diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 2d1f625b3..88c6d0502 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -24,7 +24,7 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install pipenv + pip install pipenv==2021.5.29 pipenv lock pipenv install --dev --deploy - name: Test Sigma Tools and Rules diff --git a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml similarity index 85% rename from rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml rename to rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml index f6406ce9e..ac0f39659 100644 --- a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml +++ b/rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: file_event detection: #useful_information: Please add more file extensions and magic bytes to the logic of your choice. @@ -26,20 +26,20 @@ detection: - 'outlook.exe' selection2: FileName|endswith: - - ".exe" - - ".dll" - - ".ocx" - - ".com" - - ".ps1" - - ".vbs" - - ".sys" - - ".bat" - - ".scr" - - ".proj" + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" selection3: FileMagicBytes|startswith: - - "4D5A" + - "4D5A" condition: selection1 and (selection2 or selection3) falsepositives: -- Unknown + - Unknown level: high 
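Review bot: Pinning `pipenv==2021.5.29` does not make the install reproducible on its own, because the next two lines of the same step still run `pipenv lock` and then `pipenv install --dev --deploy`: `--deploy` only verifies that Pipfile.lock agrees with Pipfile, and a lockfile regenerated a moment earlier always agrees, so every CI run still resolves fresh dependency versions. If `Pipfile.lock` is committed, drop the `pipenv lock` line so `--deploy` installs the reviewed versions; if it is intentionally not committed, the pin deserves a comment saying why this exact release is required, e.g. `pip install pipenv==2021.5.29  # pinned: <reason this release is required>` (placeholder reason). The whole `Install dependencies` step is visible in the hunk, so nothing else in it constrains the resolved versions.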
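Review bot: The rule moved to rules-unsupported keeps `FileName|endswith:` in selection2 while the sibling file_event rule in this same commit (rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml) is corrected to `TargetFilename|endswith:`; if the reason for the move is that `FileName` and `FileMagicBytes` are not fields of the file_event log source, a comment next to the existing `#useful_information:` line saying so would stop the next maintainer from moving the file back unchanged. The selection1 entries such as `'outlook.exe'` (field name outside the hunk, presumably an `endswith` on the image) lack a leading backslash, so any image whose name merely ends in that string also matches; `'\outlook.exe'` would be consistent with the other rules touched here. The start of the detection block is outside the hunk.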
diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules-unsupported/sysmon_non_priv_program_files_move.yml similarity index 100% rename from rules/windows/file_event/sysmon_non_priv_program_files_move.yml rename to rules-unsupported/sysmon_non_priv_program_files_move.yml diff --git a/rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml b/rules-unsupported/win_suspicious_werfault_connection_outbound.yml similarity index 100% rename from rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml rename to rules-unsupported/win_suspicious_werfault_connection_outbound.yml diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index c24d42b67..e9c4857d9 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml index 7b3a72716..1b75ffd8e 100644 --- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 9aa5ab394..34557397e 100644 
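Review bot: The logsource rewrite stops at `service:` → `product: m365` and leaves `category: ThreatManagement` in CamelCase, while the rest of this commit lowercases logsource values (`Windows` → `windows`, `Microsoft-ServiceBus-Client` → `microsoft-servicebus-client`); this applies to every m365 hunk that follows on this page. microsoft365_from_suspicious_ip_addresses.yml additionally carries `category: ThreatDetection` where all its siblings use `ThreatManagement`, which looks like a typo that will split these rules across two backend mappings; that one should at least be brought in line with its siblings in the same pass, and if the category values are meant to be lowercase like the products, all of them should change together. None of the m365 hunks shows a `modified:` bump, unlike the other rules in this commit; the rule headers are outside the hunks, so it may simply not be shown.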
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 831a15ed6..b224f6014 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 9be142d81..bf3b9d459 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatDetection - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml index 68146567b..8531eaef5 100644 --- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml +++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml 
@@ -10,7 +10,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Office365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index b71a4344b..e9a282bd0 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml index b5571ef94..936b3c708 100644 --- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml +++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 513e4f1b0..61f478323 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter 
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 6dbc4be42..df7d6e742 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml index 53bbf8ff2..84e368e0f 100644 --- a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml +++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml index b969efece..c0c02669d 100644 --- a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml +++ b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter 
diff --git a/rules/linux/lnx_apt_equationgroup_lnx.yml b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
similarity index 100%
rename from rules/linux/lnx_apt_equationgroup_lnx.yml
rename to rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/builtin/lnx_buffer_overflows.yml
similarity index 100%
rename from rules/linux/lnx_buffer_overflows.yml
rename to rules/linux/builtin/lnx_buffer_overflows.yml
diff --git a/rules/linux/lnx_clear_syslog.yml b/rules/linux/builtin/lnx_clear_syslog.yml
similarity index 100%
rename from rules/linux/lnx_clear_syslog.yml
rename to rules/linux/builtin/lnx_clear_syslog.yml
diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/builtin/lnx_file_copy.yml
similarity index 100%
rename from rules/linux/lnx_file_copy.yml
rename to rules/linux/builtin/lnx_file_copy.yml
diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml
similarity index 100%
rename from rules/linux/lnx_ldso_preload_injection.yml
rename to rules/linux/builtin/lnx_ldso_preload_injection.yml
diff --git a/rules/linux/lnx_proxy_connection.yml b/rules/linux/builtin/lnx_proxy_connection.yml
similarity index 100%
rename from rules/linux/lnx_proxy_connection.yml
rename to rules/linux/builtin/lnx_proxy_connection.yml
diff --git a/rules/linux/lnx_setgid_setuid.yml b/rules/linux/builtin/lnx_setgid_setuid.yml
similarity index 100%
rename from rules/linux/lnx_setgid_setuid.yml
rename to rules/linux/builtin/lnx_setgid_setuid.yml
diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
similarity index 100%
rename from rules/linux/lnx_shell_clear_cmd_history.yml
rename to rules/linux/builtin/lnx_shell_clear_cmd_history.yml
diff --git a/rules/linux/lnx_shell_priv_esc_prep.yml b/rules/linux/builtin/lnx_shell_priv_esc_prep.yml
similarity index 100%
rename from rules/linux/lnx_shell_priv_esc_prep.yml
rename to rules/linux/builtin/lnx_shell_priv_esc_prep.yml
diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml
similarity index 100%
rename from rules/linux/lnx_shell_susp_commands.yml
rename to rules/linux/builtin/lnx_shell_susp_commands.yml
diff --git a/rules/linux/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
similarity index 100%
rename from rules/linux/lnx_shell_susp_log_entries.yml
rename to rules/linux/builtin/lnx_shell_susp_log_entries.yml
diff --git a/rules/linux/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
similarity index 100%
rename from rules/linux/lnx_shell_susp_rev_shells.yml
rename to rules/linux/builtin/lnx_shell_susp_rev_shells.yml
diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/builtin/lnx_shellshock.yml
similarity index 100%
rename from rules/linux/lnx_shellshock.yml
rename to rules/linux/builtin/lnx_shellshock.yml
diff --git a/rules/linux/lnx_space_after_filename_.yml b/rules/linux/builtin/lnx_space_after_filename_.yml
similarity index 100%
rename from rules/linux/lnx_space_after_filename_.yml
rename to rules/linux/builtin/lnx_space_after_filename_.yml
diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
similarity index 100%
rename from rules/linux/lnx_sudo_cve_2019_14287.yml
rename to rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
diff --git a/rules/linux/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
similarity index 100%
rename from rules/linux/lnx_sudo_cve_2019_14287_user.yml
rename to rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
diff --git a/rules/linux/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml
similarity index 100%
rename from rules/linux/lnx_susp_jexboss.yml
rename to rules/linux/builtin/lnx_susp_jexboss.yml
diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/builtin/lnx_symlink_etc_passwd.yml
similarity index 100%
rename from rules/linux/lnx_symlink_etc_passwd.yml
rename to rules/linux/builtin/lnx_symlink_etc_passwd.yml
diff --git a/rules/linux/macos_applescript.yml b/rules/linux/macos/macos_applescript.yml
similarity index 100%
rename from rules/linux/macos_applescript.yml
rename to rules/linux/macos/macos_applescript.yml
diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos/macos_base64_decode.yml
similarity index 100%
rename from rules/linux/macos_base64_decode.yml
rename to rules/linux/macos/macos_base64_decode.yml
diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos/macos_binary_padding.yml
similarity index 100%
rename from rules/linux/macos_binary_padding.yml
rename to rules/linux/macos/macos_binary_padding.yml
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos/macos_change_file_time_attr.yml
similarity index 100%
rename from rules/linux/macos_change_file_time_attr.yml
rename to rules/linux/macos/macos_change_file_time_attr.yml
diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos/macos_clear_system_logs.yml
similarity index 100%
rename from rules/linux/macos_clear_system_logs.yml
rename to rules/linux/macos/macos_clear_system_logs.yml
diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos/macos_create_account.yml
similarity index 100%
rename from rules/linux/macos_create_account.yml
rename to rules/linux/macos/macos_create_account.yml
diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos/macos_create_hidden_account.yml
similarity index 100%
rename from rules/linux/macos_create_hidden_account.yml
rename to rules/linux/macos/macos_create_hidden_account.yml
diff --git a/rules/linux/macos_creds_from_keychain.yml b/rules/linux/macos/macos_creds_from_keychain.yml
similarity index 100%
rename from rules/linux/macos_creds_from_keychain.yml
rename to rules/linux/macos/macos_creds_from_keychain.yml
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos/macos_disable_security_tools.yml
similarity index 100%
rename from rules/linux/macos_disable_security_tools.yml
rename to rules/linux/macos/macos_disable_security_tools.yml
diff --git a/rules/linux/macos_emond_launch_daemon.yml b/rules/linux/macos/macos_emond_launch_daemon.yml
similarity index 100%
rename from rules/linux/macos_emond_launch_daemon.yml
rename to rules/linux/macos/macos_emond_launch_daemon.yml
diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos/macos_file_and_directory_discovery.yml
similarity index 100%
rename from rules/linux/macos_file_and_directory_discovery.yml
rename to rules/linux/macos/macos_file_and_directory_discovery.yml
diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos/macos_find_cred_in_files.yml
similarity index 100%
rename from rules/linux/macos_find_cred_in_files.yml
rename to rules/linux/macos/macos_find_cred_in_files.yml
diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos/macos_gui_input_capture.yml
similarity index 100%
rename from rules/linux/macos_gui_input_capture.yml
rename to rules/linux/macos/macos_gui_input_capture.yml
diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos/macos_local_account.yml
similarity index 100%
rename from rules/linux/macos_local_account.yml
rename to rules/linux/macos/macos_local_account.yml
diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos/macos_local_groups.yml
similarity index 100%
rename from rules/linux/macos_local_groups.yml
rename to rules/linux/macos/macos_local_groups.yml
diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos/macos_network_service_scanning.yml
similarity index 100%
rename from rules/linux/macos_network_service_scanning.yml
rename to rules/linux/macos/macos_network_service_scanning.yml
diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos/macos_network_sniffing.yml
similarity index 100%
rename from rules/linux/macos_network_sniffing.yml
rename to rules/linux/macos/macos_network_sniffing.yml
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos/macos_remote_system_discovery.yml
similarity index 100%
rename from rules/linux/macos_remote_system_discovery.yml
rename to rules/linux/macos/macos_remote_system_discovery.yml
diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos/macos_schedule_task_job_cron.yml
similarity index 100%
rename from rules/linux/macos_schedule_task_job_cron.yml
rename to rules/linux/macos/macos_schedule_task_job_cron.yml
diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos/macos_screencapture.yml
similarity index 100%
rename from rules/linux/macos_screencapture.yml
rename to rules/linux/macos/macos_screencapture.yml
diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos/macos_security_software_discovery.yml
similarity index 100%
rename from rules/linux/macos_security_software_discovery.yml
rename to rules/linux/macos/macos_security_software_discovery.yml
diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos/macos_split_file_into_pieces.yml
similarity index 100%
rename from rules/linux/macos_split_file_into_pieces.yml
rename to rules/linux/macos/macos_split_file_into_pieces.yml
diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos/macos_startup_items.yml
similarity index 100%
rename from rules/linux/macos_startup_items.yml
rename to rules/linux/macos/macos_startup_items.yml
diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos/macos_susp_histfile_operations.yml
similarity index 100%
rename from rules/linux/macos_susp_histfile_operations.yml
rename to rules/linux/macos/macos_susp_histfile_operations.yml
diff --git a/rules/linux/macos_suspicious_macos_firmware_activity.yml b/rules/linux/macos/macos_suspicious_macos_firmware_activity.yml
similarity index 100%
rename from rules/linux/macos_suspicious_macos_firmware_activity.yml
rename to rules/linux/macos/macos_suspicious_macos_firmware_activity.yml
diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos/macos_system_network_connections_discovery.yml
similarity index 100%
rename from rules/linux/macos_system_network_connections_discovery.yml
rename to rules/linux/macos/macos_system_network_connections_discovery.yml
diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos/macos_system_network_discovery.yml
similarity index 100%
rename from rules/linux/macos_system_network_discovery.yml
rename to rules/linux/macos/macos_system_network_discovery.yml
diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos/macos_system_shutdown_reboot.yml
similarity index 100%
rename from rules/linux/macos_system_shutdown_reboot.yml
rename to rules/linux/macos/macos_system_shutdown_reboot.yml
diff --git a/rules/linux/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos/macos_xattr_gatekeeper_bypass.yml
similarity index 100%
rename from rules/linux/macos_xattr_gatekeeper_bypass.yml
rename to rules/linux/macos/macos_xattr_gatekeeper_bypass.yml
diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/other/lnx_clamav.yml
similarity index 100%
rename from rules/linux/lnx_clamav.yml
rename to rules/linux/other/lnx_clamav.yml
diff --git a/rules/linux/lnx_security_tools_disabling_syslog.yml b/rules/linux/other/lnx_security_tools_disabling_syslog.yml
similarity index 100%
rename from rules/linux/lnx_security_tools_disabling_syslog.yml
rename to rules/linux/other/lnx_security_tools_disabling_syslog.yml
diff --git a/rules/linux/lnx_ssh_cve_2018_15473.yml b/rules/linux/other/lnx_ssh_cve_2018_15473.yml
similarity index 100%
rename from rules/linux/lnx_ssh_cve_2018_15473.yml
rename to rules/linux/other/lnx_ssh_cve_2018_15473.yml
diff --git a/rules/linux/lnx_susp_failed_logons_single_source.yml b/rules/linux/other/lnx_susp_failed_logons_single_source.yml
similarity index 100%
rename from rules/linux/lnx_susp_failed_logons_single_source.yml
rename to rules/linux/other/lnx_susp_failed_logons_single_source.yml
diff --git a/rules/linux/lnx_susp_guacamole.yml b/rules/linux/other/lnx_susp_guacamole.yml
similarity index 100%
rename from rules/linux/lnx_susp_guacamole.yml
rename to rules/linux/other/lnx_susp_guacamole.yml
diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/other/lnx_susp_named.yml
similarity index 100%
rename from rules/linux/lnx_susp_named.yml
rename to rules/linux/other/lnx_susp_named.yml
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/other/lnx_susp_ssh.yml
similarity index 100%
rename from rules/linux/lnx_susp_ssh.yml
rename to rules/linux/other/lnx_susp_ssh.yml
diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/other/lnx_susp_vsftp.yml
similarity index 100%
rename from rules/linux/lnx_susp_vsftp.yml
rename to rules/linux/other/lnx_susp_vsftp.yml
diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index 3775bc795..05716fee9 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -11,11 +11,13 @@ references: logsource: category: dns detection: - selection: + selection1: query|startswith: - 'aaa.stage.' - 'post.1' - condition: selection + selection2: + query|contains: '.stage.123456.' + condition: 1 of them falsepositives: - Unknown level: critical diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml index 419c0f120..75b258d15 100644 --- a/rules/proxy/proxy_cobalt_malformed_uas.yml +++ b/rules/proxy/proxy_cobalt_malformed_uas.yml @@ -4,17 +4,20 @@ status: experimental description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike author: Florian Roth date: 2021/05/06 +modified: 2021/11/02 references: - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ logsource: category: proxy detection: - selection: + selection1: c-useragent: - - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)" - - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )" - - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" - condition: selection + - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)" + - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )" + - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" + selection2: + c-useragent|endswith: '; MANM; MANM)' + condition: 1 of them falsepositives: - Unknown level: critical diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml index f2fb29d7d..de445a56a 100644 --- a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml +++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml 
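Review bot: The net_mal_dns_cobaltstrike.yml hunk adds `selection2` and switches the condition to `1 of them`, but, unlike the proxy_cobalt_malformed_uas.yml hunk on the same page that adds `modified: 2021/11/02`, it records no `modified:` date for a change that widens the detection; add `modified: <date>` (placeholder) to the rule header, which sits outside the hunk. The new `query|contains: '.stage.123456.'` value carries no comment saying which of the rule's references documents that label, whereas a reviewer can at least check `'aaa.stage.'` and `'post.1'` against the existing entries; a one-line comment naming the source next to the new line would let it be re-verified later. The same two selections and condition are repeated verbatim in the new rules/windows/dns_query/dns_net_mal_cobaltstrike.yml further down this page, so the two rules should reference each other with `related:` entries to keep them from drifting apart.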
@@ -10,7 +10,7 @@ references: - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 logsource: product: windows - service: Microsoft-ServiceBus-Client + service: microsoft-servicebus-client detection: selection: EventID: diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml index 043bcf55b..0f746e487 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml @@ -3,7 +3,9 @@ id: fd0f5778-d3cb-4c9a-9695-66759d04702a related: - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 type: derived -description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" +description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references" +references: + - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml index b2379beb5..c5b66905d 100644 --- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml +++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml 
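Review bot: The added reference line in win_invoke_obfuscation_obfuscated_iex_services_security.yml ends with a stray double quote, `- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"`, left over from the quoted description it was cut out of; YAML accepts a `"` inside a plain scalar, so the rule validates but the URL it carries is broken. Change the line to `  - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888`. The hunk shows no `modified:` bump for this change; the rule header continues outside it.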
@@ -4,8 +4,9 @@ description: This method uses uncommon error codes on failed logons to determine restricted. author: Florian Roth date: 2017/02/19 -modified: 2020/08/23 +modified: 2021/10/29 references: + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - https://twitter.com/SBousseaden/status/1101431884540710913 tags: - attack.persistence @@ -28,7 +29,9 @@ detection: - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine - condition: selection + filter: + SubjectUserSid: 'S-1-0-0' + condition: selection and not filter falsepositives: - User using a disabled account level: high diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml index 2856705cd..4b6ab1faf 100644 --- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml @@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2021/04/19 +modified: 2021/11/09 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment 
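Review bot: The new `filter: SubjectUserSid: 'S-1-0-0'` in win_susp_failed_logon_reasons.yml removes every 4625 whose Subject is the NULL SID, and for network logon failures the Subject is commonly the NULL SID because no logged-on account requested the logon, so the rule is likely to fall silent on exactly the remote attempts against disabled, expired or logon-right-restricted accounts that its status-code list targets; the commit does not say which noisy event the filter is meant to suppress. If a specific source is the problem, scope the filter with a second field (for example the logon type or the reporting process) and say why on the filter line, e.g. `filter:  # <which benign event this suppresses>` (placeholder); if excluding network logons is intended, the description and the `falsepositives:` section should state the reduced coverage. The `selection:` status-code list starts outside the hunk.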
@@ -53,6 +53,9 @@ detection: - '\minionhost.exe' # Cyberreason - '\VsTskMgr.exe' # McAfee Enterprise - '\thor64.exe' # THOR + - '\MicrosoftEdgeUpdate.exe' + - '\GamingServices.exe' + - '\svchost.exe' ProcessName|startswith: - C:\Windows\System32\ - C:\Windows\SysWow64\ diff --git a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml new file mode 100644 index 000000000..42fc9bc23 --- /dev/null +++ b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml @@ -0,0 +1,30 @@ +title: Suspicious Cobalt Strike DNS Beaconing +id: f356a9c4-effd-4608-bbf8-408afd5cd006 +status: experimental +description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons +author: Florian Roth +date: 2021/11/09 +references: + - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns + - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ +tags: + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 +logsource: + product: windows + category: dns_query +detection: + selection1: + QueryName|startswith: + - 'aaa.stage.' + - 'post.1' + selection2: + QueryName|contains: '.stage.123456.' + condition: 1 of them +fields: + - Image + - CommandLine +falsepositives: + - Unknown +level: critical diff --git a/rules/network/net_susp_ipify.yml b/rules/windows/dns_query/dns_net_susp_ipify.yml similarity index 100% rename from rules/network/net_susp_ipify.yml rename to rules/windows/dns_query/dns_net_susp_ipify.yml diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml index 76fb665b7..3803a7313 100644 --- a/rules/windows/driver_load/driver_load_mal_creddumper.yml +++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml 
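Review bot: Adding `'\svchost.exe'` to the exclusion list of win_susp_lsass_dump_generic.yml opens a broad gap: the list appears to be a suffix match (its field name is outside the hunk) combined with `ProcessName|startswith:` `C:\Windows\System32\` / `C:\Windows\SysWow64\`, so any process whose path starts with one of those prefixes, subdirectories included, and ends in `\svchost.exe` is dropped from an LSASS-access detection. Prefer a single full-path entry on the path field for the legitimate binary rather than a suffix, and record why each of `\MicrosoftEdgeUpdate.exe`, `\GamingServices.exe` and `\svchost.exe` was added, in the same inline-comment form the existing lines use (`# McAfee Enterprise`, `# THOR`). The hunk shows neither a `falsepositives:` entry nor a `level:` change for these new sources; both sit outside it.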
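Review bot: The new dns_net_mal_cobaltstrike.yml repeats the selections and condition of rules/network/net_mal_dns_cobaltstrike.yml on this page, field name aside, but has no `related:` block, so the next pattern added to one rule will be missed in the other; add `related:` with `- id: <id of the network rule>` (placeholder) and `type: derived`, the form the other rules in this commit use. The tag line `- attack.t1071 # an old one` says in its own comment that it is stale; either drop it or state why the technique is kept alongside its sub-technique `attack.t1071.004`. This rule uses `status: experimental` while the other rule added in this commit, file_event_mimikatz_kirbi_file_creation.yml, uses `status: test`; newly added rules should share one status.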
@@ -6,7 +6,7 @@ related: description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2021/10/14 +modified: 2021/11/10 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -26,7 +26,7 @@ logsource: category: driver_load detection: selection: - ImagePath|contains: + ImageLoaded|contains: - 'fgexec' - 'dumpsvc' - 'cachedump' diff --git a/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml b/rules/windows/edr/edr_command_execution_by_office_applications.yml similarity index 89% rename from rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml rename to rules/windows/edr/edr_command_execution_by_office_applications.yml index 19133d219..d8496c10d 100644 --- a/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml +++ b/rules/windows/edr/edr_command_execution_by_office_applications.yml @@ -1,4 +1,4 @@ -title: WMI Command Execution by Office Applications +title: EDR WMI Command Execution by Office Applications id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815 description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 references: @@ -13,9 +13,10 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: - product: EndPoint Detection Logs - category: process_creation + product: windows + category: edr detection: #useful_information: Add more office applications to the rule logic of choice selection1: diff --git a/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml new file mode 100644 index 000000000..4aadcd2fc --- /dev/null 
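Review bot: The field rename to `ImageLoaded|contains:` in driver_load_mal_creddumper.yml fits `category: driver_load`, but the hunk's own context still reads `description: Detects well-known credential dumping tools execution via service execution events`, which describes a service-installation rule rather than a driver load; change it to something like `description: Detects the loading of drivers belonging to well-known credential dumping tools` so the description and the log source agree. The `related:` block just above the description (partly outside the hunk) is where the service-based sibling this was split from belongs, if it is not already listed. The edr_command_execution_by_office_applications.yml hunk on the same page introduces `category: edr`, which I cannot match to a log-source category in the Sigma taxonomy as I know it; if it is meant as a new category it needs a taxonomy entry and backend field mapping, otherwise the rule will not convert anywhere.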
+++ b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml @@ -0,0 +1,21 @@ +title: Mimikatz Kirbi File Creation +id: 9e099d99-44c2-42b6-a6d8-54c3545cab29 +status: test +description: Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz +author: Florian Roth +references: + - https://cobalt.io/blog/kerberoast-attack-techniques +date: 2021/11/08 +tags: + - attack.credential_access + - attack.t1558 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|endswith: '.kirbi' + condition: selection +falsepositives: + - Unlikely +level: critical diff --git a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml index e5da93512..6c4745fe3 100644 --- a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml +++ b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml 
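Review bot: file_event_mimikatz_kirbi_file_creation.yml is the only rule in this commit with `status: test`, and that status next to `level: critical` and `falsepositives: Unlikely` reads as contradictory for a rule that has not been exercised; `status: experimental`, as used by the other new rule here (dns_net_mal_cobaltstrike.yml), or a sentence in the description saying how it was tested would resolve it. The single reference is about Kerberoasting in general rather than the `.kirbi` ticket-file extension the detection keys on; a reference that documents the extension would support the `TargetFilename|endswith: '.kirbi'` match better. The key order (`references:` before `date:`) also differs from every other rule on this page, where `date:` follows `author:`.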
@@ -13,29 +13,30 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/10 logsource: - product: Windows - category: file_event + product: windows + category: file_event detection: - #useful_information: Please add more file extensions to the logic of your choice. - selection1: - Image|endswith: - - 'winword.exe' - - 'excel.exe' - - 'powerpnt.exe' - selection2: - TargetFileName|endswith: - - ".exe" - - ".dll" - - ".ocx" - - ".com" - - ".ps1" - - ".vbs" - - ".sys" - - ".bat" - - ".scr" - - ".proj" - condition: selection1 and selection2 + #useful_information: Please add more file extensions to the logic of your choice. + selection1: + Image|endswith: + - 'winword.exe' + - 'excel.exe' + - 'powerpnt.exe' + selection2: + TargetFilename|endswith: + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" + condition: selection1 and selection2 falsepositives: -- Unknown + - Unknown level: high diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml index ab68f0b04..4dad7b038 100644 --- a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\msbuild.exe' + Image|endswith: '\msbuild.exe' filter: DestinationPort: - '80' diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml index e12fde626..9867e2b1d 100755 --- a/rules/windows/network_connection/sysmon_susp_rdp.yml +++ b/rules/windows/network_connection/sysmon_susp_rdp.yml 
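Review bot: The `Image|endswith` values `'winword.exe'`, `'excel.exe'`, `'powerpnt.exe'` carry no leading backslash, so any image whose name merely ends in one of those strings matches; anchoring them as `'\winword.exe'` etc. keeps the match to the actual executables (the `'\msbuild.exe'` form used in silenttrinity_stager_msbuild_activity.yml in this same commit is the pattern to follow). The same unanchored office names appear in the office_applications_spawning_wmi_commandline, office_from_proxy_executing_regsvr32_payload/payload2 and office_spawning_wmi_commandline hunks. Separately, the change from `TargetFileName` to `TargetFilename` is the substantive fix in this hunk and deserves a mention in the commit message, since field casing decides whether backend fieldmappings apply; the rule also mixes single- and double-quoted scalars within one detection block.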
@@ -38,9 +38,11 @@ detection: - '\FSAssessment.exe' - '\MobaRTE.exe' - '\chrome.exe' + - '\System32\dns.exe' - '\thor.exe' - '\thor64.exe' condition: selection and not filter falsepositives: - Other Remote Desktop RDP tools + - domain controller using dns.exe level: high diff --git a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml similarity index 100% rename from rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml rename to rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml diff --git a/rules/windows/other/win_ldap_recon.yml b/rules/windows/other/win_ldap_recon.yml index ee8ff3db5..e0a9559dd 100644 --- a/rules/windows/other/win_ldap_recon.yml +++ b/rules/windows/other/win_ldap_recon.yml @@ -9,8 +9,8 @@ references: - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs logsource: - category: ldap_query product: windows + service: ldap_debug definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging' detection: generic_search: diff --git a/rules/windows/other/win_system_defender_disabled.yml b/rules/windows/other/win_system_defender_disabled.yml index 15114f1dc..1d4838ea0 100644 --- a/rules/windows/other/win_system_defender_disabled.yml +++ b/rules/windows/other/win_system_defender_disabled.yml @@ -5,7 +5,7 @@ related: type: derived description: Detects disabling Windows Defender threat protection date: 2020/07/28 -modified: 2021/09/21 +modified: 2021/11/09 author: Ján Trenčanský, frack113 references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus @@ -17,7 +17,7 @@ tags: - attack.t1562.001 logsource: product: windows - category: system + service: system detection: selection3: EventID: 7036 
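Review bot: The new filter entry `'\System32\dns.exe'` is a suffix match, so it excludes every image whose path ends in `\System32\dns.exe`, not only the DNS Server service binary; a full-path value such as `'C:\Windows\System32\dns.exe'` keeps the exclusion as narrow as the stated false positive ("domain controller using dns.exe"). The `'\svchost.exe'` entry added to sysmon_raw_disk_access_using_illegitimate_tools.yml has the same shape and would benefit from the same full path. The filter's field name and the start of its list are outside the hunk.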
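Review bot: The logsource changes to `service: ldap_debug`, but the hawk.yml hunk in this same commit adds a `windows-ldap-query` logsource keyed on `category: ldap_query`, the identifier this rule just dropped, so that config entry will never match this rule. If `ldap_debug` is the intended identifier, the `definition:` line already names the ETW channel, and the config entry can be rewritten as `service: ldap_debug` with the same `channel:` condition.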
diff --git a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml index f1bc4e86d..04b903fe0 100644 --- a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml +++ b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml @@ -3,7 +3,7 @@ id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3 description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens. status: experimental date: 2021/10/08 -modified: 2021/10/08 +modified: 2021/11/07 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml @@ -14,7 +14,7 @@ tags: - attack.t1005 logsource: product: windows - service: pipe_connected + category: pipe_created detection: selection: PipeName: '\MICROSOFT##WID\tsql\query' @@ -30,4 +30,4 @@ detection: condition: selection and not filter falsepositives: - Processes in the filter condition -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml index 4f887b912..54af48794 100644 --- a/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml +++ b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. 
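Review bot: `category: pipe_created` covers both Sysmon pipe events — the hawk.yml hunk in this commit maps it to `vendor_id` 17 and 18 — while the description talks about connections to the WID pipe, which is the event 18 case. Unless the part of `selection` outside the hunk pins `EventID: 18`, the rule presumably also fires when the WID service itself creates `\MICROSOFT##WID\tsql\query`, which is routine on every AD FS host. Adding `EventID: 18` to `selection`, or stating in `definition:` that pipe creation is intentionally included, would make the intent explicit.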
diff --git a/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml index 9dab9d437..9a2bd4996 100644 --- a/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. diff --git a/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml index a8e8f5824..700d264f4 100644 --- a/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml +++ b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml @@ -13,6 +13,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/10 logsource: product: windows category: process_creation @@ -24,11 +25,11 @@ detection: - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: - ParentPrcessName|endswith: + ParentImage|endswith: - winword.exe - excel.exe - powerpnt.exe condition: selection1 and selection2 falsepositives: -- Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml index 1ae6fc02a..a901d3fd7 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml 
@@ -13,14 +13,15 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - ParentCommandLine|contains: 'wmic ' - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: @@ -32,11 +33,11 @@ detection: - 'verclsid' selection3: ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe + - winword.exe + - excel.exe + - powerpnt.exe selection4: - processCommandLine|contains|all: + ParentCommandLine|contains|all: - 'process' - 'create' - 'call' diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml index 36b6d571e..8989e0e30 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml @@ -13,13 +13,14 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - ProcessCommandLine: + ParentCommandLine: - '*regsvr32*' - '*rundll32*' - '*msiexec*' 
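Review bot: In `selection1` the replacement `ParentCommandLine|contains: 'wmic '` sits in an OR list with `Image|endswith: '\wbem\WMIC.exe'`, so one branch describes the process being wmic and the other describes its parent being wmic; if `condition` (outside the hunk) ANDs this with `selection3` (`ParentImage|endswith: winword.exe`) and `selection4` (`ParentCommandLine|contains|all: process/create/call`) from the second hunk, the `ParentCommandLine` branches can never be true on the same event, because the parent there is the office application. The old `ProcessCommandLine` is not a Sigma process_creation field, but it named the created process's own command line, so the rename should be to `CommandLine|contains: 'wmic '` and `CommandLine|contains|all:`, as win_susp_wuauclt.yml in this same commit does. The same correction applies to both hunks of process_creation_office_from_proxy_executing_regsvr32_payload2.yml and to process_creation_office_spawning_wmi_commandline.yml.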
@@ -27,14 +28,14 @@ detection: - '*verclsid*' selection2: - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - ParentCommandLine|contains: 'wmic ' selection3: ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe + - winword.exe + - excel.exe + - powerpnt.exe selection4: - processCommandLine|contains|all: + ParentCommandLine|contains|all: - 'process' - 'create' - 'call' diff --git a/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml index 2fceff749..edbae2013 100644 --- a/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml +++ b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml @@ -13,19 +13,20 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: product: windows category: process_creation detection: #useful_information: Add more office applications to the rule logic of choice selection1: - - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - Image|endswith: '\wbem\WMIC.exe' + - ParentCommandLine|contains: 'wmic ' selection2: - ParentImage: - - winword.exe - - excel.exe - - powerpnt.exe + ParentImage: + - winword.exe + - excel.exe + - powerpnt.exe condition: selection1 and selection2 falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_pc_susp_zipexec.yml b/rules/windows/process_creation/win_pc_susp_zipexec.yml new file mode 100644 index 000000000..427cf76ea --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_zipexec.yml 
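Review bot: `selection2` uses `ParentImage:` with bare file names (`winword.exe`, `excel.exe`, `powerpnt.exe`), which in Sigma is an exact equality against the full parent image path and therefore never matches; it should be `ParentImage|endswith:` with `'\winword.exe'`-style values, as the `selection2` in process_creation_office_applications_spawning_wmi_commandline.yml does after this commit. The re-indentation is the only change to those lines, so the defect predates the commit, but this is the natural touch in which to fix it.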
@@ -0,0 +1,33 @@ +title: Suspicious ZipExec Execution +id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132 +status: experimental +description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. +references: + - https://twitter.com/SBousseaden/status/1451237393017839616 + - https://github.com/Tylous/ZipExec +tags: + - attack.execution + - attack.defense_evasion + - attack.t1218 + - attack.t1202 +author: frack113 +date: 2021/11/07 +logsource: + category: process_creation + product: windows +detection: + run: + CommandLine|contains|all: + - '/generic:Microsoft_Windows_Shell_ZipFolder:filename=' + - '.zip' + - '/pass:' + - '/user:' + delete: + CommandLine|contains|all: + - '/delete' + - 'Microsoft_Windows_Shell_ZipFolder:filename=' + - '.zip' + condition: run or delete +falsepositives: + - unknown +level: medium diff --git a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml index 5389761e7..1a817b30f 100644 --- a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml +++ b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml @@ -6,7 +6,7 @@ references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ author: Florian Roth, Max Altgelt date: 2021/07/14 -modified: 2021/08/10 +modified: 2021/11/11 tags: - attack.execution logsource: @@ -32,6 +32,7 @@ detection: - ' >' - 'Out-File' - 'ConvertTo-Json' + - '-WindowStyle hidden -Verb runAs' # VSCode behaviour if file cannot be written as current user condition: selection and not filter falsepositives: - Administrative scripts diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 9d36bc717..c480fcbf7 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml 
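Review bot: `falsepositives:` lists `- unknown` in lower case while every other rule in this commit uses `- Unknown`; keeping the canonical spelling avoids a later churn commit. The description explains what ZipExec is but not what the two selections match; a sentence such as `Detection keys on the credential-manager entries for the Microsoft_Windows_Shell_ZipFolder provider that the tool adds (run) and removes (delete)` would let an analyst understand an alert without reading the tool source. The `/generic:` … `/user:` and `/delete` strings look like cmdkey arguments, but the rule does not name the binary, so confirm that against the referenced source before documenting it.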
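Review bot: The new filter value `'-WindowStyle hidden -Verb runAs'` is an unconditional substring exclusion, so any command line in the monitored temp paths that carries a hidden-window elevation request is now dropped from the detection, not only the VS Code case the comment describes. If the filter is meant for VS Code, tying it to the parent (for example a separate `filter_vscode:` with `ParentImage|endswith: '\Code.exe'` together with this string, negated in `condition`) keeps the blind spot to the documented source. The filter's field name and the selection it negates are outside the hunk.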
+++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -6,7 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2021/05/12 +modified: 2021/11/09 tags: - attack.command_and_control - attack.execution @@ -17,7 +17,7 @@ logsource: category: process_creation detection: selection: - ProcessCommandLine|contains|all: + CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' Image|endswith: diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml index 402ff3615..e45421438 100644 --- a/rules/windows/process_creation/win_task_folder_evasion.yml +++ b/rules/windows/process_creation/win_task_folder_evasion.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/subTee/status/1216465628946563073 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 date: 2020/01/13 -modified: 2021/05/30 +modified: 2021/11/06 author: Sreeman tags: - attack.defense_evasion @@ -15,9 +15,9 @@ tags: - attack.t1574.002 - attack.t1059 # an old one - attack.t1064 # an old one - logsource: product: windows + category: process_creation detection: selection1: CommandLine|contains: diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml index d3e6843f3..2ad743d7a 100644 --- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml +++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml @@ -3,7 +3,7 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d description: Detects wmiprvse spawning processes status: experimental date: 2019/08/15 -modified: 2021/08/26 +modified: 2021/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html 
@@ -20,20 +20,15 @@ detection: - LogonId: - '0x3e7' # LUID 999 for SYSTEM - 'null' # too many false positives - - SubjectLogonId: - - '0x3e7' # LUID 999 for SYSTEM - - 'null' # too many false positives - User|startswith: - 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection - 'AUTORITE NT\Sys' # French language settings - Image|endswith: - '\WmiPrvSE.exe' - '\WerFault.exe' - filter_null1: # some backends need the null value in a separate expression + filter_null: # some backends need the null value in a separate expression LogonId: null - filter_null2: # some backends need the null value in a separate expression - SubjectLogonId: null - condition: selection and not filter and not filter_null1 and not filter_null2 + condition: selection and not filter and not filter_null falsepositives: - Unknown level: high diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index abb7d2c79..57389c082 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c description: Raw disk access using illegitimate tools, possible defence evasion author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2021/08/14 +modified: 2021/11/09 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -31,6 +31,7 @@ detection: - '\dfsrs.exe' - '\vds.exe' - '\lsass.exe' + - '\svchost.exe' condition: not filter_1 and not filter_2 fields: - ComputerName diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 8a9f000a0..97dfe3ec8 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml 
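Review bot: Dropping the `SubjectLogonId` branches and `filter_null2` makes the rule depend on the backend config translating `LogonId` to the audit-log field; the windows-audit.yml hunk in this commit adds `LogonId: SubjectLogonId` for exactly that purpose, but any other 4688-based config that lacks the mapping now loses the SYSTEM filter entirely and the rule becomes noisy there. That dependency is worth stating in the commit message and, if the repository keeps other audit-style configs, the same mapping should be added to them. The `filter` selection starts outside the hunk, so its first entries are not visible here.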
@@ -111,6 +111,7 @@ fieldmappings: PipeName: event_data.PipeName ProcessName: event_data.ProcessName Properties: event_data.Properties + RelativeTargetName: event_data.RelativeTargetName ServiceFileName: event_data.ServiceFileName ServiceName: event_data.ServiceName ShareName: event_data.ShareName diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index de769059c..c83606056 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml @@ -1,32 +1,33 @@ title: Microsoft 365 Rules order: 10 -ThreatManagement: - product: m365 - category: ThreatManagement - conditions: - eventSource: SecurityComplianceCenter -AccessGovernance: - product: m365 - category: AccessGovernance - conditions: - eventSource: SecurityComplianceCenter -CloudDiscovery: - product: m365 - category: CloudDiscovery - conditions: - eventSource: SecurityComplianceCenter -DataLossPrevention: - product: m365 - category: DataLossPrevention - conditions: - eventSource: SecurityComplianceCenter -ThreatDetection: - product: m365 - category: ThreatDetection - conditions: - eventSource: SecurityComplianceCenter -SharingControl: - product: m365 - category: SharingControl - conditions: - eventSource: SecurityComplianceCenter +logsources: + ThreatManagement: + product: m365 + category: ThreatManagement + conditions: + eventSource: SecurityComplianceCenter + AccessGovernance: + product: m365 + category: AccessGovernance + conditions: + eventSource: SecurityComplianceCenter + CloudDiscovery: + product: m365 + category: CloudDiscovery + conditions: + eventSource: SecurityComplianceCenter + DataLossPrevention: + product: m365 + category: DataLossPrevention + conditions: + eventSource: SecurityComplianceCenter + ThreatDetection: + product: m365 + category: ThreatDetection + conditions: + eventSource: SecurityComplianceCenter + SharingControl: + product: m365 + category: SharingControl + conditions: + eventSource: SecurityComplianceCenter 
diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index 63080759e..5eff54cfb 100644 --- a/tools/config/generic/windows-audit.yml +++ b/tools/config/generic/windows-audit.yml @@ -24,3 +24,5 @@ fieldmappings: Image: NewProcessName ParentImage: ParentProcessName Details: NewValue + ParentCommandLine: ProcessCommandLine + LogonId: SubjectLogonId \ No newline at end of file diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index a9e7b9e01..cdfed557c 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml 
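Review bot: `ParentCommandLine: ProcessCommandLine` maps the parent's command line to the 4688 field that carries the created process's command line, so every rule using `ParentCommandLine` will be evaluated against the wrong process on this backend; 4688 exposes `ParentProcessName` (mapped just above) but no parent command line, so the honest options are no mapping or a documented approximation. `LogonId: SubjectLogonId` is fine for 4688. The file also loses its trailing newline (`\ No newline at end of file`).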
@@ -7,11 +7,213 @@ logsources: product: apache conditions: product_name: '*apache*' + okta: + service: okta + conditions: + vendor_name: "Okta" + product_name: "Identity and Access Management" + onedrive: + service: onedrive + conditions: + vendor_name: "Microsoft" + product_name: "Onedrive" + onelogin-events: + service: onelogin.events + conditions: + vendor_name: "Microsoft" + product_name: "Onelogin" + microsoft365: + category: ThreatManagement + service: Microsoft365 + conditions: + vendor_name: "Microsoft" + product_name: "365" + m365: + category: ThreatManagement + service: m365 + conditions: + vendor_name: "Microsoft" + product_name: "365" + google-workspace: + service: google_workspace.admin + conditions: + vendor_name: "Google" + product_name: "Workspace" + guacamole: + service: guacamole + product_name: "Guacamole" + conditions: + vendor_name: "Guacamole" + google-cloud: + service: gcp.audit + conditions: + vendor_name: "Google" + product_name: "Cloud" + auditd: + service: auditd + conditions: + process_name: "auditd" + sshd: + service: sshd + conditions: + process_name: "sshd*" + syslog: + service: syslog + conditions: + process_name: "syslog*" + modsecurity: + service: modsecurity + conditions: + process_name: "modsec*" + msexchange-management: + service: msexchange-management + conditions: + channel: "MSExchange Management" windows: product: windows index: windows conditions: - vendor_name: 'Microsoft' + vendor_name: "Microsoft" + windows-stream-hash: + product: windows + category: create_stream_hash + conditions: + product_name: "Sysmon" + vendor_id: "15" + windows-create-remote-thread: + product: windows + category: create_remote_thread + conditions: + product_name: "Sysmon" + vendor_id: "8" + windows-process-access: + product: windows + category: process_access + conditions: + product_name: "Sysmon" + vendor_id: "10" + windows-process-creation: + product: windows + category: process_creation + conditions: + product_name: "Sysmon" + vendor_id: "1" + 
windows-network-connection: + product: windows + category: network_connection + conditions: + product_name: "Sysmon" + vendor_id: "3" + windows-sysmon-status: + product: windows + category: sysmon_status + conditions: + product_name: "Sysmon" + vendor_id: + - 4 + - 5 + windows-sysmon-error: + product: windows + category: sysmon_error + conditions: + product_name: "Sysmon" + vendor_id: "255" + windows-raw-access-thread: + product: windows + category: raw_access_thread + conditions: + product_name: "Sysmon" + vendor_id: 9 + windows-file-create: + product: windows + category: file_create + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-file-event: + product: windows + category: file_create + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-pipe-created: + product: windows + category: pipe_created + conditions: + product_name: "Sysmon" + vendor_id: + - 17 + - 18 + windows-dns-query: + product: windows + category: dns_query + conditions: + product_name: "Sysmon" + vendor_id: "22" + windows-file-delete: + product: windows + category: file_delete + conditions: + product_name: "Sysmon" + vendor_id: "23" + windows-wmi-sysmon: + product: windows + category: wmi_event + conditions: + product_name: "Sysmon" + vendor_id: + - 19 + - 20 + - 21 + windows-ldap-query: + product: windows + category: ldap_query + conditions: + channel: "Microsoft-Windows-LDAP-Client/Debug ETW" + windows-driver-load: + product: windows + category: driver_load + conditions: + product_name: "Sysmon" + vendor_id: "6" + windows-image-load: + product: windows + category: image_load + conditions: + product_name: "Sysmon" + vendor_id: "7" + clamav: + service: clamav + conditions: + process_name: "clamav*" + aws-cloudtrail: + service: cloudtrail + conditions: + vendor_name: "AWS CloudTrail" + zeek: + product: zeek + conditions: + vendor_name: "Zeek IDS" + azure-signin: + service: azure.signinlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + 
azure-auditlogs: + service: azure.auditlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + azure-activitylogs: + service: azure.activitylogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + azure-activity: + service: AzureActivity + conditions: + vendor_name: "Microsoft" + product_name: "Azure" windows-application: product: windows service: application @@ -55,14 +257,13 @@ logsources: windows-dns-server: product: windows service: dns-server - category: dns conditions: - product_name: 'DNS Server' + channel: 'DNS Server' windows-dns-server-audit: product: windows service: dns-server-audit conditions: - product_name: 'DNS-Server' + channel: 'DNS Server' windows-driver-framework: product: windows service: driver-framework @@ -89,11 +290,15 @@ logsources: conditions: product_name: - 'AppLocker' + windows-service-bus: + service: Microsoft-ServiceBus-Client + conditions: + product_name: "Microsoft-ServiceBus-Client" windows-msexchange-management: product: windows service: msexchange-management conditions: - product_name: 'MSExchange Management' + channel: 'MSExchange Management' windows-printservice-admin: product: windows service: printservice-admin @@ -109,6 +314,14 @@ logsources: service: smbclient-security conditions: product_name: 'SmbClient' + windows-registry: + product: windows + category: registry_event + conditions: + vendor_id: + - 12 + - 13 + - 14 qflow: product: qflow netflow: @@ -116,7 +329,7 @@ logsources: ipfix: product: ipfix flow: - category: flow + product: flow fieldmappings: dst: - ip_dst_host @@ -126,6 +339,9 @@ fieldmappings: - ip_src_host src_ip: - ip_src + IPAddress: ip_src + DNSAddress: dns_address + DCIPAddress: ip_src category: vendor_category error: error_code key: event_key 
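Review bot: `windows-file-create` and `windows-file-event` both declare `category: file_create` with identical conditions, so the second entry is a duplicate and the rules in this commit that use `category: file_event` (file_event_mimikatz_kirbi_file_creation.yml, file_event_script_creation_by_office_using_file_ext.yml) still have no matching entry; the second block presumably meant `category: file_event`. In the `guacamole` entry `product_name: "Guacamole"` sits at the logsource level instead of under `conditions:`, so it is not applied as a condition. The `m365` entry keys on `service: m365`, whereas tools/config/generic/m365.yml in this same commit keys the M365 categories on `product: m365`, so one of the two will not match the rules; the `vendor_id` values also alternate between quoted strings (`"15"`) and bare integers (`9`, `- 4`) without an evident reason.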
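Review bot: After this hunk `windows-dns-server` and `windows-dns-server-audit` carry the identical condition `channel: 'DNS Server'`, so rules for the audit log are no longer distinguishable from the operational DNS Server rules and both selectors return the same events. If the audit channel arrives under its own name in HAWK (the Windows channel is `Microsoft-Windows-DNS-Server/Audit`), that value belongs in the second entry; otherwise a comment on `service: dns-server-audit` should say the two are intentionally merged.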
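Review bot: `windows-service-bus` is declared with `service: Microsoft-ServiceBus-Client` and no `product: windows`, while the winlogbeat-modules-enabled.yml hunk in this commit declares the same source as `product: windows` / `service: microsoft-servicebus-client`; a rule can only match one of the two identifiers, so the service name should be the same lower-case token in both configs, and the hawk entry should carry `product: windows` like its neighbours.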
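Review bot: The new `windows-registry` entry conditions only on `vendor_id` 12/13/14 and, unlike every other Sysmon-category entry in this file, omits `product_name: "Sysmon"`, so event IDs 12–14 from any other Windows source are treated as registry events; add `product_name: "Sysmon"` under `conditions:`.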
@@ -171,7 +387,9 @@ fieldmappings: ServiceFileName: filename EventID: vendor_id SourceImage: parent_image + ImageLoaded: image_loaded Description: image_description + ScriptBlockText: value Product: image_product Company: image_company CurrentDirectory: path @@ -197,7 +415,6 @@ fieldmappings: Details: object_target CallTrace: calltrace IpAddress: ip_src - DCIPAddress: ip_src WorkstationName: hostname_src Workstation: hostname_src DestinationIp: ip_dst @@ -210,3 +427,5 @@ fieldmappings: TicketEncryptionType: sys.ticket.encryption.type DetectionSource: value Priority: event_priority + event_type_id: vendor_id + eventtype: vendor_type diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index d7ec0f095..07c3c4e09 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -100,6 +100,11 @@ logsources: service: msexchange-management conditions: winlog.channel: 'MSExchange Management' + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + winlog.channel: 'Microsoft-ServiceBus-Client' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 7147ff37b..904e81563 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -20,6 +20,7 @@ import re import sigma import json import uuid +import re from sigma.parser.modifiers.base import SigmaTypeModifier from sigma.parser.modifiers.type import SigmaRegularExpressionModifier from .base import SingleTextQueryBackend 
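Review bot: The hunk adds `import re` although `re` is already imported on the first context line of the same hunk, so the addition is a duplicate and should be dropped; the later `re.escape` calls work with the existing import. If the intent was to make the dependency visible next to its use, a comment at the call site serves better than a second import.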
@@ -62,27 +63,27 @@ class HAWKBackend(SingleTextQueryBackend): #print(type(node)) #print(node) if type(node) == sigma.parser.condition.ConditionAND: - return self.generateANDNode(node) + return self.generateANDNode(node, notNode) elif type(node) == sigma.parser.condition.ConditionOR: #print("OR NODE") #print(node) - return self.generateORNode(node) + return self.generateORNode(node, notNode) elif type(node) == sigma.parser.condition.ConditionNOT: #print("NOT NODE") #print(node) return self.generateNOTNode(node) elif type(node) == sigma.parser.condition.ConditionNULLValue: - return self.generateNULLValueNode(node) + return self.generateNULLValueNode(node, notNode) elif type(node) == sigma.parser.condition.ConditionNotNULLValue: return self.generateNotNULLValueNode(node) elif type(node) == sigma.parser.condition.NodeSubexpression: #print(node) - return self.generateSubexpressionNode(node) + return self.generateSubexpressionNode(node, notNode) elif type(node) == tuple: #print("TUPLE: ", node) return self.generateMapItemNode(node, notNode) elif type(node) in (str, int): - nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "regex" }, "str": { "value": "5" } } } + nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5", "regex": "true" } } } #key = next(iter(self.sigmaparser.parsedyaml['detection'])) key = "payload" @@ -94,7 +95,7 @@ class HAWKBackend(SingleTextQueryBackend): # they imply the entire payload nodeRet['description'] = key nodeRet['rule_id'] = str(uuid.uuid4()) - nodeRet['args']['str']['value'] = self.generateValueNode(node, False).replace("\\","\\\\") + nodeRet['args']['str']['value'] = re.escape(self.generateValueNode(node, False)) # .replace("\\","\\\\").replace(".","\\.") # return json.dumps(nodeRet) return nodeRet elif type(node) == list: 
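Review bot: The bare keyword branch (`type(node) in (str, int)`) now hard-codes `"comparison": { "value": "=" }` with `"regex": "true"` and never looks at `notNode`, while the tuple branch flips to `"!="` when negated; a condition such as `not keywords` therefore produces a positive payload match. Mirroring the map-item code, `nodeRet['args']['comparison']['value'] = "!=" if notNode else "="` after the `key = "payload"` assignment fixes that. The `ConditionNotNULLValue` branch is also the only one that still calls its generator without `notNode`, which looks like an oversight next to the `ConditionNULLValue` change. The function's body continues past both hunks.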
@@ -102,7 +103,7 @@ class HAWKBackend(SingleTextQueryBackend): else: raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node)))) - def generateANDNode(self, node): + def generateANDNode(self, node, notNode=False): """ generated = [ self.generateNode(val) for val in node ] filtered = [ g for g in generated if g is not None ] @@ -114,7 +115,7 @@ class HAWKBackend(SingleTextQueryBackend): return None """ ret = { "id" : "and", "key": "And", "children" : [ ] } - generated = [ self.generateNode(val) for val in node ] + generated = [ self.generateNode(val, notNode) for val in node ] filtered = [ g for g in generated if g is not None ] if filtered: if self.sort_condition_lists: @@ -125,11 +126,12 @@ class HAWKBackend(SingleTextQueryBackend): else: return None - def generateORNode(self, node): - #retAnd = { "id" : "and", "key": "And", "children" : [ ] } - - ret = { "id" : "or", "key": "Or", "children" : [ ] } - generated = [ self.generateNode(val) for val in node ] + def generateORNode(self, node, notNode=False): + if notNode: + ret = { "id" : "and", "key": "And", "children" : [ ] } + else: + ret = { "id" : "or", "key": "Or", "children" : [ ] } + generated = [ self.generateNode(val, notNode) for val in node ] filtered = [ g for g in generated if g is not None ] if filtered: if self.sort_condition_lists: @@ -142,8 +144,8 @@ class HAWKBackend(SingleTextQueryBackend): else: return None - def generateSubexpressionNode(self, node): - generated = self.generateNode(node.items) + def generateSubexpressionNode(self, node, notNode=False): + generated = self.generateNode(node.items, notNode) if 'len'in dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()" if len(node.items) == 1: # A sub expression with length 1 is not a proper sub expression, no self.subExpression required 
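Review bot: `generateORNode` correctly becomes an `and` node when `notNode` is set (De Morgan), but `generateANDNode` in the `@@ -114` hunk keeps `{ "id" : "and", "key": "And", "children" : [ ] }` while passing `notNode` to every child, so `not (A and B)` is emitted as `(not A) and (not B)`, which is `not (A or B)`; it needs the mirror image of the OR change, `ret = { "id" : "or", "key": "Or", "children" : [ ] } if notNode else { "id" : "and", "key": "And", "children" : [ ] }`. This assumes `generateNOTNode`, which is outside the hunks, is what sets `notNode=True` on its child. The function bodies run past the hunk boundaries.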
@@ -182,12 +184,13 @@ class HAWKBackend(SingleTextQueryBackend): elif type(value) == str and "*" in value: # value = value.replace("*", ".*") value = value.replace("*", "") - value = value.replace("\\", "\\\\") + value = re.escape(value) # .replace("\\", "\\\\").replace(".","\\.") if notNode: - nodeRet["args"]["comparison"]["value"] = "!regex" + nodeRet["args"]["comparison"]["value"] = "!=" else: - nodeRet['args']['comparison']['value'] = "regex" + nodeRet['args']['comparison']['value'] = "=" nodeRet['args']['str']['value'] = value + nodeRet['args']['str']['regex'] = "true" # return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True)) #return json.dumps(nodeRet) return nodeRet 
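Review bot: With `re.escape` now in place, wildcards could be preserved instead of deleted, but the hunk still does `value = value.replace("*", "")` first, so a pattern like `*foo*bar*` is sent as the literal `foobar` and the middle wildcard is lost; `value = ".*".join(re.escape(part) for part in value.split("*"))` keeps the wildcard semantics and still escapes every literal character. The wildcard dropping predates this commit, but the switch to `re.escape` is the natural moment to fix it. The same pattern appears in the `generateMapItemListNode` hunk (`item = item.replace("*", "")` followed by `item = re.escape(item)`). The enclosing `generateMapItemNode` starts before the hunk.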
@@ -214,14 +217,27 @@ class HAWKBackend(SingleTextQueryBackend): return self.generateMapItemTypedNode(key, value) elif value is None: #return self.nullExpression % (key, ) - nodeRet['args']['str']['value'] = None + #print("Performing null") + #print(notNode) + #print(key) + nodeRet = { "key" : "empty", "description" : "Value Does Not Exist (IS NULL)", "class" : "function", "inputs" : { "comparison" : { "order" : 0, "source" : "comparison", "type" : "comparison" }, "column" : { "order" : 1, "source" : "columns", "type" : "str" } }, "args" : { "comparison" : { "value" : "!=" }, "column" : { "value" : "" } }, "return" : "boolean" } + nodeRet['args']['column']['value'] = self.cleanKey(key).lower() + nodeRet['description'] += " %s" % key + if notNode: + nodeRet['args']['comparison']['value'] = "!=" + else: + nodeRet['args']['comparison']['value'] = "=" #return json.dumps(nodeRet) + #print(json.dumps(nodeRet)) return nodeRet else: raise TypeError("Backend does not support map values of type " + str(type(value))) def generateMapItemListNode(self, key, value, notNode=False): - ret = { "id" : "or", "key": "Or", "children" : [ ] } + if notNode: + ret = { "id" : "and", "key": "And", "children" : [ ] } + else: + ret = { "id" : "or", "key": "Or", "children" : [ ] } for item in value: nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5" } } } nodeRet['key'] = self.cleanKey(key).lower() 
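Review bot: The null branch now replaces `nodeRet` wholesale with a new `empty` function node, so anything set on the original `nodeRet` earlier in `generateMapItemNode` is lost; the other branches assign `nodeRet['rule_id'] = str(uuid.uuid4())` before returning, and if the same is done above this hunk the emitted null node now lacks `rule_id`. Adding `nodeRet['rule_id'] = str(uuid.uuid4())` after the `column` assignment makes the branch self-contained either way. The hunk also leaves three `#print(...)` lines and a commented `json.dumps` in place; debug residue should be removed before merge, and the one-line dictionary literal for the `empty` node would read better split over several lines.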
@@ -232,15 +248,15 @@ class HAWKBackend(SingleTextQueryBackend):
 ret['children'].append( nodeRet )
 elif type(item) == str and "*" in item:
 item = item.replace("*", "")
- item = item.replace("\\", "\\\\")
- # item = item.replace("*", ".*")
+ item = re.escape(item) # .replace("\\", "\\\\").replace(".","\\.")
 #print("item")
 #print(item)
 nodeRet['args']['str']['value'] = item # self.generateValueNode(item, True)
+ nodeRet['args']['str']['regex'] = "true"
 if notNode:
- nodeRet["args"]["comparison"]["value"] = "!regex"
+ nodeRet["args"]["comparison"]["value"] = "!="
 else:
- nodeRet['args']['comparison']['value'] = "regex"
+ nodeRet['args']['comparison']['value'] = "="
 ret['children'].append( nodeRet )
 else:
 #print("item2")
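Review bot: Same wildcard loss as in the single-value branch: `item.replace("*", "")` followed by `re.escape(item)` turns a list entry `foo*bar` into the literal regex `foobar`, so any interior wildcard stops matching although the node is flagged `regex: "true"`. Use `item = ".*".join(re.escape(part) for part in item.split("*"))` so literal pieces are escaped and each `*` becomes `.*`. The `#print("item")` / `#print(item)` debug leftovers can go at the same time. generateMapItemListNode starts and ends outside this hunk.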
@@ -258,35 +274,21 @@ class HAWKBackend(SingleTextQueryBackend): nodeRet['rule_id'] = str(uuid.uuid4()) if type(value) == SigmaRegularExpressionModifier: regex = str(value) - """ - # Regular Expressions have to match the full value in QRadar - if not (regex.startswith('^') or regex.startswith('.*')): - regex = '.*' + regex - if not (regex.endswith('$') or regex.endswith('.*')): - regex = regex + '.*' - return "%s imatches %s" % (self.cleanKey(fieldname), self.generateValueNode(regex, True)) - """ - #print("ENDS WITH!!!") - nodeRet['args']['str']['value'] = self.generateValueNode(regex, True).replace("\\", "\\\\") + nodeRet['args']['str']['value'] = re.escape(self.generateValueNode(regex, True)) # .replace("\\", "\\\\").replace(".","\\.") + nodeRet['args']['str']['regex'] = "true" if notNode: - nodeRet["args"]["comparison"]["value"] = "!regex" + nodeRet["args"]["comparison"]["value"] = "!=" else: - nodeRet['args']['comparison']['value'] = "regex" + nodeRet['args']['comparison']['value'] = "=" # return json.dumps(nodeRet) return nodeRet else: raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier)) def generateValueNode(self, node, keypresent): - """ - if keypresent == False: - return "payload regex \'{0}{1}{2}\'".format("%", self.cleanValue(str(node)), "%") - else: - return self.valueExpression % (self.cleanValue(str(node))) - """ return self.valueExpression % (self.cleanValue(str(node))) - def generateNULLValueNode(self, node): + def generateNULLValueNode(self, node, notNode): # node.item nodeRet = {"key": node.item, "description": node.item, "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "null" } } } nodeRet['rule_id'] = str(uuid.uuid4()) 
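Review bot: `re.escape` on the `|re` modifier value defeats the modifier: the value is already a regular expression, so every `.`, `*`, `+` and `\` in it is escaped and the node — still marked `regex: "true"` — only matches the pattern text literally. Keep the user's pattern, `nodeRet['args']['str']['value'] = self.generateValueNode(regex, True)`; if the old `.replace("\\", "\\\\")` existed for JSON escaping, presumably `json.dumps` at serialisation time already handles that (whether `cleanValue` also rewrites the pattern is not visible here). Separately, `generateNULLValueNode(self, node, notNode)` adds a required positional parameter, so any caller still passing only `node` now raises `TypeError`; give it a default, `def generateNULLValueNode(self, node, notNode=False):`, unless every call site was updated in this change. generateMapItemTypedNode starts before the hunk and generateNULLValueNode continues past it.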
@@ -440,6 +442,72 @@ class HAWKBackend(SingleTextQueryBackend): return result + def dedupeAnds(self, arr, parentAnd=False): + # simple dedupe + for i in range(0, len(arr)): + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + + if len(arr[i]['children']) == 1 and 'id' in arr[i]['children'][0] and arr[i]['children'][0]['id'].lower() == "and": + arr[i] = arr[i]['children'][0] + + + return arr + + """ + for i in range(0, len(arr)): + if parentAnd and 'id' in arr[i] and arr[i]['id'].lower() == "and": + isAnd = True + else: + isAnd = False + + if 'children' in arr[i]: + arr[i]['children'] = self.dedupeAnds(arr['i']['children'], isAnd) + + if parentAnd and 'id' in arr[i] and arr[i]['id'].lower() == "and": + pass + + if len(arr) == 1 and 'id' in arr[0] and arr[0]['id'].lower() == "and": + # print("Returning less!") + for i in range(0, len(arr) ): + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + return arr[0]['children'] + + """ + return arr + + """ + def dedupeAnds(self, arr, parentAnd=False): + #if not parentAnd: + # for i in range(0, len(arr) ): + # if 'id' in arr[i] and arr[i]['id'].lower() == "and": + # arr[i]['children'] = self.dedupeAnds(arr[i]['children'], False) + + if len(arr) == 1 and 'id' in arr[0] and arr[0]['id'].lower() == "and": + # print("Returning less!") + for i in range(0, len(arr) ): + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + return arr[0]['children'] + + allAndCheck = True + for i in range(0, len(arr) ): + # print(arr[i]) + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + else: + allAndCheck = False + + + x = [ ] + if allAndCheck: + for i in range(0, len(arr)): + x = x + arr[i]['children'] + return x + return arr + """ + def generateQuery(self, parsed, sigmaparser): self.sigmaparser = 
sigmaparser result = self.generateNode(parsed.parsedSearch) @@ -508,6 +576,9 @@ class HAWKBackend(SingleTextQueryBackend): analytic_txt = ret + result + ret2 # json.dumps(ret) try: analytic = json.loads(analytic_txt) # json.dumps(ret) + # analytic = self.dedupeAnds(analytic) + analytic[0]['children'] = self.dedupeAnds(analytic[0]['children'], True) + except Exception as e: print("Failed to parse json: %s" % analytic_txt) raise Exception("Failed to parse json: %s" % analytic_txt) @@ -535,12 +606,13 @@ class HAWKBackend(SingleTextQueryBackend): record = { "rules" : analytic, # analytic_txt.replace('"','""'), "filter_name" : sigmaparser.parsedyaml['title'], + "filter_details" : cmt, "actions_category_name" : "Add (+)", "correlation_action" : 5.00, "date_added" : sigmaparser.parsedyaml['date'], - "enabled" : True, + "enabled" : False, + # "enabled" : True, "public" : True, - "comments" : cmt, "references" : ref, "group_name" : ".", "hawk_id" : sigmaparser.parsedyaml['id'] diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index 3b592525b..927d00dbc 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py @@ -213,9 +213,9 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): raise NotSupportedError("Not supported condition.") def createTableFromLogsource(self): - if self.logsource.get("product", "") != "windows": + if self.logsource.get("product", "") not in ("linux","windows"): raise NotSupportedError( - "Not supported logsource. Should be product `windows`.") + "Not supported logsource. Should be product `linux` or `windows`.") for item in self.logsource.values(): if str(item).lower() in self.allowedSource.keys(): self.table = self.allowedSource.get(item.lower()) 
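Review bot: Everything after the first `return arr` in dedupeAnds is unreachable — two earlier implementations parked in `"""` strings plus a second `return arr` — and the `parentAnd` parameter is never read, so the live function is the ten lines at the top; delete the dead block and document the one rule it implements (an `and` whose only child is another `and` is replaced by that child). In the live loop only nodes whose `id` is `and` are descended into, so an `and` nested under an `or` is never flattened, and `arr[i]['children']` raises `KeyError` on an `and` node without a `children` key; if both are intentional say so in the docstring, otherwise recurse through any node that has children and guard the lookup. The sketch below keeps `parentAnd` in the signature for the call in generateQuery, which continues past this hunk.

```python
def dedupeAnds(self, arr, parentAnd=False):
    """Collapse `and` nodes whose only child is another `and`, recursing into all children.

    `parentAnd` is accepted for call-site compatibility and currently unused.
    """
    for i, node in enumerate(arr):
        children = node.get('children')
        if children:
            children = self.dedupeAnds(children)
            node['children'] = children
        if (str(node.get('id', '')).lower() == "and" and children
                and len(children) == 1
                and str(children[0].get('id', '')).lower() == "and"):
            arr[i] = children[0]
    return arr
```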
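Review bot: `analytic[0]['children'] = self.dedupeAnds(analytic[0]['children'], True)` sits inside the `try` whose `except Exception` re-raises `"Failed to parse json: ..."`, so an `IndexError` from an empty `analytic` or a `KeyError` raised inside dedupeAnds is reported as a JSON parse failure and the real traceback is lost (the bare `raise Exception(...)` also drops the cause). Move the dedupe call below the `except` or into an `else:` clause, and chain the parse error with `raise Exception("Failed to parse json: %s" % analytic_txt) from e`. The `# analytic = self.dedupeAnds(analytic)` leftover can be removed. generateQuery starts before this hunk and continues past it.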
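Review bot: `"enabled" : False` is a behaviour change for every consumer of this backend — each generated HAWK rule is now imported disabled — and the only trace of it is the dead `# "enabled" : True,` line beside it. Remove that leftover and state the reason (not visible here) in a comment, e.g. `# emit rules disabled so imported analytics are reviewed before they fire`, or expose it as a backend option if some callers need the old default. Renaming the `comments` key to `filter_details` likewise changes the output schema and deserves a line in the backend documentation or changelog. The `record` dict starts before this hunk and continues past it.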
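Review bot: The new product check is case-sensitive while the lookup two lines below lower-cases every logsource value (`str(item).lower() in self.allowedSource.keys()`), so a rule with `product: Windows` is rejected with the "Should be product `linux` or `windows`" error even though its category would have matched; normalise once, `product = str(self.logsource.get("product", "")).lower()` and `if product not in ("linux", "windows"):`. Accepting `linux` also presumes `allowedSource` holds entries for the Sysmon-for-Linux event types; that table is not visible here, and a Linux rule whose category is absent would apparently leave `self.table` unset rather than fail with a clear error. createTableFromLogsource continues past the hunk.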
@@ -248,4 +248,4 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): if sysmon_rule: rulegroup_comment = '' - return "{}\n{}".format(rulegroup_comment, sysmon_rule) \ No newline at end of file + return "{}\n{}".format(rulegroup_comment, sysmon_rule)