From f0dd02f483573e93c01f8931db7d31e44bfd739e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 29 Oct 2021 10:25:27 +0200 Subject: [PATCH 01/38] fix: FPs with Failed Logon Reason rule --- rules/windows/builtin/win_susp_failed_logon_reasons.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml index b2379beb5..c5b66905d 100644 --- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml +++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml @@ -4,8 +4,9 @@ description: This method uses uncommon error codes on failed logons to determine restricted. author: Florian Roth date: 2017/02/19 -modified: 2020/08/23 +modified: 2021/10/29 references: + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - https://twitter.com/SBousseaden/status/1101431884540710913 tags: - attack.persistence @@ -28,7 +29,9 @@ detection: - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine - condition: selection + filter: + SubjectUserSid: 'S-1-0-0' + condition: selection and not filter falsepositives: - User using a disabled account level: high From a3f3ec84c9f30c682f638705fd91c93f2c1bb844 Mon Sep 17 00:00:00 2001 
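Review bot: The new `filter` on `SubjectUserSid: 'S-1-0-0'` in the second hunk is broader than the commit title suggests: if I recall the 4625 semantics correctly, the Subject fields carry the NULL SID for network logons (logon type 3), so `selection and not filter` now drops most remote failed-logon attempts along with the local false positives it targets. Worth confirming against the event-4625 reference added in the first hunk, and narrowing the filter (for example by also constraining `LogonType`) if remote attempts are meant to stay in scope. Either way the filter deserves a comment stating what it excludes and why, e.g. `filter:  # NULL SID subject - excludes <describe the FP case here>`. The `falsepositives` entry (`User using a disabled account`) was not updated to mention the newly excluded case.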
From: frack113 Date: Fri, 5 Nov 2021 13:16:24 +0100 Subject: [PATCH 02/38] fix product windows case --- ...ript_creation_by_office_using_file_ext.yml | 26 +++++++++---------- ...ript_creation_by_office_using_file_ext.yml | 2 +- ...reation_lolbins_by_office_applications.yml | 2 +- ...n_lolbins_with_wmiprvse_parent_process.yml | 2 +- ..._from_proxy_executing_regsvr32_payload.yml | 2 +- ...from_proxy_executing_regsvr32_payload2.yml | 2 +- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml index f6406ce9e..ac0f39659 100644 --- a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml +++ b/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: file_event detection: #useful_information: Please add more file extensions and magic bytes to the logic of your choice. @@ -26,20 +26,20 @@ detection: - 'outlook.exe' selection2: FileName|endswith: - - ".exe" - - ".dll" - - ".ocx" - - ".com" - - ".ps1" - - ".vbs" - - ".sys" - - ".bat" - - ".scr" - - ".proj" + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" selection3: FileMagicBytes|startswith: - - "4D5A" + - "4D5A" condition: selection1 and (selection2 or selection3) falsepositives: -- Unknown + - Unknown level: high diff --git a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml index e5da93512..107cdd312 100644 --- a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml 
+++ b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: file_event detection: #useful_information: Please add more file extensions to the logic of your choice. diff --git a/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml index 4f887b912..54af48794 100644 --- a/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml +++ b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. diff --git a/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml index 9dab9d437..9a2bd4996 100644 --- a/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml index 1ae6fc02a..3fb743549 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml 
+++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml index 36b6d571e..e752a0c9b 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml @@ -14,7 +14,7 @@ tags: status: experimental date: 2021/08/23 logsource: - product: Windows + product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. From 68d30293b55519534cb679c8768afd99a984a426 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 6 Nov 2021 10:16:16 +0100 Subject: [PATCH 03/38] Cleanup process_creation --- .../process_creation_command_execution_by_office_applications.yml | 0 .../win_exchange_proxylogon_oabvirtualdir.yml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{process_creation => other}/process_creation_command_execution_by_office_applications.yml (100%) rename rules/windows/{process_creation => other}/win_exchange_proxylogon_oabvirtualdir.yml (100%) diff --git a/rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml b/rules/windows/other/process_creation_command_execution_by_office_applications.yml similarity index 100% rename from rules/windows/process_creation/process_creation_command_execution_by_office_applications.yml rename to rules/windows/other/process_creation_command_execution_by_office_applications.yml 
diff --git a/rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml similarity index 100% rename from rules/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml rename to rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml From aa8694fdefbfb2e5071a2c657d15283c00b21c18 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sat, 6 Nov 2021 10:17:12 +0100 Subject: [PATCH 04/38] add missing category --- rules/windows/process_creation/win_task_folder_evasion.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml index 402ff3615..e45421438 100644 --- a/rules/windows/process_creation/win_task_folder_evasion.yml +++ b/rules/windows/process_creation/win_task_folder_evasion.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/subTee/status/1216465628946563073 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 date: 2020/01/13 -modified: 2021/05/30 +modified: 2021/11/06 author: Sreeman tags: - attack.defense_evasion @@ -15,9 +15,9 @@ tags: - attack.t1574.002 - attack.t1059 # an old one - attack.t1064 # an old one - logsource: product: windows + category: process_creation detection: selection1: CommandLine|contains: From e51dab10c265b2bab68e2a927bb431db17fd8a16 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 7 Nov 2021 09:55:02 +0100 Subject: [PATCH 05/38] fix logsources --- .../pipe_created/sysmon_susp_adfs_namedpipe_connection.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml index f1bc4e86d..04b903fe0 100644 --- a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml +++ b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml 
@@ -3,7 +3,7 @@ id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3 description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens. status: experimental date: 2021/10/08 -modified: 2021/10/08 +modified: 2021/11/07 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml @@ -14,7 +14,7 @@ tags: - attack.t1005 logsource: product: windows - service: pipe_connected + category: pipe_created detection: selection: PipeName: '\MICROSOFT##WID\tsql\query' @@ -30,4 +30,4 @@ detection: condition: selection and not filter falsepositives: - Processes in the filter condition -level: critical \ No newline at end of file +level: critical From 46727620100df6c124a1d6c9bc9ede5621ba61c7 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 7 Nov 2021 21:57:40 +0100 Subject: [PATCH 06/38] add win_pc_susp_zipexec --- .../process_creation/win_pc_susp_zipexec.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/win_pc_susp_zipexec.yml diff --git a/rules/windows/process_creation/win_pc_susp_zipexec.yml b/rules/windows/process_creation/win_pc_susp_zipexec.yml new file mode 100644 index 000000000..427cf76ea --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_zipexec.yml 
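Review bot: Switching the logsource from `service: pipe_connected` to `category: pipe_created` changes which Sysmon events the rule resolves to, while the description still speaks of connections via the named pipe (Sysmon event 18, pipe connected) rather than pipe creation (event 17). If the backend config maps `pipe_created` to both 17 and 18 this is fine; if it maps only to 17 the rule silently stops matching the behaviour it describes, so the expectation should be stated, e.g. `definition: 'Requires Sysmon pipe events (EventID 17 and 18) mapped to the pipe_created category'`. The `filter` referenced by the condition lies outside the hunk.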
@@ -0,0 +1,33 @@ +title: Suspicious ZipExec Execution +id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132 +status: experimental +description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. +references: + - https://twitter.com/SBousseaden/status/1451237393017839616 + - https://github.com/Tylous/ZipExec +tags: + - attack.execution + - attack.defense_evasion + - attack.t1218 + - attack.t1202 +author: frack113 +date: 2021/11/07 +logsource: + category: process_creation + product: windows +detection: + run: + CommandLine|contains|all: + - '/generic:Microsoft_Windows_Shell_ZipFolder:filename=' + - '.zip' + - '/pass:' + - '/user:' + delete: + CommandLine|contains|all: + - '/delete' + - 'Microsoft_Windows_Shell_ZipFolder:filename=' + - '.zip' + condition: run or delete +falsepositives: + - unknown +level: medium From 20f4099cec6b454bc26b91293f9fe20d17a103f8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 8 Nov 2021 11:21:40 +0100 Subject: [PATCH 07/38] rule: Kirbi file creation --- ...ile_event_mimikatz_kirbi_file_creation.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml diff --git a/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml new file mode 100644 index 000000000..63ef4dac0 --- /dev/null +++ b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml 
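Review bot: The `description` explains what ZipExec is but not what the two selections actually match, so an analyst triaging a hit has to reverse-engineer the command-line patterns; the `/generic:`, `/user:`, `/pass:` and `/delete` switches look like `cmdkey` arguments, and naming that would help. Suggest `description: Detects command lines that store or delete credentials for a Microsoft_Windows_Shell_ZipFolder target, the pattern used by the ZipExec POC tool to run binaries wrapped in a password-protected zip file`. Minor style point: `falsepositives: - unknown` is lower-case here while the other rules in this series use `Unknown`.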
@@ -0,0 +1,21 @@ +title: Mimikatz Kirbi File Creation +id: 9e099d99-44c2-42b6-a6d8-54c3545cab29 +status: test +description: Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz +author: Florian Roth +references: + - https://cobalt.io/blog/kerberoast-attack-techniques +modified: 2021/11/08 +tags: + - attack.credential_access + - attack.t1558 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|endswith: '.kirbi' + condition: selection +falsepositives: + - Unlikely +level: critical From d43f845157c141762272d6ad7b5983b72630a9fc Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 8 Nov 2021 11:21:49 +0100 Subject: [PATCH 08/38] Update proxy_cobalt_malformed_uas.yml --- rules/proxy/proxy_cobalt_malformed_uas.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml index 419c0f120..75b258d15 100644 --- a/rules/proxy/proxy_cobalt_malformed_uas.yml +++ b/rules/proxy/proxy_cobalt_malformed_uas.yml 
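Review bot: The new rule carries `modified: 2021/11/08` but no `date:` field, which is inconsistent for a file created in this commit and is likely to trip rule tests that expect `date` (the other new rule in this series, `win_pc_susp_zipexec.yml`, sets `date:`); replace the line with `date: 2021/11/08`. `status: test` also differs from the `experimental` used by that sibling rule, so worth checking it is intentional. The single reference is about Kerberoasting in general; a short comment on the `TargetFilename|endswith: '.kirbi'` line naming the Mimikatz module that writes this extension would make the indicator easier to verify.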
@@ -4,17 +4,20 @@ status: experimental description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike author: Florian Roth date: 2021/05/06 +modified: 2021/11/02 references: - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ logsource: category: proxy detection: - selection: + selection1: c-useragent: - - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)" - - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )" - - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" - condition: selection + - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)" + - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )" + - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" + selection2: + c-useragent|endswith: '; MANM; MANM)' + condition: 1 of them falsepositives: - Unknown level: critical From 8ed456258fd0807c8ee8d1a36d56d57a8b50745e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 8 Nov 2021 18:22:23 +0100 Subject: [PATCH 09/38] Use correct pipenv version --- .github/workflows/sigma-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 2d1f625b3..88c6d0502 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -24,7 +24,7 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install pipenv + pip install pipenv==2021.5.29 pipenv lock pipenv install --dev --deploy - name: Test Sigma Tools and Rules From 3430943746506f065f08e32337e3d172124fb7dc Mon Sep 17 00:00:00 2001 
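Review bot: `condition: 1 of them` now ORs every named section in the rule, including any `filter:` block a later edit adds, which would widen the match instead of excluding; `condition: 1 of selection*` keeps the intent explicit. The `modified: 2021/11/02` value also predates the commit date (2021/11/08), a minor metadata inconsistency. The `; MANM; MANM)` suffix in `selection2` would be easier to maintain with a comment naming its origin, e.g. `c-useragent|endswith: '; MANM; MANM)'  # <profile name from the referenced collection>`.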
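Review bot: Pinning `pipenv==2021.5.29` fixes the immediate breakage, but the line above it, `python -m pip install --upgrade pip`, still pulls whatever pip is current, so the CI toolchain is only partly reproducible. The pin will look arbitrary to the next maintainer without a reason next to it; suggest `pip install pipenv==2021.5.29  # pinned, see commit 'Use correct pipenv version'; re-test before bumping`.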
From: frack113 Date: Tue, 9 Nov 2021 07:27:25 +0100 Subject: [PATCH 10/38] standardization --- ...crosoft365_activity_by_terminated_user.yml | 2 +- ...5_activity_from_anonymous_ip_addresses.yml | 2 +- ...ft365_activity_from_infrequent_country.yml | 2 +- ..._data_exfiltration_to_unsanctioned_app.yml | 2 +- ...rosoft365_from_suspicious_ip_addresses.yml | 2 +- ...icrosoft365_impossible_travel_activity.yml | 2 +- ...crosoft365_logon_from_risky_ip_address.yml | 2 +- ...osoft365_potential_ransomware_activity.yml | 2 +- ...crosoft365_suspicious_inbox_forwarding.yml | 2 +- ...ous_oauth_app_file_download_activities.yml | 2 +- ...oft365_unusual_volume_of_file_deletion.yml | 2 +- ...365_user_restricted_from_sending_email.yml | 2 +- tools/config/generic/m365.yml | 61 ++++++++++--------- 13 files changed, 43 insertions(+), 42 deletions(-) diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml index c24d42b67..e9c4857d9 100644 --- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml +++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml index 7b3a72716..1b75ffd8e 100644 --- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter 
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml index 9aa5ab394..34557397e 100644 --- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 831a15ed6..b224f6014 100644 --- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml index 9be142d81..bf3b9d459 100644 --- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml +++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatDetection - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml index 68146567b..8531eaef5 100644 --- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml 
+++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml @@ -10,7 +10,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Office365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml index b71a4344b..e9a282bd0 100644 --- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml index b5571ef94..936b3c708 100644 --- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml +++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml index 513e4f1b0..61f478323 100644 --- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml +++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter 
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml index 6dbc4be42..df7d6e742 100644 --- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: m365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml index 53bbf8ff2..84e368e0f 100644 --- a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml +++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml index b969efece..c0c02669d 100644 --- a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml +++ b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference logsource: category: ThreatManagement - service: Microsoft365 + product: m365 detection: selection: eventSource: SecurityComplianceCenter diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml index de769059c..c83606056 100644 --- a/tools/config/generic/m365.yml +++ b/tools/config/generic/m365.yml 
@@ -1,32 +1,33 @@ title: Microsoft 365 Rules order: 10 -ThreatManagement: - product: m365 - category: ThreatManagement - conditions: - eventSource: SecurityComplianceCenter -AccessGovernance: - product: m365 - category: AccessGovernance - conditions: - eventSource: SecurityComplianceCenter -CloudDiscovery: - product: m365 - category: CloudDiscovery - conditions: - eventSource: SecurityComplianceCenter -DataLossPrevention: - product: m365 - category: DataLossPrevention - conditions: - eventSource: SecurityComplianceCenter -ThreatDetection: - product: m365 - category: ThreatDetection - conditions: - eventSource: SecurityComplianceCenter -SharingControl: - product: m365 - category: SharingControl - conditions: - eventSource: SecurityComplianceCenter +logsources: + ThreatManagement: + product: m365 + category: ThreatManagement + conditions: + eventSource: SecurityComplianceCenter + AccessGovernance: + product: m365 + category: AccessGovernance + conditions: + eventSource: SecurityComplianceCenter + CloudDiscovery: + product: m365 + category: CloudDiscovery + conditions: + eventSource: SecurityComplianceCenter + DataLossPrevention: + product: m365 + category: DataLossPrevention + conditions: + eventSource: SecurityComplianceCenter + ThreatDetection: + product: m365 + category: ThreatDetection + conditions: + eventSource: SecurityComplianceCenter + SharingControl: + product: m365 + category: SharingControl + conditions: + eventSource: SecurityComplianceCenter From 8f39ef9ed1fb228067c0d8ba194d6a6cc57ef414 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 9 Nov 2021 10:41:09 +0100 Subject: [PATCH 11/38] normalize logsource --- .../edr_command_execution_by_office_applications.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{other/process_creation_command_execution_by_office_applications.yml => edr/edr_command_execution_by_office_applications.yml} (100%) 
diff --git a/rules/windows/other/process_creation_command_execution_by_office_applications.yml b/rules/windows/edr/edr_command_execution_by_office_applications.yml similarity index 100% rename from rules/windows/other/process_creation_command_execution_by_office_applications.yml rename to rules/windows/edr/edr_command_execution_by_office_applications.yml From 6c19303aa442f81bf4e4f5cfd6d5718a7790065a Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 9 Nov 2021 10:48:13 +0100 Subject: [PATCH 12/38] normalize logsource --- .../builtin/win_hybridconnectionmgr_svc_running.yml | 2 +- .../edr/edr_command_execution_by_office_applications.yml | 7 ++++--- rules/windows/other/win_ldap_recon.yml | 2 +- rules/windows/other/win_system_defender_disabled.yml | 4 ++-- tools/config/winlogbeat-modules-enabled.yml | 5 +++++ 5 files changed, 13 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml index f2fb29d7d..de445a56a 100644 --- a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml +++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml @@ -10,7 +10,7 @@ references: - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 logsource: product: windows - service: Microsoft-ServiceBus-Client + service: microsoft-servicebus-client detection: selection: EventID: diff --git a/rules/windows/edr/edr_command_execution_by_office_applications.yml b/rules/windows/edr/edr_command_execution_by_office_applications.yml index 19133d219..d8496c10d 100644 --- a/rules/windows/edr/edr_command_execution_by_office_applications.yml +++ b/rules/windows/edr/edr_command_execution_by_office_applications.yml 
@@ -1,4 +1,4 @@
-title: WMI Command Execution by Office Applications
+title: EDR WMI Command Execution by Office Applications
 id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
 description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32
 references:
@@ -13,9 +13,10 @@ tags:
 - attack.defense_evasion
 status: experimental
 date: 2021/08/23
+modified: 2021/11/09
 logsource:
- product: EndPoint Detection Logs
- category: process_creation
+ product: windows
+ category: edr
 detection:
 #useful_information: Add more office applications to the rule logic of choice
 selection1:
diff --git a/rules/windows/other/win_ldap_recon.yml b/rules/windows/other/win_ldap_recon.yml
index ee8ff3db5..e0a9559dd 100644
--- a/rules/windows/other/win_ldap_recon.yml
+++ b/rules/windows/other/win_ldap_recon.yml
@@ -9,8 +9,8 @@ references:
 - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
 - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs
 logsource:
- category: ldap_query
 product: windows
+ service: ldap_debug
 definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging'
 detection:
 generic_search:
diff --git a/rules/windows/other/win_system_defender_disabled.yml b/rules/windows/other/win_system_defender_disabled.yml
index 15114f1dc..1d4838ea0 100644
--- a/rules/windows/other/win_system_defender_disabled.yml
+++ b/rules/windows/other/win_system_defender_disabled.yml
@@ -5,7 +5,7 @@ related:
 type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/09/21
+modified: 2021/11/09
 author: Ján Trenčanský, frack113
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@@ -17,7 +17,7 @@ tags:
 - attack.t1562.001
 logsource:
 product: windows
- category: system
+ service: system
 detection:
 selection3:
 EventID: 7036
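Review bot: `category: edr` is introduced without a `definition:` line saying what telemetry it stands for, whereas the win_ldap_recon.yml hunk in the same commit documents its source with `definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging'`. As the description says the rule matches a wmic Win32_Process::Create call, a one-line `definition:` naming the EDR process-event fields the selections rely on (they sit below the hunk) would tell backend maintainers what to map for this non-standard category. The `modified:` bump is in place.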
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index d7ec0f095..07c3c4e09 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -100,6 +100,11 @@ logsources:
 service: msexchange-management
 conditions:
 winlog.channel: 'MSExchange Management'
+ microsoft-servicebus-client:
+ product: windows
+ service: microsoft-servicebus-client
+ conditions:
+ winlog.channel: 'Microsoft-ServiceBus-Client'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
From e1ecd379fa2d66e1f1089b38e1a1401e00661fd8 Mon Sep 17 00:00:00 2001
From: David Vassallo
Date: Tue, 9 Nov 2021 13:38:31 +0200
Subject: [PATCH 13/38] Update elk-winlogbeat.yml Adding "RelativeTargetName" since it's used by `win_lm_namedpipe.yml`
---
 tools/config/elk-winlogbeat.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 8a9f000a0..97dfe3ec8 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -111,6 +111,7 @@ fieldmappings:
 PipeName: event_data.PipeName
 ProcessName: event_data.ProcessName
 Properties: event_data.Properties
+ RelativeTargetName: event_data.RelativeTargetName
 ServiceFileName: event_data.ServiceFileName
 ServiceName: event_data.ServiceName
 ShareName: event_data.ShareName
From c8f488eabf94271e79ac874099464a18246675f6 Mon Sep 17 00:00:00 2001
From: frack113 Date: Tue, 9 Nov 2021 13:27:20 +0100 Subject: [PATCH 14/38] move to builtin --- rules/linux/{ => builtin}/lnx_apt_equationgroup_lnx.yml | 0 rules/linux/{ => builtin}/lnx_buffer_overflows.yml | 0 rules/linux/{ => builtin}/lnx_clear_syslog.yml | 0 rules/linux/{ => builtin}/lnx_file_copy.yml | 0 rules/linux/{ => builtin}/lnx_ldso_preload_injection.yml | 0 rules/linux/{ => builtin}/lnx_proxy_connection.yml | 0 rules/linux/{ => builtin}/lnx_setgid_setuid.yml | 0 rules/linux/{ => builtin}/lnx_shell_clear_cmd_history.yml | 0 rules/linux/{ => builtin}/lnx_shell_priv_esc_prep.yml | 0 rules/linux/{ => builtin}/lnx_shell_susp_commands.yml | 0 rules/linux/{ => builtin}/lnx_shell_susp_log_entries.yml | 0 rules/linux/{ => builtin}/lnx_shell_susp_rev_shells.yml | 0 rules/linux/{ => builtin}/lnx_shellshock.yml | 0 rules/linux/{ => builtin}/lnx_space_after_filename_.yml | 0 rules/linux/{ => builtin}/lnx_sudo_cve_2019_14287.yml | 0 rules/linux/{ => builtin}/lnx_sudo_cve_2019_14287_user.yml | 0 rules/linux/{ => builtin}/lnx_susp_jexboss.yml | 0 rules/linux/{ => builtin}/lnx_symlink_etc_passwd.yml | 0 18 files changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{ => builtin}/lnx_apt_equationgroup_lnx.yml (100%) rename rules/linux/{ => builtin}/lnx_buffer_overflows.yml (100%) rename rules/linux/{ => builtin}/lnx_clear_syslog.yml (100%) rename rules/linux/{ => builtin}/lnx_file_copy.yml (100%) rename rules/linux/{ => builtin}/lnx_ldso_preload_injection.yml (100%) rename rules/linux/{ => builtin}/lnx_proxy_connection.yml (100%) rename rules/linux/{ => builtin}/lnx_setgid_setuid.yml (100%) rename rules/linux/{ => builtin}/lnx_shell_clear_cmd_history.yml (100%) rename rules/linux/{ => builtin}/lnx_shell_priv_esc_prep.yml (100%) rename rules/linux/{ => builtin}/lnx_shell_susp_commands.yml (100%) rename rules/linux/{ => builtin}/lnx_shell_susp_log_entries.yml (100%) rename rules/linux/{ => builtin}/lnx_shell_susp_rev_shells.yml (100%) rename rules/linux/{ => 
builtin}/lnx_shellshock.yml (100%) rename rules/linux/{ => builtin}/lnx_space_after_filename_.yml (100%) rename rules/linux/{ => builtin}/lnx_sudo_cve_2019_14287.yml (100%) rename rules/linux/{ => builtin}/lnx_sudo_cve_2019_14287_user.yml (100%) rename rules/linux/{ => builtin}/lnx_susp_jexboss.yml (100%) rename rules/linux/{ => builtin}/lnx_symlink_etc_passwd.yml (100%) diff --git a/rules/linux/lnx_apt_equationgroup_lnx.yml b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml similarity index 100% rename from rules/linux/lnx_apt_equationgroup_lnx.yml rename to rules/linux/builtin/lnx_apt_equationgroup_lnx.yml diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/builtin/lnx_buffer_overflows.yml similarity index 100% rename from rules/linux/lnx_buffer_overflows.yml rename to rules/linux/builtin/lnx_buffer_overflows.yml diff --git a/rules/linux/lnx_clear_syslog.yml b/rules/linux/builtin/lnx_clear_syslog.yml similarity index 100% rename from rules/linux/lnx_clear_syslog.yml rename to rules/linux/builtin/lnx_clear_syslog.yml diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/builtin/lnx_file_copy.yml similarity index 100% rename from rules/linux/lnx_file_copy.yml rename to rules/linux/builtin/lnx_file_copy.yml diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml similarity index 100% rename from rules/linux/lnx_ldso_preload_injection.yml rename to rules/linux/builtin/lnx_ldso_preload_injection.yml diff --git a/rules/linux/lnx_proxy_connection.yml b/rules/linux/builtin/lnx_proxy_connection.yml similarity index 100% rename from rules/linux/lnx_proxy_connection.yml rename to rules/linux/builtin/lnx_proxy_connection.yml diff --git a/rules/linux/lnx_setgid_setuid.yml b/rules/linux/builtin/lnx_setgid_setuid.yml similarity index 100% rename from rules/linux/lnx_setgid_setuid.yml rename to rules/linux/builtin/lnx_setgid_setuid.yml 
diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml similarity index 100% rename from rules/linux/lnx_shell_clear_cmd_history.yml rename to rules/linux/builtin/lnx_shell_clear_cmd_history.yml diff --git a/rules/linux/lnx_shell_priv_esc_prep.yml b/rules/linux/builtin/lnx_shell_priv_esc_prep.yml similarity index 100% rename from rules/linux/lnx_shell_priv_esc_prep.yml rename to rules/linux/builtin/lnx_shell_priv_esc_prep.yml diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml similarity index 100% rename from rules/linux/lnx_shell_susp_commands.yml rename to rules/linux/builtin/lnx_shell_susp_commands.yml diff --git a/rules/linux/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml similarity index 100% rename from rules/linux/lnx_shell_susp_log_entries.yml rename to rules/linux/builtin/lnx_shell_susp_log_entries.yml diff --git a/rules/linux/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml similarity index 100% rename from rules/linux/lnx_shell_susp_rev_shells.yml rename to rules/linux/builtin/lnx_shell_susp_rev_shells.yml diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/builtin/lnx_shellshock.yml similarity index 100% rename from rules/linux/lnx_shellshock.yml rename to rules/linux/builtin/lnx_shellshock.yml diff --git a/rules/linux/lnx_space_after_filename_.yml b/rules/linux/builtin/lnx_space_after_filename_.yml similarity index 100% rename from rules/linux/lnx_space_after_filename_.yml rename to rules/linux/builtin/lnx_space_after_filename_.yml diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml similarity index 100% rename from rules/linux/lnx_sudo_cve_2019_14287.yml rename to rules/linux/builtin/lnx_sudo_cve_2019_14287.yml 
diff --git a/rules/linux/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml similarity index 100% rename from rules/linux/lnx_sudo_cve_2019_14287_user.yml rename to rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml diff --git a/rules/linux/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml similarity index 100% rename from rules/linux/lnx_susp_jexboss.yml rename to rules/linux/builtin/lnx_susp_jexboss.yml diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/builtin/lnx_symlink_etc_passwd.yml similarity index 100% rename from rules/linux/lnx_symlink_etc_passwd.yml rename to rules/linux/builtin/lnx_symlink_etc_passwd.yml From e8a36ace969c0d5e90c9159b9325eff0e6f0fa12 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 9 Nov 2021 13:32:22 +0100 Subject: [PATCH 15/38] move to other --- rules/linux/{ => other}/lnx_clamav.yml | 0 rules/linux/{ => other}/lnx_security_tools_disabling_syslog.yml | 0 rules/linux/{ => other}/lnx_ssh_cve_2018_15473.yml | 0 rules/linux/{ => other}/lnx_susp_failed_logons_single_source.yml | 0 rules/linux/{ => other}/lnx_susp_guacamole.yml | 0 rules/linux/{ => other}/lnx_susp_named.yml | 0 rules/linux/{ => other}/lnx_susp_ssh.yml | 0 rules/linux/{ => other}/lnx_susp_vsftp.yml | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{ => other}/lnx_clamav.yml (100%) rename rules/linux/{ => other}/lnx_security_tools_disabling_syslog.yml (100%) rename rules/linux/{ => other}/lnx_ssh_cve_2018_15473.yml (100%) rename rules/linux/{ => other}/lnx_susp_failed_logons_single_source.yml (100%) rename rules/linux/{ => other}/lnx_susp_guacamole.yml (100%) rename rules/linux/{ => other}/lnx_susp_named.yml (100%) rename rules/linux/{ => other}/lnx_susp_ssh.yml (100%) rename rules/linux/{ => other}/lnx_susp_vsftp.yml (100%) 
diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/other/lnx_clamav.yml similarity index 100% rename from rules/linux/lnx_clamav.yml rename to rules/linux/other/lnx_clamav.yml diff --git a/rules/linux/lnx_security_tools_disabling_syslog.yml b/rules/linux/other/lnx_security_tools_disabling_syslog.yml similarity index 100% rename from rules/linux/lnx_security_tools_disabling_syslog.yml rename to rules/linux/other/lnx_security_tools_disabling_syslog.yml diff --git a/rules/linux/lnx_ssh_cve_2018_15473.yml b/rules/linux/other/lnx_ssh_cve_2018_15473.yml similarity index 100% rename from rules/linux/lnx_ssh_cve_2018_15473.yml rename to rules/linux/other/lnx_ssh_cve_2018_15473.yml diff --git a/rules/linux/lnx_susp_failed_logons_single_source.yml b/rules/linux/other/lnx_susp_failed_logons_single_source.yml similarity index 100% rename from rules/linux/lnx_susp_failed_logons_single_source.yml rename to rules/linux/other/lnx_susp_failed_logons_single_source.yml diff --git a/rules/linux/lnx_susp_guacamole.yml b/rules/linux/other/lnx_susp_guacamole.yml similarity index 100% rename from rules/linux/lnx_susp_guacamole.yml rename to rules/linux/other/lnx_susp_guacamole.yml diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/other/lnx_susp_named.yml similarity index 100% rename from rules/linux/lnx_susp_named.yml rename to rules/linux/other/lnx_susp_named.yml diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/other/lnx_susp_ssh.yml similarity index 100% rename from rules/linux/lnx_susp_ssh.yml rename to rules/linux/other/lnx_susp_ssh.yml diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/other/lnx_susp_vsftp.yml similarity index 100% rename from rules/linux/lnx_susp_vsftp.yml rename to rules/linux/other/lnx_susp_vsftp.yml From 18fea95b86b40ac4b6f7a7aa041f1273d2f73ead Mon Sep 17 00:00:00 2001 
From: frack113 Date: Tue, 9 Nov 2021 13:33:58 +0100 Subject: [PATCH 16/38] move to macos --- rules/linux/{ => macos}/macos_applescript.yml | 0 rules/linux/{ => macos}/macos_base64_decode.yml | 0 rules/linux/{ => macos}/macos_binary_padding.yml | 0 rules/linux/{ => macos}/macos_change_file_time_attr.yml | 0 rules/linux/{ => macos}/macos_clear_system_logs.yml | 0 rules/linux/{ => macos}/macos_create_account.yml | 0 rules/linux/{ => macos}/macos_create_hidden_account.yml | 0 rules/linux/{ => macos}/macos_creds_from_keychain.yml | 0 rules/linux/{ => macos}/macos_disable_security_tools.yml | 0 rules/linux/{ => macos}/macos_emond_launch_daemon.yml | 0 rules/linux/{ => macos}/macos_file_and_directory_discovery.yml | 0 rules/linux/{ => macos}/macos_find_cred_in_files.yml | 0 rules/linux/{ => macos}/macos_gui_input_capture.yml | 0 rules/linux/{ => macos}/macos_local_account.yml | 0 rules/linux/{ => macos}/macos_local_groups.yml | 0 rules/linux/{ => macos}/macos_network_service_scanning.yml | 0 rules/linux/{ => macos}/macos_network_sniffing.yml | 0 rules/linux/{ => macos}/macos_remote_system_discovery.yml | 0 rules/linux/{ => macos}/macos_schedule_task_job_cron.yml | 0 rules/linux/{ => macos}/macos_screencapture.yml | 0 rules/linux/{ => macos}/macos_security_software_discovery.yml | 0 rules/linux/{ => macos}/macos_split_file_into_pieces.yml | 0 rules/linux/{ => macos}/macos_startup_items.yml | 0 rules/linux/{ => macos}/macos_susp_histfile_operations.yml | 0 .../{ => macos}/macos_suspicious_macos_firmware_activity.yml | 0 .../{ => macos}/macos_system_network_connections_discovery.yml | 0 rules/linux/{ => macos}/macos_system_network_discovery.yml | 0 rules/linux/{ => macos}/macos_system_shutdown_reboot.yml | 0 rules/linux/{ => macos}/macos_xattr_gatekeeper_bypass.yml | 0 29 files changed, 0 insertions(+), 0 deletions(-) rename rules/linux/{ => macos}/macos_applescript.yml (100%) rename rules/linux/{ => macos}/macos_base64_decode.yml (100%) rename rules/linux/{ => 
macos}/macos_binary_padding.yml (100%) rename rules/linux/{ => macos}/macos_change_file_time_attr.yml (100%) rename rules/linux/{ => macos}/macos_clear_system_logs.yml (100%) rename rules/linux/{ => macos}/macos_create_account.yml (100%) rename rules/linux/{ => macos}/macos_create_hidden_account.yml (100%) rename rules/linux/{ => macos}/macos_creds_from_keychain.yml (100%) rename rules/linux/{ => macos}/macos_disable_security_tools.yml (100%) rename rules/linux/{ => macos}/macos_emond_launch_daemon.yml (100%) rename rules/linux/{ => macos}/macos_file_and_directory_discovery.yml (100%) rename rules/linux/{ => macos}/macos_find_cred_in_files.yml (100%) rename rules/linux/{ => macos}/macos_gui_input_capture.yml (100%) rename rules/linux/{ => macos}/macos_local_account.yml (100%) rename rules/linux/{ => macos}/macos_local_groups.yml (100%) rename rules/linux/{ => macos}/macos_network_service_scanning.yml (100%) rename rules/linux/{ => macos}/macos_network_sniffing.yml (100%) rename rules/linux/{ => macos}/macos_remote_system_discovery.yml (100%) rename rules/linux/{ => macos}/macos_schedule_task_job_cron.yml (100%) rename rules/linux/{ => macos}/macos_screencapture.yml (100%) rename rules/linux/{ => macos}/macos_security_software_discovery.yml (100%) rename rules/linux/{ => macos}/macos_split_file_into_pieces.yml (100%) rename rules/linux/{ => macos}/macos_startup_items.yml (100%) rename rules/linux/{ => macos}/macos_susp_histfile_operations.yml (100%) rename rules/linux/{ => macos}/macos_suspicious_macos_firmware_activity.yml (100%) rename rules/linux/{ => macos}/macos_system_network_connections_discovery.yml (100%) rename rules/linux/{ => macos}/macos_system_network_discovery.yml (100%) rename rules/linux/{ => macos}/macos_system_shutdown_reboot.yml (100%) rename rules/linux/{ => macos}/macos_xattr_gatekeeper_bypass.yml (100%) 
diff --git a/rules/linux/macos_applescript.yml b/rules/linux/macos/macos_applescript.yml similarity index 100% rename from rules/linux/macos_applescript.yml rename to rules/linux/macos/macos_applescript.yml diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos/macos_base64_decode.yml similarity index 100% rename from rules/linux/macos_base64_decode.yml rename to rules/linux/macos/macos_base64_decode.yml diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos/macos_binary_padding.yml similarity index 100% rename from rules/linux/macos_binary_padding.yml rename to rules/linux/macos/macos_binary_padding.yml diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos/macos_change_file_time_attr.yml similarity index 100% rename from rules/linux/macos_change_file_time_attr.yml rename to rules/linux/macos/macos_change_file_time_attr.yml diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos/macos_clear_system_logs.yml similarity index 100% rename from rules/linux/macos_clear_system_logs.yml rename to rules/linux/macos/macos_clear_system_logs.yml diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos/macos_create_account.yml similarity index 100% rename from rules/linux/macos_create_account.yml rename to rules/linux/macos/macos_create_account.yml diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos/macos_create_hidden_account.yml similarity index 100% rename from rules/linux/macos_create_hidden_account.yml rename to rules/linux/macos/macos_create_hidden_account.yml diff --git a/rules/linux/macos_creds_from_keychain.yml b/rules/linux/macos/macos_creds_from_keychain.yml similarity index 100% rename from rules/linux/macos_creds_from_keychain.yml rename to rules/linux/macos/macos_creds_from_keychain.yml 
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos/macos_disable_security_tools.yml similarity index 100% rename from rules/linux/macos_disable_security_tools.yml rename to rules/linux/macos/macos_disable_security_tools.yml diff --git a/rules/linux/macos_emond_launch_daemon.yml b/rules/linux/macos/macos_emond_launch_daemon.yml similarity index 100% rename from rules/linux/macos_emond_launch_daemon.yml rename to rules/linux/macos/macos_emond_launch_daemon.yml diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos/macos_file_and_directory_discovery.yml similarity index 100% rename from rules/linux/macos_file_and_directory_discovery.yml rename to rules/linux/macos/macos_file_and_directory_discovery.yml diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos/macos_find_cred_in_files.yml similarity index 100% rename from rules/linux/macos_find_cred_in_files.yml rename to rules/linux/macos/macos_find_cred_in_files.yml diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos/macos_gui_input_capture.yml similarity index 100% rename from rules/linux/macos_gui_input_capture.yml rename to rules/linux/macos/macos_gui_input_capture.yml diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos/macos_local_account.yml similarity index 100% rename from rules/linux/macos_local_account.yml rename to rules/linux/macos/macos_local_account.yml diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos/macos_local_groups.yml similarity index 100% rename from rules/linux/macos_local_groups.yml rename to rules/linux/macos/macos_local_groups.yml diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos/macos_network_service_scanning.yml similarity index 100% rename from rules/linux/macos_network_service_scanning.yml rename to rules/linux/macos/macos_network_service_scanning.yml 
diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos/macos_network_sniffing.yml similarity index 100% rename from rules/linux/macos_network_sniffing.yml rename to rules/linux/macos/macos_network_sniffing.yml diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos/macos_remote_system_discovery.yml similarity index 100% rename from rules/linux/macos_remote_system_discovery.yml rename to rules/linux/macos/macos_remote_system_discovery.yml diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos/macos_schedule_task_job_cron.yml similarity index 100% rename from rules/linux/macos_schedule_task_job_cron.yml rename to rules/linux/macos/macos_schedule_task_job_cron.yml diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos/macos_screencapture.yml similarity index 100% rename from rules/linux/macos_screencapture.yml rename to rules/linux/macos/macos_screencapture.yml diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos/macos_security_software_discovery.yml similarity index 100% rename from rules/linux/macos_security_software_discovery.yml rename to rules/linux/macos/macos_security_software_discovery.yml diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos/macos_split_file_into_pieces.yml similarity index 100% rename from rules/linux/macos_split_file_into_pieces.yml rename to rules/linux/macos/macos_split_file_into_pieces.yml diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos/macos_startup_items.yml similarity index 100% rename from rules/linux/macos_startup_items.yml rename to rules/linux/macos/macos_startup_items.yml diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos/macos_susp_histfile_operations.yml similarity index 100% rename from rules/linux/macos_susp_histfile_operations.yml rename to rules/linux/macos/macos_susp_histfile_operations.yml 
diff --git a/rules/linux/macos_suspicious_macos_firmware_activity.yml b/rules/linux/macos/macos_suspicious_macos_firmware_activity.yml similarity index 100% rename from rules/linux/macos_suspicious_macos_firmware_activity.yml rename to rules/linux/macos/macos_suspicious_macos_firmware_activity.yml diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos/macos_system_network_connections_discovery.yml similarity index 100% rename from rules/linux/macos_system_network_connections_discovery.yml rename to rules/linux/macos/macos_system_network_connections_discovery.yml diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos/macos_system_network_discovery.yml similarity index 100% rename from rules/linux/macos_system_network_discovery.yml rename to rules/linux/macos/macos_system_network_discovery.yml diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos/macos_system_shutdown_reboot.yml similarity index 100% rename from rules/linux/macos_system_shutdown_reboot.yml rename to rules/linux/macos/macos_system_shutdown_reboot.yml diff --git a/rules/linux/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos/macos_xattr_gatekeeper_bypass.yml similarity index 100% rename from rules/linux/macos_xattr_gatekeeper_bypass.yml rename to rules/linux/macos/macos_xattr_gatekeeper_bypass.yml From c5fa73c328acd5fac5c89c84f2a71c94efc65827 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 9 Nov 2021 16:13:29 +0100 Subject: [PATCH 17/38] fix ProcessCommandLine to ParentCommandLine --- ...office_from_proxy_executing_regsvr32_payload.yml | 11 ++++++----- ...ffice_from_proxy_executing_regsvr32_payload2.yml | 13 +++++++------ ...ess_creation_office_spawning_wmi_commandline.yml | 13 +++++++------ rules/windows/process_creation/win_susp_wuauclt.yml | 4 ++-- tools/config/generic/windows-audit.yml | 1 + 5 files changed, 23 insertions(+), 19 deletions(-) 
diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml index 3fb743549..a901d3fd7 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml @@ -13,6 +13,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: product: windows category: process_creation @@ -20,7 +21,7 @@ detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - ParentCommandLine|contains: 'wmic ' - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: @@ -32,11 +33,11 @@ detection: - 'verclsid' selection3: ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe + - winword.exe + - excel.exe + - powerpnt.exe selection4: - processCommandLine|contains|all: + ParentCommandLine|contains|all: - 'process' - 'create' - 'call' diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml index e752a0c9b..8989e0e30 100644 --- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml 
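Review bot: Switching selection1 and selection4 from `ProcessCommandLine` to `ParentCommandLine` moves the command-line test onto the parent process, while selection1 pairs it with `Image|endswith: '\wbem\WMIC.exe'` and selection3 pins the parent to winword/excel/powerpnt, whose own command line is unlikely to contain `wmic ` or `process create call`, so the rule stops matching (the condition line is outside the hunk). The Sigma process_creation field for the new process's command line is `CommandLine`; the lines should read `- CommandLine|contains: 'wmic '` and `CommandLine|contains|all:`. The same substitution is made in process_creation_office_from_proxy_executing_regsvr32_payload2.yml, process_creation_office_spawning_wmi_commandline.yml and win_susp_wuauclt.yml in the following hunks. PATCH 21 later restores `CommandLine` and `Image` for win_susp_wuauclt.yml, which confirms the field choice, but the three office rules keep `ParentCommandLine`.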
@@ -13,13 +13,14 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - ProcessCommandLine: + ParentCommandLine: - '*regsvr32*' - '*rundll32*' - '*msiexec*' @@ -27,14 +28,14 @@ detection: - '*verclsid*' selection2: - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - ParentCommandLine|contains: 'wmic ' selection3: ParentImage|endswith: - - winword.exe - - excel.exe - - powerpnt.exe + - winword.exe + - excel.exe + - powerpnt.exe selection4: - processCommandLine|contains|all: + ParentCommandLine|contains|all: - 'process' - 'create' - 'call' diff --git a/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml index 2fceff749..edbae2013 100644 --- a/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml +++ b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml @@ -13,19 +13,20 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/09 logsource: product: windows category: process_creation detection: #useful_information: Add more office applications to the rule logic of choice selection1: - - Image|endswith: '\wbem\WMIC.exe' - - ProcessCommandLine|contains: 'wmic ' + - Image|endswith: '\wbem\WMIC.exe' + - ParentCommandLine|contains: 'wmic ' selection2: - ParentImage: - - winword.exe - - excel.exe - - powerpnt.exe + ParentImage: + - winword.exe + - excel.exe + - powerpnt.exe condition: selection1 and selection2 falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 9d36bc717..93002eb61 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml 
+++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -6,7 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2021/05/12 +modified: 2021/11/09 tags: - attack.command_and_control - attack.execution @@ -17,7 +17,7 @@ logsource: category: process_creation detection: selection: - ProcessCommandLine|contains|all: + ParentCommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' Image|endswith: diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index 63080759e..241520813 100644 --- a/tools/config/generic/windows-audit.yml +++ b/tools/config/generic/windows-audit.yml @@ -24,3 +24,4 @@ fieldmappings: Image: NewProcessName ParentImage: ParentProcessName Details: NewValue + ParentCommandLine: ProcessCommandLine \ No newline at end of file From c61ca81d9c86cefb383c8523caf2fc677d42e27c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 16:15:31 +0100 Subject: [PATCH 18/38] refactor: raw disk access rule FPs --- .../sysmon_raw_disk_access_using_illegitimate_tools.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index abb7d2c79..57389c082 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c description: Raw disk access using illegitimate tools, possible defence evasion author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2021/08/14 +modified: 2021/11/09 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: 
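Review bot: `ParentCommandLine: ProcessCommandLine` maps the parent's command line onto the 4688 field that holds the new process's command line; the adjacent lines keep the new/parent split (`Image: NewProcessName`, `ParentImage: ParentProcessName`), so this mapping makes every `ParentCommandLine` rule match the child's command line on Security-log backends and hides the field mix-up in the rule hunks above. Event 4688 carries no parent command line, so the line should be removed rather than redirected; the mapping that belongs here is `CommandLine: ProcessCommandLine`, if it is not already present above the hunk. The hunk also drops the file's trailing newline (`\ No newline at end of file`).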
@@ -31,6 +31,7 @@ detection: - '\dfsrs.exe' - '\vds.exe' - '\lsass.exe' + - '\svchost.exe' condition: not filter_1 and not filter_2 fields: - ComputerName From 24f3e9db5b187edc9c8234903fb885feec546056 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 9 Nov 2021 16:44:11 +0100 Subject: [PATCH 19/38] fix detection from ref --- rules/windows/process_creation/win_susp_wuauclt.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 93002eb61..a777e6ec9 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -20,7 +20,7 @@ detection: ParentCommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' - Image|endswith: + ParentImage|endswith: - '\wuauclt.exe' condition: selection falsepositives: From 37b9abd827432587a0a6608cbcda3bdfc91331f8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 16:52:19 +0100 Subject: [PATCH 20/38] fix: date field --- .../file_event/file_event_mimikatz_kirbi_file_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml index 63ef4dac0..4aadcd2fc 100644 --- a/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml +++ b/rules/windows/file_event/file_event_mimikatz_kirbi_file_creation.yml @@ -5,7 +5,7 @@ description: Detects the creation of files that contain Kerberos tickets based o author: Florian Roth references: - https://cobalt.io/blog/kerberoast-attack-techniques -modified: 2021/11/08 +date: 2021/11/08 tags: - attack.credential_access - attack.t1558 From 3c3bf75aa86cb4f523641294ad265d9b266962b7 Mon Sep 17 00:00:00 2001 
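Review bot: Adding `'\svchost.exe'` to the exclusion list in filter_1 opens a broad blind spot: the neighbouring entries are bare `\name.exe` suffixes, so any binary called svchost.exe in any directory, as well as code injected into a genuine svchost, now gets raw disk access without an alert, and because the condition is nothing but `not filter_1 and not filter_2` the filter is the whole detection. If the false positives come from a specific Windows service, pin the real path instead, e.g. `- 'C:\Windows\System32\svchost.exe'`, and add a comment naming the service that triggered it so the exclusion can be re-validated. The field name of filter_1 and its earlier entries are outside the hunk.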
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 9 Nov 2021 17:04:27 +0100 Subject: [PATCH 21/38] fix detection from test --- rules/windows/process_creation/win_susp_wuauclt.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index a777e6ec9..c480fcbf7 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -17,10 +17,10 @@ logsource: category: process_creation detection: selection: - ParentCommandLine|contains|all: + CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' - ParentImage|endswith: + Image|endswith: - '\wuauclt.exe' condition: selection falsepositives: From 39283c0ac268ce9711e004bc5fcd56d508ffbd5a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 17:29:43 +0100 Subject: [PATCH 22/38] CobaltStrike DNS rules --- rules/network/net_mal_dns_cobaltstrike.yml | 6 ++-- .../dns_query/dns_net_mal_cobaltstrike.yml | 30 +++++++++++++++++++ 2 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 rules/windows/dns_query/dns_net_mal_cobaltstrike.yml diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml index 3775bc795..05716fee9 100644 --- a/rules/network/net_mal_dns_cobaltstrike.yml +++ b/rules/network/net_mal_dns_cobaltstrike.yml @@ -11,11 +11,13 @@ references: logsource: category: dns detection: - selection: + selection1: query|startswith: - 'aaa.stage.' - 'post.1' - condition: selection + selection2: + query|contains: '.stage.123456.' + condition: 1 of them falsepositives: - Unknown level: critical diff --git a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml new file mode 100644 index 000000000..42fc9bc23 --- /dev/null +++ b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml 
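Review bot: The new selection2 (`query|contains: '.stage.123456.'`) and the existing `aaa.stage.` / `post.1` prefixes are the stager and beacon names of Cobalt Strike's default profile; a Malleable C2 profile lets the operator change them, so the rule catches an unconfigured team server rather than Cobalt Strike DNS beaconing in general, yet it ships at level critical with `falsepositives: Unknown`. A one-line caveat would set analyst expectations, e.g. a comment `# default-profile indicators only; customised profiles change these names` above selection1. `query|startswith: 'post.1'` is also a very short prefix (it accepts post.10..., post.1abc...) and is worth checking against real resolver logs before the rule is enabled at this level.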
@@ -0,0 +1,30 @@ +title: Suspicious Cobalt Strike DNS Beaconing +id: f356a9c4-effd-4608-bbf8-408afd5cd006 +status: experimental +description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons +author: Florian Roth +date: 2021/11/09 +references: + - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns + - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ +tags: + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 +logsource: + product: windows + category: dns_query +detection: + selection1: + QueryName|startswith: + - 'aaa.stage.' + - 'post.1' + selection2: + QueryName|contains: '.stage.123456.' + condition: 1 of them +fields: + - Image + - CommandLine +falsepositives: + - Unknown +level: critical From c07a9adb9bd2f6025973ba62d4f7d52f024cfec2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 17:30:15 +0100 Subject: [PATCH 23/38] fix: moved rule written for DNS/Sysmon to the correct folder --- .../dns_query/dns_net_susp_ipify.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/{network/net_susp_ipify.yml => windows/dns_query/dns_net_susp_ipify.yml} (100%) diff --git a/rules/network/net_susp_ipify.yml b/rules/windows/dns_query/dns_net_susp_ipify.yml similarity index 100% rename from rules/network/net_susp_ipify.yml rename to rules/windows/dns_query/dns_net_susp_ipify.yml From 5613b6ca828a7979e8ff6537ea331329929356dd Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 19:06:26 +0100 Subject: [PATCH 24/38] fix: FP with MicrosoftEdgeUpdate --- rules/windows/builtin/win_susp_lsass_dump_generic.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml index 2856705cd..2ab869121 100644 --- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml 
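Review bot: Like the network-category sibling added in the same commit, this rule only carries the default Cobalt Strike DNS stager/beacon names (`aaa.stage.`, `post.1`, `.stage.123456.`); operators change them through the Malleable C2 profile, so a `critical` alert with `falsepositives: Unknown` deserves a caveat in the description, e.g. `Detects a program that invoked DNS queries known from Cobalt Strike beacons using the default profile (custom profiles change these names)`. The two rules are copies over different log sources, so a `related:` entry (type `similar`) pointing at the network rule's id would keep them in sync; that id is not visible in this diff. The `attack.t1071 # an old one` tag could also carry a clearer comment, such as `# kept for consumers without sub-technique support`.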
@@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2021/04/19 +modified: 2021/11/09 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment @@ -53,6 +53,7 @@ detection: - '\minionhost.exe' # Cyberreason - '\VsTskMgr.exe' # McAfee Enterprise - '\thor64.exe' # THOR + - '\MicrosoftEdgeUpdate.exe' ProcessName|startswith: - C:\Windows\System32\ - C:\Windows\SysWow64\ From e30b09fcced1614692c7c894101af4b672b43da4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 9 Nov 2021 19:09:07 +0100 Subject: [PATCH 25/38] fix: more FPs with Windows 11 services --- rules/windows/builtin/win_susp_lsass_dump_generic.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml index 2ab869121..4b6ab1faf 100644 --- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml @@ -54,6 +54,8 @@ detection: - '\VsTskMgr.exe' # McAfee Enterprise - '\thor64.exe' # THOR - '\MicrosoftEdgeUpdate.exe' + - '\GamingServices.exe' + - '\svchost.exe' ProcessName|startswith: - C:\Windows\System32\ - C:\Windows\SysWow64\ From 5abea871b03dc516f66bba65d88c31846913dad8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 10 Nov 2021 09:28:59 +0100 Subject: [PATCH 26/38] docs: put link in references --- ...in_invoke_obfuscation_obfuscated_iex_services_security.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
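Review bot: `\MicrosoftEdgeUpdate.exe` is the only entry in this allow-list without a trailing comment saying which product it belongs to, while the lines before it carry `# Cyberreason`, `# McAfee Enterprise` and `# THOR`. Because the list is a security exclusion on LSASS handle access, each line should name its origin so it can be re-validated later, e.g. `- '\MicrosoftEdgeUpdate.exe' # Edge updater, FP fix 2021/11`. The filter's field name is outside the hunk.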
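Review bot: Excluding `\svchost.exe` from the LSASS handle-access rule is a large gap: svchost is a standard host for injected code and a frequent masquerade name, so the most common credential-theft paths that open lsass now go unreported, and `\GamingServices.exe` is added without the `# vendor` comment its neighbours carry. If the `ProcessName|startswith` entries visible below the list belong to the same filter map they at least pin the directory, but injection into a genuine `C:\Windows\System32\svchost.exe` still passes. Prefer suppressing the specific access mask or call trace observed for the Windows 11 service that raised the false positive, and annotate both lines, e.g. `- '\svchost.exe' # Windows 11 <service>, observed GrantedAccess <mask>`. The rule's selection and the access-mask fields used by the filter are outside the hunk.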
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml index 043bcf55b..0f746e487 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml @@ -3,7 +3,9 @@ id: fd0f5778-d3cb-4c9a-9695-66759d04702a related: - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 type: derived -description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" +description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references" +references: + - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 From 52d0cb67eb22bafd47098ca56eb79e2e7b32804e Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 10 Nov 2021 17:09:15 +0000 Subject: [PATCH 27/38] adding additional allow for dns service (domain controllers) --- rules/windows/network_connection/sysmon_susp_rdp.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml index e12fde626..9867e2b1d 100755 --- a/rules/windows/network_connection/sysmon_susp_rdp.yml +++ b/rules/windows/network_connection/sysmon_susp_rdp.yml 
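Review bot: The new references entry ends with a stray double quote: `- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"`, and as a YAML plain scalar that quote becomes part of the value, so the stored reference is not the URL the description now points to. Drop the trailing `"` so the line reads `- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888`.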
@@ -38,9 +38,11 @@ detection: - '\FSAssessment.exe' - '\MobaRTE.exe' - '\chrome.exe' + - '\System32\dns.exe' - '\thor.exe' - '\thor64.exe' condition: selection and not filter falsepositives: - Other Remote Desktop RDP tools + - domain controller using dns.exe level: high From a4951a29bb0c804bf9e1044f0a5bb5b37729d161 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 18:57:54 +0100 Subject: [PATCH 28/38] Fix detection --- ...creation_office_applications_spawning_wmi_commandline.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml index a8e8f5824..700d264f4 100644 --- a/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml +++ b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml @@ -13,6 +13,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/10 logsource: product: windows category: process_creation @@ -24,11 +25,11 @@ detection: - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2: - ParentPrcessName|endswith: + ParentImage|endswith: - winword.exe - excel.exe - powerpnt.exe condition: selection1 and selection2 falsepositives: -- Unknown + - Unknown level: high From b7b1ebf7720d454d6060ccae03dc5bf52e0cd72d Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:12:51 +0100 Subject: [PATCH 29/38] Fix LogonId - SubjectLogonId --- .../win_wmiprvse_spawning_process.yml | 11 +++-------- tools/config/generic/windows-audit.yml | 3 ++- 2 files changed, 5 insertions(+), 9 deletions(-) 
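Review bot: The new allow-list entry `'\System32\dns.exe'` is a suffix match like its neighbours, so it also accepts `<anything>\System32\dns.exe` outside the Windows directory; if the intent is the DNS Server service on domain controllers, `'C:\Windows\System32\dns.exe'` pins the real binary at no cost. The falsepositives entry should also say why a DNS server process reaches the RDP port this rule keys on (the port constraint itself is outside the hunk), since an unexplained exclusion for a DC process is hard to re-validate later. Suggested wording: `- Domain controllers: dns.exe (DNS Server service) observed making RDP-port connections; confirm per environment`.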
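Review bot: `ParentImage|endswith` in selection2 lists `winword.exe`, `excel.exe` and `powerpnt.exe` without the leading path separator, so any parent whose name merely ends in those characters also qualifies; the convention in the sibling rules is `- '\winword.exe'`, `- '\excel.exe'`, `- '\powerpnt.exe'`. With the `ParentPrcessName` typo fixed, that is the last inconsistency between this rule and the other office-spawning rules touched in this series.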
diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml index d3e6843f3..2ad743d7a 100644 --- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml +++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml @@ -3,7 +3,7 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d description: Detects wmiprvse spawning processes status: experimental date: 2019/08/15 -modified: 2021/08/26 +modified: 2021/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html @@ -20,20 +20,15 @@ detection: - LogonId: - '0x3e7' # LUID 999 for SYSTEM - 'null' # too many false positives - - SubjectLogonId: - - '0x3e7' # LUID 999 for SYSTEM - - 'null' # too many false positives - User|startswith: - 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection - 'AUTORITE NT\Sys' # French language settings - Image|endswith: - '\WmiPrvSE.exe' - '\WerFault.exe' - filter_null1: # some backends need the null value in a separate expression + filter_null: # some backends need the null value in a separate expression LogonId: null - filter_null2: # some backends need the null value in a separate expression - SubjectLogonId: null - condition: selection and not filter and not filter_null1 and not filter_null2 + condition: selection and not filter and not filter_null falsepositives: - Unknown level: high diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index 241520813..5eff54cfb 100644 --- a/tools/config/generic/windows-audit.yml +++ b/tools/config/generic/windows-audit.yml @@ -24,4 +24,5 @@ fieldmappings: Image: NewProcessName ParentImage: ParentProcessName Details: NewValue - ParentCommandLine: ProcessCommandLine \ No newline at end of file + ParentCommandLine: ProcessCommandLine + LogonId: SubjectLogonId \ No newline at end of file 
From 3ea1eda717510fbd468fc35d1a8f189a24605de4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:38:05 +0100 Subject: [PATCH 30/38] ParentImage do not exist in network_connection --- .../win_suspicious_werfault_connection_outbound.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules/windows/builtin => rules-unsupported}/win_suspicious_werfault_connection_outbound.yml (100%) diff --git a/rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml b/rules-unsupported/win_suspicious_werfault_connection_outbound.yml similarity index 100% rename from rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml rename to rules-unsupported/win_suspicious_werfault_connection_outbound.yml From 95b9cd3d35c997b0c98f27a1656b4ddb22aaf8fd Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:40:10 +0100 Subject: [PATCH 31/38] fix detection --- .../silenttrinity_stager_msbuild_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml index ab68f0b04..4dad7b038 100644 --- a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\msbuild.exe' + Image|endswith: '\msbuild.exe' filter: DestinationPort: - '80' From b6f6beda3ce9a06150fc1bd8329a02e5a40f4930 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:44:08 +0100 Subject: [PATCH 32/38] FileMagicBytes do not exist in file_event --- ...nt_executable_and_script_creation_by_office_using_file_ext.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules/windows/file_event => rules-unsupported}/file_event_executable_and_script_creation_by_office_using_file_ext.yml (100%) diff --git a/rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml similarity index 100% rename from rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml rename to rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml From da8fcabe0cd43078a917ebddd0b5176013dcc9df Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:49:25 +0100 Subject: [PATCH 33/38] Fix TargetFilename case --- ...ript_creation_by_office_using_file_ext.yml | 45 ++++++++++--------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml index 107cdd312..6c4745fe3 100644 --- a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml +++ b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml 
@@ -13,29 +13,30 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 +modified: 2021/11/10 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - #useful_information: Please add more file extensions to the logic of your choice. - selection1: - Image|endswith: - - 'winword.exe' - - 'excel.exe' - - 'powerpnt.exe' - selection2: - TargetFileName|endswith: - - ".exe" - - ".dll" - - ".ocx" - - ".com" - - ".ps1" - - ".vbs" - - ".sys" - - ".bat" - - ".scr" - - ".proj" - condition: selection1 and selection2 + #useful_information: Please add more file extensions to the logic of your choice. + selection1: + Image|endswith: + - 'winword.exe' + - 'excel.exe' + - 'powerpnt.exe' + selection2: + TargetFilename|endswith: + - ".exe" + - ".dll" + - ".ocx" + - ".com" + - ".ps1" + - ".vbs" + - ".sys" + - ".bat" + - ".scr" + - ".proj" + condition: selection1 and selection2 falsepositives: -- Unknown + - Unknown level: high From f01523d7915a12292d55c9fd6c1249207bcd1fc7 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:51:01 +0100 Subject: [PATCH 34/38] Integrity do not exist in file_event --- .../sysmon_non_priv_program_files_move.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules/windows/file_event => rules-unsupported}/sysmon_non_priv_program_files_move.yml (100%) diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules-unsupported/sysmon_non_priv_program_files_move.yml similarity index 100% rename from rules/windows/file_event/sysmon_non_priv_program_files_move.yml rename to rules-unsupported/sysmon_non_priv_program_files_move.yml From 82c9785f872abfe6ab245e691118e345e95db3e3 Mon Sep 17 00:00:00 2001 
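Review bot: `Image|endswith` in selection1 matches `'winword.exe'` without a leading `\`, so any image whose name merely ends in those characters also qualifies; the established form is `- '\winword.exe'`, `- '\excel.exe'`, `- '\powerpnt.exe'`. Since the `#useful_information` comment invites more extensions, the script and loader types Office malware commonly drops (`.js`, `.jse`, `.wsf`, `.hta`, `.lnk`, `.cpl`) are obvious candidates for the `TargetFilename|endswith` list. The `.proj` entry would also read better with a comment explaining it, presumably `# MSBuild project file, usable as a script host`.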
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 10 Nov 2021 19:57:46 +0100 Subject: [PATCH 35/38] Fix detection --- rules/windows/driver_load/driver_load_mal_creddumper.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml index 76fb665b7..3803a7313 100644 --- a/rules/windows/driver_load/driver_load_mal_creddumper.yml +++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml @@ -6,7 +6,7 @@ related: description: Detects well-known credential dumping tools execution via service execution events author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2021/10/14 +modified: 2021/11/10 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -26,7 +26,7 @@ logsource: category: driver_load detection: selection: - ImagePath|contains: + ImageLoaded|contains: - 'fgexec' - 'dumpsvc' - 'cachedump' From 510da0085ec62f882a6dd544afdcc595f5df356e Mon Sep 17 00:00:00 2001 From: ZikyHD Date: Wed, 10 Nov 2021 20:43:13 +0100 Subject: [PATCH 36/38] Update sysmon.py (#2234) Update sysmon.py and merge from master --- tools/sigma/backends/sysmon.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index 3b592525b..927d00dbc 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py 
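Review bot: The description still says the rule detects the tools `via service execution events`, but the logsource is `category: driver_load` and the selection now keys on `ImageLoaded` (the Sysmon event 6 field), so the text describes a different rule; suggest `description: Detects the loading of drivers shipped with well-known credential dumping tools (fgexec, dumpsvc, cachedump, ...)`. Matching `ImageLoaded|contains` on bare tool names is also loose, since `cachedump` anywhere in a driver path matches, though that predates this hunk; the list continues past the visible lines.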
@@ -213,9 +213,9 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): raise NotSupportedError("Not supported condition.") def createTableFromLogsource(self): - if self.logsource.get("product", "") != "windows": + if self.logsource.get("product", "") not in ("linux","windows"): raise NotSupportedError( - "Not supported logsource. Should be product `windows`.") + "Not supported logsource. Should be product `linux` or `windows`.") for item in self.logsource.values(): if str(item).lower() in self.allowedSource.keys(): self.table = self.allowedSource.get(item.lower()) @@ -248,4 +248,4 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): if sysmon_rule: rulegroup_comment = '' - return "{}\n{}".format(rulegroup_comment, sysmon_rule) \ No newline at end of file + return "{}\n{}".format(rulegroup_comment, sysmon_rule) From a9b49679d32d834103f42303f7a8f10ade97028a Mon Sep 17 00:00:00 2001 From: "redsand (Tim Shelton)" Date: Thu, 11 Nov 2021 01:01:53 -0600 Subject: [PATCH 37/38] Updates to hawk sigmac backend (#2244) Updated HAWK sigma backend --- tools/config/hawk.yml | 233 +++++++++++++++++++++++++++++++++-- tools/sigma/backends/hawk.py | 162 +++++++++++++++++------- 2 files changed, 343 insertions(+), 52 deletions(-) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index a9e7b9e01..cdfed557c 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml 
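Review bot: The last context line, `self.table = self.allowedSource.get(item.lower())`, still calls `.lower()` on the raw item although the membership test on the line above uses `str(item).lower()`; for a non-string logsource value the test can pass and the assignment then raises AttributeError. Use `self.table = self.allowedSource.get(str(item).lower())`. Widening the product check to `linux` only helps if `allowedSource` (not visible here) has linux categories; otherwise the loop falls through with `self.table` unset, so that table is worth checking in the same change. The method body continues past the hunk.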
@@ -7,11 +7,213 @@ logsources: product: apache conditions: product_name: '*apache*' + okta: + service: okta + conditions: + vendor_name: "Okta" + product_name: "Identity and Access Management" + onedrive: + service: onedrive + conditions: + vendor_name: "Microsoft" + product_name: "Onedrive" + onelogin-events: + service: onelogin.events + conditions: + vendor_name: "Microsoft" + product_name: "Onelogin" + microsoft365: + category: ThreatManagement + service: Microsoft365 + conditions: + vendor_name: "Microsoft" + product_name: "365" + m365: + category: ThreatManagement + service: m365 + conditions: + vendor_name: "Microsoft" + product_name: "365" + google-workspace: + service: google_workspace.admin + conditions: + vendor_name: "Google" + product_name: "Workspace" + guacamole: + service: guacamole + product_name: "Guacamole" + conditions: + vendor_name: "Guacamole" + google-cloud: + service: gcp.audit + conditions: + vendor_name: "Google" + product_name: "Cloud" + auditd: + service: auditd + conditions: + process_name: "auditd" + sshd: + service: sshd + conditions: + process_name: "sshd*" + syslog: + service: syslog + conditions: + process_name: "syslog*" + modsecurity: + service: modsecurity + conditions: + process_name: "modsec*" + msexchange-management: + service: msexchange-management + conditions: + channel: "MSExchange Management" windows: product: windows index: windows conditions: - vendor_name: 'Microsoft' + vendor_name: "Microsoft" + windows-stream-hash: + product: windows + category: create_stream_hash + conditions: + product_name: "Sysmon" + vendor_id: "15" + windows-create-remote-thread: + product: windows + category: create_remote_thread + conditions: + product_name: "Sysmon" + vendor_id: "8" + windows-process-access: + product: windows + category: process_access + conditions: + product_name: "Sysmon" + vendor_id: "10" + windows-process-creation: + product: windows + category: process_creation + conditions: + product_name: "Sysmon" + vendor_id: "1" + 
windows-network-connection: + product: windows + category: network_connection + conditions: + product_name: "Sysmon" + vendor_id: "3" + windows-sysmon-status: + product: windows + category: sysmon_status + conditions: + product_name: "Sysmon" + vendor_id: + - 4 + - 5 + windows-sysmon-error: + product: windows + category: sysmon_error + conditions: + product_name: "Sysmon" + vendor_id: "255" + windows-raw-access-thread: + product: windows + category: raw_access_thread + conditions: + product_name: "Sysmon" + vendor_id: 9 + windows-file-create: + product: windows + category: file_create + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-file-event: + product: windows + category: file_create + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-pipe-created: + product: windows + category: pipe_created + conditions: + product_name: "Sysmon" + vendor_id: + - 17 + - 18 + windows-dns-query: + product: windows + category: dns_query + conditions: + product_name: "Sysmon" + vendor_id: "22" + windows-file-delete: + product: windows + category: file_delete + conditions: + product_name: "Sysmon" + vendor_id: "23" + windows-wmi-sysmon: + product: windows + category: wmi_event + conditions: + product_name: "Sysmon" + vendor_id: + - 19 + - 20 + - 21 + windows-ldap-query: + product: windows + category: ldap_query + conditions: + channel: "Microsoft-Windows-LDAP-Client/Debug ETW" + windows-driver-load: + product: windows + category: driver_load + conditions: + product_name: "Sysmon" + vendor_id: "6" + windows-image-load: + product: windows + category: image_load + conditions: + product_name: "Sysmon" + vendor_id: "7" + clamav: + service: clamav + conditions: + process_name: "clamav*" + aws-cloudtrail: + service: cloudtrail + conditions: + vendor_name: "AWS CloudTrail" + zeek: + product: zeek + conditions: + vendor_name: "Zeek IDS" + azure-signin: + service: azure.signinlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + 
azure-auditlogs: + service: azure.auditlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + azure-activitylogs: + service: azure.activitylogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + azure-activity: + service: AzureActivity + conditions: + vendor_name: "Microsoft" + product_name: "Azure" windows-application: product: windows service: application @@ -55,14 +257,13 @@ logsources: windows-dns-server: product: windows service: dns-server - category: dns conditions: - product_name: 'DNS Server' + channel: 'DNS Server' windows-dns-server-audit: product: windows service: dns-server-audit conditions: - product_name: 'DNS-Server' + channel: 'DNS Server' windows-driver-framework: product: windows service: driver-framework @@ -89,11 +290,15 @@ logsources: conditions: product_name: - 'AppLocker' + windows-service-bus: + service: Microsoft-ServiceBus-Client + conditions: + product_name: "Microsoft-ServiceBus-Client" windows-msexchange-management: product: windows service: msexchange-management conditions: - product_name: 'MSExchange Management' + channel: 'MSExchange Management' windows-printservice-admin: product: windows service: printservice-admin @@ -109,6 +314,14 @@ logsources: service: smbclient-security conditions: product_name: 'SmbClient' + windows-registry: + product: windows + category: registry_event + conditions: + vendor_id: + - 12 + - 13 + - 14 qflow: product: qflow netflow: @@ -116,7 +329,7 @@ logsources: ipfix: product: ipfix flow: - category: flow + product: flow fieldmappings: dst: - ip_dst_host @@ -126,6 +339,9 @@ fieldmappings: - ip_src_host src_ip: - ip_src + IPAddress: ip_src + DNSAddress: dns_address + DCIPAddress: ip_src category: vendor_category error: error_code key: event_key 
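Review bot: `windows-file-event` is declared with `category: file_create`, which makes it a duplicate of `windows-file-create` and leaves the Sigma category `file_event` (the one used by the file-creation rules elsewhere in this series) without a mapping; it should read `category: file_event`. In the `guacamole` entry `product_name: "Guacamole"` sits at the logsource level rather than under `conditions:`, so, judging by the shape of every other entry, the loader will probably ignore it. `vendor_id` values also alternate between strings (`"11"`), bare integers (`9`) and lists of integers; whichever type the backend compares against, one of those forms will be wrong for some entries.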
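Review bot: `windows-registry` matches on `vendor_id` 12/13/14 alone, whereas every other Sysmon category in this file also requires `product_name: "Sysmon"`; without it the mapping will also claim non-Sysmon events with those IDs, and any `registry_event` rule will fire on them. Add `product_name: "Sysmon"` under its `conditions:`.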
@@ -171,7 +387,9 @@ fieldmappings: ServiceFileName: filename EventID: vendor_id SourceImage: parent_image + ImageLoaded: image_loaded Description: image_description + ScriptBlockText: value Product: image_product Company: image_company CurrentDirectory: path @@ -197,7 +415,6 @@ fieldmappings: Details: object_target CallTrace: calltrace IpAddress: ip_src - DCIPAddress: ip_src WorkstationName: hostname_src Workstation: hostname_src DestinationIp: ip_dst @@ -210,3 +427,5 @@ fieldmappings: TicketEncryptionType: sys.ticket.encryption.type DetectionSource: value Priority: event_priority + event_type_id: vendor_id + eventtype: vendor_type diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 7147ff37b..904e81563 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -20,6 +20,7 @@ import re import sigma import json import uuid +import re from sigma.parser.modifiers.base import SigmaTypeModifier from sigma.parser.modifiers.type import SigmaRegularExpressionModifier from .base import SingleTextQueryBackend 
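Review bot: The added `import re` duplicates the `import re` already present on the first context line of the hunk (`import re import sigma import json import uuid`). It is harmless at runtime but will be flagged by linters, so drop the added line.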
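Review bot: The new `ScriptBlockText: value` mapping sends that field to the same generic `value` column that `DetectionSource: value` already uses (visible two hunks down), so a rule constraining both fields would emit two constraints on one column. If `value` is HAWK's intended catch-all for free-text event content, a comment on the mapping line, `# generic event payload column, shared with DetectionSource`, would make that deliberate rather than accidental.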
@@ -62,27 +63,27 @@ class HAWKBackend(SingleTextQueryBackend): #print(type(node)) #print(node) if type(node) == sigma.parser.condition.ConditionAND: - return self.generateANDNode(node) + return self.generateANDNode(node, notNode) elif type(node) == sigma.parser.condition.ConditionOR: #print("OR NODE") #print(node) - return self.generateORNode(node) + return self.generateORNode(node, notNode) elif type(node) == sigma.parser.condition.ConditionNOT: #print("NOT NODE") #print(node) return self.generateNOTNode(node) elif type(node) == sigma.parser.condition.ConditionNULLValue: - return self.generateNULLValueNode(node) + return self.generateNULLValueNode(node, notNode) elif type(node) == sigma.parser.condition.ConditionNotNULLValue: return self.generateNotNULLValueNode(node) elif type(node) == sigma.parser.condition.NodeSubexpression: #print(node) - return self.generateSubexpressionNode(node) + return self.generateSubexpressionNode(node, notNode) elif type(node) == tuple: #print("TUPLE: ", node) return self.generateMapItemNode(node, notNode) elif type(node) in (str, int): - nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "regex" }, "str": { "value": "5" } } } + nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5", "regex": "true" } } } #key = next(iter(self.sigmaparser.parsedyaml['detection'])) key = "payload" @@ -94,7 +95,7 @@ class HAWKBackend(SingleTextQueryBackend): # they imply the entire payload nodeRet['description'] = key nodeRet['rule_id'] = str(uuid.uuid4()) - nodeRet['args']['str']['value'] = self.generateValueNode(node, False).replace("\\","\\\\") + nodeRet['args']['str']['value'] = re.escape(self.generateValueNode(node, False)) # .replace("\\","\\\\").replace(".","\\.") # return json.dumps(nodeRet) return nodeRet elif type(node) == list: 
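Review bot: In the keyword branch (`type(node) in (str, int)`) the value is now passed through `re.escape` and flagged `regex: "true"`, so a Sigma keyword such as `*mimikatz*` turns into a pattern requiring literal `\*` characters and can never match, unless `generateValueNode` (not visible here) strips the wildcards first; the map-item branch of the same patch does that stripping explicitly, this branch does not. Convert wildcards instead of escaping them, e.g. `nodeRet['args']['str']['value'] = ".*".join(re.escape(p) for p in self.generateValueNode(node, False).split("*"))`. Whether `generateValueNode` already transforms `*` decides which of the two is right, so that helper should be checked before merging.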
@@ -102,7 +103,7 @@ class HAWKBackend(SingleTextQueryBackend): else: raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node)))) - def generateANDNode(self, node): + def generateANDNode(self, node, notNode=False): """ generated = [ self.generateNode(val) for val in node ] filtered = [ g for g in generated if g is not None ] @@ -114,7 +115,7 @@ class HAWKBackend(SingleTextQueryBackend): return None """ ret = { "id" : "and", "key": "And", "children" : [ ] } - generated = [ self.generateNode(val) for val in node ] + generated = [ self.generateNode(val, notNode) for val in node ] filtered = [ g for g in generated if g is not None ] if filtered: if self.sort_condition_lists: @@ -125,11 +126,12 @@ class HAWKBackend(SingleTextQueryBackend): else: return None - def generateORNode(self, node): - #retAnd = { "id" : "and", "key": "And", "children" : [ ] } - - ret = { "id" : "or", "key": "Or", "children" : [ ] } - generated = [ self.generateNode(val) for val in node ] + def generateORNode(self, node, notNode=False): + if notNode: + ret = { "id" : "and", "key": "And", "children" : [ ] } + else: + ret = { "id" : "or", "key": "Or", "children" : [ ] } + generated = [ self.generateNode(val, notNode) for val in node ] filtered = [ g for g in generated if g is not None ] if filtered: if self.sort_condition_lists: @@ -142,8 +144,8 @@ class HAWKBackend(SingleTextQueryBackend): else: return None - def generateSubexpressionNode(self, node): - generated = self.generateNode(node.items) + def generateSubexpressionNode(self, node, notNode=False): + generated = self.generateNode(node.items, notNode) if 'len'in dir(node.items): # fix the "TypeError: object of type 'NodeSubexpression' has no len()" if len(node.items) == 1: # A sub expression with length 1 is not a proper sub expression, no self.subExpression required 
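Review bot: `generateANDNode` keeps `"id": "and"` when `notNode` is set while pushing the negation into its children, which produces (¬A ∧ ¬B) for ¬(A ∧ B); De Morgan requires the container to flip to `or`, exactly as `generateORNode` in the next hunk flips to `and`. For a multi-key filter map used as `selection and not filter` the generated tree therefore suppresses any event matching either key instead of only events matching all of them, so the converted rule under-detects. Mirror the OR branch: `ret = { "id" : "or", "key": "Or", "children" : [ ] } if notNode else { "id" : "and", "key": "And", "children" : [ ] }`. How `notNode` is seeded depends on `generateNOTNode`, which is outside the hunk.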
@@ -182,12 +184,13 @@ class HAWKBackend(SingleTextQueryBackend): elif type(value) == str and "*" in value: # value = value.replace("*", ".*") value = value.replace("*", "") - value = value.replace("\\", "\\\\") + value = re.escape(value) # .replace("\\", "\\\\").replace(".","\\.") if notNode: - nodeRet["args"]["comparison"]["value"] = "!regex" + nodeRet["args"]["comparison"]["value"] = "!=" else: - nodeRet['args']['comparison']['value'] = "regex" + nodeRet['args']['comparison']['value'] = "=" nodeRet['args']['str']['value'] = value + nodeRet['args']['str']['regex'] = "true" # return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True)) #return json.dumps(nodeRet) return nodeRet 
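Review bot: `value.replace("*", "")` followed by `re.escape(value)` turns an interior wildcard into nothing, so a Sigma value like `\Temp\*.ps1` becomes the escaped literal `\Temp\.ps1` and no longer matches `C:\Temp\x.ps1`; the old code stripped the same way, but now that the value is sent with `regex: "true"` the correct translation is one line: `value = ".*".join(re.escape(p) for p in value.split("*"))`. If HAWK's regex comparison is anchored (not visible here), leading and trailing wildcards also need this rather than removal, or every `endswith`-style rule stops matching. generateMapItemNode starts and ends outside this hunk.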
@@ -214,14 +217,27 @@ class HAWKBackend(SingleTextQueryBackend): return self.generateMapItemTypedNode(key, value) elif value is None: #return self.nullExpression % (key, ) - nodeRet['args']['str']['value'] = None + #print("Performing null") + #print(notNode) + #print(key) + nodeRet = { "key" : "empty", "description" : "Value Does Not Exist (IS NULL)", "class" : "function", "inputs" : { "comparison" : { "order" : 0, "source" : "comparison", "type" : "comparison" }, "column" : { "order" : 1, "source" : "columns", "type" : "str" } }, "args" : { "comparison" : { "value" : "!=" }, "column" : { "value" : "" } }, "return" : "boolean" } + nodeRet['args']['column']['value'] = self.cleanKey(key).lower() + nodeRet['description'] += " %s" % key + if notNode: + nodeRet['args']['comparison']['value'] = "!=" + else: + nodeRet['args']['comparison']['value'] = "=" #return json.dumps(nodeRet) + #print(json.dumps(nodeRet)) return nodeRet else: raise TypeError("Backend does not support map values of type " + str(type(value))) def generateMapItemListNode(self, key, value, notNode=False): - ret = { "id" : "or", "key": "Or", "children" : [ ] } + if notNode: + ret = { "id" : "and", "key": "And", "children" : [ ] } + else: + ret = { "id" : "or", "key": "Or", "children" : [ ] } for item in value: nodeRet = {"key": "", "description": "", "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "5" } } } nodeRet['key'] = self.cleanKey(key).lower() 
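Review bot: The null branch rebuilds `nodeRet` from a fresh literal, so anything set on it earlier in the method (its start is outside the hunk) is discarded — in particular the `rule_id` that every other emitted node in this file receives via `uuid.uuid4()`; if HAWK requires it on function nodes as well, add `nodeRet['rule_id'] = str(uuid.uuid4())` right after the literal. The `"!="` placed inside the literal is overwritten unconditionally two lines later, so the literal should carry the `"="` default and only the `if notNode:` assignment should remain. The three `#print` lines are debug leftovers and should go. A one-line comment stating which comparison on the `empty` function means "field absent" would also help, because the description string says IS NULL while the code selects between `=` and `!=`.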
@@ -232,15 +248,15 @@ class HAWKBackend(SingleTextQueryBackend): ret['children'].append( nodeRet ) elif type(item) == str and "*" in item: item = item.replace("*", "") - item = item.replace("\\", "\\\\") - # item = item.replace("*", ".*") + item = re.escape(item) # .replace("\\", "\\\\").replace(".","\\.") #print("item") #print(item) nodeRet['args']['str']['value'] = item # self.generateValueNode(item, True) + nodeRet['args']['str']['regex'] = "true" if notNode: - nodeRet["args"]["comparison"]["value"] = "!regex" + nodeRet["args"]["comparison"]["value"] = "!=" else: - nodeRet['args']['comparison']['value'] = "regex" + nodeRet['args']['comparison']['value'] = "=" ret['children'].append( nodeRet ) else: #print("item2") 
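Review bot: `item.replace("*", "")` then `re.escape(item)` drops interior wildcards from list values exactly as the scalar branch of generateMapItemNode does, so `*\Temp\*.ps1` collapses to the literal `\Temp\.ps1` and the list entry silently stops matching what the rule author wrote. Use `item = ".*".join(re.escape(p) for p in item.split("*"))` so each piece is escaped and the wildcard survives as `.*`. The enclosing `for item in value:` loop and generateMapItemListNode begin before this hunk.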
@@ -258,35 +274,21 @@ class HAWKBackend(SingleTextQueryBackend): nodeRet['rule_id'] = str(uuid.uuid4()) if type(value) == SigmaRegularExpressionModifier: regex = str(value) - """ - # Regular Expressions have to match the full value in QRadar - if not (regex.startswith('^') or regex.startswith('.*')): - regex = '.*' + regex - if not (regex.endswith('$') or regex.endswith('.*')): - regex = regex + '.*' - return "%s imatches %s" % (self.cleanKey(fieldname), self.generateValueNode(regex, True)) - """ - #print("ENDS WITH!!!") - nodeRet['args']['str']['value'] = self.generateValueNode(regex, True).replace("\\", "\\\\") + nodeRet['args']['str']['value'] = re.escape(self.generateValueNode(regex, True)) # .replace("\\", "\\\\").replace(".","\\.") + nodeRet['args']['str']['regex'] = "true" if notNode: - nodeRet["args"]["comparison"]["value"] = "!regex" + nodeRet["args"]["comparison"]["value"] = "!=" else: - nodeRet['args']['comparison']['value'] = "regex" + nodeRet['args']['comparison']['value'] = "=" # return json.dumps(nodeRet) return nodeRet else: raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier)) def generateValueNode(self, node, keypresent): - """ - if keypresent == False: - return "payload regex \'{0}{1}{2}\'".format("%", self.cleanValue(str(node)), "%") - else: - return self.valueExpression % (self.cleanValue(str(node))) - """ return self.valueExpression % (self.cleanValue(str(node))) - def generateNULLValueNode(self, node): + def generateNULLValueNode(self, node, notNode): # node.item nodeRet = {"key": node.item, "description": node.item, "class": "column", "return": "str", "args": { "comparison": { "value": "=" }, "str": { "value": "null" } } } nodeRet['rule_id'] = str(uuid.uuid4()) 
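Review bot: `re.escape(self.generateValueNode(regex, True))` is applied to a value that is already a regular expression (`SigmaRegularExpressionModifier`, i.e. a Sigma `|re` field), so every metacharacter the rule author wrote — `.*`, `[0-9]`, `^` — becomes a literal and the pattern can no longer match its intended input; this line should be `nodeRet['args']['str']['value'] = self.generateValueNode(regex, True)`, passing the pattern through, and the removed `.replace("\\", "\\\\")` should not come back either since it turned `\d` into a literal backslash followed by d. Separately, `generateNULLValueNode(self, node, notNode)` gives `notNode` no default while every sibling in this commit uses `notNode=False`, and the body visible here does not read it, so it should take the same default. The enclosing method starts before this hunk and generateNULLValueNode ends after it.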
@@ -440,6 +442,72 @@ class HAWKBackend(SingleTextQueryBackend): return result + def dedupeAnds(self, arr, parentAnd=False): + # simple dedupe + for i in range(0, len(arr)): + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + + if len(arr[i]['children']) == 1 and 'id' in arr[i]['children'][0] and arr[i]['children'][0]['id'].lower() == "and": + arr[i] = arr[i]['children'][0] + + + return arr + + """ + for i in range(0, len(arr)): + if parentAnd and 'id' in arr[i] and arr[i]['id'].lower() == "and": + isAnd = True + else: + isAnd = False + + if 'children' in arr[i]: + arr[i]['children'] = self.dedupeAnds(arr['i']['children'], isAnd) + + if parentAnd and 'id' in arr[i] and arr[i]['id'].lower() == "and": + pass + + if len(arr) == 1 and 'id' in arr[0] and arr[0]['id'].lower() == "and": + # print("Returning less!") + for i in range(0, len(arr) ): + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + return arr[0]['children'] + + """ + return arr + + """ + def dedupeAnds(self, arr, parentAnd=False): + #if not parentAnd: + # for i in range(0, len(arr) ): + # if 'id' in arr[i] and arr[i]['id'].lower() == "and": + # arr[i]['children'] = self.dedupeAnds(arr[i]['children'], False) + + if len(arr) == 1 and 'id' in arr[0] and arr[0]['id'].lower() == "and": + # print("Returning less!") + for i in range(0, len(arr) ): + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + return arr[0]['children'] + + allAndCheck = True + for i in range(0, len(arr) ): + # print(arr[i]) + if 'id' in arr[i] and arr[i]['id'].lower() == "and": + arr[i]['children'] = self.dedupeAnds(arr[i]['children']) + else: + allAndCheck = False + + + x = [ ] + if allAndCheck: + for i in range(0, len(arr)): + x = x + arr[i]['children'] + return x + return arr + """ + def generateQuery(self, parsed, sigmaparser): self.sigmaparser = 
sigmaparser result = self.generateNode(parsed.parsedSearch) @@ -508,6 +576,9 @@ class HAWKBackend(SingleTextQueryBackend): analytic_txt = ret + result + ret2 # json.dumps(ret) try: analytic = json.loads(analytic_txt) # json.dumps(ret) + # analytic = self.dedupeAnds(analytic) + analytic[0]['children'] = self.dedupeAnds(analytic[0]['children'], True) + except Exception as e: print("Failed to parse json: %s" % analytic_txt) raise Exception("Failed to parse json: %s" % analytic_txt) @@ -535,12 +606,13 @@ class HAWKBackend(SingleTextQueryBackend): record = { "rules" : analytic, # analytic_txt.replace('"','""'), "filter_name" : sigmaparser.parsedyaml['title'], + "filter_details" : cmt, "actions_category_name" : "Add (+)", "correlation_action" : 5.00, "date_added" : sigmaparser.parsedyaml['date'], - "enabled" : True, + "enabled" : False, + # "enabled" : True, "public" : True, - "comments" : cmt, "references" : ref, "group_name" : ".", "hawk_id" : sigmaparser.parsedyaml['id'] From b61e92ae1deb44a0ba5830304886ea763dbcd6ab Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 11 Nov 2021 16:12:49 +0100 Subject: [PATCH 38/38] fix: FP with VSCode --- .../process_creation/win_susp_script_exec_from_temp.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml index 5389761e7..1a817b30f 100644 --- a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml +++ b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml @@ -6,7 +6,7 @@ references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ author: Florian Roth, Max Altgelt date: 2021/07/14 -modified: 2021/08/10 +modified: 2021/11/11 tags: - attack.execution logsource: 
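Review bot: dedupeAnds carries two string-literal blocks of abandoned implementations after its first `return arr`, plus a second unreachable `return arr`, and `parentAnd` is accepted but never read; dead alternatives belong in git history, not in the method. Indentation was lost in this view, but if the `len(arr[i]['children']) == 1` test is not nested under the `id == "and"` check it raises KeyError on any leaf column node, which has no `children` key. The rewrite below keeps the one behaviour the live code has — collapsing an And whose sole child is an And — guards the lookups, and keeps the unused second parameter because generateQuery passes `True` for it.
```python
    def dedupeAnds(self, arr, parentAnd=False):
        """Collapse each And node whose only child is another And node into that child.

        parentAnd is unused; kept so the existing caller in generateQuery keeps working.
        """
        for i, node in enumerate(arr):
            if node.get('id', '').lower() != "and":
                continue
            node['children'] = self.dedupeAnds(node.get('children', []))
            if len(node['children']) == 1 and node['children'][0].get('id', '').lower() == "and":
                arr[i] = node['children'][0]
        return arr
```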
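Review bot: `analytic[0]['children'] = self.dedupeAnds(...)` now runs inside the `try` whose `except` reports "Failed to parse json", so an IndexError from an empty `analytic` or a KeyError on a node without `children` will be misreported as a JSON parse failure, and the generic `raise Exception(...)` without a cause discards the real traceback. Move the dedupe call below the except block and chain the cause: `raise Exception("Failed to parse json: %s" % analytic_txt) from e`. The commented `# analytic = self.dedupeAnds(analytic)` line is leftover noise. generateQuery starts before and ends after this hunk.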
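Review bot: `"enabled" : False` silently changes the output contract — every rule converted by this backend now imports into HAWK switched off, and the `# "enabled" : True` remnant does not say why; replace that remnant with a comment stating the reason, presumably something like `# Import disabled: converted rules are reviewed by an analyst before they start alerting`, so an operator knows rules must be enabled explicitly or no detection fires. The rename of `comments` to `filter_details` likewise drops a key any existing consumer of the record may read; if HAWK still accepts `comments`, emitting both for one release is the safer change. The record literal and generateQuery extend beyond this hunk.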
@@ -32,6 +32,7 @@ detection:
 - ' >'
 - 'Out-File'
 - 'ConvertTo-Json'
+ - '-WindowStyle hidden -Verb runAs' # VSCode behaviour if file cannot be written as current user
 condition: selection and not filter
 falsepositives:
 - Administrative scripts
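Review bot: Adding `'-WindowStyle hidden -Verb runAs'` to the exclusion list means any script launched from a temp directory is ignored as soon as its command line contains that substring, and hidden window plus self-elevation is itself a common malicious pattern, so the FP fix creates a trivial bypass: an attacker only has to append it. The `filter:` block and the field it matches on (presumably a `CommandLine|contains` list; the start of the block is outside the hunk) should scope this exclusion to the VSCode parent instead of a bare substring, as sketched below. At minimum the `falsepositives` entry should state that the rule will not fire on scripts carrying this command-line pattern, so the gap is documented rather than hidden.
```yaml
    filter:
        # … unchanged: existing exclusions …
    filter_vscode:
        ParentImage|endswith: '\Code.exe'
        CommandLine|contains: '-WindowStyle hidden -Verb runAs'
    condition: selection and not filter and not filter_vscode
```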