diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/lnx_ldso_preload_injection.yml new file mode 100644 index 000000000..be1b937b7 --- /dev/null +++ b/rules/linux/lnx_ldso_preload_injection.yml @@ -0,0 +1,17 @@ +title: Code Injection by ld.so Preload +id: 7e3c4651-c347-40c4-b1d4-d48590fdf684 +status: experimental +description: Detects the ld.so preload persistence file. See `man ld.so` for more information. +author: Christian Burkard +date: 2021/05/05 +references: + - https://man7.org/linux/man-pages/man8/ld.so.8.html +logsource: + product: linux +detection: + keyword: + - '/etc/ld.so.preload' + condition: keyword +falsepositives: + - rare temporary workaround for library misconfiguration +level: high diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml new file mode 100644 index 000000000..ec83f8866 --- /dev/null +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml 
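Review bot: The new rule matches the bare keyword `/etc/ld.so.preload` under `logsource: product: linux` with no `service` or `category`, so it fires on any Linux log line that mentions the path — package-manager and configuration-management output, auditd reads, shell history — not only on a write to the file the description calls a "persistence file". Narrowing the logsource to the intended source (an auditd or file-integrity service) or at least stating in the description which log the keyword is expected in would make `level: high` defensible. The rule also carries no `tags`; `attack.persistence` and `attack.t1574.006` (Dynamic Linker Hijacking) are the usual mapping for ld.so preload abuse.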
@@ -0,0 +1,67 @@ +title: Suspicious DNS Z Flag Bit Set +id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5 +description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' +date: 2021/05/04 +references: + - 'https://twitter.com/neu5ron/status/1346245602502443009' + - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma' + - 'https://tools.ietf.org/html/rfc2929#section-2.1' + - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' +author: '@neu5ron, SOC Prime Team, Corelight' +tags: + - attack.t1094 + - attack.t1043 + - attack.command_and_control +logsource: + product: zeek + service: dns +detection: + z_flag_unset: + Z: '0' + most_probable_valid_domain: + query|contains: '.' 
+ exclude_tlds: + query|endswith: + - '.arpa' + - '.local' + - '.ultradns.net' + - '.twtrdns.net' + - '.azuredns-prd.info' + - '.azure-dns.com' + - '.azuredns-ff.info' + - '.azuredns-ff.org' + - '.azuregov-dns.org' + exclude_query_types: + qtype_name: + - 'NS' + - 'ns' + exclude_responses: + answers|endswith: '\\x00' + exclude_netbios: + id.resp_p: + - '137' + - '138' + - '139' + condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios) +falsepositive: + - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.' + - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' +level: medium +fields: + - ts + - id.orig_h + - id.orig_p + - id.resp_h + - id.resp_p + - proto + - qtype_name + - qtype + - query + - answers + - rcode + - rcode_name + - trans_id + - qtype + - ttl + - AA + - uid diff --git a/rules/windows/builtin/win_hidden_user_creation.yml b/rules/windows/builtin/win_hidden_user_creation.yml new file mode 100644 index 000000000..8dee8a7c3 --- /dev/null +++ b/rules/windows/builtin/win_hidden_user_creation.yml @@ -0,0 +1,25 @@ +title: Hidden Local User Creation +id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 +description: Detects the creation of a local hidden user account which should not happen for event ID 4720. +status: experimental +tags: + - attack.persistence + - attack.t1136.001 +references: + - https://twitter.com/SBousseaden/status/1387743867663958021 +author: Christian Burkard +date: 2021/05/03 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4720 + TargetUserName|endswith: '$' + condition: selection +fields: + - EventCode + - AccountName +falsepositives: + - unkown +level: high 
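Review bot: The `condition` lists `exclude_tlds OR exclude_tlds` twice, which is harmless but almost certainly a leftover or a typo for one of the other exclusion selections, and `fields` lists `qtype` twice. The top-level key is `falsepositive:` where the Sigma schema expects `falsepositives:`, so schema-aware tooling will drop or reject those entries, and the description sentence about "multiple of these files were accessed in a short period of time" reads as copied from a file-access rule and does not apply to DNS Z-bit hunting. `attack.t1094` and `attack.t1043` are deprecated technique IDs; if tags are kept, a current command-and-control technique should replace them, and a `status:` field is missing.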
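Review bot: `fields: - EventCode - AccountName` does not name the fields the selection actually uses (`EventID`, `TargetUserName`), so the fields hint will not surface the matching values in most backends; `fields: - TargetUserName - SubjectUserName` would. `falsepositives: - unkown` is a typo for `unknown`. It is worth stating in the description that `$`-suffixed names are also what computer accounts look like; those should be logged as 4741 rather than 4720, so the rule should hold, but a reader will ask.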
diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml new file mode 100644 index 000000000..70636d9fa --- /dev/null +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -0,0 +1,34 @@ +action: global +title: Moriya Rootkit +id: 25b9c01c-350d-4b95-bed1-836d04a4f324 +description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report +status: experimental +author: Bhabesh Raj +date: 2021/05/06 +modified: 2021/05/12 +level: critical +falsepositives: + - None +references: + - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1543.003 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 + ServiceName: ZzNetSvc + condition: selection +--- +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys' + condition: selection diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml index 9723914b0..a8388f876 100644 --- a/rules/windows/builtin/win_remote_powershell_session.yml +++ b/rules/windows/builtin/win_remote_powershell_session.yml @@ -1,8 +1,9 @@ -title: Remote PowerShell Sessions +title: Remote PowerShell Sessions Network Connections (WinRM) id: 13acf386-b8c6-4fe0-9a6e-c4756b974698 -description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986 +description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 status: experimental date: 2019/09/12 +modified: 2021/05/21 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md 
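Review bot: `TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'` is an exact, drive-letter-bound match, so an installation on another drive or a differently cased path on a backend with case-sensitive string comparison is missed. `TargetFilename|endswith: '\drivers\MoriyaStreamWatchmen.sys'` covers the same file without the hard-coded prefix, consistent with how the other new rules in this commit use `|endswith`. The service part (`EventID: 7045`, `ServiceName: ZzNetSvc`) is fine as an exact match.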
diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml index 865cbc5b1..7efc27dbb 100644 --- a/rules/windows/builtin/win_scm_database_handle_failure.yml +++ b/rules/windows/builtin/win_scm_database_handle_failure.yml @@ -17,8 +17,9 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'servicesactive' Keywords: "Audit Failure" + filter: SubjectLogonId: "0x3e4" - condition: selection + condition: selection and not filter falsepositives: - Unknown level: critical diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml index 9c9df1cb1..e5e6a0206 100644 --- a/rules/windows/builtin/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml @@ -15,8 +15,9 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'servicesactive' PrivilegeList: 'SeTakeOwnershipPrivilege' + filter: SubjectLogonId: "0x3e4" - condition: selection + condition: selection and not filter falsepositives: - Unknown level: critical diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml index c050853f6..39517aa8b 100644 --- a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml @@ -1,6 +1,6 @@ title: Vulnerable Dell BIOS Update Driver Load id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 -description: Detects the load of the vulnerable Dell BIOS update driver +description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551 author: Florian Roth date: 2021/05/05 references: @@ -8,6 +8,8 @@ references: logsource: category: driver_load product: windows +tags: + - cve.2021-21551 detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' 
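Review bot: The new `filter` exempts every event with `SubjectLogonId: "0x3e4"`, i.e. the entire NETWORK SERVICE logon session, so any service or scheduled task running under that identity is now excluded from a `critical` rule without the reason being recorded anywhere. A comment on the filter line, e.g. `# 0x3e4 = NETWORK SERVICE logon session; excluded because of <known benign source> — confirm`, or a matching `falsepositives` entry instead of `Unknown`, would let a later reviewer judge whether the exclusion is still needed or can be narrowed with `SubjectUserName`. The same filter is added in the next hunk to win_scm_database_privileged_operation.yml and the same note applies there.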
@@ -19,6 +21,9 @@ detection: - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' - '10b30bdee43b3a2ec4aa63375577ade650269d25' - 'd2fd132ab7bbc6bbb87a84f026fa0244' + + + condition: selection_image or selection_hash falsepositives: - legitimate BIOS driver updates (should be rare) diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml index 63f5efe97..fa78485a0 100644 --- a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml +++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml @@ -3,6 +3,7 @@ id: fe6e002f-f244-4278-9263-20e4b593827f description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/09/12 +modified: 2021/05/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -11,11 +12,11 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html logsource: product: windows - service: image_load + category: image_load detection: selection: - Description: 'system.management.automation' - ImageLoaded|contains: 'system.management.automation' + Description: 'System.Management.Automation' + ImageLoaded|contains: 'System.Management.Automation' filter: Image|endswith: '\powershell.exe' condition: selection and not filter diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml index b0d0303f9..bb3cbec63 100755 --- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml +++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml 
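Review bot: The `filter` only exempts `\powershell.exe`, but PowerShell 7 (`pwsh.exe`) and `powershell_ise.exe` load their own System.Management.Automation and would be reported as "alternate hosts" by the corrected selection; adding `- '\pwsh.exe'` and `- '\powershell_ise.exe'` to the `Image|endswith` list keeps the rule to genuinely unusual hosts. The `service:` → `category: image_load` change is the substantive fix; the case change in the two match strings is cosmetic, since Sigma string matching is case-insensitive by convention.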
@@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - Description: 'system.management.automation' - ImageLoaded|contains: 'system.management.automation' + Description: 'System.Management.Automation' + ImageLoaded|contains: 'System.Management.Automation' condition: selection fields: - ComputerName diff --git a/rules/windows/image_load/sysmon_susp_python_image_load.yml b/rules/windows/image_load/sysmon_susp_python_image_load.yml index d5fa64cb8..ba7f3d7d4 100644 --- a/rules/windows/image_load/sysmon_susp_python_image_load.yml +++ b/rules/windows/image_load/sysmon_susp_python_image_load.yml @@ -3,6 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83 description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe. status: experimental date: 2020/05/03 +modified: 2021/05/12 author: Patrick St. John, OTR (Open Threat Research) tags: - attack.defense_evasion @@ -12,7 +13,7 @@ references: - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ logsource: product: windows - service: image_load + category: image_load detection: selection: Description: 'Python Core' diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index 4975c1e95..c200959a2 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml 
@@ -2,27 +2,37 @@ title: Antivirus Relevant File Paths Alerts id: c9a88268-0047-4824-ba6e-4d81ce0b907c description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name date: 2018/09/09 -modified: 2019/10/04 -author: Florian Roth +modified: 2021/05/09 +author: Florian Roth, Arnim Rupp references: - - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ logsource: product: antivirus detection: selection: - FileName|startswith: - - 'C:\Windows\Temp\' + - 'C:\Windows\' - 'C:\Temp\' - 'C:\PerfLogs\' - 'C:\Users\Public\' - 'C:\Users\Default\' - FileName|contains: - '\Client\' + - '\tsclient\' + - '\inetpub\' + - '/www/' + - 'apache' + - 'tomcat' + - 'nginx' + - 'weblogic' selection2: Filename|endswith: - '.ps1' + - '.psm1' - '.vbs' - '.bat' + - '.cmd' + - '.sh' - '.chm' - '.xml' - '.txt' @@ -30,8 +40,18 @@ detection: - '.jspx' - '.asp' - '.aspx' + - '.ashx' + - '.asax' + - '.asmx' - '.php' + - '.cfm' + - '.py' + - '.pyc' + - '.pl' + - '.rb' + - '.cgi' - '.war' + - '.ear' - '.hta' - '.lnk' - '.scf' @@ -39,6 +59,12 @@ detection: - '.vbe' - '.wsf' - '.wsh' + - '.gif' + - '.png' + - '.jpg' + - '.jpeg' + - '.svg' + - '.dat' condition: selection or selection2 fields: - Signature diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 3942662be..3d9cc3105 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml 
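Review bot: `selection` uses `FileName|startswith` / `FileName|contains` while `selection2`, which this hunk extends, uses `Filename|endswith` — two spellings of the same field, so a field mapping can only resolve one of them and the other selection silently never matches; both should be `FileName`. Widening `'C:\Windows\Temp\'` to `'C:\Windows\'` makes every AV alert anywhere under the Windows directory match, and the new `.gif`/`.png`/`.jpg`/`.jpeg`/`.svg`/`.dat` suffixes match any flagged image or data file, which moves a rule titled "relevant file paths" close to "any alert"; if that widening is intended, the description should say so and the level should be reconsidered.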
@@ -1,14 +1,19 @@ title: Antivirus Web Shell Detection id: fdf135a2-9241-4f96-a114-bb404948f736 -description: Detects a highly relevant Antivirus alert that reports a web shell +description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches. date: 2018/09/09 -modified: 2001/01/07 +modified: 2021/05/08 author: Florian Roth, Arnim Rupp references: - - https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v1-7-2/ + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ + - https://github.com/tennc/webshell - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection + - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection + - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection + - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection + - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection tags: - attack.persistence - attack.t1100 
@@ -18,26 +23,48 @@ logsource: detection: selection: - Signature|startswith: - - "PHP/Backdoor" - - "JSP/Backdoor" - - "ASP/Backdoor" - - "Backdoor.PHP" - - "Backdoor.JSP" - - "Backdoor.ASP" - - "Backdoor?Java" + - "PHP/" + - "JSP/" + - "ASP/" + - "Perl/" + - "PHP." + - "JSP." + - "ASP." + - "Perl." + - "VBS/Uxor" # looking for "VBS/" would also find downloaders and droppers meant for desktops + - "IIS/BackDoor" + - "JAVA/Backdoor" + - "Troj/ASP" + - "Troj/PHP" + - "Troj/JSP" - Signature|contains: - "Webshell" - "Chopper" + - "SinoChoper" - "ASPXSpy" - "Aspdoor" + - "filebrowser" + - "PHP_" + - "JSP_" + - "ASP_" # looking for "VBS_" would also find downloaders and droppers meant for desktops - "PHP:" + - "JSP:" + - "ASP:" + - "Perl:" - "PHPShell" - "Trojan.PHP" - "Trojan.ASP" - "Trojan.JSP" + - "Trojan.VBS" - "PHP?Agent" - "ASP?Agent" - "JSP?Agent" + - "VBS?Agent" + - "Backdoor?PHP" + - "Backdoor?JSP" + - "Backdoor?ASP" + - "Backdoor?VBS" + - "Backdoor?Java" condition: selection fields: - FileName diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml index ad50510af..b42525448 100755 --- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1096148422984384514 author: Samir Bousseaden date: 2019/02/16 -modified: 2020/08/24 +modified: 2021/05/11 tags: - attack.command_and_control - attack.t1572 @@ -25,7 +25,7 @@ detection: selection2: - DestinationIp|startswith: - '127.' - - DestinationIP: + - DestinationIp: - '::1' condition: selection and selection2 falsepositives: diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml index b89b2b086..cb8754e21 100644 --- a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml 
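Review bot: The hunk adds `Trojan.VBS`, `VBS?Agent` and `Backdoor?VBS` while its own comments deliberately avoid `VBS/` and `VBS_` because those also match desktop downloaders and droppers; the same reasoning applies to the three new VBS entries, so a web-shell rule will now fire on ordinary VBS dropper detections. Either drop them or extend the existing comment with why these particular signatures are considered web-shell-specific. The broadened `Signature|startswith` prefixes (`PHP/`, `JSP/`, `ASP/`, `Perl/`, `PHP.`, ...) match any PHP/JSP/ASP/Perl detection, not only shells, so the tuning advice in the description should also mention checking the engine's non-shell signatures in those families.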
+++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/PythonResponder/status/1385064506049630211 tags: - attack.credential_access - - attack.t1552.004 + - attack.t1003.001 author: Florian Roth date: 2021/04/23 logsource: diff --git a/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml new file mode 100644 index 000000000..57c00dc75 --- /dev/null +++ b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml @@ -0,0 +1,29 @@ +title: Suspicious Shells Spawn by WinRM +id: 5cc2cda8-f261-4d88-a2de-e9e193c86716 +description: Detects suspicious shell spawn from WinRM host process +status: experimental +author: Andreas Hunkeler (@Karneades), Markus Neis +date: 2021/05/20 +tags: + - attack.t1190 + - attack.initial_access + - attack.persistence + - attack.privilege_escalation +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\wsmprovhost.exe' + Image: + - '*\cmd.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\powershell.exe' + - '*\schtasks.exe' + - '*\certutil.exe' + - '*\whoami.exe' + - '*\bitsadmin.exe' + condition: selection + +level: critical diff --git a/rules/windows/process_creation/sysmon_rclone_execution.yml b/rules/windows/process_creation/sysmon_rclone_execution.yml new file mode 100644 index 000000000..6cf58dc45 --- /dev/null +++ b/rules/windows/process_creation/sysmon_rclone_execution.yml 
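Review bot: The rule uses bare wildcards (`ParentImage: '*\wsmprovhost.exe'`, `Image: - '*\cmd.exe'`) where the neighbouring rules and the rest of this commit use modifiers (`ParentImage|endswith: '\wsmprovhost.exe'`), which is the form the backends translate most reliably. There is no `falsepositives` block and no `references`, which is hard to square with `level: critical`: administrators using PowerShell remoting routinely spawn `cmd.exe`, `whoami.exe` and `schtasks.exe` from wsmprovhost.exe, so at minimum `falsepositives: - Legitimate administrative use of PowerShell remoting` belongs here. The `attack.t1190` tag also looks misplaced — the parent is the WinRM host process, not a public-facing application — `attack.lateral_movement` / `attack.t1021.006` fits the behaviour better.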
@@ -0,0 +1,32 @@ +title: RClone Execution +id: a0d63692-a531-4912-ad39-4393325b2a9c +status: experimental +description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc +tags: + - attack.exfiltration + - attack.t1567.002 +author: Bhabesh Raj +date: 2021/05/10 +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware + - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a + - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone +fields: + - CommandLine + - ParentCommandLine + - Details +falsepositives: + - Legitimate RClone use +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + Description: 'Rsync for cloud storage' + selection2: + CommandLine|contains|all: + - '--config ' + - '--no-check-certificate ' + - ' copy ' + condition: 1 of them diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml index d36b3844d..d8899df42 100644 --- a/rules/windows/process_creation/win_hack_secutyxploded.yml +++ b/rules/windows/process_creation/win_hack_secutyxploded.yml @@ -6,7 +6,7 @@ references: - https://securityxploded.com/ - https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ date: 2018/12/19 -modified: 2020/09/01 +modified: 2021/05/11 tags: - attack.credential_access - attack.t1555 @@ -21,7 +21,7 @@ detection: selection2: Image|endswith: 'PasswordDump.exe' selection3: - OriginalFilename|endswith: 'PasswordDump.exe' + OriginalFileName|endswith: 'PasswordDump.exe' condition: 1 of them falsepositives: - unlikely diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml index 7490d9b6d..f5bb57daa 100644 
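Review bot: The `contains|all` strings carry trailing spaces (`'--config '`, `'--no-check-certificate '`, `' copy '`), so a command line in which one of those tokens is the last argument — `--no-check-certificate` at the end is common — does not match; the spaces look like an attempt at word boundaries that the modifier cannot provide. `'--config'`, `'--no-check-certificate'` and `' copy'` keep the intent without the edge case. With `condition: 1 of them` the `Description: 'Rsync for cloud storage'` part alone fires on every rclone start, which is fine given the stated false positive, but `fields: - Details` is not a process_creation field; `Image` or `Description` would be more useful there.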
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml +++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml @@ -1,9 +1,9 @@ -title: Remote PowerShell Session +title: Remote PowerShell Session Host Process (WinRM) id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 -description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session) +description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session) status: experimental date: 2019/09/12 -modified: 2019/11/10 +modified: 2021/05/21 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index eca94458b..831fefe48 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml @@ -8,7 +8,7 @@ references: - https://thedfirreport.com/2020/05/08/adfind-recon/ author: FPT.EagleEye Team, omkar72, oscd.community date: 2020/09/26 -modified: 2020/10/11 +modified: 2021/05/12 tags: - attack.discovery - attack.t1018 @@ -17,7 +17,7 @@ tags: - attack.t1069.002 logsource: product: windows - service: process_creation + category: process_creation detection: selection: CommandLine|contains: diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index 26cc7c489..b643eb4fc 100644 --- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml 
@@ -8,8 +8,6 @@ date: 2019/01/16 modified: 2021/04/23 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - - https://twitter.com/subTee/status/888102593838362624 - - https://twitter.com/subTee/status/888071631528235010 - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - https://twitter.com/egre55/status/1087685529016193025 diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml index 6599c02b5..ee19fca90 100644 --- a/rules/windows/process_creation/win_susp_csi.yml +++ b/rules/windows/process_creation/win_susp_csi.yml @@ -4,6 +4,7 @@ description: Csi.exe is a signed binary from Micosoft that comes with Visual Stu status: experimental author: Konstantin Grishchenko, oscd.community date: 2020/10/17 +modified: 2021/05/11 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Rcsi.yml @@ -22,8 +23,8 @@ detection: - Image|endswith: '\csi.exe' - Image|endswith: '\rcsi.exe' renamed: - - OriginalFilename: 'csi.exe' - - OriginalFilename: 'rcsi.exe' + - OriginalFileName: 'csi.exe' + - OriginalFileName: 'rcsi.exe' selection: Company: 'Microsoft Corporation' condition: (basic or renamed) and selection diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml index dcab5bd63..f421c1cd6 100644 --- a/rules/windows/process_creation/win_susp_renamed_debugview.yml +++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml @@ -15,7 +15,7 @@ detection: - 'Sysinternals DebugView' - 'Sysinternals Debugview' filter: - OriginalFilename: 'Dbgview.exe' + OriginalFileName: 'Dbgview.exe' Image|endswith: '\Dbgview.exe' condition: selection and not filter falsepositives: 
diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 55659f9a0..9d36bc717 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -6,6 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 +modified: 2021/05/12 tags: - attack.command_and_control - attack.execution @@ -13,7 +14,7 @@ tags: - attack.t1218 logsource: product: windows - service: process_creation + category: process_creation detection: selection: ProcessCommandLine|contains|all: diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml new file mode 100644 index 000000000..0b9558835 --- /dev/null +++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml @@ -0,0 +1,24 @@ +title: Creation of a Local Hidden User Account by Registry +id: 460479f3-80b7-42da-9c43-2cc1d54dbccd +description: Sysmon registry detection of a local hidden user account. +status: experimental +date: 2021/05/03 +modified: 2021/05/12 +author: Christian Burkard +tags: + - attack.persistence + - attack.t1136.001 +references: + - https://twitter.com/SBousseaden/status/1387530414185664538 +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\' + TargetObject|endswith: '$' + Image|endswith: "lsass.exe" + condition: selection +falsepositives: + - unknown +level: high diff --git a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml index 5a0e5fb05..ea6a92f21 100644 --- a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml +++ b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml 
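Review bot: Quoting is mixed inside a single selection — `'HKLM\SAM\SAM\Domains\Account\Users\Names\'` and `'$'` are single-quoted while `"lsass.exe"` is double-quoted; the rest of the commit uses single quotes, and keeping one style avoids surprises with backslash handling in double-quoted YAML scalars. `modified: 2021/05/12` on a file that is new in this commit with `date: 2021/05/03` is harmless but usually the two match on a first commit. Requiring `Image|endswith` lsass.exe is a sensible narrowing, presumably because that is the process that performs the SAM write for account creation — worth one line in the description so the constraint is not removed later.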
@@ -3,6 +3,7 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014 description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. status: experimental date: 2020/05/02 +modified: 2021/05/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.defense_evasion @@ -12,7 +13,7 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html logsource: product: windows - service: registry_event + category: registry_event detection: selection: TargetObject|contains: '\Software\Sysinternals\SDelete' diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/sysmon/sysmon_pingback_backdoor.yml new file mode 100644 index 000000000..085c739e9 --- /dev/null +++ b/rules/windows/sysmon/sysmon_pingback_backdoor.yml 
@@ -0,0 +1,47 @@ +action: global +title: Pingback Backdoor +id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 +status: experimental +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report +author: Bhabesh Raj +date: 2021/05/05 +falsepositives: + - Very unlikely +level: high +references: + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel + - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 +tags: + - attack.persistence + - attack.t1574.001 +--- +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: updata.exe + TargetFilename: 'C:\Windows\oci.dll' + condition: selection +--- +logsource: + product: windows + category: image_load +detection: + selection: + Image|endswith: 'msdtc.exe' + ImageLoaded: 'C:\Windows\oci.dll' + condition: selection +--- +logsource: + product: windows + category: process_creation +detection: + selection: + ParentImage|endswith: 'updata.exe' + CommandLine|contains|all: + - 'config' + - 'msdtc' + - 'start' + - 'auto' + condition: selection diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 7e91eb360..a3034b7c5 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -135,6 +135,7 @@ fieldmappings: Product: winlog.event_data.Product Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName + ScriptBlockText: powershell.file.script_block_text SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 34fef1fdd..789d5f2b8 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml 
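Review bot: `Image|endswith: updata.exe` is the only unquoted value in the rule while `'msdtc.exe'` and `'updata.exe'` are quoted elsewhere in the same file; harmless in YAML but inconsistent. `TargetFilename: 'C:\Windows\oci.dll'` and `ImageLoaded: 'C:\Windows\oci.dll'` are exact drive-bound matches, the same point as for win_moriya_rootkit.yml in this commit; `|endswith: '\Windows\oci.dll'` is drive-independent and still specific. The process_creation part (`config`, `msdtc`, `start`, `auto` in the command line under a parent named updata.exe) is reasonably tied to the service reconfiguration in the referenced report, so `high` looks right.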
@@ -119,6 +119,7 @@ fieldmappings:
 ProcessName: event_data.ProcessName
 Product: event_data.Product
 Properties: event_data.Properties
+ ScriptBlockText: winlog.event_data.ScriptBlockText
 SecurityID: event_data.SecurityID
 ServiceFileName: event_data.ServiceFileName
 ServiceName: event_data.ServiceName
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 9bb3c5559..1b1f4bdea 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -125,6 +125,7 @@ fieldmappings:
 Properties: winlog.event_data.Properties
 RuleName: winlog.event_data.RuleName
 SAMAccountName: winlog.event_data.SamAccountName
+ ScriptBlockText: winlog.event_data.ScriptBlockText
 SecurityID: winlog.event_data.SecurityID
 ServiceFileName: winlog.event_data.ServiceFileName
 ServiceName: winlog.event_data.ServiceName
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index a60c8cc3a..248640066 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -1346,7 +1346,11 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
 tactics_list.append(tact)
 threat = self.create_threat_description(tactics_list=tactics_list, techniques_list=technics_list)
 rule_name = configs.get("title", "").lower()
- rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name)
+ rule_uuid = configs.get("id", "").lower()
+ if rule_uuid == "":
+ rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name)
+ else:
+ rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_uuid)
 risk_score = self.map_risk_score(configs.get("level", "medium"))
 references = configs.get("reference")
 if references is None:
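Review bot: The new mapping in winlogbeat-old.yml, `ScriptBlockText: winlog.event_data.ScriptBlockText`, uses the `winlog.` prefix while every neighbouring entry in that file (`event_data.Properties`, `event_data.SecurityID`, `event_data.ServiceFileName`) uses the bare `event_data.` form of the old field layout, so queries generated from this config would reference a field that does not exist in that schema; `ScriptBlockText: event_data.ScriptBlockText` follows the file's convention. The three config files now map the same Sigma field to two different targets (`powershell.file.script_block_text` in the modules config, `winlog.event_data.ScriptBlockText` in the other two); that may be intentional per module, but a short comment next to each mapping would stop the next editor from "fixing" one to match the other.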
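Review bot: The regex is compiled twice in the new `if`/`else`, and the branch only chooses the input string; `rule_id = re.sub(r'[()*+!,\[\].\s"]', "_", rule_uuid or rule_name)` expresses the same logic in one line and also makes the pattern a raw string — in the non-raw form `\[` and `\s` are invalid escape sequences that newer Python versions warn about. `configs.get("id", "").lower()` still raises if a rule file has `id:` with a null value, because `.get` then returns `None` rather than the default; `(configs.get("id") or "").lower()` is the defensive form. The enclosing method starts before this hunk.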
@@ -1381,6 +1385,8 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): rule.update({"threshold": self.rule_threshold}) if references: rule.update({"references": references}) + self.rule_type = "query" + self.rule_threshold = {} return json.dumps(rule) class KibanaNdjsonBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin): diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index bd734bfa6..bc55a1ba1 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -1,6 +1,7 @@ # Output backends for sigmac # Copyright 2019 Jayden Zheng # Copyright 2020 Jonas Hagg +# Copyright 2021 wagga (https://github.com/wagga40/) # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published by @@ -43,9 +44,16 @@ class SQLBackend(SingleTextQueryBackend): mapListValueExpression = "%s OR %s" # Syntax for field/value condititons where map value is a list mapLength = "(%s %s)" - def __init__(self, sigmaconfig, table): + options = SingleTextQueryBackend.options + ( + ("table", False, "Use this option to specify table name, default is \"eventlog\"", None), + ) + + def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) - self.table = table + if "table" in options: + self.table = options["table"] + else: + self.table = "eventlog" def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] 
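Review bot: Resetting `self.rule_type = "query"` and `self.rule_threshold = {}` at the very end of the method only clears the per-rule state on the success path; if anything between the point where those attributes are set (outside this hunk) and this line raises, the next rule converted by the same backend instance inherits the previous rule's threshold and type. Doing the reset at the start of the method, or wrapping the body in `try: ... finally:` with the reset in `finally`, removes the bleed-through; a one-line comment saying these are per-rule fields that must not outlive one conversion would help too. The method begins before this hunk, so where the two attributes are first assigned is not visible here.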
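Review bot: The `if "table" in options ... else` block is the long form of `self.table = options.get("table", "eventlog")`, and the default `"eventlog"` is now stated twice (in the option help text and in the fallback), so the two can drift; the option tuple's default is `False`, which presumably is the base class's "not set" marker — TODO confirm against `SingleTextQueryBackend.options`. The table name is interpolated straight into the generated SQL (the tests in this commit show it landing in `FROM {}`), and it now comes from a user-supplied backend option rather than a fixed argument, so a guard such as `if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.]*", self.table): raise ValueError(...)` would keep a stray quote or semicolon in the option from producing malformed SQL. Changing the signature from `table` to `options` also breaks any subclass calling `super().__init__(sigmaconfig, table)`; the sqlite test file is touched in this commit, so that is presumably handled.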
@@ -162,10 +170,10 @@ class SQLBackend(SingleTextQueryBackend): group_by = "" if agg.aggfield: - select = "{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) + select = "*,{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) else: if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: - select = "{}(*) AS agg".format(agg.aggfunc_notrans) + select = "*,{}(*) AS agg".format(agg.aggfunc_notrans) else: raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans)) diff --git a/tools/tests/test_backend_sql.py b/tools/tests/test_backend_sql.py index b4bd82026..b30da675d 100644 --- a/tools/tests/test_backend_sql.py +++ b/tools/tests/test_backend_sql.py @@ -125,7 +125,7 @@ class TestGenerateQuery(unittest.TestCase): # count detection = {"selection": {"fieldname": "test"}, "condition": "selection | count() > 5"} - inner_query = 'SELECT count(*) AS agg FROM {} WHERE fieldname = "test"'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {} WHERE fieldname = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -133,7 +133,7 @@ class TestGenerateQuery(unittest.TestCase): # min detection = {"selection": {"fieldname1": "test"}, "condition": "selection | min(fieldname2) > 5"} - inner_query = 'SELECT min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) 
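Review bot: Prefixing the aggregation with `*,` produces `SELECT *,sum(fieldname2) AS agg FROM ... GROUP BY fieldname3` (see the updated expectations in test_backend_sql.py), which is invalid on standards-conforming engines: with `GROUP BY` every non-aggregated column must be in the group list, and without `GROUP BY` mixing `*` with an aggregate is rejected by PostgreSQL and SQL Server and only tolerated by SQLite (and MySQL without ONLY_FULL_GROUP_BY). If the goal is to carry the event columns through to the outer `SELECT * FROM (...) WHERE agg > 5`, selecting the group-by fields explicitly (`SELECT fieldname3, sum(fieldname2) AS agg ...`) is portable; otherwise this should be confined to the sqlite backend rather than the generic SQL one. The enclosing method starts before this hunk.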
@@ -141,7 +141,7 @@ class TestGenerateQuery(unittest.TestCase):
         # max
         detection = {"selection": {"fieldname1": "test"}, "condition": "selection | max(fieldname2) > 5"}
-        inner_query = 'SELECT max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
@@ -149,7 +149,7 @@ class TestGenerateQuery(unittest.TestCase):
         # avg
         detection = {"selection": {"fieldname1": "test"}, "condition": "selection | avg(fieldname2) > 5"}
-        inner_query = 'SELECT avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
@@ -157,7 +157,7 @@ class TestGenerateQuery(unittest.TestCase):
         # sum
         detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) > 5"}
-        inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
@@ -165,7 +165,7 @@ class TestGenerateQuery(unittest.TestCase):
         # <
         detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) < 5"}
-        inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg < 5'.format(inner_query)
         self.validate(detection, expected_result)
@@ -173,7 +173,7 @@ class TestGenerateQuery(unittest.TestCase):
         # ==
         detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) == 5"}
-        inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
         self.validate(detection, expected_result)
@@ -181,7 +181,7 @@ class TestGenerateQuery(unittest.TestCase):
         # group by
         detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) by fieldname3 == 5"}
-        inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
+        inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
         self.validate(detection, expected_result)
@@ -189,7 +189,7 @@ class TestGenerateQuery(unittest.TestCase):
         # multiple conditions
         detection = {"selection": {"fieldname1": "test"}, "filter": { "fieldname2": "tessst"}, "condition": "selection OR filter | sum(fieldname2) == 5"}
-        inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
+        inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
         self.validate(detection, expected_result)
diff --git a/tools/tests/test_backend_sqlite.py b/tools/tests/test_backend_sqlite.py
index ac7647739..294a59de2 100644
--- a/tools/tests/test_backend_sqlite.py
+++ b/tools/tests/test_backend_sqlite.py
@@ -71,14 +71,14 @@ class TestFullTextSearch(unittest.TestCase):
         # aggregation with fts
         detection = {"selection": ["test"], "condition": "selection | count() > 5"}
-        inner_query = 'SELECT count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
+        inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         detection = {"selection": ["test1", "test2"], "condition": "selection | count() > 5"}
-        inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
+        inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
@@ -86,7 +86,7 @@ class TestFullTextSearch(unittest.TestCase):
         # aggregation + group by + fts
         detection = {"selection": ["test1", "test2"], "condition": "selection | count() by fieldname > 5"}
-        inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
+        inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)