diff --git a/rules/application/antivirus/av_exploiting.yml b/rules/application/antivirus/av_exploiting.yml
index c59de7e70..b8f836a5d 100644
--- a/rules/application/antivirus/av_exploiting.yml
+++ b/rules/application/antivirus/av_exploiting.yml
@@ -2,40 +2,40 @@ title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: test
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
-author: Florian Roth
references:
- - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+ - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+author: Florian Roth
date: 2018/09/09
modified: 2022/05/12
-logsource:
- category: antivirus
-detection:
- selection:
- Signature|contains:
- - 'MeteTool'
- - 'MPreter'
- - 'Meterpreter'
- - 'Metasploit'
- - 'PowerSploit'
- - 'CobaltStrike'
- - 'Swrort'
- - 'Rozena'
- - 'Backdoor.Cobalt'
- - 'CobaltStr'
- - 'COBEACON'
- - 'Cometer'
- - 'Razy'
- - 'IISExchgSpawnCMD'
- - 'Exploit.Script.CVE'
- condition: selection
-fields:
- - FileName
- - User
-falsepositives:
- - Unlikely
-level: critical
tags:
- - attack.execution
- - attack.t1203
- - attack.command_and_control
- - attack.t1219
+ - attack.execution
+ - attack.t1203
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ category: antivirus
+detection:
+ selection:
+ Signature|contains:
+ - 'MeteTool'
+ - 'MPreter'
+ - 'Meterpreter'
+ - 'Metasploit'
+ - 'PowerSploit'
+ - 'CobaltStrike'
+ - 'Swrort'
+ - 'Rozena'
+ - 'Backdoor.Cobalt'
+ - 'CobaltStr'
+ - 'COBEACON'
+ - 'Cometer'
+ - 'Razy'
+ - 'IISExchgSpawnCMD'
+ - 'Exploit.Script.CVE'
+ condition: selection
+fields:
+ - FileName
+ - User
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/application/antivirus/av_hacktool.yml b/rules/application/antivirus/av_hacktool.yml
index c5eb0a830..8c29fdb92 100644
--- a/rules/application/antivirus/av_hacktool.yml
+++ b/rules/application/antivirus/av_hacktool.yml
@@ -22,9 +22,9 @@ detection:
- Signature|contains:
- 'Hacktool'
condition: selection
-falsepositives:
- - Unlikely
-level: high
fields:
- FileName
- User
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/antivirus/av_password_dumper.yml b/rules/application/antivirus/av_password_dumper.yml
index a8731c654..a86347223 100644
--- a/rules/application/antivirus/av_password_dumper.yml
+++ b/rules/application/antivirus/av_password_dumper.yml
@@ -2,40 +2,40 @@ title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: test
description: Detects a highly relevant Antivirus alert that reports a password dumper
-author: Florian Roth
references:
- - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
- - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
+ - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+ - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
+author: Florian Roth
date: 2018/09/09
modified: 2022/05/12
-logsource:
- category: antivirus
-detection:
- selection:
- Signature|contains:
- - 'DumpCreds'
- - 'Mimikatz'
- - 'PWCrack'
- - 'HTool/WCE'
- - 'PSWTool'
- - 'PWDump'
- - 'SecurityTool'
- - 'PShlSpy'
- - 'Rubeus'
- - 'Kekeo'
- - 'LsassDump'
- - 'Outflank'
- - 'DumpLsass'
- condition: selection
-fields:
- - FileName
- - User
-falsepositives:
- - Unlikely
-level: critical
tags:
- - attack.credential_access
- - attack.t1003
- - attack.t1558
- - attack.t1003.001
- - attack.t1003.002
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1558
+ - attack.t1003.001
+ - attack.t1003.002
+logsource:
+ category: antivirus
+detection:
+ selection:
+ Signature|contains:
+ - 'DumpCreds'
+ - 'Mimikatz'
+ - 'PWCrack'
+ - 'HTool/WCE'
+ - 'PSWTool'
+ - 'PWDump'
+ - 'SecurityTool'
+ - 'PShlSpy'
+ - 'Rubeus'
+ - 'Kekeo'
+ - 'LsassDump'
+ - 'Outflank'
+ - 'DumpLsass'
+ condition: selection
+fields:
+ - FileName
+ - User
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/application/antivirus/av_ransomware.yml b/rules/application/antivirus/av_ransomware.yml
index d58b66cfa..b2a0ef1ed 100644
--- a/rules/application/antivirus/av_ransomware.yml
+++ b/rules/application/antivirus/av_ransomware.yml
@@ -2,20 +2,21 @@ title: Antivirus Ransomware Detection
id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
status: experimental
description: Detects a highly relevant Antivirus alert that reports ransomware
-author: Florian Roth
references:
- - https://www.nextron-systems.com/?s=antivirus
+ - https://www.nextron-systems.com/?s=antivirus
+author: Florian Roth
date: 2022/05/12
-logsource:
- category: antivirus
-detection:
- selection:
- Signature|contains:
- - 'Ransom'
- - 'Filecoder'
- condition: selection
-falsepositives:
- - Unlikely
-level: critical
+modified: 2021/12/02
tags:
- - attack.t1486
+ - attack.t1486
+logsource:
+ category: antivirus
+detection:
+ selection:
+ Signature|contains:
+ - 'Ransom'
+ - 'Filecoder'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/application/antivirus/av_relevant_files.yml b/rules/application/antivirus/av_relevant_files.yml
index 0017e0124..7caa873ba 100644
--- a/rules/application/antivirus/av_relevant_files.yml
+++ b/rules/application/antivirus/av_relevant_files.yml
@@ -1,12 +1,15 @@
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
status: experimental
-date: 2018/09/09
-modified: 2021/11/23
-author: Florian Roth, Arnim Rupp
+description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
references:
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
+author: Florian Roth, Arnim Rupp
+date: 2018/09/09
+modified: 2021/11/23
+tags:
+ - attack.resource_development
+ - attack.t1588
logsource:
category: antivirus
detection:
@@ -73,6 +76,3 @@ fields:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.resource_development
- - attack.t1588
\ No newline at end of file
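Review bot: The added `+modified: 2021/12/02` in the av_ransomware.yml hunk predates the rule's own `date: 2022/05/12`, so the metadata now claims the rule was modified five months before it was created. Either drop the `modified` key, since nothing in the diff shows an earlier revision of this rule, or set it to a date on or after `date`, e.g. `modified: 2022/05/12`. Everything else in the hunk is a key reorder and looks fine.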
diff --git a/rules/application/antivirus/av_webshell.yml b/rules/application/antivirus/av_webshell.yml
index d8f2f4465..ec84ea329 100644
--- a/rules/application/antivirus/av_webshell.yml
+++ b/rules/application/antivirus/av_webshell.yml
@@ -1,10 +1,7 @@
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
-description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
status: experimental
-date: 2018/09/09
-modified: 2022/05/12
-author: Florian Roth, Arnim Rupp
+description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
references:
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
- https://github.com/tennc/webshell
@@ -15,6 +12,9 @@ references:
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
+author: Florian Roth, Arnim Rupp
+date: 2018/09/09
+modified: 2022/05/12
tags:
- attack.persistence
- attack.t1505.003
diff --git a/rules/application/django/appframework_django_exceptions.yml b/rules/application/django/appframework_django_exceptions.yml
index 233cc72d6..8042c1fb8 100644
--- a/rules/application/django/appframework_django_exceptions.yml
+++ b/rules/application/django/appframework_django_exceptions.yml
@@ -2,12 +2,15 @@ title: Django Framework Exceptions
id: fd435618-981e-4a7c-81f8-f78ce480d616
status: stable
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
-author: Thomas Patzke
-date: 2017/08/05
-modified: 2020/09/01
references:
- https://docs.djangoproject.com/en/1.11/ref/exceptions/
- https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
+author: Thomas Patzke
+date: 2017/08/05
+modified: 2020/09/01
+tags:
+ - attack.initial_access
+ - attack.t1190
logsource:
category: application
product: django
@@ -31,6 +34,3 @@ detection:
falsepositives:
- Application bugs
level: medium
-tags:
- - attack.initial_access
- - attack.t1190
\ No newline at end of file
diff --git a/rules/application/python/app_python_sql_exceptions.yml b/rules/application/python/app_python_sql_exceptions.yml
index a070253a0..2dcda6679 100644
--- a/rules/application/python/app_python_sql_exceptions.yml
+++ b/rules/application/python/app_python_sql_exceptions.yml
@@ -2,11 +2,14 @@ title: Python SQL Exceptions
id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
status: stable
description: Generic rule for SQL exceptions in Python according to PEP 249
+references:
+ - https://www.python.org/dev/peps/pep-0249/#exceptions
author: Thomas Patzke
date: 2017/08/12
modified: 2020/09/01
-references:
- - https://www.python.org/dev/peps/pep-0249/#exceptions
+tags:
+ - attack.initial_access
+ - attack.t1190
logsource:
category: application
product: python
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Application bugs
level: medium
-tags:
- - attack.initial_access
- - attack.t1190
\ No newline at end of file
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
index 8ff4dbaca..f2c7a5efa 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -1,5 +1,6 @@
title: Remote Schedule Task Lateral Movement via ATSvc
id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
+status: experimental
description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
references:
- https://attack.mitre.org/techniques/T1053/
@@ -8,14 +9,13 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
tags:
- attack.lateral_movement
- attack.t1053
- attack.t1053.002
-status: experimental
-author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
index 22c1b59cd..8678f0f8d 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
@@ -1,5 +1,6 @@
title: Remote Schedule Task Recon via AtScv
id: f177f2bc-5f3e-4453-b599-57eefce9a59c
+status: experimental
description: Detects remote RPC calls to read information about scheduled tasks via AtScv
references:
- https://attack.mitre.org/tactics/TA0007/
@@ -8,7 +9,6 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
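Review bot: In the first rpc_firewall_atsvc_recon.yml hunk, the context lines `title: Remote Schedule Task Recon via AtScv` and `description: ... via AtScv` misspell the interface name; the sibling rule in this same diff (rpc_firewall_atsvc_lateral_movement.yml) and the file name itself spell it `ATSvc`. Since this commit already rewrites both rule headers, suggest `title: Remote Schedule Task Recon via ATSvc` and `description: Detects remote RPC calls to read information about scheduled tasks via ATSvc` so analysts searching alerts by interface name find both rules.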
diff --git a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
index d9eb4b5dd..e1bfa1842 100644
--- a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
@@ -1,5 +1,6 @@
title: Possible DCSync Attack
id: 56fda488-113e-4ce9-8076-afc2457922c3
+status: experimental
description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
references:
- https://attack.mitre.org/techniques/T1033/
@@ -7,12 +8,11 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-tags:
- - attack.t1033
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
+tags:
+ - attack.t1033
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
index becc9af9c..2f54d4fee 100644
--- a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
@@ -1,5 +1,6 @@
title: Remote Encrypting File System Abuse
id: 5f92fff9-82e2-48eb-8fc1-8b133556a551
+status: experimental
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
- https://attack.mitre.org/tactics/TA0008/
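Review bot: The tag block re-added in the second rpc_firewall_dcsync_attack.yml hunk, `+tags:` / `+ - attack.t1033`, maps to System Owner/User Discovery, which does not describe a DCSync/DCShadow detection against MS-DRSR; the ATT&CK entry for DCSync is OS Credential Dumping: DCSync (T1003.006) and DCShadow is Rogue Domain Controller (T1207). Suggest `- attack.credential_access`, `- attack.t1003.006` and `- attack.t1207` here, and updating the matching `https://attack.mitre.org/techniques/T1033/` reference in the preceding hunk, after confirming the IDs against the current ATT&CK matrix. Since tags are what downstream consumers pivot on, moving the block is the right moment to correct it.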
@@ -7,12 +8,11 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-tags:
- - attack.lateral_movement
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
+tags:
+ - attack.lateral_movement
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
index d508eb6ba..bd69dc768 100644
--- a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
@@ -1,12 +1,12 @@
title: Remote Event Log Recon
id: 2053961f-44c7-4a64-b62d-f6e72800af0d
+status: experimental
description: Detects remote RPC calls to get event log information via EVEN or EVEN6
references:
- https://attack.mitre.org/tactics/TA0007/
- https://github.com/zeronetworks/rpcfirewall
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
@@ -19,8 +19,8 @@ detection:
EventLog: RPCFW
EventID: 3
InterfaceUuid:
- - 82273fdc-e32a-18c3-3f78-827929dc23ea
- - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
+ - 82273fdc-e32a-18c3-3f78-827929dc23ea
+ - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
condition: selection
falsepositives:
- Remote administrative tasks on Windows Events
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
index 84a44735d..595c9378d 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
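Review bot: The `references` list in the first rpc_firewall_eventlog_recon.yml hunk contains `- https://github.com/zeronetworks/rpcfirewall` twice on consecutive context lines; one of the two should be dropped while this header is being rewritten. The duplicate is pre-existing rather than introduced here, but it survives unchanged on the new side and the other rpc_firewall rules in this diff list that link only once.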
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
@@ -1,5 +1,6 @@
title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
+status: experimental
description: Detects remote RPC calls to create or execute a scheduled task
references:
- https://attack.mitre.org/techniques/T1053/
@@ -8,14 +9,13 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
tags:
- attack.lateral_movement
- attack.t1053
- attack.t1053.002
-status: experimental
-author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
index 53f436542..c3a458588 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
@@ -1,5 +1,6 @@
title: Remote Schedule Task Recon via ITaskSchedulerService
id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
+status: experimental
description: Detects remote RPC calls to read information about scheduled tasks
references:
- https://attack.mitre.org/tactics/TA0007/
@@ -7,7 +8,6 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
diff --git a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
index a4697edc7..6987c44f8 100644
--- a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
@@ -1,5 +1,6 @@
title: Remote Printing Abuse for Lateral Movement
id: bc3a4b0c-e167-48e1-aa88-b3020950e560
+status: experimental
description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
references:
- https://attack.mitre.org/tactics/TA0008/
@@ -9,12 +10,11 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-tags:
- - attack.lateral_movement
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
+tags:
+ - attack.lateral_movement
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
index ea909d4da..2b5a361eb 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
@@ -1,5 +1,6 @@
title: Remote DCOM/WMI Lateral Movement
id: 68050b10-e477-4377-a99b-3721b422d6ef
+status: experimental
description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
references:
- https://attack.mitre.org/tactics/TA0008/
@@ -8,14 +9,13 @@ references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
tags:
- attack.lateral_movement
- attack.t1021.003
- attack.t1047
-status: experimental
-author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
logsource:
product: rpc_firewall
category: application
@@ -25,12 +25,12 @@ detection:
EventLog: RPCFW
EventID: 3
InterfaceUuid:
- - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
- - 99fcfec4-5260-101b-bbcb-00aa0021347a
- - 000001a0-0000-0000-c000-000000000046
- - 00000131-0000-0000-c000-000000000046
- - 00000143-0000-0000-c000-000000000046
- - 00000000-0000-0000-c000-000000000046
+ - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
+ - 99fcfec4-5260-101b-bbcb-00aa0021347a
+ - 000001a0-0000-0000-c000-000000000046
+ - 00000131-0000-0000-c000-000000000046
+ - 00000143-0000-0000-c000-000000000046
+ - 00000000-0000-0000-c000-000000000046
condition: selection
falsepositives:
- Some administrative tasks on remote host
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
index f480a91a3..b8d232256 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
@@ -1,5 +1,6 @@
title: Remote Registry Lateral Movement
id: 35c55673-84ca-4e99-8d09-e334f3c29539
+status: experimental
description: Detects remote RPC calls to modify the registry and possible execute code
references:
- https://attack.mitre.org/techniques/T1112/
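Review bot: The reference `https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/...` kept as context in the second rpc_firewall_remote_dcom_or_wmi.yml hunk points at the Server Service (MS-SRVS) specification, while the rule's title, its `attack.t1021.003` / `attack.t1047` tags and the interface UUIDs in the following hunk are about DCOM/WMI; this looks like a reference carried over from the server-service rule rather than a deliberate citation. If MS-DCOM was intended, replacing the link with the MS-DCOM specification (or an MS-DCOM entry from the MSRPC-to-ATTACK repository the other rules cite) would make the documentation match what the rule detects — please confirm against the rpcfirewall documentation before changing it.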
@@ -8,12 +9,11 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-tags:
- - attack.lateral_movement
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
+tags:
+ - attack.lateral_movement
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
index f3370988c..b573ff8c2 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
@@ -1,5 +1,6 @@
title: Remote Registry Recon
id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
+status: experimental
description: Detects remote RPC calls to collect information
references:
- https://attack.mitre.org/tactics/TA0007/
@@ -7,7 +8,6 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
index fb3ce78ec..2878a3bbb 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
@@ -1,5 +1,6 @@
title: Remote Server Service Abuse
id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
+status: experimental
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
references:
- https://attack.mitre.org/tactics/TA0008/
@@ -7,12 +8,11 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-tags:
- - attack.lateral_movement
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
+tags:
+ - attack.lateral_movement
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
index 8f20bc404..efc676f77 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
@@ -1,5 +1,6 @@
title: Remote Server Service Abuse for Lateral Movement
id: 10018e73-06ec-46ec-8107-9172f1e04ff2
+status: experimental
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
- https://attack.mitre.org/tactics/TA0008/
@@ -8,13 +9,12 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-tags:
- - attack.lateral_movement
- - attack.t1569.002
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
+tags:
+ - attack.lateral_movement
+ - attack.t1569.002
logsource:
product: rpc_firewall
category: application
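Review bot: In the first rpc_firewall_remote_server_service_abuse.yml hunk, the context line `description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS` contradicts the title `Remote Server Service Abuse` and the `MS-SRVS.md` reference in the next hunk: MS-SRVS is the Server Service protocol, not an encryption service, so the wording appears copied from the EFS rule. Suggest `description: Detects remote RPC calls to possibly abuse the remote Server Service via MS-SRVS` while the header is being rewritten.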
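Review bot: In the first rpc_firewall_remote_service_lateral_movement.yml hunk, both the title `Remote Server Service Abuse for Lateral Movement` and the description `... remote encryption service via MS-EFSR` disagree with this rule's own `MS-SCMR.md` reference and its `attack.t1569.002` (Service Execution) tag in the following hunk; the title duplicates the server-service rule and the description duplicates the EFS rule. Suggest `title: Remote Service Control Manager Abuse for Lateral Movement` and `description: Detects remote RPC calls to possibly abuse the Service Control Manager via MS-SCMR`, so the three rules stay distinguishable in an alert queue; the exact operations matched are outside this hunk, so adjust the wording to whatever the detection block actually covers.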
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
index 85bca67ea..5812fb437 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
@@ -1,5 +1,6 @@
title: Remote Schedule Task Lateral Movement via SASec
id: aff229ab-f8cd-447b-b215-084d11e79eb0
+status: experimental
description: Detects remote RPC calls to create or execute a scheduled task via SASec
references:
- https://attack.mitre.org/techniques/T1053/
@@ -8,14 +9,13 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
+author: Sagie Dulce, Dekel Paz
+date: 2022/01/01
+modified: 2022/01/01
tags:
- attack.lateral_movement
- attack.t1053
- attack.t1053.002
-status: experimental
-author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
index 62e9e51c7..34beea18c 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
@@ -1,5 +1,6 @@
title: Remote Schedule Task Lateral Movement via SASec
id: 0a3ff354-93fc-4273-8a03-1078782de5b7
+status: experimental
description: Detects remote RPC calls to read information about scheduled tasks via SASec
references:
- https://attack.mitre.org/tactics/TA0007/
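Review bot: In the first rpc_firewall_sasec_recon.yml hunk, the context line `title: Remote Schedule Task Lateral Movement via SASec` is byte-identical to the title of rpc_firewall_sasec_lateral_movement.yml just above, even though this rule's description says it reads scheduled-task information and its reference is the Discovery tactic (TA0007); two rules with the same title are indistinguishable in any alert view keyed on title. Suggest `title: Remote Schedule Task Recon via SASec`, which follows the naming the ATSvc and ITaskSchedulerService recon rules in this diff already use.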
@@ -7,7 +8,6 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
index 0bc2b5c9a..626092f6a 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
@@ -1,5 +1,6 @@
title: SharpHound Recon Account Discovery
id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
+status: experimental
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://attack.mitre.org/techniques/T1087/
@@ -7,12 +8,11 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-tags:
- - attack.t1087
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
+tags:
+ - attack.t1087
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
index bcbee4299..d43f23072 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
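Review bot: The description context line in the first rpc_firewall_sharphound_recon_account.yml hunk has a typo, `useb`, that this header rewrite could fix cheaply: `description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.` The same misspelling appears in rpc_firewall_sharphound_recon_sessions.yml further down this diff.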
@@ -1,5 +1,6 @@
title: SharpHound Recon Sessions
id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
+status: experimental
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://attack.mitre.org/techniques/T1033/
@@ -7,12 +8,11 @@ references:
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
-tags:
- - attack.t1033
-status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
+tags:
+ - attack.t1033
logsource:
product: rpc_firewall
category: application
diff --git a/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
index e0a3430cb..661780aff 100644
--- a/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
@@ -2,14 +2,17 @@ title: Ruby on Rails Framework Exceptions
id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
status: stable
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
-author: Thomas Patzke
-date: 2017/08/06
-modified: 2020/09/01
references:
- http://edgeguides.rubyonrails.org/security.html
- http://guides.rubyonrails.org/action_controller_overview.html
- https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
- https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
+author: Thomas Patzke
+date: 2017/08/06
+modified: 2020/09/01
+tags:
+ - attack.initial_access
+ - attack.t1190
logsource:
category: application
product: ruby_on_rails
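Review bot: The description context line in the first rpc_firewall_sharphound_recon_sessions.yml hunk is word-for-word the same as the account-discovery rule's (`... useb by SharpHound to map remote connections and local group membership.`), although this rule's title is about sessions, its reference is MS-SRVS rather than MS-WKST, and its tag is `attack.t1033`; an analyst reading the two alerts side by side cannot tell them apart from the description. Suggest fixing the `useb` typo and tailoring the text to what this rule covers, e.g. `description: Detects remote RPC calls used by SharpHound to enumerate sessions on remote hosts via MS-SRVS.`, after checking the detection block (outside this hunk) to confirm that is what it matches.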
@@ -24,6 +27,3 @@ detection:
falsepositives:
- Application bugs
level: medium
-tags:
- - attack.initial_access
- - attack.t1190
\ No newline at end of file
diff --git a/rules/application/spring/appframework_spring_exceptions.yml b/rules/application/spring/appframework_spring_exceptions.yml
index fe97e056c..bd366e7c9 100644
--- a/rules/application/spring/appframework_spring_exceptions.yml
+++ b/rules/application/spring/appframework_spring_exceptions.yml
@@ -2,11 +2,14 @@ title: Spring Framework Exceptions
id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
status: stable
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
+references:
+ - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
author: Thomas Patzke
date: 2017/08/06
modified: 2020/09/01
-references:
- - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
+tags:
+ - attack.initial_access
+ - attack.t1190
logsource:
category: application
product: spring
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Application bugs
level: medium
-tags:
- - attack.initial_access
- - attack.t1190
\ No newline at end of file
diff --git a/rules/application/sql/app_sqlinjection_errors.yml b/rules/application/sql/app_sqlinjection_errors.yml
index 3a9366fd6..f9f4a9be4 100644
--- a/rules/application/sql/app_sqlinjection_errors.yml
+++ b/rules/application/sql/app_sqlinjection_errors.yml
@@ -2,29 +2,29 @@ title: Suspicious SQL Error Messages
id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: test
description: Detects SQL error messages that indicate probing for an injection attack
-author: Bjoern Kimminich
references:
- - http://www.sqlinjection.net/errors
+ - http://www.sqlinjection.net/errors
+author: Bjoern Kimminich
date: 2017/11/27
modified: 2021/11/27
-logsource:
- category: application
- product: sql
-detection:
- keywords:
- # Oracle
- - quoted string not properly terminated
- # MySQL
- - You have an error in your SQL syntax
- # SQL Server
- - Unclosed quotation mark
- # SQLite
- - 'near "*": syntax error'
- - SELECTs to the left and right of UNION do not have the same number of result columns
- condition: keywords
-falsepositives:
- - Application bugs
-level: high
tags:
- - attack.initial_access
- - attack.t1190
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: application
+ product: sql
+detection:
+ keywords:
+ # Oracle
+ - quoted string not properly terminated
+ # MySQL
+ - You have an error in your SQL syntax
+ # SQL Server
+ - Unclosed quotation mark
+ # SQLite
+ - 'near "*": syntax error'
+ - SELECTs to the left and right of UNION do not have the same number of result columns
+ condition: keywords
+falsepositives:
+ - Application bugs
+level: high