diff --git a/Makefile b/Makefile
index 7c42ef03a..ca904ac4d 100644
--- a/Makefile
+++ b/Makefile
@@ -103,11 +103,11 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/hawk.yml -t hawk rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
- $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/security/win_susp_failed_logons_single_source.yml > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
- $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/security/win_susp_failed_logons_single_source.yml > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/security/win_susp_failed_logons_single_source.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.badyml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
@@ -115,11 +115,11 @@ test-sigmac:
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_aggregation.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.badyml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.badyml rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml

test-merge:
tests/test-merge.sh
diff --git a/rules-unsupported/sysmon_process_reimaging.yml b/rules-unsupported/sysmon_process_reimaging.yml
index 3caa875e8..89530befa 100644
--- a/rules-unsupported/sysmon_process_reimaging.yml
+++ b/rules-unsupported/sysmon_process_reimaging.yml
@@ -18,8 +18,9 @@ references:
tags:
- attack.defense_evasion
date: 2019/10/25
+modified: 2021/12/02
detection:
- condition: all of them
+ condition: all of selection*
falsepositives:
- unknown
level: high
diff --git a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml
index 1221d88e2..26b636d99 100644
--- a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml
+++ b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml
@@ -4,7 +4,7 @@ description: Detects when multi-factor authentication (MFA) is disabled.
author: Austin Songer
status: experimental
date: 2021/08/26
-modified: 2021/08/29
+modified: 2021/12/02
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
@@ -13,14 +13,14 @@ logsource:
product: google_workspace
service: google_workspace.admin
detection:
- selection:
+ selection_base:
eventService: admin.googleapis.com
eventName:
- ENFORCE_STRONG_AUTHENTICATION
- ALLOW_STRONG_AUTHENTICATION
- eventValue:
+ selection_eventValue:
new_value: 'false'
- condition: all of them
+ condition: all of selection*
level: medium
tags:
- attack.impact
diff --git a/rules/linux/macos/process_creation/macos_gui_input_capture.yml b/rules/linux/macos/process_creation/macos_gui_input_capture.yml
index 99a94a524..bb18b8a3a 100644
--- a/rules/linux/macos/process_creation/macos_gui_input_capture.yml
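Review bot: The four negated invocations that now point at `rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml` will keep passing for the wrong reason once that deprecated rule is pruned, because `!` accepts any non-zero exit and sigmac would then fail on the missing rule rather than on the bad `-o`, `-c not_existing`, `tests/invalid_yaml.badyml` or `tests/invalid_config.yml` argument each line is meant to exercise. The same fragility applies to the `security/win_susp_failed_logons_single_source.yml` paths here and in the hunk above: any future move of a rule silently changes what the test checks. A copy of each fixture under `tests/` (next to the other `tests/invalid_*` inputs) would pin the intent; with a constructed name, `tests/<fixture-rule>.yml`. The `test-sigmac` recipe starts before this hunk.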
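Review bot: `condition: all of selection*` restricts the rule to detection items whose names start with `selection`, but those items lie outside this hunk, so it cannot be confirmed here that every one of them carries that prefix; an item left under another name is dropped from the condition without any validation error, which loosens the rule rather than breaking it, whereas the old `all of them` covered every item regardless of name. Please check the `detection:` block above this hunk, and the same applies to the `macos_gui_input_capture.yml` hunk at `@@ -31,7 +31,7 @@`, where the selections are likewise out of view. The rules in this commit whose renames are visible (`gworkspace_mfa_disabled.yml`, `win_alert_active_directory_user_control.yml`, `win_invoke_obfuscation_var_services_security.yml`) are consistent with the new condition.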
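Review bot: `selection_eventValue` mixes camel case into a selection name while its sibling is `selection_base` and the other renames in this commit are lowercase (`selection_keywords`, `selection_value`); `selection_event_value:` keeps the naming uniform, and the wildcard condition still matches it. Behaviour is otherwise unchanged in this hunk: both items remain required, so `all of selection*` is equivalent to the old `all of them` here.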
+++ b/rules/linux/macos/process_creation/macos_gui_input_capture.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects attempts to use system dialog prompts to capture user credentials
author: remotephone, oscd.community
date: 2020/10/13
-modified: 2021/11/11
+modified: 2021/12/02
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
- https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
@@ -31,7 +31,7 @@ detection:
- 'pass'
- 'password'
- 'unlock'
- condition: all of them
+ condition: all of selection*
falsepositives:
- Legitimate administration tools and activities
level: low
diff --git a/rules/windows/builtin/win_audit_cve.yml b/rules/windows/builtin/application/win_audit_cve.yml
similarity index 100%
rename from rules/windows/builtin/win_audit_cve.yml
rename to rules/windows/builtin/application/win_audit_cve.yml
diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/application/win_av_relevant_match.yml
similarity index 100%
rename from rules/windows/builtin/win_av_relevant_match.yml
rename to rules/windows/builtin/application/win_av_relevant_match.yml
diff --git a/rules/windows/builtin/win_software_atera_rmm_agent_install.yml b/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml
similarity index 100%
rename from rules/windows/builtin/win_software_atera_rmm_agent_install.yml
rename to rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/application/win_susp_backup_delete.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_backup_delete.yml
rename to rules/windows/builtin/application/win_susp_backup_delete.yml
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/application/win_susp_msmpeng_crash.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_msmpeng_crash.yml
rename to rules/windows/builtin/application/win_susp_msmpeng_crash.yml
diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/application/win_vul_cve_2020_0688.yml
similarity index 100%
rename from rules/windows/builtin/win_vul_cve_2020_0688.yml
rename to rules/windows/builtin/application/win_vul_cve_2020_0688.yml
diff --git a/rules/windows/builtin/win_vul_cve_2021_41379.yml b/rules/windows/builtin/application/win_vul_cve_2021_41379.yml
similarity index 100%
rename from rules/windows/builtin/win_vul_cve_2021_41379.yml
rename to rules/windows/builtin/application/win_vul_cve_2021_41379.yml
diff --git a/rules/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml b/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml
similarity index 100%
rename from rules/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml
rename to rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml
diff --git a/rules/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml b/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml
similarity index 100%
rename from rules/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml
rename to rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml
diff --git a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
similarity index 100%
rename from rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
rename to rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
diff --git a/rules/windows/builtin/win_account_discovery.yml b/rules/windows/builtin/security/win_account_discovery.yml
similarity index 100%
rename from rules/windows/builtin/win_account_discovery.yml
rename to rules/windows/builtin/security/win_account_discovery.yml
diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/security/win_ad_object_writedac_access.yml
similarity index 100%
rename from rules/windows/builtin/win_ad_object_writedac_access.yml
rename to rules/windows/builtin/security/win_ad_object_writedac_access.yml
diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
similarity index 100%
rename from rules/windows/builtin/win_ad_replication_non_machine_account.yml
rename to rules/windows/builtin/security/win_ad_replication_non_machine_account.yml
diff --git a/rules/windows/builtin/win_ad_user_enumeration.yml b/rules/windows/builtin/security/win_ad_user_enumeration.yml
similarity index 100%
rename from rules/windows/builtin/win_ad_user_enumeration.yml
rename to rules/windows/builtin/security/win_ad_user_enumeration.yml
diff --git a/rules/windows/builtin/win_adcs_certificate_template_configuration_vulnerability.yml b/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml
similarity index 100%
rename from rules/windows/builtin/win_adcs_certificate_template_configuration_vulnerability.yml
rename to rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml
diff --git a/rules/windows/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml b/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml
similarity index 100%
rename from rules/windows/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml
rename to rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml
diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/security/win_admin_rdp_login.yml
similarity index 100%
rename from rules/windows/builtin/win_admin_rdp_login.yml
rename to rules/windows/builtin/security/win_admin_rdp_login.yml
diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/security/win_admin_share_access.yml
similarity index 100%
rename from rules/windows/builtin/win_admin_share_access.yml
rename to rules/windows/builtin/security/win_admin_share_access.yml
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/security/win_alert_active_directory_user_control.yml
similarity index 91%
rename from rules/windows/builtin/win_alert_active_directory_user_control.yml
rename to rules/windows/builtin/security/win_alert_active_directory_user_control.yml
index a00a6162b..aa61b3585 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/security/win_alert_active_directory_user_control.yml
@@ -6,18 +6,18 @@ author: '@neu5ron'
references:
- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
date: 2017/07/30
-modified: 2021/11/27
+modified: 2021/12/02
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
- selection:
+ selection_base:
EventID: 4704
- keywords:
+ selection_keywords:
PrivilegeList|contains:
- 'SeEnableDelegationPrivilege'
- condition: all of them
+ condition: all of selection*
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml
similarity index 100%
rename from rules/windows/builtin/win_alert_ad_user_backdoors.yml
rename to rules/windows/builtin/security/win_alert_ad_user_backdoors.yml
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
similarity index 100%
rename from rules/windows/builtin/win_alert_enable_weak_encryption.yml
rename to rules/windows/builtin/security/win_alert_enable_weak_encryption.yml
diff --git a/rules/windows/builtin/win_alert_ruler.yml b/rules/windows/builtin/security/win_alert_ruler.yml
similarity index 100%
rename from rules/windows/builtin/win_alert_ruler.yml
rename to rules/windows/builtin/security/win_alert_ruler.yml
diff --git a/rules/windows/builtin/win_apt_chafer_mar18_security.yml b/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
similarity index 100%
rename from rules/windows/builtin/win_apt_chafer_mar18_security.yml
rename to rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
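Review bot: `selection_keywords` is a misleading name for the renamed item, which is a field match on `PrivilegeList|contains` rather than the unbound free-text list that a `keywords` item conventionally denotes in Sigma rules; a name that says what it matches, `selection_privilege:`, would read better next to `selection_base`. The condition `all of selection*` is unaffected either way, and both items remain required, so the rule's logic is the same as under the old `all of them`.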
diff --git a/rules/windows/builtin/win_apt_slingshot.yml b/rules/windows/builtin/security/win_apt_slingshot.yml
similarity index 100%
rename from rules/windows/builtin/win_apt_slingshot.yml
rename to rules/windows/builtin/security/win_apt_slingshot.yml
diff --git a/rules/windows/builtin/win_apt_wocao.yml b/rules/windows/builtin/security/win_apt_wocao.yml
similarity index 100%
rename from rules/windows/builtin/win_apt_wocao.yml
rename to rules/windows/builtin/security/win_apt_wocao.yml
diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
similarity index 100%
rename from rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
rename to rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
diff --git a/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml
similarity index 100%
rename from rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml
rename to rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/security/win_atsvc_task.yml
similarity index 100%
rename from rules/windows/builtin/win_atsvc_task.yml
rename to rules/windows/builtin/security/win_atsvc_task.yml
diff --git a/rules/windows/builtin/win_camera_microphone_access.yml b/rules/windows/builtin/security/win_camera_microphone_access.yml
similarity index 100%
rename from rules/windows/builtin/win_camera_microphone_access.yml
rename to rules/windows/builtin/security/win_camera_microphone_access.yml
diff --git a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml
similarity index 100%
rename from rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
rename to rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml
diff --git a/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml b/rules/windows/builtin/security/win_dcom_iertutil_dll_hijack.yml
similarity index 100%
rename from rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml
rename to rules/windows/builtin/security/win_dcom_iertutil_dll_hijack.yml
diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/security/win_dcsync.yml
similarity index 100%
rename from rules/windows/builtin/win_dcsync.yml
rename to rules/windows/builtin/security/win_dcsync.yml
diff --git a/rules/windows/other/win_defender_bypass.yml b/rules/windows/builtin/security/win_defender_bypass.yml
similarity index 100%
rename from rules/windows/other/win_defender_bypass.yml
rename to rules/windows/builtin/security/win_defender_bypass.yml
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/security/win_disable_event_logging.yml
similarity index 100%
rename from rules/windows/builtin/win_disable_event_logging.yml
rename to rules/windows/builtin/security/win_disable_event_logging.yml
diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
similarity index 100%
rename from rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
rename to rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
similarity index 100%
rename from rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
rename to rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
diff --git a/rules/windows/builtin/win_etw_modification.yml b/rules/windows/builtin/security/win_etw_modification.yml
similarity index 100%
rename from rules/windows/builtin/win_etw_modification.yml
rename to rules/windows/builtin/security/win_etw_modification.yml
diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/security/win_event_log_cleared.yml
similarity index 100%
rename from rules/windows/builtin/win_event_log_cleared.yml
rename to rules/windows/builtin/security/win_event_log_cleared.yml
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
similarity index 100%
rename from rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
rename to rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
diff --git a/rules/windows/builtin/win_external_device.yml b/rules/windows/builtin/security/win_external_device.yml
similarity index 100%
rename from rules/windows/builtin/win_external_device.yml
rename to rules/windows/builtin/security/win_external_device.yml
diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
similarity index 100%
rename from rules/windows/builtin/win_global_catalog_enumeration.yml
rename to rules/windows/builtin/security/win_global_catalog_enumeration.yml
diff --git a/rules/windows/builtin/win_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
similarity index 100%
rename from rules/windows/builtin/win_gpo_scheduledtasks.yml
rename to rules/windows/builtin/security/win_gpo_scheduledtasks.yml
diff --git a/rules/windows/builtin/win_hidden_user_creation.yml b/rules/windows/builtin/security/win_hidden_user_creation.yml
similarity index 100%
rename from rules/windows/builtin/win_hidden_user_creation.yml
rename to rules/windows/builtin/security/win_hidden_user_creation.yml
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
similarity index 100%
rename from rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
rename to rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
diff --git a/rules/windows/builtin/win_impacket_psexec.yml b/rules/windows/builtin/security/win_impacket_psexec.yml
similarity index 100%
rename from rules/windows/builtin/win_impacket_psexec.yml
rename to rules/windows/builtin/security/win_impacket_psexec.yml
diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/security/win_impacket_secretdump.yml
similarity index 100%
rename from rules/windows/builtin/win_impacket_secretdump.yml
rename to rules/windows/builtin/security/win_impacket_secretdump.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_clip_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml
similarity index 91%
rename from rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml
index 8b6aec83e..45ff52bd1 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml
@@ -7,7 +7,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
status: experimental
author: Jonathan Cheong, oscd.community
date: 2020/10/15
-modified: 2021/09/17
+modified: 2021/12/02
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
tags:
@@ -21,9 +21,9 @@ logsource:
detection:
selection_eventid:
EventID: 4697
- selection:
+ selection_value:
ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
- condition: all of them
+ condition: all of selection*
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_var_services_security.yml
rename to rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml
diff --git a/rules/windows/builtin/win_iso_mount.yml b/rules/windows/builtin/security/win_iso_mount.yml
similarity index 100%
rename from rules/windows/builtin/win_iso_mount.yml
rename to rules/windows/builtin/security/win_iso_mount.yml
diff --git a/rules/windows/other/win_lateral_movement_condrv.yml b/rules/windows/builtin/security/win_lateral_movement_condrv.yml
similarity index 100%
rename from rules/windows/other/win_lateral_movement_condrv.yml
rename to rules/windows/builtin/security/win_lateral_movement_condrv.yml
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/security/win_lm_namedpipe.yml
similarity index 100%
rename from rules/windows/builtin/win_lm_namedpipe.yml
rename to rules/windows/builtin/security/win_lm_namedpipe.yml
diff --git a/rules/windows/builtin/win_lolbas_execution_of_nltest.yml b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
similarity index 100%
rename from rules/windows/builtin/win_lolbas_execution_of_nltest.yml
rename to rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
similarity index 100%
rename from rules/windows/builtin/win_lsass_access_non_system_account.yml
rename to rules/windows/builtin/security/win_lsass_access_non_system_account.yml
diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/security/win_mal_wceaux_dll.yml
similarity index 100%
rename from rules/windows/builtin/win_mal_wceaux_dll.yml
rename to rules/windows/builtin/security/win_mal_wceaux_dll.yml
diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/security/win_metasploit_authentication.yml
similarity index 100%
rename from rules/windows/builtin/win_metasploit_authentication.yml
rename to rules/windows/builtin/security/win_metasploit_authentication.yml
diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
similarity index 100%
rename from rules/windows/builtin/win_net_ntlm_downgrade.yml
rename to rules/windows/builtin/security/win_net_ntlm_downgrade.yml
diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml
similarity index 100%
rename from rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
rename to rules/windows/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml
diff --git a/rules/windows/builtin/win_not_allowed_rdp_access.yml b/rules/windows/builtin/security/win_not_allowed_rdp_access.yml
similarity index 100%
rename from rules/windows/builtin/win_not_allowed_rdp_access.yml
rename to rules/windows/builtin/security/win_not_allowed_rdp_access.yml
diff --git a/rules/windows/builtin/win_overpass_the_hash.yml b/rules/windows/builtin/security/win_overpass_the_hash.yml
similarity index 100%
rename from rules/windows/builtin/win_overpass_the_hash.yml
rename to rules/windows/builtin/security/win_overpass_the_hash.yml
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/security/win_pass_the_hash.yml
similarity index 100%
rename from rules/windows/builtin/win_pass_the_hash.yml
rename to rules/windows/builtin/security/win_pass_the_hash.yml
diff --git a/rules/windows/builtin/win_pass_the_hash_2.yml b/rules/windows/builtin/security/win_pass_the_hash_2.yml
similarity index 100%
rename from rules/windows/builtin/win_pass_the_hash_2.yml
rename to rules/windows/builtin/security/win_pass_the_hash_2.yml
diff --git a/rules/windows/builtin/win_petitpotam_network_share.yml b/rules/windows/builtin/security/win_petitpotam_network_share.yml
similarity index 100%
rename from rules/windows/builtin/win_petitpotam_network_share.yml
rename to rules/windows/builtin/security/win_petitpotam_network_share.yml
diff --git a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml
similarity index 100%
rename from rules/windows/builtin/win_petitpotam_susp_tgt_request.yml
rename to rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml
diff --git a/rules/windows/builtin/win_possible_dc_shadow.yml b/rules/windows/builtin/security/win_possible_dc_shadow.yml
similarity index 100%
rename from rules/windows/builtin/win_possible_dc_shadow.yml
rename to rules/windows/builtin/security/win_possible_dc_shadow.yml
diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
similarity index 100%
rename from rules/windows/builtin/win_privesc_cve_2020_1472.yml
rename to rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
diff --git a/rules/windows/builtin/win_protected_storage_service_access.yml b/rules/windows/builtin/security/win_protected_storage_service_access.yml
similarity index 100%
rename from rules/windows/builtin/win_protected_storage_service_access.yml
rename to rules/windows/builtin/security/win_protected_storage_service_access.yml
diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/security/win_rare_schtasks_creations.yml
similarity index 100%
rename from rules/windows/builtin/win_rare_schtasks_creations.yml
rename to rules/windows/builtin/security/win_rare_schtasks_creations.yml
diff --git a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml
similarity index 100%
rename from rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
rename to rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml
diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/security/win_rdp_localhost_login.yml
similarity index 100%
rename from rules/windows/builtin/win_rdp_localhost_login.yml
rename to rules/windows/builtin/security/win_rdp_localhost_login.yml
diff --git a/rules/windows/builtin/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
similarity index 100%
rename from rules/windows/builtin/win_rdp_reverse_tunnel.yml
rename to rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
similarity index 100%
rename from rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
rename to rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/security/win_remote_powershell_session.yml
similarity index 100%
rename from rules/windows/builtin/win_remote_powershell_session.yml
rename to rules/windows/builtin/security/win_remote_powershell_session.yml
diff --git a/rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml b/rules/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml
similarity index 100%
rename from rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml
rename to rules/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml
diff --git a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/security/win_sam_registry_hive_handle_request.yml
similarity index 100%
rename from rules/windows/builtin/win_sam_registry_hive_handle_request.yml
rename to rules/windows/builtin/security/win_sam_registry_hive_handle_request.yml
diff --git a/rules/windows/builtin/win_scheduled_task_deletion.yml b/rules/windows/builtin/security/win_scheduled_task_deletion.yml
similarity index 100%
rename from rules/windows/builtin/win_scheduled_task_deletion.yml
rename to rules/windows/builtin/security/win_scheduled_task_deletion.yml
diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/security/win_scm_database_handle_failure.yml
similarity index 100%
rename from rules/windows/builtin/win_scm_database_handle_failure.yml
rename to rules/windows/builtin/security/win_scm_database_handle_failure.yml
diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml
similarity index 100%
rename from rules/windows/builtin/win_scm_database_privileged_operation.yml
rename to rules/windows/builtin/security/win_scm_database_privileged_operation.yml
diff --git a/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/windows/builtin/security/win_scrcons_remote_wmi_scripteventconsumer.yml
similarity index 100%
rename from rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml
rename to rules/windows/builtin/security/win_scrcons_remote_wmi_scripteventconsumer.yml
diff --git a/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
similarity index 100%
rename from rules/windows/builtin/win_security_cobaltstrike_service_installs.yml
rename to rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
diff --git a/rules/windows/builtin/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
similarity index 100%
rename from rules/windows/builtin/win_security_mal_creddumper.yml
rename to rules/windows/builtin/security/win_security_mal_creddumper.yml
diff --git a/rules/windows/builtin/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml
similarity index 100%
rename from rules/windows/builtin/win_security_mal_service_installs.yml
rename to rules/windows/builtin/security/win_security_mal_service_installs.yml
diff --git a/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
similarity index 100%
rename from rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
rename to rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
diff --git a/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
similarity index 100%
rename from rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
rename to rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
diff --git a/rules/windows/builtin/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
similarity index 100%
rename from rules/windows/builtin/win_security_powershell_script_installed_as_service.yml
rename to rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
diff --git a/rules/windows/builtin/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml
similarity index 100%
rename from rules/windows/builtin/win_security_tap_driver_installation.yml
rename to rules/windows/builtin/security/win_security_tap_driver_installation.yml
diff --git a/rules/windows/other/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml
similarity index 100%
rename from rules/windows/other/win_security_wmi_persistence.yml
rename to rules/windows/builtin/security/win_security_wmi_persistence.yml
diff --git a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml b/rules/windows/builtin/security/win_smb_file_creation_admin_shares.yml
similarity index 100%
rename from rules/windows/builtin/win_smb_file_creation_admin_shares.yml
rename to rules/windows/builtin/security/win_smb_file_creation_admin_shares.yml
diff --git a/rules/windows/builtin/win_susp_add_domain_trust.yml b/rules/windows/builtin/security/win_susp_add_domain_trust.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_add_domain_trust.yml
rename to rules/windows/builtin/security/win_susp_add_domain_trust.yml
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/security/win_susp_add_sid_history.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_add_sid_history.yml
rename to rules/windows/builtin/security/win_susp_add_sid_history.yml
diff --git a/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
rename to rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml
diff --git a/rules/windows/builtin/win_susp_dsrm_password_change.yml b/rules/windows/builtin/security/win_susp_dsrm_password_change.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_dsrm_password_change.yml
rename to rules/windows/builtin/security/win_susp_dsrm_password_change.yml
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/security/win_susp_eventlog_cleared.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_eventlog_cleared.yml
rename to rules/windows/builtin/security/win_susp_eventlog_cleared.yml
diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/security/win_susp_failed_logon_reasons.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logon_reasons.yml
rename to rules/windows/builtin/security/win_susp_failed_logon_reasons.yml
diff --git a/rules/windows/builtin/win_susp_failed_logon_source.yml b/rules/windows/builtin/security/win_susp_failed_logon_source.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logon_source.yml
rename to rules/windows/builtin/security/win_susp_failed_logon_source.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/security/win_susp_failed_logons_explicit_credentials.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
rename to rules/windows/builtin/security/win_susp_failed_logons_explicit_credentials.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_process.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logons_single_process.yml
rename to rules/windows/builtin/security/win_susp_failed_logons_single_process.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logons_single_source.yml
rename to rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source2.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logons_single_source2.yml
rename to rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
rename to rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
rename to rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
rename to rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
rename to rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
rename to rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml
diff --git a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
rename to rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml
diff --git a/rules/windows/builtin/win_susp_interactive_logons.yml b/rules/windows/builtin/security/win_susp_interactive_logons.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_interactive_logons.yml
rename to rules/windows/builtin/security/win_susp_interactive_logons.yml
diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/security/win_susp_kerberos_manipulation.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_kerberos_manipulation.yml
rename to rules/windows/builtin/security/win_susp_kerberos_manipulation.yml
diff --git a/rules/windows/builtin/win_susp_ldap_dataexchange.yml b/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_ldap_dataexchange.yml
rename to rules/windows/builtin/security/win_susp_ldap_dataexchange.yml
diff --git a/rules/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_local_anon_logon_created.yml
rename to rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/security/win_susp_logon_explicit_credentials.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_logon_explicit_credentials.yml
rename to rules/windows/builtin/security/win_susp_logon_explicit_credentials.yml
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/security/win_susp_lsass_dump.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_lsass_dump.yml
rename to rules/windows/builtin/security/win_susp_lsass_dump.yml
diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_lsass_dump_generic.yml
rename to rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
diff --git a/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/builtin/security/win_susp_multiple_files_renamed_or_deleted.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml
rename to rules/windows/builtin/security/win_susp_multiple_files_renamed_or_deleted.yml
diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/security/win_susp_net_recon_activity.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_net_recon_activity.yml
rename to rules/windows/builtin/security/win_susp_net_recon_activity.yml
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/security/win_susp_psexec.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_psexec.yml
rename to rules/windows/builtin/security/win_susp_psexec.yml
diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
rename to rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_rc4_kerberos.yml
rename to rules/windows/builtin/security/win_susp_rc4_kerberos.yml
diff --git a/rules/windows/builtin/win_susp_rottenpotato.yml b/rules/windows/builtin/security/win_susp_rottenpotato.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_rottenpotato.yml
rename to rules/windows/builtin/security/win_susp_rottenpotato.yml
diff --git a/rules/windows/builtin/win_susp_samr_pwset.yml b/rules/windows/builtin/security/win_susp_samr_pwset.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_samr_pwset.yml
rename to rules/windows/builtin/security/win_susp_samr_pwset.yml
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/security/win_susp_sdelete.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_sdelete.yml
rename to rules/windows/builtin/security/win_susp_sdelete.yml
diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/security/win_susp_time_modification.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_time_modification.yml
rename to rules/windows/builtin/security/win_susp_time_modification.yml
diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/security/win_susp_wmi_login.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_wmi_login.yml
rename to rules/windows/builtin/security/win_susp_wmi_login.yml
diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
similarity index 100%
rename from rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
rename to rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/security/win_svcctl_remote_service.yml
similarity index 100%
rename from rules/windows/builtin/win_svcctl_remote_service.yml
rename to rules/windows/builtin/security/win_svcctl_remote_service.yml
diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/security/win_syskey_registry_access.yml
similarity index 100%
rename from rules/windows/builtin/win_syskey_registry_access.yml
rename to rules/windows/builtin/security/win_syskey_registry_access.yml
diff --git a/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
similarity index 100%
rename from rules/windows/builtin/win_sysmon_channel_reference_deletion.yml
rename to rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
diff --git a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
similarity index 100%
rename from rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
rename to rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
diff --git a/rules/windows/builtin/win_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_user_added_to_local_administrators.yml
similarity index 100%
rename from rules/windows/builtin/win_user_added_to_local_administrators.yml
rename to rules/windows/builtin/security/win_user_added_to_local_administrators.yml
diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
similarity index 100%
rename from rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
rename to rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
diff --git a/rules/windows/builtin/win_user_creation.yml b/rules/windows/builtin/security/win_user_creation.yml
similarity index 100%
rename from rules/windows/builtin/win_user_creation.yml
rename to rules/windows/builtin/security/win_user_creation.yml
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/security/win_user_driver_loaded.yml
similarity index 100%
rename from rules/windows/builtin/win_user_driver_loaded.yml
rename to rules/windows/builtin/security/win_user_driver_loaded.yml
diff --git a/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml b/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml
similarity index 100%
rename from rules/windows/builtin/win_vssaudit_secevent_source_registration.yml
rename to rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml
diff --git a/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml
similarity index 100%
rename from rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml
rename to rules/windows/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml
diff --git a/rules/windows/builtin/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
similarity index 100%
rename from rules/windows/builtin/win_apt_carbonpaper_turla.yml
rename to rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
diff --git a/rules/windows/builtin/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
similarity index 100%
rename from rules/windows/builtin/win_apt_chafer_mar18_system.yml
rename to rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/system/win_apt_stonedrill.yml
similarity index 100%
rename from rules/windows/builtin/win_apt_stonedrill.yml
rename to rules/windows/builtin/system/win_apt_stonedrill.yml
diff --git a/rules/windows/builtin/win_apt_turla_service_png.yml b/rules/windows/builtin/system/win_apt_turla_service_png.yml
similarity index 100%
rename from rules/windows/builtin/win_apt_turla_service_png.yml
rename to rules/windows/builtin/system/win_apt_turla_service_png.yml
diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
similarity index 100%
rename from rules/windows/builtin/win_cobaltstrike_service_installs.yml
rename to rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/system/win_hack_smbexec.yml
similarity index 100%
rename from rules/windows/builtin/win_hack_smbexec.yml
rename to rules/windows/builtin/system/win_hack_smbexec.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_clip_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_var_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml
similarity index 100%
rename from rules/windows/builtin/win_invoke_obfuscation_via_var_services.yml
rename to rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml
diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/system/win_mal_creddumper.yml
similarity index 100%
rename from rules/windows/builtin/win_mal_creddumper.yml
rename to rules/windows/builtin/system/win_mal_creddumper.yml
diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
similarity index 100%
rename from rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
rename to rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/system/win_moriya_rootkit.yml
similarity index 100%
rename from rules/windows/builtin/win_moriya_rootkit.yml
rename to rules/windows/builtin/system/win_moriya_rootkit.yml
diff --git a/rules/windows/builtin/win_ntfs_vuln_exploit.yml b/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml
similarity index 100%
rename from rules/windows/builtin/win_ntfs_vuln_exploit.yml
rename to rules/windows/builtin/system/win_ntfs_vuln_exploit.yml
diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/builtin/system/win_pcap_drivers.yml
similarity index 100%
rename from rules/windows/other/win_pcap_drivers.yml
rename to rules/windows/builtin/system/win_pcap_drivers.yml
diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml
similarity index 100%
rename from rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
rename to rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml
diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml
similarity index 100%
rename from rules/windows/builtin/win_powershell_script_installed_as_service.yml
rename to rules/windows/builtin/system/win_powershell_script_installed_as_service.yml
diff --git a/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
similarity index 100%
rename from rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml
rename to rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/system/win_rare_service_installs.yml
similarity index 100%
rename from rules/windows/builtin/win_rare_service_installs.yml
rename to rules/windows/builtin/system/win_rare_service_installs.yml
diff --git a/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml b/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml
similarity index 100%
rename from rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml
rename to rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml
diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/system/win_susp_dhcp_config.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_dhcp_config.yml
rename to rules/windows/builtin/system/win_susp_dhcp_config.yml
diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_dhcp_config_failed.yml
rename to rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/system/win_susp_proceshacker.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_proceshacker.yml
rename to rules/windows/builtin/system/win_susp_proceshacker.yml
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/system/win_susp_sam_dump.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_sam_dump.yml
rename to rules/windows/builtin/system/win_susp_sam_dump.yml
diff --git a/rules/windows/other/win_system_defender_disabled.yml b/rules/windows/builtin/system/win_system_defender_disabled.yml
similarity index 100%
rename from rules/windows/other/win_system_defender_disabled.yml
rename to rules/windows/builtin/system/win_system_defender_disabled.yml
diff --git a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
similarity index 100%
rename from rules/windows/builtin/win_system_susp_eventlog_cleared.yml
rename to rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/system/win_tap_driver_installation.yml
similarity index 100%
rename from rules/windows/builtin/win_tap_driver_installation.yml
rename to rules/windows/builtin/system/win_tap_driver_installation.yml
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/builtin/system/win_tool_psexec.yml
similarity index 100%
rename from rules/windows/other/win_tool_psexec.yml
rename to rules/windows/builtin/system/win_tool_psexec.yml
diff --git a/rules/windows/builtin/win_volume_shadow_copy_mount.yml b/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml
similarity index 100%
rename from rules/windows/builtin/win_volume_shadow_copy_mount.yml
rename to rules/windows/builtin/system/win_volume_shadow_copy_mount.yml
diff --git a/rules/windows/builtin/win_vul_cve_2020_1472.yml b/rules/windows/builtin/system/win_vul_cve_2020_1472.yml similarity index 100% rename from rules/windows/builtin/win_vul_cve_2020_1472.yml rename to rules/windows/builtin/system/win_vul_cve_2020_1472.yml diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml index d40dacc50..90cf7c75d 100644 --- a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml +++ b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml @@ -8,21 +8,22 @@ tags: - attack.t1086 #an old one author: Florian Roth (rule) date: 2017/03/12 +modified: 2021/12/02 logsource: product: windows service: powershell detection: - encoded: + selection_encoded: - ' -enc ' - ' -EncodedCommand ' - hidden: + selection_hidden: - ' -w hidden ' - ' -window hidden ' - ' -windowstyle hidden ' - noninteractive: + selection_noninteractive: - ' -noni ' - ' -noninteractive ' - condition: all of them + condition: all of selection* falsepositives: - Penetration tests - Very special / sneaky PowerShell scripts diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index 30ac5364c..68b638a4c 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -3,7 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution. status: experimental date: 2020/06/24 -modified: 2021/11/27 +modified: 2021/12/03 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution 
@@ -28,7 +28,10 @@ detection: - WsmSvc.dll - WSMANAUTOMATION.DLL - Microsoft.WSMan.Management.dll - filter: + respond_server: + Image|endswith: '\svchost.exe' + OriginalFileName: 'WsmWmiPl.dll' + filter_general: Image|endswith: - '\powershell.exe' - 'C:\Windows\System32\sdiagnhost.exe' @@ -36,10 +39,10 @@ detection: CommandLine|contains: - 'svchost.exe -k netsvcs -p -s BITS' - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc' - respond_server: - Image|endswith: '\svchost.exe' - OriginalFileName: 'WsmWmiPl.dll' - condition: ( request_client or respond_server ) and not filter and not filter_svchost + filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe + Image|startswith: C:\Windows\Microsoft.NET\Framework64\ + Image|endswith: \mscorsvw.exe + condition: ( request_client or respond_server ) and not 1 of filter* falsepositives: - Unknown level: medium diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml index ff948cfcf..af89c15f0 100644 --- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml @@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 -modified: 2021/11/25 +modified: 2021/12/03 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access 
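Review bot: The new `filter_mscorsvw` exclusion is keyed on `Image|startswith: C:\Windows\Microsoft.NET\Framework64\`, so the 32-bit worker under `C:\Windows\Microsoft.NET\Framework\` would still alert; if only the 64-bit path is meant, the inline comment should say so, otherwise a two-entry list is the usual form. The `startswith`/`endswith` pair is also broader than the single exact path the comment quotes, so the comment would be more honest as `# versioned dir, e.g. Framework64\v4.0.30319\mscorsvw.exe`. The condition now relies on `1 of filter*` also picking up the svchost filter whose selection header (presumably `filter_svchost`) lies outside the hunk.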
@@ -32,7 +32,8 @@ detection: - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe' - 'C:\Program Files (x86)\' - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' - - Image|endswith: '\opera_autoupdate.exe' + - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe' + - Image|endswith: '\opera_autoupdate.exe' condition: selection and not filter falsepositives: - other legitimate processes loading those DLLs in your environment. diff --git a/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml similarity index 100% rename from rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml rename to rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml diff --git a/rules/windows/builtin/win_apt_gallium.yml b/rules/windows/other/dns_server/win_apt_gallium.yml similarity index 100% rename from rules/windows/builtin/win_apt_gallium.yml rename to rules/windows/other/dns_server/win_apt_gallium.yml diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/other/dns_server/win_susp_dns_config.yml similarity index 100% rename from rules/windows/builtin/win_susp_dns_config.yml rename to rules/windows/other/dns_server/win_susp_dns_config.yml diff --git a/rules/windows/builtin/win_usb_device_plugged.yml b/rules/windows/other/driverframeworks/win_usb_device_plugged.yml similarity index 100% rename from rules/windows/builtin/win_usb_device_plugged.yml rename to rules/windows/other/driverframeworks/win_usb_device_plugged.yml diff --git a/rules/windows/other/win_ldap_recon.yml b/rules/windows/other/ldap/win_ldap_recon.yml similarity index 100% rename from rules/windows/other/win_ldap_recon.yml rename to rules/windows/other/ldap/win_ldap_recon.yml 
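Review bot: The added `'C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'` exclusion sits under a per-user writable profile directory, so it is a weaker exclusion than the `Program Files` and `ImmersiveControlPanel` entries around it; a short comment on that line, e.g. `# per-user install path, weaker than the system-path exclusions above`, would help the next person tuning this filter. Which field operator this list belongs to is not visible in the hunk, so the `\\*` escaping can only be checked against the full rule.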
diff --git a/rules/windows/other/win_exchange_cve_2021_42321.yml b/rules/windows/other/msexchange/win_exchange_cve_2021_42321.yml
similarity index 100%
rename from rules/windows/other/win_exchange_cve_2021_42321.yml
rename to rules/windows/other/msexchange/win_exchange_cve_2021_42321.yml
diff --git a/rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
similarity index 100%
rename from rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml
rename to rules/windows/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
diff --git a/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/other/msexchange/win_exchange_proxyshell_certificate_generation.yml
similarity index 100%
rename from rules/windows/other/win_exchange_proxyshell_certificate_generation.yml
rename to rules/windows/other/msexchange/win_exchange_proxyshell_certificate_generation.yml
diff --git a/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/other/msexchange/win_exchange_proxyshell_mailbox_export.yml
similarity index 100%
rename from rules/windows/other/win_exchange_proxyshell_mailbox_export.yml
rename to rules/windows/other/msexchange/win_exchange_proxyshell_mailbox_export.yml
diff --git a/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/other/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
similarity index 100%
rename from rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml
rename to rules/windows/other/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
diff --git a/rules/windows/builtin/win_exchange_transportagent.yml b/rules/windows/other/msexchange/win_exchange_transportagent.yml
similarity index 100%
rename from rules/windows/builtin/win_exchange_transportagent.yml
rename to rules/windows/other/msexchange/win_exchange_transportagent.yml
diff --git a/rules/windows/other/win_exchange_transportagent_failed.yml b/rules/windows/other/msexchange/win_exchange_transportagent_failed.yml
similarity index 100%
rename from rules/windows/other/win_exchange_transportagent_failed.yml
rename to rules/windows/other/msexchange/win_exchange_transportagent_failed.yml
diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/other/msexchange/win_set_oabvirtualdirectory_externalurl.yml
similarity index 100%
rename from rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
rename to rules/windows/other/msexchange/win_set_oabvirtualdirectory_externalurl.yml
diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/other/ntlm/win_susp_ntlm_auth.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_ntlm_auth.yml
rename to rules/windows/other/ntlm/win_susp_ntlm_auth.yml
diff --git a/rules/windows/builtin/win_susp_ntlm_rdp.yml b/rules/windows/other/ntlm/win_susp_ntlm_rdp.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_ntlm_rdp.yml
rename to rules/windows/other/ntlm/win_susp_ntlm_rdp.yml
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler.yml
similarity index 100%
rename from rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
rename to rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler.yml
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
similarity index 100%
rename from rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
rename to rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/other/servicebus/win_hybridconnectionmgr_svc_running.yml
similarity index 100%
rename from rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
rename to rules/windows/other/servicebus/win_hybridconnectionmgr_svc_running.yml
diff --git a/rules/windows/builtin/win_susp_failed_guest_logon.yml b/rules/windows/other/smbclient/win_susp_failed_guest_logon.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_guest_logon.yml
rename to rules/windows/other/smbclient/win_susp_failed_guest_logon.yml
diff --git a/rules/windows/other/win_rare_schtask_creation.yml b/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
similarity index 100%
rename from rules/windows/other/win_rare_schtask_creation.yml
rename to rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/other/windefend/win_alert_lsass_access.yml
similarity index 100%
rename from rules/windows/builtin/win_alert_lsass_access.yml
rename to rules/windows/other/windefend/win_alert_lsass_access.yml
diff --git a/rules/windows/other/win_defender_amsi_trigger.yml b/rules/windows/other/windefend/win_defender_amsi_trigger.yml
similarity index 100%
rename from rules/windows/other/win_defender_amsi_trigger.yml
rename to rules/windows/other/windefend/win_defender_amsi_trigger.yml
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/windefend/win_defender_disabled.yml
similarity index 100%
rename from rules/windows/other/win_defender_disabled.yml
rename to rules/windows/other/windefend/win_defender_disabled.yml
diff --git a/rules/windows/other/win_defender_exclusions.yml b/rules/windows/other/windefend/win_defender_exclusions.yml
similarity index 100%
rename from rules/windows/other/win_defender_exclusions.yml
rename to rules/windows/other/windefend/win_defender_exclusions.yml
diff --git a/rules/windows/other/win_defender_history_delete.yml b/rules/windows/other/windefend/win_defender_history_delete.yml
similarity index 100%
rename from rules/windows/other/win_defender_history_delete.yml
rename to rules/windows/other/windefend/win_defender_history_delete.yml
diff --git a/rules/windows/other/win_defender_psexec_wmi_asr.yml b/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
similarity index 100%
rename from rules/windows/other/win_defender_psexec_wmi_asr.yml
rename to rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
diff --git a/rules/windows/other/win_defender_tamper_protection_trigger.yml b/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
similarity index 100%
rename from rules/windows/other/win_defender_tamper_protection_trigger.yml
rename to rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
diff --git a/rules/windows/other/win_defender_threat.yml b/rules/windows/other/windefend/win_defender_threat.yml
similarity index 100%
rename from rules/windows/other/win_defender_threat.yml
rename to rules/windows/other/windefend/win_defender_threat.yml
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/wmi/win_wmi_persistence.yml
similarity index 100%
rename from rules/windows/other/win_wmi_persistence.yml
rename to rules/windows/other/wmi/win_wmi_persistence.yml
diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index aff2804f7..7bfba45ee 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html date: 2019/09/12 -modified: 2021/11/27 +modified: 2021/12/03 logsource: product: windows category: pipe_created @@ -17,6 +17,7 @@ detection: Image|endswith: - '\powershell.exe' - '\powershell_ise.exe' + - '\WINDOWS\System32\sdiagnhost.exe' filter2: Image: condition: selection and not filter1 and not filter2 diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml index 93e5ecb54..3281bd461 100644 --- a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml +++ b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml @@ -11,25 +11,25 @@ tags: - attack.t1086 #an old one author: Florian Roth (rule) date: 2017/03/12 -modified: 2021/10/18 +modified: 2021/12/02 logsource: product: windows category: ps_module detection: - encoded: + selection_encoded: ContextInfo|contains: - ' -enc ' - ' -EncodedCommand ' - hidden: + selection_hidden: ContextInfo|contains: - ' -w hidden ' - ' -window hidden ' - ' -windowstyle hidden ' - noninteractive: + selection_noninteractive: ContextInfo|contains: - ' -noni ' - ' -noninteractive ' - condition: all of them + condition: all of selection* falsepositives: - Penetration tests - Very special / sneaky PowerShell scripts diff --git a/rules/windows/powershell/powershell_script/powershell_automated_collection.yml b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml index a56e163cb..e0a718d54 100644 --- a/rules/windows/powershell/powershell_script/powershell_automated_collection.yml +++ b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml 
@@ -3,7 +3,7 @@ id: c1dda054-d638-4c16-afc8-53e007f3fbc5 status: experimental author: frack113 date: 2021/07/28 -modified: 2021/10/16 +modified: 2021/12/02 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md @@ -31,7 +31,7 @@ detection: - 'Get-ChildItem' - ' -Recurse ' - ' -Include ' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml index 42e307279..331b1d12e 100644 --- a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml @@ -3,7 +3,7 @@ id: d93129cd-1ee0-479f-bc03-ca6f129882e3 status: experimental author: frack113 date: 2021/08/03 -modified: 2021/10/16 +modified: 2021/12/02 description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md @@ -22,7 +22,7 @@ detection: ScriptBlockText|contains: - MSAcpi_ThermalZoneTemperature - Win32_ComputerSystem - condition: all of them + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml index f298d3d4d..7ba724b77 100644 --- a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml 
+++ b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml @@ -14,20 +14,20 @@ tags: - attack.t1086 # an old one author: Sami Ruohonen date: 2018/07/24 -modified: 2021/10/16 +modified: 2021/12/02 logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: - content: + selection_content: ScriptBlockText|contains: - "set-content" - "add-content" - stream: + selection_stream: ScriptBlockText|contains: - "-stream" - condition: all of them + condition: all of selection* falsepositives: - unknown level: high diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml index 94529b393..2c106649e 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml @@ -11,25 +11,25 @@ tags: - attack.t1086 #an old one author: Florian Roth (rule) date: 2017/03/12 -modified: 2021/10/18 +modified: 2021/12/02 logsource: product: windows category: ps_script detection: - encoded: + selection_encoded: ScriptBlockText|contains: - ' -enc ' - ' -EncodedCommand ' - hidden: + selection_hidden: ScriptBlockText|contains: - ' -w hidden ' - ' -window hidden ' - ' -windowstyle hidden ' - noninteractive: + selection_noninteractive: ScriptBlockText|contains: - ' -noni ' - ' -noninteractive ' - condition: all of them + condition: all of selection* falsepositives: - Penetration tests - Very special / sneaky PowerShell scripts diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml index d7468b444..f22cc23ac 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml 
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml @@ -3,7 +3,7 @@ id: a9723fcc-881c-424c-8709-fd61442ab3c3 status: experimental author: frack113 date: 2021/07/30 -modified: 2021/10/16 +modified: 2021/12/02 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md @@ -22,7 +22,7 @@ detection: - 'Get-Process ' selection_redirect: ScriptBlockText|contains: '> $env:TEMP\' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/win_root_certificate_installed.yml similarity index 85% rename from rules/windows/builtin/win_root_certificate_installed.yml rename to rules/windows/powershell/powershell_script/win_root_certificate_installed.yml index 5c2557e04..1dfe52048 100644 --- a/rules/windows/builtin/win_root_certificate_installed.yml +++ b/rules/windows/powershell/powershell_script/win_root_certificate_installed.yml @@ -6,21 +6,20 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md author: 'oscd.community, @redcanary, Zach Stanford @svch0st' date: 2020/10/10 -modified: 2021/09/21 +modified: 2021/12/04 tags: - attack.defense_evasion - attack.t1553.004 logsource: product: windows - service: powershell + category: ps_script + definition: Script block logging must be enabled detection: selection1: - EventID: 4104 ScriptBlockText|contains|all: - 'Move-Item' - 'Cert:\LocalMachine\Root' selection2: - EventID: 4104 ScriptBlockText|contains|all: - 'Import-Certificate' - 'Cert:\LocalMachine\Root' diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml index ebac98349..527565c18 100755 
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml @@ -88,6 +88,9 @@ detection: GrantedAccess: - '0x1410' - '0x410' + filter_edge: # version in path 96.0.1054.43 + SourceImage|startswith: C:\Program Files (x86)\Microsoft\Edge\Application\ + SourceImage|endswith: \Installer\setup.exe # Old - too broad filter # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts # - '\wmiprvse.exe' diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml index a6cbf5ca6..ffcf71b56 100644 --- a/rules/windows/process_access/win_susp_proc_access_lsass.yml +++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags author: Florian Roth date: 2021/11/22 -modified: 2021/11/30 +modified: 2021/12/03 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -59,6 +59,7 @@ detection: - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe' - 'C:\WINDOWS\system32\taskhostw.exe' - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe' + - 'C:\Program Files\Windows Defender\MsMpEng.exe' # Windows Defender filter2: SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' diff --git a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml index 2e18a0f15..51f19e6c2 100644 --- a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml +++ b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml 
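Review bot: `filter_edge` is added to the detection block of `sysmon_cred_dump_lsass_access.yml`, but the `condition` that must reference it (by name or via `1 of filter*`) lies outside the hunk, so whether the new exclusion is actually applied cannot be confirmed from this diff. The `# version in path 96.0.1054.43` remark explains why a `startswith`/`endswith` pair is used instead of a full path; it would read better as the reason rather than a sample value, e.g. `filter_edge: # versioned directory sits between Application\ and \Installer\setup.exe`.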
@@ -3,6 +3,7 @@ id: 2f47f1fd-0901-466e-a770-3b7092834a1b status: experimental author: frack113 date: 2021/08/16 +modified: 2021/12/02 description: Detects a command used by conti to dump database references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 #the leak info not the files itself @@ -26,7 +27,7 @@ detection: - 'sys.sysprocesses' - 'master.dbo.sysdatabases' - 'BACKUP DATABASE' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/process_creation_susp_7z.yml b/rules/windows/process_creation/process_creation_susp_7z.yml index 8a852dc02..db3093432 100644 --- a/rules/windows/process_creation/process_creation_susp_7z.yml +++ b/rules/windows/process_creation/process_creation_susp_7z.yml @@ -3,6 +3,7 @@ id: 9fbf5927-5261-4284-a71d-f681029ea574 status: experimental author: frack113 date: 2021/07/27 +modified: 2021/12/02 description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md @@ -23,7 +24,7 @@ detection: CommandLine|contains: - ' a ' - ' u ' - condition: all of them + condition: all of selection* falsepositives: - Command line parameter combinations that contain all included strings level: medium diff --git a/rules/windows/process_creation/process_creation_susp_winzip.yml b/rules/windows/process_creation/process_creation_susp_winzip.yml index 2e668c63e..28b69faf7 100644 --- a/rules/windows/process_creation/process_creation_susp_winzip.yml +++ b/rules/windows/process_creation/process_creation_susp_winzip.yml 
@@ -3,6 +3,7 @@ id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d status: experimental author: frack113 date: 2021/07/27 +modified: 2021/12/02 description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md @@ -24,7 +25,7 @@ detection: CommandLine|contains: - ' -min ' - ' -a ' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml index 52ffcbc05..6879195ee 100644 --- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml @@ -9,20 +9,20 @@ tags: status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2021/05/21 +modified: 2021/12/02 logsource: category: process_creation product: windows detection: - Powershell_selection: + selection_powershell: - CommandLine|contains: - 'powershell' - 'pwsh' - Description: 'Windows Powershell' - Product: 'PowerShell Core 6' - Length_selection: + selection_length: CommandLine|re: '.{1000,}' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/sysmon_susp_service_modification.yml b/rules/windows/process_creation/sysmon_susp_service_modification.yml index 7d54f7690..dbc592b76 100644 --- a/rules/windows/process_creation/sysmon_susp_service_modification.yml +++ b/rules/windows/process_creation/sysmon_susp_service_modification.yml 
@@ -3,6 +3,7 @@ id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b status: experimental author: frack113 date: 2021/07/07 +modified: 2021/12/02 description: Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md @@ -23,7 +24,7 @@ detection: - ' Trend Micro Deep Security Manager' - ' TMBMServer' # Feel free to add more service name - condition: all of them + condition: all of selection* fields: - ComputerName - User diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml index 9c07e2c02..4d3de67a2 100644 --- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml @@ -3,6 +3,7 @@ id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d description: Detects a command used by conti to access volume shadow backups author: Max Altgelt, Tobias Michalski date: 2021/08/09 +modified: 2021/12/02 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 @@ -19,7 +20,7 @@ detection: - '\\SYSTEM' - '\\SECURITY' - 'C:\\tmp\\log' - condition: all of them + condition: all of selection* falsepositives: - Some rare backup scenarios level: medium diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/process_creation/win_mmc20_lateral_movement.yml similarity index 100% rename from rules/windows/builtin/win_mmc20_lateral_movement.yml rename to rules/windows/process_creation/win_mmc20_lateral_movement.yml diff --git a/rules/windows/builtin/win_net_use_admin_share.yml b/rules/windows/process_creation/win_net_use_admin_share.yml similarity index 100% rename from rules/windows/builtin/win_net_use_admin_share.yml rename to rules/windows/process_creation/win_net_use_admin_share.yml 
diff --git a/rules/windows/process_creation/win_susp_disable_eventlog.yml b/rules/windows/process_creation/win_susp_disable_eventlog.yml index edbdd25fb..664d3d691 100644 --- a/rules/windows/process_creation/win_susp_disable_eventlog.yml +++ b/rules/windows/process_creation/win_susp_disable_eventlog.yml @@ -11,7 +11,7 @@ tags: - attack.t1070.001 author: Florian Roth date: 2021/02/11 -modified: 2021/06/21 +modified: 2021/12/02 logsource: category: process_creation product: windows @@ -26,7 +26,7 @@ detection: selection_service: CommandLine|contains: - EventLog-System - condition: all of them + condition: all of selection* falsepositives: - Legitimate deactivation by administrative staff - Installer tools that disable services, e.g. before log collection agent installation diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/process_creation/win_susp_mshta_execution.yml similarity index 100% rename from rules/windows/builtin/win_susp_mshta_execution.yml rename to rules/windows/process_creation/win_susp_mshta_execution.yml diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index 020307ac0..f42ec99fc 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -6,7 +6,7 @@ author: Teymur Kheirkhabarov, Harish Segar (rule) references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26 date: 2020/03/20 -modified: 2021/11/27 +modified: 2021/12/02 logsource: category: process_creation product: windows @@ -50,7 +50,7 @@ detection: - "pwsh" - Description: "Windows PowerShell" - Product: "PowerShell Core 6" - condition: all of them + condition: all of selection* falsepositives: - Other scripts level: high 
diff --git a/rules/windows/process_creation/win_susp_powershell_sam_access.yml b/rules/windows/process_creation/win_susp_powershell_sam_access.yml index 2b0b1ccd7..830281b0b 100644 --- a/rules/windows/process_creation/win_susp_powershell_sam_access.yml +++ b/rules/windows/process_creation/win_susp_powershell_sam_access.yml @@ -6,6 +6,7 @@ references: - https://twitter.com/splinter_code/status/1420546784250769408 author: Florian Roth date: 2021/07/29 +modified: 2021/12/02 tags: - attack.credential_access - attack.t1003.002 @@ -24,7 +25,7 @@ detection: - 'cpi $_.' - 'copy $_.' - '.File]::Copy(' - condition: all of them + condition: all of selection* falsepositives: - Some rare backup scenarios - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml index 12f3a7989..af0cdb025 100644 --- a/rules/windows/process_creation/win_susp_svchost.yml +++ b/rules/windows/process_creation/win_susp_svchost.yml @@ -8,7 +8,7 @@ tags: - attack.t1036 # an old one author: Florian Roth date: 2017/08/15 -modified: 2021/11/26 +modified: 2021/12/03 logsource: category: process_creation product: windows @@ -23,6 +23,7 @@ detection: - '\rpcnet.exe' - '\svchost.exe' - '\ngen.exe' + - '\TiWorker.exe' filter_null: ParentImage: null condition: selection and not filter and not filter_null diff --git a/tests/test_rules.py b/tests/test_rules.py index bae8bd869..be340f84d 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -184,6 +184,19 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_detections, [], Fore.RED + "There are rules using '1/all of them' style conditions but only have one condition") + def test_all_of_them_condition(self): + faulty_detections = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + yaml = self.get_rule_yaml(file_path = file) + detection = self.get_rule_part(file_path = file, part_name = "detection") + + if "all of them" in detection["condition"]: + faulty_detections.append(file) + + self.assertEqual(faulty_detections, [], Fore.RED + + "There are rules using 'all of them'. Better use e.g. 'all of selection*' instead (and use the 'selection_' prefix as search-identifier).") + def test_duplicate_detections(self): def compare_detections(detection1:dict, detection2:dict) -> bool: diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index 6635c076c..583e4421c 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -13,6 +13,10 @@ logsources: product_name: - 'apache*' - 'httpd*' + webserver: + category: webserver + conditions: + vendor_type: 'Webserver' cisco: product: cisco conditions: @@ -444,3 +448,5 @@ fieldmappings: event_type_id: vendor_id eventtype: vendor_type destination.port: ip_dport + user: correlation_username + Provider_Name: channel diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index e0d846645..0afa8fae3 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -52,7 +52,7 @@ class HAWKBackend(SingleTextQueryBackend): def cleanKey(self, key): if key == None: return "" - return self.sigmaparser.config.get_fieldmapping(key).resolve_fieldname(key, self.sigmaparser) + return self.snake_case( self.sigmaparser.config.get_fieldmapping(key).resolve_fieldname(key, self.sigmaparser) ) def cleanValue(self, value): """Remove quotes in text""" 
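Review bot: In `test_all_of_them_condition` the local `yaml = self.get_rule_yaml(file_path = file)` is never used (and shadows the `yaml` module if the test file imports it), so each rule is parsed twice for nothing; drop that line. `detection["condition"]` can also be a list in Sigma rules, in which case `"all of them" in detection["condition"]` becomes a list-membership test and silently misses the phrase; normalise first, e.g. `conds = detection["condition"] if isinstance(detection["condition"], list) else [detection["condition"]]` and `if any("all of them" in c for c in conds):`. The sibling test above the hunk presumably has the same shape; the enclosing `TestRules` class continues outside the hunk.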
@@ -100,12 +100,21 @@ class HAWKBackend(SingleTextQueryBackend): value = value[:-2] value = re.escape(value) value = value.replace("EEEESTAREEE", ".*") + endsWith = False + startsWith = False if value[0:2] == ".*": value = value[2:] + endsWith = True if value[-2:] == ".*": value = value[:-2] - nodeRet['args']['str']['value'] = value - # return json.dumps(nodeRet) + startsWith = True + + if endsWith and not startsWith: + nodeRet['args']['str']['value'] = value + "$" + elif startsWith and not endsWith: + nodeRet['args']['str']['value'] = "^" + value + else: + nodeRet['args']['str']['value'] = value return nodeRet elif type(node) == list: return self.generateListNode(node, notNode) @@ -183,17 +192,28 @@ class HAWKBackend(SingleTextQueryBackend): value = value.replace("*", "EEEESTAREEE") value = re.escape(value) value = value.replace("EEEESTAREEE", ".*") + endsWith = False + startsWith = False if value[0:2] == ".*": value = value[2:] + endsWith = True if value[-2:] == ".*": value = value[:-2] + startsWith = True if notNode: nodeRet["args"]["comparison"]["value"] = "!=" else: nodeRet['args']['comparison']['value'] = "=" if value[-2:] == "\\\\": value = value[:-2] - nodeRet['args']['str']['value'] = value + + if endsWith and not startsWith: + nodeRet['args']['str']['value'] = value + "$" + elif startsWith and not endsWith: + nodeRet['args']['str']['value'] = "^" + value + else: + nodeRet['args']['str']['value'] = value + nodeRet['args']['str']['regex'] = "true" # return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True)) #return json.dumps(nodeRet) 
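Review bot: The `else` branch of the new anchoring block (both hunks here and the two that follow at `@@ -268` and `@@ -299`) emits a value with no wildcard on either side unanchored, while the second hunk also sets `nodeRet['args']['str']['regex'] = "true"`; if HAWK evaluates that as a regex search rather than a full match, an exact Sigma value will match as a substring. Unless the backend is known to anchor implicitly, that branch should distinguish the two cases it currently merges, e.g. `nodeRet['args']['str']['value'] = value if (startsWith and endsWith) else "^" + value + "$"`. The same `endsWith`/`startsWith` block is pasted four times in this file; a small helper returning the anchored string would remove the copy-paste drift that already appears in the `@@ -299` hunk.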
@@ -268,14 +288,25 @@ class HAWKBackend(SingleTextQueryBackend):
 item = item.replace("*", "EEEESTAREEE")
 item = re.escape(item)
 item = item.replace("EEEESTAREEE", ".*")
+ endsWith = False
+ startsWith = False
 if item[:2] == ".*":
 item = item[2:]
+ endsWith = True
 if item[-2:] == ".*":
 item = item[:-2]
+ startsWith = True
 if item[-2:] == "\\\\":
 item = item[:-2]
- nodeRet['args']['str']['value'] = item
+
+ if endsWith and not startsWith:
+ nodeRet['args']['str']['value'] = item + "$"
+ elif startsWith and not endsWith:
+ nodeRet['args']['str']['value'] = "^" + item
+ else:
+ nodeRet['args']['str']['value'] = item
 nodeRet['args']['str']['regex'] = "true"
+
 if notNode:
 nodeRet["args"]["comparison"]["value"] = "!="
 else:
@@ -299,13 +330,25 @@ class HAWKBackend(SingleTextQueryBackend):
 value = value.replace("*", "EEEESTAREEE")
 value = re.escape(self.generateValueNode(value, True))
 value = value.replace("EEEESTAREEE", ".*")
+ endsWith = False
+ startsWith = False
 if value[:2] == ".*":
 value = value[2:]
+ endsWith = True
 if value[-2:] == ".*":
 value = value[:-2]
+ startsWith = True
 # print(value)
 if value[-2:] == "\\\\":
 value = value[:-2]
+
+ if endsWith and not startsWith:
+ nodeRet['args']['str']['value'] = value + "$"
+ elif startsWith and not endsWith:
+ nodeRet['args']['str']['value'] = "^" + value
+ else:
+ nodeRet['args']['str']['value'] = value
+
 nodeRet['args']['str']['value'] = value
 nodeRet['args']['str']['regex'] = "true"
 if notNode:
@@ -613,7 +656,6 @@ class HAWKBackend(SingleTextQueryBackend):
 except Exception as e:
 print("Failed to parse json: %s" % analytic_txt)
 raise Exception("Failed to parse json: %s" % analytic_txt)
- # "rules","filter_name","actions_category_name","correlation_action","date_added","scores/53c9a74abfc386415a8b463e","enabled","public","group_name","score_id"
 cmt = "Sigma Rule: %s\n" % sigmaparser.parsedyaml['id']
 cmt += "Author: %s\n" % sigmaparser.parsedyaml['author']
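Review bot: In the `@@ -299` hunk the anchored assignment is overwritten straight away: the unchanged context line `nodeRet['args']['str']['value'] = value` still follows the new if/elif/else, so the `$` or `^` chosen two lines earlier never reaches the emitted rule and this site behaves exactly as it did before the change. The `@@ -268` hunk handles the same spot correctly by removing the old assignment (`- nodeRet['args']['str']['value'] = item`); do the same here and delete the leftover line. A test that converts a rule with a `*foo` value through this path and asserts the emitted `value` ends in `$` would pin the fix. The enclosing method starts and ends outside the hunk.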
@@ -667,6 +709,19 @@ class HAWKBackend(SingleTextQueryBackend):
 elif self.sigmaparser.parsedyaml['level'].lower() == 'medium':
 record['correlation_action'] += 5.0;
 elif self.sigmaparser.parsedyaml['level'].lower() == 'low':
- record['correlation_action'] += 2.0;
+ record['correlation_action'] -= 5.0;
+ elif self.sigmaparser.parsedyaml['level'].lower() == 'informational':
+ record['correlation_action'] -= 15.0;
 return json.dumps(record)
+
+ def snake_case(self, str):
+ res = [str[0].lower()]
+ for c in str[1:]:
+ if c in ('ABCDEFGHIJKLMNOPQRSTUVWXYZ'):
+ res.append('_')
+ res.append(c.lower())
+ else:
+ res.append(c)
+
+ return ''.join(res)
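Review bot: `snake_case` raises `IndexError` on an empty string (`str[0]`), and `cleanKey` in the `@@ -52` hunk now routes every resolved field name through it, so a field mapping that resolves to an empty name would abort the conversion instead of producing `""` as the `key == None` guard intends; the parameter also shadows the builtin `str`, and `c in ('ABCDEFGHIJKLMNOPQRSTUVWXYZ')` is a substring test on a string, not a tuple lookup (`c.isupper()` says what is meant). A guarded version reads more clearly and keeps the current behaviour: `def snake_case(self, name):` / `if not name: return ""` / `return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()` — `re` is already used in this file. Be aware that runs of capitals split letter by letter, so a field such as `EventID` (constructed example) becomes `event_i_d`; confirm that against the field names HAWK actually expects before widening the mapping, since `(?<=[a-z0-9])(?=[A-Z])` would yield `event_id` instead. `snake_case` is complete within the hunk; the scoring method above it starts outside the hunk.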
