From 376d0414d8cc05eecd629e2481a2a5ec04056ecb Mon Sep 17 00:00:00 2001
From: Sherif Eldeeb
Date: Sun, 28 Jan 2018 16:16:00 +0300
Subject: [PATCH 01/99] Condition is a `str`, not a `list`

To be consistent with schema and all the other rules:
- `condition` should be a `str`
- if an `or` condition needs to be applied, use parentheses and literal `or` instead of a `list`
---
 rules/network/net_susp_network_scan.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml
index c0de5d6fa..64eaa8621 100644
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan.yml
@@ -7,9 +7,7 @@ detection:
 selection:
 action: denied
 timeframe: 24h
- condition:
- - selection | count(dst_port) by src_ip > 10
- - selection | count(dst_ip) by src_ip > 10
+ condition: ( selection | count(dst_port) by src_ip > 10 ) or ( selection | count(dst_ip) by src_ip > 10 )
 fields:
 - src_ip
 - dst_ip

From cd5950749ebde49b7c6a3c3e3641dc15da34c5a2 Mon Sep 17 00:00:00 2001
From: Sherif Eldeeb
Date: Thu, 15 Nov 2018 08:45:25 +0300
Subject: [PATCH 02/99] revert to upstream

---
 rules/network/net_susp_network_scan.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml
index 64eaa8621..c0de5d6fa 100644
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan.yml
@@ -7,7 +7,9 @@ detection:
 selection:
 action: denied
 timeframe: 24h
- condition: ( selection | count(dst_port) by src_ip > 10 ) or ( selection | count(dst_ip) by src_ip > 10 )
+ condition:
+ - selection | count(dst_port) by src_ip > 10
+ - selection | count(dst_ip) by src_ip > 10
 fields:
 - src_ip
 - dst_ip

From 23eddafb39ebf47388c42c9a6500dff061b95089 Mon Sep 17 00:00:00 2001
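Review bot: The `( … ) or ( … )` condition added in the first hunk joins two aggregation clauses with `or`, which the Sigma condition grammar does not accept: the `| count(...) by ... > N` aggregation is a single trailing clause applied to the whole search expression, so the converter would likely reject this rule rather than emit two queries. The list form restored by the second hunk ("revert to upstream") is the documented way to express independently evaluated conditions, each entry becoming its own query, so the revert is the correct end state and the first patch's message should not be read as a statement of the spec. If a single-string `condition` is really wanted, the two aggregations have to be split into two rules, e.g. `condition: selection | count(dst_port) by src_ip > 10` in one file and the `dst_ip` variant in a sibling rule. In both hunks the `fields` list continues outside the hunk.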
From: Sherif Eldeeb
Date: Thu, 15 Nov 2018 09:00:06 +0300
Subject: [PATCH 03/99] Replace "logsource: description" with "definition" to match the specs

---
 rules/apt/apt_dragonfly.yml | 2 +-
 rules/apt/apt_equationgroup_dll_u_load.yml | 2 +-
 rules/apt/apt_hurricane_panda.yml | 2 +-
 rules/apt/apt_slingshot.yml | 4 ++--
 rules/apt/apt_sofacy.yml | 2 +-
 rules/apt/apt_turla_namedpipes.yml | 2 +-
 rules/windows/builtin/win_admin_rdp_login.yml | 2 +-
 rules/windows/builtin/win_admin_share_access.yml | 2 +-
 .../builtin/win_alert_active_directory_user_control.yml | 2 +-
 rules/windows/builtin/win_alert_ad_user_backdoors.yml | 4 ++--
 rules/windows/builtin/win_alert_enable_weak_encryption.yml | 2 +-
 rules/windows/builtin/win_alert_lsass_access.yml | 2 +-
 rules/windows/builtin/win_disable_event_logging.yml | 2 +-
 rules/windows/builtin/win_multiple_suspicious_cli.yml | 2 +-
 rules/windows/builtin/win_net_ntlm_downgrade.yml | 2 +-
 rules/windows/builtin/win_pass_the_hash.yml | 2 +-
 rules/windows/builtin/win_possible_applocker_bypass.yml | 2 +-
 rules/windows/builtin/win_psexesvc_start.yml | 2 +-
 rules/windows/builtin/win_rare_schtasks_creations.yml | 2 +-
 rules/windows/builtin/win_susp_cli_escape.yml | 2 +-
 rules/windows/builtin/win_susp_commands_recon_activity.yml | 2 +-
 rules/windows/builtin/win_susp_iss_module_install.yml | 2 +-
 rules/windows/builtin/win_susp_msiexec_web_install.yml | 2 +-
 rules/windows/builtin/win_susp_net_recon_activity.yml | 2 +-
 rules/windows/builtin/win_susp_ntdsutil.yml | 2 +-
 rules/windows/builtin/win_susp_ntlm_auth.yml | 2 +-
 rules/windows/builtin/win_susp_powershell_enc_cmd.yml | 2 +-
 rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml | 2 +-
 rules/windows/builtin/win_susp_procdump.yml | 2 +-
 rules/windows/builtin/win_susp_process_creations.yml | 2 +-
 rules/windows/builtin/win_susp_rasdial_activity.yml | 2 +-
 rules/windows/builtin/win_susp_run_locations.yml | 2 +-
 rules/windows/builtin/win_susp_rundll32_activity.yml | 2 +-
 rules/windows/builtin/win_susp_sam_dump.yml | 2 +-
 rules/windows/builtin/win_susp_svchost.yml | 2 +-
 rules/windows/builtin/win_susp_sysprep_appdata.yml | 2 +-
 rules/windows/builtin/win_susp_sysvol_access.yml | 2 +-
 rules/windows/builtin/win_susp_whoami.yml | 2 +-
 .../builtin/win_wmi_persistence_script_event_consumer.yml | 2 +-
 rules/windows/malware/win_mal_adwind.yml | 2 +-
 rules/windows/malware/win_mal_wannacry.yml | 2 +-
 rules/windows/powershell/powershell_malicious_commandlets.yml | 2 +-
 rules/windows/powershell/powershell_malicious_keywords.yml | 2 +-
 rules/windows/powershell/powershell_ntfs_ads_access.yaml | 2 +-
 rules/windows/powershell/powershell_prompt_credentials.yml | 2 +-
 rules/windows/powershell/powershell_psattack.yml | 2 +-
 rules/windows/powershell/powershell_xor_commandline.yml | 2 +-
 rules/windows/sysmon/sysmon_ads_executable.yml | 2 +-
 rules/windows/sysmon/sysmon_mal_namedpipes.yml | 2 +-
 rules/windows/sysmon/sysmon_malware_backconnect_ports.yml | 2 +-
 rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml | 2 +-
 .../sysmon/sysmon_susp_prog_location_network_connection.yml | 2 +-
 rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml | 2 +-
 53 files changed, 55 insertions(+), 55 deletions(-)

diff --git a/rules/apt/apt_dragonfly.yml b/rules/apt/apt_dragonfly.yml
index 94ace27b0..fc05d96e0 100755
--- a/rules/apt/apt_dragonfly.yml
+++ b/rules/apt/apt_dragonfly.yml
@@ -18,7 +18,7 @@ level: critical
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection1:
 # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
diff --git a/rules/apt/apt_equationgroup_dll_u_load.yml b/rules/apt/apt_equationgroup_dll_u_load.yml
index fe0c12039..9b77094b1 100755
--- a/rules/apt/apt_equationgroup_dll_u_load.yml
+++ b/rules/apt/apt_equationgroup_dll_u_load.yml
@@ -35,7 +35,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection1:
 EventID: 4688
diff --git a/rules/apt/apt_hurricane_panda.yml b/rules/apt/apt_hurricane_panda.yml
index 45fbd4026..75064bcf3 100755
--- a/rules/apt/apt_hurricane_panda.yml
+++ b/rules/apt/apt_hurricane_panda.yml
@@ -31,7 +31,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/apt/apt_slingshot.yml b/rules/apt/apt_slingshot.yml
index becd04823..6e462f79b 100755
--- a/rules/apt/apt_slingshot.yml
+++ b/rules/apt/apt_slingshot.yml
@@ -11,7 +11,7 @@ date: 2018/03/10
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
+ definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
 detection:
 condition: selection
 falsepositives:
@@ -30,7 +30,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
+ definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
 detection:
 selection:
 EventID: 4701
diff --git a/rules/apt/apt_sofacy.yml b/rules/apt/apt_sofacy.yml
index 5ddfa902d..9e3e66daa 100755
--- a/rules/apt/apt_sofacy.yml
+++ b/rules/apt/apt_sofacy.yml
@@ -32,7 +32,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
\ No newline at end of file
diff --git a/rules/apt/apt_turla_namedpipes.yml b/rules/apt/apt_turla_namedpipes.yml
index d66fc99f1..e0636bf0a 100755
--- a/rules/apt/apt_turla_namedpipes.yml
+++ b/rules/apt/apt_turla_namedpipes.yml
@@ -10,7 +10,7 @@ author: Markus Neis
 logsource:
 product: windows
 service: sysmon
- description: 'Note that you have to configure logging for PipeEvents in Symson config'
+ definition: 'Note that you have to configure logging for PipeEvents in Symson config'
 detection:
 selection:
 EventID:
diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/win_admin_rdp_login.yml
index 5ddc65b12..768a5b4bc 100644
--- a/rules/windows/builtin/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/win_admin_rdp_login.yml
@@ -10,7 +10,7 @@ author: juju4
 logsource:
 product: windows
 service: security
- description: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
+ definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
 detection:
 selection:
 EventID: 4624
diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml
index 64caf0ccd..277c77a46 100644
--- a/rules/windows/builtin/win_admin_share_access.yml
+++ b/rules/windows/builtin/win_admin_share_access.yml
@@ -8,7 +8,7 @@ author: Florian Roth
 logsource:
 product: windows
 service: security
- description: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
+ definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
 detection:
 selection:
 EventID: 5140
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 0f473ea30..cb39ccfb1 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -9,7 +9,7 @@ author: '@neu5ron'
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
+ definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
 detection:
 selection:
 EventID: 4704
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index 6d3edb08d..29ef903d7 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -11,8 +11,8 @@ tags:
 logsource:
 product: windows
 service: security
- description1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
- description2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
+ definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
+ definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
 detection:
 selection1:
 EventID: 4738
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index a8e2be3bd..ef822fcdd 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
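Review bot: `definition1:` and `definition2:` on the two added lines of the win_alert_ad_user_backdoors.yml hunk are not keys the spec defines — the series subject says it renames `description` to `definition` to match the specs, but `logsource` carries a single `definition`, so a schema check that rejected `description` would presumably reject these numbered variants just the same. Fold both requirements into one value, e.g. `definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management and DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\{Account Management,DS Access}'`, or use a `|-` block scalar if both sentences should stay verbatim. The `detection` section continues outside the hunk.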
@@ -7,7 +7,7 @@ author: '@neu5ron'
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
+ definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
 detection:
 selection:
 EventID: 4738
diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml
index e92ac0577..33c3c948f 100644
--- a/rules/windows/builtin/win_alert_lsass_access.yml
+++ b/rules/windows/builtin/win_alert_lsass_access.yml
@@ -11,7 +11,7 @@ tags:
 # Defender Attack Surface Reduction
 logsource:
 product: windows_defender
- description: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
+ definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
 detection:
 selection:
 EventID: 1121
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
index 16645f28d..a8ac854ad 100644
--- a/rules/windows/builtin/win_disable_event_logging.yml
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -15,7 +15,7 @@ author: '@neu5ron'
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
+ definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
 detection:
 selection:
 EventID: 4719
diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml
index edecf0bfd..021d02ced 100644
--- a/rules/windows/builtin/win_multiple_suspicious_cli.yml
+++ b/rules/windows/builtin/win_multiple_suspicious_cli.yml
@@ -57,7 +57,7 @@ level: low
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml
index e045818d9..36e2b0576 100644
--- a/rules/windows/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml
@@ -30,7 +30,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+ definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
 detection:
 selection2:
 EventID: 4657
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
index f40997e00..8ead5dab9 100644
--- a/rules/windows/builtin/win_pass_the_hash.yml
+++ b/rules/windows/builtin/win_pass_the_hash.yml
@@ -10,7 +10,7 @@ tags:
 logsource:
 product: windows
 service: security
- description: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
+ definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
 detection:
 selection:
 - EventID: 4624
diff --git a/rules/windows/builtin/win_possible_applocker_bypass.yml b/rules/windows/builtin/win_possible_applocker_bypass.yml
index 2bc84cfe4..894a5e1f7 100644
--- a/rules/windows/builtin/win_possible_applocker_bypass.yml
+++ b/rules/windows/builtin/win_possible_applocker_bypass.yml
@@ -30,7 +30,7 @@ level: low
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_psexesvc_start.yml b/rules/windows/builtin/win_psexesvc_start.yml
index 40a49418f..b076f7c94 100644
--- a/rules/windows/builtin/win_psexesvc_start.yml
+++ b/rules/windows/builtin/win_psexesvc_start.yml
@@ -9,7 +9,7 @@ tags:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/win_rare_schtasks_creations.yml
index 537527f50..2cdb3facb 100644
--- a/rules/windows/builtin/win_rare_schtasks_creations.yml
+++ b/rules/windows/builtin/win_rare_schtasks_creations.yml
@@ -10,7 +10,7 @@ tags:
 logsource:
 product: windows
 service: security
- description: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
 detection:
 selection:
 EventID: 4698
diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml
index 6060f76a8..9040d82c1 100644
--- a/rules/windows/builtin/win_susp_cli_escape.yml
+++ b/rules/windows/builtin/win_susp_cli_escape.yml
@@ -33,7 +33,7 @@ level: low
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml
index 76c044e24..d3291236c 100644
--- a/rules/windows/builtin/win_susp_commands_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml
@@ -49,7 +49,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/builtin/win_susp_iss_module_install.yml
index 21854e469..376935e36 100644
--- a/rules/windows/builtin/win_susp_iss_module_install.yml
+++ b/rules/windows/builtin/win_susp_iss_module_install.yml
@@ -28,7 +28,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_msiexec_web_install.yml b/rules/windows/builtin/win_susp_msiexec_web_install.yml
index 880591fc6..8efe51e7e 100644
--- a/rules/windows/builtin/win_susp_msiexec_web_install.yml
+++ b/rules/windows/builtin/win_susp_msiexec_web_install.yml
@@ -26,7 +26,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index ac3c34f34..5e403a053 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
 product: windows
 service: security
- description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
+ definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
 detection:
 selection:
 - EventID: 4661
diff --git a/rules/windows/builtin/win_susp_ntdsutil.yml b/rules/windows/builtin/win_susp_ntdsutil.yml
index 5163fd12e..0dd7b2051 100644
--- a/rules/windows/builtin/win_susp_ntdsutil.yml
+++ b/rules/windows/builtin/win_susp_ntdsutil.yml
@@ -27,7 +27,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml
index f33dfc7bf..f5d465980 100644
--- a/rules/windows/builtin/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/win_susp_ntlm_auth.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
 product: windows
 service: ntlm
- description: Reqiures events from Microsoft-Windows-NTLM/Operational
+ definition: Reqiures events from Microsoft-Windows-NTLM/Operational
 detection:
 selection:
 EventID: 8002
diff --git a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml
index 0e1fdcbbd..1e54ec971 100644
--- a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml
@@ -36,7 +36,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml
index aa7fa26fe..39d664d44 100644
--- a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml
@@ -10,7 +10,7 @@ author: John Lambert (rule)
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 encoded:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_procdump.yml b/rules/windows/builtin/win_susp_procdump.yml
index 88b29e1da..a138ad973 100644
--- a/rules/windows/builtin/win_susp_procdump.yml
+++ b/rules/windows/builtin/win_susp_procdump.yml
@@ -29,7 +29,7 @@ level: medium
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml
index b6274a288..1be8c84f3 100644
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ b/rules/windows/builtin/win_susp_process_creations.yml
@@ -81,7 +81,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_rasdial_activity.yml b/rules/windows/builtin/win_susp_rasdial_activity.yml
index bad621d16..76676cfbf 100644
--- a/rules/windows/builtin/win_susp_rasdial_activity.yml
+++ b/rules/windows/builtin/win_susp_rasdial_activity.yml
@@ -18,7 +18,7 @@ level: medium
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml
index b75d2f336..11a26b524 100644
--- a/rules/windows/builtin/win_susp_run_locations.yml
+++ b/rules/windows/builtin/win_susp_run_locations.yml
@@ -24,7 +24,7 @@ level: medium
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/builtin/win_susp_rundll32_activity.yml
index 485c72100..872f40557 100644
--- a/rules/windows/builtin/win_susp_rundll32_activity.yml
+++ b/rules/windows/builtin/win_susp_rundll32_activity.yml
@@ -36,7 +36,7 @@ falsepositives:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index 8f94ae691..0f71f622b 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -8,7 +8,7 @@ author: Florian Roth
 logsource:
 product: windows
 service: system
- description: The source of this type of event is Kernel-General
+ definition: The source of this type of event is Kernel-General
 detection:
 selection:
 EventID: 16
diff --git a/rules/windows/builtin/win_susp_svchost.yml b/rules/windows/builtin/win_susp_svchost.yml
index 306c43a60..9405f77d7 100644
--- a/rules/windows/builtin/win_susp_svchost.yml
+++ b/rules/windows/builtin/win_susp_svchost.yml
@@ -32,7 +32,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_sysprep_appdata.yml b/rules/windows/builtin/win_susp_sysprep_appdata.yml
index b688a77c1..051c8605b 100644
--- a/rules/windows/builtin/win_susp_sysprep_appdata.yml
+++ b/rules/windows/builtin/win_susp_sysprep_appdata.yml
@@ -28,7 +28,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_sysvol_access.yml b/rules/windows/builtin/win_susp_sysvol_access.yml
index 32032b9e7..c413497a8 100644
--- a/rules/windows/builtin/win_susp_sysvol_access.yml
+++ b/rules/windows/builtin/win_susp_sysvol_access.yml
@@ -29,7 +29,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_susp_whoami.yml b/rules/windows/builtin/win_susp_whoami.yml
index b0a3f29cc..3d8ab3d4d 100644
--- a/rules/windows/builtin/win_susp_whoami.yml
+++ b/rules/windows/builtin/win_susp_whoami.yml
@@ -29,7 +29,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml b/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
index 927476c12..ecedd03fd 100644
--- a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
+++ b/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
@@ -30,7 +30,7 @@ detection:
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/malware/win_mal_adwind.yml
index 5c0e8c77e..07e8269e7 100644
--- a/rules/windows/malware/win_mal_adwind.yml
+++ b/rules/windows/malware/win_mal_adwind.yml
@@ -16,7 +16,7 @@ level: high
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
diff --git a/rules/windows/malware/win_mal_wannacry.yml b/rules/windows/malware/win_mal_wannacry.yml
index 3624f5076..89a95be39 100644
--- a/rules/windows/malware/win_mal_wannacry.yml
+++ b/rules/windows/malware/win_mal_wannacry.yml
@@ -21,7 +21,7 @@ level: critical
 logsource:
 product: windows
 service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection1:
 # Requires group policy 'Audit Process Creation' > Include command line in process creation events
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index 23cbfa154..2105d06bf 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -10,7 +10,7 @@ author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows service: powershell - description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keywords: - Invoke-DllInjection diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index 4a5a6ba98..63c08a3d8 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml @@ -10,7 +10,7 @@ author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows service: powershell - description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keywords: - AdjustTokenPrivileges diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yaml b/rules/windows/powershell/powershell_ntfs_ads_access.yaml index 3deedb29d..965df78f7 100644 --- a/rules/windows/powershell/powershell_ntfs_ads_access.yaml +++ b/rules/windows/powershell/powershell_ntfs_ads_access.yaml @@ -10,7 +10,7 @@ author: Sami Ruohonen logsource: product: windows service: powershell - description: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keyword1: - "set-content" diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index c86db1cf5..6203a5d23 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml 
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml @@ -12,7 +12,7 @@ author: John Lambert (idea), Florian Roth (rule) logsource: product: windows service: powershell - description: 'Script block logging must be enabled' + definition: 'Script block logging must be enabled' detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index d2eb7ece7..5872f70a3 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml @@ -10,7 +10,7 @@ author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows service: powershell - description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_xor_commandline.yml index 7b5d38980..f82da8670 100644 --- a/rules/windows/powershell/powershell_xor_commandline.yml +++ b/rules/windows/powershell/powershell_xor_commandline.yml @@ -23,7 +23,7 @@ detection: logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml index 53d369dc2..94b86c382 100644 --- a/rules/windows/sysmon/sysmon_ads_executable.yml +++ b/rules/windows/sysmon/sysmon_ads_executable.yml 
@@ -12,7 +12,7 @@ date: 2018/06/03 logsource: product: windows service: sysmon - description: 'Requirements: Sysmon config with Imphash logging activated' + definition: 'Requirements: Sysmon config with Imphash logging activated' detection: selection: EventID: 15 diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/sysmon/sysmon_mal_namedpipes.yml index ef1800a80..27b56e74c 100644 --- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml +++ b/rules/windows/sysmon/sysmon_mal_namedpipes.yml @@ -8,7 +8,7 @@ author: Florian Roth logsource: product: windows service: sysmon - description: 'Note that you have to configure logging for PipeEvents in Symson config' + definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: selection: EventID: diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml index d3b6f33a0..505a601c3 100644 --- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml +++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml @@ -8,7 +8,7 @@ date: 2017/03/19 logsource: product: windows service: sysmon - description: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' + definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' detection: selection: EventID: 3 diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml index fff40b72f..42ba71450 100644 --- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml +++ b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml 
@@ -8,7 +8,7 @@ date: 2017/03/04 logsource: product: windows service: sysmon - description: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' + definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' detection: selection: EventID: 10 diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml index d7febde9c..741083516 100644 --- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml @@ -8,7 +8,7 @@ date: 2017/03/19 logsource: product: windows service: sysmon - description: 'Use the following config to generate the necessary Event ID 3 Network Connection events' + definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' detection: selection: EventID: 3 diff --git a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml b/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml index b173a5c85..eb5fde7bc 100644 --- a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml +++ b/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml @@ -26,7 +26,7 @@ detection: logsource: product: windows service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 \ No newline at end of file From 49d464f97959c14051e1e7364a360da01eec460e Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Tue, 20 Nov 2018 23:23:54 +0100 Subject: [PATCH 04/99] Fixed wildcards in es-qs backend --- tools/sigma/backends/elasticsearch.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index c15d5a3ce..1ac6f4bb8 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -26,7 +26,7 @@ class ElasticsearchQuerystringBackend(SingleTextQueryBackend): identifier = "es-qs" active = True - reEscape = re.compile("([+\\-=!(){}\\[\\]^\"~:/]|\\\\(?![*?])|\\\\u|&&|\\|\\|)") + reEscape = re.compile("([\\s+\\-=!(){}\\[\\]^\"~:/]|\\\\(?![*?])|\\\\u|&&|\\|\\|)") reClear = re.compile("[<>]") andToken = " AND " orToken = " OR " @@ -34,7 +34,7 @@ class ElasticsearchQuerystringBackend(SingleTextQueryBackend): subExpression = "(%s)" listExpression = "(%s)" listSeparator = " " - valueExpression = "\"%s\"" + valueExpression = "%s" nullExpression = "NOT _exists_:%s" notNullExpression = "_exists_:%s" mapExpression = "%s:%s" From 60538e2e12cb1bcd7e1e587beb29db51c7803d90 Mon Sep 17 00:00:00 2001 From: Kyle Polley Date: Tue, 20 Nov 2018 21:07:36 -0800 Subject: [PATCH 05/99] changed .yaml files to .yml for consistency --- ...rshell_ntfs_ads_access.yaml => powershell_ntfs_ads_access.yml} | 0 ...on_win_reg_persistence.yaml => sysmon_win_reg_persistence.yml} | 0 sigma-schema.rx.yaml => sigma-schema.rx.yml | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/powershell/{powershell_ntfs_ads_access.yaml => powershell_ntfs_ads_access.yml} (100%) rename rules/windows/sysmon/{sysmon_win_reg_persistence.yaml => sysmon_win_reg_persistence.yml} (100%) rename sigma-schema.rx.yaml => sigma-schema.rx.yml (100%) 
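Review bot: Dropping the surrounding quotes in the second hunk (`valueExpression = "%s"`) means every value is now emitted as a bare query-string term, so a value that is itself an operator word (`AND`, `OR`, `NOT`) is parsed as syntax rather than matched as text; the widened `reEscape` covers punctuation and whitespace but not these words. If the goal is only to let `*` and `?` act as wildcards, consider keeping the quotes for values that contain no wildcard, or escaping the operator words, and pin the behaviour with a test for a value such as `NOT`. A short comment on `reEscape` explaining why `\\s` was added (unquoted terms must escape spaces) would save the next reader a trip to the query-string docs. The `ElasticsearchQuerystringBackend` class continues outside both hunks.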
diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yaml b/rules/windows/powershell/powershell_ntfs_ads_access.yml similarity index 100% rename from rules/windows/powershell/powershell_ntfs_ads_access.yaml rename to rules/windows/powershell/powershell_ntfs_ads_access.yml diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yaml b/rules/windows/sysmon/sysmon_win_reg_persistence.yml similarity index 100% rename from rules/windows/sysmon/sysmon_win_reg_persistence.yaml rename to rules/windows/sysmon/sysmon_win_reg_persistence.yml diff --git a/sigma-schema.rx.yaml b/sigma-schema.rx.yml similarity index 100% rename from sigma-schema.rx.yaml rename to sigma-schema.rx.yml From 9e28669c339e13bd7771e81002c04577021b92b9 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 21 Nov 2018 22:29:12 +0100 Subject: [PATCH 06/99] Backend es-qs return quotes on empty or whitespace-only string --- tools/sigma/backends/elasticsearch.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 1ac6f4bb8..dbb51d105 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -40,6 +40,13 @@ class ElasticsearchQuerystringBackend(SingleTextQueryBackend): mapExpression = "%s:%s" mapListsSpecialHandling = False + def generateValueNode(self, node): + result = super().generateValueNode(node) + if result == "" or result.isspace(): + return '""' + else: + return result + class ElasticsearchDSLBackend(RulenameCommentMixin, BaseBackend): """ElasticSearch DSL backend""" identifier = 'es-dsl' From a1940c6eaae56de7edd4ade1778e444ac786ae47 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 21 Nov 2018 22:34:04 +0100 Subject: [PATCH 07/99] Simplified rule --- rules/proxy/proxy_empty_ua.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/proxy/proxy_empty_ua.yml b/rules/proxy/proxy_empty_ua.yml index faac0f93b..da28473a1 100644 
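Review bot: `generateValueNode` folds a whitespace-only value into the empty-string term `""`, which changes its meaning: a rule that matches a single space would now match an empty field instead. If whitespace should remain matchable, return it quoted, e.g. `return '"%s"' % result`, and reserve `'""'` for `result == ""`. Whether `super().generateValueNode` has already applied `reEscape` (turning the space into `\ ` so `isspace()` is never true) is not visible in this hunk and deserves a unit test. A one-line docstring would record the intent, e.g. `"""Quote values that would otherwise yield an empty query-string term."""`.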
--- a/rules/proxy/proxy_empty_ua.yml +++ b/rules/proxy/proxy_empty_ua.yml @@ -8,9 +8,8 @@ logsource: category: proxy detection: selection: - UserAgent: - # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString - - '' + # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString + UserAgent: '' condition: selection fields: - ClientIP From 26d888aec3a473d56ee5ea35c6ca8b26ac3bd07b Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 21 Nov 2018 22:56:48 +0100 Subject: [PATCH 08/99] Removed "not null" handling code Feature was removed some time ago. --- tools/sigma/parser/rule.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tools/sigma/parser/rule.py b/tools/sigma/parser/rule.py index 6560aaa33..565562405 100644 --- a/tools/sigma/parser/rule.py +++ b/tools/sigma/parser/rule.py @@ -87,12 +87,6 @@ class SigmaParser: fields = [ fields ] for field in fields: cond.add(ConditionNULLValue(val=field)) - elif value == "not null": - fields = mapping.resolve_fieldname(key) - if type(fields) == str: - fields = [ fields ] - for field in fields: - cond.add(ConditionNotNULLValue(val=field)) else: cond.add(mapping.resolve(key, value, self)) From aa1a953a6556f0504fde9f04b23335cd4a8ca916 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 21 Nov 2018 23:22:38 +0100 Subject: [PATCH 09/99] Moved node dumping code to generic location --- tools/sigma/parser/condition.py | 35 +++++++++++++++++---------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py index 16e4d5675..ef697e90b 100644 --- a/tools/sigma/parser/condition.py +++ b/tools/sigma/parser/condition.py 
@@ -24,6 +24,24 @@ COND_OR = 2 COND_NOT = 3 COND_NULL = 4 +# Debugging code +def dumpNode(node, indent=''): # pragma: no cover + """ + Recursively print the AST rooted at *node* for debugging. + """ + if hasattr(node, 'items'): + print("%s%s<%s>" % (indent, type(node).__name__, + type(node.items).__name__)) + if type(node.items) != list: + dumpNode(node.items, indent + ' ') + else: + for item in node.items: + dumpNode(item, indent + ' ') + else: + print("%s%s=%s" % (indent, type(node).__name__, + repr(node))) + return node + # Condition Tokenizer class SigmaConditionToken: """Token of a Sigma condition expression""" @@ -271,23 +289,6 @@ class SigmaConditionOptimizer: """ Optimizer for the parsed AST. """ - def _dumpNode(self, node, indent=''): # pragma: no cover - """ - Recursively print the AST rooted at *node* for debugging. - """ - if hasattr(node, 'items'): - print("%s%s<%s>" % (indent, type(node).__name__, - type(node.items).__name__)) - if type(node.items) != list: - self._dumpNode(node.items, indent + ' ') - else: - for item in node.items: - self._dumpNode(item, indent + ' ') - else: - print("%s%s=%s" % (indent, type(node).__name__, - repr(node))) - return node - def _stripSubexpressionNode(self, node): """ Recursively strips all subexpressions (i.e. brackets) from the AST. From ec83ab5e13146d39f950000e9866e18dbf12a8be Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 22 Nov 2018 19:14:07 +0100 Subject: [PATCH 10/99] APT28 Zebrocy rule https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d --- rules/apt/apt_sofacy_zebrocy.yml | 34 ++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/apt/apt_sofacy_zebrocy.yml diff --git a/rules/apt/apt_sofacy_zebrocy.yml b/rules/apt/apt_sofacy_zebrocy.yml new file mode 100644 index 000000000..24ccd52bd --- /dev/null +++ b/rules/apt/apt_sofacy_zebrocy.yml 
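Review bot: The relocated `dumpNode` keeps `type(node.items) != list`; `not isinstance(node.items, list)` is the idiomatic form and also accepts list subclasses. Because `_dumpNode` is removed from `SigmaConditionOptimizer` in the second hunk, any remaining `self._dumpNode(...)` call elsewhere in the file would now raise `AttributeError` at runtime, and the `# pragma: no cover` marker means tests will not reveal it, so a grep before merging is worthwhile. The remainder of `SigmaConditionOptimizer` lies outside the hunk.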
@@ -0,0 +1,34 @@ +--- +action: global +title: Sofacy Zebrocy +description: Detects Sofacy's Zebrocy malware execution +references: + - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d +tags: + - attack.execution + - attack.g0020 + - attack.t1059 +author: Florian Roth +date: 2018/03/10 +detection: + condition: selection +falsepositives: + - Unknown +level: critical +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST' +--- +logsource: + product: windows + service: security + description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST' From 7ba1fe4309c0be037f82926bdb41630c6cece1d5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 23 Nov 2018 08:46:20 +0100 Subject: [PATCH 11/99] Turla PNG Dropper Service Name --- rules/apt/apt_turla_service_png.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/apt/apt_turla_service_png.yml diff --git a/rules/apt/apt_turla_service_png.yml b/rules/apt/apt_turla_service_png.yml new file mode 100644 index 000000000..0a6735f21 --- /dev/null +++ b/rules/apt/apt_turla_service_png.yml @@ -0,0 +1,21 @@ +title: Turla PNG Dropper Service +description: 'This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018' +references: + - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ +author: Florian Roth +date: 2018/11/23 +tags: + - attack.command_and_control + - attack.g0016 + - attack.t1172 +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 + ServiceName: 'WerFaultSvc' + condition: selection +falsepositives: + - unlikely +level: critical 
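Review bot: The second `logsource` block of `apt_sofacy_zebrocy.yml` uses `description:` under `logsource`, while PATCH 03 earlier in this series moved every such key to `definition:` to match the schema; the new file should use `definition:` too. `date: 2018/03/10` predates the commit date (22 Nov 2018) by eight months, which looks like a copy-paste leftover and is worth confirming. The rule also carries no `status:` field, unlike the Cobalt Strike rule added later in the series.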
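Review bot: `apt_turla_service_png.yml` has no `status:` field, whereas the sibling rule added in PATCH 20 marks itself `status: experimental`; a newly written rule would normally carry the same marker. A brief comment next to `ServiceName: 'WerFaultSvc'` noting that the name is taken verbatim from the referenced NCC Group report would help maintainers tell it apart from the legitimate Windows Error Reporting service when the rule is revisited.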
From c2eb87133d6bf438a113fec6734399fc46ce0de5 Mon Sep 17 00:00:00 2001 From: sisecbe <31284407+sisecbe@users.noreply.github.com> Date: Fri, 23 Nov 2018 15:04:08 +0100 Subject: [PATCH 12/99] Distinct count in aggragation function Added dc() instead of count() when group-by field is present. Because count() doesn't do a distinct count in Splunk. Must be the dc() function instead. --- tools/sigma/backends/splunk.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py index eb6ae5ed3..500969810 100644 --- a/tools/sigma/backends/splunk.py +++ b/tools/sigma/backends/splunk.py @@ -53,6 +53,8 @@ class SplunkBackend(SingleTextQueryBackend): if agg.groupfield == None: return " | stats %s(%s) as val | search val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.cond_op, agg.condition) else: + if agg.aggfunc_notrans == 'count': + agg.aggfunc_notrans = 'dc' return " | stats %s(%s) as val by %s | search val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.groupfield or "", agg.cond_op, agg.condition) class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin): From e43909678ed77a6f7a94257fe3a72a8894d9aea5 Mon Sep 17 00:00:00 2001 From: sisecbe <31284407+sisecbe@users.noreply.github.com> Date: Fri, 23 Nov 2018 15:11:12 +0100 Subject: [PATCH 13/99] Added the fields attribute parser Make a table with the fields present in the fields attribute --- tools/sigma/backends/splunk.py | 38 ++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py index 500969810..097a8cc1c 100644 --- a/tools/sigma/backends/splunk.py +++ b/tools/sigma/backends/splunk.py 
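Review bot: The added branch mutates `agg.aggfunc_notrans` on the parsed aggregation object, so the substitution persists on the shared parse result and any later consumer of the same `agg` (or a second backend run over the same parser) sees `dc` instead of `count`. Use a local instead: `aggfunc = 'dc' if agg.aggfunc_notrans == 'count' else agg.aggfunc_notrans` and format the `stats` string with `aggfunc`. A comment such as `# Splunk count() is not distinct; dc() implements Sigma's count() by <field>` would record the reason. The enclosing method starts outside the hunk.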
@@ -57,6 +57,44 @@ class SplunkBackend(SingleTextQueryBackend): agg.aggfunc_notrans = 'dc' return " | stats %s(%s) as val by %s | search val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.groupfield or "", agg.cond_op, agg.condition) + + def generate(self, sigmaparser): + """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + + columns = list() + try: + for field in sigmaparser.parsedyaml["fields"]: + mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field) + if type(mapped) == str: + columns.append(mapped) + elif type(mapped) == list: + columns.extend(mapped) + else: + raise TypeError("Field mapping must return string or list") + + fields = ",".join(str(x) for x in columns) + fields = " | table " + fields + + except KeyError: # no 'fields' attribute + pass + + for parsed in sigmaparser.condparsed: + query = self.generateQuery(parsed) + before = self.generateBefore(parsed) + after = self.generateAfter(parsed) + + result = "" + if before is not None: + result = before + if query is not None: + result += query + if after is not None: + result += after + if mapped is not None: + result += fields + + return result + class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin): """Converts Sigma rule into XML used for Splunk Dashboard Panels""" identifier = "splunkxml" From 31eae25756500f1b5b4876566c1d246d9f370213 Mon Sep 17 00:00:00 2001 From: sisecbe <31284407+sisecbe@users.noreply.github.com> Date: Fri, 23 Nov 2018 15:20:17 +0100 Subject: [PATCH 14/99] Indentation error --- tools/sigma/backends/splunk.py | 59 +++++++++++++++++----------------- 1 file changed, 29 insertions(+), 30 deletions(-) diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py index 097a8cc1c..63f07bb7f 100644 --- a/tools/sigma/backends/splunk.py +++ b/tools/sigma/backends/splunk.py 
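Review bot: `mapped` is bound only inside the loop, so a rule whose `fields` attribute exists but is an empty list reaches `if mapped is not None` with the name unbound and raises `UnboundLocalError`; the `mapped = None` added in PATCH 15 covers only the missing-key path, and `fields` is likewise unbound when `KeyError` fires. Initialise `fields = ""` before the `try`, drop the `mapped` sentinel, and append `fields` unconditionally with `result += fields`. `result` is also reset to `""` on every iteration of `for parsed in sigmaparser.condparsed` and only the last value is returned, so a rule with several conditions loses all but the last query — that may mirror the base class, which is not visible here. The docstring could say what this override adds over the base `generate`, namely the trailing `| table <fields>` clause.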
@@ -59,41 +59,40 @@ class SplunkBackend(SingleTextQueryBackend): def generate(self, sigmaparser): - """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + columns = list() + try: + for field in sigmaparser.parsedyaml["fields"]: + mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field) + if type(mapped) == str: + columns.append(mapped) + elif type(mapped) == list: + columns.extend(mapped) + else: + raise TypeError("Field mapping must return string or list") - columns = list() - try: - for field in sigmaparser.parsedyaml["fields"]: - mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field) - if type(mapped) == str: - columns.append(mapped) - elif type(mapped) == list: - columns.extend(mapped) - else: - raise TypeError("Field mapping must return string or list") + fields = ",".join(str(x) for x in columns) + fields = " | table " + fields - fields = ",".join(str(x) for x in columns) - fields = " | table " + fields + except KeyError: # no 'fields' attribute + pass - except KeyError: # no 'fields' attribute - pass + for parsed in sigmaparser.condparsed: + query = self.generateQuery(parsed) + before = self.generateBefore(parsed) + after = self.generateAfter(parsed) - for parsed in sigmaparser.condparsed: - query = self.generateQuery(parsed) - before = self.generateBefore(parsed) - after = self.generateAfter(parsed) + result = "" + if before is not None: + result = before + if query is not None: + result += query + if after is not None: + result += after + if mapped is not None: + result += fields - result = "" - if before is not None: - result = before - if query is not None: - result += query - if after is not None: - result += after - if mapped is not None: - result += fields - - return result + return result class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin): """Converts Sigma rule into XML 
used for Splunk Dashboard Panels""" From c848c473a30e7642ce305962e48dfc928f9a1baa Mon Sep 17 00:00:00 2001 From: sisecbe <31284407+sisecbe@users.noreply.github.com> Date: Fri, 23 Nov 2018 15:37:42 +0100 Subject: [PATCH 15/99] Error when empty fields attribute --- tools/sigma/backends/splunk.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py index 63f07bb7f..1172f461a 100644 --- a/tools/sigma/backends/splunk.py +++ b/tools/sigma/backends/splunk.py @@ -75,6 +75,7 @@ class SplunkBackend(SingleTextQueryBackend): fields = " | table " + fields except KeyError: # no 'fields' attribute + mapped = None pass for parsed in sigmaparser.condparsed: From 50c74b94bc3741ba70e9e31b49ebf56c7b4bafed Mon Sep 17 00:00:00 2001 From: lsoumille Date: Fri, 23 Nov 2018 20:39:15 +0100 Subject: [PATCH 16/99] add elastalert backend support --- tools/sigma/backends/elasticsearch.py | 159 ++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index dbb51d105..0c9a42ec6 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -17,6 +17,7 @@ import json import re import sigma +import yaml from .base import BaseBackend, SingleTextQueryBackend from .mixins import RulenameCommentMixin, MultiRuleOutputMixin from .exceptions import NotSupportedError 
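Review bot: With `mapped = None` now assigned in the `except KeyError` branch, the following `pass` is dead and can be removed. The branch still leaves `fields` unbound on that path, so binding `fields = ""` there (or before the `try`) would make the later concatenation safe regardless of how the guard at the end of `generate`, outside this hunk, is written.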
@@ -497,3 +498,161 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin) else: raise NotImplementedError("Output type '%s' not supported" % self.output_type) return result + +class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend): + """Elastalert backend""" + identifier = 'elastalert' + active = True + options = ( + ("emails", None, "Email addresses for Elastalert notification, if you want to alert several email addresses put them coma separated", None), + ("smtp_host", None, "SMTP server address", None), + ("from_addr", None, "Email sender address", None), + ("smtp_auth_file", None, "Local path with login info", None), + ("realert_time", "0m", "Ignore repeating alerts for a period of time", None), + ("expo_realert_time", "60m", "This option causes the value of realert to exponentially increase while alerts continue to fire", None) + ) + interval = None + title = None + + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self.elastalert_alerts = dict() + self.fields = [] + + def generate(self, sigmaparser): + rulename = self.getRuleName(sigmaparser) + title = sigmaparser.parsedyaml.setdefault("title", "") + description = sigmaparser.parsedyaml.setdefault("description", "") + false_positives = sigmaparser.parsedyaml.setdefault("falsepositives", "") + level = sigmaparser.parsedyaml.setdefault("level", "") + rule_tag = sigmaparser.parsedyaml.setdefault("tags", ["NOT-DEF"]) + # Get time frame if exists + interval = self.generateTimeframe(sigmaparser.parsedyaml["detection"].setdefault("timeframe", "30m")) + # creating condition + index = sigmaparser.get_logsource().index + if len(index) == 0: # fallback if no index is given + index = "logstash-*" + elif len(index) > 0: + index = index[0] + #Init a rule number cpt in case there are several elastalert rules generated fron one Sigma rule + rule_number = 0 + for parsed in sigmaparser.condparsed: + #Static data + rule_object = { + "name": rulename 
+ "_" + str(rule_number), + "description": description, + "index": index, + "priority": self.convertLevel(level), + "realert": self.generateTimeframe(self.realert_time), + #"exponential_realert": self.generateTimeframe(self.expo_realert_time) + } + rule_object['filter'] = self.generateQuery(parsed) + + #Handle aggregation + if parsed.parsedAgg: + if parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_COUNT or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MIN or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MAX or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_AVG or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_SUM: + rule_object['query_key'] = parsed.parsedAgg.groupfield + rule_object['type'] = "metric_aggregation" + rule_object['buffer_time'] = interval + rule_object['doc_type'] = "doc" + + if parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_COUNT: + rule_object['metric_agg_type'] = "cardinality" + else: + rule_object['metric_agg_type'] = parsed.parsedAgg.aggfunc_notrans + + if parsed.parsedAgg.aggfield: + rule_object['metric_agg_key'] = parsed.parsedAgg.aggfield + else: + rule_object['metric_agg_key'] = "_id" + + condition_value = int(parsed.parsedAgg.condition) + if parsed.parsedAgg.cond_op == ">": + rule_object['max_threshold'] = condition_value + elif parsed.parsedAgg.cond_op == ">=": + rule_object['max_threshold'] = condition_value - 1 + elif parsed.parsedAgg.cond_op == "<": + rule_object['min_threshold'] = condition_value + elif parsed.parsedAgg.cond_op == "<=": + rule_object['min_threshold'] = condition_value - 1 + else: + rule_object['max_threshold'] = condition_value - 1 + rule_object['min_threshold'] = condition_value + 1 + else: + rule_object['type'] = "any" + + #Handle alert action + rule_object['alert'] = [] + if self.emails: + 
rule_object['alert'].append('email') + rule_object['email'] = [] + for address in self.emails.split(','): + rule_object['email'].append(address) + if self.smtp_host: + rule_object['smtp_host'] = self.smtp_host + if self.from_addr: + rule_object['from_addr'] = self.from_addr + if self.smtp_auth_file: + rule_object['smtp_auth_file'] = self.smtp_auth_file + #If alert is not define put debug as default + if len(rule_object['alert']) == 0: + rule_object['alert'].append('debug') + + #Increment rule number + rule_number += 1 + self.elastalert_alerts[rule_object['name']] = rule_object + #Clear fields + self.fields = [] + + def generateQuery(self, parsed): + #Generate ES QS Query + return [{ 'query' : { 'query_string' : { 'query' : super().generateQuery(parsed) } } }] + + def generateNode(self, node): + #Save fields for adding them in query_key + #if type(node) == sigma.parser.NodeSubexpression: + # for k,v in node.items.items: + # self.fields.append(k) + return super().generateNode(node) + + def generateTimeframe(self, timeframe): + time_unit = timeframe[-1:] + duration = timeframe[:-1] + timeframe_object = {} + if time_unit == "s": + timeframe_object['seconds'] = int(duration) + elif time_unit == "m": + timeframe_object['minutes'] = int(duration) + elif time_unit == "h": + timeframe_object['hours'] = int(duration) + elif time_unit == "d": + timeframe_object['days'] = int(duration) + else: + timeframe_object['months'] = int(duration) + return timeframe_object + + def generateAggregation(self, agg): + if agg: + if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_COUNT or agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MIN or agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MAX or agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_AVG or agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_SUM: + return "" + else: + for name, idx in agg.aggfuncmap.items(): + if idx == agg.aggfunc: 
+ funcname = name + break + raise NotImplementedError("%s : The '%s' aggregation operator is not yet implemented for this backend"%(self.title, funcname)) + + def convertLevel(self, level): + return { + 'critical': 1, + 'high': 2, + 'medium': 3, + 'low': 4 + }.get(level, 2) + + def finalize(self): + result = "" + for rulename, rule in self.elastalert_alerts.items(): + result += yaml.dump(rule, default_flow_style=False) + result += '\n' + return result From 99e0a4defbf2858e3a8d8c436c452cb94b08ba01 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Nov 2018 14:05:13 +0100 Subject: [PATCH 17/99] fix: SPARK config duplicate identifier --- tools/config/spark.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/config/spark.yml b/tools/config/spark.yml index 7d39bff59..4c11e10ed 100644 --- a/tools/config/spark.yml +++ b/tools/config/spark.yml @@ -9,7 +9,7 @@ logsources: service: security sources: - 'WinEventLog:Security' - windows-security: + windows-system: product: windows service: system sources: @@ -24,7 +24,7 @@ logsources: service: powershell sources: - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' - windows-powershell: + windows-taskscheduler: product: windows service: taskscheduler sources: From 1118b8028865048b121900e67f8d0cea30a091e9 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Thu, 29 Nov 2018 00:00:00 +0100 Subject: [PATCH 18/99] Added elastalert backend to CI testing --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 6eefdab32..d8d547586 100644 --- a/Makefile +++ b/Makefile 
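Review bot: The threshold mapping in `generate` is inconsistent: `>=` becomes `max_threshold = condition_value - 1`, but `<=` also subtracts (`min_threshold = condition_value - 1`), which under the strict comparison the `>=` branch assumes fires only at `condition_value - 2` and below; the symmetric form is `rule_object['min_threshold'] = condition_value + 1`. The final `else` (equality) sets `max_threshold` below and `min_threshold` above the value, a pair that together covers every possible result, so an `=` condition fires on everything; raising `NotImplementedError` as `generateAggregation` already does for unsupported functions would be more honest. `generateTimeframe` silently treats any unknown unit as months (`else: timeframe_object['months']`), so a typo such as `5min` becomes five months; restricting the `else` to an explicit unit and raising otherwise avoids that. `self.fields` and the commented-out body of `generateNode` are unused, and the `emails` help string reads `coma separated`.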
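Review bot: The duplicate `windows-security` / `windows-powershell` keys this fixes are last-wins in most YAML loaders, so the `windows-system` and `windows-taskscheduler` sources were dropped without any error until now. Running `yamllint` with its `key-duplicates` rule over `tools/config/` in CI (the Makefile already has a test target) would surface the next occurrence at review time rather than in production output.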
@@ -20,6 +20,7 @@ test-sigmac: coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null + coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null From f6ad36f530debdea40afa5ec6e3bbd0ddebe22f2 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Thu, 29 Nov 2018 00:00:18 +0100 Subject: [PATCH 19/99] Fixed rule --- rules/windows/builtin/win_multiple_suspicious_cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml index edecf0bfd..1d058b202 100644 --- a/rules/windows/builtin/win_multiple_suspicious_cli.yml +++ b/rules/windows/builtin/win_multiple_suspicious_cli.yml @@ -47,7 +47,7 @@ detection: - wbadmin.exe - icacls.exe - diskpart.exe - timeframe: 5min + timeframe: 5m condition: selection | count() by MachineName > 5 falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From 2ebbdebe46f4c29ddd80c26a1be7efd6932ecd68 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 30 Nov 2018 10:25:05 +0100 Subject: [PATCH 20/99] rule: Cobalt Strike beacon detection via Remote Threat Creation https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f --- .../sysmon_cobaltstrike_process_injection.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml 
diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml new file mode 100644 index 000000000..7224ffceb --- /dev/null +++ b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml @@ -0,0 +1,21 @@ +title: CobaltStrike Process Injection +description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons +references: + - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f +status: experimental +author: Olaf Hartong, Florian Roth +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 8 + TargetProcessAddress: '*0B80' + condition: selection +tags: + - attack.process_injection + - attack.t1055 +falsepositives: + - unknown +level: high + From 9f1df6164b4309d791e717548622ec073eb527ed Mon Sep 17 00:00:00 2001 From: AL <45491991+41thexplorer@users.noreply.github.com> Date: Mon, 3 Dec 2018 09:42:29 +0200 Subject: [PATCH 21/99] adding new rules detecting recently active APTs --- rules/apt/apt_tropictrooper.yml | 34 +++++++++++++++++++++ rules/apt/apt_unidentified_nov_18.yml | 44 +++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 rules/apt/apt_tropictrooper.yml create mode 100644 rules/apt/apt_unidentified_nov_18.yml diff --git a/rules/apt/apt_tropictrooper.yml b/rules/apt/apt_tropictrooper.yml new file mode 100644 index 000000000..a430542b5 --- /dev/null +++ b/rules/apt/apt_tropictrooper.yml 
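Review bot: The rule's only discriminating predicate is `TargetProcessAddress: '*0B80'`, and neither the `description` nor a comment records why that address suffix is characteristic of the beacon, which is the first thing an analyst tuning or retiring the rule will need; one sentence in `description` pointing at the trait the referenced article describes, or a `# why this suffix: …` comment above the field, would cover it. The rule also lacks the `date:` key that the other rules added in this series carry (e.g. `date: 2018/11/30`), and `level: high` next to `falsepositives: - unknown` reads optimistic for a single wildcard match on an address fragment — either gather false-positive data first or state in the description why the match is expected to be clean. The final `+` line adds an empty trailing line that the other rule files do not have.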
@@ -0,0 +1,34 @@ +action: global +title: TropicTrooper Campaign November 2018 +status: stable +description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia +references: + - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ +author: + - "@41thexplorer, Windows Defender ATP" +date: 2018/11/30 +tags: + - attack.execution + - attack.t1085 +detection: + condition: selection +level: high +--- +# Windows Security Eventlog: Process Creation with Full Command Line +logsource: + product: windows + service: security + description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*' +--- +# Sysmon: Process Creation (ID 1) +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*' \ No newline at end of file diff --git a/rules/apt/apt_unidentified_nov_18.yml b/rules/apt/apt_unidentified_nov_18.yml new file mode 100644 index 000000000..4eba43a8f --- /dev/null +++ b/rules/apt/apt_unidentified_nov_18.yml 
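Review bot: Under `logsource:` both sub-documents use `description: 'Requirements: …'`, but the Sigma specification's key for this free-text requirement note is `definition:`; the same key appears in apt_unidentified_nov_18.yml in the next hunk and in apt_apt29_thinktanks.yml (PATCH 23/99), so all three should read `definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'`. `author:` is a one-element list where the spec expects a string — PATCH 32/33 later in this series fix exactly this, so it is only noted. A brand-new rule marked `status: stable` is unusual; the other new rules on this page start as `experimental`, and `stable` should be earned by deployment time. The file is also committed without a terminating newline.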
@@ -0,0 +1,44 @@ +action: global +title: Unidentified Attacker November 2018 +status: stable +description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016. +references: + - https://twitter.com/DrunkBinary/status/1063075530180886529 +author: + - "@41thexplorer, Windows Defender ATP" +date: 2018/11/20 +tags: + - attack.execution + - attack.t1085 +detection: + condition: selection +level: high +--- +# Windows Security Eventlog: Process Creation with Full Command Line +logsource: + product: windows + service: security + description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + CommandLine: '*cyzfc.dat, PointFunctionCall' +--- +# Sysmon: Process Creation (ID 1) +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: '*cyzfc.dat, PointFunctionCall' +--- +# Sysmon: File Creation (ID 11) +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 11 + TargetFilename: + - '*ds7002.lnk*' \ No newline at end of file From 2c5c92ab0a7872124d9ba1738b90aa24444c7f82 Mon Sep 17 00:00:00 2001 From: tuckner Date: Mon, 3 Dec 2018 15:09:29 -0600 Subject: [PATCH 22/99] fixed backslash escape --- tools/sigma/backends/netwitness.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/sigma/backends/netwitness.py b/tools/sigma/backends/netwitness.py index c998016fc..252c1fd69 100644 --- a/tools/sigma/backends/netwitness.py +++ b/tools/sigma/backends/netwitness.py 
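Review bot: The `description` text contains spelling and grammar slips that will be copied into every generated alert — `unidetefied` → `unidentified`, `orgs on November 2018` → `organizations in November 2018`. `TargetFilename:` in the Sysmon file-creation document is a one-item list (`- '*ds7002.lnk*'`) while every other selection value in the file is a scalar, so `TargetFilename: '*ds7002.lnk*'` is the consistent form. The two `CommandLine: '*cyzfc.dat, PointFunctionCall'` values have a leading wildcard but none at the end, so they only match a command line that ends exactly in `PointFunctionCall`; if that is deliberate it deserves a comment, otherwise a trailing `*` is presumably missing. `logsource:` uses `description:` where the specification's key is `definition:`.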
@@ -98,6 +98,7 @@ class NetWitnessBackend(SingleTextQueryBackend): item = re.sub('\\?', '.', item) regexlist.append(self.generateValueNode(item, True)) elif type(item) == str and (item.endswith("*") or item.startswith("*")): + item = re.sub('([".^$]|\\\\(?![*?]))', '\\\\\g<1>', item) item = re.sub("(\*\\\\)|(\*)", "", item) containlist.append(self.generateValueNode(item, True)) else: From 3861dd59124656feea8fde71fb3dd1abc5a17c4c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 4 Dec 2018 17:04:03 +0100 Subject: [PATCH 23/99] Rule: APT29 campaign against US think tanks https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ --- rules/apt/apt_apt29_thinktanks.yml | 32 ++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/apt/apt_apt29_thinktanks.yml diff --git a/rules/apt/apt_apt29_thinktanks.yml b/rules/apt/apt_apt29_thinktanks.yml new file mode 100644 index 000000000..4cc456be1 --- /dev/null +++ b/rules/apt/apt_apt29_thinktanks.yml 
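Review bot: The added escape on the `item = re.sub('([".^$]|\\\\(?![*?]))', '\\\\\g<1>', item)` line is written with ordinary string literals, so the pattern and replacement each need doubled backslashes and the replacement contains `\g`, which is an invalid escape in a non-raw Python string (it survives only because Python keeps unknown escapes literal, with a DeprecationWarning from 3.6 on); raw literals say the same thing unambiguously: `item = re.sub(r'([".^$]|\\(?![*?]))', r'\\\g<1>', item)`. The set of escaped characters (`"`, `.`, `^`, `$`, lone backslash) also looks partial for a regex consumer — `( ) [ ] + |` are not escaped — so a comment stating which NetWitness operator this value feeds and why only these need escaping would help; I cannot confirm the consumer's grammar from the hunk. The enclosing function starts and ends outside the hunk.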
@@ -0,0 +1,32 @@ +--- +action: global +title: APT29 +description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks' +references: + - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ +logsource: + product: windows +author: Florian Roth +date: 2018/12/04 +detection: + condition: selection +falsepositives: + - unknown +level: critical +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: '*-noni -ep bypass $*' +--- +logsource: + product: windows + service: security + description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: '*-noni -ep bypass $*' From f0b23af10dccd5b1d9bcc4b1aac283eb7858beeb Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Wed, 5 Dec 2018 05:10:08 +0300 Subject: [PATCH 24/99] Update win_rare_schtasks_creations.yml Count(taskName) not being taken by elastalert integration with Sigmac --- rules/windows/builtin/win_rare_schtasks_creations.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/win_rare_schtasks_creations.yml index 2cdb3facb..89173c797 100644 --- a/rules/windows/builtin/win_rare_schtasks_creations.yml +++ b/rules/windows/builtin/win_rare_schtasks_creations.yml @@ -15,7 +15,7 @@ detection: selection: EventID: 4698 timeframe: 7d - condition: selection | count(TaskName) < 5 + condition: selection | count() by TaskName < 5 falsepositives: - Software installation - Software updates From c8990962d2c1eb400ca4b3b6d958e73acf0970dd Mon Sep 17 00:00:00 2001 
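Review bot: The Security sub-document matches on `ProcessCommandLine` for EventID 4688 whereas the two multi-document rules added in PATCH 21/99 (apt_tropictrooper.yml, apt_unidentified_nov_18.yml) use `CommandLine` for the same event, so at most one spelling will be covered by a config's fieldmappings; pick the name the project's configs map (I cannot tell which from the hunk). The rule has no `status:` key, which every other rule on this page carries. `title: APT29` is generic enough to collide with other APT29 rules, and PATCH 27, 29 and 30 in this series exist because duplicate titles break the ElastAlert backend, so a campaign-specific title (constructed example: `APT29 Think Tank Campaign Dec 2018`) is advisable. `logsource:` uses `description:` where the specification's key is `definition:`.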
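Review bot: Replacing `count(TaskName) < 5` with `count() by TaskName < 5` changes what the rule computes, not just how ElastAlert receives it: the old form is a distinct count of task names across all 4698 events in 7d, the new form counts events per task name and fires for any name seen fewer than five times — which is actually closer to the "rare" intent in the title. That semantic shift should be stated in the commit message (it currently reads as a pure backend workaround) and the rule `description`, which lies outside the hunk, checked for consistency. The same change is made to win_rare_service_installs.yml in the next patch (PATCH 25/99).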
From: Roberto Rodriguez Date: Wed, 5 Dec 2018 05:33:56 +0300 Subject: [PATCH 25/99] Update win_rare_service_installs.yml same count() by ServiceFileName < 5 aded to make sigmac work with elastalert integration --- rules/windows/builtin/win_rare_service_installs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/win_rare_service_installs.yml index 429306430..99b8b29e8 100644 --- a/rules/windows/builtin/win_rare_service_installs.yml +++ b/rules/windows/builtin/win_rare_service_installs.yml @@ -13,8 +13,8 @@ detection: selection: EventID: 7045 timeframe: 7d - condition: selection | count(ServiceFileName) < 5 + condition: selection | count() by ServiceFileName < 5 falsepositives: - Software installation - Software updates -level: low +level: low \ No newline at end of file From 6dc36c874976629935e7148d3e3d26c2a426d9b5 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Wed, 5 Dec 2018 05:40:00 +0300 Subject: [PATCH 26/99] Update win_eventlog_cleared.yml Experimental Rule is a duplicate of https://github.com/Neo23x0/sigma/blob/bfc7012043317632265a897c8a4901f266cda992/rules/windows/builtin/win_susp_eventlog_cleared.yml. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format --- rules/windows/builtin/win_eventlog_cleared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_eventlog_cleared.yml b/rules/windows/builtin/win_eventlog_cleared.yml index d33582144..ea6dcc592 100644 --- a/rules/windows/builtin/win_eventlog_cleared.yml +++ b/rules/windows/builtin/win_eventlog_cleared.yml @@ -1,4 +1,4 @@ -title: Eventlog Cleared +title: Eventlog Cleared Experimental status: experimental description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution author: Florian Roth 
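Review bot: The second change in the hunk, `-level: low` / `+level: low` with `\ No newline at end of file`, only strips the file's terminating newline; it changes nothing semantically and will resurface as noise in every future diff touching the last line, so the line should be restored with its newline. The first change, `count(ServiceFileName) < 5` → `count() by ServiceFileName < 5`, turns a distinct count of service image paths into an event count per image path — a semantic change that the commit message presents as a backend workaround only; it should say that the rule now means "fewer than five installs of the same service binary in 7d", which does fit the "rare" title.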
From 328762ed679fc292905e81cfa3eac3254ab5540f Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Wed, 5 Dec 2018 05:51:41 +0300 Subject: [PATCH 27/99] Update powershell_xor_commandline.yml Ducplicate names again for https://github.com/Neo23x0/sigma/search?q=Suspicious+Encoded+PowerShell+Command+Line&unscoped_q=Suspicious+Encoded+PowerShell+Command+Line . This brakes elastalert integration since each rule needs to have its own unique name. --- rules/windows/powershell/powershell_xor_commandline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_xor_commandline.yml index f82da8670..57e4c60ec 100644 --- a/rules/windows/powershell/powershell_xor_commandline.yml +++ b/rules/windows/powershell/powershell_xor_commandline.yml @@ -1,5 +1,5 @@ action: global -title: Suspicious Encoded PowerShell Command Line +title: Suspicious XOR Encoded PowerShell Command Line description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands. status: experimental author: Sami Ruohonen From 104ee6c33be10b67facc9f1ab0e6d3603b046de4 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Wed, 5 Dec 2018 05:55:36 +0300 Subject: [PATCH 28/99] Update win_susp_commands_recon_activity.yml Rule missing "by CommandLine" which marchs the query_key value of the elastalert format to NULL. --- rules/windows/builtin/win_susp_commands_recon_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml index d3291236c..e20cb86a4 100644 --- a/rules/windows/builtin/win_susp_commands_recon_activity.yml +++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml 
@@ -34,7 +34,7 @@ detection: - '*\net1 user net localgroup administrators' - 'netstat -an' timeframe: 15s - condition: selection | count() > 4 + condition: selection | count() by CommandLine > 4 falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: medium From bff7ec52db57e21099211d56c0f9c2c16a232c1e Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Wed, 5 Dec 2018 07:53:53 +0300 Subject: [PATCH 29/99] Update av_relevant_files.yml Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Antivirus+Exploitation+Framework+Detection&unscoped_q=Antivirus+Exploitation+Framework+Detection This affetcs Elastalert integration --- rules/windows/malware/av_relevant_files.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index 1dfa5d40e..b183b4b20 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml @@ -1,4 +1,4 @@ -title: Antivirus Exploitation Framework Detection +title: Antivirus Relevant File Paths Alerts description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name date: 2018/09/09 author: Florian Roth From 87ce07088f5b095e5bc7a2197b95dde22ca8b832 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Wed, 5 Dec 2018 07:58:13 +0300 Subject: [PATCH 30/99] Update sysmon_plugx_susp_exe_locations.yml Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Executable+used+by+PlugX+in+Uncommon+Location&unscoped_q=Executable+used+by+PlugX+in+Uncommon+Location This impats Elastalert integration since you cannot have two rules with the same name --- rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
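Review bot: Adding `by CommandLine` in `selection | count() by CommandLine > 4` changes the detection semantics: the count is now taken per distinct command line, so the rule fires only when one and the same recon command is repeated more than four times in 15s, whereas the selection is a list of different commands whose combination was the signal. If the group field was added only because the ElastAlert backend emitted `query_key: null`, a host-scoped field keeps the intent — win_multiple_suspicious_cli.yml on this page uses `count() by MachineName > 5` — and PATCH 36/99 later in this series fixes the backend to omit `query_key` when no group field is set, which removes the need for the workaround. The rule's enclosing `detection:` block begins outside the hunk.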
diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml index 9271116db..7071de23c 100644 --- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml @@ -1,4 +1,4 @@ -title: Executable used by PlugX in Uncommon Location +title: Executable used by PlugX in Uncommon Location - Sysmon Version status: experimental description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location references: From 246ad7c59a39a9adb809f172e7568f52c478d184 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 5 Dec 2018 09:07:07 +0100 Subject: [PATCH 31/99] Revert "Fixed wildcards in es-qs backend" This reverts commit 49d464f97959c14051e1e7364a360da01eec460e. The partial fix for issue #194 broke the generation of many other rules, see #203. --- tools/sigma/backends/elasticsearch.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 0c9a42ec6..8e734d749 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -27,7 +27,7 @@ class ElasticsearchQuerystringBackend(SingleTextQueryBackend): identifier = "es-qs" active = True - reEscape = re.compile("([\\s+\\-=!(){}\\[\\]^\"~:/]|\\\\(?![*?])|\\\\u|&&|\\|\\|)") + reEscape = re.compile("([+\\-=!(){}\\[\\]^\"~:/]|\\\\(?![*?])|\\\\u|&&|\\|\\|)") reClear = re.compile("[<>]") andToken = " AND " orToken = " OR " @@ -35,7 +35,7 @@ class ElasticsearchQuerystringBackend(SingleTextQueryBackend): subExpression = "(%s)" listExpression = "(%s)" listSeparator = " " - valueExpression = "%s" + valueExpression = "\"%s\"" nullExpression = "NOT _exists_:%s" notNullExpression = "_exists_:%s" mapExpression = "%s:%s" From 9b15b64a9ab6b71651c88712a17ad94862cddd41 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Wed, 5 Dec 2018 11:44:14 +0100 Subject: [PATCH 32/99] fix: fixed author string (cannot be list according to sigma specs) --- rules/apt/apt_unidentified_nov_18.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/apt/apt_unidentified_nov_18.yml b/rules/apt/apt_unidentified_nov_18.yml index 4eba43a8f..aab42be66 100644 --- a/rules/apt/apt_unidentified_nov_18.yml +++ b/rules/apt/apt_unidentified_nov_18.yml @@ -4,8 +4,7 @@ status: stable description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016. references: - https://twitter.com/DrunkBinary/status/1063075530180886529 -author: - - "@41thexplorer, Windows Defender ATP" +author: "@41thexplorer, Windows Defender ATP" date: 2018/11/20 tags: - attack.execution From 2e5a739c6c8dc061e0f34529917e6346d787d2da Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 5 Dec 2018 11:59:10 +0100 Subject: [PATCH 33/99] fix: fixed author string (cannot be list according to sigma specs) --- rules/apt/apt_tropictrooper.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/apt/apt_tropictrooper.yml b/rules/apt/apt_tropictrooper.yml index a430542b5..6fc3cab83 100644 --- a/rules/apt/apt_tropictrooper.yml +++ b/rules/apt/apt_tropictrooper.yml @@ -4,8 +4,7 @@ status: stable description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia references: - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ -author: - - "@41thexplorer, Windows Defender ATP" +author: "@41thexplorer, Windows Defender ATP" date: 2018/11/30 tags: - attack.execution From a35f945c71a57660081a0a7885536e943de377a5 Mon Sep 17 00:00:00 2001 
From: Roberto Rodriguez Date: Thu, 6 Dec 2018 05:09:41 +0300 Subject: [PATCH 34/99] Update win_disable_event_logging.yml Description value breaking SIGMA Elastalert Backend --- rules/windows/builtin/win_disable_event_logging.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml index a8ac854ad..fbda6b0c1 100644 --- a/rules/windows/builtin/win_disable_event_logging.yml +++ b/rules/windows/builtin/win_disable_event_logging.yml @@ -1,11 +1,10 @@ title: Disabling Windows Event Auditing -description: > - Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario +description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off - specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways. + specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.' references: - https://bit.ly/WinLogsZero2Hero tags: From 8c577a329fc7494b9529c658cc8222047995550b Mon Sep 17 00:00:00 2001 
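Review bot: The removed `description: >` block and the new single-quoted multi-line scalar fold line breaks identically; the only difference is that `>` keeps one trailing newline, so that trailing `\n` is presumably what tripped the ElastAlert backend. `description: >-` would have stripped it while keeping the readable block form, and it avoids the `''` escaping any future apostrophe in the text will need inside the quoted scalar. If a rule field value can break a backend, the backend should be hardened too (strip or escape the description on output), since other rules will keep using block scalars.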
From: Roberto Rodriguez Date: Sat, 8 Dec 2018 11:30:21 +0300 Subject: [PATCH 35/99] Improve Rule & Updated HELK SIGMA Standardization Config Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe. SIGMA HELK standardization config updated to match latest HELK Common Information Model --- ...ershell_suspicious_parameter_variation.yml | 92 +++++++++--------- tools/config/helk.yml | 96 +++++++++++++++---- 2 files changed, 122 insertions(+), 66 deletions(-) diff --git a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml index 38fcdcd9f..ed6d68eeb 100644 --- a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml +++ b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml 
@@ -6,55 +6,57 @@ references: tags: - attack.execution - attack.t1086 -author: Florian Roth (rule), Daniel Bohannon (idea) +author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) logsource: product: windows service: sysmon detection: - keywords: - Image: '*\powershell.exe' - substrings: - - ' -windowstyle h ' - - ' -windowstyl h' - - ' -windowsty h' - - ' -windowst h' - - ' -windows h' - - ' -windo h' - - ' -wind h' - - ' -win h' - - ' -wi h' - - ' -win h ' - - ' -win hi ' - - ' -win hid ' - - ' -win hidd ' - - ' -win hidde ' - - ' -NoPr ' - - ' -NoPro ' - - ' -NoProf ' - - ' -NoProfi ' - - ' -NoProfil ' - - ' -nonin ' - - ' -nonint ' - - ' -noninte ' - - ' -noninter ' - - ' -nonintera ' - - ' -noninterac ' - - ' -noninteract ' - - ' -noninteracti ' - - ' -noninteractiv ' - - ' -ec ' - - ' -encodedComman ' - - ' -encodedComma ' - - ' -encodedComm ' - - ' -encodedCom ' - - ' -encodedCo ' - - ' -encodedC ' - - ' -encoded ' - - ' -encode ' - - ' -encod ' - - ' -enco ' - - ' -en ' - condition: all of them + selection: + Image: + - '*\Powershell.exe' + EventID: 1 + CommandLine: + - ' -windowstyle h ' + - ' -windowstyl h' + - ' -windowsty h' + - ' -windowst h' + - ' -windows h' + - ' -windo h' + - ' -wind h' + - ' -win h' + - ' -wi h' + - ' -win h ' + - ' -win hi ' + - ' -win hid ' + - ' -win hidd ' + - ' -win hidde ' + - ' -NoPr ' + - ' -NoPro ' + - ' -NoProf ' + - ' -NoProfi ' + - ' -NoProfil ' + - ' -nonin ' + - ' -nonint ' + - ' -noninte ' + - ' -noninter ' + - ' -nonintera ' + - ' -noninterac ' + - ' -noninteract ' + - ' -noninteracti ' + - ' -noninteractiv ' + - ' -ec ' + - ' -encodedComman ' + - ' -encodedComma ' + - ' -encodedComm ' + - ' -encodedCom ' + - ' -encodedCo ' + - ' -encodedC ' + - ' -encoded ' + - ' -encode ' + - ' -encod ' + - ' -enco ' + - ' -en ' + condition: selection falsepositives: - Penetration tests level: high diff --git a/tools/config/helk.yml b/tools/config/helk.yml index 9a0e245b7..3d66e8c84 100644 
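Review bot: `Image:` is written as a one-element list (`- '*\Powershell.exe'`) where the other rules on this page use a plain scalar, and its capitalisation changed from the removed `'*\powershell.exe'` to `Powershell.exe`; backends with case-insensitive matching will not care, but any backend or field mapping that compares case-sensitively would now miss the common lower-case spelling, so `Image: '*\powershell.exe'` is the safer form. The `CommandLine:` list reproduces the removed `substrings` list entry for entry, so the move from `keywords`/`all of them` to a field-bound `selection` is equivalent apart from the added `EventID: 1`, and the binding to `CommandLine` (the motivation in the commit message) is worth a one-line mention in the rule `description`, which lies outside the hunk.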
--- a/tools/config/helk.yml +++ b/tools/config/helk.yml 
@@ -30,64 +30,118 @@ logsources: defaultindex: logs-* fieldmappings: AccessMask: object_access_mask_requested - AccountName: service_account_name + AccountName: + EventID=7045: service_account_name + EventID=4624: user_name AllowedToDelegateTo: user_attribute_allowed_todelegate AttributeLDAPDisplayName: dsobject_attribute_name AuditPolicyChanges: policy_changes AuthenticationPackageName: logon_authentication_package - CallTrace: process_calltrace - CommandLine: command_line + CallTrace: process_call_trace + CommandLine: process_command_line + Company: file_company ComputerName: host_name + Configuration: + EventID=16: sysmon_configuration CurrentDirectory: process_current_directory - DestinationHostname: dst_host + Description: file_description + Destination: + EventID=20: wmi_consumer_destination + DestinationHostname: dst_host_name DestinationIp: dst_ip DestinationIsIpv6: dst_isipv6 - DestinationPort: dst_port_number - Details: registry_details + DestinationPort: dst_port + DestinationPortName: dst_port_name + Details: + EventID=13: registry_key_value + Device: device_name EngineVersion: powershell.engine.version EventID: event_id - EventType: - EventID=12: registry_event_type - EventID=13: registry_event_type - EventID=14: registry_event_type - EventID=19: wmi_event_type - EventID=20: wmi_event_type - EventID=21: wmi_event_type + EventType: event_type + EventNamespace: + EventID=19: wmi_namespace + Filter: + EventID=21: wmi_filter_path FailureCode: ticket_failure_code + FileVersion: file_version GrantedAccess: process_granted_access GroupName: group_name HiveName: hive_name HostVersion: powershell.host.version Image: process_path - ImageLoaded: image_loaded + ImageLoaded: + EventID=6: driver_loaded + EventID=7: module_loaded + Imphash: hash_imphash + Initiated: + EventID=3: network_initiated" + IntegrityLevel: + EventID=1: process_integrity_level LogonProcessName: logon_process_name LogonType: logon_type + MachineName: host_name + Name: + EventID=19: wmi_name + 
EventID=20: wmi_name NewProcessName: process_path + NewName: + EventID=14: registry_key_new_name ObjectClass: dsobject_class ObjectName: object_name ObjectType: object_type ObjectValueName: object_value_name + Operation: + EventID=19: wmi_operation + EventID=20: wmi_operation + EventID=21: wmi_operation OperationType: object_operation_type ParentImage: process_parent_path + ParentCommandLine: process_parent_command_line PipeName: pipe_name ProcessName: process_path + ProcesssCommandLine: process_command_line + Product: file_product + Properties: object_properties + Protocol: + EventID=3: network_protocol + Query: + EventID=19: wmi_query RelativeTargetName: share_relative_target_name + SchemaVersion: + EventID=4: sysmon_schema_version ServiceFileName: service_image_path ServiceName: service_name ShareName: share_name + Signature: signature + SignatureStatus: signature_status + Signed: signed Source: source_name + SourceHostname: src_host_name SourceImage: process_path - StartModule: thread_startmodule - Status: logon_failure_status - SubjectUserName: user_name + SourcePort: src_port + SourcePortName: src_port_name + StartAddress: thread_start_address + StartFunction: thread_start_function + StartModule: thread_start_module + Status: event_status + State: + EventID=4: service_state + EventID=16: sysmon_configuration_state + SubjectUserName: + EventID=4624: user_reporter_name + EventID=5140: user_name TargetFilename: file_name - TargetImage: process_target_path - TargetObject: registry_target_object + TargetImage: target_process_path + TargetObject: registry_key_path TargetImage: target_process_path TaskName: task_name TicketEncryptionType: ticket_encryption_type TicketOptions: ticket_options + Type: + EventID=20: wmi_consumer_type User: user UserName: user_name - Workstation: src_host - WorkstationName: src_host + Version: + EventID=4: sysmon_version + Workstation: source_host_name + WorkstationName: source_host_name \ No newline at end of file 
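Review bot: Three defects in the new mapping: `EventID=3: network_initiated"` carries a stray trailing double quote that becomes part of the target field name (a `"` inside a plain scalar is literal), so it should read `EventID=3: network_initiated`; `ProcesssCommandLine: process_command_line` has a triple-s typo and will never match a Sigma rule field; and `TargetImage: target_process_path` now appears twice — the `+` line and the untouched context line just below `TargetObject` — a duplicate key that most YAML loaders resolve silently by last-wins (yamllint `key-duplicates`), so one copy should go. The naming of the new source-side fields is also inconsistent (`SourceHostname: src_host_name`, `SourcePort: src_port` vs. `Workstation: source_host_name`, `WorkstationName: source_host_name`), which the HELK CIM presumably settles one way — worth a check. The file also loses its terminating newline.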
From 2091c90538e83b2563e9bba3f2246bf8cbeedc6c Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 9 Dec 2018 22:33:23 +0100 Subject: [PATCH 36/99] Fixed ElastAlert *_key options * Always use .keyword field instead of analyzed one * Fixed 'null' value if group field was not set --- tools/sigma/backends/elasticsearch.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 8e734d749..65319550b 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -551,7 +551,8 @@ class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend): #Handle aggregation if parsed.parsedAgg: if parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_COUNT or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MIN or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MAX or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_AVG or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_SUM: - rule_object['query_key'] = parsed.parsedAgg.groupfield + if parsed.parsedAgg.groupfield is not None: + rule_object['query_key'] = parsed.parsedAgg.groupfield + ".keyword" rule_object['type'] = "metric_aggregation" rule_object['buffer_time'] = interval rule_object['doc_type'] = "doc" @@ -562,7 +563,7 @@ class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend): rule_object['metric_agg_type'] = parsed.parsedAgg.aggfunc_notrans if parsed.parsedAgg.aggfield: - rule_object['metric_agg_key'] = parsed.parsedAgg.aggfield + rule_object['metric_agg_key'] = parsed.parsedAgg.aggfield + ".keyword" else: rule_object['metric_agg_key'] = "_id" From 1f707cb37caa91d5203d55831e19cf0bc8caefce Mon Sep 17 00:00:00 2001 
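Review bot: Both hunks hard-code the `".keyword"` suffix (`rule_object['query_key'] = parsed.parsedAgg.groupfield + ".keyword"` and `rule_object['metric_agg_key'] = parsed.parsedAgg.aggfield + ".keyword"`), which assumes the index uses Elasticsearch's default dynamic text-plus-keyword mapping for every grouped field; on indices where the field is already keyword- or numeric-typed (common for IDs and ports in a curated mapping) the sub-field does not exist and the aggregation silently yields nothing. Making the suffix a backend option with `.keyword` as default, or at least a comment such as `# assumes dynamic mapping with a .keyword sub-field — TODO make configurable`, would make the failure mode discoverable; I cannot tell from the hunks whether this class already has an option mechanism. The enclosing method starts and ends outside the hunks.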
From: juju4 Date: Sun, 9 Dec 2018 17:55:51 -0500 Subject: [PATCH 37/99] Adding Sumologic backend --- tools/config/sumologic.yml | 68 +++++++++++++++++++++++++++++++ tools/setup.py | 1 + tools/sigma/backends/sumologic.py | 63 ++++++++++++++++++++++++++++ 3 files changed, 132 insertions(+) create mode 100644 tools/config/sumologic.yml create mode 100644 tools/sigma/backends/sumologic.py diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml new file mode 100644 index 000000000..833b387cc --- /dev/null +++ b/tools/config/sumologic.yml @@ -0,0 +1,68 @@ +# Sumulogic mapping depends on customer configuration. Adapt to your context! +# typically rule on _sourceCategory, _index or Field Extraction Rules (FER) +# supposing existing FER for service, EventChannel, EventID +logsources: + linux: + product: linux + index: + - _index=LINUX + linux-sshd: + product: linux + service: sshd + index: + - _index=LINUX + linux-auth: + product: linux + service: auth + index: + - _index=LINUX + linux-clamav: + product: linux + service: clamav + index: + - _index=LINUX + windows: + product: windows + index: + - _index=WINDOWS + windows-sysmon: + product: windows + service: sysmon + conditions: + EventChannel: Microsoft-Windows-Sysmon + index: + - _index=WINDOWS + windows-security: + product: windows + service: security + conditions: + EventChannel: Security + index: + - _index=WINDOWS + windows-powershell: + product: windows + service: powershell + conditions: + EventChannel: Microsoft-Windows-Powershell + index: + - _index=WINDOWS + windows-system: + product: windows + service: system + conditions: + EventChannel: System + index: + - _index=WINDOWS + apache: + product: apache + service: apache + index: + - _index=WEBSERVER + firewall: + product: firewall + index: + - _index=FIREWALL +# if no index, search in all indexes +defaultindex: +# all mappings depends either on FER or on query parsing +fieldmappings: 
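Review bot: `defaultindex:` and `fieldmappings:` are left as bare keys, which YAML reads as `null`; the comment says an empty index means "search in all indexes", but whether the sigmac config loader accepts `null` where it otherwise expects a string or a mapping is not visible here — if it does, `defaultindex: ''` and `fieldmappings: {}` state the intent explicitly and avoid the empty-value ambiguity (yamllint `empty-values`). The header comment misspells the product: `# Sumulogic mapping depends on customer configuration` → `# Sumologic mapping depends on customer configuration`. Every `index:` entry is a one-item list of a raw `_index=…` token; a comment on whether `_sourceCategory` may be substituted (the header hints at it) would help adopters.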
diff --git a/tools/setup.py b/tools/setup.py index 281e82cb8..c8dbc0689 100644 --- a/tools/setup.py +++ b/tools/setup.py @@ -54,6 +54,7 @@ setup( 'config/spark.yml', 'config/netwitness.yml', 'config/splunk-windows-all.yml', + 'config/sumologic.yml', ])], scripts=[ 'sigmac', diff --git a/tools/sigma/backends/sumologic.py b/tools/sigma/backends/sumologic.py new file mode 100644 index 000000000..4b430fd57 --- /dev/null +++ b/tools/sigma/backends/sumologic.py 
@@ -0,0 +1,63 @@
+# Output backends for sigmac
+# Copyright 2016-2018 Thomas Patzke, Florian Roth, juju4
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+import re
+import sigma
+from .base import SingleTextQueryBackend
+
+# Sumo specifics
+# https://help.sumologic.com/05Search/Search-Query-Language
+# want _index or _sourceCategory for performance
+# try to get most string match on first line for performance
+# further sorting can be done with extra parsing
+# No regex match, must use 'parse regex' https://help.sumologic.com/05Search/Search-Query-Language/01-Parse-Operators/02-Parse-Variable-Patterns-Using-Regex
+# For some strings like Windows ProcessCmdline or LogonProcess, it might be good to force case lower and upper as Windows is inconsistent in logs
+
+class SumoLogicBackend(SingleTextQueryBackend):
+ """Converts Sigma rule into SumoLogic query"""
+ identifier = "sumologic"
+ active = True
+
+ reEscape = re.compile('("|\\\\(?![*?]))')
+ reClear = None
+ andToken = " AND "
+ orToken = " OR "
+ notToken = "!"
+ subExpression = "(%s)"
+ listExpression = "(%s)"
+ listSeparator = ", "
+ valueExpression = "\"%s\""
+ nullExpression = "isEmpty(%s)"
+ notNullExpression = "!isEmpty(%s)"
+ mapExpression = "%s=%s"
+ mapListsSpecialHandling = True
+ mapListValueExpression = "%s IN %s"
+
+ def generateAggregation(self, agg):
+ if agg == None:
+ return ""
+ if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR:
+ raise NotImplementedError("The 'near' aggregation operator is not yet implemented for this backend")
+ if agg.groupfield == None:
+ #return " | %s(%s) | when _count %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.cond_op, agg.condition)
+ return " | %s(%s) as val | when val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.cond_op, agg.condition)
+ else:
+ return " | %s(%s) as val by %s | when val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.groupfield or "", agg.cond_op, agg.condition)
+
+# TimeFrame condition / within timeframe
+# condition | timeslice 5m | count_distinct(f1) as val by f2 | where val > 5
+# Near condition => how near... like timeframe?
+
From b5208971761d3610ed53334534badace6a376860 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 10 Dec 2018 22:36:08 +0100
Subject: [PATCH 38/99] Added CI testing for SumoLogic backend
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index d8d547586..d6dfa49f5 100644
--- a/Makefile
+++ b/Makefile
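Review bot: `generateAggregation` silently drops the rule's timeframe: the trailing comment sketches a `timeslice` pipeline, but the method only emits `| count(...) as val | when val > N`, so a rule such as `selection | count() by src_ip > 10` with `timeframe: 24h` converts to a query that counts over the whole search window, which changes what the threshold means for the analyst. Until timeslice support exists, fail loudly the way the near operator does (`raise NotImplementedError(...)`) when the rule carries a timeframe, or at least state in the class docstring that timeframes are ignored. Minor style: `if agg == None:` and `if agg.groupfield == None:` should use `is None`, and the commented-out `#return ...` line inside the groupfield-less branch can be removed.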
@@ -31,6 +31,7 @@ test-sigmac:
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
+ coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -c tools/config/sumologic.yml rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
From 4175d0cdd5896231017a6ea0d3e2660b0bcda3dc Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 10 Dec 2018 22:37:39 +0100
Subject: [PATCH 39/99] Fixed config and added index field
* Added index field _index to backend implementation
* Fixed index values in config
---
 tools/config/sumologic.yml | 36 ++++++++++---------------------
 tools/sigma/backends/sumologic.py | 1 +
 2 files changed, 12 insertions(+), 25 deletions(-)
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index 833b387cc..a09c10a7b 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -4,65 +4,51 @@
 logsources:
 linux:
 product: linux
- index:
- - _index=LINUX
+ index: LINUX
 linux-sshd:
 product: linux
 service: sshd
- index:
- - _index=LINUX
+ index: LINUX
 linux-auth:
 product: linux
 service: auth
- index:
- - _index=LINUX
+ index: LINUX
 linux-clamav:
 product: linux
 service: clamav
- index:
- - _index=LINUX
+ index: LINUX
 windows:
 product: windows
- index:
- - _index=WINDOWS
+ index: WINDOWS
 windows-sysmon:
 product: windows
 service: sysmon
 conditions:
 EventChannel: Microsoft-Windows-Sysmon
- index:
- - _index=WINDOWS
+ index: WINDOWS
 windows-security:
 product: windows
 service: security
 conditions:
 EventChannel: Security
- index:
- - _index=WINDOWS
+ index: WINDOWS
 windows-powershell:
 product: windows
 service: powershell
 conditions:
 EventChannel: Microsoft-Windows-Powershell
- index:
- - _index=WINDOWS
+ index: WINDOWS
 windows-system:
 product: windows
 service: system
 conditions:
 EventChannel: System
- index:
- - _index=WINDOWS
+ index: WINDOWS
 apache:
 product: apache
 service: apache
- index:
- - _index=WEBSERVER
+ index: WEBSERVER
 firewall:
 product: firewall
- index:
- - _index=FIREWALL
+ index: FIREWALL
 # if no index, search in all indexes
-defaultindex:
-# all mappings depends either on FER or on query parsing
-fieldmappings:
diff --git a/tools/sigma/backends/sumologic.py b/tools/sigma/backends/sumologic.py
index 4b430fd57..cf9532da2 100644
--- a/tools/sigma/backends/sumologic.py
+++ b/tools/sigma/backends/sumologic.py
@@ -31,6 +31,7 @@ class SumoLogicBackend(SingleTextQueryBackend):
 identifier = "sumologic"
 active = True
+ index_field = "_index"
 reEscape = re.compile('("|\\\\(?![*?]))')
 reClear = None
 andToken = " AND "
From a0486edeeaf8b1710c7d692dc85969bf027b426e Mon Sep 17 00:00:00 2001
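Review bot: the context line `# if no index, search in all indexes` now trails the file with nothing beneath it, because the `defaultindex:` key it described is removed by this hunk; either delete the comment or reword it to describe the resulting behaviour, e.g. `# no defaultindex: rules whose logsource matches no entry above search all indexes`. With `fieldmappings:` removed entirely, Sigma field names are presumably passed through to the query unmapped, which only works where the Field Extraction Rules use the same names as the rules — the removed comment about relying on FER for EventChannel/EventID is worth keeping next to the logsources block so that dependency stays visible.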
From: Roberto Rodriguez Date: Tue, 11 Dec 2018 09:27:26 +0300 Subject: [PATCH 40/99] Field-Index Mapping File & SIGMA Rules Field names fix + Updated HELK field-index mapping file + After going through all the fields with 'fieldlist' output, I found a few rules that fixed. --- .../builtin/win_powershell_b64_shellcode.yml | 4 ++-- .../builtin/win_susp_powershell_enc_cmd.yml | 2 +- tools/config/helk.yml | 19 +++++++++++-------- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/rules/windows/builtin/win_powershell_b64_shellcode.yml b/rules/windows/builtin/win_powershell_b64_shellcode.yml index 898c73b59..7ccb1bffe 100644 --- a/rules/windows/builtin/win_powershell_b64_shellcode.yml +++ b/rules/windows/builtin/win_powershell_b64_shellcode.yml @@ -23,9 +23,9 @@ logsource: detection: selection1: EventID: 4688 - ProcesssCommandLine: '*AAAAYInlM*' + ProcessCommandLine: '*AAAAYInlM*' selection2: - ProcesssCommandLine: + ProcessCommandLine: - '*OiCAAAAYInlM*' - '*OiJAAAAYInlM*' --- diff --git a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml index 1e54ec971..1a6b9d7f0 100644 --- a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml @@ -16,7 +16,7 @@ detection: - '* -encodedcommand JAB*' # Google Rapid Response falsepositive1: - ImagePath: '*\GRR\*' + Image: '*\GRR\*' # PowerSponse deployments falsepositive2: CommandLine: '* -ExecutionPolicy remotesigned *' diff --git a/tools/config/helk.yml b/tools/config/helk.yml index 3d66e8c84..60423a454 100644 --- a/tools/config/helk.yml +++ b/tools/config/helk.yml 
@@ -30,13 +30,12 @@ logsources: defaultindex: logs-* fieldmappings: AccessMask: object_access_mask_requested - AccountName: - EventID=7045: service_account_name - EventID=4624: user_name + AccountName: user_name AllowedToDelegateTo: user_attribute_allowed_todelegate AttributeLDAPDisplayName: dsobject_attribute_name AuditPolicyChanges: policy_changes AuthenticationPackageName: logon_authentication_package + CallingProcessName: process_path CallTrace: process_call_trace CommandLine: process_command_line Company: file_company @@ -49,7 +48,7 @@ fieldmappings: EventID=20: wmi_consumer_destination DestinationHostname: dst_host_name DestinationIp: dst_ip - DestinationIsIpv6: dst_isipv6 + DestinationIsIpv6: dst_is_ipv6 DestinationPort: dst_port DestinationPortName: dst_port_name Details: @@ -63,6 +62,7 @@ fieldmappings: Filter: EventID=21: wmi_filter_path FailureCode: ticket_failure_code + FileName: file_name FileVersion: file_version GrantedAccess: process_granted_access GroupName: group_name @@ -96,6 +96,8 @@ fieldmappings: EventID=21: wmi_operation OperationType: object_operation_type ParentImage: process_parent_path + PasswordLastSet: user_attribute_password_lastset + Path: process_path ParentCommandLine: process_parent_command_line PipeName: pipe_name ProcessName: process_path 
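Review bot: collapsing `AccountName` from the per-EventID form to a single `user_name` changes the mapping for 7045 service-installation events, which the removed lines mapped to `service_account_name`; unless HELK now indexes that event's AccountName into `user_name` as well, rules keyed on 7045 will query the wrong field. If the change is intentional, a comment such as `# 7045 AccountName is also indexed as user_name` on that line would stop the next reader from restoring the conditional form.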
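Review bot: in the `@@ -96` hunk `PasswordLastSet` and `Path` are inserted between `ParentImage` and `ParentCommandLine`, which breaks the alphabetical order the rest of `fieldmappings` follows (the `Parent*` pair was already swapped, but the new keys make the run harder to scan for duplicates, which YAML loaders resolve silently last-wins). Moving the two new keys after `ParentCommandLine` and swapping the `Parent*` pair keeps the block sorted.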
@@ -129,19 +131,20 @@ fieldmappings: EventID=16: sysmon_configuration_state SubjectUserName: EventID=4624: user_reporter_name + EventId=4648: user_name EventID=5140: user_name TargetFilename: file_name TargetImage: target_process_path + TargetProcessAddress: thread_start_address TargetObject: registry_key_path - TargetImage: target_process_path TaskName: task_name TicketEncryptionType: ticket_encryption_type TicketOptions: ticket_options Type: EventID=20: wmi_consumer_type - User: user + User: user_account UserName: user_name Version: EventID=4: sysmon_version - Workstation: source_host_name - WorkstationName: source_host_name \ No newline at end of file + Workstation: src_host_name + WorkstationName: src_host_name \ No newline at end of file From b5d78835b6f37ba1a74f996bd34e47706ed8bf41 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 11 Dec 2018 13:37:39 +0100 Subject: [PATCH 41/99] Removed overlapping rule with sysmon_office_shell.yml --- .../sysmon/sysmon_office_macro_cmd.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/windows/sysmon/sysmon_office_macro_cmd.yml diff --git a/rules/windows/sysmon/sysmon_office_macro_cmd.yml b/rules/windows/sysmon/sysmon_office_macro_cmd.yml deleted file mode 100644 index ad9f87e4a..000000000 --- a/rules/windows/sysmon/sysmon_office_macro_cmd.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Office Macro Starts Cmd -status: experimental -description: Detects a Windows command line executable started from Microsoft Word or Excel -references: - - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 -author: Florian Roth -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: - - '*\WINWORD.EXE' - - '*\EXCEL.EXE' - Image: '*\cmd.exe' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - unknown -level: high - 
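Review bot: the added `EventId=4648: user_name` under `SubjectUserName` spells the condition key as `EventId`, while every other conditional mapping in the file uses `EventID` (see the `EventID=4624` and `EventID=5140` lines around it); if the config loader compares the condition against the rule's field name literally, this entry never applies to 4648 rules and the field falls through unmapped. Change it to `EventID=4648: user_name`.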
From b0cb0abc01953c2c4879faf2a2a696294d2dbacb Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 11 Dec 2018 16:10:15 +0100 Subject: [PATCH 42/99] Bugfix: wrong field for 4688 process creation events --- rules/apt/apt_equationgroup_dll_u_load.yml | 14 ++-- rules/apt/apt_hurricane_panda.yml | 11 +-- rules/apt/apt_sofacy.yml | 14 ++-- rules/apt/apt_sofacy_zebrocy.yml | 2 +- rules/apt/apt_tropictrooper.yml | 3 +- rules/apt/apt_unidentified_nov_18.yml | 3 +- .../builtin/win_multiple_suspicious_cli.yml | 67 +++++++++++++---- rules/windows/builtin/win_psexesvc_start.yml | 3 +- rules/windows/builtin/win_susp_cli_escape.yml | 32 ++++++--- .../win_susp_commands_recon_activity.yml | 42 +++++++---- .../builtin/win_susp_iss_module_install.yml | 8 ++- .../builtin/win_susp_msiexec_web_install.yml | 8 ++- .../builtin/win_susp_process_creations.yml | 71 ++++++++++++++++--- .../builtin/win_susp_sysprep_appdata.yml | 11 +-- .../builtin/win_susp_sysvol_access.yml | 5 +- rules/windows/malware/win_mal_adwind.yml | 3 +- .../sysmon/sysmon_susp_certutil_command.yml | 52 ++++++++++---- .../sysmon/sysmon_susp_tscon_rdp_redirect.yml | 7 +- 18 files changed, 259 insertions(+), 97 deletions(-) diff --git a/rules/apt/apt_equationgroup_dll_u_load.yml b/rules/apt/apt_equationgroup_dll_u_load.yml index 9b77094b1..d38d963ca 100755 --- a/rules/apt/apt_equationgroup_dll_u_load.yml +++ b/rules/apt/apt_equationgroup_dll_u_load.yml @@ -12,12 +12,8 @@ tags: - attack.t1059 author: Florian Roth date: 2018/03/10 +modified: 2018/12/11 detection: - selection1: - Image: '*\rundll32.exe' - CommandLine: '*,dll_u' - selection2: - CommandLine: '* -export dll_u *' condition: 1 of them falsepositives: - Unknown @@ -29,8 +25,11 @@ logsource: detection: selection1: EventID: 1 + Image: '*\rundll32.exe' + CommandLine: '*,dll_u' selection2: EventID: 1 + CommandLine: '* -export dll_u *' --- logsource: product: windows 
@@ -39,5 +38,8 @@ logsource: detection: selection1: EventID: 4688 + Image: '*\rundll32.exe' + ProcessCommandLine: '*,dll_u' selection2: - EventID: 4688 \ No newline at end of file + EventID: 4688 + ProcessCommandLine: '* -export dll_u *' \ No newline at end of file diff --git a/rules/apt/apt_hurricane_panda.yml b/rules/apt/apt_hurricane_panda.yml index 75064bcf3..369f6f7c7 100755 --- a/rules/apt/apt_hurricane_panda.yml +++ b/rules/apt/apt_hurricane_panda.yml @@ -11,11 +11,8 @@ tags: - attack.t1068 author: Florian Roth date: 2018/02/25 +modified: 2018/12/11 detection: - selection: - CommandLine: - - '* localgroup administrators admin /add' - - '*\Win64.exe*' condition: selection falsepositives: - Unknown @@ -27,6 +24,9 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - '* localgroup administrators admin /add' + - '*\Win64.exe*' --- logsource: product: windows @@ -35,5 +35,8 @@ logsource: detection: selection: EventID: 4688 + ProcessCommandLine: + - '* localgroup administrators admin /add' + - '*\Win64.exe*' diff --git a/rules/apt/apt_sofacy.yml b/rules/apt/apt_sofacy.yml index 9e3e66daa..443b7ae65 100755 --- a/rules/apt/apt_sofacy.yml +++ b/rules/apt/apt_sofacy.yml @@ -1,4 +1,3 @@ - --- action: global title: Sofacy Trojan Loader Activity @@ -12,11 +11,8 @@ tags: - attack.g0007 author: Florian Roth date: 2018/03/01 +modified: 2018/12/11 detection: - selection: - CommandLine: - - 'rundll32.exe %APPDATA%\*.dat",*' - - 'rundll32.exe %APPDATA%\*.dll",#1' condition: selection falsepositives: - Unknown @@ -28,6 +24,9 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - 'rundll32.exe %APPDATA%\*.dat",*' + - 'rundll32.exe %APPDATA%\*.dll",#1' --- logsource: product: windows 
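Review bot: the 4688 document at the end of the hunk keeps `Image: '*\rundll32.exe'` next to the renamed `ProcessCommandLine`, but `Image` is the Sysmon field name; in the Security-log 4688 event the executable path is carried in `NewProcessName`, so selection1 in that document would not match unless a backend config happens to map `Image` for this log source. Use `NewProcessName: '*\rundll32.exe'` in the security-log section, mirroring what the commit does for the command-line field. The file's global section with `condition: 1 of them` starts outside this hunk.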
@@ -35,4 +34,7 @@ logsource: definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: - EventID: 4688 \ No newline at end of file + EventID: 4688 + ProcessCommandLine: + - 'rundll32.exe %APPDATA%\*.dat",*' + - 'rundll32.exe %APPDATA%\*.dll",#1' \ No newline at end of file diff --git a/rules/apt/apt_sofacy_zebrocy.yml b/rules/apt/apt_sofacy_zebrocy.yml index 24ccd52bd..195ef6f06 100644 --- a/rules/apt/apt_sofacy_zebrocy.yml +++ b/rules/apt/apt_sofacy_zebrocy.yml @@ -9,7 +9,7 @@ tags: - attack.g0020 - attack.t1059 author: Florian Roth -date: 2018/03/10 +date: 2018/03/10 detection: condition: selection falsepositives: diff --git a/rules/apt/apt_tropictrooper.yml b/rules/apt/apt_tropictrooper.yml index 6fc3cab83..0fc2d0e8d 100644 --- a/rules/apt/apt_tropictrooper.yml +++ b/rules/apt/apt_tropictrooper.yml @@ -6,6 +6,7 @@ references: - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ author: "@41thexplorer, Windows Defender ATP" date: 2018/11/30 +modified: 2018/12/11 tags: - attack.execution - attack.t1085 @@ -21,7 +22,7 @@ logsource: detection: selection: EventID: 4688 - CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*' + ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*' --- # Sysmon: Process Creation (ID 1) logsource: diff --git a/rules/apt/apt_unidentified_nov_18.yml b/rules/apt/apt_unidentified_nov_18.yml index aab42be66..b870d498f 100644 --- a/rules/apt/apt_unidentified_nov_18.yml +++ b/rules/apt/apt_unidentified_nov_18.yml @@ -6,6 +6,7 @@ references: - https://twitter.com/DrunkBinary/status/1063075530180886529 author: "@41thexplorer, Windows Defender ATP" date: 2018/11/20 +modified: 2018/12/11 tags: - attack.execution - attack.t1085 
@@ -21,7 +22,7 @@ logsource: detection: selection: EventID: 4688 - CommandLine: '*cyzfc.dat, PointFunctionCall' + ProcessCommandLine: '*cyzfc.dat, PointFunctionCall' --- # Sysmon: Process Creation (ID 1) logsource: diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml index 389856b03..3065dad27 100644 --- a/rules/windows/builtin/win_multiple_suspicious_cli.yml +++ b/rules/windows/builtin/win_multiple_suspicious_cli.yml @@ -5,9 +5,20 @@ status: experimental references: - https://car.mitre.org/wiki/CAR-2013-04-002 author: juju4 +modified: 2012/12/11 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: low +--- +# Windows Audit Log +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: - CommandLine: + EventID: 4688 + ProcessCommandLine: - arp.exe - at.exe - attrib.exe @@ -49,18 +60,6 @@ detection: - diskpart.exe timeframe: 5m condition: selection | count() by MachineName > 5 -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: low ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 --- # Sysmon logsource: 
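Review bot: `modified: 2012/12/11` in the global section of win_multiple_suspicious_cli.yml is out of line with the `modified: 2018/12/11` this commit writes into the other rules and with the commit date itself, so it looks like a typo for `2018/12/11`. The same value appears in this commit's hunks for win_psexesvc_start.yml, win_susp_iss_module_install.yml, win_susp_msiexec_web_install.yml and win_susp_process_creations.yml.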
@@ -69,3 +68,45 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - arp.exe + - at.exe + - attrib.exe + - cscript.exe + - dsquery.exe + - hostname.exe + - ipconfig.exe + - mimikatz.exe + - nbstat.exe + - net.exe + - netsh.exe + - nslookup.exe + - ping.exe + - quser.exe + - qwinsta.exe + - reg.exe + - runas.exe + - sc.exe + - schtasks.exe + - ssh.exe + - systeminfo.exe + - taskkill.exe + - telnet.exe + - tracert.exe + - wscript.exe + - xcopy.exe +# others + - pscp.exe + - copy.exe + - robocopy.exe + - certutil.exe + - vssadmin.exe + - powershell.exe + - wevtutil.exe + - psexec.exe + - bcedit.exe + - wbadmin.exe + - icacls.exe + - diskpart.exe + timeframe: 5m + condition: selection | count() by MachineName > 5 \ No newline at end of file diff --git a/rules/windows/builtin/win_psexesvc_start.yml b/rules/windows/builtin/win_psexesvc_start.yml index b076f7c94..08e517099 100644 --- a/rules/windows/builtin/win_psexesvc_start.yml +++ b/rules/windows/builtin/win_psexesvc_start.yml @@ -2,6 +2,7 @@ title: PsExec Service Start description: Detects a PsExec service start author: Florian Roth date: 2018/03/13 +modified: 2012/12/11 tags: - attack.execution - attack.t1035 @@ -13,7 +14,7 @@ logsource: detection: selection: EventID: 4688 - CommandLine: 'C:\Windows\PSEXESVC.exe' + ProcessCommandLine: 'C:\Windows\PSEXESVC.exe' condition: 1 of them falsepositives: - Administrative activity diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml index 9040d82c1..47b6ad7c0 100644 --- a/rules/windows/builtin/win_susp_cli_escape.yml +++ b/rules/windows/builtin/win_susp_cli_escape.yml 
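Review bot: the Sysmon list added in this hunk contains `nbstat.exe` and `bcedit.exe`, which are not the names of the Windows binaries (`nbtstat.exe` and `bcdedit.exe`), so those two entries never match; correct them as `- nbtstat.exe` and `- bcdedit.exe` in both copies of the list. The list is now duplicated verbatim between the 4688 and Sysmon documents, so every future edit has to be made twice; the split is forced by the differing field names, but a comment pointing at the twin copy would reduce drift. `count() by MachineName` in the Sysmon document also presumes Sysmon events expose a `MachineName` field, which depends on the backend's field mapping and is worth confirming.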
@@ -9,21 +9,11 @@ references: - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ author: juju4 +modified: 2018/12/11 tags: - attack.defense_evasion - attack.t1140 detection: - selection: - CommandLine: - #- '^' - #- '@' -# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form? - # - '-' - # - '―' - #- 'c:/' - - '' - - '^h^t^t^p' - - 'h"t"t"p' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment @@ -37,6 +27,16 @@ logsource: detection: selection: EventID: 4688 + ProcessCommandLine: + #- '^' + #- '@' +# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form? + # - '-' + # - '―' + #- 'c:/' + - '' + - '^h^t^t^p' + - 'h"t"t"p' --- # Sysmon logsource: @@ -45,3 +45,13 @@ logsource: detection: selection: EventID: 1 + CommandLine: + #- '^' + #- '@' +# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form? + # - '-' + # - '―' + #- 'c:/' + - '' + - '^h^t^t^p' + - 'h"t"t"p' \ No newline at end of file diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml index e20cb86a4..c1710d867 100644 --- a/rules/windows/builtin/win_susp_commands_recon_activity.yml +++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml 
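Review bot: both lists added in this file contain a bare `- ''` entry between the commented-out candidates and `'^h^t^t^p'`; an empty string in an OR-ed Sigma value list is, depending on the backend, either dropped or emitted as `ProcessCommandLine=""`/`CommandLine=""`, and in some backends can widen the match to every event. It reads as a leftover placeholder from the commented-out items and should be removed from both documents. The column-0 FIXME comment about matching the hex forms is now duplicated as well; one note in the global section would be easier to keep in sync.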
@@ -9,12 +9,24 @@ references: - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html author: Florian Roth, Markus Neis date: 2018/08/22 +modified: 2018/12/11 tags: - attack.discovery - attack.t1073 - attack.t1012 +detection: + timeframe: 15s + condition: selection | count() by CommandLine > 4 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium +--- +logsource: + product: windows + service: sysmon detection: selection: + EventID: 1 CommandLine: - 'tasklist' - 'net time' @@ -33,18 +45,6 @@ detection: - '*\net1 accounts /domain' - '*\net1 user net localgroup administrators' - 'netstat -an' - timeframe: 15s - condition: selection | count() by CommandLine > 4 -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 --- logsource: product: windows @@ -53,3 +53,21 @@ logsource: detection: selection: EventID: 4688 + ProcessCommandLine: + - 'tasklist' + - 'net time' + - 'systeminfo' + - 'whoami' + - 'nbtstat' + - 'net start' + - '*\net1 start' + - 'qprocess' + - 'nslookup' + - 'hostname.exe' + - '*\net1 user /domain' + - '*\net1 group /domain' + - '*\net1 group "domain admins" /domain' + - '*\net1 group "Exchange Trusted Subsystem" /domain' + - '*\net1 accounts /domain' + - '*\net1 user net localgroup administrators' + - 'netstat -an' diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/builtin/win_susp_iss_module_install.yml index 376935e36..061265531 100644 --- a/rules/windows/builtin/win_susp_iss_module_install.yml +++ b/rules/windows/builtin/win_susp_iss_module_install.yml 
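Review bot: the global section in the first hunk now carries `condition: selection | count() by CommandLine > 4` and applies to both documents, but the security-log document added in the last hunk matches on `ProcessCommandLine`, and a 4688 event has no `CommandLine` field, so that document aggregates over a field that is absent or silently unmapped. Move `timeframe` and `condition` into each document and write `condition: selection | count() by ProcessCommandLine > 4` for the 4688 one. The same mismatch affects the global `fields:` list of sysmon_susp_certutil_command.yml in this commit, which names `CommandLine` and `ParentCommandLine` for a rule that now also has a 4688 document.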
@@ -6,13 +6,11 @@ status: experimental references: - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ author: Florian Roth +modified: 2012/12/11 tags: - attack.persistence - attack.t1100 detection: - selection: - CommandLine: - - '*\APPCMD.EXE install module /name:*' condition: selection falsepositives: - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules @@ -24,6 +22,8 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - '*\APPCMD.EXE install module /name:*' --- logsource: product: windows @@ -32,3 +32,5 @@ logsource: detection: selection: EventID: 4688 + ProcessCommandLine: + - '*\APPCMD.EXE install module /name:*' diff --git a/rules/windows/builtin/win_susp_msiexec_web_install.yml b/rules/windows/builtin/win_susp_msiexec_web_install.yml index 8efe51e7e..3fd59bd01 100644 --- a/rules/windows/builtin/win_susp_msiexec_web_install.yml +++ b/rules/windows/builtin/win_susp_msiexec_web_install.yml @@ -7,10 +7,8 @@ references: - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ author: Florian Roth date: 2018/02/09 +modified: 2012/12/11 detection: - selection: - CommandLine: - - '* msiexec*:\/\/*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment @@ -22,6 +20,8 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - '* msiexec*:\/\/*' --- logsource: product: windows @@ -30,3 +30,5 @@ logsource: detection: selection: EventID: 4688 + ProcessCommandLine: + - '* msiexec*:\/\/*' diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml index 1be8c84f3..10512e5ca 100644 --- a/rules/windows/builtin/win_susp_process_creations.yml +++ b/rules/windows/builtin/win_susp_process_creations.yml 
@@ -15,8 +15,19 @@ references: - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat - https://twitter.com/vector_sec/status/896049052642533376 author: Florian Roth +modified: 2012/12/11 +detection: + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium +--- +logsource: + product: windows + service: sysmon detection: selection: + EventID: 1 CommandLine: # Hacking activity - 'vssadmin.exe delete shadows*' @@ -66,17 +77,6 @@ detection: - '*AddInProcess*' # NotPowershell (nps) attack # - '*msbuild*' # too many false positives - condition: selection -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 --- logsource: product: windows 
@@ -85,3 +85,52 @@ logsource: detection: selection: EventID: 4688 + ProcessCommandLine: + # Hacking activity + - 'vssadmin.exe delete shadows*' + - 'vssadmin delete shadows*' + - 'vssadmin create shadow /for=C:*' + - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*' + - 'copy \\?\GLOBALROOT\Device\*\config\SAM*' + - 'reg SAVE HKLM\SYSTEM *' + - '* sekurlsa:*' + - 'net localgroup adminstrators * /add' + - 'net group "Domain Admins" * /ADD /DOMAIN' + - 'certutil.exe *-urlcache* http*' + - 'certutil.exe *-urlcache* ftp*' + # Malware + - 'netsh advfirewall firewall *\AppData\*' + - 'attrib +S +H +R *\AppData\*' + - 'schtasks* /create *\AppData\*' + - 'schtasks* /sc minute*' + - '*\Regasm.exe *\AppData\*' + - '*\Regasm *\AppData\*' + - '*\bitsadmin* /transfer*' + - '*\certutil.exe * -decode *' + - '*\certutil.exe * -decodehex *' + - '*\certutil.exe -ping *' + - 'icacls * /grant Everyone:F /T /C /Q' + - '* wmic shadowcopy delete *' + - '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html + # Scripts + - '*\wscript.exe *.jse' + - '*\wscript.exe *.js' + - '*\wscript.exe *.vba' + - '*\wscript.exe *.vbe' + - '*\cscript.exe *.jse' + - '*\cscript.exe *.js' + - '*\cscript.exe *.vba' + - '*\cscript.exe *.vbe' + # UAC bypass + - '*\fodhelper.exe' + # persistence + - '*waitfor*/s*' + - '*waitfor*/si persist*' + # remote + - '*remote*/s*' + - '*remote*/c*' + - '*remote*/q*' + # AddInProcess + - '*AddInProcess*' + # NotPowershell (nps) attack + # - '*msbuild*' # too many false positives \ No newline at end of file diff --git a/rules/windows/builtin/win_susp_sysprep_appdata.yml b/rules/windows/builtin/win_susp_sysprep_appdata.yml index 051c8605b..236c690b6 100644 --- a/rules/windows/builtin/win_susp_sysprep_appdata.yml +++ b/rules/windows/builtin/win_susp_sysprep_appdata.yml 
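Review bot: the 4688 list copied in this hunk includes `'net localgroup adminstrators * /add'`, where the group name is misspelled; unless the misspelling is deliberate, the entry will not match the real `net localgroup administrators ... /add` command line, and the same text presumably sits in the Sysmon copy outside this hunk. Fix both as `- 'net localgroup administrators * /add'`. As with the other rules in this commit, a comment cross-referencing the twin list would help keep the two copies from drifting apart.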
@@ -8,11 +8,8 @@ references: - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b author: Florian Roth date: 2018/06/22 +modified: 2018/12/11 detection: - selection: - CommandLine: - - '*\sysprep.exe *\AppData\*' - - 'sysprep.exe *\AppData\*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment @@ -24,6 +21,9 @@ logsource: detection: selection: EventID: 1 + CommandLine: + - '*\sysprep.exe *\AppData\*' + - 'sysprep.exe *\AppData\*' --- logsource: product: windows @@ -32,3 +32,6 @@ logsource: detection: selection: EventID: 4688 + ProcessCommandLine: + - '*\sysprep.exe *\AppData\*' + - 'sysprep.exe *\AppData\*' diff --git a/rules/windows/builtin/win_susp_sysvol_access.yml b/rules/windows/builtin/win_susp_sysvol_access.yml index c413497a8..f79a58cd3 100644 --- a/rules/windows/builtin/win_susp_sysvol_access.yml +++ b/rules/windows/builtin/win_susp_sysvol_access.yml @@ -8,12 +8,11 @@ references: - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 author: Markus Neis date: 2018/04/09 +modified: 2018/12/11 tags: - attack.credential_access - attack.t1003 detection: - selection: - CommandLine: '*\SYSVOL\*\policies\*' condition: selection falsepositives: - administrative activity @@ -25,6 +24,7 @@ logsource: detection: selection: EventID: 1 + CommandLine: '*\SYSVOL\*\policies\*' --- logsource: product: windows @@ -33,3 +33,4 @@ logsource: detection: selection: EventID: 4688 + ProcessCommandLine: '*\SYSVOL\*\policies\*' diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/malware/win_mal_adwind.yml index 07e8269e7..e75b3094b 100644 --- a/rules/windows/malware/win_mal_adwind.yml +++ b/rules/windows/malware/win_mal_adwind.yml 
@@ -8,6 +8,7 @@ references: - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth, Tom Ueltschi date: 2017/11/10 +modified: 2018/12/11 detection: condition: selection level: high @@ -20,7 +21,7 @@ logsource: detection: selection: EventID: 4688 - CommandLine: + ProcessCommandLine: - '*\AppData\Roaming\Oracle*\java*.exe *' - '*cscript.exe *Retrive*.vbs *' --- diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml index d6919fb13..b6cdcfab4 100644 --- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml +++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml @@ -1,13 +1,30 @@ +--- +action: global title: Suspicious Certutil Command status: experimental description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility author: Florian Roth, juju4 +modified: 2018/12/11 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - https://twitter.com/subTee/status/888102593838362624 - https://twitter.com/subTee/status/888071631528235010 - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ +detection: + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.defense_evasion + - attack.t1140 + - attack.s0189 + - attack.g0007 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: high +--- logsource: product: windows service: sysmon 
@@ -27,17 +44,24 @@ detection: - '*certutil.exe *-urlcache* ftp*' - '*certutil.exe *-URL*' - '*certutil.exe *-ping*' - condition: selection -fields: - - CommandLine - - ParentCommandLine -tags: - - attack.defense_evasion - - attack.t1140 - - attack.s0189 - - attack.g0007 -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: high - - +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: + - '*certutil * -decode *' + - '*certutil * -decodehex *' + - '*certutil *-urlcache* http*' + - '*certutil *-urlcache* ftp*' + - '*certutil *-URL*' + - '*certutil *-ping*' + - '*certutil.exe * -decode *' + - '*certutil.exe * -decodehex *' + - '*certutil.exe *-urlcache* http*' + - '*certutil.exe *-urlcache* ftp*' + - '*certutil.exe *-URL*' + - '*certutil.exe *-ping*' diff --git a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml b/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml index eb5fde7bc..6daa48766 100644 --- a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml +++ b/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml @@ -8,9 +8,8 @@ reference: - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth date: 2018/03/17 +modified: 2018/12/11 detection: - selection: - CommandLine: '* /dest:rdp-tcp:*' condition: selection falsepositives: - Unknown @@ -22,6 +21,7 @@ logsource: detection: selection: EventID: 1 + CommandLine: '* /dest:rdp-tcp:*' --- logsource: product: windows 
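Review bot: the file still lives under `rules/windows/sysmon/` with a `sysmon_` prefix although the new Security-log (4688) document makes it a multi-source rule; the other multi-source rules touched by this commit sit under `rules/windows/builtin/`, and moving this one there keeps the tree consistent. The twelve `ProcessCommandLine` patterns are an exact copy of the Sysmon list, so a comment such as `# keep in sync with the Sysmon CommandLine list above` on the `ProcessCommandLine:` line would help maintainers.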
@@ -29,4 +29,5 @@ logsource: definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: - EventID: 4688 \ No newline at end of file + EventID: 4688 + ProcessCommandLine: '* /dest:rdp-tcp:*' \ No newline at end of file From 49eb03cda8e6589c628e166588bc8fc1f6b2f88d Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 12 Dec 2018 08:18:43 +0100 Subject: [PATCH 43/99] Rule: MavInject process injection --- .../builtin/win_mavinject_proc_inj.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/builtin/win_mavinject_proc_inj.yml diff --git a/rules/windows/builtin/win_mavinject_proc_inj.yml b/rules/windows/builtin/win_mavinject_proc_inj.yml new file mode 100644 index 000000000..29ced40ec --- /dev/null +++ b/rules/windows/builtin/win_mavinject_proc_inj.yml @@ -0,0 +1,34 @@ +--- +action: global +title: MavInject Process Injection +status: experimental +description: Detects process injection using the signed Windows tool Mavinject32.exe +references: + - https://twitter.com/gN3mes1s/status/941315826107510784 +author: Florian Roth +date: 2018/12/12 +tags: + - attack.process_injection + - attack.t1055 +detection: + condition: selection +falsepositives: + - unknown +level: critical +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: '* /INJECTRUNNING *' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: '* /INJECTRUNNING *' From 188d3a83b84028e9ca021f89bb558643ec7d76e4 Mon Sep 17 00:00:00 2001 
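Review bot: `falsepositives: - unknown` under-documents a `level: critical` rule: mavinject.exe is Microsoft's App-V injector, so hosts running the Application Virtualization client execute it with `/INJECTRUNNING` legitimately, and that is the benign source to list, e.g. `- App-V client hosts (Microsoft Application Virtualization)`. Keying only on the command line rather than the image is reasonable because renamed copies are still caught. The same string appears in both the sysmon and the security section, so a `# keep in sync` comment on each would help maintainers.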
From: Florian Roth Date: Wed, 12 Dec 2018 08:37:00 +0100 Subject: [PATCH 44/99] Rule: docs: reference update in MavInject rule --- rules/windows/builtin/win_mavinject_proc_inj.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/builtin/win_mavinject_proc_inj.yml b/rules/windows/builtin/win_mavinject_proc_inj.yml index 29ced40ec..00b16dbbc 100644 --- a/rules/windows/builtin/win_mavinject_proc_inj.yml +++ b/rules/windows/builtin/win_mavinject_proc_inj.yml @@ -5,6 +5,8 @@ status: experimental description: Detects process injection using the signed Windows tool Mavinject32.exe references: - https://twitter.com/gN3mes1s/status/941315826107510784 + - https://reaqta.com/2017/12/mavinject-microsoft-injector/ + - https://twitter.com/Hexacorn/status/776122138063409152 author: Florian Roth date: 2018/12/12 tags: From 172236e1304e4b26bdbe713d499d61beb2c8428e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 12 Dec 2018 09:17:58 +0100 Subject: [PATCH 45/99] Rule: updated ATT&CK tags in MavInject rule --- rules/windows/builtin/win_mavinject_proc_inj.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/builtin/win_mavinject_proc_inj.yml b/rules/windows/builtin/win_mavinject_proc_inj.yml index 00b16dbbc..4b2757140 100644 --- a/rules/windows/builtin/win_mavinject_proc_inj.yml +++ b/rules/windows/builtin/win_mavinject_proc_inj.yml @@ -12,6 +12,8 @@ date: 2018/12/12 tags: - attack.process_injection - attack.t1055 + - attack.signed_binary_proxy_execution + - attack.t1218 detection: condition: selection falsepositives: From 99f773dcf609867df281381c1bdd7d1de3336716 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 17 Dec 2018 10:02:55 +0100 Subject: [PATCH 46/99] Rule: false positive reduction in rule --- .../sysmon/sysmon_susp_prog_location_network_connection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml index 741083516..c97aad22d 100644 --- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml @@ -13,7 +13,7 @@ detection: selection: EventID: 3 Image: - - '*\ProgramData\*' + # - '*\ProgramData\*' # too many false positives, e.g. with Webex for Windows - '*\$Recycle.bin' - '*\Users\All Users\*' - '*\Users\Default\*' From a7fa20546afda96923e79a09cbdb3f094a9a7535 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 17 Dec 2018 14:18:03 +0100 Subject: [PATCH 47/99] Rule: proxy user agents updated with MacControl user agent --- rules/proxy/proxy_ua_malware.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml index 82b8fa1a2..93a5d8268 100644 --- a/rules/proxy/proxy_ua_malware.yml +++ b/rules/proxy/proxy_ua_malware.yml @@ -49,6 +49,7 @@ detection: - '*(Charon; Inferno)' # Loki Bot - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://goo.gl/g43qjs + - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again # Others - '* pxyscand*' From ffd43823cf4a7417883c5a489738e5e2bc99c011 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 19 Dec 2018 00:33:12 +0100 Subject: [PATCH 48/99] Fixed wildcard issue in es-qs backend and depending See GitHub issue #194. Fix for es-dsl is pending. --- tools/sigma/backends/base.py | 22 ++++++++---- tools/sigma/backends/elasticsearch.py | 50 +++++++++++++++++++++++---- 2 files changed, 60 insertions(+), 12 deletions(-) diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index 4b6a5e1ef..2b6cab3cb 100644 
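Review bot: Commenting out `'*\ProgramData\*'` removes the whole location from the rule, while the stated problem is a single product; the narrower fix is to keep the pattern and add a filter selection for that product's install path (`filter: Image: '*\ProgramData\<vendor path placeholder>\*'`, with the condition becoming `selection and not filter`). The rule's condition is outside this hunk, so that change would need to be checked against it. If the blanket exclusion is kept, the inline comment should state that the location is deliberately excluded, since a commented-out list entry reads as temporarily disabled.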
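Review bot: The distinguishing feature of the new MacControl user-agent entry is the missing space between `Mozilla/4.0` and `(compatible;`, which a later editor may "fix" and silently break the match; the inline comment should call it out, e.g. `# MacControl malware (note: no space before "(compatible")` followed by the existing URLs.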
--- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py @@ -166,7 +166,7 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): valueExpression = None # Expression of values, %s represents value nullExpression = None # Expression of queries for null values or non-existing fields. %s is field name notNullExpression = None # Expression of queries for not null values. %s is field name - mapExpression = None # Syntax for field/value conditions. First %s is key, second is value + mapExpression = None # Syntax for field/value conditions. First %s is fieldname, second is value mapListsSpecialHandling = False # Same handling for map items with list values as for normal values (strings, integers) if True, generateMapItemListNode method is called with node mapListValueExpression = None # Syntax for field/value condititons where map value is a list 
@@ -206,16 +206,18 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): return self.listExpression % (self.listSeparator.join([self.generateNode(value) for value in node])) def generateMapItemNode(self, node): - key, value = node + fieldname, value = node + + transformed_fieldname = self.fieldNameMapping(fieldname, value) if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): - return self.mapExpression % (key, self.generateNode(value)) + return self.mapExpression % (transformed_fieldname, self.generateNode(value)) elif type(value) == list: - return self.generateMapItemListNode(key, value) + return self.generateMapItemListNode(transformed_fieldname, value) else: raise TypeError("Backend does not support map values of type " + str(type(value))) - def generateMapItemListNode(self, key, value): - return self.mapListValueExpression % (key, self.generateNode(value)) + def generateMapItemListNode(self, fieldname, value): + return self.mapListValueExpression % (fieldname, self.generateNode(value)) def generateValueNode(self, node): return self.valueExpression % (self.cleanValue(str(node))) @@ -225,3 +227,11 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin): def generateNotNULLValueNode(self, node): return self.notNullExpression % (node.item) + + def fieldNameMapping(self, fieldname, value): + """ + Alter field names depending on the value(s). Backends may use this method to perform a final transformation of the field name + in addition to the field mapping defined in the conversion configuration. The field name passed to this method was already + transformed from the original name given in the Sigma rule. + """ + return fieldname diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 65319550b..9182a3bbc 100644 --- a/tools/sigma/backends/elasticsearch.py 
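Review bot: The new `fieldNameMapping` hook receives `value` before `generateMapItemNode` has checked its type, so backends overriding it must cope with `str`, `int` and `list` values (and with an unsupported type, since the `TypeError` branch runs afterwards); the docstring should say so, e.g. add `value may be a scalar (str/int) or a list of such values and is passed unmodified.` Calling the hook before the type dispatch also means a subclass can raise on a value the base class would have rejected with its own message, which is harmless but worth a line in the same docstring.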
+++ b/tools/sigma/backends/elasticsearch.py @@ -26,8 +26,12 @@ class ElasticsearchQuerystringBackend(SingleTextQueryBackend): """Converts Sigma rule into Elasticsearch query string. Only searches, no aggregations.""" identifier = "es-qs" active = True + options = SingleTextQueryBackend.options + ( + ("keyword_field", "keyword", "Keyword sub-field name", None), + ("keyword_blacklist", None, "Fields that don't have a keyword subfield", None) + ) - reEscape = re.compile("([+\\-=!(){}\\[\\]^\"~:/]|\\\\(?![*?])|\\\\u|&&|\\|\\|)") + reEscape = re.compile("([\s+\\-=!(){}\\[\\]^\"~:/]|\\\\(?![*?])|\\\\u|&&|\\|\\|)") reClear = re.compile("[<>]") andToken = " AND " orToken = " OR " @@ -35,18 +39,52 @@ class ElasticsearchQuerystringBackend(SingleTextQueryBackend): subExpression = "(%s)" listExpression = "(%s)" listSeparator = " " - valueExpression = "\"%s\"" + valueExpression = "%s" nullExpression = "NOT _exists_:%s" notNullExpression = "_exists_:%s" mapExpression = "%s:%s" mapListsSpecialHandling = False + reContainsWildcard = re.compile("(? Date: Wed, 19 Dec 2018 09:31:13 +0100 Subject: [PATCH 49/99] Rule: Hacktool Rubeus --- rules/windows/builtin/win_hack_rubeus.yml | 52 +++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 rules/windows/builtin/win_hack_rubeus.yml diff --git a/rules/windows/builtin/win_hack_rubeus.yml b/rules/windows/builtin/win_hack_rubeus.yml new file mode 100644 index 000000000..daeeace07 --- /dev/null +++ b/rules/windows/builtin/win_hack_rubeus.yml 
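Review bot: `\s` inside the non-raw string literal on the `reEscape` line is an invalid Python escape sequence: it works today because unknown escapes are kept verbatim, but Python 3.6+ emits a DeprecationWarning for it and 3.12 promotes that to a SyntaxWarning. Write it with a doubled backslash like the rest of the pattern, `reEscape = re.compile("([\\s+\\-=!(){}\\[\\]^\"~:/]|\\\\(?![*?])|\\\\u|&&|\\|\\|)")`. The following hunk that drops the surrounding quotes from `valueExpression` is truncated on this page, so the wildcard-handling code it introduces could not be reviewed.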
@@ -0,0 +1,52 @@ +--- +action: global +title: Rubeus Hack Tool +description: Detects command line parameters used by Rubeus hack tool +author: Florian Roth +reference: + - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ +date: 2018/12/19 +tags: + - attack.credential_access + - attack.t1003 + - attack.s0005 +detection: + condition: selection +falsepositives: + - unlikely +level: critical +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: + - '* asreproast *' + - '* dump /service:krbtgt *' + - '* kerberoast *' + - '* createnetonly /program:*' + - '* ptt /ticket:*' + - '* /impersonateuser:*' + - '* renew /ticket:*' + - '* asktgt /user:*' + - '* harvest /interval:*' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: + - '* asreproast *' + - '* dump /service:krbtgt *' + - '* kerberoast *' + - '* createnetonly /program:*' + - '* ptt /ticket:*' + - '* /impersonateuser:*' + - '* renew /ticket:*' + - '* asktgt /user:*' + - '* harvest /interval:*' \ No newline at end of file From 73b0c3a25be6034838e1b41c0a3870543984b1b6 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Fri, 21 Dec 2018 14:10:45 +0100 Subject: [PATCH 50/99] Fixed wildcard issue for es-dsl backend Moved field mapping code into mixin shared by es-qs and es-dsl. --- tools/sigma/backends/elasticsearch.py | 102 +++++++++++++++----------- 1 file changed, 59 insertions(+), 43 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 9182a3bbc..a54eb7082 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
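Review bot: Every pattern in both sections ends in `' *'`, which requires a space after the keyword, so an invocation whose last argument is the verb itself — `kerberoast`, `asreproast` or `dump /service:krbtgt` with nothing after it — matches in neither the sysmon nor the security section. Dropping the space before the trailing wildcard, e.g. `- '* kerberoast*'` and `- '* asreproast*'`, closes that gap at the cost of slightly broader matching. The two lists are verbatim copies, so a `# keep in sync with the sysmon section` comment in the security section would help, and the file is committed without a trailing newline.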
@@ -22,14 +22,51 @@ from .base import BaseBackend, SingleTextQueryBackend from .mixins import RulenameCommentMixin, MultiRuleOutputMixin from .exceptions import NotSupportedError -class ElasticsearchQuerystringBackend(SingleTextQueryBackend): - """Converts Sigma rule into Elasticsearch query string. Only searches, no aggregations.""" - identifier = "es-qs" - active = True +class ElasticsearchWildcardHandlingMixin(object): + """ + Determine field mapping to keyword subfields depending on existence of wildcards in search values. Further, + provide configurability with backend parameters. + """ options = SingleTextQueryBackend.options + ( ("keyword_field", "keyword", "Keyword sub-field name", None), ("keyword_blacklist", None, "Fields that don't have a keyword subfield", None) ) + reContainsWildcard = re.compile("(?]") @@ -45,52 +82,21 @@ class ElasticsearchQuerystringBackend(SingleTextQueryBackend): mapExpression = "%s:%s" mapListsSpecialHandling = False - reContainsWildcard = re.compile("(? Date: Fri, 21 Dec 2018 14:17:02 +0100 Subject: [PATCH 51/99] Added Python 3.7 to CI testing --- .travis.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.travis.yml b/.travis.yml index 2012f343d..7204a263a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,10 @@ language: python +dist: xenial python: - 3.5 - 3.6 + - 3.7 +sudo: true services: - elasticsearch cache: pip From f318f328d61a32666593330962ef29be7d5afeeb Mon Sep 17 00:00:00 2001 
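Review bot: The new `- 3.7` entry (like the existing `3.5`/`3.6`) is parsed as a YAML float, which is harmless today but breaks the moment `3.10` is added (it becomes `3.1`); quoting the versions, `- "3.7"`, avoids the trap. `sudo: true` was, as far as I recall, deprecated by Travis around the time of the Xenial migration and has no effect on `dist: xenial` builds, so a short comment on why it is set would save the next reader a lookup.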
From: Tareq AlKhatib Date: Tue, 25 Dec 2018 16:25:12 +0300 Subject: [PATCH 52/99] Corrected reference to references as per Sigma's standard --- rules/windows/builtin/win_hack_rubeus.yml | 2 +- rules/windows/builtin/win_net_ntlm_downgrade.yml | 2 +- rules/windows/sysmon/sysmon_cmdkey_recon.yml | 2 +- rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml | 2 +- rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml | 2 +- rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/builtin/win_hack_rubeus.yml b/rules/windows/builtin/win_hack_rubeus.yml index daeeace07..1d03d7836 100644 --- a/rules/windows/builtin/win_hack_rubeus.yml +++ b/rules/windows/builtin/win_hack_rubeus.yml @@ -3,7 +3,7 @@ action: global title: Rubeus Hack Tool description: Detects command line parameters used by Rubeus hack tool author: Florian Roth -reference: +references: - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ date: 2018/12/19 tags: diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index 36e2b0576..1742289d7 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -2,7 +2,7 @@ action: global title: NetNTLM Downgrade Attack description: Detects post exploitation using NetNTLM downgrade attacks -reference: +references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks author: Florian Roth date: 2018/03/20 diff --git a/rules/windows/sysmon/sysmon_cmdkey_recon.yml b/rules/windows/sysmon/sysmon_cmdkey_recon.yml index 050884aaa..6f1e4c664 100644 --- a/rules/windows/sysmon/sysmon_cmdkey_recon.yml +++ b/rules/windows/sysmon/sysmon_cmdkey_recon.yml 
@@ -1,7 +1,7 @@ title: Cmdkey Cached Credentials Recon status: experimental description: Detects usage of cmdkey to look for cached credentials -reference: +references: - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx author: jmallette diff --git a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml index cb6406258..398ca9b3d 100644 --- a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml @@ -3,7 +3,7 @@ status: experimental description: Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder author: Florian Roth date: 2018/07/18 -reference: +references: - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml b/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml index 0336ebb38..d700b9324 100644 --- a/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml +++ b/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml @@ -1,7 +1,7 @@ title: Suspicious TSCON Start status: experimental description: Detects a tscon.exe start as LOCAL SYSTEM -reference: +references: - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml b/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml index 6daa48766..ec7b0788d 100644 --- a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml +++ b/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml 
@@ -3,7 +3,7 @@ action: global title: Suspicious RDP Redirect Using TSCON status: experimental description: Detects a suspicious RDP session redirect using tscon.exe -reference: +references: - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth From 0a5e79b1e0dded17972781f694ff8f681e4b364c Mon Sep 17 00:00:00 2001 From: Tareq AlKhatib Date: Tue, 1 Jan 2019 13:30:26 +0300 Subject: [PATCH 53/99] Fixed the RC section to use rc.exe instead of oleview.exe --- rules/windows/builtin/win_plugx_susp_exe_locations.yml | 2 +- rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml index 6295abc41..b2520542e 100644 --- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml +++ b/rules/windows/builtin/win_plugx_susp_exe_locations.yml @@ -117,7 +117,7 @@ detection: # RC selection_rc: EventID: 4688 - CommandLine: '*\OleView.exe' + CommandLine: '*\rc.exe' filter_rc: EventID: 4688 CommandLine: diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml index 7071de23c..59f5821a2 100644 --- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml @@ -115,7 +115,7 @@ detection: # RC selection_rc: EventID: 1 - Image: '*\OleView.exe' + Image: '*\rc.exe' filter_rc: EventID: 1 Image: From 925ffae9b86c4ab5878505b9b86432e3be313fb6 Mon Sep 17 00:00:00 2001 
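Review bot: `selection_rc` in the builtin rule keys `EventID: 4688` on `CommandLine`, whereas the 4688 sections elsewhere in this series (certutil, tscon, MavInject) use `ProcessCommandLine`; unless a field mapping resolves both names, one convention will silently fail on a given backend, so either align it (`ProcessCommandLine: '*\rc.exe'`) or document the mapping. `filter_rc` continues outside this hunk and would need the same treatment. Matching `'*\rc.exe'` against the command line also only catches a command line that ends in `\rc.exe`; the sysmon variant in the next hunk keys on `Image`, which is the more reliable field.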
From: Tareq AlKhatib Date: Wed, 2 Jan 2019 07:47:44 +0300 Subject: [PATCH 54/99] Removed Outlook detection which is a subset of the Office one --- rules/windows/sysmon/sysmon_office_shell.yml | 1 + rules/windows/sysmon/sysmon_outlook_shell.yml | 31 ------------------- 2 files changed, 1 insertion(+), 31 deletions(-) delete mode 100644 rules/windows/sysmon/sysmon_outlook_shell.yml diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml index f3d23d7c3..c226ffe44 100644 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ b/rules/windows/sysmon/sysmon_office_shell.yml @@ -4,6 +4,7 @@ description: Detects a Windows command line executable started from Microsoft Wo references: - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html + - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle tags: - attack.execution - attack.defense_evasion diff --git a/rules/windows/sysmon/sysmon_outlook_shell.yml b/rules/windows/sysmon/sysmon_outlook_shell.yml deleted file mode 100644 index 507a6d07c..000000000 --- a/rules/windows/sysmon/sysmon_outlook_shell.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: Microsoft Outlook Spawning Windows Shell -status: experimental -description: Detects a Windows command line executable started from Microsoft Outlook -references: - - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle -author: Florian Roth -date: 2018/03/06 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: - - '*\OUTLOOK.EXE' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\schtasks.exe' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - False positives are possible, depends on organisation and processes -level: high - From 8b94860ee60e86380d99bce4b876e00970793e44 Mon Sep 17 00:00:00 2001 From: Tareq AlKhatib Date: Fri, 4 Jan 2019 12:50:41 +0300 Subject: [PATCH 55/99] Corrected class B private IP range to prevent false negatives --- .../sysmon_powershell_network_connection.yml | 17 ++++++++++++++++- .../sysmon/sysmon_rundll32_net_connections.yml | 18 +++++++++++++++++- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml index 56e22b647..019c15839 100644 --- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml +++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml @@ -18,7 +18,22 @@ detection: DestinationIp: - '10.*' - '192.168.*' - - '172.*' + - '172.16.*' + - '172.17.*' + - '172.18.*' + - '172.19.*' + - '172.20.*' + - '172.21.*' + - '172.22.*' + - '172.23.*' + - '172.24.*' + - '172.25.*' + - '172.26.*' + - '172.27.*' + - '172.28.*' + - '172.29.*' + - '172.30.*' + - '172.31.*' - '127.0.0.1' DestinationIsIpv6: 'false' User: 'NT AUTHORITY\SYSTEM' 
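Review bot: The expanded `DestinationIp` filter now covers 172.16/12 correctly, but it still lists only `'127.0.0.1'` for loopback, so any other 127.0.0.0/8 address and all of link-local 169.254.0.0/16 are treated as external destinations and raise an alert. Adding `- '127.*'` and `- '169.254.*'` keeps the filter consistent with its intent of excluding non-routable destinations. The rundll32 rule in the next hunk adds `'127.0.0.1'` with the same limitation.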
diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml index 3c55b45c7..1a6129d49 100644 --- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml +++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml @@ -20,7 +20,23 @@ detection: DestinationIp: - '10.*' - '192.168.*' - - '172.*' + - '172.16.*' + - '172.17.*' + - '172.18.*' + - '172.19.*' + - '172.20.*' + - '172.21.*' + - '172.22.*' + - '172.23.*' + - '172.24.*' + - '172.25.*' + - '172.26.*' + - '172.27.*' + - '172.28.*' + - '172.29.*' + - '172.30.*' + - '172.31.*' + - '127.0.0.1' condition: selection and not filter falsepositives: - Communication to other corporate systems that use IP addresses from public address spaces From b5531be4bf8d7b63bda8d8df369c6c99e1985604 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrien=20Verg=C3=A9?= Date: Thu, 10 Jan 2019 09:43:08 +0100 Subject: [PATCH 56/99] Really run yamllint (it wasn't checking any rule) Fix the yamllint config in `.yamllint` to "extend" the default rule. Previously, it didn't extend anything and only disabled a rule, which means no rule at all were checked. Also disable some rules in this file, because they report many errors in the Sigma code base. In the future, I suggest fixing these errors and re-enabling standard rules like `trailing-spaces` or `indentation`. Fixes #220. --- .yamllint | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.yamllint b/.yamllint index 2de34c440..d1641eedc 100644 --- a/.yamllint +++ b/.yamllint @@ -1,4 +1,12 @@ --- # https://yamllint.readthedocs.io/en/latest/configuration.html +extends: default rules: + comments: disable + comments-indentation: disable document-start: disable + empty-lines: {max: 2, max-start: 2, max-end: 2} + indentation: disable + line-length: disable + new-line-at-end-of-file: disable + trailing-spaces: disable From 44f18db80de6cf4debff164616241dac00cea151 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Adrien=20Verg=C3=A9?= Date: Thu, 10 Jan 2019 09:47:33 +0100 Subject: [PATCH 57/99] Fix YAML errors reported by yamllint Especially the config for ArcSight, that was invalid: tools/config/arcsight.yml 89:5 error duplication of key "product" in mapping (key-duplicates) 90:5 error duplication of key "conditions" in mapping (key-duplicates) rules/windows/builtin/win_susp_commands_recon_activity.yml 10:9 error too many spaces after colon (colons) --- rules/windows/builtin/win_susp_commands_recon_activity.yml | 2 +- tools/config/arcsight.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml index c1710d867..3710465fd 100644 --- a/rules/windows/builtin/win_susp_commands_recon_activity.yml +++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/haroonmeer/status/939099379834658817 - https://twitter.com/c_APT_ure/status/939475433711722497 - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html -author: Florian Roth, Markus Neis +author: Florian Roth, Markus Neis date: 2018/08/22 modified: 2018/12/11 tags: diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml index 7e6a15fff..d66a227f8 100644 --- a/tools/config/arcsight.yml +++ b/tools/config/arcsight.yml @@ -85,7 +85,7 @@ logsources: conditions: deviceProduct: Apache categoryDeviceGroup: /Application - firewall: + firewall: product: firewall conditions: categoryDeviceGroup: /Firewall From aa37ef25593f2ff58d48dd446b8396bdec71392c Mon Sep 17 00:00:00 2001 From: Mo Amiri Date: Fri, 11 Jan 2019 03:33:49 +0000 Subject: [PATCH 58/99] extending the qradar backend to allow for timeframe query --- tools/config/qradar.yml | 19 ++++++++++------- tools/sigma/backends/qradar.py | 39 ++++++++++++++++++++++++++++++++-- 2 files changed, 48 insertions(+), 10 deletions(-) 
diff --git a/tools/config/qradar.yml b/tools/config/qradar.yml index 0a56c7caa..d86bbd186 100644 --- a/tools/config/qradar.yml +++ b/tools/config/qradar.yml @@ -26,11 +26,14 @@ logsources: index: flows fieldmappings: - dst: - - destinationIP - dst_ip: - - destinationIP - src: - - sourceIP - src_ip: - - sourceIP + EventID: + - Event ID Code + dst: + - destinationIP + dst_ip: + - destinationIP + src: + - sourceIP + src_ip: + - sourceIP + ServiceFileName: Service Name diff --git a/tools/sigma/backends/qradar.py b/tools/sigma/backends/qradar.py index 4d20376c8..ac13e6eba 100644 --- a/tools/sigma/backends/qradar.py +++ b/tools/sigma/backends/qradar.py @@ -108,7 +108,7 @@ class QRadarBackend(SingleTextQueryBackend): def generateNotNULLValueNode(self, node): return self.notNullExpression % (node.item) - def generateAggregation(self, agg): + def generateAggregation(self, agg, timeframe='00'): if agg == None: return "" if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR: 
@@ -117,11 +117,36 @@ class QRadarBackend(SingleTextQueryBackend): self.qradarPrefixAgg = "SELECT %s(%s) as agg_val from %s where" % (agg.aggfunc_notrans, agg.aggfield, self.aql_database) self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.aggfield, agg.cond_op, agg.condition) return self.qradarPrefixAgg, self.qradarSuffixAgg + elif agg.groupfield != None and timeframe == '00': + self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database) + self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition) + return self.qradarPrefixAgg, self.qradarSuffixAgg + elif agg.groupfield != None and timeframe != None: + for key, duration in self.generateTimeframe(timeframe).items(): + self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database) + self.qradarSuffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (agg.groupfield, agg.cond_op, agg.condition, duration, key) + return self.qradarPrefixAgg, self.qradarSuffixAgg else: self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database) self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition) return self.qradarPrefixAgg, self.qradarSuffixAgg + def generateTimeframe(self, timeframe): + time_unit = timeframe[-1:] + duration = timeframe[:-1] + timeframe_object = {} + if time_unit == "s": + timeframe_object['seconds'] = int(duration) + elif time_unit == "m": + timeframe_object['minutes'] = int(duration) + elif time_unit == "h": + timeframe_object['hours'] = int(duration) + elif time_unit == "d": + timeframe_object['days'] = int(duration) + else: + timeframe_object['months'] = int(duration) + return timeframe_object + def generate(self, sigmaparser): """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" for 
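Review bot: The `'00'` default for `timeframe` in `generateAggregation` (previous hunk) is a magic sentinel that competes with `None`: the new branches test `timeframe == '00'`, then `timeframe != None`, and the final `else` builds the same query as the first, so the three-way split is hard to follow and a caller passing `None` explicitly takes a different path than the default for no reason. Defaulting to `timeframe=None` and testing `if agg.groupfield is not None and timeframe:` collapses the `'00'` and `else` branches into one. In `generateTimeframe` an unrecognised unit is silently treated as months and a non-numeric duration surfaces as a bare `int()` error; raising a `ValueError` naming the unit and documenting the accepted units in a docstring would make failures visible. The `for key, duration in ...items(): ... return` over a one-entry dict can be a single unpacking.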
parsed in sigmaparser.condparsed: @@ -147,10 +172,20 @@ class QRadarBackend(SingleTextQueryBackend): else: aql_database = "events" qradarPrefix = "SELECT UTF8(payload) as search_payload from %s where " % (aql_database) - if parsed.parsedAgg: + + try: + timeframe = sigmaparser.parsedyaml['detection']['timeframe'] + except: + timeframe = None + + if parsed.parsedAgg and timeframe == None: (qradarPrefix, qradarSuffixAgg) = self.generateAggregation(parsed.parsedAgg) result = qradarPrefix + result result += qradarSuffixAgg + elif parsed.parsedAgg != None and timeframe != None: + (qradarPrefix, qradarSuffixAgg) = self.generateAggregation(parsed.parsedAgg, timeframe) + result = qradarPrefix + result + result += qradarSuffixAgg else: result = qradarPrefix + result return result From d4a1fe786a54e70bef8f337c6e98283f721c18d2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 12 Jan 2019 12:00:28 +0100 Subject: [PATCH 59/99] Rule: Dridex pattern --- .../windows/malware/sysmon_malware_dridex.yml | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 rules/windows/malware/sysmon_malware_dridex.yml diff --git a/rules/windows/malware/sysmon_malware_dridex.yml b/rules/windows/malware/sysmon_malware_dridex.yml new file mode 100644 index 000000000..9f351c5e7 --- /dev/null +++ b/rules/windows/malware/sysmon_malware_dridex.yml 
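Review bot: The bare `except:` added around `sigmaparser.parsedyaml['detection']['timeframe']` catches everything, including `KeyboardInterrupt` and `SystemExit`, and hides any unrelated failure as "no timeframe"; it should be `except KeyError: timeframe = None`. The two `parsedAgg` branches that follow build the same three lines and differ only in whether `timeframe` is forwarded, so once `generateAggregation` treats `None` as "no timeframe" a single `if parsed.parsedAgg: (qradarPrefix, qradarSuffixAgg) = self.generateAggregation(parsed.parsedAgg, timeframe)` would do. Prefer `is None` over `== None` in the new comparisons.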
@@ -0,0 +1,40 @@
+---
+action: global
+title: Dridex Process Pattern
+status: experimental
+description: Detects typical Dridex process patterns
+references:
+ - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
+author: Florian Roth
+date: 2019/01/10
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ condition: 1 of them
+falsepositives:
+ - Unlikely
+level: critical
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection1:
+ EventID: 1
+ CommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
+ selection2:
+ EventID: 1
+ ParentImage: '*\svchost.exe*'
+ CommandLine:
+ - '*whoami.exe /all'
+ - '*net.exe view'
+---
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+ selection:
+ EventID: 4688
+ ProcessCommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
\ No newline at end of file
From b7eb79f8daf09dcb99608f82e08d3e13038a5bbc Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 12 Jan 2019 12:01:03 +0100 Subject: [PATCH 60/99] Rule: UserInitMprLogonScript persistence method --- ...n_logon_scripts_userinitmprlogonscript.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml new file mode 100644
index 000000000..c965486d2
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
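Review bot: The global (first) document carries `logsource: product: windows / service: sysmon`, but the third document targets `service: security`; with `action: global` the first document's keys are merged into every following one, so this either relies on per-document override semantics or mislabels the security section. The other multi-document rules in this series (MavInject, Rubeus) keep `logsource` out of the global part, and this rule should do the same. The security section mirrors only `selection1`, which is fine under the inherited `condition: 1 of them`, but a comment such as `# no 4688 equivalent of selection2 (ParentImage not available)` would make that deliberate, and the file lacks a trailing newline.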
@@ -0,0 +1,34 @@ +title: Logon Scripts (UserInitMprLogonScript) +status: experimental +description: Detects creation or execution of UserInitMprLogonScript persistence method +references: + - https://attack.mitre.org/techniques/T1037/ +tags: + - attack.t1037 + - attack.persistence + - attack.lateral_movement +author: Tom Ueltschi (@c_APT_ure) +logsource: + product: windows + service: sysmon +detection: + exec_selection: + EventID: 1 + ParentImage: userinit.exe + exec_exclusion: + Image: explorer.exe + CommandLine: netlogon.bat + create_selection: + EventID: + - 1 + - 11 + - 12 + - 13 + - 14 + create_keywords: + - UserInitMprLogonScript + condition: (exec_selection and not exec_exclusion) or (create_selection and create_keywords) +falsepositives: + - exclude legitimate logon scripts + - penetration tests, red teaming +level: high From 63f96d58b4980caafbb73574d1b2579b31e7fabf Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 12 Jan 2019 12:02:00 +0100 Subject: [PATCH 61/99] Rule: Renamed PowerShell.exe --- .../sysmon/sysmon_powershell_renamed_ps.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_powershell_renamed_ps.yml diff --git a/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml b/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml new file mode 100644 index 000000000..dce9e3751 --- /dev/null +++ b/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml 
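Review bot: `ParentImage: userinit.exe`, `Image: explorer.exe` and `CommandLine: netlogon.bat` are plain values and therefore exact matches, while Sysmon records `Image` and `ParentImage` as full paths; as written `exec_selection` can never match and `exec_exclusion` never suppresses anything. The other rules in this series anchor on the file name, so the lines should read `ParentImage: '*\userinit.exe'`, `Image: '*\explorer.exe'` and `CommandLine: '*netlogon.bat*'`. The same unanchored `Image: - powershell.exe - powershell_ise.exe` exclusion appears in sysmon_powershell_renamed_ps.yml in the next commit, where an exclusion that never matches means every process start carrying `Description: Windows PowerShell` alerts, including the genuine powershell.exe.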
@@ -0,0 +1,27 @@ +title: Renamed Powershell.exe +status: experimental +description: Detects copying and renaming of powershell.exe before execution (RETEFE malware DOC/macro starting Sept 2018) +references: + - https://attack.mitre.org/techniques/T1086/ + - https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/ +tags: + - attack.t1086 + - attack.execution +author: Tom Ueltschi (@c_APT_ure) +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + Description: Windows PowerShell + exclusion_1: + Image: + - powershell.exe + - powershell_ise.exe + exclusion_2: + Description: Windows PowerShell ISE + condition: all of selection and not (1 of exclusion_*) +falsepositives: + - penetration tests, red teaming +level: high From 604d88cf1ef2ab0a2f55555061e4e18f33c2c151 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 12 Jan 2019 12:02:26 +0100 Subject: [PATCH 62/99] Rule: WMI Event Subscription --- .../sysmon/sysmon_wmi_event_subscription.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_wmi_event_subscription.yml diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml new file mode 100644 index 000000000..95177ba63 --- /dev/null +++ b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml @@ -0,0 +1,22 @@ +title: WMI Event Subscription +status: experimental +description: Detects creation of WMI event subscription persistence method +references: + - https://attack.mitre.org/techniques/T1084/ +tags: + - attack.t1084 + - attack.persistence +author: Tom Ueltschi (@c_APT_ure) +logsource: + product: windows + service: sysmon +detection: + selector: + EventID: + - 19 + - 20 + - 21 + condition: selector +falsepositives: + - exclude legitimate (vetted) use of WMI event subscription in your network +level: high From 9a6b3b53894d8b83a959f76bc91ef07ee48ffc0f Mon Sep 17 00:00:00 2001 
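Review bot: The detection identifier `selector` in sysmon_wmi_event_subscription.yml departs from the `selection` name every other rule in this series uses; the name is free, but consistency helps anyone scanning many rules, so `selection:` with `condition: selection` is preferable. Both this rule and sysmon_powershell_renamed_ps.yml also omit the `date:` field that the other new rules in the series carry (the commit date, `date: 2019/01/12`, would be the natural value).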
From: Florian Roth Date: Sat, 12 Jan 2019 12:03:30 +0100 Subject: [PATCH 63/99] Rule: PowerShell script run in AppData folders --- rules/windows/builtin/win_susp_ps_appdata.yml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 rules/windows/builtin/win_susp_ps_appdata.yml diff --git a/rules/windows/builtin/win_susp_ps_appdata.yml b/rules/windows/builtin/win_susp_ps_appdata.yml new file mode 100644 index 000000000..c7f1354e0 --- /dev/null +++ b/rules/windows/builtin/win_susp_ps_appdata.yml @@ -0,0 +1,39 @@ +--- +action: global +title: PowerShell Script Run in AppData +status: experimental +description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder +references: + - https://twitter.com/JohnLaTwC/status/1082851155481288706 + - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 +author: Florian Roth +date: 2019/01/09 +logsource: + product: windows + service: sysmon +detection: + condition: selection +falsepositives: + - Administrative scripts +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: + - '* /c powershell*\AppData\Local\*' + - '* /c powershell*\AppData\Roaming\*' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: + - '* /c powershell*\AppData\Local\*' + - '* /c powershell*\AppData\Roaming\*' \ No newline at end of file From cc4b806b949107208d4907349b0f51afcca2a8e3 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 14 Jan 2019 00:26:03 +0100 Subject: [PATCH 64/99] Sigma tools release 0.7.1 --- tools/setup.py | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/tools/setup.py b/tools/setup.py index c8dbc0689..866bc5844 100644 
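Review bot: All four `CommandLine`/`ProcessCommandLine` patterns begin with `* /c powershell*`, so the rule only covers PowerShell launched through a `/c` switch (presumably cmd.exe), whereas the `description:` promises any PowerShell invocation "with reference to an AppData folder". Either the description should state the narrower scope, e.g. `description: Detects PowerShell started via a /c switch with a reference to an AppData folder`, or the pattern list should be widened to match what the description claims.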
--- a/tools/setup.py +++ b/tools/setup.py @@ -13,7 +13,7 @@ with open(path.join(here, 'README.md'), encoding='utf-8') as f: setup( name='sigmatools', - version='0.6', + version='0.7.1', description='Tools for the Generic Signature Format for SIEM Systems', long_description=long_description, url='https://github.com/Neo23x0/sigma', @@ -30,34 +30,38 @@ setup( 'License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)', 'Programming Language :: Python :: 3.5', 'Programming Language :: Python :: 3.6', + 'Programming Language :: Python :: 3.7', 'Environment :: Console', ], keywords='security monitoring siem logging signatures elasticsearch splunk ids sysmon', - packages=['sigma'], + packages=['sigma', 'sigma.backends', 'sigma.config', 'sigma.parser'], python_requires='~=3.5', - install_requires=['PyYAML'], + install_requires=['PyYAML', 'pymisp'], extras_require={ 'test': ['coverage', 'yamllint'], }, data_files=[ ('etc/sigma', [ - 'config/arcsight.yml', - 'config/elk-defaultindex-filebeat.yml', - 'config/elk-defaultindex-logstash.yml', + 'config/qualys.yml', 'config/elk-defaultindex.yml', - 'config/elk-linux.yml', + 'config/arcsight.yml', + 'config/sumologic.yml', + 'config/netwitness.yml', 'config/elk-windows.yml', 'config/helk.yml', + 'config/elk-defaultindex-logstash.yml', + 'config/elk-linux.yml', 'config/logpoint-windows-all.yml', - 'config/qualys.yml', - 'config/qradar.yml', 'config/spark.yml', - 'config/netwitness.yml', + 'config/elk-winlogbeat.yml', + 'config/elk-defaultindex-filebeat.yml', 'config/splunk-windows-all.yml', - 'config/sumologic.yml', + 'config/qradar.yml', + 'config/powershell-windows-all.yml', ])], scripts=[ 'sigmac', - 'merge_sigma' + 'merge_sigma', + 'sigma2misp', ] ) From f759e8b07c4b602a1038caf4d04ee73c61d929c9 Mon Sep 17 00:00:00 2001 
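Review bot: `install_requires=['PyYAML', 'pymisp']` makes pymisp and its transitive dependencies a hard requirement of every sigmatools install, although the hunk suggests it serves only the newly added `sigma2misp` script; declaring it as an extra, `extras_require={'misp': ['pymisp'], 'test': ['coverage', 'yamllint']}`, keeps the dependency surface of plain `sigmac` users small. The reordered `data_files` list also loses the alphabetical order the old list had, which makes future diffs noisier than they need to be; sorting it again is a one-line change.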
From: Florian Roth Date: Tue, 15 Jan 2019 15:40:40 +0100 Subject: [PATCH 65/99] Rule: Suspicious Program Location Process Starts --- ...smon_susp_prog_location_process_starts.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml b/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml new file mode 100644 index 000000000..d842586ac --- /dev/null +++ b/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml @@ -0,0 +1,26 @@ +title: Suspicious Program Location Process Starts +status: experimental +description: Detects programs running in suspicious files system locations +references: + - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo +author: Florian Roth +date: 2019/01/15 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + Image: + # - '*\ProgramData\*' # too many false positives, e.g. with Webex for Windows + - '*\$Recycle.bin' + - '*\Users\Public\*' + - 'C:\Perflogs\*' + - '*\Windows\Fonts\*' + - '*\Windows\IME\*' + - '*\Windows\addins\*' + - '*\Windows\debug\*' + condition: selection +falsepositives: + - unknown +level: high \ No newline at end of file From 5645c75576453e988c7f5817073f7c8eb6bba0c1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 16 Jan 2019 18:43:28 +0100 Subject: [PATCH 66/99] Rule: updated relevant AV signatures - exploiting https://twitter.com/haroldogden/status/1085556071891173376 --- rules/windows/malware/av_exploiting.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml index 1748364c6..045b2af98 100644 --- a/rules/windows/malware/av_exploiting.yml +++ b/rules/windows/malware/av_exploiting.yml 
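Review bot: `'*\$Recycle.bin'` has no trailing `\*`, so it only matches an image literally named `$Recycle.bin` rather than executables started from inside that folder; `'*\$Recycle.bin\*'` matches the shape of the other entries and is presumably what was intended. `'C:\Perflogs\*'` is anchored to drive C: while every other entry uses `*\`, so the same location on a differently lettered system drive is missed; `'*\Perflogs\*'` would be consistent.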
@@ -1,6 +1,7 @@ title: Antivirus Exploitation Framework Detection description: Detects a highly relevant Antivirus alert that reports an exploitation framework date: 2018/09/09 +modified: 2019/01/16 author: Florian Roth references: - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ @@ -19,6 +20,7 @@ detection: - "*Metasploit*" - "*PowerSploit*" - "*CobaltSrike*" + - "*Swrort*" condition: selection fields: - FileName From 8c4b21f06398a576ec8ad4cc607a17e2c0d65abf Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 22 Jan 2019 08:49:10 +0100 Subject: [PATCH 67/99] Rule: Apache threading errors --- rules/web/web_apache_threading_error.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 rules/web/web_apache_threading_error.yml diff --git a/rules/web/web_apache_threading_error.yml b/rules/web/web_apache_threading_error.yml new file mode 100644 index 000000000..492e7ce72 --- /dev/null +++ b/rules/web/web_apache_threading_error.yml @@ -0,0 +1,16 @@ +title: Apache Threading Error +status: experimental +description: Detects an issue in apache logs that reports threading related errors +author: Florian Roth +date: 2019/01/22 +references: + - https://github.com/hannob/apache-uaf/blob/master/README.md +logsource: + product: apache +detection: + keywords: + - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)' + condition: keywords +falsepositives: + - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185 +level: medium From b1ea976f66d31c91d8364323bda41391ba563253 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 22 Jan 2019 16:18:43 +0100 Subject: [PATCH 68/99] fix: fixed bug inntdsutil rule that included a white space --- rules/windows/builtin/win_susp_ntdsutil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
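Review bot: The new `"*Swrort*"` signature in the second hunk of rules/windows/malware/av_exploiting.yml is justified only in the commit message, while the rule's own `references:` list, visible in this hunk, stays unchanged; adding `- https://twitter.com/haroldogden/status/1085556071891173376` there keeps the provenance with the rule, which is what an analyst triaging the alert will read.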
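Review bot: The `falsepositives:` entry in web_apache_threading_error.yml is a bare bug-tracker URL rather than a description of the benign condition an analyst should recognise; describe it, e.g. `- Known Apache httpd bug, see https://bz.apache.org/bugzilla/show_bug.cgi?id=46185`, and carry the link under `references:` as well. The `logsource:` gives only `product: apache` with no `category` or `service`, so field mapping depends entirely on the backend configuration; if error-log versus access-log matters for this keyword, say so in the rule.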
diff --git a/rules/windows/builtin/win_susp_ntdsutil.yml b/rules/windows/builtin/win_susp_ntdsutil.yml index 0dd7b2051..fcbc9bbcc 100644 --- a/rules/windows/builtin/win_susp_ntdsutil.yml +++ b/rules/windows/builtin/win_susp_ntdsutil.yml @@ -11,7 +11,7 @@ tags: - attack.t1003 detection: selection: - CommandLine: '*\ntdsutil.exe *' + CommandLine: '*\ntdsutil*' condition: selection falsepositives: - NTDS maintenance From cc6e0baef19d473ef7f175e6221cf743e1f7be0f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 22 Jan 2019 16:20:06 +0100 Subject: [PATCH 69/99] rule: extended certutil rule to include verifyctl and allows renamed certutil https://twitter.com/egre55/status/1087685529016193025 --- .../sysmon/sysmon_susp_certutil_command.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml index b6cdcfab4..6f2161012 100644 --- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml +++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml @@ -4,13 +4,14 @@ title: Suspicious Certutil Command status: experimental description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility author: Florian Roth, juju4 -modified: 2018/12/11 +modified: 2019/01/22 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - https://twitter.com/subTee/status/888102593838362624 - https://twitter.com/subTee/status/888071631528235010 - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ + - https://twitter.com/egre55/status/1087685529016193025 detection: condition: selection fields: 
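Review bot: The pattern change to `CommandLine: '*\ntdsutil*'` is not accompanied by a `modified:` bump, whereas the sibling certutil change in the next commit records `modified: 2019/01/22`; the rule header is outside this hunk, so if the file already has a `modified:` field it should be updated the same way, and if it lacks one this is the moment to add it.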
@@ -34,14 +35,14 @@ detection: CommandLine: - '*certutil * -decode *' - '*certutil * -decodehex *' - - '*certutil *-urlcache* http*' - - '*certutil *-urlcache* ftp*' + - '* -urlcache * http*' + - '* -urlcache * ftp*' + - '* -verifyctl * http*' + - '* -verifyctl * ftp*' - '*certutil *-URL*' - '*certutil *-ping*' - '*certutil.exe * -decode *' - '*certutil.exe * -decodehex *' - - '*certutil.exe *-urlcache* http*' - - '*certutil.exe *-urlcache* ftp*' - '*certutil.exe *-URL*' - '*certutil.exe *-ping*' --- @@ -55,13 +56,13 @@ detection: ProcessCommandLine: - '*certutil * -decode *' - '*certutil * -decodehex *' - - '*certutil *-urlcache* http*' - - '*certutil *-urlcache* ftp*' + - '* -urlcache * http*' + - '* -urlcache * ftp*' + - '* -verifyctl * http*' + - '* -verifyctl * ftp*' - '*certutil *-URL*' - '*certutil *-ping*' - '*certutil.exe * -decode *' - '*certutil.exe * -decodehex *' - - '*certutil.exe *-urlcache* http*' - - '*certutil.exe *-urlcache* ftp*' - '*certutil.exe *-URL*' - '*certutil.exe *-ping*' From 90e8eba530c6d64bb3f8bc74501d7f54df3d2971 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 22 Jan 2019 16:37:36 +0100 Subject: [PATCH 70/99] rule: false positive reduction in PowerShell rules --- .../powershell/powershell_malicious_commandlets.yml | 2 +- rules/windows/powershell/powershell_malicious_keywords.yml | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index 2105d06bf..7b741ebfb 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -1,6 +1,7 @@ title: Malicious PowerShell Commandlets status: experimental description: Detects Commandlet names from well-known PowerShell exploitation frameworks +modified: 2019/01/22 references: - https://adsecurity.org/?p=2921 tags: 
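Review bot: The unanchored `'* -urlcache * http*'` and `'* -verifyctl * http*'` patterns drop the `certutil` prefix so a renamed binary is still caught, but `'*certutil *-URL*'`, `'*certutil *-ping*'` and their `.exe` variants in the same list keep it, so a renamed certutil using `-URL` or `-ping` stays invisible; if that asymmetry is deliberate it deserves a comment, otherwise those entries should get the same treatment. The `description:` in the first hunk still speaks only of the 'decode' sub command and should be brought in line with what the rule now covers, e.g. `description: Detects suspicious certutil sub commands (decode, urlcache, verifyctl, URL, ping), including when certutil has been renamed`. The identical list is repeated in the second hunk (`@@ -55,13 +56,13 @@`) for the `ProcessCommandLine` document, so any further edit has to be made in both places.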
@@ -40,7 +41,6 @@ detection: - Get-VulnAutoRun - Get-VulnSchTask - Get-UnattendedInstallFile - - Get-WebConfig - Get-ApplicationHost - Get-RegAlwaysInstallElevated - Get-Unconstrained diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index 63c08a3d8..0323a1dcd 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml @@ -1,6 +1,7 @@ title: Malicious PowerShell Keywords status: experimental description: Detects keywords from well-known PowerShell exploitation frameworks +modified: 2019/01/22 references: - https://adsecurity.org/?p=2921 tags: @@ -15,18 +16,12 @@ detection: keywords: - AdjustTokenPrivileges - IMAGE_NT_OPTIONAL_HDR64_MAGIC - - Management.Automation.RuntimeException - Microsoft.Win32.UnsafeNativeMethods - ReadProcessMemory.Invoke - - Runtime.InteropServices - SE_PRIVILEGE_ENABLED - - System.Security.Cryptography - - System.Runtime.InteropServices - LSA_UNICODE_STRING - MiniDumpWriteDump - PAGE_EXECUTE_READ - - Net.Sockets.SocketFlags - - Reflection.Assembly - SECURITY_DELEGATION - TOKEN_ADJUST_PRIVILEGES - TOKEN_ALL_ACCESS From e3d61047bbb02c143d8058727bf71a48a627396c Mon Sep 17 00:00:00 2001 From: Tareq AlKhatib Date: Tue, 22 Jan 2019 21:25:13 +0300 Subject: [PATCH 71/99] Added two tests. One for MITRE and another for file extension. --- tests/test_rules.py | 83 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 tests/test_rules.py diff --git a/tests/test_rules.py b/tests/test_rules.py new file mode 100644 index 000000000..7e20f4e2c --- /dev/null +++ b/tests/test_rules.py 
@@ -0,0 +1,83 @@ +#!/usr/bin/env python3 +""" +Checks for noncompliance or common errors on all rules + +Run using the command +# python -m unittest test_rules.py +""" + +import os +import unittest +import yaml + +class TestRules(unittest.TestCase): + MITRE_TECHNIQUES = ["t1075", "t1189", "t1190", "t1200", "t1091", "t1193", "t1192", "t1194", "t1195", "t1199", "t1078", "t1155", "t1191", "t1059", "t1223", "t1196", "t1173", "t1106", "t1129", "t1203", "t1061", "t1118", "t1152", "t1168", "t1177", "t1170", "t1086", "t1121", "t1117", "t1085", "t1053", "t1064", "t1035", "t1218", "t1216", "t1153", "t1151", "t1072", "t1154", "t1127", "t1204", "t1047", "t1028", "t1220", "t1156", "t1015", "t1098", "t1182", "t1103", "t1138", "t1131", "t1197", "t1067", "t1176", "t1042", "t1109", "t1122", "t1136", "t1038", "t1157", "t1133", "t1044", "t1158", "t1179", "t1062", "t1183", "t1215", "t1159", "t1160", "t1152", "t1161", "t1168", "t1162", "t1037", "t1031", "t1128", "t1050", "t1137", "t1034", "t1150", "t1205", "t1013", "t1163", "t1164", "t1108", "t1060", "t1053", "t1180", "t1101", "t1058", "t1166", "t1023", "t1198", "t1165", "t1019", "t1209", "t1154", "t1078", "t1100", "t1084", "t1004", "t1134", "t1015", "t1182", "t1103", "t1138", "t1088", "t1038", "t1157", "t1068", "t1181", "t1044", "t1179", "t1183", "t1160", "t1050", "t1034", "t1150", "t1013", "t1055", "t1053", "t1058", "t1166", "t1178", "t1165", "t1169", "t1206", "t1078", "t1100", "t1134", "t1009", "t1197", "t1088", "t1146", "t1191", "t1116", "t1223", "t1109", "t1122", "t1196", "t1207", "t1140", "t1089", "t1038", "t1073", "t1211", "t1181", "t1107", "t1222", "t1006", "t1144", "t1158", "t1147", "t1143", "t1148", "t1183", "t1054", "t1066", "t1070", "t1202", "t1130", "t1118", "t1152", "t1149", "t1036", "t1112", "t1170", "t1126", "t1096", "t1027", "t1150", "t1205", "t1186", "t1093", "t1055", "t1108", "t1121", "t1117", "t1014", "t1085", "t1064", "t1218", "t1216", "t1198", "t1045", "t1151", "t1221", "t1099", "t1127", "t1078", "t1102", "t1220", 
"t1098", "t1139", "t1110", "t1003", "t1081", "t1214", "t1212", "t1187", "t1179", "t1056", "t1141", "t1208", "t1142", "t1171", "t1040", "t1174", "t1145", "t1167", "t1111", "t1087", "t1010", "t1217", "t1083", "t1046", "t1135", "t1040", "t1201", "t1120", "t1069", "t1057", "t1012", "t1018", "t1063", "t1082", "t1016", "t1049", "t1033", "t1124", "t1155", "t1017", "t1175", "t1210", "t1037", "t1097", "t1076", "t1105", "t1021", "t1091", "t1051", "t1184", "t1080", "t1072", "t1077", "t1028", "t1123", "t1119", "t1115", "t1213", "t1005", "t1039", "t1025", "t1074", "t1114", "t1056", "t1185", "t1113", "t1125", "t1020", "t1002", "t1022", "t1030", "t1048", "t1041", "t1011", "t1052", "t1029", "t1043", "t1092", "t1090", "t1094", "t1024", "t1132", "t1001", "t1172", "t1008", "t1188", "t1104", "t1026", "t1079", "t1205", "t1219", "t1105", "t1071", "t1032", "t1095", "t1065", "t1102"] + MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list + MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control"] + MITRE_GROUPS = ["g0018", "g0006", "g0005", "g0023", "g0025", "g0026", "g0073", "g0007", "g0016", "g0022", "g0013", "g0050", "g0064", "g0067", "g0001", "g0063", "g0060", "g0008", "g0058", "g0003", "g0080", "g0052", "g0070", "g0012", "g0079", "g0009", "g0035", "g0074", "g0017", "g0031", "g0066", "g0020", "g0051", "g0053", "g0037", "g0046", "g0061", "g0047", "g0036", "g0078", "g0043", "g0072", "g0004", "g0032", "g0077", "g0065", "g0030", "g0059", "g0045", "g0002", "g0021", "g0069", "g0019", "g0055", "g0014", "g0049", "g0071", "g0040", "g0011", "g0068", "g0033", "g0056", "g0024", "g0075", "g0048", "g0034", "g0029", "g0054", "g0038", "g0041", "g0039", "g0062", "g0015", "g0028", "g0027", "g0076", "g0010", "g0044"] + MITRE_SOFTWARE = ["s0066", "s0065", "s0202", "s0309", "s0045", 
"s0092", "s0319", "s0296", "s0304", "s0310", "s0292", "s0099", "s0073", "s0110", "s0129", "s0093", "s0031", "s0245", "s0128", "s0234", "s0239", "s0127", "s0017", "s0268", "s0190", "s0069", "s0089", "s0114", "s0293", "s0252", "s0204", "s0014", "s0043", "s0119", "s0025", "s0274", "s0077", "s0030", "s0261", "s0222", "s0160", "s0220", "s0323", "s0144", "s0107", "s0020", "s0023", "s0054", "s0106", "s0154", "s0244", "s0126", "s0212", "s0137", "s0050", "s0046", "s0115", "s0235", "s0187", "s0255", "s0243", "s0301", "s0021", "s0200", "s0213", "s0281", "s0134", "s0186", "s0300", "s0320", "s0105", "s0315", "s0038", "s0062", "s0024", "s0081", "s0064", "s0082", "s0091", "s0152", "s0076", "s0181", "s0171", "s0267", "s0120", "s0182", "s0143", "s0036", "s0173", "s0193", "s0277", "s0095", "s0168", "s0049", "s0032", "s0026", "s0249", "s0290", "s0237", "s0008", "s0132", "s0047", "s0151", "s0037", "s0214", "s0246", "s0224", "s0071", "s0061", "s0170", "s0087", "s0135", "s0009", "s0232", "s0040", "s0070", "s0068", "s0322", "s0321", "s0203", "s0101", "s0278", "s0259", "s0260", "s0231", "s0100", "s0189", "s0015", "s0163", "s0044", "s0201", "s0283", "s0325", "s0215", "s0088", "s0265", "s0276", "s0271", "s0288", "s0250", "s0162", "s0156", "s0236", "s0211", "s0042", "s0121", "s0010", "s0282", "s0317", "s0167", "s0303", "s0175", "s0002", "s0179", "s0133", "s0051", "s0280", "s0084", "s0083", "s0080", "s0079", "s0149", "s0284", "s0256", "s0233", "s0205", "s0228", "s0247", "s0102", "s0272", "s0210", "s0039", "s0056", "s0034", "s0108", "s0104", "s0033", "s0198", "s0118", "s0299", "s0286", "s0138", "s0285", "s0052", "s0264", "s0229", "s0165", "s0072", "s0016", "s0208", "s0122", "s0316", "s0289", "s0158", "s0048", "s0097", "s0124", "s0291", "s0254", "s0013", "s0067", "s0012", "s0216", "s0150", "s0177", "s0139", "s0145", "s0194", "s0223", "s0184", "s0113", "s0279", "s0238", "s0029", "s0078", "s0147", "s0196", "s0197", "s0192", "s0006", "s0269", "s0262", "s0055", "s0241", "s0169", "s0295", "s0172", 
"s0326", "s0153", "s0075", "s0019", "s0166", "s0125", "s0174", "s0258", "s0003", "s0112", "s0270", "s0240", "s0103", "s0090", "s0148", "s0313", "s0253", "s0085", "s0074", "s0111", "s0195", "s0053", "s0185", "s0140", "s0294", "s0028", "s0063", "s0217", "s0007", "s0327", "s0218", "s0226", "s0159", "s0273", "s0157", "s0035", "s0227", "s0324", "s0305", "s0225", "s0058", "s0188", "s0328", "s0142", "s0018", "s0242", "s0060", "s0096", "s0098", "s0011", "s0329", "s0057", "s0164", "s0146", "s0131", "s0004", "s0183", "s0266", "s0307", "s0306", "s0308", "s0094", "s0001", "s0178", "s0199", "s0302", "s0263", "s0116", "s0221", "s0130", "s0275", "s0022", "s0136", "s0207", "s0257", "s0180", "s0109", "s0206", "s0005", "s0155", "s0219", "s0191", "s0176", "s0059", "s0141", "s0041", "s0312", "s0314", "s0161", "s0298", "s0123", "s0297", "s0318", "s0117", "s0311", "s0248", "s0251", "s0287", "s0027", "s0230", "s0086"] + MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE] + + path_to_rules = os.path.join("..", "rules") + + + # Helper functions + def yield_next_rule_file_path(self, path_to_rules:str) -> str: + for root, _, files in os.walk(path_to_rules): + for file in files: + yield os.path.join(root, file) + + + def get_rule_part(self, file_path:str, part_name:str): + yaml_dicts = self.get_rule_yaml(file_path) + for yaml_part in yaml_dicts: + if part_name in yaml_part.keys(): + return yaml_part[part_name] + + return None + + + def get_rule_yaml(self, file_path:str) -> dict: + data = [] + + with open(file_path) as f: + yaml_parts = yaml.load_all(f) + for part in yaml_parts: + data.append(part) + + return data + + + # Tests + def test_confirm_extension_is_yml(self): + files_with_incorrect_extensions = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + file_name_and_extension = os.path.splitext(file) + if len(file_name_and_extension) == 2: + extension = file_name_and_extension[1] + if 
extension != ".yml": + files_with_incorrect_extensions.append(file) + + self.assertEqual(files_with_incorrect_extensions, [], + "There are rule files with extensions other than .yml") + + + def test_confirm_correct_mitre_tags(self): + files_with_incorrect_mitre_tags = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + tags = self.get_rule_part(file_path=file, part_name="tags") + if tags: + for tag in tags: + if tag not in self.MITRE_ALL and tag.startswith("attack."): + print("Rule {} has the following incorrect tag {}".format(file, tag)) + files_with_incorrect_mitre_tags.append(file) + + self.assertEqual(files_with_incorrect_mitre_tags, [], + "There are rules with incorrect MITRE Tags") + + + +if __name__ == "__main__": + unittest.main() \ No newline at end of file From ecffe28933f19e6b4cd1bd1c26fec35f7d2ab97e Mon Sep 17 00:00:00 2001 From: Tareq AlKhatib Date: Tue, 22 Jan 2019 21:26:07 +0300 Subject: [PATCH 72/99] Correct MITRE tag --- rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml | 2 +- rules/windows/sysmon/sysmon_mal_namedpipes.yml | 2 +- rules/windows/sysmon/sysmon_office_shell.yml | 2 +- rules/windows/sysmon/sysmon_powersploit_schtasks.yml | 2 +- rules/windows/sysmon/sysmon_susp_schtask_creation.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml index 5bec5a7db..09ee432b1 100644 --- a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml +++ b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml @@ -5,7 +5,7 @@ references: - https://github.com/GhostPack/SafetyKatz tags: - attack.credential_access - - attack.T1003 + - attack.t1003 author: Markus Neis date: 2018/24/07 logsource: diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/sysmon/sysmon_mal_namedpipes.yml index 27b56e74c..b3026ab6e 100644 --- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml 
+++ b/rules/windows/sysmon/sysmon_mal_namedpipes.yml @@ -31,7 +31,7 @@ detection: condition: selection tags: - attack.defense_evasion - - attack.privelege_escalation + - attack.privilege_escalation - attack.t1055 falsepositives: - Unkown diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml index c226ffe44..dce5d9e8c 100644 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ b/rules/windows/sysmon/sysmon_office_shell.yml @@ -9,7 +9,7 @@ tags: - attack.execution - attack.defense_evasion - attack.t1059 - - attack.T1202 + - attack.t1202 author: Michael Haag, Florian Roth, Markus Neis date: 2018/04/06 logsource: diff --git a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml b/rules/windows/sysmon/sysmon_powersploit_schtasks.yml index 86a14c219..b0574753c 100644 --- a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml +++ b/rules/windows/sysmon/sysmon_powersploit_schtasks.yml @@ -21,7 +21,7 @@ detection: tags: - attack.execution - attack.persistence - - attack.privelege_escalation + - attack.privilege_escalation - attack.t1053 - attack.t1086 - attack.s0111 diff --git a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml index 0183aeca7..3855cb81c 100644 --- a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml +++ b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml @@ -19,7 +19,7 @@ fields: tags: - attack.execution - attack.persistence - - attack.privelege_escalation + - attack.privilege_escalation - attack.t1053 - attack.s0111 falsepositives: From 3c7f46a6cda80acc326ee246d802b0a26b3caf98 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 23 Jan 2019 23:31:36 +0100 Subject: [PATCH 73/99] Added rule test to CI testing --- Makefile | 7 ++++--- tests/test_rules.py | 4 ++-- 2 files changed, 6 insertions(+), 5 deletions(-) mode change 100644 => 100755 tests/test_rules.py diff --git a/Makefile b/Makefile index d6dfa49f5..f1f04174d 100644 
--- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ -.PHONY: test test-yaml test-sigmac +.PHONY: test test-rules test-sigmac TMPOUT = $(shell tempfile||mktemp) COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma -test: clearcov test-yaml test-sigmac test-merge build finish +test: clearcov test-rules test-sigmac test-merge build finish clearcov: rm -f .coverage @@ -10,8 +10,9 @@ finish: coverage report --fail-under=90 rm -f $(TMPOUT) -test-yaml: +test-rules: yamllint rules + tests/test_rules.py test-sigmac: coverage run -a --include=$(COVSCOPE) tools/sigmac -l diff --git a/tests/test_rules.py b/tests/test_rules.py old mode 100644 new mode 100755 index 7e20f4e2c..5ee0aad6e --- a/tests/test_rules.py +++ b/tests/test_rules.py 
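Review bot: `tests/test_rules.py` is invoked by path in the new `test-rules` target, so the target depends on the file's exec bit (switched on in this commit) and on the `#!/usr/bin/env python3` shebang resolving in the CI image; `python3 tests/test_rules.py` removes both dependencies and matches how the file's own docstring says it is meant to be run. The rename of `test-yaml` to `test-rules` in the first hunk also drops the old target name outright, so any script still calling `make test-yaml` fails; that is fine if intended, but a one-line alias would keep it working.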
@@ -18,7 +18,7 @@ class TestRules(unittest.TestCase): MITRE_SOFTWARE = ["s0066", "s0065", "s0202", "s0309", "s0045", "s0092", "s0319", "s0296", "s0304", "s0310", "s0292", "s0099", "s0073", "s0110", "s0129", "s0093", "s0031", "s0245", "s0128", "s0234", "s0239", "s0127", "s0017", "s0268", "s0190", "s0069", "s0089", "s0114", "s0293", "s0252", "s0204", "s0014", "s0043", "s0119", "s0025", "s0274", "s0077", "s0030", "s0261", "s0222", "s0160", "s0220", "s0323", "s0144", "s0107", "s0020", "s0023", "s0054", "s0106", "s0154", "s0244", "s0126", "s0212", "s0137", "s0050", "s0046", "s0115", "s0235", "s0187", "s0255", "s0243", "s0301", "s0021", "s0200", "s0213", "s0281", "s0134", "s0186", "s0300", "s0320", "s0105", "s0315", "s0038", "s0062", "s0024", "s0081", "s0064", "s0082", "s0091", "s0152", "s0076", "s0181", "s0171", "s0267", "s0120", "s0182", "s0143", "s0036", "s0173", "s0193", "s0277", "s0095", "s0168", "s0049", "s0032", "s0026", "s0249", "s0290", "s0237", "s0008", "s0132", "s0047", "s0151", "s0037", "s0214", "s0246", "s0224", "s0071", "s0061", "s0170", "s0087", "s0135", "s0009", "s0232", "s0040", "s0070", "s0068", "s0322", "s0321", "s0203", "s0101", "s0278", "s0259", "s0260", "s0231", "s0100", "s0189", "s0015", "s0163", "s0044", "s0201", "s0283", "s0325", "s0215", "s0088", "s0265", "s0276", "s0271", "s0288", "s0250", "s0162", "s0156", "s0236", "s0211", "s0042", "s0121", "s0010", "s0282", "s0317", "s0167", "s0303", "s0175", "s0002", "s0179", "s0133", "s0051", "s0280", "s0084", "s0083", "s0080", "s0079", "s0149", "s0284", "s0256", "s0233", "s0205", "s0228", "s0247", "s0102", "s0272", "s0210", "s0039", "s0056", "s0034", "s0108", "s0104", "s0033", "s0198", "s0118", "s0299", "s0286", "s0138", "s0285", "s0052", "s0264", "s0229", "s0165", "s0072", "s0016", "s0208", "s0122", "s0316", "s0289", "s0158", "s0048", "s0097", "s0124", "s0291", "s0254", "s0013", "s0067", "s0012", "s0216", "s0150", "s0177", "s0139", "s0145", "s0194", "s0223", "s0184", "s0113", "s0279", "s0238", "s0029", 
"s0078", "s0147", "s0196", "s0197", "s0192", "s0006", "s0269", "s0262", "s0055", "s0241", "s0169", "s0295", "s0172", "s0326", "s0153", "s0075", "s0019", "s0166", "s0125", "s0174", "s0258", "s0003", "s0112", "s0270", "s0240", "s0103", "s0090", "s0148", "s0313", "s0253", "s0085", "s0074", "s0111", "s0195", "s0053", "s0185", "s0140", "s0294", "s0028", "s0063", "s0217", "s0007", "s0327", "s0218", "s0226", "s0159", "s0273", "s0157", "s0035", "s0227", "s0324", "s0305", "s0225", "s0058", "s0188", "s0328", "s0142", "s0018", "s0242", "s0060", "s0096", "s0098", "s0011", "s0329", "s0057", "s0164", "s0146", "s0131", "s0004", "s0183", "s0266", "s0307", "s0306", "s0308", "s0094", "s0001", "s0178", "s0199", "s0302", "s0263", "s0116", "s0221", "s0130", "s0275", "s0022", "s0136", "s0207", "s0257", "s0180", "s0109", "s0206", "s0005", "s0155", "s0219", "s0191", "s0176", "s0059", "s0141", "s0041", "s0312", "s0314", "s0161", "s0298", "s0123", "s0297", "s0318", "s0117", "s0311", "s0248", "s0251", "s0287", "s0027", "s0230", "s0086"] MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE] - path_to_rules = os.path.join("..", "rules") + path_to_rules = "rules" # Helper functions @@ -80,4 +80,4 @@ class TestRules(unittest.TestCase): if __name__ == "__main__": - unittest.main() \ No newline at end of file + unittest.main() From 516bfc88fff483a860b74d48627bd6b750db3d18 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 28 Jan 2019 22:43:22 +0100 Subject: [PATCH 74/99] Added rule: RDP login from localhost --- .../builtin/win_rdp_localhost_login.yml | 22 +++++++++++++++++++ tools/config/elk-winlogbeat.yml | 1 + 2 files changed, 23 insertions(+) create mode 100644 rules/windows/builtin/win_rdp_localhost_login.yml diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/win_rdp_localhost_login.yml new file mode 100644 index 000000000..b7d2b9c9c --- /dev/null 
+++ b/rules/windows/builtin/win_rdp_localhost_login.yml @@ -0,0 +1,22 @@ +title: RDP Login from localhost +description: RDP login with localhost source address may be a tunnelled login +references: + - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html +tags: + - attack.lateral_movement +status: experimental +author: Thomas Patzke +logsource: + product: windows + service: security +detection: + selection: + EventID: 4624 + LogonType: 10 + IpAddress: + - "::1" + - "127.0.0.1" + condition: selection +falsepositives: + - Legitimate administration +level: low diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 20bf500fc..d220a94a5 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml @@ -63,6 +63,7 @@ fieldmappings: ImageLoaded: event_data.ImageLoaded ImagePath: event_data.ImagePath Imphash: event_data.Imphash + IpAddress: event_data.IpAddress LogonProcessName: event_data.LogonProcessName LogonType: event_data.LogonType NewProcessName: event_data.NewProcessName From c9ec4691801e4de541761b677e7d530754aed8cb Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 29 Jan 2019 12:53:59 +0100 Subject: [PATCH 75/99] style: cosmetics - removed empty lines at file end --- rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index 5d861b40a..e4c493f34 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -28,5 +28,3 @@ tags: falsepositives: - unknown level: critical - - From a2eac623a6c39c7bbdac4c40ddba43fbd345f3c0 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Tue, 29 Jan 2019 14:04:10 +0100 Subject: [PATCH 76/99] Rule: Adjusted RDP login from localhost rule level --- rules/windows/builtin/win_rdp_localhost_login.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/win_rdp_localhost_login.yml index b7d2b9c9c..4aa7a465e 100644 --- a/rules/windows/builtin/win_rdp_localhost_login.yml +++ b/rules/windows/builtin/win_rdp_localhost_login.yml @@ -2,6 +2,8 @@ title: RDP Login from localhost description: RDP login with localhost source address may be a tunnelled login references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html +date: 2019/01/28 +modified: 2019/01/29 tags: - attack.lateral_movement status: experimental @@ -18,5 +20,5 @@ detection: - "127.0.0.1" condition: selection falsepositives: - - Legitimate administration -level: low + - Unknown +level: high From 086e62a4956d0e02df1745723761448048b2c559 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 29 Jan 2019 14:04:28 +0100 Subject: [PATCH 77/99] Rule: Netsh RDP port forwarding rule --- .../builtin/win_netsh_port_fwd_3389.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/builtin/win_netsh_port_fwd_3389.yml diff --git a/rules/windows/builtin/win_netsh_port_fwd_3389.yml b/rules/windows/builtin/win_netsh_port_fwd_3389.yml new file mode 100644 index 000000000..66e9c81ee --- /dev/null +++ b/rules/windows/builtin/win_netsh_port_fwd_3389.yml 
@@ -0,0 +1,33 @@ +--- +action: global +title: Netsh RDP Port Forwarding +description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP +references: + - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html +date: 2019/01/29 +tags: + - attack.lateral_movement +status: experimental +author: Florian Roth +falsepositives: + - Legitimate administration +level: high +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: + - 'netsh i* p*=3389 c*' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: + - 'netsh i* p*=3389 c*' From f61b44efa8c5440bd611e1c37e635141dd78f714 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 29 Jan 2019 14:04:48 +0100 Subject: [PATCH 78/99] Rule: Netsh port forwarding --- rules/windows/builtin/win_netsh_port_fwd.yml | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/builtin/win_netsh_port_fwd.yml diff --git a/rules/windows/builtin/win_netsh_port_fwd.yml b/rules/windows/builtin/win_netsh_port_fwd.yml new file mode 100644 index 000000000..3cdfd2e46 --- /dev/null +++ b/rules/windows/builtin/win_netsh_port_fwd.yml 
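Review bot: The pattern `netsh i* p*=3389 c*` in both the sysmon and security selections requires a token beginning with `c` after `=3389`, so a command whose last argument is `listenport=3389` (netsh takes its name=value parameters in any order) is not matched. A trailing wildcard, `- 'netsh i* p*=3389*'`, keeps the abbreviation-tolerant form and covers that ordering as well; the value is duplicated in the two logsource sections, so change both. A short comment above the value explaining that `i* p*` is meant to absorb netsh's abbreviated keywords would also spare the next reader from guessing.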
@@ -0,0 +1,33 @@ +--- +action: global +title: Netsh Port Forwarding +description: Detects netsh commands that configure a port forwarding +references: + - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html +date: 2019/01/29 +tags: + - attack.lateral_movement +status: experimental +author: Florian Roth +falsepositives: + - Legitimate administration +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + CommandLine: + - 'netsh interface portproxy add v4tov4 *' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + ProcessCommandLine: + - 'netsh interface portproxy add v4tov4 *' From 6c8d08942e50999365898d4a2c9616894f29bc35 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 29 Jan 2019 15:17:29 +0100 Subject: [PATCH 79/99] Rule: Fixed field in RDP rule --- rules/windows/builtin/win_rdp_localhost_login.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/win_rdp_localhost_login.yml index 4aa7a465e..24b128e11 100644 --- a/rules/windows/builtin/win_rdp_localhost_login.yml +++ b/rules/windows/builtin/win_rdp_localhost_login.yml @@ -15,7 +15,7 @@ detection: selection: EventID: 4624 LogonType: 10 - IpAddress: + SourceNetworkAddress: - "::1" - "127.0.0.1" condition: selection From a8d1e7c62bf941d98f91776d650f5abfa4017ac4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 29 Jan 2019 15:59:39 +0100 Subject: [PATCH 80/99] Rule: Fixed ntdsutil rule field in 4688 events --- rules/windows/builtin/win_susp_ntdsutil.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
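Review bot: The selection value `netsh interface portproxy add v4tov4 *` is spelled out in full, whereas the sibling 3389 rule in this series uses abbreviation-tolerant wildcards (`netsh i* p*=3389 c*`); netsh accepts unambiguous prefixes of its keywords and portproxy also has `v4tov6`, `v6tov4` and `v6tov6` modes, so the full-word form misses those variants. A value such as `- 'netsh i* p* a* v*tov* *'` in both the sysmon and security sections would align the two rules while keeping `add` as the narrowed operation. As with the 3389 rule, a single-entry list could be a plain scalar unless more patterns are expected to follow.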
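Review bot: Renaming the field to `SourceNetworkAddress` leaves the `IpAddress: event_data.IpAddress` fieldmapping added to `tools/config/elk-winlogbeat.yml` earlier in this series without a consumer, and no `SourceNetworkAddress` mapping is visible on this page; unless one exists elsewhere in that config, the rule converts with an unmapped field name for that backend. Adding `SourceNetworkAddress: event_data.IpAddress` (presumably the same underlying 4624 field) or reverting the earlier mapping line keeps rule and config consistent. The hunk's surrounding rule header is outside this hunk.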
diff --git a/rules/windows/builtin/win_susp_ntdsutil.yml b/rules/windows/builtin/win_susp_ntdsutil.yml index fcbc9bbcc..434f20911 100644 --- a/rules/windows/builtin/win_susp_ntdsutil.yml +++ b/rules/windows/builtin/win_susp_ntdsutil.yml @@ -10,8 +10,6 @@ tags: - attack.credential_access - attack.t1003 detection: - selection: - CommandLine: '*\ntdsutil*' condition: selection falsepositives: - NTDS maintenance @@ -23,6 +21,7 @@ logsource: detection: selection: EventID: 1 + CommandLine: '*\ntdsutil*' --- logsource: product: windows @@ -31,4 +30,4 @@ logsource: detection: selection: EventID: 4688 - + ProcessCommandLine: '*\ntdsutil*' From 27c2684a0f9286115dd404f225e972d4858d4f1f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 31 Jan 2019 12:31:48 +0100 Subject: [PATCH 81/99] Rule: Chafer malware proxy pattern --- rules/proxy/proxy_chafer_malware.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 rules/proxy/proxy_chafer_malware.yml diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml new file mode 100644 index 000000000..fe665381e --- /dev/null +++ b/rules/proxy/proxy_chafer_malware.yml @@ -0,0 +1,20 @@ +title: Chafer Malware URL Pattern +status: experimental +description: Detects HTTP requests used by Chafer malware +references: + - https://securelist.com/chafer-used-remexi-malware/89538/ +author: Florian Roth +date: 2019/01/31 +logsource: + category: proxy +detection: + selection: + c-uri-query: '*/asp.asp?ui=*' + condition: selection +fields: + - ClientIP + - URL + - UserAgent +falsepositives: + - Unknown +level: critical From 6436cb3ae1f0d786d6e04b1314bd0f768937ad72 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Fri, 1 Feb 2019 23:02:03 +0100 Subject: [PATCH 82/99] Added missing conditions --- rules/windows/builtin/win_netsh_port_fwd.yml | 2 ++ rules/windows/builtin/win_netsh_port_fwd_3389.yml | 2 ++ 2 files changed, 4 insertions(+) 
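Review bot: The new Chafer proxy rule puts a path-plus-query pattern, `*/asp.asp?ui=*`, into `c-uri-query`; if that field carries only the query-string part of the request in the configured backend mapping, the `/asp.asp?` prefix can never match and the rule is silently dead. `c-uri: '*/asp.asp?ui=*'` would be the safer field, or a comment should state which proxy taxonomy field is expected to hold the full URI. The `fields:` list (`ClientIP`, `URL`, `UserAgent`) also does not use the `c-` prefixed names the selection relies on, which is worth a look for the same reason.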
diff --git a/rules/windows/builtin/win_netsh_port_fwd.yml b/rules/windows/builtin/win_netsh_port_fwd.yml index 3cdfd2e46..ac05d5dec 100644 --- a/rules/windows/builtin/win_netsh_port_fwd.yml +++ b/rules/windows/builtin/win_netsh_port_fwd.yml @@ -9,6 +9,8 @@ tags: - attack.lateral_movement status: experimental author: Florian Roth +detection: + condition: selection falsepositives: - Legitimate administration level: medium diff --git a/rules/windows/builtin/win_netsh_port_fwd_3389.yml b/rules/windows/builtin/win_netsh_port_fwd_3389.yml index 66e9c81ee..67aff58f6 100644 --- a/rules/windows/builtin/win_netsh_port_fwd_3389.yml +++ b/rules/windows/builtin/win_netsh_port_fwd_3389.yml @@ -9,6 +9,8 @@ tags: - attack.lateral_movement status: experimental author: Florian Roth +detection: + condition: selection falsepositives: - Legitimate administration level: high From 6440bc962be845b6f2f7bce26e3b231943d60e97 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Fri, 1 Feb 2019 23:27:53 +0100 Subject: [PATCH 83/99] CACTUSTORCH detection --- rules/windows/sysmon/sysmon_cactustorch.yml | 29 +++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_cactustorch.yml diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml new file mode 100644 index 000000000..f74754e6f --- /dev/null +++ b/rules/windows/sysmon/sysmon_cactustorch.yml 
@@ -0,0 +1,29 @@ +title: CACTUSTORCH Remote Thread Creation +description: Detects remote thread creation from CACTUSTORCH as described in references. +references: + - https://twitter.com/SBousseaden/status/1090588499517079552 + - https://github.com/mdsecactivebreach/CACTUSTORCH +status: experimental +author: "@SBousseaden (detection), Thomas Patzke (rule)" +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 8 + SourceImage: + - '*\System32\cscript.exe' + - '*\System32\wscript.exe' + - '*\System32\mshta.exe' + - '*\winword.exe' + - '*\excel.exe' + TargetImage: '*\SysWOW64\*' + StartModule: null + condition: selection +tags: + - attack.execution + - attack.t1055 + - attack.t1064 +falsepositives: + - unknown +level: high From 8a0784ad3371d30209250809553b7656c95a0da2 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sat, 2 Feb 2019 00:18:58 +0100 Subject: [PATCH 84/99] Fixed escaping of \\* --- tools/sigma/backends/elasticsearch.py | 2 +- tools/sigma/backends/graylog.py | 2 +- tools/sigma/backends/logpoint.py | 5 ++++- tools/sigma/backends/powershell.py | 2 +- tools/sigma/backends/splunk.py | 7 +++++-- tools/sigma/backends/sumologic.py | 2 +- tools/sigma/backends/wdatp.py | 5 ++++- 7 files changed, 17 insertions(+), 8 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index a54eb7082..d2391bb8e 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -68,7 +68,7 @@ class ElasticsearchQuerystringBackend(ElasticsearchWildcardHandlingMixin, Single identifier = "es-qs" active = True - reEscape = re.compile("([\s+\\-=!(){}\\[\\]^\"~:/]|\\\\(?![*?])|\\\\u|&&|\\|\\|)") + reEscape = re.compile("([\s+\\-=!(){}\\[\\]^\"~:/]|(?]") andToken = " AND " orToken = " OR " diff --git a/tools/sigma/backends/graylog.py b/tools/sigma/backends/graylog.py index 632abfa52..bc20f06d0 100644 --- a/tools/sigma/backends/graylog.py +++ b/tools/sigma/backends/graylog.py 
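Review bot: `StartModule: null` in the CACTUSTORCH selection is the key discriminator of the rule, but nothing explains what a null start module encodes; a one-line comment above it, such as `# StartModule empty: presumably the thread start address maps to no loaded module (see references)`, would spare the next maintainer a trip to the referenced tweet. The rule also carries no `date:` field, which the other new rules in this series have (e.g. `date: 2019/02/01`). `falsepositives: - unknown` is lowercase where sibling rules write `Unknown`, a small consistency point.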
@@ -22,7 +22,7 @@ class GraylogQuerystringBackend(SingleTextQueryBackend): identifier = "graylog" active = True - reEscape = re.compile("([+\\-!(){}\\[\\]^\"~:/]|\\\\(?![*?])|&&|\\|\\|)") + reEscape = re.compile("([+\\-!(){}\\[\\]^\"~:/]|(? \\ + # \* -> \* + # \\* -> \\* + reEscape = re.compile('("|(? \\ + # \* -> \* + # \\* -> \\* + reEscape = re.compile('("|(? \\ + # \* -> \* + # \\* -> \\* + reEscape = re.compile('("|(? Date: Sat, 2 Feb 2019 08:56:00 +0100 Subject: [PATCH 85/99] Notify me --- .travis.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.travis.yml b/.travis.yml index 7204a263a..383c96a03 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,3 +15,9 @@ install: script: - make test - make test-backend-es-qs +notifications: + email: + recipients: + - venom14@gmail.com + on_success: change + on_failure: always From 6215a694a8f2aee44367e3496af1522510c3afec Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sat, 2 Feb 2019 23:51:11 +0100 Subject: [PATCH 86/99] Remove escaping from '\\*' in es-dsl backend --- tools/sigma/backends/elasticsearch.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index d2391bb8e..2cf4ed0fc 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -156,6 +156,12 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin def generateListNode(self, node): raise NotImplementedError("%s : (%s) Node type not implemented for this backend"%(self.title, 'generateListNode')) + def cleanValue(self, value): + """ + Remove Sigma quoting from value. Currently, this appears only in one case: \\\\* + """ + return value.replace("\\\\*", "\\*") + def generateMapItemNode(self, node): key, value = node if type(value) not in (str, int, list): 
@@ -169,7 +175,7 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin else: queryType = 'match_phrase' - res['bool']['should'].append({queryType: {key_mapped: v}}) + res['bool']['should'].append({queryType: {key_mapped: self.cleanValue(str(v))}}) return res else: key_mapped = self.fieldNameMapping(key, value) @@ -177,7 +183,7 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin queryType = 'wildcard' else: queryType = 'match_phrase' - return {queryType: {key_mapped: value}} + return {queryType: {key_mapped: self.cleanValue(str(value))}} def generateValueNode(self, node): return {'multi_match': {'query': node, 'fields': [], 'type': 'phrase'}} From 9c44bb04a72936410025079e1bf3c3f6b3234c09 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sat, 2 Feb 2019 23:52:54 +0100 Subject: [PATCH 87/99] Added mail address to CI fail notification --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 383c96a03..840f2d20b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -19,5 +19,6 @@ notifications: email: recipients: - venom14@gmail.com + - thomas@patzke.org on_success: change on_failure: always From 3ef930b0943eae586144513fe9732604946843bc Mon Sep 17 00:00:00 2001 
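Review bot: Both hunks wrap the value in `str()` before calling `cleanValue`, so integer values (an `EventID`, for instance) are now emitted as strings in the generated `match_phrase`/`wildcard` clause, a behaviour change unrelated to the `\\*` unescaping that may alter matching on numeric mappings. Restrict the cleaning to strings, `self.cleanValue(v) if isinstance(v, str) else v` in the first hunk and `self.cleanValue(value) if isinstance(value, str) else value` in the second, so non-string values pass through as before. The enclosing `generateMapItemNode` method starts outside these hunks.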
From: Thomas Patzke Date: Sun, 3 Feb 2019 00:24:57 +0100 Subject: [PATCH 88/99] Escaped '\*' to '\\*' where required --- rules/apt/apt_chafer_mar18.yml | 4 +-- rules/apt/apt_sofacy.yml | 8 ++--- rules/apt/apt_turla_commands.yml | 4 +-- .../builtin/win_net_ntlm_downgrade.yml | 8 ++--- .../builtin/win_plugx_susp_exe_locations.yml | 32 +++++++++---------- .../builtin/win_susp_powershell_enc_cmd.yml | 2 +- .../builtin/win_susp_process_creations.yml | 30 ++++++++--------- rules/windows/builtin/win_susp_ps_appdata.yml | 8 ++--- .../builtin/win_susp_run_locations.yml | 8 ++--- .../builtin/win_susp_sysprep_appdata.yml | 8 ++--- .../builtin/win_susp_sysvol_access.yml | 4 +-- rules/windows/malware/av_relevant_files.yml | 12 +++---- .../windows/malware/sysmon_malware_dridex.yml | 4 +-- .../malware/sysmon_malware_notpetya.yml | 2 +- rules/windows/malware/win_mal_adwind.yml | 2 +- .../sysmon/sysmon_attrib_hiding_files.yml | 2 +- rules/windows/sysmon/sysmon_cactustorch.yml | 2 +- .../sysmon/sysmon_malware_script_dropper.yml | 20 ++++++------ .../sysmon_malware_verclsid_shellcode.yml | 2 +- .../sysmon_plugx_susp_exe_locations.yml | 32 +++++++++---------- .../sysmon_sdbinst_shim_persistence.yml | 2 +- .../sysmon/sysmon_susp_driver_load.yml | 2 +- .../sysmon/sysmon_susp_exec_folder.yml | 30 ++++++++--------- .../sysmon/sysmon_susp_execution_path.yml | 16 +++++----- .../sysmon_susp_execution_path_webserver.yml | 12 +++---- .../sysmon_susp_powershell_parent_combo.yml | 2 +- ..._susp_prog_location_network_connection.yml | 20 ++++++------ ...smon_susp_prog_location_process_starts.yml | 16 +++++----- .../sysmon_susp_reg_persist_explorer_run.yml | 14 ++++---- .../sysmon/sysmon_susp_regsvr32_anomalies.yml | 2 +- .../sysmon/sysmon_susp_run_key_img_folder.yml | 18 +++++------ .../sysmon_susp_vssadmin_ntds_activity.yml | 4 +-- .../sysmon/sysmon_system_exe_anomaly.yml | 4 +-- .../sysmon/sysmon_uac_bypass_eventvwr.yml | 2 +- .../sysmon/sysmon_uac_bypass_sdclt.yml | 2 +- 
.../sysmon/sysmon_win_binary_github_com.yml | 2 +- .../sysmon/sysmon_win_binary_susp_com.yml | 2 +- .../sysmon/sysmon_win_reg_persistence.yml | 6 ++-- 38 files changed, 175 insertions(+), 175 deletions(-) diff --git a/rules/apt/apt_chafer_mar18.yml b/rules/apt/apt_chafer_mar18.yml index 635d0678c..1ca41150a 100755 --- a/rules/apt/apt_chafer_mar18.yml +++ b/rules/apt/apt_chafer_mar18.yml @@ -48,8 +48,8 @@ detection: - 'C:\wsc.exe*' selection_process2: EventID: 1 - Image: '*\Windows\Temp\DB\*.exe' + Image: '*\Windows\Temp\DB\\*.exe' selection_process3: EventID: 1 CommandLine: '*\nslookup.exe -q=TXT*' - ParentImage: '*\Autoit*' \ No newline at end of file + ParentImage: '*\Autoit*' diff --git a/rules/apt/apt_sofacy.yml b/rules/apt/apt_sofacy.yml index 443b7ae65..10758cb4c 100755 --- a/rules/apt/apt_sofacy.yml +++ b/rules/apt/apt_sofacy.yml @@ -25,8 +25,8 @@ detection: selection: EventID: 1 CommandLine: - - 'rundll32.exe %APPDATA%\*.dat",*' - - 'rundll32.exe %APPDATA%\*.dll",#1' + - 'rundll32.exe %APPDATA%\\*.dat",*' + - 'rundll32.exe %APPDATA%\\*.dll",#1' --- logsource: product: windows @@ -36,5 +36,5 @@ detection: selection: EventID: 4688 ProcessCommandLine: - - 'rundll32.exe %APPDATA%\*.dat",*' - - 'rundll32.exe %APPDATA%\*.dll",#1' \ No newline at end of file + - 'rundll32.exe %APPDATA%\\*.dat",*' + - 'rundll32.exe %APPDATA%\\*.dll",#1' diff --git a/rules/apt/apt_turla_commands.yml b/rules/apt/apt_turla_commands.yml index 7384ab160..3c4b68280 100755 --- a/rules/apt/apt_turla_commands.yml +++ b/rules/apt/apt_turla_commands.yml @@ -21,8 +21,8 @@ detection: EventID: 1 CommandLine: - 'net use \\%DomainController%\C$ "P@ssw0rd" *' - - 'dir c:\*.doc* /s' - - 'dir %TEMP%\*.exe' + - 'dir c:\\*.doc* /s' + - 'dir %TEMP%\\*.exe' condition: selection level: critical --- diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index 1742289d7..2eea5b614 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml 
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -22,9 +22,9 @@ detection: selection1: EventID: 13 TargetObject: - - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel' - - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec' - - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic' + - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel' + - '*SYSTEM\\*ControlSet*\Control\Lsa\NtlmMinClientSec' + - '*SYSTEM\\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic' --- # Windows Security Eventlog: Process Creation with Full Command Line logsource: @@ -34,7 +34,7 @@ logsource: detection: selection2: EventID: 4657 - ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa' + ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa' ObjectValueName: - 'LmCompatibilityLevel' - 'NtlmMinClientSec' diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml index b2520542e..847eb7663 100644 --- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml +++ b/rules/windows/builtin/win_plugx_susp_exe_locations.yml @@ -19,7 +19,7 @@ detection: CommandLine: '*\CamMute.exe' filter_cammute: EventID: 4688 - CommandLine: '*\Lenovo\Communication Utility\*' + CommandLine: '*\Lenovo\Communication Utility\\*' # Chrome Frame Helper selection_chrome_frame: @@ -27,7 +27,7 @@ detection: CommandLine: '*\chrome_frame_helper.exe' filter_chrome_frame: EventID: 4688 - CommandLine: '*\Google\Chrome\application\*' + CommandLine: '*\Google\Chrome\application\\*' # Microsoft Device Emulator selection_devemu: @@ -35,7 +35,7 @@ detection: CommandLine: '*\dvcemumanager.exe' filter_devemu: EventID: 4688 - CommandLine: '*\Microsoft Device Emulator\*' + CommandLine: '*\Microsoft Device Emulator\\*' # Windows Media Player Gadget selection_gadget: 
@@ -43,7 +43,7 @@ detection: CommandLine: '*\Gadget.exe' filter_gadget: EventID: 4688 - CommandLine: '*\Windows Media Player\*' + CommandLine: '*\Windows Media Player\\*' # HTML Help Workshop selection_hcc: @@ -51,7 +51,7 @@ detection: CommandLine: '*\hcc.exe' filter_hcc: EventID: 4688 - CommandLine: '*\HTML Help Workshop\*' + CommandLine: '*\HTML Help Workshop\\*' # Hotkey Command Module for Intel Graphics Contollers selection_hkcmd: @@ -60,9 +60,9 @@ detection: filter_hkcmd: EventID: 4688 CommandLine: - - '*\System32\*' - - '*\SysNative\*' - - '*\SysWowo64\*' + - '*\System32\\*' + - '*\SysNative\\*' + - '*\SysWowo64\\*' # McAfee component selection_mc: @@ -82,9 +82,9 @@ detection: filter_msmpeng: EventID: 4688 CommandLine: - - '*\Microsoft Security Client\*' - - '*\Windows Defender\*' - - '*\AntiMalware\*' + - '*\Microsoft Security Client\\*' + - '*\Windows Defender\\*' + - '*\AntiMalware\\*' # Microsoft Security Center selection_msseces: @@ -92,7 +92,7 @@ detection: CommandLine: '*\msseces.exe' filter_msseces: EventID: 4688 - CommandLine: '*\Microsoft Security Center\*' + CommandLine: '*\Microsoft Security Center\\*' # Microsoft Office 2003 OInfo selection_oinfo: @@ -100,7 +100,7 @@ detection: CommandLine: '*\OInfoP11.exe' filter_oinfo: EventID: 4688 - CommandLine: '*\Common Files\Microsoft Shared\*' + CommandLine: '*\Common Files\Microsoft Shared\\*' # OLE View selection_oleview: @@ -112,7 +112,7 @@ detection: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' + - '*\Windows Resource Kit\\*' # RC selection_rc: @@ -124,8 +124,8 @@ detection: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - '*\Microsoft.NET\*' + - '*\Windows Resource Kit\\*' + - '*\Microsoft.NET\\*' condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or 
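Review bot: The `filter_hkcmd` entry `*\SysWowo64\\*` at the `@@ -60,9 +60,9 @@` hunk carries a typo (`SysWowo64` for `SysWOW64`), so that filter path never matches and hkcmd.exe started from the real SysWOW64 directory is not excluded, which inflates false positives for `selection_hkcmd`. The commit only re-escaped the line, but since it is rewritten anyway, `- '*\SysWOW64\\*'` is the intended value. The sysmon variant of this rule (`sysmon_plugx_susp_exe_locations.yml`) likely has the same list; its corresponding hunk is outside this view.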
diff --git a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml index 1a6b9d7f0..38e7c9657 100644 --- a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml @@ -16,7 +16,7 @@ detection: - '* -encodedcommand JAB*' # Google Rapid Response falsepositive1: - Image: '*\GRR\*' + Image: '*\GRR\\*' # PowerSponse deployments falsepositive2: CommandLine: '* -ExecutionPolicy remotesigned *' diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml index 10512e5ca..dc0483671 100644 --- a/rules/windows/builtin/win_susp_process_creations.yml +++ b/rules/windows/builtin/win_susp_process_creations.yml @@ -33,8 +33,8 @@ detection: - 'vssadmin.exe delete shadows*' - 'vssadmin delete shadows*' - 'vssadmin create shadow /for=C:*' - - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*' - - 'copy \\?\GLOBALROOT\Device\*\config\SAM*' + - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*' + - 'copy \\?\GLOBALROOT\Device\\*\config\SAM*' - 'reg SAVE HKLM\SYSTEM *' - '* sekurlsa:*' - 'net localgroup adminstrators * /add' @@ -42,12 +42,12 @@ detection: - 'certutil.exe *-urlcache* http*' - 'certutil.exe *-urlcache* ftp*' # Malware - - 'netsh advfirewall firewall *\AppData\*' - - 'attrib +S +H +R *\AppData\*' - - 'schtasks* /create *\AppData\*' + - 'netsh advfirewall firewall *\AppData\\*' + - 'attrib +S +H +R *\AppData\\*' + - 'schtasks* /create *\AppData\\*' - 'schtasks* /sc minute*' - - '*\Regasm.exe *\AppData\*' - - '*\Regasm *\AppData\*' + - '*\Regasm.exe *\AppData\\*' + - '*\Regasm *\AppData\\*' - '*\bitsadmin* /transfer*' - '*\certutil.exe * -decode *' - '*\certutil.exe * -decodehex *' 
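Review bot: The `copy \\?\GLOBALROOT\Device\\*...` values at the `@@ -33,8 +33,8 @@` hunk (and again at `@@ -90,8 +90,8 @@` on the 4688 side) escape the `\*` after `Device` but leave the `\\?\` prefix untouched, where `?` is itself a single-character wildcard in Sigma; if the backends apply the same escaping rules to `?` as to `*`, `\\?` is read as a literal backslash followed by a one-character wildcard rather than the literal device-path prefix, and the pattern is one character short of the real command line. Worth confirming against the backend escaping changed earlier in this series and, if so, spelling the prefix with escaped backslashes and question mark (`\\\\\?\GLOBALROOT`) in both hunks.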
@@ -90,8 +90,8 @@ detection: - 'vssadmin.exe delete shadows*' - 'vssadmin delete shadows*' - 'vssadmin create shadow /for=C:*' - - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*' - - 'copy \\?\GLOBALROOT\Device\*\config\SAM*' + - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*' + - 'copy \\?\GLOBALROOT\Device\\*\config\SAM*' - 'reg SAVE HKLM\SYSTEM *' - '* sekurlsa:*' - 'net localgroup adminstrators * /add' @@ -99,12 +99,12 @@ detection: - 'certutil.exe *-urlcache* http*' - 'certutil.exe *-urlcache* ftp*' # Malware - - 'netsh advfirewall firewall *\AppData\*' - - 'attrib +S +H +R *\AppData\*' - - 'schtasks* /create *\AppData\*' + - 'netsh advfirewall firewall *\AppData\\*' + - 'attrib +S +H +R *\AppData\\*' + - 'schtasks* /create *\AppData\\*' - 'schtasks* /sc minute*' - - '*\Regasm.exe *\AppData\*' - - '*\Regasm *\AppData\*' + - '*\Regasm.exe *\AppData\\*' + - '*\Regasm *\AppData\\*' - '*\bitsadmin* /transfer*' - '*\certutil.exe * -decode *' - '*\certutil.exe * -decodehex *' @@ -133,4 +133,4 @@ detection: # AddInProcess - '*AddInProcess*' # NotPowershell (nps) attack - # - '*msbuild*' # too many false positives \ No newline at end of file + # - '*msbuild*' # too many false positives diff --git a/rules/windows/builtin/win_susp_ps_appdata.yml b/rules/windows/builtin/win_susp_ps_appdata.yml index c7f1354e0..ef8200a82 100644 --- a/rules/windows/builtin/win_susp_ps_appdata.yml +++ b/rules/windows/builtin/win_susp_ps_appdata.yml @@ -24,8 +24,8 @@ detection: selection: EventID: 1 CommandLine: - - '* /c powershell*\AppData\Local\*' - - '* /c powershell*\AppData\Roaming\*' + - '* /c powershell*\AppData\Local\\*' + - '* /c powershell*\AppData\Roaming\\*' --- logsource: product: windows @@ -35,5 +35,5 @@ detection: selection: EventID: 4688 ProcessCommandLine: - - '* /c powershell*\AppData\Local\*' - - '* /c powershell*\AppData\Roaming\*' \ No newline at end of file + - '* /c powershell*\AppData\Local\\*' + - '* /c powershell*\AppData\Roaming\\*' 
diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml index 11a26b524..8426baa32 100644 --- a/rules/windows/builtin/win_susp_run_locations.yml +++ b/rules/windows/builtin/win_susp_run_locations.yml @@ -11,10 +11,10 @@ tags: detection: selection: CommandLine: - - "*:\\RECYCLER\\*" - - "*:\\SystemVolumeInformation\\*" - - "%windir%\\Tasks\\*" - - "%systemroot%\\debug\\*" + - '*:\RECYCLER\\*' + - '*:\SystemVolumeInformation\\*' + - '%windir%\Tasks\\*' + - '%systemroot%\debug\\*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/builtin/win_susp_sysprep_appdata.yml b/rules/windows/builtin/win_susp_sysprep_appdata.yml index 236c690b6..76b238856 100644 --- a/rules/windows/builtin/win_susp_sysprep_appdata.yml +++ b/rules/windows/builtin/win_susp_sysprep_appdata.yml @@ -22,8 +22,8 @@ detection: selection: EventID: 1 CommandLine: - - '*\sysprep.exe *\AppData\*' - - 'sysprep.exe *\AppData\*' + - '*\sysprep.exe *\AppData\\*' + - 'sysprep.exe *\AppData\\*' --- logsource: product: windows @@ -33,5 +33,5 @@ detection: selection: EventID: 4688 ProcessCommandLine: - - '*\sysprep.exe *\AppData\*' - - 'sysprep.exe *\AppData\*' + - '*\sysprep.exe *\AppData\\*' + - 'sysprep.exe *\AppData\\*' diff --git a/rules/windows/builtin/win_susp_sysvol_access.yml b/rules/windows/builtin/win_susp_sysvol_access.yml index f79a58cd3..f3b128ddf 100644 --- a/rules/windows/builtin/win_susp_sysvol_access.yml +++ b/rules/windows/builtin/win_susp_sysvol_access.yml @@ -24,7 +24,7 @@ logsource: detection: selection: EventID: 1 - CommandLine: '*\SYSVOL\*\policies\*' + CommandLine: '*\SYSVOL\\*\policies\\*' --- logsource: product: windows @@ -33,4 +33,4 @@ logsource: detection: selection: EventID: 4688 - ProcessCommandLine: '*\SYSVOL\*\policies\*' + ProcessCommandLine: '*\SYSVOL\\*\policies\\*' 
diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index b183b4b20..a0249867a 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml @@ -9,12 +9,12 @@ logsource: detection: selection: FileName: - - 'C:\Windows\Temp\*' - - 'C:\Temp\*' - - '*\\Client\*' - - 'C:\PerfLogs\*' - - 'C:\Users\Public\*' - - 'C:\Users\Default\*' + - 'C:\Windows\Temp\\*' + - 'C:\Temp\\*' + - '*\\Client\\*' + - 'C:\PerfLogs\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\Default\\*' - '*.ps1' - '*.vbs' - '*.bat' diff --git a/rules/windows/malware/sysmon_malware_dridex.yml b/rules/windows/malware/sysmon_malware_dridex.yml index 9f351c5e7..f7388e994 100644 --- a/rules/windows/malware/sysmon_malware_dridex.yml +++ b/rules/windows/malware/sysmon_malware_dridex.yml @@ -22,7 +22,7 @@ logsource: detection: selection1: EventID: 1 - CommandLine: '*\svchost.exe C:\Users\*\Desktop\*' + CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' selection2: EventID: 1 ParentImage: '*\svchost.exe*' @@ -37,4 +37,4 @@ logsource: detection: selection: EventID: 4688 - ProcessCommandLine: '*\svchost.exe C:\Users\*\Desktop\*' \ No newline at end of file + ProcessCommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml index b6d8e50d0..aa7a816e9 100644 --- a/rules/windows/malware/sysmon_malware_notpetya.yml +++ b/rules/windows/malware/sysmon_malware_notpetya.yml @@ -22,7 +22,7 @@ detection: CommandLine: '* deletejournal *' pipe_com: EventID: 1 - CommandLine: '*\AppData\Local\Temp\* \\.\pipe\*' + CommandLine: '*\AppData\Local\Temp\* \\.\pipe\\*' event_clean: EventID: 1 Image: '*\wevtutil.exe' diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/malware/win_mal_adwind.yml index e75b3094b..20a5ea749 100644 --- a/rules/windows/malware/win_mal_adwind.yml +++ b/rules/windows/malware/win_mal_adwind.yml 
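Review bot: In the `sysmon_malware_notpetya.yml` hunk the new value `'*\AppData\Local\Temp\* \\.\pipe\\*'` escapes only the second wildcard; `Temp\*` is left as `\*`, which under the escaping this commit applies everywhere else reads as a literal asterisk, so the `\Temp\<file>` part of the pattern would stop matching. For consistency with the other changed values, `CommandLine: '*\AppData\Local\Temp\\* \\.\pipe\\*'`. The `\\.\pipe` prefix raises the same question, since its leading `\\` may be collapsed to a single backslash depending on the backend's escaping.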
@@ -53,4 +53,4 @@ detection: selection: EventID: 13 TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*' - Details: '%AppData%\Roaming\Oracle\bin\*' + Details: '%AppData%\Roaming\Oracle\bin\\*' diff --git a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml b/rules/windows/sysmon/sysmon_attrib_hiding_files.yml index 8bba17482..1a9c8274e 100644 --- a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml +++ b/rules/windows/sysmon/sysmon_attrib_hiding_files.yml @@ -14,7 +14,7 @@ detection: CommandLine: '*\desktop.ini *' intel: ParentImage: '*\cmd.exe' - CommandLine: '+R +H +S +A \*.cui' + CommandLine: '+R +H +S +A \\*.cui' ParentCommandLine: 'C:\WINDOWS\system32\\*.bat' condition: selection and not (ini or intel) fields: diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml index f74754e6f..b972de848 100644 --- a/rules/windows/sysmon/sysmon_cactustorch.yml +++ b/rules/windows/sysmon/sysmon_cactustorch.yml @@ -17,7 +17,7 @@ detection: - '*\System32\mshta.exe' - '*\winword.exe' - '*\excel.exe' - TargetImage: '*\SysWOW64\*' + TargetImage: '*\SysWOW64\\*' StartModule: null condition: selection tags: diff --git a/rules/windows/sysmon/sysmon_malware_script_dropper.yml b/rules/windows/sysmon/sysmon_malware_script_dropper.yml index 95b29fd80..b08eabd72 100644 --- a/rules/windows/sysmon/sysmon_malware_script_dropper.yml +++ b/rules/windows/sysmon/sysmon_malware_script_dropper.yml 
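Review bot: The `intel` filter's `CommandLine: '+R +H +S +A \\*.cui'` has no leading wildcard, so it is a full-value match that only suppresses a command line beginning with `+R`; if the logged command line for the Intel script starts with the executable name (e.g. `attrib  +R +H +S +A \*.cui`), the filter never fires and the false positive it documents keeps alerting. If that is the case, `'*+R +H +S +A \\*.cui'` (or an `Image: '*\attrib.exe'` constraint) would make the exclusion effective. The `selection` this filter is subtracted from sits above the hunk.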
@@ -12,16 +12,16 @@ detection: - '*\wscript.exe' - '*\cscript.exe' CommandLine: - - '* C:\Users\*.jse *' - - '* C:\Users\*.vbe *' - - '* C:\Users\*.js *' - - '* C:\Users\*.vba *' - - '* C:\Users\*.vbs *' - - '* C:\ProgramData\*.jse *' - - '* C:\ProgramData\*.vbe *' - - '* C:\ProgramData\*.js *' - - '* C:\ProgramData\*.vba *' - - '* C:\ProgramData\*.vbs *' + - '* C:\Users\\*.jse *' + - '* C:\Users\\*.vbe *' + - '* C:\Users\\*.js *' + - '* C:\Users\\*.vba *' + - '* C:\Users\\*.vbs *' + - '* C:\ProgramData\\*.jse *' + - '* C:\ProgramData\\*.vbe *' + - '* C:\ProgramData\\*.js *' + - '* C:\ProgramData\\*.vba *' + - '* C:\ProgramData\\*.vbs *' falsepositive: ParentImage: '*\winzip*' condition: selection diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml index 42ba71450..0bf65b856 100644 --- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml +++ b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml @@ -17,7 +17,7 @@ detection: combination1: CallTrace: '*|UNKNOWN(*VBE7.DLL*' combination2: - SourceImage: '*\Microsoft Office\*' + SourceImage: '*\Microsoft Office\\*' CallTrace: '*|UNKNOWN*' condition: selection and 1 of combination* falsepositives: diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml index 59f5821a2..6a2416dc8 100644 --- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml @@ -17,7 +17,7 @@ detection: Image: '*\CamMute.exe' filter_cammute: EventID: 1 - Image: '*\Lenovo\Communication Utility\*' + Image: '*\Lenovo\Communication Utility\\*' # Chrome Frame Helper selection_chrome_frame: @@ -25,7 +25,7 @@ detection: Image: '*\chrome_frame_helper.exe' filter_chrome_frame: EventID: 1 - Image: '*\Google\Chrome\application\*' + Image: '*\Google\Chrome\application\\*' # Microsoft Device Emulator selection_devemu: 
@@ -33,7 +33,7 @@ detection: Image: '*\dvcemumanager.exe' filter_devemu: EventID: 1 - Image: '*\Microsoft Device Emulator\*' + Image: '*\Microsoft Device Emulator\\*' # Windows Media Player Gadget selection_gadget: @@ -41,7 +41,7 @@ detection: Image: '*\Gadget.exe' filter_gadget: EventID: 1 - Image: '*\Windows Media Player\*' + Image: '*\Windows Media Player\\*' # HTML Help Workshop selection_hcc: @@ -49,7 +49,7 @@ detection: Image: '*\hcc.exe' filter_hcc: EventID: 1 - Image: '*\HTML Help Workshop\*' + Image: '*\HTML Help Workshop\\*' # Hotkey Command Module for Intel Graphics Contollers selection_hkcmd: @@ -58,9 +58,9 @@ detection: filter_hkcmd: EventID: 1 Image: - - '*\System32\*' - - '*\SysNative\*' - - '*\SysWowo64\*' + - '*\System32\\*' + - '*\SysNative\\*' + - '*\SysWowo64\\*' # McAfee component selection_mc: @@ -80,9 +80,9 @@ detection: filter_msmpeng: EventID: 1 Image: - - '*\Microsoft Security Client\*' - - '*\Windows Defender\*' - - '*\AntiMalware\*' + - '*\Microsoft Security Client\\*' + - '*\Windows Defender\\*' + - '*\AntiMalware\\*' # Microsoft Security Center selection_msseces: @@ -90,7 +90,7 @@ detection: Image: '*\msseces.exe' filter_msseces: EventID: 1 - Image: '*\Microsoft Security Center\*' + Image: '*\Microsoft Security Center\\*' # Microsoft Office 2003 OInfo selection_oinfo: @@ -98,7 +98,7 @@ detection: Image: '*\OInfoP11.exe' filter_oinfo: EventID: 1 - Image: '*\Common Files\Microsoft Shared\*' + Image: '*\Common Files\Microsoft Shared\\*' # OLE View selection_oleview: @@ -110,7 +110,7 @@ detection: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' + - '*\Windows Resource Kit\\*' # RC selection_rc: 
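Review bot: `'*\SysWowo64\\*'` in `filter_hkcmd` carries a typo (`SysWowo64` for `SysWOW64`), so the 32-bit system directory is never excluded and any legitimate `hkcmd.exe` started from `C:\Windows\SysWOW64\` would still match `selection_hkcmd and not filter_hkcmd`. The `sysmon_system_exe_anomaly` filter later in this same patch spells it `'*\SysWow64\\*'`; use that here: `- '*\SysWow64\\*'`. `selection_hkcmd` itself is just above the hunk.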
@@ -122,8 +122,8 @@ detection: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - '*\Microsoft.NET\*' + - '*\Windows Resource Kit\\*' + - '*\Microsoft.NET\\*' condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml index cea5c5ba8..c822885f0 100644 --- a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml +++ b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml @@ -17,7 +17,7 @@ detection: Image: - '*\sdbinst.exe' CommandLine: - - '*\AppPatch\*}.sdb*' + - '*\AppPatch\\*}.sdb*' condition: selection falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 1bd365f63..1caa95270 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -7,7 +7,7 @@ logsource: detection: selection: EventID: 6 - ImageLoaded: '*\Temp\*' + ImageLoaded: '*\Temp\\*' condition: selection falsepositives: - there is a relevant set of false positives depending on applications in the environment diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml index 02a9eb35e..bd57cb816 100644 --- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_exec_folder.yml 
@@ -13,21 +13,21 @@ detection: selection: EventID: 1 Image: - - 'C:\PerfLogs\*' - - 'C:\$Recycle.bin\*' - - 'C:\Intel\Logs\*' - - 'C:\Users\Default\*' - - 'C:\Users\Public\*' - - 'C:\Users\NetworkService\*' - - 'C:\Windows\Fonts\*' - - 'C:\Windows\Debug\*' - - 'C:\Windows\Media\*' - - 'C:\Windows\Help\*' - - 'C:\Windows\addins\*' - - 'C:\Windows\repair\*' - - 'C:\Windows\security\*' - - '*\RSA\MachineKeys\*' - - 'C:\Windows\system32\config\systemprofile\*' + - 'C:\PerfLogs\\*' + - 'C:\$Recycle.bin\\*' + - 'C:\Intel\Logs\\*' + - 'C:\Users\Default\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\NetworkService\\*' + - 'C:\Windows\Fonts\\*' + - 'C:\Windows\Debug\\*' + - 'C:\Windows\Media\\*' + - 'C:\Windows\Help\\*' + - 'C:\Windows\addins\\*' + - 'C:\Windows\repair\\*' + - 'C:\Windows\security\\*' + - '*\RSA\MachineKeys\\*' + - 'C:\Windows\system32\config\systemprofile\\*' condition: selection falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_susp_execution_path.yml b/rules/windows/sysmon/sysmon_susp_execution_path.yml index d1f06b220..82d22d4d6 100644 --- a/rules/windows/sysmon/sysmon_susp_execution_path.yml +++ b/rules/windows/sysmon/sysmon_susp_execution_path.yml @@ -10,14 +10,14 @@ detection: EventID: 1 Image: - '*\$Recycle.bin' - - '*\Users\All Users\*' - - '*\Users\Default\*' - - '*\Users\Public\*' - - 'C:\Perflogs\*' - - '*\config\systemprofile\*' - - '*\Windows\Fonts\*' - - '*\Windows\IME\*' - - '*\Windows\addins\*' + - '*\Users\All Users\\*' + - '*\Users\Default\\*' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\config\systemprofile\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' condition: selection fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml b/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml index 017d726cf..b50d8960d 100644 --- a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml 
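Review bot: In `sysmon_susp_execution_path`, `'*\$Recycle.bin'` is left without a trailing wildcard while every neighbouring Image entry gets `\\*`, so it only matches an Image that ends with the directory name itself and never an executable launched from inside the recycle bin — the case the rule exists for. `- '*\$Recycle.bin\\*'` would match the form `sysmon_susp_exec_folder` uses earlier in this patch (`'C:\$Recycle.bin\\*'`). The same unterminated entry recurs in the two `sysmon_susp_prog_location_*` rules further down. `'C:\Perflogs\\*'` also differs in case from `C:\PerfLogs` in the sibling rule, which is only harmless on case-insensitive backends.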
+++ b/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml @@ -9,14 +9,14 @@ detection: selection: EventID: 1 Image: - - '*\wwwroot\*' - - '*\wmpub\*' - - '*\htdocs\*' + - '*\wwwroot\\*' + - '*\wmpub\\*' + - '*\htdocs\\*' filter: Image: - - '*bin\*' - - '*\Tools\*' - - '*\SMSComponent\*' + - '*bin\\*' + - '*\Tools\\*' + - '*\SMSComponent\\*' ParentImage: - '*\services.exe' condition: selection and not filter diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml index 6c6c893d9..c33ee2f04 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml @@ -19,7 +19,7 @@ detection: Image: - '*\powershell.exe' falsepositive: - CurrentDirectory: '*\Health Service State\*' + CurrentDirectory: '*\Health Service State\\*' condition: selection and not falsepositive fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml index c97aad22d..5008aca29 100644 --- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml 
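Review bot: `'*bin\\*'` in the filter is very loose — it matches any Image whose path contains `bin\`, including `cgi-bin\` under the very web roots the selection watches, so a service binary dropped in `wwwroot\cgi-bin\` and started by `services.exe` is excluded from the alert. Anchor it to a directory boundary, `- '*\bin\\*'`, or better name the product path the way the `Tools` and `SMSComponent` entries do. The `ParentImage: '*\services.exe'` constraint is the only thing keeping this exclusion narrow today.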
@@ -13,17 +13,17 @@ detection: selection: EventID: 3 Image: - # - '*\ProgramData\*' # too many false positives, e.g. with Webex for Windows + # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows - '*\$Recycle.bin' - - '*\Users\All Users\*' - - '*\Users\Default\*' - - '*\Users\Public\*' - - 'C:\Perflogs\*' - - '*\config\systemprofile\*' - - '*\Windows\Fonts\*' - - '*\Windows\IME\*' - - '*\Windows\addins\*' + - '*\Users\All Users\\*' + - '*\Users\Default\\*' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\config\systemprofile\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' condition: selection falsepositives: - unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml b/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml index d842586ac..b8d3f7ad7 100644 --- a/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml +++ b/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml @@ -12,15 +12,15 @@ detection: selection: EventID: 1 Image: - # - '*\ProgramData\*' # too many false positives, e.g. with Webex for Windows + # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows - '*\$Recycle.bin' - - '*\Users\Public\*' - - 'C:\Perflogs\*' - - '*\Windows\Fonts\*' - - '*\Windows\IME\*' - - '*\Windows\addins\*' - - '*\Windows\debug\*' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' + - '*\Windows\debug\\*' condition: selection falsepositives: - unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml index 398ca9b3d..7de64276f 100644 --- a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml 
@@ -13,13 +13,13 @@ detection: EventID: 13 TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' Details: - - 'C:\Windows\Temp\*' - - 'C:\ProgramData\*' - - '*\AppData\*' - - 'C:\$Recycle.bin\*' - - 'C:\Temp\*' - - 'C:\Users\Public\*' - - 'C:\Users\Default\*' + - 'C:\Windows\Temp\\*' + - 'C:\ProgramData\\*' + - '*\AppData\\*' + - 'C:\$Recycle.bin\\*' + - 'C:\Temp\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\Default\\*' condition: selection tags: - attack.persistence diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml index 2ed6e2de2..778d147e5 100644 --- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml +++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml @@ -16,7 +16,7 @@ detection: selection1: EventID: 1 Image: '*\regsvr32.exe' - CommandLine: '*\Temp\*' + CommandLine: '*\Temp\\*' # Loaded by powershell selection2: EventID: 1 diff --git a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml index 449e98ecc..de69f0985 100644 --- a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml @@ -15,16 +15,16 @@ detection: selection: EventID: 13 TargetObject: - - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*' - - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*' + - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' + - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*' Details: - - 'C:\Windows\Temp\*' - - '*\AppData\*' - - 'C:\$Recycle.bin\*' - - 'C:\Temp\*' - - 'C:\Users\Public\*' - - 'C:\Users\Default\*' - - 'C:\Users\Desktop\*' + - 'C:\Windows\Temp\\*' + - '*\AppData\\*' + - 'C:\$Recycle.bin\\*' + - 'C:\Temp\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\Default\\*' + - 'C:\Users\Desktop\\*' condition: selection fields: - Image 
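Review bot: `'C:\Users\Desktop\\*'` in the `Details` list of `sysmon_susp_run_key_img_folder` is not a real profile path — desktops live under `C:\Users\<name>\Desktop\` — so the entry can never match a Run-key value and only gives an impression of coverage. `- 'C:\Users\\*\Desktop\\*'` is presumably what was intended, with `\\*` so the mid-path wildcard is not read as a literal `*`. Since Run-key values frequently wrap the path in quotes, a leading `*` may also be needed; worth checking against real EventID 13 data.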
diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml index ad4a0db3c..396378da1 100644 --- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml +++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml @@ -18,8 +18,8 @@ detection: - 'vssadmin.exe Delete Shadows' # Hacking - 'vssadmin create shadow /for=C:' - - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit' - - 'copy \\?\GLOBALROOT\Device\*\config\SAM' + - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit' + - 'copy \\?\GLOBALROOT\Device\\*\config\SAM' - 'vssadmin delete shadows /for=C:' - 'reg SAVE HKLM\SYSTEM ' condition: selection diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml index 4a568ec4f..92f738444 100644 --- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml +++ b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml @@ -24,8 +24,8 @@ detection: - '*\conhost.exe' filter: Image: - - '*\System32\*' - - '*\SysWow64\*' + - '*\System32\\*' + - '*\SysWow64\\*' condition: selection and not filter tags: - attack.defense_evasion diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index e4c493f34..0a812ad5d 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -11,7 +11,7 @@ logsource: detection: methregistry: EventID: 13 - TargetObject: 'HKEY_USERS\*\mscfile\shell\open\command' + TargetObject: 'HKEY_USERS\\*\mscfile\shell\open\command' methprocess: EventID: 1 ParentImage: '*\eventvwr.exe' diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml index 152fc12ea..dbb12c818 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml 
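Review bot: In `'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit'` (and the SAM sibling) the `\\?` was left untouched, but `?` is a single-character wildcard in Sigma just like `*`, so under the spec's escaping rules `\\?` means one literal backslash followed by any one character — not the `\\?\` device-path prefix actually typed in this command. To match the literal prefix the two values need `'copy \\\\\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit'` (four backslashes for `\\`, then an escaped `?`), or at minimum a test against the backend in use to confirm the current form still resolves. The remaining keyword entries are unchanged context.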
@@ -10,7 +10,7 @@ logsource: detection: selection: EventID: 13 - TargetObject: 'HKEY_USERS\*\Classes\exefile\shell\runas\command\isolatedCommand' + TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand' condition: selection tags: - attack.defense_evasion diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml index 50cc23973..39fead4b2 100644 --- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml +++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml @@ -14,7 +14,7 @@ detection: DestinationHostname: - '*.github.com' - '*.githubusercontent.com' - Image: 'C:\Windows\*' + Image: 'C:\Windows\\*' condition: selection falsepositives: - 'Unknown' diff --git a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml index d2013361a..f0eea3c8c 100644 --- a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml +++ b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml @@ -15,7 +15,7 @@ detection: DestinationHostname: - '*dl.dropboxusercontent.com' - '*.pastebin.com' - Image: 'C:\Windows\*' + Image: 'C:\Windows\\*' condition: selection falsepositives: - 'Unknown' diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yml b/rules/windows/sysmon/sysmon_win_reg_persistence.yml index db0502f9b..27dd71e66 100644 --- a/rules/windows/sysmon/sysmon_win_reg_persistence.yml +++ b/rules/windows/sysmon/sysmon_win_reg_persistence.yml 
@@ -11,9 +11,9 @@ detection: selection_reg1: EventID: 13 TargetObject: - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\ReportingMode' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess' + - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag' + - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode' + - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess' EventType: 'SetValue' condition: 1 of them tags: From abf5a5088efb3b16eeafe6d525d052dec69c699b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 5 Feb 2019 14:32:29 +0100 Subject: [PATCH 89/99] Rule: more malicious UAs --- rules/proxy/proxy_ua_apt.yml | 1 + rules/proxy/proxy_ua_frameworks.yml | 1 + rules/proxy/proxy_ua_suspicious.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index fcf36f0b9..961475e2d 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml @@ -39,6 +39,7 @@ detection: - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details + - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o condition: selection fields: - ClientIP diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml index 7a6d4fd6a..e9ff51c46 100644 --- a/rules/proxy/proxy_ua_frameworks.yml +++ b/rules/proxy/proxy_ua_frameworks.yml 
@@ -33,6 +33,7 @@ detection: - 'X-FORWARDED-FOR' - 'DotDotPwn v2.1' - 'SIPDROID' + - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ # Exploits - '*wordpress hash grabber*' diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml index ac400a36b..6f98e681f 100644 --- a/rules/proxy/proxy_ua_suspicious.yml +++ b/rules/proxy/proxy_ua_suspicious.yml @@ -21,6 +21,7 @@ detection: - 'Mozila/*' # single 'l' - '_' - 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912 + - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ falsepositives: UserAgent: - 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content From 5b92790e3f25cce60c82d3a9fbf8bd780bc506dc Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 5 Feb 2019 14:32:51 +0100 Subject: [PATCH 90/99] Rule: WMI Persistence - FPs --- rules/windows/other/win_wmi_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 6372e2524..58bf3033d 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -19,7 +19,7 @@ detection: - 'ActiveScriptEventConsumer' - 'CommandLineEventConsumer' - 'CommandLineTemplate' - - 'Binding EventFilter' + # - 'Binding EventFilter' # too many false positive with HP Health Driver selection2: EventID: 5859 condition: selection and 1 of keywords or selection2 From dfd4ce878fd1989a58f1369cf117f6173b5d8297 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 5 Feb 2019 14:33:16 +0100 Subject: [PATCH 91/99] Rule: limiting rule to DHCP log --- rules/windows/builtin/win_susp_dhcp_config_failed.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
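Review bot: `'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'` in `proxy_ua_suspicious` has no wildcards, so under Sigma semantics it is a full-value match and deliberately does not cover a genuine Firefox 60 UA, which continues with ` Gecko/20100101 Firefox/60.0`; that is the only thing keeping this entry from being noise. Record the intent in the inline comment, e.g. `# CobaltStrike Beacon default UA - exact match on purpose, a real Firefox UA carries a Gecko/Firefox suffix; do not add a trailing *`, because a backend that maps plain values to a contains-style search will otherwise alert on every Firefox 60 client. The same caveat applies to the `Win32; x32` variant added to `proxy_ua_frameworks` in the hunk above.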
diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/win_susp_dhcp_config_failed.yml index 85b00bacd..f29b153f9 100644 --- a/rules/windows/builtin/win_susp_dhcp_config_failed.yml +++ b/rules/windows/builtin/win_susp_dhcp_config_failed.yml @@ -9,10 +9,10 @@ date: 2017/05/15 author: Dimitrios Slamaris logsource: product: windows - service: system + service: dhcp detection: selection: - EventID: + EventID: - 1031 - 1032 - 1034 From a276d3083d94539a4e92c30bb9756483a166a3e3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 5 Feb 2019 14:35:16 +0100 Subject: [PATCH 92/99] DHCP log source in sigmac configs --- tools/config/arcsight.yml | 5 +++++ tools/config/elk-windows.yml | 5 +++++ tools/config/elk-winlogbeat.yml | 5 +++++ tools/config/helk.yml | 1 + tools/config/logpoint-windows-all.yml | 6 ++++++ tools/config/netwitness.yml | 6 ++++++ tools/config/powershell-windows-all.yml | 5 +++++ tools/config/spark.yml | 5 +++++ tools/config/splunk-windows-all.yml | 5 +++++ tools/config/sumologic.yml | 6 ++++++ 10 files changed, 49 insertions(+) diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml index d66a227f8..f40ca3781 100644 --- a/tools/config/arcsight.yml +++ b/tools/config/arcsight.yml @@ -46,6 +46,11 @@ logsources: service: powershell conditions: deviceVendor: Microsoft + windows-dhcp: + product: windows + service: dhcp + conditions: + deviceVendor: Microsoft windows-system: product: windows service: system diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index a408123c8..10b477ba6 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml @@ -27,4 +27,9 @@ logsources: service: driver-framework conditions: source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'Microsoft-Windows-DHCP-Server/Operational' defaultindex: logstash-* 
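Review bot: Switching to `service: dhcp` binds this rule to whatever the sigmac configs map that service to — the mappings added in the following commit point at `Microsoft-Windows-DHCP-Server/Operational` — but the callout-DLL events 1031/1032/1034 are, if memory serves, written by the DHCP server to the System log rather than to the Operational channel. If that is right, the rule silently stops matching after this change. Please confirm the channel from a DHCP server with a failed callout load (or Microsoft's event reference) before merging, and note the verified channel in a comment next to `service: dhcp`. The rule's title and references are outside the hunk.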
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index d220a94a5..c485831a1 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml @@ -27,6 +27,11 @@ logsources: service: driver-framework conditions: source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'Microsoft-Windows-DHCP-Server/Operational' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/helk.yml b/tools/config/helk.yml index 60423a454..6a52294c8 100644 --- a/tools/config/helk.yml +++ b/tools/config/helk.yml @@ -27,6 +27,7 @@ logsources: product: windows service: powershell-classic index: logs-endpoint-winevent-powershell-* + defaultindex: logs-* fieldmappings: AccessMask: object_access_mask_requested diff --git a/tools/config/logpoint-windows-all.yml b/tools/config/logpoint-windows-all.yml index ec6bb3cac..60965fc60 100644 --- a/tools/config/logpoint-windows-all.yml +++ b/tools/config/logpoint-windows-all.yml @@ -19,6 +19,12 @@ logsources: service: driver-framework conditions: source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'Microsoft-Windows-DHCP-Server/Operational' + fieldmappings: EventID: event_id FailureCode: result_code diff --git a/tools/config/netwitness.yml b/tools/config/netwitness.yml index fe86921b4..beffc181e 100644 --- a/tools/config/netwitness.yml +++ b/tools/config/netwitness.yml @@ -30,6 +30,12 @@ logsources: service: powershell conditions: device.type: winevent_nic + windows-dhcp: + product: windows + service: dhcp + conditions: + device.type: winevent_nic + event.source: microsoft-windows-dhcp-server windows-sec: product: windows service: security 
diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml index 8464ade07..beec09237 100644 --- a/tools/config/powershell-windows-all.yml +++ b/tools/config/powershell-windows-all.yml @@ -60,3 +60,8 @@ logsources: service: ntlm conditions: LogName: 'Microsoft-Windows-NTLM/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + LogName: 'Microsoft-Windows-DHCP-Server/Operational' diff --git a/tools/config/spark.yml b/tools/config/spark.yml index 4c11e10ed..943f29fa6 100644 --- a/tools/config/spark.yml +++ b/tools/config/spark.yml @@ -34,6 +34,11 @@ logsources: service: wmi sources: - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' + windows-dhcp: + product: windows + service: dhcp + sources: + - 'Microsoft-Windows-DHCP-Server' apache: category: webserver sources: diff --git a/tools/config/splunk-windows-all.yml b/tools/config/splunk-windows-all.yml index dad385ae2..15f768e1d 100644 --- a/tools/config/splunk-windows-all.yml +++ b/tools/config/splunk-windows-all.yml @@ -60,5 +60,10 @@ logsources: service: ntlm conditions: source: 'Microsoft-Windows-NTLM/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'Microsoft-Windows-DHCP-Server/Operational' fieldmappings: EventID: EventCode diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index a09c10a7b..d1467b984 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml @@ -44,6 +44,12 @@ logsources: conditions: EventChannel: System index: WINDOWS + windows-dhcp: + product: windows + service: dhcp + conditions: + EventChannel: Microsoft-Windows-DHCP-Server + index: WINDOWS apache: product: apache service: apache From 8f684ddd0642df46078d1499e0433a072a2b5d3b Mon Sep 17 00:00:00 2001 
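Review bot: The new spark entry `sources: - 'Microsoft-Windows-DHCP-Server'` does not follow the `WinEventLog:<channel>` form used by the wmi entry directly above it (`'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'`) and drops the `/Operational` suffix every other config in this commit uses, so `service: dhcp` is unlikely to resolve on the Spark backend. Presumably `- 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'` is intended. The sumologic entry (`EventChannel: Microsoft-Windows-DHCP-Server`) omits the suffix too; worth checking whether that backend expects the channel name or the provider name.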
From: Florian Roth Date: Tue, 5 Feb 2019 15:57:54 +0100 Subject: [PATCH 93/99] Rule: FP in WMI persistence with SCCM --- rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml index d1af4a536..cf8698f94 100644 --- a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml +++ b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml @@ -5,6 +5,7 @@ references: - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html author: Florian Roth date: 2018/04/06 +modified: 2019/02/05 logsource: product: windows service: sysmon @@ -25,11 +26,14 @@ detection: - '*\certutil.exe' - '*\bitsadmin.exe' - '*\mshta.exe' - condition: selection + falsepositives: + CurrentDirectory: '*\ccmcache\*' + condition: selection and not falsepositives fields: - CommandLine - ParentCommandLine falsepositives: - Administrative scripts + - Microsoft SCCM level: high From 32c098294ffa09129a981ed8117d56ef18ebdc3c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 5 Feb 2019 15:58:15 +0100 Subject: [PATCH 94/99] Rule: extended suspicious command lines --- rules/linux/lnx_shell_susp_commands.yml | 46 +++++++++++++++---------- 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml index 1a2d40702..ee10e9107 100644 --- a/rules/linux/lnx_shell_susp_commands.yml +++ b/rules/linux/lnx_shell_susp_commands.yml @@ -6,6 +6,8 @@ references: - http://pastebin.com/FtygZ1cg - https://artkond.com/2017/03/23/pivoting-guide/ author: Florian Roth +date: 2017/08/21 +modified: 2019/02/05 logsource: product: linux detection: 
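Review bot: The new exclusion `CurrentDirectory: '*\ccmcache\*'` uses `\*`, which is exactly the escaped-literal-asterisk form the earlier patch in this series replaced across the rule set with `\\*`; under Sigma's escaping rules it matches a directory literally named `ccmcache*` and will not suppress the SCCM false positive it is meant for. It should read `CurrentDirectory: '*\ccmcache\\*'`. Naming the detection identifier `falsepositives` also collides visually with the top-level `falsepositives:` list a few lines below; the sibling rules use `falsepositive` or `filter`, and either would read more clearly in `condition: selection and not falsepositives`.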
@@ -15,30 +17,38 @@ detection: - 'wget * - http* | sh' - 'wget * - http* | bash' - 'python -m SimpleHTTPServer' - - 'import pty; pty.spawn' + - '-m http.server' # Python 3 + - 'import pty; pty.spawn*' + - 'socat exec:*' + - 'socat -O /tmp/*' + - 'socat tcp-connect*' + - '*echo binary >>*' # Malware - '*wget *; chmod +x*' - '*wget *; chmod 777 *' - '*cd /tmp || cd /var/run || cd /mnt*' # Apache Struts in-the-wild exploit codes - - 'stop;service iptables stop;' - - 'stop;SuSEfirewall2 stop;' - - 'chmod 777 2020' - - '">>/etc/rc.local;' - - 'wget -c *;chmod 777' + - '*stop;service iptables stop;*' + - '*stop;SuSEfirewall2 stop;*' + - 'chmod 777 2020*' + - '*>>/etc/rc.local' + - '*wget -c *;chmod 777*' # Metasploit framework exploit codes - - 'base64 -d /tmp/' - - ' | base64 -d' - - '/bin/chmod u+s' - - 'chmod +s /tmp/' - - 'chmod u+s /tmp/' - - '/tmp/haxhax' - - '/tmp/ns_sploit' - - 'nc -l -p ' - - 'cp /bin/ksh ' - - 'cp /bin/sh ' - - ' /tmp/*.b64 ' - - '/tmp/ysocereal.jar' + - '*base64 -d /tmp/*' + - '* | base64 -d *' + - '*/chmod u+s *' + - '*chmod +s /tmp/*' + - '*chmod u+s /tmp/*' + - '* /tmp/haxhax*' + - '* /tmp/ns_sploit*' + - 'nc -l -p *' + - 'cp /bin/ksh *' + - 'cp /bin/sh *' + - '* /tmp/*.b64 *' + - '*/tmp/ysocereal.jar*' + - '*/tmp/x *' + - '*; chmod +x /tmp/*' + - '*;chmod +x /tmp/*' condition: keywords falsepositives: - Unknown From 5092b1e60307d6b0908381e7a4488eaf53fee7c5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 5 Feb 2019 16:12:07 +0100 Subject: [PATCH 95/99] Rule: removed overlapping strings in Linux rule --- rules/linux/lnx_shell_susp_commands.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml index ee10e9107..8f691c218 100644 --- a/rules/linux/lnx_shell_susp_commands.yml +++ b/rules/linux/lnx_shell_susp_commands.yml 
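Review bot: The keyword list now mixes unanchored entries such as `'-m http.server'` and `'nc -l -p *'` with fully wildcarded ones like `'*echo binary >>*'`; in Sigma a value without wildcards is a full match, so a backend that honours that literally fires on `'-m http.server'` only for a log line that is exactly that string, while a free-text backend turns it into a two-token search. Pick one form — `'* -m http.server*'` is consistent with the rest of the new entries. `'nc -l -p *'` also misses the common `nc -lvp`, `nc -nlvp` and `ncat -l` spellings, and `'* | base64 -d *'` will be noisy on any host running admin scripts; consider naming that source under `falsepositives` rather than `Unknown`.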
@@ -32,7 +32,6 @@ detection:
 - '*stop;SuSEfirewall2 stop;*'
 - 'chmod 777 2020*'
 - '*>>/etc/rc.local'
- - '*wget -c *;chmod 777*'
 # Metasploit framework exploit codes
 - '*base64 -d /tmp/*'
 - '* | base64 -d *'
From 046510f0218c40caa282b8233200456584c8de76 Mon Sep 17 00:00:00 2001
From: neu5ron
Date: Tue, 5 Feb 2019 13:11:06 -0500
Subject: [PATCH 96/99] updated HELK Destination IP name
---
 tools/config/helk.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/config/helk.yml b/tools/config/helk.yml
index 6a52294c8..196f01dd7 100644
--- a/tools/config/helk.yml
+++ b/tools/config/helk.yml
@@ -48,11 +48,11 @@ fieldmappings:
 Destination:
 EventID=20: wmi_consumer_destination
 DestinationHostname: dst_host_name
- DestinationIp: dst_ip
+ DestinationIp: dst_ip_addr
 DestinationIsIpv6: dst_is_ipv6
 DestinationPort: dst_port
 DestinationPortName: dst_port_name
- Details:
+ Details:
 EventID=13: registry_key_value
 Device: device_name
 EngineVersion: powershell.engine.version
@@ -130,7 +130,7 @@ fieldmappings:
 State:
 EventID=4: service_state
 EventID=16: sysmon_configuration_state
- SubjectUserName:
+ SubjectUserName:
 EventID=4624: user_reporter_name
 EventId=4648: user_name
 EventID=5140: user_name
From e6217928f3898919b900fb6b218acc0cf88b3e2a Mon Sep 17 00:00:00 2001
From: keepwatch
Date: Wed, 6 Feb 2019 10:45:32 -0500
Subject: [PATCH 97/99] Added '/' prefix, -encode switch, better renamed certutil coverage
---
 .../sysmon/sysmon_susp_certutil_command.yml | 56 ++++++++++---------
 1 file changed, 31 insertions(+), 25 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
index 6f2161012..749d6f852 100644
--- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml
+++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
@@ -3,7 +3,7 @@ action: global title: Suspicious Certutil Command status: experimental description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility -author: Florian Roth, juju4 +author: Florian Roth, juju4, keepwatch modified: 2019/01/22 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 @@ -12,6 +12,7 @@ references: - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - https://twitter.com/egre55/status/1087685529016193025 + - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ detection: condition: selection fields: @@ -20,6 +21,7 @@ fields: tags: - attack.defense_evasion - attack.t1140 + - attack.t1105 - attack.s0189 - attack.g0007 falsepositives: @@ -33,18 +35,20 @@ detection: selection: EventID: 1 CommandLine: - - '*certutil * -decode *' - - '*certutil * -decodehex *' - - '* -urlcache * http*' - - '* -urlcache * ftp*' - - '* -verifyctl * http*' - - '* -verifyctl * ftp*' - - '*certutil *-URL*' - - '*certutil *-ping*' - - '*certutil.exe * -decode *' - - '*certutil.exe * -decodehex *' - - '*certutil.exe *-URL*' - - '*certutil.exe *-ping*' + - '* -decode *' + - '* /decode *' + - '* -decodehex *' + - '* /decodehex *' + - '* -urlcache *' + - '* /urlcache *' + - '* -verifyctl *' + - '* /verifyctl *' + - '* -encode *' + - '* /encode *' + - '*certutil* -URL*' + - '*certutil* /URL*' + - '*certutil* -ping*' + - '*certutil* /ping*' --- logsource: product: windows 
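Review bot: Dropping the `certutil` anchor from `'* -decode *'`, `'* -encode *'`, `'* -urlcache *'`, `'* -verifyctl *'` and their `/`-switch variants makes the Sysmon selection fire for any process whose command line carries those tokens, not just a renamed certutil, and the `-urlcache`/`-verifyctl` entries also lost their `http*`/`ftp*` tail, so a plain `certutil -urlcache` cache listing now matches as well. A command-line-only rule cannot recognise a renamed binary, so either document the broader match in `falsepositives` (not updated by this commit) or split the list into an anchored high-confidence set and an unanchored lower-level set. Coverage is also uneven: `'*certutil* -URL*'` and `'*certutil* -ping*'` still require the `certutil` token while the entries above them do not. The first hunk adds an author but leaves `modified: 2019/01/22` untouched; it should be bumped to this change's date.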
@@ -54,15 +58,17 @@ detection: selection: EventID: 4688 ProcessCommandLine: - - '*certutil * -decode *' - - '*certutil * -decodehex *' - - '* -urlcache * http*' - - '* -urlcache * ftp*' - - '* -verifyctl * http*' - - '* -verifyctl * ftp*' - - '*certutil *-URL*' - - '*certutil *-ping*' - - '*certutil.exe * -decode *' - - '*certutil.exe * -decodehex *' - - '*certutil.exe *-URL*' - - '*certutil.exe *-ping*' + - '* -decode *' + - '* /decode *' + - '* -decodehex *' + - '* /decodehex *' + - '* -urlcache *' + - '* /urlcache *' + - '* -verifyctl *' + - '* /verifyctl *' + - '* -encode *' + - '* /encode *' + - '*certutil* -URL*' + - '*certutil* /URL*' + - '*certutil* -ping*' + - '*certutil* /ping*' From f0f0bdae40456a9f98fb7efbe923f5b620789f6f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 6 Feb 2019 19:20:52 +0100 Subject: [PATCH 98/99] Rule: fixed date - wrong year --- rules/windows/builtin/win_susp_process_creations.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml index dc0483671..91da05841 100644 --- a/rules/windows/builtin/win_susp_process_creations.yml +++ b/rules/windows/builtin/win_susp_process_creations.yml @@ -15,7 +15,7 @@ references: - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat - https://twitter.com/vector_sec/status/896049052642533376 author: Florian Roth -modified: 2012/12/11 +modified: 2018/12/11 detection: condition: selection falsepositives: From adb6690c80c6488ee4da65920e0bb25649b6edc6 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 6 Feb 2019 19:21:07 +0100 Subject: [PATCH 99/99] Rule: Suspicious GUP.exe usage --- rules/windows/builtin/win_susp_gup.yml | 35 ++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 rules/windows/builtin/win_susp_gup.yml 
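Review bot: This hunk mirrors the Sysmon list onto EventID 4688, but `ProcessCommandLine` is only populated when command-line logging for process creation is enabled; if the `definition:` for this logsource (above the hunk, not visible here) does not already state that, it should follow the repo's convention, e.g. `definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'`. The unanchored `'* -decode *'`/`'* -encode *'` entries carry the same any-process matching concern here as in the Sysmon selection, amplified on 4688 where there is no Sysmon-side hash or image context to pivot on.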
diff --git a/rules/windows/builtin/win_susp_gup.yml b/rules/windows/builtin/win_susp_gup.yml new file mode 100644 index 000000000..e934b3711 --- /dev/null +++ b/rules/windows/builtin/win_susp_gup.yml @@ -0,0 +1,35 @@ +--- +action: global +title: Suspicious GUP Usage +description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks +status: experimental +references: + - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html +author: Florian Roth +date: 2019/02/06 +detection: + condition: selection and not filter +falsepositives: + - 'Execution of tools named GUP.exe and located in folders different than Notepad++\updater' +level: high +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + Image: '*\GUP.exe' + filter: + Image: '*\updater\*' +--- +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + NewProcessName: '*\GUP.exe' + filter: + NewProcessName: '*\updater\*'
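Review bot: The filters `Image: '*\updater\*'` and `NewProcessName: '*\updater\*'` exclude any path that contains a directory named `updater`, so an attacker side-loading through GUP.exe only has to stage it in, say, `C:\Users\Public\updater\` to bypass the rule, while the `falsepositives` text describes the intended exclusion as `Notepad++\updater`. Tighten both filters to the product directory, e.g. `Image: '*\Notepad++\updater\GUP.exe'` and `NewProcessName: '*\Notepad++\updater\GUP.exe'`, so the exclusion matches what the rule claims. Unlike the sibling certutil rule in this series, the new rule has no `tags:` block; adding `attack.defense_evasion` and the DLL side-loading technique ID would keep it consistent with the rest of the repository.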