diff --git a/README.md b/README.md index 0ecb4a325..3e480bf77 100644 --- a/README.md +++ b/README.md @@ -7,25 +7,60 @@ Generic Signature Format for SIEM Systems Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others. -![sigma_description](./images/Sigma-description.png) +Sigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files. This repository contains: * Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification) * Open repository for sigma signatures in the ```./rules```subfolder -* A converter that generate searches/queries for different SIEM systems [in development] +* A converter that generate searches/queries for different SIEM systems [work in progress] -# Converter +# Use Cases -The converter is written in Python 3 and requires PyYAML. Invoke it with `--help` for usage instructions. +* Describe your once discovered detection method in Sigma to make it sharable +* Share the signature in the appendix of your analysis along with file hashes and C2 servers +* Share the signature in threat intel communities - e.g. via MISP +* Provide Sigma signatures for malicious behaviour in your application (Error messages, access violations, manipulations) +* Integrate a new log into your SIEM and check the Sigma repository for available rules +* Develop an experimental detection method, write a Sigma rule, share it and ask for feedback +* Write a rule converter for your custom log analysis tool and process new Sigma rules automatically +* Provide a free or commercial feed for Sigma signatures -# Slides +# Sigma Converter + +The converter is currently under development in the *devel-sigmac* branch of this project. It has currently the +following capabilities: + +* Parsing of Sigma rule files +* Conversion of searches into Elasticsearch and Splunk queries + +Planned main features are: + +* Conversion of aggregation expressions (after the pipe character) +* Output of Kibana JSON configurations + +Support for further SIEM solutions can be added by developing an corresponsing output backend class. + +![sigma_description](./images/Sigma-description.png) + +# Why Sigma + +Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. + +Others provide excellent analyses for threat groups, sharing file indicators, C2 servers and YARA rules to detect the malicious files, but describe a certain malicious service install or remote thread injection in a separate paragraph. Security analysts, who read that paragraph then extract the necessary information and create rules in their SIEM system. The detection method never finds a way into a repository that is shared, structured and archived. + +The lower layers of the OSI layer are well known and described. Every SIEM vendor has rules to detect port scans, ping sweeps and threats like the ['smurf attack'](https://en.wikipedia.org/wiki/Smurf_attack). But the higher layers contain numerous applications and protocols with special characteristics that write their own custom log files. SIEM vendors consider the signatures and correlations as their intelectual property and do not tend to share details on the coverage. + +Sigma is meant to be an open standard in which detection mechanisms can be defined, shared and collected in order to improve the detection capabilities on the application layers for everyone. + +![sigma_why](./images/Problem_OSI_v01.png) + +## Slides See the first slide deck that I prepared for a private conference in mid January 2017. [Sigma - Make Security Monitoring Great Again](https://www.slideshare.net/secret/gvgxeXoKblXRcA) - # Specification The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification). @@ -56,3 +91,9 @@ Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single So * Integration of feedback into the rule specifications * Collecting rule input from fellow researchers and analysts * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms + +# Credits + +This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. + +Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona) diff --git a/images/Problem_OSI_v01.png b/images/Problem_OSI_v01.png new file mode 100644 index 000000000..79bed632e Binary files /dev/null and b/images/Problem_OSI_v01.png differ diff --git a/images/Sigma-description.png b/images/Sigma-description.png index 167e36044..a57d589e4 100644 Binary files a/images/Sigma-description.png and b/images/Sigma-description.png differ diff --git a/images/Sigma_rule_example1.png b/images/Sigma_rule_example1.png index ad8fd0653..179cdcf65 100644 Binary files a/images/Sigma_rule_example1.png and b/images/Sigma_rule_example1.png differ diff --git a/images/Sigma_rule_example2.png b/images/Sigma_rule_example2.png index 2c03a9fc0..39719a518 100644 Binary files a/images/Sigma_rule_example2.png and b/images/Sigma_rule_example2.png differ diff --git a/images/Sigma_rule_example3.png b/images/Sigma_rule_example3.png index a46991c9e..69f610bc8 100644 Binary files a/images/Sigma_rule_example3.png