Merge branch 'master' into rule-devel
@@ -0,0 +1,17 @@
|
||||
title: Code Injection by ld.so Preload
|
||||
id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
|
||||
status: experimental
|
||||
description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
|
||||
author: Christian Burkard
|
||||
date: 2021/05/05
|
||||
references:
|
||||
- https://man7.org/linux/man-pages/man8/ld.so.8.html
|
||||
logsource:
|
||||
product: linux
|
||||
detection:
|
||||
keyword:
|
||||
- '/etc/ld.so.preload'
|
||||
condition: keyword
|
||||
falsepositives:
|
||||
- rare temporary workaround for library misconfiguration
|
||||
level: high
|
||||
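Review bot: The new rule carries no `tags` block, while the other new rules in this merge map to ATT&CK; `/etc/ld.so.preload` persistence is covered by `attack.persistence` and `attack.t1574.006` (Hijack Execution Flow: Dynamic Linker Hijacking), so a `tags:` section with those two entries after `references` would keep it consistent. The logsource is only `product: linux` with a bare `keyword`, so every Linux log line that mentions the path will fire — including auditd file watches, package-manager and ldconfig output if those are shipped — which the single falsepositives entry understates; it would be worth narrowing with a `service` (e.g. auditd) or listing those sources under `falsepositives`.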
@@ -0,0 +1,67 @@
|
||||
title: Suspicious DNS Z Flag Bit Set
|
||||
id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
|
||||
description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
|
||||
date: 2021/05/04
|
||||
references:
|
||||
- 'https://twitter.com/neu5ron/status/1346245602502443009'
|
||||
- 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma'
|
||||
- 'https://tools.ietf.org/html/rfc2929#section-2.1'
|
||||
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
|
||||
author: '@neu5ron, SOC Prime Team, Corelight'
|
||||
tags:
|
||||
- attack.t1094
|
||||
- attack.t1043
|
||||
- attack.command_and_control
|
||||
logsource:
|
||||
product: zeek
|
||||
service: dns
|
||||
detection:
|
||||
z_flag_unset:
|
||||
Z: '0'
|
||||
most_probable_valid_domain:
|
||||
query|contains: '.'
|
||||
exclude_tlds:
|
||||
query|endswith:
|
||||
- '.arpa'
|
||||
- '.local'
|
||||
- '.ultradns.net'
|
||||
- '.twtrdns.net'
|
||||
- '.azuredns-prd.info'
|
||||
- '.azure-dns.com'
|
||||
- '.azuredns-ff.info'
|
||||
- '.azuredns-ff.org'
|
||||
- '.azuregov-dns.org'
|
||||
exclude_query_types:
|
||||
qtype_name:
|
||||
- 'NS'
|
||||
- 'ns'
|
||||
exclude_responses:
|
||||
answers|endswith: '\\x00'
|
||||
exclude_netbios:
|
||||
id.resp_p:
|
||||
- '137'
|
||||
- '138'
|
||||
- '139'
|
||||
condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios)
|
||||
falsepositive:
|
||||
- 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
|
||||
- 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
|
||||
level: medium
|
||||
fields:
|
||||
- ts
|
||||
- id.orig_h
|
||||
- id.orig_p
|
||||
- id.resp_h
|
||||
- id.resp_p
|
||||
- proto
|
||||
- qtype_name
|
||||
- qtype
|
||||
- query
|
||||
- answers
|
||||
- rcode
|
||||
- rcode_name
|
||||
- trans_id
|
||||
- qtype
|
||||
- ttl
|
||||
- AA
|
||||
- uid
|
||||
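Review bot: The condition lists `exclude_tlds` twice (`NOT (exclude_tlds OR exclude_tlds OR ...)`), which is harmless but reads like a lost selection; and the key `falsepositive:` is not the Sigma schema name, so the schema check will reject it — it should be `falsepositives:`. `fields` also lists `qtype` twice, and no `status` is set although every other new rule in this merge has one. The tags `attack.t1094` and `attack.t1043` are technique IDs that ATT&CK has deprecated, and the sentence in the description about "multiple of these files were accessed" looks copied from a file-access rule rather than a DNS one; trimming it would make the hunting guidance accurate.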
@@ -0,0 +1,25 @@
|
||||
title: Hidden Local User Creation
|
||||
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
|
||||
description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1136.001
|
||||
references:
|
||||
- https://twitter.com/SBousseaden/status/1387743867663958021
|
||||
author: Christian Burkard
|
||||
date: 2021/05/03
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4720
|
||||
TargetUserName|endswith: '$'
|
||||
condition: selection
|
||||
fields:
|
||||
- EventCode
|
||||
- AccountName
|
||||
falsepositives:
|
||||
- unkown
|
||||
level: high
|
||||
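Review bot: The `fields` block names `EventCode` and `AccountName`, but the selection matches on `EventID` and `TargetUserName`, so the output columns will not exist unless the field mapping renames them; listing `- EventID` and `- TargetUserName` (or `SubjectUserName`) would match the Security-log field names used by the detection. The falsepositives entry is misspelled: `- unkown` should be `- unknown`, as in the other rules of this merge.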
@@ -0,0 +1,34 @@
|
||||
action: global
|
||||
title: Moriya Rootkit
|
||||
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
|
||||
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
|
||||
status: experimental
|
||||
author: Bhabesh Raj
|
||||
date: 2021/05/06
|
||||
modified: 2021/05/12
|
||||
level: critical
|
||||
falsepositives:
|
||||
- None
|
||||
references:
|
||||
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.privilege_escalation
|
||||
- attack.t1543.003
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: system
|
||||
detection:
|
||||
selection:
|
||||
EventID: 7045
|
||||
ServiceName: ZzNetSvc
|
||||
condition: selection
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
category: file_event
|
||||
detection:
|
||||
selection:
|
||||
TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
|
||||
condition: selection
|
||||
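Review bot: The service-install selection keys only on `ServiceName: ZzNetSvc`, a string entirely under the operator's control, while the driver file name is already on the page in the file_event part; event 7045 also carries `ImagePath`, so adding a second selection on it and OR-ing the two — `selection_path:` / `ImagePath|endswith: '\MoriyaStreamWatchmen.sys'` / `condition: 1 of selection*` — would still fire when the service name changes. `falsepositives: - None` is parsed by YAML as the string "None"; the other rules in this merge use `Unknown` or `unlikely`, so one wording would help tooling that aggregates this field.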
@@ -1,8 +1,9 @@
|
||||
title: Remote PowerShell Sessions
|
||||
title: Remote PowerShell Sessions Network Connections (WinRM)
|
||||
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
|
||||
description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986
|
||||
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
|
||||
status: experimental
|
||||
date: 2019/09/12
|
||||
modified: 2021/05/21
|
||||
author: Roberto Rodriguez @Cyb3rWard0g
|
||||
references:
|
||||
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
|
||||
|
||||
@@ -17,8 +17,9 @@ detection:
|
||||
ObjectType: 'SC_MANAGER OBJECT'
|
||||
ObjectName: 'servicesactive'
|
||||
Keywords: "Audit Failure"
|
||||
filter:
|
||||
SubjectLogonId: "0x3e4"
|
||||
condition: selection
|
||||
condition: selection and not filter
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
|
||||
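Review bot: The new filter on `SubjectLogonId: "0x3e4"` excludes an entire well-known logon session (0x3e4 is the NETWORK SERVICE session), so any process running under that account — including a compromised service — is dropped from the alert, and nothing in the rule says why; a comment on the filter line, `SubjectLogonId: "0x3e4"  # NETWORK SERVICE logon session, source of benign SCM access failures`, would record the intent and the trade-off. If the noise comes from one service, narrowing the filter with the process or `SubjectUserName` it belongs to would be safer than the whole session. The same filter is added in the section starting at `@@ -15,8 +15,9 @@` below.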
@@ -15,8 +15,9 @@ detection:
|
||||
ObjectType: 'SC_MANAGER OBJECT'
|
||||
ObjectName: 'servicesactive'
|
||||
PrivilegeList: 'SeTakeOwnershipPrivilege'
|
||||
filter:
|
||||
SubjectLogonId: "0x3e4"
|
||||
condition: selection
|
||||
condition: selection and not filter
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
title: Vulnerable Dell BIOS Update Driver Load
|
||||
id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
|
||||
description: Detects the load of the vulnerable Dell BIOS update driver
|
||||
description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
|
||||
author: Florian Roth
|
||||
date: 2021/05/05
|
||||
references:
|
||||
@@ -8,6 +8,8 @@ references:
|
||||
logsource:
|
||||
category: driver_load
|
||||
product: windows
|
||||
tags:
|
||||
- cve.2021-21551
|
||||
detection:
|
||||
selection_image:
|
||||
ImageLoaded|contains: '\DBUtil_2_3.Sys'
|
||||
@@ -19,6 +21,9 @@ detection:
|
||||
- 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
|
||||
- '10b30bdee43b3a2ec4aa63375577ade650269d25'
|
||||
- 'd2fd132ab7bbc6bbb87a84f026fa0244'
|
||||
|
||||
|
||||
|
||||
condition: selection_image or selection_hash
|
||||
falsepositives:
|
||||
- legitimate BIOS driver updates (should be rare)
|
||||
|
||||
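Review bot: The new `tags` block contains only `cve.2021-21551`; the other rules in this merge carry ATT&CK tags, and a vulnerable-driver load maps to `attack.privilege_escalation` and `attack.t1068`, so adding those two lines would keep the tagging consistent. The three lines added at the end of the hash hunk (`@@ -19,6 +21,9 @@`) render empty on this page, so I cannot verify what was added there — presumably more hash values; worth a second look before merge.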
@@ -3,6 +3,7 @@ id: fe6e002f-f244-4278-9263-20e4b593827f
|
||||
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
|
||||
status: experimental
|
||||
date: 2019/09/12
|
||||
modified: 2021/05/12
|
||||
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
|
||||
tags:
|
||||
- attack.execution
|
||||
@@ -11,11 +12,11 @@ references:
|
||||
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
|
||||
logsource:
|
||||
product: windows
|
||||
service: image_load
|
||||
category: image_load
|
||||
detection:
|
||||
selection:
|
||||
Description: 'system.management.automation'
|
||||
ImageLoaded|contains: 'system.management.automation'
|
||||
Description: 'System.Management.Automation'
|
||||
ImageLoaded|contains: 'System.Management.Automation'
|
||||
filter:
|
||||
Image|endswith: '\powershell.exe'
|
||||
condition: selection and not filter
|
||||
|
||||
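Review bot: The `filter` only excludes `\powershell.exe`, so other legitimate hosts of System.Management.Automation — `pwsh.exe` and `powershell_ise.exe` where they are deployed — will match the updated selection and raise the false-positive rate; extending the filter to `Image|endswith:` with `- '\powershell.exe'`, `- '\powershell_ise.exe'`, `- '\pwsh.exe'` would address that. The capitalisation change to `'System.Management.Automation'` is presumably cosmetic, since most Sigma backends match strings case-insensitively; the same change is made in the section starting at `@@ -16,8 +16,8 @@` below.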
@@ -16,8 +16,8 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Description: 'system.management.automation'
|
||||
ImageLoaded|contains: 'system.management.automation'
|
||||
Description: 'System.Management.Automation'
|
||||
ImageLoaded|contains: 'System.Management.Automation'
|
||||
condition: selection
|
||||
fields:
|
||||
- ComputerName
|
||||
|
||||
@@ -3,6 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83
|
||||
description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
|
||||
status: experimental
|
||||
date: 2020/05/03
|
||||
modified: 2021/05/12
|
||||
author: Patrick St. John, OTR (Open Threat Research)
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
@@ -12,7 +13,7 @@ references:
|
||||
- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
|
||||
logsource:
|
||||
product: windows
|
||||
service: image_load
|
||||
category: image_load
|
||||
detection:
|
||||
selection:
|
||||
Description: 'Python Core'
|
||||
|
||||
@@ -2,27 +2,37 @@ title: Antivirus Relevant File Paths Alerts
|
||||
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
|
||||
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
|
||||
date: 2018/09/09
|
||||
modified: 2019/10/04
|
||||
author: Florian Roth
|
||||
modified: 2021/05/09
|
||||
author: Florian Roth, Arnim Rupp
|
||||
references:
|
||||
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
|
||||
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
|
||||
logsource:
|
||||
product: antivirus
|
||||
detection:
|
||||
selection:
|
||||
- FileName|startswith:
|
||||
- 'C:\Windows\Temp\'
|
||||
- 'C:\Windows\'
|
||||
- 'C:\Temp\'
|
||||
- 'C:\PerfLogs\'
|
||||
- 'C:\Users\Public\'
|
||||
- 'C:\Users\Default\'
|
||||
- FileName|contains:
|
||||
- '\Client\'
|
||||
- '\tsclient\'
|
||||
- '\inetpub\'
|
||||
- '/www/'
|
||||
- 'apache'
|
||||
- 'tomcat'
|
||||
- 'nginx'
|
||||
- 'weblogic'
|
||||
selection2:
|
||||
Filename|endswith:
|
||||
- '.ps1'
|
||||
- '.psm1'
|
||||
- '.vbs'
|
||||
- '.bat'
|
||||
- '.cmd'
|
||||
- '.sh'
|
||||
- '.chm'
|
||||
- '.xml'
|
||||
- '.txt'
|
||||
@@ -30,8 +40,18 @@ detection:
|
||||
- '.jspx'
|
||||
- '.asp'
|
||||
- '.aspx'
|
||||
- '.ashx'
|
||||
- '.asax'
|
||||
- '.asmx'
|
||||
- '.php'
|
||||
- '.cfm'
|
||||
- '.py'
|
||||
- '.pyc'
|
||||
- '.pl'
|
||||
- '.rb'
|
||||
- '.cgi'
|
||||
- '.war'
|
||||
- '.ear'
|
||||
- '.hta'
|
||||
- '.lnk'
|
||||
- '.scf'
|
||||
@@ -39,6 +59,12 @@ detection:
|
||||
- '.vbe'
|
||||
- '.wsf'
|
||||
- '.wsh'
|
||||
- '.gif'
|
||||
- '.png'
|
||||
- '.jpg'
|
||||
- '.jpeg'
|
||||
- '.svg'
|
||||
- '.dat'
|
||||
condition: selection or selection2
|
||||
fields:
|
||||
- Signature
|
||||
|
||||
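Review bot: `selection2` matches on `Filename|endswith` while `selection` uses `FileName|startswith` and `FileName|contains`; unless the antivirus field mapping covers both spellings, the extension branch silently never matches and the rule is reduced to the path list — `FileName|endswith:` would align it. In the path list, `'C:\Windows\'` already covers `'C:\Windows\Temp\'`, so the first entry is redundant. The new extensions `.gif`, `.png`, `.jpg`, `.jpeg` and `.svg` turn every AV hit on an image file into a "relevant" alert; if the intent is web shells hidden in image files, the `falsepositives` section should say so.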
@@ -1,14 +1,19 @@
|
||||
title: Antivirus Web Shell Detection
|
||||
id: fdf135a2-9241-4f96-a114-bb404948f736
|
||||
description: Detects a highly relevant Antivirus alert that reports a web shell
|
||||
description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
|
||||
date: 2018/09/09
|
||||
modified: 2001/01/07
|
||||
modified: 2021/05/08
|
||||
author: Florian Roth, Arnim Rupp
|
||||
references:
|
||||
- https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v1-7-2/
|
||||
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
|
||||
- https://github.com/tennc/webshell
|
||||
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
|
||||
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
|
||||
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
|
||||
- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
|
||||
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
|
||||
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
|
||||
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1100
|
||||
@@ -18,26 +23,48 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
- Signature|startswith:
|
||||
- "PHP/Backdoor"
|
||||
- "JSP/Backdoor"
|
||||
- "ASP/Backdoor"
|
||||
- "Backdoor.PHP"
|
||||
- "Backdoor.JSP"
|
||||
- "Backdoor.ASP"
|
||||
- "Backdoor?Java"
|
||||
- "PHP/"
|
||||
- "JSP/"
|
||||
- "ASP/"
|
||||
- "Perl/"
|
||||
- "PHP."
|
||||
- "JSP."
|
||||
- "ASP."
|
||||
- "Perl."
|
||||
- "VBS/Uxor" # looking for "VBS/" would also find downloaders and droppers meant for desktops
|
||||
- "IIS/BackDoor"
|
||||
- "JAVA/Backdoor"
|
||||
- "Troj/ASP"
|
||||
- "Troj/PHP"
|
||||
- "Troj/JSP"
|
||||
- Signature|contains:
|
||||
- "Webshell"
|
||||
- "Chopper"
|
||||
- "SinoChoper"
|
||||
- "ASPXSpy"
|
||||
- "Aspdoor"
|
||||
- "filebrowser"
|
||||
- "PHP_"
|
||||
- "JSP_"
|
||||
- "ASP_" # looking for "VBS_" would also find downloaders and droppers meant for desktops
|
||||
- "PHP:"
|
||||
- "JSP:"
|
||||
- "ASP:"
|
||||
- "Perl:"
|
||||
- "PHPShell"
|
||||
- "Trojan.PHP"
|
||||
- "Trojan.ASP"
|
||||
- "Trojan.JSP"
|
||||
- "Trojan.VBS"
|
||||
- "PHP?Agent"
|
||||
- "ASP?Agent"
|
||||
- "JSP?Agent"
|
||||
- "VBS?Agent"
|
||||
- "Backdoor?PHP"
|
||||
- "Backdoor?JSP"
|
||||
- "Backdoor?ASP"
|
||||
- "Backdoor?VBS"
|
||||
- "Backdoor?Java"
|
||||
condition: selection
|
||||
fields:
|
||||
- FileName
|
||||
|
||||
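Review bot: The tag `attack.t1100` is a deprecated technique ID; the current web-shell mapping is `attack.t1505.003`, which is what the rest of the repository uses. `"Backdoor?Java"` appears in both the `startswith` and the `contains` list, so the first occurrence is redundant. The new prefixes `"PHP/"`, `"JSP/"`, `"ASP/"` and `"Perl/"` widen the rule well beyond web shells (any PHP/Perl detection name fires); the description already asks users to tune, but the `falsepositives` block should mention that broad family names are expected.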
@@ -6,7 +6,7 @@ references:
|
||||
- https://twitter.com/SBousseaden/status/1096148422984384514
|
||||
author: Samir Bousseaden
|
||||
date: 2019/02/16
|
||||
modified: 2020/08/24
|
||||
modified: 2021/05/11
|
||||
tags:
|
||||
- attack.command_and_control
|
||||
- attack.t1572
|
||||
@@ -25,7 +25,7 @@ detection:
|
||||
selection2:
|
||||
- DestinationIp|startswith:
|
||||
- '127.'
|
||||
- DestinationIP:
|
||||
- DestinationIp:
|
||||
- '::1'
|
||||
condition: selection and selection2
|
||||
falsepositives:
|
||||
|
||||
@@ -6,7 +6,7 @@ references:
|
||||
- https://twitter.com/PythonResponder/status/1385064506049630211
|
||||
tags:
|
||||
- attack.credential_access
|
||||
- attack.t1552.004
|
||||
- attack.t1003.001
|
||||
author: Florian Roth
|
||||
date: 2021/04/23
|
||||
logsource:
|
||||
|
||||
@@ -0,0 +1,29 @@
|
||||
title: Suspicious Shells Spawn by WinRM
|
||||
id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
|
||||
description: Detects suspicious shell spawn from WinRM host process
|
||||
status: experimental
|
||||
author: Andreas Hunkeler (@Karneades), Markus Neis
|
||||
date: 2021/05/20
|
||||
tags:
|
||||
- attack.t1190
|
||||
- attack.initial_access
|
||||
- attack.persistence
|
||||
- attack.privilege_escalation
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
ParentImage: '*\wsmprovhost.exe'
|
||||
Image:
|
||||
- '*\cmd.exe'
|
||||
- '*\sh.exe'
|
||||
- '*\bash.exe'
|
||||
- '*\powershell.exe'
|
||||
- '*\schtasks.exe'
|
||||
- '*\certutil.exe'
|
||||
- '*\whoami.exe'
|
||||
- '*\bitsadmin.exe'
|
||||
condition: selection
|
||||
|
||||
level: critical
|
||||
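Review bot: The selection uses glob values (`ParentImage: '*\wsmprovhost.exe'`, `Image: - '*\cmd.exe'`) where every other rule in this merge uses the `|endswith` modifier; `ParentImage|endswith: '\wsmprovhost.exe'` and `Image|endswith:` with the bare `\cmd.exe`-style entries would be consistent and avoid wildcard handling differences between backends. The tag `attack.t1190` (exploiting a public-facing application) does not describe a shell spawned through WinRM; `attack.lateral_movement` with `attack.t1021.006` (Remote Services: Windows Remote Management) fits the logsource. No `references` or `falsepositives` entries are visible (one added line renders empty), and with `whoami.exe` and `powershell.exe` in the child list interactive `Enter-PSSession` use by administrators will trigger this, so `level: critical` looks high for the stated scope.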
@@ -0,0 +1,32 @@
|
||||
title: RClone Execution
|
||||
id: a0d63692-a531-4912-ad39-4393325b2a9c
|
||||
status: experimental
|
||||
description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
|
||||
tags:
|
||||
- attack.exfiltration
|
||||
- attack.t1567.002
|
||||
author: Bhabesh Raj
|
||||
date: 2021/05/10
|
||||
references:
|
||||
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
|
||||
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
|
||||
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
|
||||
fields:
|
||||
- CommandLine
|
||||
- ParentCommandLine
|
||||
- Details
|
||||
falsepositives:
|
||||
- Legitimate RClone use
|
||||
level: high
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Description: 'Rsync for cloud storage'
|
||||
selection2:
|
||||
CommandLine|contains|all:
|
||||
- '--config '
|
||||
- '--no-check-certificate '
|
||||
- ' copy '
|
||||
condition: 1 of them
|
||||
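Review bot: `fields` lists `- Details`, which looks like a registry-event field rather than a process_creation one; `Image` or `OriginalFileName` would be more useful alongside `CommandLine` here. In `selection2`, `'--no-check-certificate '` keeps a trailing space, so the flag is missed when it is the last token on the command line — `'--no-check-certificate'` without the space is safer, and `--config ` can keep the space since it is always followed by a path. The description's "ransomwares strains" should read "ransomware strains".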
@@ -6,7 +6,7 @@ references:
|
||||
- https://securityxploded.com/
|
||||
- https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
|
||||
date: 2018/12/19
|
||||
modified: 2020/09/01
|
||||
modified: 2021/05/11
|
||||
tags:
|
||||
- attack.credential_access
|
||||
- attack.t1555
|
||||
@@ -21,7 +21,7 @@ detection:
|
||||
selection2:
|
||||
Image|endswith: 'PasswordDump.exe'
|
||||
selection3:
|
||||
OriginalFilename|endswith: 'PasswordDump.exe'
|
||||
OriginalFileName|endswith: 'PasswordDump.exe'
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- unlikely
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
title: Remote PowerShell Session
|
||||
title: Remote PowerShell Session Host Process (WinRM)
|
||||
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
|
||||
description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
|
||||
description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session)
|
||||
status: experimental
|
||||
date: 2019/09/12
|
||||
modified: 2019/11/10
|
||||
modified: 2021/05/21
|
||||
author: Roberto Rodriguez @Cyb3rWard0g
|
||||
references:
|
||||
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://thedfirreport.com/2020/05/08/adfind-recon/
|
||||
author: FPT.EagleEye Team, omkar72, oscd.community
|
||||
date: 2020/09/26
|
||||
modified: 2020/10/11
|
||||
modified: 2021/05/12
|
||||
tags:
|
||||
- attack.discovery
|
||||
- attack.t1018
|
||||
@@ -17,7 +17,7 @@ tags:
|
||||
- attack.t1069.002
|
||||
logsource:
|
||||
product: windows
|
||||
service: process_creation
|
||||
category: process_creation
|
||||
detection:
|
||||
selection:
|
||||
CommandLine|contains:
|
||||
|
||||
@@ -8,8 +8,6 @@ date: 2019/01/16
|
||||
modified: 2021/04/23
|
||||
references:
|
||||
- https://twitter.com/JohnLaTwC/status/835149808817991680
|
||||
- https://twitter.com/subTee/status/888102593838362624
|
||||
- https://twitter.com/subTee/status/888071631528235010
|
||||
- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
|
||||
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
|
||||
- https://twitter.com/egre55/status/1087685529016193025
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Csi.exe is a signed binary from Micosoft that comes with Visual Stu
|
||||
status: experimental
|
||||
author: Konstantin Grishchenko, oscd.community
|
||||
date: 2020/10/17
|
||||
modified: 2021/05/11
|
||||
references:
|
||||
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
|
||||
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Rcsi.yml
|
||||
@@ -22,8 +23,8 @@ detection:
|
||||
- Image|endswith: '\csi.exe'
|
||||
- Image|endswith: '\rcsi.exe'
|
||||
renamed:
|
||||
- OriginalFilename: 'csi.exe'
|
||||
- OriginalFilename: 'rcsi.exe'
|
||||
- OriginalFileName: 'csi.exe'
|
||||
- OriginalFileName: 'rcsi.exe'
|
||||
selection:
|
||||
Company: 'Microsoft Corporation'
|
||||
condition: (basic or renamed) and selection
|
||||
|
||||
@@ -15,7 +15,7 @@ detection:
|
||||
- 'Sysinternals DebugView'
|
||||
- 'Sysinternals Debugview'
|
||||
filter:
|
||||
OriginalFilename: 'Dbgview.exe'
|
||||
OriginalFileName: 'Dbgview.exe'
|
||||
Image|endswith: '\Dbgview.exe'
|
||||
condition: selection and not filter
|
||||
falsepositives:
|
||||
|
||||
@@ -6,6 +6,7 @@ references:
|
||||
- https://dtm.uk/wuauclt/
|
||||
author: FPT.EagleEye Team
|
||||
date: 2020/10/17
|
||||
modified: 2021/05/12
|
||||
tags:
|
||||
- attack.command_and_control
|
||||
- attack.execution
|
||||
@@ -13,7 +14,7 @@ tags:
|
||||
- attack.t1218
|
||||
logsource:
|
||||
product: windows
|
||||
service: process_creation
|
||||
category: process_creation
|
||||
detection:
|
||||
selection:
|
||||
ProcessCommandLine|contains|all:
|
||||
|
||||
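Review bot: Now that the logsource is the standard `category: process_creation`, the selection field `ProcessCommandLine|contains|all:` stands out — the standard field for this category, and the one every other process_creation rule in this merge uses, is `CommandLine`; unless a config maps `ProcessCommandLine`, the rule compiles to a field that does not exist. `CommandLine|contains|all:` would fix it. The selection continues outside the hunk.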
@@ -0,0 +1,24 @@
|
||||
title: Creation of a Local Hidden User Account by Registry
|
||||
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
|
||||
description: Sysmon registry detection of a local hidden user account.
|
||||
status: experimental
|
||||
date: 2021/05/03
|
||||
modified: 2021/05/12
|
||||
author: Christian Burkard
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1136.001
|
||||
references:
|
||||
- https://twitter.com/SBousseaden/status/1387530414185664538
|
||||
logsource:
|
||||
product: windows
|
||||
category: registry_event
|
||||
detection:
|
||||
selection:
|
||||
TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\'
|
||||
TargetObject|endswith: '$'
|
||||
Image|endswith: "lsass.exe"
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
level: high
|
||||
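Review bot: `Image|endswith: "lsass.exe"` has no leading path separator, so it also matches any image whose name merely ends in `lsass.exe`, and it is double-quoted while the two `TargetObject` lines above are single-quoted; `Image|endswith: '\lsass.exe'` fixes both. The `$`-suffix check will also fire on legitimate local accounts that follow a trailing-`$` naming convention, which the `falsepositives` entry (`unknown`) could state instead.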
@@ -3,6 +3,7 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014
|
||||
description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
|
||||
status: experimental
|
||||
date: 2020/05/02
|
||||
modified: 2021/05/12
|
||||
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
@@ -12,7 +13,7 @@ references:
|
||||
- https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
|
||||
logsource:
|
||||
product: windows
|
||||
service: registry_event
|
||||
category: registry_event
|
||||
detection:
|
||||
selection:
|
||||
TargetObject|contains: '\Software\Sysinternals\SDelete'
|
||||
|
||||
@@ -0,0 +1,47 @@
|
||||
action: global
|
||||
title: Pingback Backdoor
|
||||
id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
|
||||
status: experimental
|
||||
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
|
||||
author: Bhabesh Raj
|
||||
date: 2021/05/05
|
||||
falsepositives:
|
||||
- Very unlikely
|
||||
level: high
|
||||
references:
|
||||
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
|
||||
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1574.001
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
category: file_event
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: updata.exe
|
||||
TargetFilename: 'C:\Windows\oci.dll'
|
||||
condition: selection
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
category: image_load
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: 'msdtc.exe'
|
||||
ImageLoaded: 'C:\Windows\oci.dll'
|
||||
condition: selection
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
category: process_creation
|
||||
detection:
|
||||
selection:
|
||||
ParentImage|endswith: 'updata.exe'
|
||||
CommandLine|contains|all:
|
||||
- 'config'
|
||||
- 'msdtc'
|
||||
- 'start'
|
||||
- 'auto'
|
||||
condition: selection
|
||||
@@ -135,6 +135,7 @@ fieldmappings:
|
||||
Product: winlog.event_data.Product
|
||||
Properties: winlog.event_data.Properties
|
||||
RuleName: winlog.event_data.RuleName
|
||||
ScriptBlockText: powershell.file.script_block_text
|
||||
SecurityID: winlog.event_data.SecurityID
|
||||
ServiceFileName: winlog.event_data.ServiceFileName
|
||||
ServiceName: winlog.event_data.ServiceName
|
||||
|
||||
@@ -119,6 +119,7 @@ fieldmappings:
|
||||
ProcessName: event_data.ProcessName
|
||||
Product: event_data.Product
|
||||
Properties: event_data.Properties
|
||||
ScriptBlockText: winlog.event_data.ScriptBlockText
|
||||
SecurityID: event_data.SecurityID
|
||||
ServiceFileName: event_data.ServiceFileName
|
||||
ServiceName: event_data.ServiceName
|
||||
|
||||
@@ -125,6 +125,7 @@ fieldmappings:
|
||||
Properties: winlog.event_data.Properties
|
||||
RuleName: winlog.event_data.RuleName
|
||||
SAMAccountName: winlog.event_data.SamAccountName
|
||||
ScriptBlockText: winlog.event_data.ScriptBlockText
|
||||
SecurityID: winlog.event_data.SecurityID
|
||||
ServiceFileName: winlog.event_data.ServiceFileName
|
||||
ServiceName: winlog.event_data.ServiceName
|
||||
|
||||
@@ -1346,7 +1346,11 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
|
||||
tactics_list.append(tact)
|
||||
threat = self.create_threat_description(tactics_list=tactics_list, techniques_list=technics_list)
|
||||
rule_name = configs.get("title", "").lower()
|
||||
rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name)
|
||||
rule_uuid = configs.get("id", "").lower()
|
||||
if rule_uuid == "":
|
||||
rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name)
|
||||
else:
|
||||
rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_uuid)
|
||||
risk_score = self.map_risk_score(configs.get("level", "medium"))
|
||||
references = configs.get("reference")
|
||||
if references is None:
|
||||
@@ -1381,6 +1385,8 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
|
||||
rule.update({"threshold": self.rule_threshold})
|
||||
if references:
|
||||
rule.update({"references": references})
|
||||
self.rule_type = "query"
|
||||
self.rule_threshold = {}
|
||||
return json.dumps(rule)
|
||||
|
||||
class KibanaNdjsonBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin):
|
||||
|
||||
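Review bot: The added branch repeats the regex literal `'[()*+!,\[\].\s"]'` twice and compiles it on every call, and because the string is not a raw string `\[` and `\s` are invalid escape sequences that Python 3.6+ reports as a DeprecationWarning (a SyntaxWarning from 3.12); the whole `if`/`else` collapses to `rule_id = re.sub(r'[()*+!,\[\].\s"]', "_", rule_uuid or rule_name)`, ideally with the pattern compiled once at module level. Since `rule_uuid` comes from the rule's `id` (a UUID), the substitution on that side is a no-op, which is fine but worth a short comment so the fallback to the title-derived id is understood. The enclosing method starts and ends outside the hunk.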
@@ -1,6 +1,7 @@
|
||||
# Output backends for sigmac
|
||||
# Copyright 2019 Jayden Zheng
|
||||
# Copyright 2020 Jonas Hagg
|
||||
# Copyright 2021 wagga (https://github.com/wagga40/)
|
||||
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU Lesser General Public License as published by
|
||||
@@ -43,9 +44,16 @@ class SQLBackend(SingleTextQueryBackend):
|
||||
mapListValueExpression = "%s OR %s" # Syntax for field/value condititons where map value is a list
|
||||
mapLength = "(%s %s)"
|
||||
|
||||
def __init__(self, sigmaconfig, table):
|
||||
options = SingleTextQueryBackend.options + (
|
||||
("table", False, "Use this option to specify table name, default is \"eventlog\"", None),
|
||||
)
|
||||
|
||||
def __init__(self, sigmaconfig, options):
|
||||
super().__init__(sigmaconfig)
|
||||
self.table = table
|
||||
if "table" in options:
|
||||
self.table = options["table"]
|
||||
else:
|
||||
self.table = "eventlog"
|
||||
|
||||
def generateANDNode(self, node):
|
||||
generated = [ self.generateNode(val) for val in node ]
|
||||
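Review bot: The new `__init__` takes `options` in place of `table`, which is a signature change for any subclass or caller that still passes a table name positionally — presumably the sqlite backend — and nothing in the hunk shows them updated; worth checking. The `if "table" in options` / `else` block can be `self.table = options.get("table", "eventlog")`, and since the table name is interpolated verbatim into the `FROM` clause of every generated query, a comment such as `# table name comes from the CLI option and is not quoted or validated` would document that it is trusted input. The option tuple's default is `None` while the help text says `"eventlog"`; setting the tuple default to `"eventlog"` would make the two agree.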
@@ -162,10 +170,10 @@ class SQLBackend(SingleTextQueryBackend):
|
||||
group_by = ""
|
||||
|
||||
if agg.aggfield:
|
||||
select = "{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None))
|
||||
select = "*,{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None))
|
||||
else:
|
||||
if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT:
|
||||
select = "{}(*) AS agg".format(agg.aggfunc_notrans)
|
||||
select = "*,{}(*) AS agg".format(agg.aggfunc_notrans)
|
||||
else:
|
||||
raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans))
|
||||
|
||||
|
||||
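Review bot: Prefixing `*,` to the aggregate select (`SELECT *,count(*) AS agg ... GROUP BY x`) produces SQL that is only accepted by SQLite and MySQL without ONLY_FULL_GROUP_BY; PostgreSQL, SQL Server and strict MySQL reject non-aggregated columns that are not in the GROUP BY, and the non-grouped form `SELECT *,count(*)` is rejected likewise. Since this is the generic `SQLBackend`, either emit the group-by fields (or nothing) instead of `*`, or limit the `*,` form to the sqlite backend where the FTS tests need it. A comment above the `select = ...` lines naming which engines the output targets would at least make the limitation explicit; the tests updated later in this merge pin the `*,` form, so they would change with it.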
@@ -125,7 +125,7 @@ class TestGenerateQuery(unittest.TestCase):
|
||||
# count
|
||||
detection = {"selection": {"fieldname": "test"},
|
||||
"condition": "selection | count() > 5"}
|
||||
inner_query = 'SELECT count(*) AS agg FROM {} WHERE fieldname = "test"'.format(
|
||||
inner_query = 'SELECT *,count(*) AS agg FROM {} WHERE fieldname = "test"'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
@@ -133,7 +133,7 @@ class TestGenerateQuery(unittest.TestCase):
|
||||
# min
|
||||
detection = {"selection": {"fieldname1": "test"},
|
||||
"condition": "selection | min(fieldname2) > 5"}
|
||||
inner_query = 'SELECT min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
inner_query = 'SELECT *,min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
@@ -141,7 +141,7 @@ class TestGenerateQuery(unittest.TestCase):
|
||||
# max
|
||||
detection = {"selection": {"fieldname1": "test"},
|
||||
"condition": "selection | max(fieldname2) > 5"}
|
||||
inner_query = 'SELECT max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
inner_query = 'SELECT *,max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
@@ -149,7 +149,7 @@ class TestGenerateQuery(unittest.TestCase):
|
||||
# avg
|
||||
detection = {"selection": {"fieldname1": "test"},
|
||||
"condition": "selection | avg(fieldname2) > 5"}
|
||||
inner_query = 'SELECT avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
inner_query = 'SELECT *,avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
@@ -157,7 +157,7 @@ class TestGenerateQuery(unittest.TestCase):
|
||||
# sum
|
||||
detection = {"selection": {"fieldname1": "test"},
|
||||
"condition": "selection | sum(fieldname2) > 5"}
|
||||
inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
@@ -165,7 +165,7 @@ class TestGenerateQuery(unittest.TestCase):
|
||||
# <
|
||||
detection = {"selection": {"fieldname1": "test"},
|
||||
"condition": "selection | sum(fieldname2) < 5"}
|
||||
inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg < 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
@@ -173,7 +173,7 @@ class TestGenerateQuery(unittest.TestCase):
|
||||
# ==
|
||||
detection = {"selection": {"fieldname1": "test"},
|
||||
"condition": "selection | sum(fieldname2) == 5"}
|
||||
inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
@@ -181,7 +181,7 @@ class TestGenerateQuery(unittest.TestCase):
|
||||
# group by
|
||||
detection = {"selection": {"fieldname1": "test"},
|
||||
"condition": "selection | sum(fieldname2) by fieldname3 == 5"}
|
||||
inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
|
||||
inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
@@ -189,7 +189,7 @@ class TestGenerateQuery(unittest.TestCase):
|
||||
# multiple conditions
|
||||
detection = {"selection": {"fieldname1": "test"}, "filter": {
|
||||
"fieldname2": "tessst"}, "condition": "selection OR filter | sum(fieldname2) == 5"}
|
||||
inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
|
||||
inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
|
||||
@@ -71,14 +71,14 @@ class TestFullTextSearch(unittest.TestCase):
|
||||
# aggregation with fts
|
||||
detection = {"selection": ["test"],
|
||||
"condition": "selection | count() > 5"}
|
||||
inner_query = 'SELECT count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
|
||||
inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
|
||||
detection = {"selection": ["test1", "test2"],
|
||||
"condition": "selection | count() > 5"}
|
||||
inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
|
||||
inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
@@ -86,7 +86,7 @@ class TestFullTextSearch(unittest.TestCase):
|
||||
# aggregation + group by + fts
|
||||
detection = {"selection": ["test1", "test2"],
|
||||
"condition": "selection | count() by fieldname > 5"}
|
||||
inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
|
||||
inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
|
||||
self.table)
|
||||
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
|
||||
self.validate(detection, expected_result)
|
||||
|
||||