From 334301c18580d625b96810c2b858c5aeff6f10fa Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Fri, 25 Oct 2019 17:57:56 +0300
Subject: [PATCH 1/5] OSCD event rules from Jet CSIRT team

---
 rules/generic/generic_brute_force.yml | 26 ++++++++++++++
 .../lnx_auditd_auditing_config_change.yml | 34 ++++++++++++++++++
 .../lnx_auditd_logging_config_change.yml | 33 +++++++++++++++++
 .../unsupported/sysmon_process_reimaging.yml | 35 +++++++++++++++++++
 .../sysmon_narrator_feedback_persistance.yml | 26 ++++++++++++++
 .../sysmon_regsvr32_network_activity.yml | 34 ++++++++++++++++++
 6 files changed, 188 insertions(+)
 create mode 100644 rules/generic/generic_brute_force.yml
 create mode 100644 rules/linux/auditd/lnx_auditd_auditing_config_change.yml
 create mode 100644 rules/linux/auditd/lnx_auditd_logging_config_change.yml
 create mode 100644 rules/unsupported/sysmon_process_reimaging.yml
 create mode 100644 rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
 create mode 100644 rules/windows/sysmon/sysmon_regsvr32_network_activity.yml

diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml
new file mode 100644
index 000000000..b540449da
--- /dev/null
+++ b/rules/generic/generic_brute_force.yml
@@ -0,0 +1,26 @@
+title: Brute Force
+description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
+references:
+    - https://attack.mitre.org/techniques/T1110/
+tags:
+    - attack.t1110
+author: Aleksandr Akhremchik, oscd.community
+date: 2019/10/25
+status: experimental
+logsource:
+    category: authentication
+detection:
+    selection:
+        action: failure
+    timeframe: 600s
+    condition: selection | count(category) by dst_ip > 30
+fields:
+    - src_ip
+    - dst_ip
+    - user
+falsepositives:
+    - Inventarization
+    - Penetration testing
+    - Vulnerability scanner
+    - Legitimate application
+level: medium
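Review bot: The aggregation `condition: selection | count(category) by dst_ip > 30` does not express what the description promises ("from one source to one destination"): grouping by `dst_ip` alone sums failures from every client against a destination, so thirty-one different users each mistyping a password once at one server crosses the threshold, and `count(category)` appears to count the logsource category rather than an event attribute. Grouping on the source is closer to the stated intent, e.g. `condition: selection | count() by src_ip > 30`, and the description should be reworded to match whichever grouping is kept. `tags` carries only the technique while the other rules in this series also carry the tactic, so add `- attack.credential_access` above `- attack.t1110`. Also "which is may indicate" → "which may indicate" and "Inventarization" → "Inventory".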
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
new file mode 100644
index 000000000..2e0594bd8
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -0,0 +1,34 @@
+title: Auditing configuration changes on linux host
+description: Detect changes if auditd configuration files
+    # Example config for this one (place it at the top of audit.rules)
+    # -w /etc/audit/ -p wa -k etc_modify_auditconfig
+    # -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
+    # -w /etc/audisp/ -p wa -k etc_modify_audispconfig
+references:
+    - https://github.com/Neo23x0/auditd/blob/master/audit.rules
+    - https://attack.mitre.org/techniques/T1054/
+    - self experience
+tags:
+    - attack.defense_evasion
+    - attack.t1054
+author: Mikhail Larin, oscd community
+status: experimental
+date: 2019/10/25
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        key:
+            - 'etc_modify_auditconfig'
+            - 'etc_modify_libauditconfig'
+            - 'etc_modify_audispconfig'
+    condition: selection
+fields:
+    - exe
+    - comm
+    - key
+falsepositives:
+    - Legitimate administrative activity
+level: high
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
new file mode 100644
index 000000000..bcc071bcb
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
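Review bot: The detection matches only the `key` values an administrator assigns in `audit.rules`; the three `etc_modify_*` keys exist nowhere but in the comment under `description`, so on a host whose watches use different `-k` names the rule silently matches nothing. State that coupling in the rule text rather than a comment, e.g. `description: Detects changes of auditd configuration files. Requires the audit watches listed below, with exactly these keys.`, which also fixes "changes if" → "changes of". As far as the watches shown go, rule changes made at runtime with `auditctl` are not covered, since those produce an audit `CONFIG_CHANGE` record rather than a write under `/etc/audit/`; either say so in `description` or add a second selection on `type: 'CONFIG_CHANGE'` if that is meant to be in scope.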
@@ -0,0 +1,33 @@
+title: Logging configuration changes on linux host
+description: Detect changes of syslog daemons configuration files
+    # Example config for this one (place it at the top of audit.rules)
+    # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
+    # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
+    # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
+references:
+    - https://attack.mitre.org/techniques/T1054/
+    - self experience
+tags:
+    - attack.defense_evasion
+    - attack.t1054
+author: Mikhail Larin, oscd community
+status: experimental
+date: 2019/10/25
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        key:
+            - 'etc_modify_syslogconfig'
+            - 'etc_modify_rsyslogconfig'
+            - 'etc_modify_syslogngconfig'
+    condition: selection
+fields:
+    - exe
+    - comm
+    - key
+falsepositives:
+    - Legitimate administrative activity
+level: high
diff --git a/rules/unsupported/sysmon_process_reimaging.yml b/rules/unsupported/sysmon_process_reimaging.yml
new file mode 100644
index 000000000..16a422199
--- /dev/null
+++ b/rules/unsupported/sysmon_process_reimaging.yml
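Review bot: The example watches cover only the top-level files `/etc/syslog.conf`, `/etc/rsyslog.conf` and `/etc/syslog-ng/syslog-ng.conf`; stock rsyslog and syslog-ng installations commonly include drop-in directories (`/etc/rsyslog.d/`, `/etc/syslog-ng/conf.d/`), and journald's `/etc/systemd/journald.conf` is not watched at all, so a change that reroutes or silences logs through a drop-in file is missed. Add directory watches to the comment block, e.g. `# -w /etc/rsyslog.d/ -p wa -k etc_modify_rsyslogconfig`, reusing the existing key so the `key` list under `selection` stays valid. As with the sibling auditd rule, the dependency on these exact `-k` names belongs in `description`, not only in a comment; "syslog daemons configuration" → "syslog daemons' configuration" while editing it.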
@@ -0,0 +1,35 @@
+title: Defense evasion via process reimaging
+description: Detects process reimaging defense evasion technique, where
+# ImageFileName != OriginalFileName
+# ProcessGuid = ParentProcessGuid
+# Image = TargetFileName
+# Image = ^.+\\$
+references:
+    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
+tags:
+    - attack.defense_evasion
+author: Alexey Balandin, oscd community
+status: experimental
+date: 2019/10/25
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    condition: all of them
+    # Create Process Sysmon Event
+    selection1:
+        EventID: 1
+    # Create File Sysmon Event
+    selection2:
+        EventID: 11
+fields:
+    - Image
+    - OriginalFileName
+    - ProcessGuid
+    - ParentProcessGuid
+    - TargetFileName
+new_fields:
+    - ImageFileName
+falsepositives:
+    - unknown
+level: high
diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
new file mode 100644
index 000000000..de139f461
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
@@ -0,0 +1,26 @@
+title: Narrator's Feedback-Hub Persistence
+description: Detects abusing Windows 10 Narrator's Feedback-Hub
+references:
+    - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
+tags:
+    - attack.persistence
+author: Dmitriy Lifanov, oscd community
+status: experimental
+date: 2019/10/25
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    condition: 1 of them
+    # Registry Object Delete
+    selection1:
+        EventID: 12
+        EventType: DeleteValue
+        TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
+    # Registry Object Value Set
+    selection2:
+        EventID: 13
+        TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
+falsepositives:
+    - unknown
+level: high
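Review bot: In the narrator rule, `selection2` fires on any value set of `(Default)` under that command key, and the opaque `AppXypsaf9f1qserqevf0sws76dx4k9a5206` ProgID is never explained, so a reader cannot judge whether a hit is the technique from the reference or a benign rewrite of the handler. Presumably installation or updates of the Feedback Hub package re-register this key (verify on a test host); if so, that belongs under `falsepositives` instead of `unknown`, and `level: high` should be reconsidered for `selection2` alone. Add a comment above `selection1` naming what the path is, e.g. `# Feedback Hub protocol handler launched by Narrator; see reference`, so the two selections are understandable without opening the blog post. The description also reads "Detects abusing …"; "Detects abuse of Windows 10 Narrator's Feedback-Hub handler for persistence" is clearer.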
diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
new file mode 100644
index 000000000..c987a1b2f
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
@@ -0,0 +1,34 @@
+title: Regsvr32 network activity
+description: Detects network connections and DNS queries initiated by Regsvr32.exe
+references:
+    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1117
+author: Dmitriy Lifanov, oscd community
+status: experimental
+date: 2019/10/25
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    condition: 1 of them
+    selection1:
+        EventID: 3
+        Image: '*\System32\regsvr32.exe'
+    selection2:
+        EventID: 22
+        Image: '*\System32\regsvr32.exe'
+# The 32-bit version of Regsvr32.exe on a 64-bit Windows version
+    selection3:
+        EventID: 3
+        Image: '*\SysWoW64\regsvr32.exe'
+    selection4:
+        EventID: 22
+        Image: '*\SysWoW64\regsvr32.exe'
+falsepositives:
+    - unknown
+level: high

From 1f6aec8060f540b8f33ea1df5f1ecefb58dcb939 Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Sun, 27 Oct 2019 15:33:38 +0300
Subject: [PATCH 2/5] removed unsupported rule from oscd branch

---
 .../unsupported/sysmon_process_reimaging.yml | 35 -------------------
 1 file changed, 35 deletions(-)
 delete mode 100644 rules/unsupported/sysmon_process_reimaging.yml

diff --git a/rules/unsupported/sysmon_process_reimaging.yml b/rules/unsupported/sysmon_process_reimaging.yml
deleted file mode 100644
index 16a422199..000000000
--- a/rules/unsupported/sysmon_process_reimaging.yml
+++ /dev/null
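Review bot: `selection2` and `selection4` rely on Sysmon EventID 22 (DNS query), which Sysmon emits only from version 10 onward and only when the sensor configuration contains a `DnsQuery` rule; on a sensor without it the rule quietly degrades to the EventID 3 selections with no indication that half the coverage is missing. A comment above `selection2`, `# EventID 22 needs Sysmon >= 10 with DnsQuery logging enabled`, keeps deployers from assuming coverage they do not have; the same caveat applies to the `- 22` entry in the rewrite of this rule in patch 5/5. `falsepositives: - unknown` is also weak for a rule at `level: high`; whatever benign regsvr32 network activity was observed while testing belongs here, even if it is "none seen".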
@@ -1,35 +0,0 @@
-title: Defense evasion via process reimaging
-description: Detects process reimaging defense evasion technique, where
-# ImageFileName != OriginalFileName
-# ProcessGuid = ParentProcessGuid
-# Image = TargetFileName
-# Image = ^.+\\$
-references:
-    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
-tags:
-    - attack.defense_evasion
-author: Alexey Balandin, oscd community
-status: experimental
-date: 2019/10/25
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    condition: all of them
-    # Create Process Sysmon Event
-    selection1:
-        EventID: 1
-    # Create File Sysmon Event
-    selection2:
-        EventID: 11
-fields:
-    - Image
-    - OriginalFileName
-    - ProcessGuid
-    - ParentProcessGuid
-    - TargetFileName
-new_fields:
-    - ImageFileName
-falsepositives:
-    - unknown
-level: high

From 3376cf4dd800fd69864d772a8694379f6699a02b Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 29 Oct 2019 01:40:06 +0300
Subject: [PATCH 3/5] fix some typos and remove redundand references

---
 rules/generic/generic_brute_force.yml | 2 +-
 rules/linux/auditd/lnx_auditd_auditing_config_change.yml | 3 +--
 rules/linux/auditd/lnx_auditd_logging_config_change.yml | 3 +--
 rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml | 2 +-
 rules/windows/sysmon/sysmon_regsvr32_network_activity.yml | 2 +-
 5 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml
index b540449da..5e42646de 100644
--- a/rules/generic/generic_brute_force.yml
+++ b/rules/generic/generic_brute_force.yml
@@ -1,7 +1,7 @@
 title: Brute Force
 description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
 references:
-    - https://attack.mitre.org/techniques/T1110/
+    - None
 tags:
     - attack.t1110
 author: Aleksandr Akhremchik, oscd.community
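Review bot: `- None` under `references` is a YAML string scalar `"None"`, not a null, so any tooling that iterates references now receives a bogus entry where it previously received a valid URL. If the MITRE link is considered redundant with `attack.t1110`, drop the `references` key entirely or write `references: []`; a placeholder string is the one option that looks like data without being any. The other four hunks in this patch only remove the same MITRE link and fix `oscd community` → `oscd.community`, which is fine.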
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
index 2e0594bd8..cd02b1595 100644
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -6,12 +6,11 @@ description: Detect changes if auditd configuration files
     # -w /etc/audisp/ -p wa -k etc_modify_audispconfig
 references:
     - https://github.com/Neo23x0/auditd/blob/master/audit.rules
-    - https://attack.mitre.org/techniques/T1054/
     - self experience
 tags:
     - attack.defense_evasion
     - attack.t1054
-author: Mikhail Larin, oscd community
+author: Mikhail Larin, oscd.community
 status: experimental
 date: 2019/10/25
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
index bcc071bcb..c9977f619 100644
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -5,12 +5,11 @@ description: Detect changes of syslog daemons configuration files
     # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
     # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
 references:
-    - https://attack.mitre.org/techniques/T1054/
     - self experience
 tags:
     - attack.defense_evasion
     - attack.t1054
-author: Mikhail Larin, oscd community
+author: Mikhail Larin, oscd.community
 status: experimental
 date: 2019/10/25
 logsource:
diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
index de139f461..ff59f881d 100644
--- a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
+++ b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
@@ -4,7 +4,7 @@ references:
     - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
 tags:
     - attack.persistence
-author: Dmitriy Lifanov, oscd community
+author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
 logsource:
diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
index c987a1b2f..dd9f0b7b6 100644
--- a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
+++ b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
@@ -8,7 +8,7 @@ tags:
     - attack.execution
     - attack.defense_evasion
     - attack.t1117
-author: Dmitriy Lifanov, oscd community
+author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
 logsource:

From 0beeaadb6f6cd2b44b2b8ba93b03efc2b03e640c Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Sun, 10 Nov 2019 22:47:48 +0300
Subject: [PATCH 4/5] Update sysmon_narrator_feedback_persistance.yml

---
 .../sysmon/sysmon_narrator_feedback_persistance.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
index ff59f881d..687d7ea8c 100644
--- a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
+++ b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
@@ -4,23 +4,23 @@ references:
     - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
 tags:
     - attack.persistence
+    - attack.t1060
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
+modified: 2019/11/10
 logsource:
     product: windows
     service: sysmon
 detection:
     condition: 1 of them
-    # Registry Object Delete
     selection1:
         EventID: 12
         EventType: DeleteValue
-        TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
-    # Registry Object Value Set
+        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
     selection2:
         EventID: 13
-        TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
+        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
 falsepositives:
     - unknown
 level: high

From fcde35d6abb9e28856663b201d51da1e225b2eec Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Sun, 10 Nov 2019 22:51:53 +0300
Subject: [PATCH 5/5] Update sysmon_regsvr32_network_activity.yml

---
 .../sysmon_regsvr32_network_activity.yml | 21 +++++++------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
index dd9f0b7b6..5194d4090 100644
--- a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
+++ b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
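Review bot: Dropping `# Registry Object Delete` and `# Registry Object Value Set` leaves `EventID: 12` / `EventID: 13` and the `AppXypsaf9f1qserqevf0sws76dx4k9a5206` ProgID with no explanation at all, which was already thin before this change; keep one comment per selection, e.g. `# Sysmon 12 (registry object deleted): DelegateExecute removed from the Feedback Hub handler's command key`, and the matching `# Sysmon 13 (registry value set)` line above `selection2`. The switch from a leading `*` wildcard to `TargetObject|endswith` is equivalent here and is the right modifier. `attack.t1060` (Registry Run Keys / Startup Folder) is a loose fit for rewriting an AppX protocol handler's `Shell\open\command`; if no closer technique exists in the ATT&CK version the repository tracks, the tactic tag alone is more honest than a mismatched technique.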
@@ -11,24 +11,17 @@ tags:
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
+modified: 2019/11/10
 logsource:
     product: windows
     service: sysmon
 detection:
-    condition: 1 of them
-    selection1:
-        EventID: 3
-        Image: '*\System32\regsvr32.exe'
-    selection2:
-        EventID: 22
-        Image: '*\System32\regsvr32.exe'
-# The 32-bit version of Regsvr32.exe on a 64-bit Windows version
-    selection3:
-        EventID: 3
-        Image: '*\SysWoW64\regsvr32.exe'
-    selection4:
-        EventID: 22
-        Image: '*\SysWoW64\regsvr32.exe'
+    selection:
+        EventID:
+            - 3
+            - 22
+        Image|endswith: '\regsvr32.exe'
+    condition: selection
 falsepositives:
     - unknown
 level: high
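Review bot: Collapsing the four selections into `Image|endswith: '\regsvr32.exe'` also removes the only comment that explained why the SysWoW64 path was listed, so a reader no longer sees that both the 64-bit and the 32-bit copy are intended. Add `# matches both the System32 and the SysWoW64 (32-bit) copy` above `Image|endswith`. Because `endswith` no longer restricts the directory, a binary of that name anywhere on disk now matches; that is a coverage gain, but say so in `description` (e.g. "… initiated by any regsvr32.exe, regardless of path") so the wider scope is deliberate rather than accidental. The Sysmon >= 10 / `DnsQuery` caveat raised on the original rule in patch 1/5 still applies to `- 22` here.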