125", "s0174", "s0258", "s0003", "s0112", "s0270", "s0240", "s0103", "s0090", "s0148", "s0313", "s0253", "s0085", "s0074", "s0111", "s0195", "s0053", "s0185", "s0140", "s0294", "s0028", "s0063", "s0217", "s0007", "s0327", "s0218", "s0226", "s0159", "s0273", "s0157", "s0035", "s0227", "s0324", "s0305", "s0225", "s0058", "s0188", "s0328", "s0142", "s0018", "s0242", "s0060", "s0096", "s0098", "s0011", "s0329", "s0057", "s0164", "s0146", "s0131", "s0004", "s0183", "s0266", "s0307", "s0306", "s0308", "s0094", "s0001", "s0178", "s0199", "s0302", "s0263", "s0116", "s0221", "s0130", "s0275", "s0022", "s0136", "s0207", "s0257", "s0180", "s0109", "s0206", "s0005", "s0155", "s0219", "s0191", "s0176", "s0059", "s0141", "s0041", "s0312", "s0314", "s0161", "s0298", "s0123", "s0297", "s0318", "s0117", "s0311", "s0248", "s0251", "s0287", "s0027", "s0230", "s0086"] + MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE] + + path_to_rules = "rules" + + + # Helper functions + def yield_next_rule_file_path(self, path_to_rules:str) -> str: + for root, _, files in os.walk(path_to_rules): + for file in files: + yield os.path.join(root, file) + + + def get_rule_part(self, file_path:str, part_name:str): + yaml_dicts = self.get_rule_yaml(file_path) + for yaml_part in yaml_dicts: + if part_name in yaml_part.keys(): + return yaml_part[part_name] + + return None + + + def get_rule_yaml(self, file_path:str) -> dict: + data = [] + + with open(file_path) as f: + yaml_parts = yaml.load_all(f) + for part in yaml_parts: + data.append(part) + + return data + + + # Tests + def test_confirm_extension_is_yml(self): + files_with_incorrect_extensions = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + file_name_and_extension = os.path.splitext(file) + if len(file_name_and_extension) == 2: + extension = file_name_and_extension[1] + if extension != ".yml": + 
files_with_incorrect_extensions.append(file) + + self.assertEqual(files_with_incorrect_extensions, [], + "There are rule files with extensions other than .yml") + + + def test_confirm_correct_mitre_tags(self): + files_with_incorrect_mitre_tags = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + tags = self.get_rule_part(file_path=file, part_name="tags") + if tags: + for tag in tags: + if tag not in self.MITRE_ALL and tag.startswith("attack."): + print("Rule {} has the following incorrect tag {}".format(file, tag)) + files_with_incorrect_mitre_tags.append(file) + + self.assertEqual(files_with_incorrect_mitre_tags, [], + "There are rules with incorrect MITRE Tags") + + + +if __name__ == "__main__": + unittest.main() diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml index 7e6a15fff..f40ca3781 100644 --- a/tools/config/arcsight.yml +++ b/tools/config/arcsight.yml @@ -46,6 +46,11 @@ logsources: service: powershell conditions: deviceVendor: Microsoft + windows-dhcp: + product: windows + service: dhcp + conditions: + deviceVendor: Microsoft windows-system: product: windows service: system @@ -85,7 +90,7 @@ logsources: conditions: deviceProduct: Apache categoryDeviceGroup: /Application - firewall: + firewall: product: firewall conditions: categoryDeviceGroup: /Firewall diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index a408123c8..10b477ba6 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml @@ -27,4 +27,9 @@ logsources: service: driver-framework conditions: source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'Microsoft-Windows-DHCP-Server/Operational' defaultindex: logstash-* diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 20bf500fc..c485831a1 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml 
@@ -27,6 +27,11 @@ logsources: service: driver-framework conditions: source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'Microsoft-Windows-DHCP-Server/Operational' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' @@ -63,6 +68,7 @@ fieldmappings: ImageLoaded: event_data.ImageLoaded ImagePath: event_data.ImagePath Imphash: event_data.Imphash + IpAddress: event_data.IpAddress LogonProcessName: event_data.LogonProcessName LogonType: event_data.LogonType NewProcessName: event_data.NewProcessName diff --git a/tools/config/helk.yml b/tools/config/helk.yml index 9a0e245b7..196f01dd7 100644 --- a/tools/config/helk.yml +++ b/tools/config/helk.yml 
@@ -27,67 +27,125 @@ logsources: product: windows service: powershell-classic index: logs-endpoint-winevent-powershell-* + defaultindex: logs-* fieldmappings: AccessMask: object_access_mask_requested - AccountName: service_account_name + AccountName: user_name AllowedToDelegateTo: user_attribute_allowed_todelegate AttributeLDAPDisplayName: dsobject_attribute_name AuditPolicyChanges: policy_changes AuthenticationPackageName: logon_authentication_package - CallTrace: process_calltrace - CommandLine: command_line + CallingProcessName: process_path + CallTrace: process_call_trace + CommandLine: process_command_line + Company: file_company ComputerName: host_name + Configuration: + EventID=16: sysmon_configuration CurrentDirectory: process_current_directory - DestinationHostname: dst_host - DestinationIp: dst_ip - DestinationIsIpv6: dst_isipv6 - DestinationPort: dst_port_number - Details: registry_details + Description: file_description + Destination: + EventID=20: wmi_consumer_destination + DestinationHostname: dst_host_name + DestinationIp: dst_ip_addr + DestinationIsIpv6: dst_is_ipv6 + DestinationPort: dst_port + DestinationPortName: dst_port_name + Details: + EventID=13: registry_key_value + Device: device_name EngineVersion: powershell.engine.version EventID: event_id - EventType: - EventID=12: registry_event_type - EventID=13: registry_event_type - EventID=14: registry_event_type - EventID=19: wmi_event_type - EventID=20: wmi_event_type - EventID=21: wmi_event_type + EventType: event_type + EventNamespace: + EventID=19: wmi_namespace + Filter: + EventID=21: wmi_filter_path FailureCode: ticket_failure_code + FileName: file_name + FileVersion: file_version GrantedAccess: process_granted_access GroupName: group_name HiveName: hive_name HostVersion: powershell.host.version Image: process_path - ImageLoaded: image_loaded + ImageLoaded: + EventID=6: driver_loaded + EventID=7: module_loaded + Imphash: hash_imphash + Initiated: + EventID=3: network_initiated" + 
IntegrityLevel: + EventID=1: process_integrity_level LogonProcessName: logon_process_name LogonType: logon_type + MachineName: host_name + Name: + EventID=19: wmi_name + EventID=20: wmi_name NewProcessName: process_path + NewName: + EventID=14: registry_key_new_name ObjectClass: dsobject_class ObjectName: object_name ObjectType: object_type ObjectValueName: object_value_name + Operation: + EventID=19: wmi_operation + EventID=20: wmi_operation + EventID=21: wmi_operation OperationType: object_operation_type ParentImage: process_parent_path + PasswordLastSet: user_attribute_password_lastset + Path: process_path + ParentCommandLine: process_parent_command_line PipeName: pipe_name ProcessName: process_path + ProcesssCommandLine: process_command_line + Product: file_product + Properties: object_properties + Protocol: + EventID=3: network_protocol + Query: + EventID=19: wmi_query RelativeTargetName: share_relative_target_name + SchemaVersion: + EventID=4: sysmon_schema_version ServiceFileName: service_image_path ServiceName: service_name ShareName: share_name + Signature: signature + SignatureStatus: signature_status + Signed: signed Source: source_name + SourceHostname: src_host_name SourceImage: process_path - StartModule: thread_startmodule - Status: logon_failure_status - SubjectUserName: user_name + SourcePort: src_port + SourcePortName: src_port_name + StartAddress: thread_start_address + StartFunction: thread_start_function + StartModule: thread_start_module + Status: event_status + State: + EventID=4: service_state + EventID=16: sysmon_configuration_state + SubjectUserName: + EventID=4624: user_reporter_name + EventId=4648: user_name + EventID=5140: user_name TargetFilename: file_name - TargetImage: process_target_path - TargetObject: registry_target_object TargetImage: target_process_path + TargetProcessAddress: thread_start_address + TargetObject: registry_key_path TaskName: task_name TicketEncryptionType: ticket_encryption_type TicketOptions: ticket_options - 
User: user + Type: + EventID=20: wmi_consumer_type + User: user_account UserName: user_name - Workstation: src_host - WorkstationName: src_host + Version: + EventID=4: sysmon_version + Workstation: src_host_name + WorkstationName: src_host_name \ No newline at end of file diff --git a/tools/config/logpoint-windows-all.yml b/tools/config/logpoint-windows-all.yml index ec6bb3cac..60965fc60 100644 --- a/tools/config/logpoint-windows-all.yml +++ b/tools/config/logpoint-windows-all.yml @@ -19,6 +19,12 @@ logsources: service: driver-framework conditions: source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'Microsoft-Windows-DHCP-Server/Operational' + fieldmappings: EventID: event_id FailureCode: result_code diff --git a/tools/config/netwitness.yml b/tools/config/netwitness.yml index fe86921b4..beffc181e 100644 --- a/tools/config/netwitness.yml +++ b/tools/config/netwitness.yml @@ -30,6 +30,12 @@ logsources: service: powershell conditions: device.type: winevent_nic + windows-dhcp: + product: windows + service: dhcp + conditions: + device.type: winevent_nic + event.source: microsoft-windows-dhcp-server windows-sec: product: windows service: security diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml index 8464ade07..beec09237 100644 --- a/tools/config/powershell-windows-all.yml +++ b/tools/config/powershell-windows-all.yml @@ -60,3 +60,8 @@ logsources: service: ntlm conditions: LogName: 'Microsoft-Windows-NTLM/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + LogName: 'Microsoft-Windows-DHCP-Server/Operational' diff --git a/tools/config/qradar.yml b/tools/config/qradar.yml index 0a56c7caa..d86bbd186 100644 --- a/tools/config/qradar.yml +++ b/tools/config/qradar.yml 
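Review bot: The new `Initiated:` mapping in helk.yml carries a stray double quote at the end of its value, `EventID=3: network_initiated"`; YAML keeps that character in the plain scalar, so the generated field name would literally end in `"`. The fix is `EventID=3: network_initiated`. Under `SubjectUserName`, the entry `EventId=4648: user_name` spells the key differently from its siblings `EventID=4624` and `EventID=5140`, and the conditional matcher presumably compares the key text exactly, so that entry would never apply — it should read `EventID=4648: user_name`. `ProcesssCommandLine: process_command_line` has three s's and therefore maps a field name no rule uses; `ProcessCommandLine` looks intended.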
@@ -26,11 +26,14 @@ logsources: index: flows fieldmappings: - dst: - - destinationIP - dst_ip: - - destinationIP - src: - - sourceIP - src_ip: - - sourceIP + EventID: + - Event ID Code + dst: + - destinationIP + dst_ip: + - destinationIP + src: + - sourceIP + src_ip: + - sourceIP + ServiceFileName: Service Name diff --git a/tools/config/spark.yml b/tools/config/spark.yml index 7d39bff59..943f29fa6 100644 --- a/tools/config/spark.yml +++ b/tools/config/spark.yml @@ -9,7 +9,7 @@ logsources: service: security sources: - 'WinEventLog:Security' - windows-security: + windows-system: product: windows service: system sources: @@ -24,7 +24,7 @@ logsources: service: powershell sources: - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' - windows-powershell: + windows-taskscheduler: product: windows service: taskscheduler sources: @@ -34,6 +34,11 @@ logsources: service: wmi sources: - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' + windows-dhcp: + product: windows + service: dhcp + sources: + - 'Microsoft-Windows-DHCP-Server' apache: category: webserver sources: diff --git a/tools/config/splunk-windows-all.yml b/tools/config/splunk-windows-all.yml index dad385ae2..15f768e1d 100644 --- a/tools/config/splunk-windows-all.yml +++ b/tools/config/splunk-windows-all.yml @@ -60,5 +60,10 @@ logsources: service: ntlm conditions: source: 'Microsoft-Windows-NTLM/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'Microsoft-Windows-DHCP-Server/Operational' fieldmappings: EventID: EventCode diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml new file mode 100644 index 000000000..d1467b984 --- /dev/null +++ b/tools/config/sumologic.yml 
@@ -0,0 +1,60 @@ +# Sumulogic mapping depends on customer configuration. Adapt to your context! +# typically rule on _sourceCategory, _index or Field Extraction Rules (FER) +# supposing existing FER for service, EventChannel, EventID +logsources: + linux: + product: linux + index: LINUX + linux-sshd: + product: linux + service: sshd + index: LINUX + linux-auth: + product: linux + service: auth + index: LINUX + linux-clamav: + product: linux + service: clamav + index: LINUX + windows: + product: windows + index: WINDOWS + windows-sysmon: + product: windows + service: sysmon + conditions: + EventChannel: Microsoft-Windows-Sysmon + index: WINDOWS + windows-security: + product: windows + service: security + conditions: + EventChannel: Security + index: WINDOWS + windows-powershell: + product: windows + service: powershell + conditions: + EventChannel: Microsoft-Windows-Powershell + index: WINDOWS + windows-system: + product: windows + service: system + conditions: + EventChannel: System + index: WINDOWS + windows-dhcp: + product: windows + service: dhcp + conditions: + EventChannel: Microsoft-Windows-DHCP-Server + index: WINDOWS + apache: + product: apache + service: apache + index: WEBSERVER + firewall: + product: firewall + index: FIREWALL +# if no index, search in all indexes diff --git a/tools/setup.py b/tools/setup.py index 281e82cb8..866bc5844 100644 --- a/tools/setup.py +++ b/tools/setup.py @@ -13,7 +13,7 @@ with open(path.join(here, 'README.md'), encoding='utf-8') as f: setup( name='sigmatools', - version='0.6', + version='0.7.1', description='Tools for the Generic Signature Format for SIEM Systems', long_description=long_description, url='https://github.com/Neo23x0/sigma', 
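Review bot: The header comment of the new sumologic.yml misspells the product name; it should read `# Sumologic mapping depends on customer configuration. Adapt to your context!`. The `windows-powershell` logsource uses `EventChannel: Microsoft-Windows-Powershell`, whereas the other configurations in this commit spell the channel `Microsoft-Windows-PowerShell` (see the spark.yml context above); if the Field Extraction Rule match is case-sensitive this entry would silently never match, so it is worth confirming the spelling against the extraction rule it relies on.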
@@ -30,33 +30,38 @@ setup( 'License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)', 'Programming Language :: Python :: 3.5', 'Programming Language :: Python :: 3.6', + 'Programming Language :: Python :: 3.7', 'Environment :: Console', ], keywords='security monitoring siem logging signatures elasticsearch splunk ids sysmon', - packages=['sigma'], + packages=['sigma', 'sigma.backends', 'sigma.config', 'sigma.parser'], python_requires='~=3.5', - install_requires=['PyYAML'], + install_requires=['PyYAML', 'pymisp'], extras_require={ 'test': ['coverage', 'yamllint'], }, data_files=[ ('etc/sigma', [ - 'config/arcsight.yml', - 'config/elk-defaultindex-filebeat.yml', - 'config/elk-defaultindex-logstash.yml', + 'config/qualys.yml', 'config/elk-defaultindex.yml', - 'config/elk-linux.yml', + 'config/arcsight.yml', + 'config/sumologic.yml', + 'config/netwitness.yml', 'config/elk-windows.yml', 'config/helk.yml', + 'config/elk-defaultindex-logstash.yml', + 'config/elk-linux.yml', 'config/logpoint-windows-all.yml', - 'config/qualys.yml', - 'config/qradar.yml', 'config/spark.yml', - 'config/netwitness.yml', + 'config/elk-winlogbeat.yml', + 'config/elk-defaultindex-filebeat.yml', 'config/splunk-windows-all.yml', + 'config/qradar.yml', + 'config/powershell-windows-all.yml', ])], scripts=[ 'sigmac', - 'merge_sigma' + 'merge_sigma', + 'sigma2misp', ] ) diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index 4b6a5e1ef..2b6cab3cb 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py 
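Review bot: `install_requires` now pulls in `pymisp` for every sigmatools installation, although presumably only the newly added `sigma2misp` script needs it. Keeping `install_requires=['PyYAML']` and declaring `extras_require={'test': ['coverage', 'yamllint'], 'misp': ['pymisp']}` would let users who only run `sigmac` avoid the extra dependency and its transitive packages. The `data_files` list is also reordered with no apparent rule; if it is meant to enumerate every file under `config/`, sorting it alphabetically makes omissions easier to spot in review.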
@@ -166,7 +166,7 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): valueExpression = None # Expression of values, %s represents value nullExpression = None # Expression of queries for null values or non-existing fields. %s is field name notNullExpression = None # Expression of queries for not null values. %s is field name - mapExpression = None # Syntax for field/value conditions. First %s is key, second is value + mapExpression = None # Syntax for field/value conditions. First %s is fieldname, second is value mapListsSpecialHandling = False # Same handling for map items with list values as for normal values (strings, integers) if True, generateMapItemListNode method is called with node mapListValueExpression = None # Syntax for field/value condititons where map value is a list 
@@ -206,16 +206,18 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): return self.listExpression % (self.listSeparator.join([self.generateNode(value) for value in node])) def generateMapItemNode(self, node): - key, value = node + fieldname, value = node + + transformed_fieldname = self.fieldNameMapping(fieldname, value) if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): - return self.mapExpression % (key, self.generateNode(value)) + return self.mapExpression % (transformed_fieldname, self.generateNode(value)) elif type(value) == list: - return self.generateMapItemListNode(key, value) + return self.generateMapItemListNode(transformed_fieldname, value) else: raise TypeError("Backend does not support map values of type " + str(type(value))) - def generateMapItemListNode(self, key, value): - return self.mapListValueExpression % (key, self.generateNode(value)) + def generateMapItemListNode(self, fieldname, value): + return self.mapListValueExpression % (fieldname, self.generateNode(value)) def generateValueNode(self, node): return self.valueExpression % (self.cleanValue(str(node))) @@ -225,3 +227,11 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): def generateNotNULLValueNode(self, node): return self.notNullExpression % (node.item) + + def fieldNameMapping(self, fieldname, value): + """ + Alter field names depending on the value(s). Backends may use this method to perform a final transformation of the field name + in addition to the field mapping defined in the conversion configuration. The field name passed to this method was already + transformed from the original name given in the Sigma rule. + """ + return fieldname diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index c15d5a3ce..2cf4ed0fc 100644 --- a/tools/sigma/backends/elasticsearch.py 
+++ b/tools/sigma/backends/elasticsearch.py @@ -17,16 +17,58 @@ import json import re import sigma +import yaml from .base import BaseBackend, SingleTextQueryBackend from .mixins import RulenameCommentMixin, MultiRuleOutputMixin from .exceptions import NotSupportedError -class ElasticsearchQuerystringBackend(SingleTextQueryBackend): +class ElasticsearchWildcardHandlingMixin(object): + """ + Determine field mapping to keyword subfields depending on existence of wildcards in search values. Further, + provide configurability with backend parameters. + """ + options = SingleTextQueryBackend.options + ( + ("keyword_field", "keyword", "Keyword sub-field name", None), + ("keyword_blacklist", None, "Fields that don't have a keyword subfield", None) + ) + reContainsWildcard = re.compile("(?]") andToken = " AND " orToken = " OR " @@ -34,17 +76,27 @@ class ElasticsearchQuerystringBackend(SingleTextQueryBackend): subExpression = "(%s)" listExpression = "(%s)" listSeparator = " " - valueExpression = "\"%s\"" + valueExpression = "%s" nullExpression = "NOT _exists_:%s" notNullExpression = "_exists_:%s" mapExpression = "%s:%s" mapListsSpecialHandling = False -class ElasticsearchDSLBackend(RulenameCommentMixin, BaseBackend): + def generateValueNode(self, node): + result = super().generateValueNode(node) + if result == "" or result.isspace(): + return '""' + else: + if self.matchKeyword: # don't quote search value on keyword field + return result + else: + return "\"%s\"" % result + +class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend): """ElasticSearch DSL backend""" identifier = 'es-dsl' active = True - options = ( + options = RulenameCommentMixin.options + ElasticsearchWildcardHandlingMixin.options + ( ("es", "http://localhost:9200", "Host and port of Elasticsearch instance", None), ("output", "import", "Output format: import = JSON search request, curl = Shell script that do the search queries via curl", "output_type"), ) 
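Review bot: `generateValueNode` in `ElasticsearchQuerystringBackend` returns the value unquoted whenever `self.matchKeyword` is set, so a keyword-field value containing whitespace or query_string operators would be parsed as several terms instead of one wildcard term, unless `reEscape` already escapes those characters (the expression is not legible in this view — confirm). If it does not, escaping spaces in the unquoted branch, e.g. `return result.replace(" ", "\\ ")`, keeps the term intact. `self.matchKeyword` is read here but set elsewhere (presumably by the mixin's `fieldNameMapping` during `generateMapItemNode`), so the method depends on call order; a comment such as `# matchKeyword is set by fieldNameMapping() for the current field before its values are rendered` would make that explicit. Style: the `else:` after `return '""'` can be dropped in favour of a flat sequence of `if`/`return` statements.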
@@ -104,6 +156,12 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, BaseBackend): def generateListNode(self, node): raise NotImplementedError("%s : (%s) Node type not implemented for this backend"%(self.title, 'generateListNode')) + def cleanValue(self, value): + """ + Remove Sigma quoting from value. Currently, this appears only in one case: \\\\* + """ + return value.replace("\\\\*", "\\*") + def generateMapItemNode(self, node): key, value = node if type(value) not in (str, int, list): @@ -111,10 +169,21 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, BaseBackend): if type(value) is list: res = {'bool': {'should': []}} for v in value: - res['bool']['should'].append({'match_phrase': {key: v}}) + key_mapped = self.fieldNameMapping(key, v) + if self.matchKeyword: # searches against keyowrd fields are wildcard searches, phrases otherwise + queryType = 'wildcard' + else: + queryType = 'match_phrase' + + res['bool']['should'].append({queryType: {key_mapped: self.cleanValue(str(v))}}) return res else: - return {'match_phrase': {key: value}} + key_mapped = self.fieldNameMapping(key, value) + if self.matchKeyword: # searches against keyowrd fields are wildcard searches, phrases otherwise + queryType = 'wildcard' + else: + queryType = 'match_phrase' + return {queryType: {key_mapped: self.cleanValue(str(value))}} def generateValueNode(self, node): return {'multi_match': {'query': node, 'fields': [], 'type': 'phrase'}} @@ -153,7 +222,6 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, BaseBackend): break raise NotImplementedError("%s : The '%s' aggregation operator is not yet implemented for this backend"%(self.title, funcname)) - def generateBefore(self, parsed): self.queries.append({'query': {'constant_score': {'filter': {}}}}) 
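Review bot: The query-type selection in `ElasticsearchDSLBackend.generateMapItemNode` is duplicated in the list and scalar branches, and both copies carry the same comment typo (`keyowrd`). A one-line private helper, `def _queryType(self): return 'wildcard' if self.matchKeyword else 'match_phrase'`, called right after each `fieldNameMapping` would remove the repetition; the per-element call inside the list loop should stay, since `self.matchKeyword` presumably reflects the value just passed to `fieldNameMapping`. The corrected comment reads `# searches against keyword fields are wildcard searches, phrases otherwise`.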
@@ -191,7 +259,7 @@ class KibanaBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin): """Converts Sigma rule into Kibana JSON Configuration files (searches only).""" identifier = "kibana" active = True - options = ( + options = ElasticsearchQuerystringBackend.options + ( ("output", "import", "Output format: import = JSON file manually imported in Kibana, curl = Shell script that imports queries in Kibana via curl (jq is additionally required)", "output_type"), ("es", "localhost:9200", "Host and port of Elasticsearch instance", None), ("index", ".kibana", "Kibana index", None), @@ -305,7 +373,7 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin) """Converts Sigma Rule into X-Pack Watcher JSON for alerting""" identifier = "xpack-watcher" active = True - options = ( + options = ElasticsearchQuerystringBackend.options + ( ("output", "curl", "Output format: curl = Shell script that imports queries in Watcher index with curl", "output_type"), ("es", "localhost:9200", "Host and port of Elasticsearch instance", None), ("mail", None, "Mail address for Watcher notification (only logging if not set)", None), 
@@ -490,3 +558,162 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin) else: raise NotImplementedError("Output type '%s' not supported" % self.output_type) return result + +class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend): + """Elastalert backend""" + identifier = 'elastalert' + active = True + options = ElasticsearchQuerystringBackend.options + ( + ("emails", None, "Email addresses for Elastalert notification, if you want to alert several email addresses put them coma separated", None), + ("smtp_host", None, "SMTP server address", None), + ("from_addr", None, "Email sender address", None), + ("smtp_auth_file", None, "Local path with login info", None), + ("realert_time", "0m", "Ignore repeating alerts for a period of time", None), + ("expo_realert_time", "60m", "This option causes the value of realert to exponentially increase while alerts continue to fire", None) + ) + interval = None + title = None + + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self.elastalert_alerts = dict() + self.fields = [] + + def generate(self, sigmaparser): + rulename = self.getRuleName(sigmaparser) + title = sigmaparser.parsedyaml.setdefault("title", "") + description = sigmaparser.parsedyaml.setdefault("description", "") + false_positives = sigmaparser.parsedyaml.setdefault("falsepositives", "") + level = sigmaparser.parsedyaml.setdefault("level", "") + rule_tag = sigmaparser.parsedyaml.setdefault("tags", ["NOT-DEF"]) + # Get time frame if exists + interval = self.generateTimeframe(sigmaparser.parsedyaml["detection"].setdefault("timeframe", "30m")) + # creating condition + index = sigmaparser.get_logsource().index + if len(index) == 0: # fallback if no index is given + index = "logstash-*" + elif len(index) > 0: + index = index[0] + #Init a rule number cpt in case there are several elastalert rules generated fron one Sigma rule + rule_number = 0 + for parsed in sigmaparser.condparsed: + #Static 
data + rule_object = { + "name": rulename + "_" + str(rule_number), + "description": description, + "index": index, + "priority": self.convertLevel(level), + "realert": self.generateTimeframe(self.realert_time), + #"exponential_realert": self.generateTimeframe(self.expo_realert_time) + } + rule_object['filter'] = self.generateQuery(parsed) + + #Handle aggregation + if parsed.parsedAgg: + if parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_COUNT or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MIN or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MAX or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_AVG or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_SUM: + if parsed.parsedAgg.groupfield is not None: + rule_object['query_key'] = parsed.parsedAgg.groupfield + ".keyword" + rule_object['type'] = "metric_aggregation" + rule_object['buffer_time'] = interval + rule_object['doc_type'] = "doc" + + if parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_COUNT: + rule_object['metric_agg_type'] = "cardinality" + else: + rule_object['metric_agg_type'] = parsed.parsedAgg.aggfunc_notrans + + if parsed.parsedAgg.aggfield: + rule_object['metric_agg_key'] = parsed.parsedAgg.aggfield + ".keyword" + else: + rule_object['metric_agg_key'] = "_id" + + condition_value = int(parsed.parsedAgg.condition) + if parsed.parsedAgg.cond_op == ">": + rule_object['max_threshold'] = condition_value + elif parsed.parsedAgg.cond_op == ">=": + rule_object['max_threshold'] = condition_value - 1 + elif parsed.parsedAgg.cond_op == "<": + rule_object['min_threshold'] = condition_value + elif parsed.parsedAgg.cond_op == "<=": + rule_object['min_threshold'] = condition_value - 1 + else: + rule_object['max_threshold'] = condition_value - 1 + rule_object['min_threshold'] = condition_value + 1 + else: + 
rule_object['type'] = "any" + + #Handle alert action + rule_object['alert'] = [] + if self.emails: + rule_object['alert'].append('email') + rule_object['email'] = [] + for address in self.emails.split(','): + rule_object['email'].append(address) + if self.smtp_host: + rule_object['smtp_host'] = self.smtp_host + if self.from_addr: + rule_object['from_addr'] = self.from_addr + if self.smtp_auth_file: + rule_object['smtp_auth_file'] = self.smtp_auth_file + #If alert is not define put debug as default + if len(rule_object['alert']) == 0: + rule_object['alert'].append('debug') + + #Increment rule number + rule_number += 1 + self.elastalert_alerts[rule_object['name']] = rule_object + #Clear fields + self.fields = [] + + def generateQuery(self, parsed): + #Generate ES QS Query + return [{ 'query' : { 'query_string' : { 'query' : super().generateQuery(parsed) } } }] + + def generateNode(self, node): + #Save fields for adding them in query_key + #if type(node) == sigma.parser.NodeSubexpression: + # for k,v in node.items.items: + # self.fields.append(k) + return super().generateNode(node) + + def generateTimeframe(self, timeframe): + time_unit = timeframe[-1:] + duration = timeframe[:-1] + timeframe_object = {} + if time_unit == "s": + timeframe_object['seconds'] = int(duration) + elif time_unit == "m": + timeframe_object['minutes'] = int(duration) + elif time_unit == "h": + timeframe_object['hours'] = int(duration) + elif time_unit == "d": + timeframe_object['days'] = int(duration) + else: + timeframe_object['months'] = int(duration) + return timeframe_object + + def generateAggregation(self, agg): + if agg: + if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_COUNT or agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MIN or agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MAX or agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_AVG or agg.aggfunc == 
sigma.parser.condition.SigmaAggregationParser.AGGFUNC_SUM: + return "" + else: + for name, idx in agg.aggfuncmap.items(): + if idx == agg.aggfunc: + funcname = name + break + raise NotImplementedError("%s : The '%s' aggregation operator is not yet implemented for this backend"%(self.title, funcname)) + + def convertLevel(self, level): + return { + 'critical': 1, + 'high': 2, + 'medium': 3, + 'low': 4 + }.get(level, 2) + + def finalize(self): + result = "" + for rulename, rule in self.elastalert_alerts.items(): + result += yaml.dump(rule, default_flow_style=False) + result += '\n' + return result diff --git a/tools/sigma/backends/graylog.py b/tools/sigma/backends/graylog.py index 632abfa52..bc20f06d0 100644 --- a/tools/sigma/backends/graylog.py +++ b/tools/sigma/backends/graylog.py @@ -22,7 +22,7 @@ class GraylogQuerystringBackend(SingleTextQueryBackend): identifier = "graylog" active = True - reEscape = re.compile("([+\\-!(){}\\[\\]^\"~:/]|\\\\(?![*?])|&&|\\|\\|)") + reEscape = re.compile("([+\\-!(){}\\[\\]^\"~:/]|(? \\ + # \* -> \* + # \\* -> \\* + reEscape = re.compile('("|(?', item) item = re.sub("(\*\\\\)|(\*)", "", item) containlist.append(self.generateValueNode(item)) else: diff --git a/tools/sigma/backends/powershell.py b/tools/sigma/backends/powershell.py index 28333dbab..9a6e88912 100644 --- a/tools/sigma/backends/powershell.py +++ b/tools/sigma/backends/powershell.py 
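Review bot: The `<=` branch of the threshold conversion in `ElastalertBackend.generate` sets `rule_object['min_threshold'] = condition_value - 1`, which points the wrong way: the neighbouring branches encode strict comparisons (`<` → `condition_value`, `>=` → `condition_value - 1`), so `<=` must be `rule_object['min_threshold'] = condition_value + 1`, and as written counts equal to `condition_value` or `condition_value - 1` never alert. The final `else` sets `max_threshold = condition_value - 1` together with `min_threshold = condition_value + 1`, which, if it is meant to express equality, presumably fires on every value since either bound alone triggers; a comment or an explicit unsupported-operator error would be clearer. `query_key` and `metric_agg_key` hardcode `".keyword"` although this same commit introduces a configurable `keyword_field` option on the querystring backend this class inherits, so that option should be used instead. `generateTimeframe` maps any unrecognised unit to `months` and `int(duration)` raises `ValueError` on a malformed timeframe, so a rule with an unexpected value fails with a bare traceback rather than a message naming the rule. Also, the help text of the `emails` option should read `comma separated`.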
@@ -27,7 +27,7 @@ class PowerShellBackend(SingleTextQueryBackend): ("csv", False, "Return the results in CSV format instead of Powershell objects", None), ) - reEscape = re.compile('("|\\\\(?![*?])|\+)') + reEscape = re.compile('("|(? \\ + # \* -> \* + # \\* -> \\* + reEscape = re.compile('("|(?. + +import re +import sigma +from .base import SingleTextQueryBackend + +# Sumo specifics +# https://help.sumologic.com/05Search/Search-Query-Language +# want _index or _sourceCategory for performance +# try to get most string match on first line for performance +# further sorting can be done with extra parsing +# No regex match, must use 'parse regex' https://help.sumologic.com/05Search/Search-Query-Language/01-Parse-Operators/02-Parse-Variable-Patterns-Using-Regex +# For some strings like Windows ProcessCmdline or LogonProcess, it might be good to force case lower and upper as Windows is inconsistent in logs + +class SumoLogicBackend(SingleTextQueryBackend): + """Converts Sigma rule into SumoLogic query""" + identifier = "sumologic" + active = True + + index_field = "_index" + reEscape = re.compile('("|(? 5 +# Near condition => how near... like timeframe? + diff --git a/tools/sigma/backends/wdatp.py b/tools/sigma/backends/wdatp.py index 8d5407a28..ca1868144 100644 --- a/tools/sigma/backends/wdatp.py +++ b/tools/sigma/backends/wdatp.py @@ -23,7 +23,10 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): identifier = "wdatp" active = True - reEscape = re.compile('("|\\\\(?![*?]))') + # \ -> \\ + # \* -> \* + # \\* -> \\* + reEscape = re.compile('("|(?" % (indent, type(node).__name__, + type(node.items).__name__)) + if type(node.items) != list: + dumpNode(node.items, indent + ' ') + else: + for item in node.items: + dumpNode(item, indent + ' ') + else: + print("%s%s=%s" % (indent, type(node).__name__, + repr(node))) + return node + # Condition Tokenizer class SigmaConditionToken: """Token of a Sigma condition expression""" 
@@ -271,23 +289,6 @@ class SigmaConditionOptimizer: """ Optimizer for the parsed AST. """ - def _dumpNode(self, node, indent=''): # pragma: no cover - """ - Recursively print the AST rooted at *node* for debugging. - """ - if hasattr(node, 'items'): - print("%s%s<%s>" % (indent, type(node).__name__, - type(node.items).__name__)) - if type(node.items) != list: - self._dumpNode(node.items, indent + ' ') - else: - for item in node.items: - self._dumpNode(item, indent + ' ') - else: - print("%s%s=%s" % (indent, type(node).__name__, - repr(node))) - return node - def _stripSubexpressionNode(self, node): """ Recursively strips all subexpressions (i.e. brackets) from the AST. diff --git a/tools/sigma/parser/rule.py b/tools/sigma/parser/rule.py index 6560aaa33..565562405 100644 --- a/tools/sigma/parser/rule.py +++ b/tools/sigma/parser/rule.py @@ -87,12 +87,6 @@ class SigmaParser: fields = [ fields ] for field in fields: cond.add(ConditionNULLValue(val=field)) - elif value == "not null": - fields = mapping.resolve_fieldname(key) - if type(fields) == str: - fields = [ fields ] - for field in fields: - cond.add(ConditionNotNULLValue(val=field)) else: cond.add(mapping.resolve(key, value, self))