From 5d8f4aad5f06ac941adf392a2399bc2fdbcd67ab Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Wed, 2 Aug 2023 11:01:35 +0200 Subject: [PATCH 01/21] Add JSON schema for validation of Sigma rules --- sigma-schema.json | 243 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 243 insertions(+) create mode 100644 sigma-schema.json diff --git a/sigma-schema.json b/sigma-schema.json new file mode 100644 index 000000000..05b358e91 --- /dev/null +++ b/sigma-schema.json 
@@ -0,0 +1,243 @@
+{
+ "title": "Sigma rule specification V1.0.4 (2023/06/29)",
+ "type": "object",
+ "required": ["title", "logsource", "detection"],
+ "properties": {
+ "title": {
+ "type": "string",
+ "maxLength": 256,
+ "description": "A brief title for the rule that should contain what the rules is supposed to detect"
+ },
+ "id": {
+ "type": "string",
+ "description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory."
+ },
+ "related": {
+ "type": "array",
+ "description": "A list of related Sigma rules to keep track of the relationships between detections. This can be used to indicate that a rule is derived from another rule, or that a rule has been obsoleted by another rule.",
+ "items": {
+ "type": "object",
+ "required": ["id", "type"],
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string",
+ "oneOf": [
+ {
+ "const": "derived",
+ "description": "The rule was derived from the referred rule or rules, which may remain active"
+ },
+ {
+ "const": "obsoletes",
+ "description": "The rule obsoletes the referred rule or rules, which aren't used anymore"
+ },
+ {
+ "const": "merged",
+ "description": "The rule was merged from the referred rules. The rules may be still existing and in use"
+ },
+ {
+ "const": "renamed",
+ "description": "The rule had previously the referred identifier or identifiers but was renamed for whatever reason, e.g. from a private naming scheme to UUIDs, to resolve collisions etc. It's not expected that a rule with this id exists anymore"
+ },
+ {
+ "const": "similar",
+ "description": "TUse to relate similar rules to each other (e.g. same detection content applied to different log sources, rule that is a modified version of another rule with a different level)"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "status": {
+ "type": "string",
+ "oneOf": [
+ {
+ "const": "stable",
+ "description": "The rule didn't produce any obvious false positives in multiple environments over a long period of time"
+ },
+ {
+ "const": "test",
+ "description": "The rule doesn't show any obvious false positives on a limited set of test systems"
+ },
+ {
+ "const": "experimental",
+ "description": "A new rule that hasn't been tested outside of lab environments and could lead to many false positives"
+ },
+ {
+ "const": "deprecated",
+ "description": "The rule is to replace or cover another one. The link between both rules is made via the `related` field"
+ },
+ {
+ "const": "unsupported",
+ "description": "The rule can not be used in its current state (special correlation log, home-made fields...etc.)"
+ }
+ ]
+ },
+ "description": {
+ "type": "string",
+ "description": "A short description of the rule and the malicious activity that can be detected",
+ "maxLength": 65535
+ },
+ "license": {
+ "type": "string",
+ "description": "License of the rule according the SPDX ID specification (https://spdx.dev/ids/)"
+ },
+ "author": {
+ "type": "string",
+ "description": "Creator of the rule. (can be a name, nickname, twitter handle, etc.)"
+ },
+ "references": {
+ "type": "array",
+ "description": "References to the source that the rule was derived from. These could be blog articles, technical papers, presentations or even tweets",
+ "items": {
+ "type": "string"
+ }
+ },
+ "date": {
+ "type": "string",
+ "description": "Creation date of the rule. Use the format YYYY/MM/DD",
+ "pattern": "^\\d.*[/]\\d.{1,2}[/]\\d.{1,2}$"
+ },
+ "modified": {
+ "type": "string",
+ "description": "Last modification date of the rule. Use the format YYYY/MM/DD",
+ "pattern": "^\\d.*[/]\\d.{1,2}[/]\\d.{1,2}$"
+ },
+ "logsource": {
+ "type": "object",
+ "description": "The log source that the rule is supposed to detect malicious activity in.",
+ "properties": {
+ "category": {
+ "type": "string",
+ "description": "Select all log files written by a certain group of products, like firewalls or web server logs"
+ },
+ "product": {
+ "type": "string",
+ "description": "Select all log outputs of a certain product, e.g. all Windows Eventlog types including \"Security\", \"System\", \"Application\" and the new log types like \"AppLocker\" and \"Windows Defender\""
+ },
+ "service": {
+ "type": "string",
+ "description": "Select only a subset of a product's logs, like the \"sshd\" on Linux or the \"Security\" Eventlog on Windows systems"
+ },
+ "definition": {
+ "type": "string",
+ "description": "Describe the log source, including some information on the log verbosity level or configurations that have to be applied"
+ }
+ }
+ },
+ "detection": {
+ "type": "object",
+ "required": ["condition"],
+ "description": "A set of search-identifiers that represent properties of searches on log data",
+ "additionalProperties": {
+ "anyOf": [
+ {
+ "type": "array",
+ "items": {
+ "anyOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "integer"
+ },
+ {
+ "type": "object",
+ "items": {
+ "type": "string"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "object",
+ "items": {
+ "type": "string"
+ }
+ }
+ ]
+ },
+ "properties": {
+ "condition": {
+ "anyOf": [
+ {
+ "type": "string",
+ "description": "A search condition that is applied to the log data. The following format must be used: fieldname : value"
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "minLength": 2
+ }
+ }
+ ],
+ "description": "A set of search-identifiers that represent properties of searches on log data"
+ },
+ "timeframe": {
+ "type": "string",
+ "description": "Is a special Search-Identifier used only with Aggregation conditions Defines a time period in which the aggregation should be applied. The following format must be used: number + letter (in lowercase) - Xs seconds - Xm minutes - Xh hours - Xd days"
+ }
+ }
+ },
+ "fields": {
+ "type": "array",
+ "description": "A list of log fields that could be interesting in further analysis of the event and should be displayed to the analyst",
+ "items": {
+ "type": "string"
+ }
+ },
+ "falsepositives": {
+ "description": "A list of known false positives that may occur",
+ "anyOf": [
+ {
+ "type": "string",
+ "minLength": 2
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "minLength": 2
+ }
+ }
+ ]
+ },
+ "level": {
+ "type": "string",
+ "description": "The criticality of a triggered rule",
+ "oneOf": [
+ {
+ "const": "informational",
+ "description": "Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules"
+ },
+ {
+ "const": "low",
+ "description": "Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. Immediate reaction shouldn't be necessary, but a regular review is recommended"
+ },
+ {
+ "const": "medium",
+ "description": "Relevant event that should be reviewed manually on a more frequent basis"
+ },
+ {
+ "const": "high",
+ "description": "Relevant event that should trigger an internal alert and requires a prompt review"
+ },
+ {
+ "const": "critical",
+ "description": "Highly relevant event that indicates an incident. Critical events should be reviewed immediately. It is used only for cases in which probability borders certainty"
+ }
+ ]
+ },
+ "tags": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "pattern": "^[a-z0-9_.].{2,}$"
+ }
+ }
+ }
+}
From 52ae5bf66f8170cdd8ba0b0ca1199376a7e866f4 Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Wed, 2 Aug 2023 11:02:00 +0200 Subject: [PATCH 02/21] Add script to validate all the rules with the JSON schema --- validate.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100755 validate.sh
diff --git a/validate.sh b/validate.sh
new file mode 100755
index 000000000..cf4d3695f
--- /dev/null
+++ b/validate.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Check if the check-jsonschema tool is installed
+if ! command -v check-jsonschema &> /dev/null
+then
+ echo "check-jsonschema could not be found"
+ echo "Please install it from PyPI using:"
+ echo "pip install check-jsonschema"
+ exit
+fi
+
+# Validate all the Sigma rules in the current directory
+echo "Validating Sigma rules against schema.json"
+check-jsonschema --schemafile sigma-schema.json $(find ./rules ./rules-compliance ./rules-dfir ./rules-emerging-threats ./rules-placeholder ./rules-threat-hunting -type f -name "*.yml")
From e57f5943a483fc975081140452ec249bb0376774 Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Wed, 2 Aug 2023 11:41:28 +0200 Subject: [PATCH 03/21] Add workflow to validate all rules --- .github/workflows/sigma-validation.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/sigma-validation.yaml
diff --git a/.github/workflows/sigma-validation.yaml b/.github/workflows/sigma-validation.yaml
new file mode 100644
index 000000000..11169d74c
--- /dev/null
+++ b/.github/workflows/sigma-validation.yaml
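Review bot: Neither the root object nor `related.items` sets `additionalProperties: false`, so a rule with a misspelled key such as `falsepositive` or `refrences` validates cleanly and the intended field is silently ignored by every consumer; add `"additionalProperties": false` to both (after confirming the listed keys cover everything the targeted spec version allows) and declare the targeted draft with a top-level `"$schema"` key so `oneOf`/`format` semantics don't depend on the validator's default. Inside `detection.additionalProperties`, `"items": {"type": "string"}` is attached to two `"type": "object"` subschemas; `items` only constrains arrays, so object-valued search identifiers are effectively unconstrained — if the intent is "object whose values are strings", the keyword is `additionalProperties` (or `patternProperties`). The loose `date`/`modified` and `tags` patterns in this hunk are tightened by later patches in the series, so I won't repeat that here.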
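Review bot: The missing-tool branch ends with a bare `exit`, which returns 0, so in CI a missing `check-jsonschema` prints the install hint and the job passes without validating anything; make it `exit 1` and start the script with `set -euo pipefail` so a failing validator also fails the job. The unquoted `$(find …)` on the last line word-splits on whitespace in paths and, when `find` matches nothing, runs the validator with no files; prefer `find … -type f -name "*.yml" -print0 | xargs -0 -r check-jsonschema --schemafile sigma-schema.json`. Note also that `sigma-schema.json` and the `./rules*` directories are resolved against the caller's working directory, so the script only works when invoked from the repository root.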
@@ -0,0 +1,23 @@
+name: Validate Sigma rules
+
+on:
+ push:
+ branches:
+ - "*"
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ validate-sigma-rules:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v3
+ with:
+ python-version: "3.10"
+ - name: Install dependencies
+ run: pip install check-jsonschema
+ - name: Validate Sigma rules
+ run: ./validate.sh
From 3df9cf13aa57b92bc59b698131f6e41eba381d26 Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Wed, 2 Aug 2023 14:14:49 +0200 Subject: [PATCH 04/21] Fix related.id --- .../windows/file/file_event/file_event_win_winrm_awl_bypass.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
index c6180f208..a6d2cf763 100644
--- a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
+++ b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
@@ -1,7 +1,7 @@
 title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
 id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
 related:
- - id: 074e0ded-6ced-4ebd-8b4d-53f55908119
+ - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
 type: derived
 status: test
 description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
From ddcb16ec2362244a6532a28ff3975d01020fbc27 Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Wed, 2 Aug 2023 14:15:12 +0200 Subject: [PATCH 05/21] Add UUID format check for id and related.id --- sigma-schema.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sigma-schema.json b/sigma-schema.json
index 05b358e91..7b483262b 100644
--- a/sigma-schema.json
+++ b/sigma-schema.json
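Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although it only needs to read the checkout; add a top-level `permissions:` with `contents: read`. `pip install check-jsonschema` is unpinned, which makes the validation gate depend on whatever version (and transitive dependencies) PyPI serves on the day the job runs — pin to an exact `check-jsonschema==<version>` (ideally with hashes) and likewise pin `actions/checkout` and `actions/setup-python` to a full commit SHA rather than a floating major tag, as is usual for a security-content repository. Also `branches: - "*"` does not match branch names containing `/` (GitHub's `*` stops at a slash), so pushes to `feature/...`-style branches won't trigger the run; `"**"` matches all branches.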
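Review bot: The fix appends a `d` to turn `074e0ded-6ced-4ebd-8b4d-53f55908119` into a syntactically valid UUID, but nothing in the hunk shows that `074e0ded-6ced-4ebd-8b4d-53f55908119d` is the `id` of an existing rule; if the guessed character is wrong, the `derived` link points at nothing while now passing the schema check the series introduces. Please confirm the value by searching the rule tree for that id (e.g. `grep -r "^id: 074e0ded-6ced-4ebd-8b4d-53f55908119d" rules*/`) and, if it isn't found, take it from the actual parent rule rather than from the malformed string.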
@@ -10,7 +10,8 @@
 },
 "id": {
 "type": "string",
- "description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory."
+ "description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.",
+ "format": "uuid"
 },
 "related": {
 "type": "array",
@@ -20,7 +21,9 @@
 "required": ["id", "type"],
 "properties": {
 "id": {
- "type": "string"
+ "type": "string",
+ "description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.",
+ "format": "uuid"
 },
 "type": {
 "type": "string",
From c975b1943a4e2c13256972532bd37922e2a7f7e5 Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Wed, 2 Aug 2023 14:20:47 +0200 Subject: [PATCH 06/21] Fix another related.id --- .../Pingback/proc_creation_win_malware_pingback_backdoor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
index 172309163..f928d1f1c 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
@@ -3,7 +3,7 @@ id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
 related:
 - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
 type: similar
- - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf789 # File Indicators
+ - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators
 type: similar
 status: test
 description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
From df5c1402ec6c879da166c2be3121f8f106032256 Mon Sep 17 00:00:00 2001
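Review bot: `"format": "uuid"` is an annotation in JSON Schema and only becomes an assertion when the validator opts into format checking; check-jsonschema does that by default as far as I know, but anyone running another validator against this schema gets no id check at all, so if the UUID shape is meant to be a hard requirement pair it with an explicit `"pattern"` for the 8-4-4-4-12 hex form. The description kept on the same property still says the UUID is "recommended to be a UUID v4, but not mandatory", which now contradicts what the schema enforces; reword it to `"A globally unique identifier for the Sigma rule; must be a UUID (v4 recommended)"`.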
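Review bot: The description added to `related.items.properties.id` is copied verbatim from the rule's own `id` ("A globally unique identifier for the Sigma rule"), which is misleading here: this field holds the id of the *other* rule the relationship points to, not this rule's id. Suggest `"description": "The id (UUID) of the related rule this entry refers to"`.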
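Review bot: Dropping the trailing `9` from `2bd63d53-84d4-4210-80ff-bf0658f1bf789` yields a well-formed UUID, but the hunk does not show that `2bd63d53-84d4-4210-80ff-bf0658f1bf78` is actually the `id` of the "File Indicators" rule the trailing comment refers to; the malformed value could equally have been a typo in an earlier character, and a wrong guess leaves a dangling `similar` link that the new schema check cannot catch. Please verify the id against that rule (search the tree for `^id: 2bd63d53-`) before merging.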
From: Mostafa Moradian Date: Wed, 2 Aug 2023 14:21:01 +0200 Subject: [PATCH 07/21] Fix file name --- validate.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/validate.sh b/validate.sh
index cf4d3695f..596ffaf13 100755
--- a/validate.sh
+++ b/validate.sh
@@ -10,5 +10,5 @@ then
 fi
 # Validate all the Sigma rules in the current directory
-echo "Validating Sigma rules against schema.json"
+echo "Validating Sigma rules against sigma-schema.json"
 check-jsonschema --schemafile sigma-schema.json $(find ./rules ./rules-compliance ./rules-dfir ./rules-emerging-threats ./rules-placeholder ./rules-threat-hunting -type f -name "*.yml")
From 21d7be9708574cba0586d98343b58b802eeb047d Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Wed, 2 Aug 2023 14:29:33 +0200 Subject: [PATCH 08/21] Use the latest version of checkout action --- .github/workflows/sigma-validation.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/sigma-validation.yaml b/.github/workflows/sigma-validation.yaml
index 11169d74c..e0cbae45e 100644
--- a/.github/workflows/sigma-validation.yaml
+++ b/.github/workflows/sigma-validation.yaml
@@ -12,7 +12,9 @@ jobs:
 validate-sigma-rules:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
 - name: Set up Python 3.10
 uses: actions/setup-python@v3
 with:
From 5a258019ec31beecf7022199a7c28482a51331e0 Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Thu, 3 Aug 2023 13:38:27 +0200 Subject: [PATCH 09/21] Fix date regex --- sigma-schema.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sigma-schema.json b/sigma-schema.json
index 7b483262b..a6ffbdbd6 100644
--- a/sigma-schema.json
+++ b/sigma-schema.json
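Review bot: `fetch-depth: 0` fetches the entire repository history, but the validation step only reads the working tree (the script runs `find` over the rule directories), so the full clone adds time and bandwidth to every push without changing the result; drop the `with:` block and keep the default shallow checkout. While touching this line, pin `actions/checkout` to a full commit SHA with the tag in a trailing comment instead of the floating `@v3` tag — a mutable tag is exactly what an upstream-action compromise would move — and do the same for `actions/setup-python@v3` below it.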
@@ -101,12 +101,12 @@
 "date": {
 "type": "string",
 "description": "Creation date of the rule. Use the format YYYY/MM/DD",
- "pattern": "^\\d.*[/]\\d.{1,2}[/]\\d.{1,2}$"
+ "pattern": "^\\d.*[/]\\d.{0,1}[/]\\d.{0,1}$"
 },
 "modified": {
 "type": "string",
 "description": "Last modification date of the rule. Use the format YYYY/MM/DD",
- "pattern": "^\\d.*[/]\\d.{1,2}[/]\\d.{1,2}$"
+ "pattern": "^\\d.*[/]\\d.{0,1}[/]\\d.{0,1}$"
 },
 "logsource": {
 "type": "object",
From 264d51847e6ac08266e75a8d973a9ba25684fb65 Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Thu, 3 Aug 2023 13:58:52 +0200 Subject: [PATCH 10/21] Fix tags regex --- sigma-schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sigma-schema.json b/sigma-schema.json
index a6ffbdbd6..647801126 100644
--- a/sigma-schema.json
+++ b/sigma-schema.json
@@ -239,7 +239,7 @@
 "type": "array",
 "items": {
 "type": "string",
- "pattern": "^[a-z0-9_.].{2,}$"
+ "pattern": "^[a-z0-9_.].{1,}$"
 }
 }
 }
From b73e636eb2c541206260f1d8439b372e58d1b3fa Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Thu, 3 Aug 2023 14:15:06 +0200 Subject: [PATCH 11/21] Apply suggestions from code review Update regex patterns Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- sigma-schema.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sigma-schema.json b/sigma-schema.json
index 647801126..f81b5dd38 100644
--- a/sigma-schema.json
+++ b/sigma-schema.json
@@ -101,12 +101,12 @@
 "date": {
 "type": "string",
 "description": "Creation date of the rule. Use the format YYYY/MM/DD",
- "pattern": "^\\d.*[/]\\d.{0,1}[/]\\d.{0,1}$"
+ "pattern": "^\\d{4}[/]\\d{2}[/]\\d{2}$"
 },
 "modified": {
 "type": "string",
 "description": "Last modification date of the rule. Use the format YYYY/MM/DD",
- "pattern": "^\\d.*[/]\\d.{0,1}[/]\\d.{0,1}$"
+ "pattern": "^\\d{4}[/]\\d{2}[/]\\d{2}$"
 },
 "logsource": {
 "type": "object",
@@ -239,7 +239,7 @@
 "type": "array",
 "items": {
 "type": "string",
- "pattern": "^[a-z0-9_.].{1,}$"
+ "pattern": "^[a-z0-9_.]+$"
 }
 }
 }
From 46ce3d32702f6e8295ecf856ff6ee9f534f753ab Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 4 Aug 2023 09:27:13 +0200 Subject: [PATCH 12/21] allow - in tags --- sigma-schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sigma-schema.json b/sigma-schema.json
index f81b5dd38..93e06903f 100644
--- a/sigma-schema.json
+++ b/sigma-schema.json
@@ -239,7 +239,7 @@
 "type": "array",
 "items": {
 "type": "string",
- "pattern": "^[a-z0-9_.]+$"
+ "pattern": "^[a-z0-9_.-]+$"
 }
 }
 }
From 04121f1920babe9ce40f452d9199722db823eaf6 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 15 Aug 2023 11:52:05 +0200 Subject: [PATCH 13/21] Rename sigma-validation.yaml to sigma-validation.yml --- .github/workflows/{sigma-validation.yaml => sigma-validation.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{sigma-validation.yaml => sigma-validation.yml} (100%)
diff --git a/.github/workflows/sigma-validation.yaml b/.github/workflows/sigma-validation.yml
similarity index 100%
rename from .github/workflows/sigma-validation.yaml
rename to .github/workflows/sigma-validation.yml
From ad01182279003307599febdfc6015bfff70ec4ee Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 15 Aug 2023 12:00:55 +0200 Subject: [PATCH 14/21] stricter regex, remove timeframe search identifier Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- sigma-schema.json | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/sigma-schema.json b/sigma-schema.json
index 93e06903f..4c4c6f62e 100644
--- a/sigma-schema.json
+++ b/sigma-schema.json
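Review bot: `^[a-z0-9_.-]+$` constrains the character set but not the shape: it accepts `-`, `.`, or a bare token like `t1059` just as readily as a namespaced tag such as `attack.t1059` or `attack.execution`, so a tag that lost its namespace still validates. If the namespace convention is meant to be enforced, anchor it, e.g. `"pattern": "^[a-z0-9_-]+\\.[a-z0-9_.-]+$"`. Independently of the pattern, adding `"uniqueItems": true` on the `tags` array would make the schema flag a tag listed twice, which the regex can't see.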
@@ -101,12 +101,12 @@
 "date": {
 "type": "string",
 "description": "Creation date of the rule. Use the format YYYY/MM/DD",
- "pattern": "^\\d{4}[/]\\d{2}[/]\\d{2}$"
+ "pattern": "^\\d{4}/(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])$"
 },
 "modified": {
 "type": "string",
 "description": "Last modification date of the rule. Use the format YYYY/MM/DD",
- "pattern": "^\\d{4}[/]\\d{2}[/]\\d{2}$"
+ "pattern": "^\\d{4}/(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])$"
 },
 "logsource": {
 "type": "object",
@@ -179,10 +179,6 @@
 }
 ],
 "description": "A set of search-identifiers that represent properties of searches on log data"
- },
- "timeframe": {
- "type": "string",
- "description": "Is a special Search-Identifier used only with Aggregation conditions Defines a time period in which the aggregation should be applied. The following format must be used: number + letter (in lowercase) - Xs seconds - Xm minutes - Xh hours - Xd days"
 }
 }
 },
From 5a135694a6b95adfe08aeec10013b0439644d805 Mon Sep 17 00:00:00 2001 From: Mostafa Moradian Date: Tue, 15 Aug 2023 12:44:13 +0200 Subject: [PATCH 15/21] Remove logsource properties, since they are optional --- sigma-schema.json | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/sigma-schema.json b/sigma-schema.json
index 4c4c6f62e..aab23dd89 100644
--- a/sigma-schema.json
+++ b/sigma-schema.json
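Review bot: Deleting `timeframe` from `detection.properties` does not make it optional or unconstrained — it changes what it must look like: the key now falls through to `detection.additionalProperties`, whose `anyOf` (from the first patch of this series) accepts only an array or an object, so any rule that still carries `timeframe: 5m` will be rejected with a confusing "not of type array/object" error instead of a message about `timeframe`. If the intent is that `timeframe` is no longer part of the supported rule format, state that explicitly with `"timeframe": false` under `properties` and say so in the commit message; if it should stay allowed, keep the `"type": "string"` schema (ideally with a `"pattern": "^[0-9]+[smhd]$"` matching the format the removed description spelled out). The `detection` object this hunk edits starts and ends outside the hunk.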
@@ -111,23 +111,8 @@
 "logsource": {
 "type": "object",
 "description": "The log source that the rule is supposed to detect malicious activity in.",
- "properties": {
- "category": {
- "type": "string",
- "description": "Select all log files written by a certain group of products, like firewalls or web server logs"
- },
- "product": {
- "type": "string",
- "description": "Select all log outputs of a certain product, e.g. all Windows Eventlog types including \"Security\", \"System\", \"Application\" and the new log types like \"AppLocker\" and \"Windows Defender\""
- },
- "service": {
- "type": "string",
- "description": "Select only a subset of a product's logs, like the \"sshd\" on Linux or the \"Security\" Eventlog on Windows systems"
- },
- "definition": {
- "type": "string",
- "description": "Describe the log source, including some information on the log verbosity level or configurations that have to be applied"
- }
+ "items": {
+ "type": "string"
 }
 },
 "detection": {
From 7ed0930f8f5a282b884db7975886feeeaacebc99 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 15 Aug 2023 13:13:29 +0200 Subject: [PATCH 16/21] Rename sigma-schema.json to tests/validate-sigma-schema/sigma-schema.json --- .../validate-sigma-schema/sigma-schema.json | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sigma-schema.json => tests/validate-sigma-schema/sigma-schema.json (100%)
diff --git a/sigma-schema.json b/tests/validate-sigma-schema/sigma-schema.json
similarity index 100%
rename from sigma-schema.json
rename to tests/validate-sigma-schema/sigma-schema.json
From 373c458184b76cd680664f27dd746ae994a84a9b Mon Sep 17 00:00:00 2001
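Review bot: The replacement `"items": {"type": "string"}` is a no-op on a `"type": "object"` schema — `items` only constrains arrays — so after this change `logsource` accepts any value for `category`/`product`/`service` (e.g. `product: 1` or a nested mapping) and the per-field documentation is lost. Properties listed under `properties` are already optional unless they are named in `required`, so nothing had to be removed to make them optional; restore the four string-typed properties and, to catch misspelled keys like `prodcut` that would otherwise silently produce an unmatched log source, close the object with `"additionalProperties": false`. If the spec requires at least one of `category`/`product`/`service`, a `"minProperties": 1` (or an `anyOf` of `required` clauses) would additionally stop an empty `logsource: {}` from validating.
```json
"logsource": {
  "type": "object",
  "description": "The log source that the rule is supposed to detect malicious activity in.",
  "additionalProperties": false,
  "properties": {
    "category": {
      "type": "string",
      "description": "Select all log files written by a certain group of products, like firewalls or web server logs"
    },
    "product": {
      "type": "string",
      "description": "Select all log outputs of a certain product, e.g. all Windows Eventlog types including \"Security\", \"System\", \"Application\" and the new log types like \"AppLocker\" and \"Windows Defender\""
    },
    "service": {
      "type": "string",
      "description": "Select only a subset of a product's logs, like the \"sshd\" on Linux or the \"Security\" Eventlog on Windows systems"
    },
    "definition": {
      "type": "string",
      "description": "Describe the log source, including some information on the log verbosity level or configurations that have to be applied"
    }
  }
},
```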
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 15 Aug 2023 13:14:07 +0200 Subject: [PATCH 17/21] Rename validate.sh to tests/validate-sigma-schema/validate.sh --- validate.sh => tests/validate-sigma-schema/validate.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename validate.sh => tests/validate-sigma-schema/validate.sh (100%)
diff --git a/validate.sh b/tests/validate-sigma-schema/validate.sh
similarity index 100%
rename from validate.sh
rename to tests/validate-sigma-schema/validate.sh
From 9a1d0932e997e54194c649c1d581ef2902ddcec6 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 15 Aug 2023 13:15:16 +0200 Subject: [PATCH 18/21] use new path of validate script --- .github/workflows/sigma-validation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sigma-validation.yml b/.github/workflows/sigma-validation.yml
index e0cbae45e..b7e8be086 100644
--- a/.github/workflows/sigma-validation.yml
+++ b/.github/workflows/sigma-validation.yml
@@ -22,4 +22,4 @@ jobs:
 - name: Install dependencies
 run: pip install check-jsonschema
 - name: Validate Sigma rules
- run: ./validate.sh
+ run: tests/validate-sigma-schema/validate.sh
From 2f6b8cd03aa28647578f6902d67045520ce14732 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 15 Aug 2023 13:18:33 +0200 Subject: [PATCH 19/21] fix path to schema json --- tests/validate-sigma-schema/validate.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/validate-sigma-schema/validate.sh b/tests/validate-sigma-schema/validate.sh
index 596ffaf13..fc12c024b 100755
--- a/tests/validate-sigma-schema/validate.sh
+++ b/tests/validate-sigma-schema/validate.sh
@@ -11,4 +11,4 @@ fi
 # Validate all the Sigma rules in the current directory
 echo "Validating Sigma rules against sigma-schema.json"
-check-jsonschema --schemafile sigma-schema.json $(find ./rules ./rules-compliance ./rules-dfir ./rules-emerging-threats ./rules-placeholder ./rules-threat-hunting -type f -name "*.yml")
+check-jsonschema --schemafile tests/validate-sigma-schema/sigma-schema.json $(find ./rules ./rules-compliance ./rules-dfir ./rules-emerging-threats ./rules-placeholder ./rules-threat-hunting -type f -name "*.yml")
From 21c433937daa3a6e979231434feb0aedd82f650f Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 15 Aug 2023 13:22:09 +0200 Subject: [PATCH 20/21] trigger error for new test --- .../windows/file/file_event/file_event_win_winrm_awl_bypass.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
index a6d2cf763..6207c5201 100644
--- a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
+++ b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
@@ -1,7 +1,7 @@
 title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
 id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
 related:
- - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
+ - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d_DELETE_ME
 type: derived
 status: test
 description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
From 594d3d86ed75de892c2063ddecd751115384c69a Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 15 Aug 2023 13:24:57 +0200 Subject: [PATCH 21/21] revert trigger error for new test --- .../windows/file/file_event/file_event_win_winrm_awl_bypass.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
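Review bot: `tests/validate-sigma-schema/sigma-schema.json` and the `./rules*` arguments are still resolved against the caller's working directory, so a script that now lives two directories down only works when run from the repository root; from anywhere else `check-jsonschema` cannot open the schema and `find` errors on the missing rule directories. This happens to work in the workflow because `run:` steps start in the workspace root, but a maintainer running it locally from `tests/validate-sigma-schema/` gets a failure unrelated to the rules. Resolve paths from the script's own location instead: `REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"`, then `cd "$REPO_ROOT"` before the `find`, and pass `--schemafile "$REPO_ROOT/tests/validate-sigma-schema/sigma-schema.json"`.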
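Review bot: This commit deliberately corrupts a shipped rule's `related.id` to `…_DELETE_ME` to prove the new CI gate fires, and the next commit reverts it; as pushed, the series leaves a commit in history where the rule tree is invalid, which anyone bisecting or pinning to that intermediate SHA will hit. A throwaway branch or a local run of `tests/validate-sigma-schema/validate.sh` against a scratch file demonstrates the gate just as well; if the pair must stay, squash the two commits before merging so the broken state never lands on the mainline.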
diff --git a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
index 6207c5201..a6d2cf763 100644
--- a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
+++ b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
@@ -1,7 +1,7 @@
 title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
 id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
 related:
- - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d_DELETE_ME
+ - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
 type: derived
 status: test
 description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)