and b/images/Sigma_rule_example3.png differ diff --git a/images/Sigma_rule_example4.png b/images/Sigma_rule_example4.png index 1f95257ae..50834c1a6 100644 Binary files a/images/Sigma_rule_example4.png and b/images/Sigma_rule_example4.png differ diff --git a/images/Sigma_rule_example5.png b/images/Sigma_rule_example5.png index cbcaffd47..ac9cd2edf 100644 Binary files a/images/Sigma_rule_example5.png and b/images/Sigma_rule_example5.png differ diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml index 4bf1c83e5..69df7f046 100644 --- a/rules/network/net_susp_network_scan.yml +++ b/rules/network/net_susp_network_scan.yml @@ -1,5 +1,8 @@ title: Network Scans description: Detects many failed connection attempts to different ports or hosts +author: Thomas Patzke +logsource: + type: firewall detection: selection: log: network diff --git a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml index 57a31033f..d2c1942c1 100644 --- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml +++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml @@ -1,10 +1,10 @@ title: Multiple suspicious Response Codes caused by Single Client description: Detects possible exploitation activity or bugs in a web application +author: Thomas Patzke +logsource: + type: webserver detection: selection: - log: - - access.log - - error.log response: - 400 - 401 diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml index cd8584c1c..f2cf40427 100644 --- a/rules/web/web_webshell_keyword.yml +++ b/rules/web/web_webshell_keyword.yml @@ -1,10 +1,9 @@ title: Webshell Detection by Keyword -description: Detects webshells that use GET requests by keyword sarches in URL strings +description: Detects webshells that use GET requests by keyword sarches in URL strings +author: Florian Roth +logsource: + type: webserver detection: - selection: - log: - - access.log - - error.log keywords: - '=whoami' - '=net%20user' diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml index 9ef69b2ba..be73985e2 100644 --- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml @@ -1,5 +1,8 @@ title: Mimikatz Usage description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups) +author: Florian Roth +logsource: + product: windows detection: selection: EventLog: diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index ad0125603..62c0338a7 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -1,5 +1,8 @@ title: Relevant Anti-Virus Event description: This detection method points out highly relevant Antivirus events +author: Florian Roth +logsource: + product: windows detection: selection: EventLog: Application diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 43ef48536..0e6e8ee3e 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -1,13 +1,15 @@ title: Eventlog Cleared -description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities +description: One of the Windows Eventlogs has been cleared +reference: https://twitter.com/deviouspolack/status/832535435960209408 +author: Florian Roth +logsource: + product: windows detection: selection: - EventLog: Security - EventID: - - 517 - - 1102 + EventLog: System + EventID: 104 condition: selection falsepositives: - - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - - System provisioning (system reset before the golden image creation) -level: high + - Unknown +level: medium + diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml index 55a17e3d6..97f2a83de 100644 --- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml +++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml @@ -1,6 +1,8 @@ title: Account Tampering - Suspicious Failed Logon Reasons description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. +author: Florian Roth logsource: + product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml index 7cd8b2069..f10e4b660 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml @@ -1,5 +1,8 @@ title: Multiple Failed Logins with Different Accounts from Single Source System description: Detects suspicious failed logins with different user accounts from a single source system +author: Florian Roth +logsource: + product: windows detection: selection: EventLog: Security @@ -17,3 +20,5 @@ falsepositives: - Other multiuser systems like Citrix server farms - Workstations with frequently changing users level: medium + + diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/win_susp_kerberos_manipulation.yml index 7f7aaa37c..df2c7f077 100644 --- a/rules/windows/builtin/win_susp_kerberos_manipulation.yml +++ b/rules/windows/builtin/win_susp_kerberos_manipulation.yml @@ -1,5 +1,8 @@ title: Kerberos Manipulation description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages +author: Florian Roth +logsource: + product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml index 89b4114d2..b14d5f18a 100644 --- a/rules/windows/builtin/win_susp_lsass_dump.yml +++ b/rules/windows/builtin/win_susp_lsass_dump.yml @@ -2,6 +2,8 @@ title: Password Dumper Activity on LSASS description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN status: experimental reference: https://twitter.com/jackcr/status/807385668833968128 +logsource: + product: windows detection: selection: EventLog: Security @@ -13,3 +15,4 @@ detection: falsepositives: - Unkown level: high + diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml index 3f1edc393..0525bf6f6 100644 --- a/rules/windows/builtin/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml @@ -1,7 +1,9 @@ title: Suspicious Kerberos RC4 Ticket Encryption status: experimental reference: https://adsecurity.org/?p=3458 -description: Detects logons using RC4 encryption type +description: Detects logons using RC4 encryption type +logsource: + product: windows detection: selection: EventLog: Security diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml new file mode 100644 index 000000000..e7e4924ff --- /dev/null +++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml @@ -0,0 +1,16 @@ +title: Security Eventlog Cleared +description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities +author: Florian Roth +logsource: + product: windows +detection: + selection: + EventLog: Security + EventID: + - 517 + - 1102 + condition: selection +falsepositives: + - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) + - System provisioning (system reset before the golden image creation) +level: high diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml index 90c5ed748..804976fc7 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml @@ -2,6 +2,8 @@ title: Mimikatz Detection LSASS Access status: experimental description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ) reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow +logsource: + product: sysmon detection: selection: - EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml index 1b8a6809e..9f49d0057 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml @@ -2,6 +2,8 @@ title: Mimikatz In-Memory Detection status: experimental description: Detects certain DLL loads when Mimikatz gets executed reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ +logsource: + product: sysmon detection: dllload1: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml index aa29c5c2e..1853bb459 100644 --- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml +++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml @@ -1,6 +1,8 @@ title: Password Dumper Remote Thread in LSASS description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundrets of events. -reference: Internal research +author: Thomas Patzke +logsource: + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 4ef9dd05d..daf1b9ca9 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -1,5 +1,8 @@ title: Suspicious Driver Load from Temp description: Detetcs a driver load from a temporary directory +author: Florian Roth +logsource: + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index 9ab5d339b..b5e9b5ed8 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml @@ -2,6 +2,8 @@ title: Proceses created by MMC status: experimental description: Processes started by MMC could by a sign of lateral movement using MMC application COM object reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ +logsource: + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational @@ -13,4 +15,4 @@ detection: condition: selection and not exclusion falsepositives: - unknown -level: high +level: medium diff --git a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml index f5329300f..2ab733d73 100644 --- a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml +++ b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml @@ -1,5 +1,8 @@ title: Java running with Remote Debugging description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect +author: Florian Roth +logsource: + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/sysmon/sysmon_webshell_detection.yml index f54e3640e..02fdcf6d0 100644 --- a/rules/windows/sysmon/sysmon_webshell_detection.yml +++ b/rules/windows/sysmon/sysmon_webshell_detection.yml @@ -1,5 +1,8 @@ title: Webshell Detection With Command Line Keywords -description: Detects certain command line parameters often used during reconnissaince activity via web shells +description: Detects certain command line parameters often used during reconnissaince activity via web shells +author: Florian Roth +logsource: + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/sysmon/sysmon_webshell_spawn.yml index e468356e3..7017adba8 100644 --- a/rules/windows/sysmon/sysmon_webshell_spawn.yml +++ b/rules/windows/sysmon/sysmon_webshell_spawn.yml @@ -1,6 +1,9 @@ title: Shells spawned by Web Servers status: experimental description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack +author: Thomas Patzke +logsource: + product: sysmon detection: selection: EventLog: Microsoft-Windows-Sysmon/Operational