Merge pull request #790 from EccoTheFlintstone/fp_fix

fix false positive matching on every powershell process not run by SY…

rules/windows/process_creation/win_renamed_powershell.yml

@@ -10,7 +10,7 @@ tags:
     - car.2013-05-009
 logsource:
     product: windows
-    service: sysmon
+    category: process_creation
 detection:
     selection:
         Description: 'Windows PowerShell'

rules/windows/process_creation/win_renamed_procdump.yml

@@ -11,7 +11,7 @@ tags:
     - attack.t1036
 logsource:
     product: windows
-    service: sysmon
+    category: process_creation
 detection:
     selection:
         OriginalFileName: 'procdump'

rules/windows/process_creation/win_renamed_psexec.yml

@@ -10,7 +10,7 @@ tags:
     - car.2013-05-009
 logsource:
     product: windows
-    service: sysmon
+    category: process_creation
 detection:
     selection:
         Description: 'Execute processes remotely'

rules/windows/process_creation/win_susp_file_characteristics.yml

@@ -14,7 +14,7 @@ tags:
     - attack.t1064
 logsource:
     product: windows
-    service: sysmon
+    category: process_creation
 detection:
     selection1:
         Description: '\?'

rules/windows/sysmon/sysmon_in_memory_powershell.yml

@@ -24,7 +24,7 @@ detection:
         Image|endswith:
             - '\powershell.exe'
             - '\WINDOWS\System32\sdiagnhost.exe'
-        User: 'NT AUTHORITY\SYSTEM'
+       # User: 'NT AUTHORITY\SYSTEM'   # if set, matches all powershell processes not launched by SYSTEM
     condition: selection and not filter
 falsepositives:
     - Used by some .NET binaries, minimal on user workstation.

rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml

@@ -1,12 +1,12 @@
-title: Dumping Lsass.exe Memory with MiniDumpWriteDump API
-id: dd5ab153-beaa-4315-9647-65abc5f71541
+title: Load of dbghelp/dbgcore DLL from Suspicious Process
+id: 0e277796-5f23-4e49-a490-483131d4f6e1
 status: experimental
-description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this
+description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump
     API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and
     transfer it over the network back to the attacker's machine.
 date: 2019/10/27
-modified: 2019/11/13
-author: Perez Diego (@darkquassar), oscd.community
+modified: 2020/05/23
+author: Perez Diego (@darkquassar), oscd.community, Ecco
 references:
     - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
     - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
@@ -35,7 +35,7 @@ detection:
             - '\outlook.exe'
             - '\monitoringhost.exe'
             - '\wmic.exe'
-            - '\msiexec.exe'
+              # - '\msiexec.exe'  an installer installing a program using one of those DLL will raise an alert
             - '\bash.exe'
             - '\wscript.exe'
             - '\cscript.exe'
@@ -62,4 +62,4 @@ fields:
     - ImageLoaded
 falsepositives:
     - Penetration tests
-level: critical
+level: high

rules/windows/sysmon/sysmon_wmi_module_load.yml

@@ -29,9 +29,9 @@ detection:
     filter:
         Image|endswith:
             - '\WmiPrvSe.exe'
-            - '\WmiPrvSE.exe'
             - '\WmiAPsrv.exe'
             - '\svchost.exe'
+            - '\DeviceCensus.exe'
     condition: selection and not filter
 fields:
     - ComputerName

tests/test_rules.py

@@ -486,6 +486,25 @@ class TestRules(unittest.TestCase):
         self.assertEqual(faulty_rules, [], Fore.RED + 
                          "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).")
     
+    def test_sysmon_rule_without_eventid(self):
+        faulty_rules = []
+        for file in self.yield_next_rule_file_path(self.path_to_rules):
+            logsource = self.get_rule_part(file_path=file, part_name="logsource")
+            service = logsource.get('service', '')
+            if service.lower() == 'sysmon':
+                with open(file) as f:
+                    found = False
+                    for line in f:
+                        if re.search(r'.*EventID:.*$', line):  # might be on a single line or in multiple lines
+                            found = True
+                            break
+                    if not found:
+                        faulty_rules.append(file)      
+
+        self.assertEqual(faulty_rules, [], Fore.RED + 
+                         "There are rules using sysmon events but with no EventID specified")
+
+
     def test_missing_date(self):
         faulty_rules = []
         for file in self.yield_next_rule_file_path(self.path_to_rules):
@@ -538,7 +557,7 @@ class TestRules(unittest.TestCase):
                 faulty_rules.append(file)
             wrong_casing = []
             for word in title.split(" "):
-                if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not word[0].isdigit():
+                if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not "/" in word and not word[0].isdigit():
                     wrong_casing.append(word)
             if len(wrong_casing) > 0:
                 print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format(file, ", ".join(wrong_casing)))